80-test_ca.t 9.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302
  1. #! /usr/bin/env perl
  2. # Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. #
  4. # Licensed under the Apache License 2.0 (the "License"). You may not use
  5. # this file except in compliance with the License. You can obtain a copy
  6. # in the file LICENSE in the source distribution or at
  7. # https://www.openssl.org/source/license.html
  8. use strict;
  9. use warnings;
  10. use POSIX;
  11. use File::Path 2.00 qw/rmtree/;
  12. use OpenSSL::Test qw/:DEFAULT cmdstr data_file srctop_file/;
  13. use OpenSSL::Test::Utils;
  14. use Time::Local qw/timegm/;
  15. setup("test_ca");
  16. $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
  17. my $cnf = srctop_file("test","ca-and-certs.cnf");
  18. my $std_openssl_cnf = '"'
  19. . srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf")
  20. . '"';
  21. sub src_file {
  22. return srctop_file("test", "certs", shift);
  23. }
  24. rmtree("demoCA", { safe => 0 });
  25. plan tests => 20;
  26. require_ok(srctop_file("test", "recipes", "tconversion.pl"));
  27. SKIP: {
  28. my $cakey = src_file("ca-key.pem");
  29. $ENV{OPENSSL_CONFIG} = qq(-config "$cnf");
  30. skip "failed creating CA structure", 4
  31. if !ok(run(perlapp(["CA.pl","-newca",
  32. "-extra-req", "-key $cakey"], stdin => undef)),
  33. 'creating CA structure');
  34. my $eekey = src_file("ee-key.pem");
  35. $ENV{OPENSSL_CONFIG} = qq(-config "$cnf");
  36. skip "failed creating new certificate request", 3
  37. if !ok(run(perlapp(["CA.pl","-newreq",
  38. '-extra-req', "-outform DER -section userreq -key $eekey"])),
  39. 'creating certificate request');
  40. $ENV{OPENSSL_CONFIG} = qq(-rand_serial -inform DER -config "$std_openssl_cnf");
  41. skip "failed to sign certificate request", 2
  42. if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0,
  43. 'signing certificate request');
  44. ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])),
  45. 'verifying new certificate');
  46. skip "CT not configured, can't use -precert", 1
  47. if disabled("ct");
  48. my $eekey2 = src_file("ee-key-3072.pem");
  49. $ENV{OPENSSL_CONFIG} = qq(-config "$cnf");
  50. ok(run(perlapp(["CA.pl", "-precert", '-extra-req', "-section userreq -key $eekey2"], stderr => undef)),
  51. 'creating new pre-certificate');
  52. }
  53. SKIP: {
  54. skip "SM2 is not supported by this OpenSSL build", 1
  55. if disabled("sm2");
  56. is(yes(cmdstr(app(["openssl", "ca", "-config",
  57. $cnf,
  58. "-in", src_file("sm2-csr.pem"),
  59. "-out", "sm2-test.crt",
  60. "-sigopt", "distid:1234567812345678",
  61. "-vfyopt", "distid:1234567812345678",
  62. "-md", "sm3",
  63. "-cert", src_file("sm2-root.crt"),
  64. "-keyfile", src_file("sm2-root.key")]))),
  65. 0,
  66. "Signing SM2 certificate request");
  67. }
  68. my $v3_cert = "v3-test.crt";
  69. ok(run(app(["openssl", "ca", "-batch", "-config", $cnf, "-extensions", "empty",
  70. "-in", src_file("x509-check.csr"), "-out", $v3_cert])));
  71. # although no explicit extensions given:
  72. has_version($v3_cert, 3);
  73. has_SKID($v3_cert, 1);
  74. has_AKID($v3_cert, 1);
  75. test_revoke('notimes', {
  76. should_succeed => 1,
  77. });
  78. test_revoke('lastupdate_invalid', {
  79. lastupdate => '1234567890',
  80. should_succeed => 0,
  81. });
  82. test_revoke('lastupdate_utctime', {
  83. lastupdate => '200901123456Z',
  84. should_succeed => 1,
  85. });
  86. test_revoke('lastupdate_generalizedtime', {
  87. lastupdate => '20990901123456Z',
  88. should_succeed => 1,
  89. });
  90. test_revoke('nextupdate_invalid', {
  91. nextupdate => '1234567890',
  92. should_succeed => 0,
  93. });
  94. test_revoke('nextupdate_utctime', {
  95. nextupdate => '200901123456Z',
  96. should_succeed => 1,
  97. });
  98. test_revoke('nextupdate_generalizedtime', {
  99. nextupdate => '20990901123456Z',
  100. should_succeed => 1,
  101. });
  102. test_revoke('both_utctime', {
  103. lastupdate => '200901123456Z',
  104. nextupdate => '200908123456Z',
  105. should_succeed => 1,
  106. });
  107. test_revoke('both_generalizedtime', {
  108. lastupdate => '20990901123456Z',
  109. nextupdate => '20990908123456Z',
  110. should_succeed => 1,
  111. });
  112. sub test_revoke {
  113. my ($filename, $opts) = @_;
  114. subtest "Revoke certificate and generate CRL: $filename" => sub {
  115. # Before Perl 5.12.0, the range of times Perl could represent was
  116. # limited by the size of time_t, so Time::Local was hamstrung by the
  117. # Y2038 problem
  118. # Perl 5.12.0 onwards use an internal time implementation with a
  119. # guaranteed >32-bit time range on all architectures, so the tests
  120. # involving post-2038 times won't fail provided we're running under
  121. # that version or newer
  122. plan skip_all =>
  123. 'Perl >= 5.12.0 required to run certificate revocation tests'
  124. if $] < 5.012000;
  125. $ENV{CN2} = $filename;
  126. ok(
  127. run(app(['openssl',
  128. 'req',
  129. '-config', $cnf,
  130. '-new',
  131. '-key', data_file('revoked.key'),
  132. '-out', "$filename-req.pem",
  133. '-section', 'userreq',
  134. ])),
  135. 'Generate CSR'
  136. );
  137. delete $ENV{CN2};
  138. ok(
  139. run(app(['openssl',
  140. 'ca',
  141. '-batch',
  142. '-config', $cnf,
  143. '-in', "$filename-req.pem",
  144. '-out', "$filename-cert.pem",
  145. ])),
  146. 'Sign CSR'
  147. );
  148. ok(
  149. run(app(['openssl',
  150. 'ca',
  151. '-config', $cnf,
  152. '-revoke', "$filename-cert.pem",
  153. ])),
  154. 'Revoke certificate'
  155. );
  156. my @gencrl_opts;
  157. if (exists $opts->{lastupdate}) {
  158. push @gencrl_opts, '-crl_lastupdate', $opts->{lastupdate};
  159. }
  160. if (exists $opts->{nextupdate}) {
  161. push @gencrl_opts, '-crl_nextupdate', $opts->{nextupdate};
  162. }
  163. is(
  164. run(app(['openssl',
  165. 'ca',
  166. '-config', $cnf,
  167. '-gencrl',
  168. '-out', "$filename-crl.pem",
  169. '-crlsec', '60',
  170. @gencrl_opts,
  171. ])),
  172. $opts->{should_succeed},
  173. 'Generate CRL'
  174. );
  175. my $crl_gentime = time;
  176. # The following tests only need to run if the CRL was supposed to be
  177. # generated:
  178. return unless $opts->{should_succeed};
  179. my $crl_lastupdate = crl_field("$filename-crl.pem", 'lastUpdate');
  180. if (exists $opts->{lastupdate}) {
  181. is(
  182. $crl_lastupdate,
  183. rfc5280_time($opts->{lastupdate}),
  184. 'CRL lastUpdate field has expected value'
  185. );
  186. } else {
  187. diag("CRL lastUpdate: $crl_lastupdate");
  188. diag("openssl run time: $crl_gentime");
  189. ok(
  190. # Is the CRL's lastUpdate time within a second of the time that
  191. # `openssl ca -gencrl` was executed?
  192. $crl_gentime - 1 <= $crl_lastupdate && $crl_lastupdate <= $crl_gentime + 1,
  193. 'CRL lastUpdate field has (roughly) expected value'
  194. );
  195. }
  196. my $crl_nextupdate = crl_field("$filename-crl.pem", 'nextUpdate');
  197. if (exists $opts->{nextupdate}) {
  198. is(
  199. $crl_nextupdate,
  200. rfc5280_time($opts->{nextupdate}),
  201. 'CRL nextUpdate field has expected value'
  202. );
  203. } else {
  204. diag("CRL nextUpdate: $crl_nextupdate");
  205. diag("openssl run time: $crl_gentime");
  206. ok(
  207. # Is the CRL's lastUpdate time within a second of the time that
  208. # `openssl ca -gencrl` was executed, taking into account the use
  209. # of '-crlsec 60'?
  210. $crl_gentime + 59 <= $crl_nextupdate && $crl_nextupdate <= $crl_gentime + 61,
  211. 'CRL nextUpdate field has (roughly) expected value'
  212. );
  213. }
  214. };
  215. }
  216. sub yes {
  217. my $cntr = 10;
  218. open(PIPE, "|-", join(" ",@_));
  219. local $SIG{PIPE} = "IGNORE";
  220. 1 while $cntr-- > 0 && print PIPE "y\n";
  221. close PIPE;
  222. return 0;
  223. }
  224. # Get the value of the lastUpdate or nextUpdate field from a CRL
  225. sub crl_field {
  226. my ($crl_path, $field_name) = @_;
  227. my @out = run(
  228. app(['openssl',
  229. 'crl',
  230. '-in', $crl_path,
  231. '-noout',
  232. '-' . lc($field_name),
  233. ]),
  234. capture => 1,
  235. statusvar => \my $exit,
  236. );
  237. ok($exit, "CRL $field_name field retrieved");
  238. diag("CRL $field_name: $out[0]");
  239. $out[0] =~ s/^\Q$field_name\E=//;
  240. $out[0] =~ s/\n?//;
  241. my $time = human_time($out[0]);
  242. return $time;
  243. }
  244. # Converts human-readable ASN1_TIME_print() output to Unix time
  245. sub human_time {
  246. my ($human) = @_;
  247. my ($mo, $d, $h, $m, $s, $y) = $human =~ /^([A-Za-z]{3})\s+(\d+) (\d{2}):(\d{2}):(\d{2}) (\d{4})/;
  248. my %months = (
  249. Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4, Jun => 5,
  250. Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11,
  251. );
  252. return timegm($s, $m, $h, $d, $months{$mo}, $y);
  253. }
  254. # Converts an RFC 5280 timestamp to Unix time
  255. sub rfc5280_time {
  256. my ($asn1) = @_;
  257. my ($y, $mo, $d, $h, $m, $s) = $asn1 =~ /^(\d{2,4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$/;
  258. return timegm($s, $m, $h, $d, $mo - 1, $y);
  259. }