testtsa.com 7.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255
  1. $!
  2. $! A few very basic tests for the 'ts' time stamping authority command.
  3. $!
  4. $
  5. $ __arch = "VAX"
  6. $ if f$getsyi("cpu") .ge. 128 then -
  7. __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
  8. $ if __arch .eqs. "" then __arch = "UNK"
  9. $!
  10. $ if (p4 .eqs. "64") then __arch = __arch+ "_64"
  11. $!
  12. $ exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
  13. $
  14. $ openssl = "mcr ''f$parse(exe_dir+"openssl.exe")'"
  15. $ OPENSSL_CONF = "[-]CAtsa.cnf"
  16. $ ! Because that's what ../apps/CA.sh really looks at
  17. $ SSLEAY_CONFIG = "-config " + OPENSSL_CONF
  18. $
  19. $ error:
  20. $ subroutine
  21. $ write sys$error "TSA test failed!"
  22. $ exit 3
  23. $ endsubroutine
  24. $
  25. $ setup_dir:
  26. $ subroutine
  27. $
  28. $ if f$search("tsa.dir") .nes ""
  29. $ then
  30. $ @[-.util]deltree [.tsa]*.*
  31. $ set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
  32. $ delete tsa.dir;*
  33. $ endif
  34. $
  35. $ create/dir [.tsa]
  36. $ set default [.tsa]
  37. $ endsubroutine
  38. $
  39. $ clean_up_dir:
  40. $ subroutine
  41. $
  42. $ set default [-]
  43. $ @[-.util]deltree [.tsa]*.*
  44. $ set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
  45. $ delete tsa.dir;*
  46. $ endsubroutine
  47. $
  48. $ create_ca:
  49. $ subroutine
  50. $
  51. $ write sys$output "Creating a new CA for the TSA tests..."
  52. $ TSDNSECT = "ts_ca_dn"
  53. $ openssl req -new -x509 -nodes -
  54. -out tsaca.pem -keyout tsacakey.pem
  55. $ if $severity .ne. 1 then call error
  56. $ endsubroutine
  57. $
  58. $ create_tsa_cert:
  59. $ subroutine
  60. $
  61. $ INDEX=p1
  62. $ EXT=p2
  63. $ TSDNSECT = "ts_cert_dn"
  64. $
  65. $ openssl req -new -
  66. -out tsa_req'INDEX'.pem -keyout tsa_key'INDEX'.pem
  67. $ if $severity .ne. 1 then call error
  68. $
  69. $ write sys$output "Using extension ''EXT'"
  70. $ openssl x509 -req -
  71. -in tsa_req'INDEX'.pem -out tsa_cert'INDEX'.pem -
  72. "-CA" tsaca.pem "-CAkey" tsacakey.pem "-CAcreateserial" -
  73. -extfile 'OPENSSL_CONF' -extensions "''EXT'"
  74. $ if $severity .ne. 1 then call error
  75. $ endsubroutine
  76. $
  77. $ print_request:
  78. $ subroutine
  79. $
  80. $ openssl ts -query -in 'p1' -text
  81. $ endsubroutine
  82. $
  83. $ create_time_stamp_request1: subroutine
  84. $
  85. $ openssl ts -query -data [-]testtsa.com -policy tsa_policy1 -
  86. -cert -out req1.tsq
  87. $ if $severity .ne. 1 then call error
  88. $ endsubroutine
  89. $
  90. $ create_time_stamp_request2: subroutine
  91. $
  92. $ openssl ts -query -data [-]testtsa.com -policy tsa_policy2 -
  93. -no_nonce -out req2.tsq
  94. $ if $severity .ne. 1 then call error
  95. $ endsubroutine
  96. $
  97. $ create_time_stamp_request3: subroutine
  98. $
  99. $ openssl ts -query -data [-]CAtsa.cnf -no_nonce -out req3.tsq
  100. $ if $severity .ne. 1 then call error
  101. $ endsubroutine
  102. $
  103. $ print_response:
  104. $ subroutine
  105. $
  106. $ openssl ts -reply -in 'p1' -text
  107. $ if $severity .ne. 1 then call error
  108. $ endsubroutine
  109. $
  110. $ create_time_stamp_response:
  111. $ subroutine
  112. $
  113. $ openssl ts -reply -section 'p3' -queryfile 'p1' -out 'p2'
  114. $ if $severity .ne. 1 then call error
  115. $ endsubroutine
  116. $
  117. $ time_stamp_response_token_test:
  118. $ subroutine
  119. $
  120. $ RESPONSE2 = p2+ "-copy_tsr"
  121. $ TOKEN_DER = p2+ "-token_der"
  122. $ openssl ts -reply -in 'p2' -out 'TOKEN_DER' -token_out
  123. $ if $severity .ne. 1 then call error
  124. $ openssl ts -reply -in 'TOKEN_DER' -token_in -out 'RESPONSE2'
  125. $ if $severity .ne. 1 then call error
  126. $ backup/compare 'RESPONSE2' 'p2'
  127. $ if $severity .ne. 1 then call error
  128. $ openssl ts -reply -in 'p2' -text -token_out
  129. $ if $severity .ne. 1 then call error
  130. $ openssl ts -reply -in 'TOKEN_DER' -token_in -text -token_out
  131. $ if $severity .ne. 1 then call error
  132. $ openssl ts -reply -queryfile 'p1' -text -token_out
  133. $ if $severity .ne. 1 then call error
  134. $ endsubroutine
  135. $
  136. $ verify_time_stamp_response:
  137. $ subroutine
  138. $
  139. $ openssl ts -verify -queryfile 'p1' -in 'p2' -
  140. "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
  141. $ if $severity .ne. 1 then call error
  142. $ openssl ts -verify -data 'p3' -in 'p2' -
  143. "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
  144. $ if $severity .ne. 1 then call error
  145. $ endsubroutine
  146. $
  147. $ verify_time_stamp_token:
  148. $ subroutine
  149. $
  150. $ ! create the token from the response first
  151. $ openssl ts -reply -in "''p2'" -out "''p2'-token" -token_out
  152. $ if $severity .ne. 1 then call error
  153. $ openssl ts -verify -queryfile "''p1'" -in "''p2'-token" -
  154. -token_in "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
  155. $ if $severity .ne. 1 then call error
  156. $ openssl ts -verify -data "''p3'" -in "''p2'-token" -
  157. -token_in "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
  158. $ if $severity .ne. 1 then call error
  159. $ endsubroutine
  160. $
  161. $ verify_time_stamp_response_fail:
  162. $ subroutine
  163. $
  164. $ openssl ts -verify -queryfile 'p1' -in 'p2' -
  165. "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
  166. $ ! Checks if the verification failed, as it should have.
  167. $ if $severity .eq. 1 then call error
  168. $ write sys$output "Ok"
  169. $ endsubroutine
  170. $
  171. $ ! Main body ----------------------------------------------------------
  172. $
  173. $ set noon
  174. $
  175. $ write sys$output "Setting up TSA test directory..."
  176. $ call setup_dir
  177. $
  178. $ write sys$output "Creating CA for TSA tests..."
  179. $ call create_ca
  180. $
  181. $ write sys$output "Creating tsa_cert1.pem TSA server cert..."
  182. $ call create_tsa_cert 1 "tsa_cert"
  183. $
  184. $ write sys$output "Creating tsa_cert2.pem non-TSA server cert..."
  185. $ call create_tsa_cert 2 "non_tsa_cert"
  186. $
  187. $ write sys$output "Creating req1.req time stamp request for file testtsa..."
  188. $ call create_time_stamp_request1
  189. $
  190. $ write sys$output "Printing req1.req..."
  191. $ call print_request "req1.tsq"
  192. $
  193. $ write sys$output "Generating valid response for req1.req..."
  194. $ call create_time_stamp_response "req1.tsq" "resp1.tsr" "tsa_config1"
  195. $
  196. $ write sys$output "Printing response..."
  197. $ call print_response "resp1.tsr"
  198. $
  199. $ write sys$output "Verifying valid response..."
  200. $ call verify_time_stamp_response "req1.tsq" "resp1.tsr" "[-]testtsa.com"
  201. $
  202. $ write sys$output "Verifying valid token..."
  203. $ call verify_time_stamp_token "req1.tsq" "resp1.tsr" "[-]testtsa.com"
  204. $
  205. $ ! The tests below are commented out, because invalid signer certificates
  206. $ ! can no longer be specified in the config file.
  207. $
  208. $ ! write sys$output "Generating _invalid_ response for req1.req..."
  209. $ ! call create_time_stamp_response "req1.tsq" "resp1_bad.tsr" "tsa_config2"
  210. $
  211. $ ! write sys$output "Printing response..."
  212. $ ! call print_response "resp1_bad.tsr"
  213. $
  214. $ ! write sys$output "Verifying invalid response, it should fail..."
  215. $ ! call verify_time_stamp_response_fail "req1.tsq" "resp1_bad.tsr"
  216. $
  217. $ write sys$output "Creating req2.req time stamp request for file testtsa..."
  218. $ call create_time_stamp_request2
  219. $
  220. $ write sys$output "Printing req2.req..."
  221. $ call print_request "req2.tsq"
  222. $
  223. $ write sys$output "Generating valid response for req2.req..."
  224. $ call create_time_stamp_response "req2.tsq" "resp2.tsr" "tsa_config1"
  225. $
  226. $ write sys$output "Checking '-token_in' and '-token_out' options with '-reply'..."
  227. $ call time_stamp_response_token_test "req2.tsq" "resp2.tsr"
  228. $
  229. $ write sys$output "Printing response..."
  230. $ call print_response "resp2.tsr"
  231. $
  232. $ write sys$output "Verifying valid response..."
  233. $ call verify_time_stamp_response "req2.tsq" "resp2.tsr" "[-]testtsa.com"
  234. $
  235. $ write sys$output "Verifying response against wrong request, it should fail..."
  236. $ call verify_time_stamp_response_fail "req1.tsq" "resp2.tsr"
  237. $
  238. $ write sys$output "Verifying response against wrong request, it should fail..."
  239. $ call verify_time_stamp_response_fail "req2.tsq" "resp1.tsr"
  240. $
  241. $ write sys$output "Creating req3.req time stamp request for file CAtsa.cnf..."
  242. $ call create_time_stamp_request3
  243. $
  244. $ write sys$output "Printing req3.req..."
  245. $ call print_request "req3.tsq"
  246. $
  247. $ write sys$output "Verifying response against wrong request, it should fail..."
  248. $ call verify_time_stamp_response_fail "req3.tsq" "resp1.tsr"
  249. $
  250. $ write sys$output "Cleaning up..."
  251. $ call clean_up_dir
  252. $
  253. $ set on
  254. $
  255. $ exit