80-test_tsa.t 9.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250
  1. #! /usr/bin/env perl
  2. # Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. #
  4. # Licensed under the Apache License 2.0 (the "License"). You may not use
  5. # this file except in compliance with the License. You can obtain a copy
  6. # in the file LICENSE in the source distribution or at
  7. # https://www.openssl.org/source/license.html
  8. use strict;
  9. use warnings;
  10. use POSIX;
  11. use File::Spec::Functions qw/splitdir curdir catfile/;
  12. use File::Compare;
  13. use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file data_file/;
  14. use OpenSSL::Test::Utils;
  15. setup("test_tsa");
  16. plan skip_all => "TS is not supported by this OpenSSL build"
  17. if disabled("ts");
  18. # All these are modified inside indir further down. They need to exist
  19. # here, however, to be available in all subroutines.
  20. my $openssl_conf;
  21. my $testtsa;
  22. my $tsacakey;
  23. my $CAtsa;
  24. my @QUERY = ("openssl", "ts", "-query");
  25. my @REPLY;
  26. my @VERIFY = ("openssl", "ts", "-verify");
  27. sub create_tsa_cert {
  28. my $INDEX = shift;
  29. my $EXT = shift;
  30. my $r = 1;
  31. $ENV{TSDNSECT} = "ts_cert_dn";
  32. ok(run(app(["openssl", "req", "-config", $openssl_conf, "-new",
  33. "-out", "tsa_req${INDEX}.pem",
  34. "-key", srctop_file("test", "certs", "alt${INDEX}-key.pem"),
  35. "-keyout", "tsa_key${INDEX}.pem"])));
  36. note "using extension $EXT";
  37. ok(run(app(["openssl", "x509", "-req",
  38. "-in", "tsa_req${INDEX}.pem",
  39. "-out", "tsa_cert${INDEX}.pem",
  40. "-CA", "tsaca.pem", "-CAkey", $tsacakey,
  41. "-CAcreateserial",
  42. "-extfile", $openssl_conf, "-extensions", $EXT])));
  43. }
  44. sub create_resp {
  45. my $config = shift;
  46. my $chain = shift;
  47. my $queryfile = shift;
  48. my $outputfile = shift;
  49. ok(run(app([@REPLY, "-section", $config, "-queryfile", $queryfile,
  50. "-chain", $chain, # this overrides "certs" entry in config
  51. "-out", $outputfile])));
  52. }
  53. sub verify_ok {
  54. my $datafile = shift;
  55. my $queryfile = shift;
  56. my $inputfile = shift;
  57. my $untrustedfile = shift;
  58. ok(run(app([@VERIFY, "-queryfile", $queryfile, "-in", $inputfile,
  59. "-CAfile", "tsaca.pem", "-untrusted", $untrustedfile])));
  60. ok(run(app([@VERIFY, "-data", $datafile, "-in", $inputfile,
  61. "-CAfile", "tsaca.pem", "-untrusted", $untrustedfile])));
  62. }
  63. sub verify_fail {
  64. my $queryfile = shift;
  65. my $inputfile = shift;
  66. my $untrustedfile = shift; # is needed for resp2, but not for resp1
  67. my $cafile = shift;
  68. ok(!run(app([@VERIFY, "-queryfile", $queryfile, "-in", $inputfile,
  69. "-untrusted", $untrustedfile, "-CAfile", $cafile])));
  70. }
  71. # main functions
  72. plan tests => 27;
  73. note "setting up TSA test directory";
  74. indir "tsa" => sub
  75. {
  76. $openssl_conf = srctop_file("test", "CAtsa.cnf");
  77. $testtsa = srctop_file("test", "recipes", "80-test_tsa.t");
  78. $tsacakey = srctop_file("test", "certs", "ca-key.pem");
  79. $CAtsa = srctop_file("test", "CAtsa.cnf");
  80. @REPLY = ("openssl", "ts", "-config", $openssl_conf, "-reply");
  81. # ../apps/CA.pl needs these
  82. $ENV{OPENSSL_CONFIG} = "-config $openssl_conf";
  83. $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
  84. SKIP: {
  85. $ENV{TSDNSECT} = "ts_ca_dn";
  86. skip "failed", 19
  87. unless ok(run(app(["openssl", "req", "-config", $openssl_conf,
  88. "-new", "-x509", "-noenc",
  89. "-out", "tsaca.pem", "-key", $tsacakey])),
  90. 'creating a new CA for the TSA tests');
  91. skip "failed", 18
  92. unless subtest 'creating tsa_cert1.pem TSA server cert' => sub {
  93. create_tsa_cert("1", "tsa_cert")
  94. };
  95. skip "failed", 17
  96. unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub {
  97. create_tsa_cert("2", "non_tsa_cert")
  98. };
  99. skip "failed", 16
  100. unless ok(run(app([@QUERY, "-data", $testtsa,
  101. "-tspolicy", "tsa_policy1", "-cert",
  102. "-out", "req1.tsq"])),
  103. 'creating req1.req time stamp request for file testtsa');
  104. ok(run(app([@QUERY, "-in", "req1.tsq", "-text"])),
  105. 'printing req1.req');
  106. subtest 'generating valid response for req1.req' => sub {
  107. create_resp("tsa_config1", "tsaca.pem", "req1.tsq", "resp1.tsr")
  108. };
  109. subtest 'generating response with wrong 2nd certid for req1.req' => sub {
  110. create_resp("tsa_config1", "tsa_cert1.pem", "req1.tsq",
  111. "resp1_invalid.tsr")
  112. };
  113. ok(run(app([@REPLY, "-in", "resp1.tsr", "-text"])),
  114. 'printing response');
  115. subtest 'verifying valid response' => sub {
  116. verify_ok($testtsa, "req1.tsq", "resp1.tsr", "tsa_cert1.pem")
  117. };
  118. skip "failed", 11
  119. unless subtest 'verifying valid token' => sub {
  120. ok(run(app([@REPLY, "-in", "resp1.tsr",
  121. "-out", "resp1.tsr.token", "-token_out"])));
  122. ok(run(app([@VERIFY, "-queryfile", "req1.tsq",
  123. "-in", "resp1.tsr.token", "-token_in",
  124. "-CAfile", "tsaca.pem"])));
  125. ok(run(app([@VERIFY, "-data", $testtsa,
  126. "-in", "resp1.tsr.token", "-token_in",
  127. "-CAfile", "tsaca.pem"])));
  128. };
  129. skip "failed", 10
  130. unless ok(run(app([@QUERY, "-data", $testtsa,
  131. "-tspolicy", "tsa_policy2", "-no_nonce",
  132. "-out", "req2.tsq"])),
  133. 'creating req2.req time stamp request for file testtsa');
  134. ok(run(app([@QUERY, "-in", "req2.tsq", "-text"])),
  135. 'printing req2.req');
  136. skip "failed", 8
  137. unless subtest 'generating valid response for req2.req' => sub {
  138. create_resp("tsa_config1", "tsaca.pem", "req2.tsq", "resp2.tsr")
  139. };
  140. skip "failed", 7
  141. unless subtest 'checking -token_in and -token_out options with -reply' => sub {
  142. my $RESPONSE2="resp2.tsr.copy.tsr";
  143. my $TOKEN_DER="resp2.tsr.token.der";
  144. ok(run(app([@REPLY, "-in", "resp2.tsr",
  145. "-out", "$TOKEN_DER", "-token_out"])));
  146. ok(run(app([@REPLY, "-in", "$TOKEN_DER",
  147. "-token_in", "-out", "$RESPONSE2"])));
  148. is(compare($RESPONSE2, "resp2.tsr"), 0);
  149. ok(run(app([@REPLY, "-in", "resp2.tsr",
  150. "-text", "-token_out"])));
  151. ok(run(app([@REPLY, "-in", "$TOKEN_DER",
  152. "-token_in", "-text", "-token_out"])));
  153. ok(run(app([@REPLY, "-queryfile", "req2.tsq",
  154. "-text", "-token_out"])));
  155. };
  156. ok(run(app([@REPLY, "-in", "resp2.tsr", "-text"])),
  157. 'printing response');
  158. subtest 'verifying valid resp1, wrong untrusted is not used' => sub {
  159. verify_ok($testtsa, "req1.tsq", "resp1.tsr", "tsa_cert2.pem")
  160. };
  161. subtest 'verifying invalid resp1 with wrong 2nd certid' => sub {
  162. verify_fail($testtsa, "req1.tsq", "resp1_invalid.tsr", "tsa_cert2.pem")
  163. };
  164. subtest 'verifying valid resp2, correct untrusted being used' => sub {
  165. verify_ok($testtsa, "req2.tsq", "resp2.tsr", "tsa_cert1.pem")
  166. };
  167. subtest 'verifying resp2 against wrong req1 should fail' => sub {
  168. verify_fail("req1.tsq", "resp2.tsr", "tsa_cert1.pem", "tsaca.pem")
  169. };
  170. subtest 'verifying resp1 against wrong req2 should fail' => sub {
  171. verify_fail("req2.tsq", "resp1.tsr", "tsa_cert1.pem", "tsaca.pem")
  172. };
  173. subtest 'verifying resp1 using wrong untrusted should fail' => sub {
  174. verify_fail("req2.tsq", "resp2.tsr", "tsa_cert2.pem", "tsaca.pem")
  175. };
  176. subtest 'verifying resp1 using wrong root should fail' => sub {
  177. verify_fail("req1.tsq", "resp1.tsr", "tsa_cert1.pem", "tsa_cert1.pem")
  178. };
  179. skip "failure", 2
  180. unless ok(run(app([@QUERY, "-data", $CAtsa,
  181. "-no_nonce", "-out", "req3.tsq"])),
  182. "creating req3.req time stamp request for file CAtsa.cnf");
  183. ok(run(app([@QUERY, "-in", "req3.tsq", "-text"])),
  184. 'printing req3.req');
  185. subtest 'verifying resp1 against wrong req3 should fail' => sub {
  186. verify_fail("req3.tsq", "resp1.tsr", "tsa_cert1.pem", "tsaca.pem")
  187. };
  188. }
  189. # verifying response with two ESSCertIDs, referring to leaf cert
  190. # "sectigo-signer.pem" and intermediate cert "sectigo-time-stamping-ca.pem"
  191. # 1. validation chain contains these certs and root "user-trust-ca.pem"
  192. ok(run(app([@VERIFY, "-no_check_time",
  193. "-queryfile", data_file("all-zero.tsq"),
  194. "-in", data_file("sectigo-all-zero.tsr"),
  195. "-CAfile", data_file("user-trust-ca.pem")])),
  196. "validation with two ESSCertIDs and 3-element chain");
  197. # 2. validation chain contains these certs, a cross-cert, and different root
  198. ok(run(app([@VERIFY, "-no_check_time",
  199. "-queryfile", data_file("all-zero.tsq"),
  200. "-in", data_file("sectigo-all-zero.tsr"),
  201. "-untrusted", data_file("user-trust-ca-aaa.pem"),
  202. "-CAfile", data_file("comodo-aaa.pem")])),
  203. "validation with two ESSCertIDs and 4-element chain");
  204. }, create => 1, cleanup => 1