80-test_tsa.t 7.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207
  1. #! /usr/bin/env perl
  2. # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
  3. #
  4. # Licensed under the OpenSSL license (the "License"). You may not use
  5. # this file except in compliance with the License. You can obtain a copy
  6. # in the file LICENSE in the source distribution or at
  7. # https://www.openssl.org/source/license.html
  8. use strict;
  9. use warnings;
  10. use POSIX;
  11. use File::Spec::Functions qw/splitdir curdir catfile/;
  12. use File::Compare;
  13. use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
  14. use OpenSSL::Test::Utils;
  15. setup("test_tsa");
  16. plan skip_all => "TS is not supported by this OpenSSL build"
  17. if disabled("ts");
  18. # All these are modified inside indir further down. They need to exist
  19. # here, however, to be available in all subroutines.
  20. my $openssl_conf;
  21. my $testtsa;
  22. my $CAtsa;
  23. my @RUN;
  24. sub create_tsa_cert {
  25. my $INDEX = shift;
  26. my $EXT = shift;
  27. my $r = 1;
  28. $ENV{TSDNSECT} = "ts_cert_dn";
  29. ok(run(app(["openssl", "req", "-config", $openssl_conf, "-new",
  30. "-out", "tsa_req${INDEX}.pem",
  31. "-keyout", "tsa_key${INDEX}.pem"])));
  32. note "using extension $EXT";
  33. ok(run(app(["openssl", "x509", "-req",
  34. "-in", "tsa_req${INDEX}.pem",
  35. "-out", "tsa_cert${INDEX}.pem",
  36. "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem",
  37. "-CAcreateserial",
  38. "-extfile", $openssl_conf, "-extensions", $EXT])));
  39. }
  40. sub create_time_stamp_response {
  41. my $queryfile = shift;
  42. my $outputfile = shift;
  43. my $datafile = shift;
  44. ok(run(app([@RUN, "-reply", "-section", "$datafile",
  45. "-queryfile", "$queryfile", "-out", "$outputfile"])));
  46. }
  47. sub verify_time_stamp_response {
  48. my $queryfile = shift;
  49. my $inputfile = shift;
  50. my $datafile = shift;
  51. ok(run(app([@RUN, "-verify", "-queryfile", "$queryfile",
  52. "-in", "$inputfile", "-CAfile", "tsaca.pem",
  53. "-untrusted", "tsa_cert1.pem"])));
  54. ok(run(app([@RUN, "-verify", "-data", "$datafile",
  55. "-in", "$inputfile", "-CAfile", "tsaca.pem",
  56. "-untrusted", "tsa_cert1.pem"])));
  57. }
  58. sub verify_time_stamp_response_fail {
  59. my $queryfile = shift;
  60. my $inputfile = shift;
  61. ok(!run(app([@RUN, "-verify", "-queryfile", "$queryfile",
  62. "-in", "$inputfile", "-CAfile", "tsaca.pem",
  63. "-untrusted", "tsa_cert1.pem"])));
  64. }
  65. # main functions
  66. plan tests => 20;
  67. note "setting up TSA test directory";
  68. indir "tsa" => sub
  69. {
  70. $openssl_conf = srctop_file("test", "CAtsa.cnf");
  71. $testtsa = srctop_file("test", "recipes", "80-test_tsa.t");
  72. $CAtsa = srctop_file("test", "CAtsa.cnf");
  73. @RUN = ("openssl", "ts", "-config", $openssl_conf);
  74. # ../apps/CA.pl needs these
  75. $ENV{OPENSSL_CONFIG} = "-config $openssl_conf";
  76. $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
  77. SKIP: {
  78. $ENV{TSDNSECT} = "ts_ca_dn";
  79. skip "failed", 19
  80. unless ok(run(app(["openssl", "req", "-config", $openssl_conf,
  81. "-new", "-x509", "-nodes",
  82. "-out", "tsaca.pem", "-keyout", "tsacakey.pem"])),
  83. 'creating a new CA for the TSA tests');
  84. skip "failed", 18
  85. unless subtest 'creating tsa_cert1.pem TSA server cert' => sub {
  86. create_tsa_cert("1", "tsa_cert")
  87. };
  88. skip "failed", 17
  89. unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub {
  90. create_tsa_cert("2", "non_tsa_cert")
  91. };
  92. skip "failed", 16
  93. unless ok(run(app([@RUN, "-query", "-data", $testtsa,
  94. "-tspolicy", "tsa_policy1", "-cert",
  95. "-out", "req1.tsq"])),
  96. 'creating req1.req time stamp request for file testtsa');
  97. ok(run(app([@RUN, "-query", "-in", "req1.tsq", "-text"])),
  98. 'printing req1.req');
  99. subtest 'generating valid response for req1.req' => sub {
  100. create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1")
  101. };
  102. ok(run(app([@RUN, "-reply", "-in", "resp1.tsr", "-text"])),
  103. 'printing response');
  104. subtest 'verifying valid response' => sub {
  105. verify_time_stamp_response("req1.tsq", "resp1.tsr", $testtsa)
  106. };
  107. skip "failed", 11
  108. unless subtest 'verifying valid token' => sub {
  109. ok(run(app([@RUN, "-reply", "-in", "resp1.tsr",
  110. "-out", "resp1.tsr.token", "-token_out"])));
  111. ok(run(app([@RUN, "-verify", "-queryfile", "req1.tsq",
  112. "-in", "resp1.tsr.token", "-token_in",
  113. "-CAfile", "tsaca.pem",
  114. "-untrusted", "tsa_cert1.pem"])));
  115. ok(run(app([@RUN, "-verify", "-data", $testtsa,
  116. "-in", "resp1.tsr.token", "-token_in",
  117. "-CAfile", "tsaca.pem",
  118. "-untrusted", "tsa_cert1.pem"])));
  119. };
  120. skip "failed", 10
  121. unless ok(run(app([@RUN, "-query", "-data", $testtsa,
  122. "-tspolicy", "tsa_policy2", "-no_nonce",
  123. "-out", "req2.tsq"])),
  124. 'creating req2.req time stamp request for file testtsa');
  125. ok(run(app([@RUN, "-query", "-in", "req2.tsq", "-text"])),
  126. 'printing req2.req');
  127. skip "failed", 8
  128. unless subtest 'generating valid response for req2.req' => sub {
  129. create_time_stamp_response("req2.tsq", "resp2.tsr", "tsa_config1")
  130. };
  131. skip "failed", 7
  132. unless subtest 'checking -token_in and -token_out options with -reply' => sub {
  133. my $RESPONSE2="resp2.tsr.copy.tsr";
  134. my $TOKEN_DER="resp2.tsr.token.der";
  135. ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
  136. "-out", "$TOKEN_DER", "-token_out"])));
  137. ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
  138. "-token_in", "-out", "$RESPONSE2"])));
  139. is(compare($RESPONSE2, "resp2.tsr"), 0);
  140. ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
  141. "-text", "-token_out"])));
  142. ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
  143. "-token_in", "-text", "-token_out"])));
  144. ok(run(app([@RUN, "-reply", "-queryfile", "req2.tsq",
  145. "-text", "-token_out"])));
  146. };
  147. ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", "-text"])),
  148. 'printing response');
  149. subtest 'verifying valid response' => sub {
  150. verify_time_stamp_response("req2.tsq", "resp2.tsr", $testtsa)
  151. };
  152. subtest 'verifying response against wrong request, it should fail' => sub {
  153. verify_time_stamp_response_fail("req1.tsq", "resp2.tsr")
  154. };
  155. subtest 'verifying response against wrong request, it should fail' => sub {
  156. verify_time_stamp_response_fail("req2.tsq", "resp1.tsr")
  157. };
  158. skip "failure", 2
  159. unless ok(run(app([@RUN, "-query", "-data", $CAtsa,
  160. "-no_nonce", "-out", "req3.tsq"])),
  161. "creating req3.req time stamp request for file CAtsa.cnf");
  162. ok(run(app([@RUN, "-query", "-in", "req3.tsq", "-text"])),
  163. 'printing req3.req');
  164. subtest 'verifying response against wrong request, it should fail' => sub {
  165. verify_time_stamp_response_fail("req3.tsq", "resp1.tsr")
  166. };
  167. }
  168. }, create => 1, cleanup => 1