
#!/bin/sh
#
# A few very basic tests for the 'ts' time stamping authority command.
#
# Meant to be run from the OpenSSL 'test' directory: the helper scripts
# and the 'openssl' binary are located relative to it (../apps, ../util).
SH="/bin/sh"
# Under DJGPP the PATH separator is ';' instead of ':'.  OSTYPE is not a
# POSIX variable; whenever it is unset or anything else, the Unix branch
# is taken.
case "$OSTYPE" in
  msdosdjgpp) PATH="../apps\;$PATH" ;;
  *)          PATH="../apps:$PATH" ;;
esac
export SH PATH
# Configuration file picked up by every openssl invocation below.
OPENSSL_CONF="../CAtsa.cnf"
export OPENSSL_CONF
# Because that's what ../apps/CA.sh really looks at
SSLEAY_CONFIG="-config $OPENSSL_CONF"
export SSLEAY_CONFIG
# Absolute path to the wrapper, so it stays valid after the cd into tsa/.
OPENSSL="$(pwd)/../util/opensslwrap.sh"
export OPENSSL
# Report a failed test on stderr and abort the whole script with status 1.
# Every step below funnels its failure through here, so the first failing
# openssl invocation stops the run.
error () {
  printf '%s\n' "TSA test failed!" >&2
  exit 1
}
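# Create a fresh, empty 'tsa' working directory and move into it.
# All key material, requests and responses generated by the tests live
# there.  mkdir and cd are checked: if either failed, the script would
# keep running in the test directory itself and the later
# clean_up_dir() 'cd ..; rm -rf tsa' would act on the wrong location.
setup_dir () {
  rm -rf tsa 2>/dev/null
  mkdir tsa || error
  cd ./tsa || error
}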
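# Leave the working directory and delete it together with the test keys,
# certificates, requests and responses.  The cd is checked so the rm
# never runs from an unexpected location.
clean_up_dir () {
  cd .. || error
  rm -rf tsa
}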
# Generate the self-signed test CA (tsaca.pem / tsacakey.pem) in the
# current directory.  TSDNSECT is exported for $OPENSSL_CONF to pick up
# (presumably the DN section to use; see ../CAtsa.cnf).  -nodes leaves
# the CA key unencrypted: this is a throwaway fixture, not a real trust
# anchor.
create_ca () {
  echo "Creating a new CA for the TSA tests..."
  TSDNSECT=ts_ca_dn
  export TSDNSECT
  ../../util/shlib_wrap.sh ../../apps/openssl req -new -x509 -nodes \
    -keyout tsacakey.pem -out tsaca.pem
  test $? -ne 0 && error
}
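# Issue a certificate signed by the test CA.
#   $1  numeric suffix: writes tsa_req$1.pem, tsa_key$1.pem, tsa_cert$1.pem
#   $2  name of the extension section in $OPENSSL_CONF to apply
# INDEX and TSDNSECT are exported for the config file to reference.
# The extension section chosen by the caller decides what kind of
# certificate comes out; the run below creates one "TSA server cert"
# and one "non-TSA server cert" this way.
create_tsa_cert () {
  INDEX=$1
  export INDEX
  EXT=$2
  TSDNSECT=ts_cert_dn
  export TSDNSECT
  ../../util/shlib_wrap.sh ../../apps/openssl req -new \
    -out "tsa_req${INDEX}.pem" -keyout "tsa_key${INDEX}.pem" || error
  echo "Using extension $EXT"
  # -CAcreateserial creates the CA's serial-number file on first use.
  ../../util/shlib_wrap.sh ../../apps/openssl x509 -req \
    -in "tsa_req${INDEX}.pem" -out "tsa_cert${INDEX}.pem" \
    -CA tsaca.pem -CAkey tsacakey.pem -CAcreateserial \
    -extfile "$OPENSSL_CONF" -extensions "$EXT" || error
}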
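# Dump a time stamp request ($1) in human-readable form.
# Unlike print_response() the original ignored a failing dump; it now
# aborts the run like every other step.
print_request () {
  ../../util/shlib_wrap.sh ../../apps/openssl ts -query -in "$1" -text || error
}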
# Build req1.tsq: a request for the file ../testtsa (the test script
# itself) under policy tsa_policy1, asking the TSA to include its
# certificate in the response (-cert).  No -no_nonce, so unlike requests
# 2 and 3 this one carries a nonce.
create_time_stamp_request1 () {
  ../../util/shlib_wrap.sh ../../apps/openssl ts -query \
    -policy tsa_policy1 -cert -data ../testtsa -out req1.tsq
  test $? -ne 0 && error
}
# Build req2.tsq: a request for ../testtsa under policy tsa_policy2,
# without a nonce and without asking for the TSA certificate.
create_time_stamp_request2 () {
  ../../util/shlib_wrap.sh ../../apps/openssl ts -query \
    -policy tsa_policy2 -no_nonce -data ../testtsa -out req2.tsq
  test $? -ne 0 && error
}
# Build req3.tsq: a nonce-less request for a different file
# (../CAtsa.cnf) with no explicit policy.  It is only used below as a
# "wrong request" in a negative verification test.
create_time_stamp_request3 () {
  ../../util/shlib_wrap.sh ../../apps/openssl ts -query \
    -no_nonce -data ../CAtsa.cnf -out req3.tsq
  test $? -ne 0 && error
}
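# Dump a time stamp response ($1) in human-readable form; abort on error.
print_response () {
  ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in "$1" -text || error
}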
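# Produce a time stamp response for a request.
#   $1  request file (.tsq)
#   $2  response output file (.tsr)
#   $3  config section in $OPENSSL_CONF describing the TSA to use
create_time_stamp_response () {
  ../../util/shlib_wrap.sh ../../apps/openssl ts -reply \
    -section "$3" -queryfile "$1" -out "$2" || error
}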
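# Round-trip test of the -token_in / -token_out options of 'ts -reply'.
#   $1  request file   $2  response file
# The response is reduced to its bare token ($2.token.der), the token is
# wrapped back into a response ($2.copy.tsr), and the copy must be
# byte-identical to the original.  The three -text calls then check the
# token can be printed from each of the three input forms (response,
# bare token, request).
time_stamp_response_token_test () {
  RESPONSE2=$2.copy.tsr
  TOKEN_DER=$2.token.der
  ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in "$2" \
    -out "$TOKEN_DER" -token_out || error
  ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in "$TOKEN_DER" \
    -token_in -out "$RESPONSE2" || error
  # cmp exits non-zero on any difference, so a lossy round trip fails here.
  cmp "$RESPONSE2" "$2" || error
  ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in "$2" \
    -text -token_out || error
  ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in "$TOKEN_DER" \
    -token_in -text -token_out || error
  ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -queryfile "$1" \
    -text -token_out || error
}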
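# Verify a response both against its original request and against the
# data that was time stamped.
#   $1  request file   $2  response file   $3  file that was stamped
# Trust is anchored on the test CA only (-CAfile tsaca.pem); the TSA's
# own certificate is handed over as -untrusted, so it is accepted only
# if it chains to that CA, never on its own authority.
verify_time_stamp_response () {
  ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile "$1" \
    -in "$2" -CAfile tsaca.pem -untrusted tsa_cert1.pem || error
  ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -data "$3" \
    -in "$2" -CAfile tsaca.pem -untrusted tsa_cert1.pem || error
}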
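# Verify the bare token extracted from a response, both against the
# request and against the stamped data, using the same trust setup as
# verify_time_stamp_response().
#   $1  request file   $2  response file   $3  file that was stamped
# Writes $2.token as a side effect.
verify_time_stamp_token () {
  # create the token from the response first
  ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in "$2" \
    -out "$2.token" -token_out || error
  ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile "$1" \
    -in "$2.token" -token_in -CAfile tsaca.pem -untrusted tsa_cert1.pem || error
  ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -data "$3" \
    -in "$2.token" -token_in -CAfile tsaca.pem -untrusted tsa_cert1.pem || error
}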
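# Negative test: verifying response $2 against request $1 must FAIL.
# Only the exit status is checked, so any non-zero status (including a
# missing binary or a broken invocation) counts as "failed as expected";
# that is acceptable here because the positive tests above have already
# proven the same command line works.
verify_time_stamp_response_fail () {
  if ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile "$1" \
      -in "$2" -CAfile tsaca.pem -untrusted tsa_cert1.pem; then
    # Verification succeeded although it must not: a response accepted
    # for the wrong request is exactly the bug this test guards against.
    error
  fi
  echo Ok
}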
  122. # main functions
  123. echo "Setting up TSA test directory..."
  124. setup_dir
  125. echo "Creating CA for TSA tests..."
  126. create_ca
  127. echo "Creating tsa_cert1.pem TSA server cert..."
  128. create_tsa_cert 1 tsa_cert
  129. echo "Creating tsa_cert2.pem non-TSA server cert..."
  130. create_tsa_cert 2 non_tsa_cert
  131. echo "Creating req1.req time stamp request for file testtsa..."
  132. create_time_stamp_request1
  133. echo "Printing req1.req..."
  134. print_request req1.tsq
  135. echo "Generating valid response for req1.req..."
  136. create_time_stamp_response req1.tsq resp1.tsr tsa_config1
  137. echo "Printing response..."
  138. print_response resp1.tsr
  139. echo "Verifying valid response..."
  140. verify_time_stamp_response req1.tsq resp1.tsr ../testtsa
  141. echo "Verifying valid token..."
  142. verify_time_stamp_token req1.tsq resp1.tsr ../testtsa
  143. # The tests below are commented out, because invalid signer certificates
  144. # can no longer be specified in the config file.
  145. # echo "Generating _invalid_ response for req1.req..."
  146. # create_time_stamp_response req1.tsq resp1_bad.tsr tsa_config2
  147. # echo "Printing response..."
  148. # print_response resp1_bad.tsr
  149. # echo "Verifying invalid response, it should fail..."
  150. # verify_time_stamp_response_fail req1.tsq resp1_bad.tsr
  151. echo "Creating req2.req time stamp request for file testtsa..."
  152. create_time_stamp_request2
  153. echo "Printing req2.req..."
  154. print_request req2.tsq
  155. echo "Generating valid response for req2.req..."
  156. create_time_stamp_response req2.tsq resp2.tsr tsa_config1
  157. echo "Checking '-token_in' and '-token_out' options with '-reply'..."
  158. time_stamp_response_token_test req2.tsq resp2.tsr
  159. echo "Printing response..."
  160. print_response resp2.tsr
  161. echo "Verifying valid response..."
  162. verify_time_stamp_response req2.tsq resp2.tsr ../testtsa
  163. echo "Verifying response against wrong request, it should fail..."
  164. verify_time_stamp_response_fail req1.tsq resp2.tsr
  165. echo "Verifying response against wrong request, it should fail..."
  166. verify_time_stamp_response_fail req2.tsq resp1.tsr
  167. echo "Creating req3.req time stamp request for file CAtsa.cnf..."
  168. create_time_stamp_request3
  169. echo "Printing req3.req..."
  170. print_request req3.tsq
  171. echo "Verifying response against wrong request, it should fail..."
  172. verify_time_stamp_response_fail req3.tsq resp1.tsr
  173. echo "Cleaning up..."
  174. clean_up_dir
  175. exit 0