OWEALs
/
openssl
zrkadlo git://git.openssl.org/openssl.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147
							#!/bin/sh

#
# A few very basic tests for the 'ts' time stamping authority command.
#

SH="/bin/sh"
if test "$OSTYPE" = msdosdjgpp; then
    PATH="../apps\;$PATH"
else
    PATH="../apps:$PATH"
fi
export SH PATH

OPENSSL_CONF="../CAtsa.cnf"
export OPENSSL_CONF
# Because that's what ../apps/CA.pl really looks at
SSLEAY_CONFIG="-config $OPENSSL_CONF"
export SSLEAY_CONFIG

OPENSSL="`pwd`/../util/opensslwrap.sh"
export OPENSSL

RUN () {
    ../../util/shlib_wrap.sh ../../apps/openssl ts $*
}

create_tsa_cert () {
    INDEX=$1
    export INDEX
    EXT=$2
    TSDNSECT=ts_cert_dn
    export TSDNSECT

    ../../util/shlib_wrap.sh ../../apps/openssl req -new \
	-out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem || exit 1
    echo using extension $EXT
    ../../util/shlib_wrap.sh ../../apps/openssl x509 -req \
	-in tsa_req${INDEX}.pem -out tsa_cert${INDEX}.pem \
	-CA tsaca.pem -CAkey tsacakey.pem -CAcreateserial \
	-extfile $OPENSSL_CONF -extensions $EXT || exit 1
}

create_time_stamp_response () {
    RUN -reply -section $3 -queryfile $1 -out $2 || exit 1
}

verify_time_stamp_response () {
    RUN -verify -queryfile $1 -in $2 -CAfile tsaca.pem \
	-untrusted tsa_cert1.pem || exit 1
    RUN -verify -data $3 -in $2 -CAfile tsaca.pem \
	-untrusted tsa_cert1.pem || exit 1
}

verify_time_stamp_response_fail () {
    RUN -verify -queryfile $1 -in $2 -CAfile tsaca.pem \
	-untrusted tsa_cert1.pem && exit 1
    echo ok
}

# main functions

echo setting up TSA test directory
rm -rf tsa 2>/dev/null
mkdir tsa
cd ./tsa

echo creating a new CA for the TSA tests
TSDNSECT=ts_ca_dn
export TSDNSECT
../../util/shlib_wrap.sh ../../apps/openssl req -new -x509 -nodes \
	-out tsaca.pem -keyout tsacakey.pem || exit 1

echo creating tsa_cert1.pem TSA server cert
create_tsa_cert 1 tsa_cert

echo creating tsa_cert2.pem non-TSA server cert
create_tsa_cert 2 non_tsa_cert

echo creating req1.req time stamp request for file testtsa
RUN -query -data ../testtsa -policy tsa_policy1 -cert -out req1.tsq || exit 1

echo printing req1.req
RUN -query -in req1.tsq -text

echo generating valid response for req1.req
create_time_stamp_response req1.tsq resp1.tsr tsa_config1

echo printing response
RUN -reply -in resp1.tsr -text || exit 1

echo verifying valid response
verify_time_stamp_response req1.tsq resp1.tsr ../testtsa

echo verifying valid token
RUN -reply -in resp1.tsr -out resp1.tsr.token -token_out || exit 1
RUN -verify -queryfile req1.tsq -in resp1.tsr.token -token_in \
    -CAfile tsaca.pem -untrusted tsa_cert1.pem || exit 1
RUN -verify -data ../testtsa -in resp1.tsr.token -token_in \
    -CAfile tsaca.pem -untrusted tsa_cert1.pem || exit 1

echo creating req2.req time stamp request for file testtsa
RUN -query -data ../testtsa -policy tsa_policy2 -no_nonce \
    -out req2.tsq || exit 1

echo printing req2.req
RUN -query -in req2.tsq -text

echo generating valid response for req2.req
create_time_stamp_response req2.tsq resp2.tsr tsa_config1

echo checking -token_in and -token_out options with -reply
RESPONSE2=resp2.tsr.copy.tsr
TOKEN_DER=resp2.tsr.token.der
RUN -reply -in resp2.tsr -out $TOKEN_DER -token_out || exit 1
RUN -reply -in $TOKEN_DER -token_in -out $RESPONSE2 || exit 1
cmp $RESPONSE2 resp2.tsr || exit 1
RUN -reply -in resp2.tsr -text -token_out || exit 1
RUN -reply -in $TOKEN_DER -token_in -text -token_out || exit 1
RUN -reply -queryfile req2.tsq -text -token_out || exit 1

echo printing response
RUN -reply -in resp2.tsr -text || exit 1

echo verifying valid response
verify_time_stamp_response req2.tsq resp2.tsr ../testtsa

echo verifying response against wrong request, it should fail
verify_time_stamp_response_fail req1.tsq resp2.tsr

echo verifying response against wrong request, it should fail
verify_time_stamp_response_fail req2.tsq resp1.tsr

echo creating req3.req time stamp request for file CAtsa.cnf
RUN -query -data ../CAtsa.cnf -no_nonce -out req3.tsq || exit 1

echo printing req3.req
RUN -query -in req3.tsq -text

echo verifying response against wrong request, it should fail
verify_time_stamp_response_fail req3.tsq resp1.tsr

echo cleaning up
cd ..
rm -rf tsa

exit 0