1#!/bin/sh 2# 3# $OpenBSD: appstest.sh,v 1.67 2025/01/19 11:04:35 tb Exp $ 4# 5# Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org> 6# 7# Permission to use, copy, modify, and distribute this software for any 8# purpose with or without fee is hereby granted, provided that the above 9# copyright notice and this permission notice appear in all copies. 10# 11# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19# 20# appstest.sh - test script for openssl command according to man OPENSSL(1) 21# 22# input : none 23# output : all files generated by this script go under $ssldir 24# 25 26function section_message { 27 echo "" 28 echo "#---------#---------#---------#---------#---------#---------#---------#--------" 29 echo "===" 30 echo "=== (Section) $1 `date +'%Y/%m/%d %H:%M:%S'`" 31 echo "===" 32} 33 34function start_message { 35 echo "" 36 echo "[TEST] $1" 37} 38 39function stop_s_server { 40 if [ ! -z "$s_server_pid" ] ; then 41 echo ":-| stop s_server [ $s_server_pid ]" 42 sleep 1 43 kill -TERM $s_server_pid 44 wait $s_server_pid 45 s_server_pid= 46 fi 47} 48 49function stop_gnutls_serv { 50 if [ ! -z "$gnutls_serv_pid" ] ; then 51 echo ":-| stop gnutls-serv [ $gnutls_serv_pid ]" 52 sleep 1 53 kill -TERM $gnutls_serv_pid 54 wait $gnutls_serv_pid 55 gnutls_serv_pid= 56 fi 57} 58 59function check_exit_status { 60 status=$1 61 if [ $status -ne 0 ] ; then 62 stop_s_server 63 echo ":-< error occurs, exit status = [ $status ]" 64 exit $status 65 else 66 echo ":-) success. " 67 fi 68} 69 70function usage { 71 echo "usage: appstest.sh [-egiq]" 72} 73 74function test_usage_lists_others { 75 # === COMMAND USAGE === 76 section_message "COMMAND USAGE" 77 78 start_message "output usages of all commands." 79 80 cmds=`$openssl_bin list-standard-commands` 81 $openssl_bin -help 2>> $user1_dir/usages.out 82 for c in $cmds ; do 83 $openssl_bin $c -help 2>> $user1_dir/usages.out 84 done 85 86 start_message "check all list-* commands." 87 88 lists="" 89 lists="$lists list-standard-commands" 90 lists="$lists list-message-digest-commands list-message-digest-algorithms" 91 lists="$lists list-cipher-commands list-cipher-algorithms" 92 lists="$lists list-public-key-algorithms" 93 94 listsfile=$user1_dir/lists.out 95 96 for l in $lists ; do 97 echo "" >> $listsfile 98 echo "$l" >> $listsfile 99 $openssl_bin $l >> $listsfile 100 done 101 102 start_message "check interactive mode" 103 $openssl_bin <<__EOF__ 104help 105quit 106__EOF__ 107 check_exit_status $? 108 109 #---------#---------#---------#---------#---------#---------#--------- 110 111 # --- listing operations --- 112 section_message "listing operations" 113 114 start_message "ciphers" 115 $openssl_bin ciphers -V > $user1_dir/ciphers-V.out 116 check_exit_status $? 117 118 start_message "errstr" 119 $openssl_bin errstr 2606A074 120 check_exit_status $? 121 122 #---------#---------#---------#---------#---------#---------#--------- 123 124 # --- random number etc. operations --- 125 section_message "random number etc. operations" 126 127 start_message "passwd" 128 129 pass="test-pass-1234" 130 131 echo $pass | $openssl_bin passwd -stdin -1 132 check_exit_status $? 133 134 echo $pass | $openssl_bin passwd -stdin -apr1 135 check_exit_status $? 136 137 echo $pass | $openssl_bin passwd -stdin -crypt 138 check_exit_status $? 139 140 start_message "prime" 141 142 $openssl_bin prime 1 143 check_exit_status $? 144 145 $openssl_bin prime 2 146 check_exit_status $? 147 148 $openssl_bin prime -bits 64 -checks 3 -generate -hex -safe 5 149 check_exit_status $? 150 151 start_message "rand" 152 153 $openssl_bin rand -base64 100 154 check_exit_status $? 155 156 $openssl_bin rand -hex 100 157 check_exit_status $? 158} 159 160function test_md { 161 # === MESSAGE DIGEST COMMANDS === 162 section_message "MESSAGE DIGEST COMMANDS" 163 164 start_message "dgst - See [MESSAGE DIGEST COMMANDS] section." 165 166 text="1234567890abcdefghijklmnopqrstuvwxyz" 167 dgstdat=$user1_dir/dgst.dat 168 echo $text > $dgstdat 169 hmac_key="test-hmac-key" 170 cmac_key="1234567890abcde1234567890abcde12" 171 dgstkey=$user1_dir/dgstkey.pem 172 dgstpass=test-dgst-pass 173 dgstpub=$user1_dir/dgstpub.pem 174 dgstsig=$user1_dir/dgst.sig 175 176 $openssl_bin genrsa -aes256 -passout pass:$dgstpass -out $dgstkey 177 check_exit_status $? 178 179 $openssl_bin pkey -in $dgstkey -passin pass:$dgstpass -pubout \ 180 -out $dgstpub 181 check_exit_status $? 182 183 digests=`$openssl_bin list-message-digest-commands` 184 185 for d in $digests ; do 186 187 echo -n "$d ... " 188 $openssl_bin dgst -$d -hex -out $dgstdat.$d $dgstdat 189 check_exit_status $? 190 191 echo -n "$d HMAC ... " 192 $openssl_bin dgst -$d -c -hmac $hmac_key -out $dgstdat.$d.hmac \ 193 $dgstdat 194 check_exit_status $? 195 196 echo -n "$d CMAC ... " 197 $openssl_bin dgst -$d -r -mac cmac -macopt cipher:aes-128-cbc \ 198 -macopt hexkey:$cmac_key -out $dgstdat.$d.cmac $dgstdat 199 check_exit_status $? 200 201 echo -n "$d sign ... " 202 $openssl_bin dgst -sign $dgstkey -keyform pem \ 203 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \ 204 -passin pass:$dgstpass -binary -out $dgstsig.$d $dgstdat 205 check_exit_status $? 206 207 echo -n "$d verify ... " 208 $openssl_bin dgst -verify $dgstpub \ 209 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \ 210 -signature $dgstsig.$d $dgstdat 211 check_exit_status $? 212 213 echo -n "$d prverify ... " 214 $openssl_bin dgst -prverify $dgstkey -passin pass:$dgstpass \ 215 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \ 216 -signature $dgstsig.$d $dgstdat 217 check_exit_status $? 218 done 219} 220 221function test_encoding_cipher { 222 # === ENCODING AND CIPHER COMMANDS === 223 section_message "ENCODING AND CIPHER COMMANDS" 224 225 start_message "enc - See [ENCODING AND CIPHER COMMANDS] section." 226 227 text="1234567890abcdefghijklmnopqrstuvwxyz" 228 encfile=$user1_dir/encfile.dat 229 echo $text > $encfile 230 pass="test-pass-1234" 231 232 ciphers=`$openssl_bin list-cipher-commands` 233 234 for c in $ciphers ; do 235 echo -n "$c ... encoding ... " 236 $openssl_bin enc -$c -e -base64 -pass pass:$pass \ 237 -in $encfile -out $encfile-$c.enc 238 check_exit_status $? 239 240 echo -n "decoding ... " 241 $openssl_bin enc -$c -d -base64 -pass pass:$pass \ 242 -in $encfile-$c.enc -out $encfile-$c.dec 243 check_exit_status $? 244 245 echo -n "cmp ... " 246 cmp $encfile $encfile-$c.dec 247 check_exit_status $? 248 done 249} 250 251function test_key { 252 # === various KEY operations === 253 section_message "various KEY operations" 254 255 key_pass=test-key-pass 256 257 # DH 258 259 start_message "gendh - Obsoleted by dhparam." 260 gendh2=$key_dir/gendh2.pem 261 $openssl_bin gendh -2 -out $gendh2 > $gendh2.log 2>&1 262 check_exit_status $? 263 264 start_message "dh - Obsoleted by dhparam." 265 $openssl_bin dh -in $gendh2 -check -text -out $gendh2.out 266 check_exit_status $? 267 268 if [ $no_long_tests = 0 ] ; then 269 start_message "dhparam - Superseded by genpkey and pkeyparam." 270 dhparam2=$key_dir/dhparam2.pem 271 $openssl_bin dhparam -2 -out $dhparam2 > $dhparam2.log 2>&1 272 check_exit_status $? 273 $openssl_bin dhparam -in $dhparam2 -check -text \ 274 -out $dhparam2.out 275 check_exit_status $? 276 else 277 start_message "SKIPPING dhparam - Superseded by genpkey and pkeyparam. (quick mode)" 278 fi 279 280 # DSA 281 282 start_message "dsaparam - Superseded by genpkey and pkeyparam." 283 dsaparam512=$key_dir/dsaparam512.pem 284 $openssl_bin dsaparam -genkey -out $dsaparam512 512 \ 285 > $dsaparam512.log 2>&1 286 check_exit_status $? 287 288 start_message "dsa" 289 $openssl_bin dsa -in $dsaparam512 -text -modulus -out $dsaparam512.out 290 check_exit_status $? 291 292 start_message "gendsa - Superseded by genpkey and pkey." 293 gendsa_des3=$key_dir/gendsa_des3.pem 294 $openssl_bin gendsa -des3 -out $gendsa_des3 \ 295 -passout pass:$key_pass $dsaparam512 296 check_exit_status $? 297 298 # RSA 299 300 start_message "genrsa - Superseded by genpkey." 301 genrsa_aes256=$key_dir/genrsa_aes256.pem 302 $openssl_bin genrsa -f4 -aes256 -out $genrsa_aes256 \ 303 -passout pass:$key_pass 2048 > $genrsa_aes256.log 2>&1 304 check_exit_status $? 305 306 start_message "rsa" 307 $openssl_bin rsa -in $genrsa_aes256 -passin pass:$key_pass \ 308 -check -text -out $genrsa_aes256.out 309 check_exit_status $? 310 311 start_message "rsautl - Superseded by pkeyutl." 312 rsautldat=$key_dir/rsautl.dat 313 rsautlsig=$key_dir/rsautl.sig 314 echo "abcdefghijklmnopqrstuvwxyz1234567890" > $rsautldat 315 316 $openssl_bin rsautl -sign -in $rsautldat -inkey $genrsa_aes256 \ 317 -passin pass:$key_pass -out $rsautlsig 318 check_exit_status $? 319 320 $openssl_bin rsautl -verify -in $rsautlsig -inkey $genrsa_aes256 \ 321 -passin pass:$key_pass 322 check_exit_status $? 323 324 # EC 325 326 start_message "ecparam -list-curves" 327 $openssl_bin ecparam -list_curves -out $key_dir/ecparam-list_curves.out 328 check_exit_status $? 329 330 # get all EC curves 331 ec_curves=`$openssl_bin ecparam -list_curves | grep ':' | cut -d ':' -f 1` 332 333 start_message "ecparam and ec" 334 335 for curve in $ec_curves ; 336 do 337 ecparam=$key_dir/ecparam_$curve.pem 338 339 echo -n "ec - $curve ... ecparam ... " 340 $openssl_bin ecparam -out $ecparam -name $curve -genkey \ 341 -param_enc explicit -conv_form compressed 342 check_exit_status $? 343 344 echo -n "ec ... " 345 $openssl_bin ec -in $ecparam -text \ 346 -out $ecparam.out 2> /dev/null 347 check_exit_status $? 348 done 349 350 # PKEY 351 352 start_message "genpkey" 353 354 # DH by GENPKEY 355 356 genpkey_dh_param=$key_dir/genpkey_dh_param.pem 357 $openssl_bin genpkey -genparam -algorithm DH -out $genpkey_dh_param \ 358 -pkeyopt dh_paramgen_prime_len:1024 > $genpkey_dh_param.log 2>&1 359 check_exit_status $? 360 361 genpkey_dh=$key_dir/genpkey_dh.pem 362 $openssl_bin genpkey -paramfile $genpkey_dh_param -out $genpkey_dh 363 check_exit_status $? 364 365 # DSA by GENPKEY 366 367 genpkey_dsa_param=$key_dir/genpkey_dsa_param.pem 368 $openssl_bin genpkey -genparam -algorithm DSA -out $genpkey_dsa_param \ 369 -pkeyopt dsa_paramgen_bits:1024 > $genpkey_dsa_param.log 2>&1 370 check_exit_status $? 371 372 genpkey_dsa=$key_dir/genpkey_dsa.pem 373 $openssl_bin genpkey -paramfile $genpkey_dsa_param -out $genpkey_dsa 374 check_exit_status $? 375 376 # RSA by GENPKEY 377 378 genpkey_rsa=$key_dir/genpkey_rsa.pem 379 $openssl_bin genpkey -algorithm RSA -out $genpkey_rsa \ 380 -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 \ 381 > $genpkey_rsa.log 2>&1 382 check_exit_status $? 383 384 genpkey_rsa_pss=$key_dir/genpkey_rsa_pss.pem 385 $openssl_bin genpkey -algorithm RSA-PSS -out $genpkey_rsa_pss \ 386 -pkeyopt rsa_keygen_bits:2048 \ 387 -pkeyopt rsa_pss_keygen_mgf1_md:sha256 \ 388 -pkeyopt rsa_pss_keygen_md:sha256 \ 389 -pkeyopt rsa_pss_keygen_saltlen:32 \ 390 > $genpkey_rsa_pss.log 2>&1 391 check_exit_status $? 392 393 # EC by GENPKEY 394 395 genpkey_ec_param=$key_dir/genpkey_ec_param.pem 396 $openssl_bin genpkey -genparam -algorithm EC -out $genpkey_ec_param \ 397 -pkeyopt ec_paramgen_curve:secp384r1 398 check_exit_status $? 399 400 genpkey_ec=$key_dir/genpkey_ec.pem 401 $openssl_bin genpkey -paramfile $genpkey_ec_param -out $genpkey_ec 402 check_exit_status $? 403 404 genpkey_ec_2=$key_dir/genpkey_ec_2.pem 405 $openssl_bin genpkey -paramfile $genpkey_ec_param -out $genpkey_ec_2 406 check_exit_status $? 407 408 start_message "pkeyparam" 409 410 $openssl_bin pkeyparam -in $genpkey_dh_param -text \ 411 -out $genpkey_dh_param.out 412 check_exit_status $? 413 414 $openssl_bin pkeyparam -in $genpkey_dsa_param -text \ 415 -out $genpkey_dsa_param.out 416 check_exit_status $? 417 418 $openssl_bin pkeyparam -in $genpkey_ec_param -text \ 419 -out $genpkey_ec_param.out 420 check_exit_status $? 421 422 start_message "pkey" 423 424 $openssl_bin pkey -in $genpkey_dh -pubout -out $genpkey_dh.pub \ 425 -text_pub 426 check_exit_status $? 427 428 $openssl_bin pkey -in $genpkey_dsa -pubout -out $genpkey_dsa.pub \ 429 -text_pub 430 check_exit_status $? 431 432 $openssl_bin pkey -in $genpkey_rsa -pubout -out $genpkey_rsa.pub \ 433 -text_pub 434 check_exit_status $? 435 436 $openssl_bin pkey -in $genpkey_ec -pubout -out $genpkey_ec.pub \ 437 -text_pub 438 check_exit_status $? 439 440 $openssl_bin pkey -in $genpkey_ec_2 -pubout -out $genpkey_ec_2.pub \ 441 -text_pub 442 check_exit_status $? 443 444 start_message "pkeyutl" 445 446 pkeyutldat=$key_dir/pkeyutl.dat 447 pkeyutlsig=$key_dir/pkeyutl.sig 448 echo "abcdefghijklmnopqrstuvwxyz1234567890" > $pkeyutldat 449 450 $openssl_bin pkeyutl -sign -in $pkeyutldat -inkey $genpkey_rsa \ 451 -out $pkeyutlsig 452 check_exit_status $? 453 454 $openssl_bin pkeyutl -verify -in $pkeyutldat -sigfile $pkeyutlsig \ 455 -inkey $genpkey_rsa 456 check_exit_status $? 457 458 $openssl_bin pkeyutl -verifyrecover -in $pkeyutlsig -inkey $genpkey_rsa 459 check_exit_status $? 460 461 pkeyutlenc=$key_dir/pkeyutl.enc 462 pkeyutldec=$key_dir/pkeyutl.dec 463 464 $openssl_bin pkeyutl -encrypt -in $pkeyutldat \ 465 -pubin -inkey $genpkey_rsa.pub -out $pkeyutlenc 466 check_exit_status $? 467 468 $openssl_bin pkeyutl -decrypt -in $pkeyutlenc \ 469 -inkey $genpkey_rsa -out $pkeyutldec 470 check_exit_status $? 471 472 diff $pkeyutldat $pkeyutldec 473 check_exit_status $? 474 475 pkeyutl_rsa_oaep_enc=$key_dir/pkeyutl_rsa_oaep.enc 476 pkeyutl_rsa_oaep_dec=$key_dir/pkeyutl_rsa_oaep.dec 477 478 $openssl_bin pkeyutl -encrypt -in $pkeyutldat \ 479 -inkey $genpkey_rsa \ 480 -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \ 481 -pkeyopt rsa_oaep_label:0011223344556677 \ 482 -out $pkeyutl_rsa_oaep_enc 483 check_exit_status $? 484 485 $openssl_bin pkeyutl -decrypt -in $pkeyutl_rsa_oaep_enc \ 486 -inkey $genpkey_rsa \ 487 -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \ 488 -pkeyopt rsa_oaep_label:0011223344556677 \ 489 -out $pkeyutl_rsa_oaep_dec 490 check_exit_status $? 491 492 diff $pkeyutldat $pkeyutl_rsa_oaep_dec 493 check_exit_status $? 494 495 pkeyutlsc1=$key_dir/pkeyutl.sc1 496 pkeyutlsc2=$key_dir/pkeyutl.sc2 497 498 $openssl_bin pkeyutl -derive -inkey $genpkey_ec \ 499 -peerkey $genpkey_ec_2.pub -out $pkeyutlsc1 -hexdump 500 check_exit_status $? 501 502 $openssl_bin pkeyutl -derive -inkey $genpkey_ec_2 \ 503 -peerkey $genpkey_ec.pub -out $pkeyutlsc2 -hexdump 504 check_exit_status $? 505 506 diff $pkeyutlsc1 $pkeyutlsc2 507 check_exit_status $? 508} 509 510function test_pki { 511 section_message "setup local CA" 512 513 # 514 # prepare test openssl.cnf 515 # 516 517 cat << __EOF__ > $ssldir/openssl.cnf 518oid_section = new_oids 519[ new_oids ] 520tsa_policy1 = 1.2.3.4.1 521tsa_policy2 = 1.2.3.4.5.6 522tsa_policy3 = 1.2.3.4.5.7 523[ ca ] 524default_ca = CA_default 525[ CA_default ] 526dir = ./$ca_dir 527crl_dir = \$dir/crl 528database = \$dir/index.txt 529new_certs_dir = \$dir/newcerts 530serial = \$dir/serial 531crlnumber = \$dir/crlnumber 532default_days = 1 533default_md = default 534policy = policy_match 535[ policy_match ] 536countryName = match 537stateOrProvinceName = match 538organizationName = match 539organizationalUnitName = optional 540commonName = supplied 541emailAddress = optional 542[ req ] 543distinguished_name = req_distinguished_name 544[ req_distinguished_name ] 545countryName = Country Name 546countryName_default = JP 547countryName_min = 2 548countryName_max = 2 549stateOrProvinceName = State or Province Name 550stateOrProvinceName_default = Tokyo 551organizationName = Organization Name 552organizationName_default = TEST_DUMMY_COMPANY 553commonName = Common Name 554[ tsa ] 555default_tsa = tsa_config1 556[ tsa_config1 ] 557dir = ./$tsa_dir 558serial = \$dir/serial 559crypto_device = builtin 560digests = sha1, sha256, sha384, sha512 561default_policy = tsa_policy1 562other_policies = tsa_policy2, tsa_policy3 563[ tsa_ext ] 564keyUsage = critical,nonRepudiation 565extendedKeyUsage = critical,timeStamping 566[ ocsp_ext ] 567basicConstraints = CA:FALSE 568keyUsage = nonRepudiation,digitalSignature,keyEncipherment 569extendedKeyUsage = OCSPSigning 570__EOF__ 571 572 #---------#---------#---------#---------#---------#---------#--------- 573 574 # 575 # setup test CA 576 # 577 578 mkdir -p $ca_dir 579 mkdir -p $tsa_dir 580 mkdir -p $ocsp_dir 581 mkdir -p $server_dir 582 583 mkdir -p $ca_dir/certs 584 mkdir -p $ca_dir/private 585 mkdir -p $ca_dir/crl 586 mkdir -p $ca_dir/newcerts 587 chmod 700 $ca_dir/private 588 echo "01" > $ca_dir/serial 589 touch $ca_dir/index.txt 590 touch $ca_dir/crlnumber 591 echo "01" > $ca_dir/crlnumber 592 593 # 594 # setup test TSA 595 # 596 mkdir -p $tsa_dir/private 597 chmod 700 $tsa_dir/private 598 echo "01" > $tsa_dir/serial 599 touch $tsa_dir/index.txt 600 601 # 602 # setup test OCSP 603 # 604 mkdir -p $ocsp_dir/private 605 chmod 700 $ocsp_dir/private 606 607 #---------#---------#---------#---------#---------#---------#--------- 608 609 # --- CA initiate (generate CA key and cert) --- 610 611 start_message "req ... generate CA key and self signed cert" 612 613 ca_cert=$ca_dir/ca_cert.pem 614 ca_key=$ca_dir/private/ca_key.pem ca_pass=test-ca-pass 615 616 if [ $mingw = 0 ] ; then 617 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testCA.test-dummy.com/' 618 else 619 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testCA.test-dummy.com\' 620 fi 621 622 $openssl_bin req -new -x509 -batch -newkey rsa:2048 \ 623 -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 \ 624 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \ 625 -config $ssldir/openssl.cnf -verbose \ 626 -subj $subj -days 1 -set_serial 1 -multivalue-rdn \ 627 -keyout $ca_key -passout pass:$ca_pass \ 628 -out $ca_cert -outform pem 629 check_exit_status $? 630 631 #---------#---------#---------#---------#---------#---------#--------- 632 633 # --- TSA initiate (generate TSA key and cert) --- 634 635 start_message "req ... generate TSA key and cert" 636 637 # generate CSR for TSA 638 639 tsa_csr=$tsa_dir/tsa_csr.pem 640 tsa_key=$tsa_dir/private/tsa_key.pem 641 tsa_pass=test-tsa-pass 642 643 if [ $mingw = 0 ] ; then 644 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testTSA.test-dummy.com/' 645 else 646 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testTSA.test-dummy.com\' 647 fi 648 649 $openssl_bin req -new -keyout $tsa_key -out $tsa_csr \ 650 -passout pass:$tsa_pass -subj $subj 651 check_exit_status $? 652 653 start_message "ca ... sign by CA with TSA extensions" 654 655 tsa_cert=$tsa_dir/tsa_cert.pem 656 657 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -keyform pem \ 658 -key $ca_pass -config $ssldir/openssl.cnf -create_serial \ 659 -policy policy_match -days 1 -md sha256 -extensions tsa_ext \ 660 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 \ 661 -multivalue-rdn -preserveDN -noemailDN \ 662 -in $tsa_csr -outdir $tsa_dir -out $tsa_cert -verbose -notext \ 663 > $tsa_cert.log 2>&1 664 check_exit_status $? 665 666 #---------#---------#---------#---------#---------#---------#--------- 667 668 # --- OCSP initiate (generate OCSP key and cert) --- 669 670 start_message "req ... generate OCSP key and cert" 671 672 # generate CSR for OCSP 673 674 ocsp_csr=$ocsp_dir/ocsp_csr.pem 675 ocsp_key=$ocsp_dir/private/ocsp_key.pem 676 677 if [ $mingw = 0 ] ; then 678 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testOCSP.test-dummy.com/' 679 else 680 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testOCSP.test-dummy.com\' 681 fi 682 683 $openssl_bin req -new -keyout $ocsp_key -nodes -out $ocsp_csr \ 684 -subj $subj 685 check_exit_status $? 686 687 start_message "ca ... sign by CA with OCSP extensions" 688 689 ocsp_cert=$ocsp_dir/ocsp_cert.pem 690 691 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -keyform pem \ 692 -key $ca_pass -out $ocsp_cert -extensions ocsp_ext \ 693 -startdate `date -u '+%y%m%d%H%M%SZ'` -enddate 491223235959Z \ 694 -subj $subj -infiles $ocsp_csr > $ocsp_cert.log 2>&1 695 check_exit_status $? 696 697 #---------#---------#---------#---------#---------#---------#--------- 698 699 # --- server-admin operations (generate server key and csr) --- 700 section_message "server-admin operations (generate server key and csr)" 701 702 # RSA certificate 703 704 sv_rsa_key=$server_dir/sv_rsa_key.pem 705 sv_rsa_csr=$server_dir/sv_rsa_csr.pem 706 sv_rsa_pass=test-server-pass 707 708 if [ $mingw = 0 ] ; then 709 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=localhost.test-dummy.com/' 710 else 711 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=localhost.test-dummy.com\' 712 fi 713 714 start_message "genrsa ... generate server key#1" 715 716 $openssl_bin genrsa -aes256 -passout pass:$sv_rsa_pass -out $sv_rsa_key 717 check_exit_status $? 718 719 $openssl_bin rsa -in $sv_rsa_key -passin pass:$sv_rsa_pass \ 720 -out $sv_rsa_key.nopass 721 check_exit_status $? 722 723 start_message "req ... generate server csr#1" 724 725 $openssl_bin req -new -subj $subj -sha256 \ 726 -key $sv_rsa_key -keyform pem -passin pass:$sv_rsa_pass \ 727 -addext 'subjectAltName = DNS:localhost.test-dummy.com' \ 728 -out $sv_rsa_csr -outform pem 729 check_exit_status $? 730 731 start_message "req ... verify server csr#1" 732 733 $openssl_bin req -verify -in $sv_rsa_csr -inform pem \ 734 -newhdr -noout -pubkey -subject -modulus -text \ 735 -nameopt multiline -reqopt compatible \ 736 -out $sv_rsa_csr.verify.out 737 check_exit_status $? 738 739 start_message "req ... generate server csr#2 (interactive mode)" 740 741 # RSA certificate (for revoke test) 742 743 revoke_key=$server_dir/revoke_key.pem 744 revoke_csr=$server_dir/revoke_csr.pem 745 revoke_pass=test-revoke-pass 746 747 $openssl_bin req -new -keyout $revoke_key -out $revoke_csr \ 748 -passout pass:$revoke_pass <<__EOF__ 749JP 750Tokyo 751TEST_DUMMY_COMPANY 752revoke.test-dummy.com 753__EOF__ 754 check_exit_status $? 755 756 # ECDSA certificate 757 758 sv_ecdsa_key=$server_dir/sv_ecdsa_key.pem 759 sv_ecdsa_csr=$server_dir/sv_ecdsa_csr.pem 760 sv_ecdsa_pass=test-ecdsa-pass 761 762 if [ $mingw = 0 ] ; then 763 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=ecdsa.test-dummy.com/' 764 else 765 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=ecdsa.test-dummy.com\' 766 fi 767 768 start_message "ecparam ... generate server key#3" 769 770 $openssl_bin ecparam -name prime256v1 -genkey -out $sv_ecdsa_key 771 check_exit_status $? 772 773 start_message "req ... generate server csr#3" 774 775 $openssl_bin req -new -subj $subj -sha256 \ 776 -key $sv_ecdsa_key -keyform pem -passin pass:$sv_ecdsa_pass \ 777 -addext 'subjectAltName = DNS:ecdsa.test-dummy.com' \ 778 -out $sv_ecdsa_csr -outform pem 779 check_exit_status $? 780 781 start_message "req ... verify server csr#3" 782 783 $openssl_bin req -verify -in $sv_ecdsa_csr -inform pem \ 784 -newhdr -noout -pubkey -subject -modulus -text \ 785 -nameopt multiline -reqopt compatible \ 786 -out $sv_ecdsa_csr.verify.out 787 check_exit_status $? 788 789 #---------#---------#---------#---------#---------#---------#--------- 790 791 # --- CA operations (issue cert for server) --- 792 section_message "CA operations (issue cert for server)" 793 794 start_message "ca ... issue cert for server csr#1" 795 796 sv_rsa_cert=$server_dir/sv_rsa_cert.pem 797 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 798 -in $sv_rsa_csr -out $sv_rsa_cert > $sv_rsa_cert.log 2>&1 799 check_exit_status $? 800 801 start_message "x509 ... issue cert for server csr#2" 802 803 $openssl_bin genrsa -out $server_dir/testkey.pem 2>&1 804 check_exit_status $? 805 $openssl_bin rsa -in $server_dir/testkey.pem -pubout \ 806 -out $server_dir/testpubkey.pem 2>&1 807 check_exit_status $? 808 809 revoke_cert=$server_dir/revoke_cert.pem 810 $openssl_bin x509 -req -in $revoke_csr -CA $ca_cert -CAform pem \ 811 -CAkey $ca_key -CAkeyform pem \ 812 -CAserial $ca_dir/serial -set_serial 10 \ 813 -passin pass:$ca_pass -CAcreateserial -out $revoke_cert \ 814 -set_issuer /CN=issuer -set_subject /CN=subject \ 815 -force_pubkey $server_dir/testpubkey.pem 816 > $revoke_cert.log 2>&1 817 check_exit_status $? 818 819 start_message "x509 ... check if csr#2 cert has proper issuer & subject" 820 if [ "$($openssl_bin x509 -in $revoke_cert -issuer -noout)" != \ 821 "issuer= /CN=issuer" ]; then 822 exit 1 823 fi 824 if [ "$($openssl_bin x509 -in $revoke_cert -subject -noout)" != \ 825 "subject= /CN=subject" ]; then 826 exit 1 827 fi 828 check_exit_status 0 829 830 start_message "x509 ... check if csr#2 cert pubkey was forced" 831 $openssl_bin x509 -in $revoke_cert -pubkey -noout > $revoke_cert.pub 832 check_exit_status $? 833 diff $server_dir/testpubkey.pem $revoke_cert.pub 834 check_exit_status $? 835 836 start_message "x509 ... test -new" 837 $openssl_bin genrsa -out $server_dir/ca-new.key 2048 838 check_exit_status $? 839 $openssl_bin x509 -new -set_issuer '/CN=test-issuer' \ 840 -set_subject '/CN=test-subject' \ 841 -out $server_dir/new.pem -days 1 -key $server_dir/ca-new.key \ 842 -force_pubkey $revoke_cert.pub 843 check_exit_status $? 844 $openssl_bin x509 -in $server_dir/new.pem -pubkey -noout \ 845 > $server_dir/new.pem.pub 846 check_exit_status $? 847 848 start_message "x509 ... check if -new cert has proper pubkey" 849 diff $server_dir/testpubkey.pem $server_dir/new.pem.pub 850 check_exit_status $? 851 852 start_message "x509 ... check if -new cert has proper issuer & subject" 853 if [ "$($openssl_bin x509 -in $server_dir/new.pem -issuer -noout)" != \ 854 "issuer= /CN=test-issuer" ]; then 855 exit 1 856 fi 857 if [ "$($openssl_bin x509 -in $server_dir/new.pem -subject -noout)" != \ 858 "subject= /CN=test-subject" ]; then 859 exit 1 860 fi 861 check_exit_status 0 862 863 start_message "x509 ... test -new without -force_pubkey" 864 $openssl_bin x509 -new -set_subject '/CN=test-subject2' \ 865 -out $server_dir/new2.pem -days 1 -key $server_dir/ca-new.key 866 check_exit_status $? 867 $openssl_bin x509 -in $server_dir/new2.pem -pubkey -noout \ 868 > $server_dir/new2.pem.pub 869 check_exit_status $? 870 $openssl_bin rsa -in $server_dir/ca-new.key -pubout \ 871 -out $server_dir/ca-new.pubkey 872 check_exit_status $? 873 diff $server_dir/new2.pem.pub $server_dir/ca-new.pubkey 874 check_exit_status $? 875 if [ "$($openssl_bin x509 -in $server_dir/new2.pem -issuer -noout)" \ 876 != "issuer= /CN=test-subject2" ]; then 877 exit 1 878 fi 879 if [ "$($openssl_bin x509 -in $server_dir/new2.pem -subject -noout)" \ 880 != "subject= /CN=test-subject2" ]; then 881 exit 1 882 fi 883 check_exit_status 0 884 885 start_message "ca ... issue cert for server csr#3" 886 887 sv_ecdsa_cert=$server_dir/sv_ecdsa_cert.pem 888 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 889 -in $sv_ecdsa_csr -out $sv_ecdsa_cert > $sv_ecdsa_cert.log 2>&1 890 check_exit_status $? 891 892 #---------#---------#---------#---------#---------#---------#--------- 893 894 # --- CA operations (revoke cert and generate crl) --- 895 section_message "CA operations (revoke cert and generate crl)" 896 897 start_message "ca ... revoke server cert#2" 898 crl_file=$ca_dir/crl.pem 899 $openssl_bin ca -gencrl -out $crl_file -revoke $revoke_cert \ 900 -config $ssldir/openssl.cnf -name CA_default \ 901 -crldays 30 -crlhours 12 -crlsec 30 -updatedb \ 902 -crl_reason unspecified -crl_hold 1.2.840.10040.2.2 \ 903 -crl_compromise `date -u '+%Y%m%d%H%M%SZ'` \ 904 -crl_CA_compromise `date -u '+%Y%m%d%H%M%SZ'` \ 905 -keyfile $ca_key -passin pass:$ca_pass -cert $ca_cert \ 906 > $crl_file.log 2>&1 907 check_exit_status $? 908 909 start_message "ca ... show certificate status by serial number" 910 $openssl_bin ca -config $ssldir/openssl.cnf -status 1 911 912 start_message "crl ... CA generates CRL" 913 $openssl_bin crl -in $crl_file -fingerprint >> $crl_file.log 2>&1 914 check_exit_status $? 915 916 crl_p7=$ca_dir/crl.p7 917 start_message "crl2pkcs7 ... convert CRL to pkcs7" 918 $openssl_bin crl2pkcs7 -in $crl_file -certfile $ca_cert -out $crl_p7 919 check_exit_status $? 920 921 #---------#---------#---------#---------#---------#---------#--------- 922 923 # --- server-admin operations (check csr, verify cert, certhash) --- 924 section_message "server-admin operations (check csr, verify cert, certhash)" 925 926 start_message "asn1parse ... parse server csr#1" 927 $openssl_bin asn1parse -in $sv_rsa_csr -i -dlimit 100 -length 1000 \ 928 -strparse 01 > $sv_rsa_csr.asn1parse.out 929 check_exit_status $? 930 931 start_message "verify ... server cert#1" 932 $openssl_bin verify -verbose -CAfile $ca_cert -CRLfile $crl_file \ 933 -crl_check -issuer_checks -purpose sslserver $sv_rsa_cert 934 check_exit_status $? 935 936 start_message "x509 ... get detail info about server cert#1" 937 $openssl_bin x509 -in $sv_rsa_cert -text -dates -startdate -enddate \ 938 -fingerprint -issuer -issuer_hash -issuer_hash_old \ 939 -subject -hash -subject_hash -subject_hash_old -ocsp_uri \ 940 -ocspid -modulus -pubkey -serial -email -noout -trustout \ 941 -alias -clrtrust -clrreject -next_serial -checkend 3600 \ 942 -nameopt multiline -certopt compatible > $sv_rsa_cert.x509.out 943 check_exit_status $? 944 945 if [ $mingw = 0 ] ; then 946 start_message "certhash" 947 $openssl_bin certhash -v $server_dir \ 948 > $server_dir/certhash.log 2>&1 949 check_exit_status $? 950 fi 951 952 # self signed 953 start_message "x509 ... generate self signed server cert" 954 server_self_cert=$server_dir/server_self_cert.pem 955 $openssl_bin x509 -in $sv_rsa_cert -signkey $sv_rsa_key -keyform pem \ 956 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \ 957 -passin pass:$sv_rsa_pass -out $server_self_cert -days 1 958 check_exit_status $? 959 960 #---------#---------#---------#---------#---------#---------#--------- 961 962 # --- user1 operations (generate user1 key and csr) --- 963 section_message "user1 operations (generate user1 key and csr)" 964 965 # trust 966 start_message "x509 ... trust testCA cert" 967 user1_trust=$user1_dir/user1_trust_ca.pem 968 $openssl_bin x509 -in $ca_cert -addtrust clientAuth \ 969 -setalias "trusted testCA" -purpose -out $user1_trust \ 970 > $user1_trust.log 2>&1 971 check_exit_status $? 972 973 start_message "req ... generate private key and csr for user1" 974 975 cl_rsa_key=$user1_dir/cl_rsa_key.pem 976 cl_rsa_csr=$user1_dir/cl_rsa_csr.pem 977 cl_rsa_pass=test-user1-pass 978 979 if [ $mingw = 0 ] ; then 980 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user1.test-dummy.com/' 981 else 982 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user1.test-dummy.com\' 983 fi 984 985 $openssl_bin req -new -keyout $cl_rsa_key -out $cl_rsa_csr \ 986 -passout pass:$cl_rsa_pass -subj $subj > $cl_rsa_csr.log 2>&1 987 check_exit_status $? 988 989 start_message "req ... generate private key and csr for user2" 990 991 cl_ecdsa_key=$user1_dir/cl_ecdsa_key.pem 992 cl_ecdsa_csr=$user1_dir/cl_ecdsa_csr.pem 993 cl_ecdsa_pass=test-user1-pass 994 995 if [ $mingw = 0 ] ; then 996 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user2.test-dummy.com/' 997 else 998 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user2.test-dummy.com\' 999 fi 1000 1001 $openssl_bin ecparam -name prime256v1 -genkey -out $cl_ecdsa_key 1002 check_exit_status $? 1003 1004 $openssl_bin req -new -subj $subj -sha256 \ 1005 -key $cl_ecdsa_key -keyform pem -passin pass:$cl_ecdsa_pass \ 1006 -out $cl_ecdsa_csr -outform pem 1007 check_exit_status $? 1008 1009 #---------#---------#---------#---------#---------#---------#--------- 1010 1011 # --- CA operations (issue cert for user1) --- 1012 section_message "CA operations (issue cert for user1)" 1013 1014 start_message "ca ... issue cert for user1" 1015 1016 cl_rsa_cert=$user1_dir/cl_rsa_cert.pem 1017 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 1018 -in $cl_rsa_csr -out $cl_rsa_cert > $cl_rsa_cert.log 2>&1 1019 check_exit_status $? 1020 1021 start_message "ca ... issue cert for user2" 1022 1023 cl_ecdsa_cert=$user1_dir/cl_ecdsa_cert.pem 1024 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 1025 -in $cl_ecdsa_csr -out $cl_ecdsa_cert > $cl_ecdsa_cert.log 2>&1 1026 check_exit_status $? 1027} 1028 1029function test_tsa { 1030 # --- TSA operations --- 1031 section_message "TSA operations" 1032 1033 tsa_dat=$user1_dir/tsa.dat 1034 cat << __EOF__ > $tsa_dat 1035Hello Bob, 1036Sincerely yours 1037Alice 1038__EOF__ 1039 1040 # Query 1041 start_message "ts ... create time stamp request" 1042 1043 tsa_tsq=$user1_dir/tsa.tsq 1044 1045 $openssl_bin ts -query -sha1 -data $tsa_dat -no_nonce -out $tsa_tsq 1046 check_exit_status $? 1047 1048 start_message "ts ... print time stamp request" 1049 1050 $openssl_bin ts -query -in $tsa_tsq -text -out $tsa_tsq.log 1051 check_exit_status $? 1052 1053 # Reply 1054 start_message "ts ... create time stamp response for a request" 1055 1056 tsa_tsr=$user1_dir/tsa.tsr 1057 1058 $openssl_bin ts -reply -queryfile $tsa_tsq -inkey $tsa_key \ 1059 -passin pass:$tsa_pass -signer $tsa_cert -chain $ca_cert \ 1060 -config $ssldir/openssl.cnf -section tsa_config1 -cert \ 1061 -policy 1.3.6.1.4.1.4146.2.3 -out $tsa_tsr 1062 check_exit_status $? 1063 1064 # Verify 1065 start_message "ts ... verify time stamp response" 1066 1067 $openssl_bin ts -verify -queryfile $tsa_tsq -in $tsa_tsr \ 1068 -CAfile $ca_cert -untrusted $tsa_cert 1069 check_exit_status $? 1070} 1071 1072function test_cms { 1073 # --- CMS operations --- 1074 section_message "CMS operations" 1075 1076 if [ $ecdsa_tests = 1 ] ; then 1077 echo "Using ECDSA certificate" 1078 type=ecdsa 1079 cl_cert=$cl_ecdsa_cert 1080 cl_key=$cl_ecdsa_key 1081 sv_cert=$sv_ecdsa_cert 1082 sv_key=$sv_ecdsa_key 1083 sign_keyopt= 1084 enc_keyopt= 1085 else 1086 echo "Using RSA certificate" 1087 type=rsa 1088 cl_cert=$cl_rsa_cert 1089 cl_key="$cl_rsa_key -passin pass:$cl_rsa_pass" 1090 sv_cert=$sv_rsa_cert 1091 sv_key="$sv_rsa_key -passin pass:$sv_rsa_pass" 1092 sign_keyopt="-keyopt rsa_padding_mode:pss" 1093 enc_keyopt="-keyopt rsa_padding_mode:oaep" 1094 fi 1095 1096 cms_txt=$user1_dir/cms_$type.txt 1097 cms_sig=$user1_dir/cms_$type.sig 1098 cms_enc=$user1_dir/cms_$type.enc 1099 cms_dec=$user1_dir/cms_$type.dec 1100 cms_sgr=$user1_dir/cms_$type.sgr 1101 cms_ver=$user1_dir/cms_$type.ver 1102 cms_out=$user1_dir/cms_$type.out 1103 cms_dct=$user1_dir/cms_$type.dct 1104 cms_dot=$user1_dir/cms_$type.dot 1105 cms_dgc=$user1_dir/cms_$type.dgc 1106 cms_dgv=$user1_dir/cms_$type.dgv 1107 cms_ede=$user1_dir/cms_$type.ede 1108 cms_edd=$user1_dir/cms_$type.edd 1109 cms_srp=$user1_dir/cms_$type.srp 1110 cms_pwe=$user1_dir/cms_$type.pwe 1111 cms_pwd=$user1_dir/cms_$type.pwd 1112 1113 cat << __EOF__ > $cms_txt 1114Hello Bob, 1115Sincerely yours 1116Alice 1117__EOF__ 1118 1119 # sign 1120 start_message "cms ... sign to message" 1121 1122 $openssl_bin cms -sign -in $cms_txt -text \ 1123 -out $cms_sig -outform smime \ 1124 -signer $cl_cert -inkey $cl_key $sign_keyopt \ 1125 -keyform pem -md sha256 \ 1126 -from user1@test-dummy.com -to server@test-dummy.com \ 1127 -subject "test openssl cms" \ 1128 -receipt_request_from server@test-dummy.com \ 1129 -receipt_request_to user1@test-dummy.com 1130 check_exit_status $? 1131 1132 # encrypt 1133 start_message "cms ... encrypt message" 1134 1135 $openssl_bin cms -encrypt -aes256 -binary -in $cms_sig -inform smime \ 1136 -recip $sv_cert $enc_keyopt -out $cms_enc 1137 check_exit_status $? 1138 1139 # decrypt 1140 start_message "cms ... decrypt message" 1141 1142 $openssl_bin cms -decrypt -in $cms_enc -out $cms_dec \ 1143 -recip $sv_cert -inkey $sv_key 1144 check_exit_status $? 1145 1146 # verify 1147 start_message "cms ... verify message" 1148 1149 $openssl_bin cms -verify -in $cms_dec \ 1150 -CAfile $ca_cert -certfile $cl_cert -nointern \ 1151 -check_ss_sig -issuer_checks -policy_check -x509_strict \ 1152 -signer $cms_sgr -text -out $cms_ver -receipt_request_print \ 1153 > $cms_ver.log 2>&1 1154 check_exit_status $? 1155 1156 diff -b $cms_ver $cms_txt 1157 check_exit_status $? 1158 1159 # cmsout 1160 start_message "cms ... cmsout" 1161 1162 $openssl_bin cms -cmsout -in $cms_enc -print -out $cms_out 1163 check_exit_status $? 1164 1165 # data_create 1166 start_message "cms ... data_create" 1167 1168 $openssl_bin cms -data_create -in $cms_enc -out $cms_dct 1169 check_exit_status $? 1170 1171 # data_out 1172 start_message "cms ... data_out" 1173 1174 $openssl_bin cms -data_out -in $cms_dct -out $cms_dot 1175 check_exit_status $? 1176 1177 # digest_create 1178 start_message "cms ... digest_create" 1179 1180 $openssl_bin cms -digest_create -in $cms_txt -md sha256 -out $cms_dgc 1181 check_exit_status $? 1182 1183 # digest_verify 1184 start_message "cms ... digest_verify" 1185 1186 $openssl_bin cms -digest_verify -in $cms_dgc -md sha256 -out $cms_dgv 1187 check_exit_status $? 1188 1189 diff -b $cms_dgv $cms_txt 1190 check_exit_status $? 1191 1192 # compress 1193 1194 # uncompress 1195 1196 # EncryptedData_encrypt 1197 start_message "cms ... EncryptedData_encrypt" 1198 1199 $openssl_bin cms -EncryptedData_encrypt -in $cms_sig -out $cms_ede \ 1200 -aes128 -secretkey 00112233445566778899aabbccddeeff 1201 check_exit_status $? 1202 1203 # EncryptedData_decrypt 1204 start_message "cms ... EncryptedData_decrypt" 1205 1206 $openssl_bin cms -EncryptedData_decrypt -in $cms_ede -out $cms_edd \ 1207 -aes128 -secretkey 00112233445566778899aabbccddeeff 1208 check_exit_status $? 1209 1210 diff -b $cms_edd $cms_sig 1211 check_exit_status $? 1212 1213 # sign_receipt 1214 start_message "cms ... sign to receipt" 1215 1216 $openssl_bin cms -sign_receipt -in $cms_sig -out $cms_srp \ 1217 -signer $sv_cert -inkey $sv_key -md sha256 1218 check_exit_status $? 1219 1220 # verify_receipt 1221 start_message "cms ... verify receipt" 1222 1223 $openssl_bin cms -verify_receipt $cms_srp -rctform smime -in $cms_sig \ 1224 -CAfile $ca_cert -certfile $sv_cert 1225 check_exit_status $? 1226 1227 # encrypt with pwri 1228 start_message "cms ... encrypt with pwri" 1229 1230 $openssl_bin cms -encrypt -camellia256 -in $cms_txt -out $cms_pwe \ 1231 -pwri_password abcdefg 1232 check_exit_status $? 1233 1234 # decrypt with pwri 1235 start_message "cms ... decrypt with pwri" 1236 1237 $openssl_bin cms -decrypt -camellia256 -in $cms_pwe -out $cms_pwd \ 1238 -pwri_password abcdefg 1239 check_exit_status $? 1240 1241 diff -b $cms_pwd $cms_txt 1242 check_exit_status $? 1243} 1244 1245function test_smime { 1246 # --- S/MIME operations --- 1247 section_message "S/MIME operations" 1248 1249 cl_cert=$cl_rsa_cert 1250 cl_key="$cl_rsa_key -passin pass:$cl_rsa_pass" 1251 sv_cert=$sv_rsa_cert 1252 sv_key="$sv_rsa_key -passin pass:$sv_rsa_pass" 1253 1254 smime_txt=$user1_dir/smime.txt 1255 smime_enc=$user1_dir/smime.enc 1256 smime_sig=$user1_dir/smime.sig 1257 smime_p7o=$user1_dir/smime.p7o 1258 smime_sgr=$user1_dir/smime.sgr 1259 smime_ver=$user1_dir/smime.ver 1260 smime_dec=$user1_dir/smime.dec 1261 1262 cat << __EOF__ > $smime_txt 1263Hello Bob, 1264Sincerely yours 1265Alice 1266__EOF__ 1267 1268 # encrypt 1269 start_message "smime ... encrypt message" 1270 1271 $openssl_bin smime -encrypt -aes256 -binary -in $smime_txt \ 1272 -out $smime_enc $sv_cert 1273 check_exit_status $? 1274 1275 # sign 1276 start_message "smime ... sign to message" 1277 1278 $openssl_bin smime -sign -in $smime_enc -text -inform smime \ 1279 -out $smime_sig -outform smime \ 1280 -signer $cl_cert -inkey $cl_key -keyform pem -md sha256 \ 1281 -from user1@test-dummy.com -to server@test-dummy.com \ 1282 -subject "test openssl smime" 1283 check_exit_status $? 1284 1285 # pk7out 1286 start_message "smime ... pk7out from message" 1287 1288 $openssl_bin smime -pk7out -in $smime_sig -out $smime_p7o 1289 check_exit_status $? 1290 1291 # verify 1292 start_message "smime ... verify message" 1293 1294 $openssl_bin smime -verify -in $smime_sig \ 1295 -CAfile $ca_cert -certfile $cl_cert -nointern \ 1296 -check_ss_sig -issuer_checks -policy_check -x509_strict \ 1297 -signer $smime_sgr -text -out $smime_ver 1298 check_exit_status $? 1299 1300 # decrypt 1301 start_message "smime ... decrypt message" 1302 1303 $openssl_bin smime -decrypt -in $smime_ver -out $smime_dec \ 1304 -recip $sv_cert -inkey $sv_key 1305 check_exit_status $? 1306 1307 diff $smime_dec $smime_txt 1308 check_exit_status $? 1309} 1310 1311function test_ocsp { 1312 # --- OCSP operations --- 1313 section_message "OCSP operations" 1314 1315 # get key without pass 1316 cl_rsa_key_nopass=$user1_dir/cl_rsa_key_nopass.pem 1317 $openssl_bin pkey -in $cl_rsa_key -passin pass:$cl_rsa_pass \ 1318 -out $cl_rsa_key_nopass 1319 check_exit_status $? 1320 1321 # request 1322 start_message "ocsp ... create OCSP request" 1323 1324 ocsp_req=$user1_dir/ocsp_req.der 1325 $openssl_bin ocsp -issuer $ca_cert -cert $sv_rsa_cert \ 1326 -cert $revoke_cert -serial 1 -nonce -no_certs -CAfile $ca_cert \ 1327 -signer $cl_rsa_cert -signkey $cl_rsa_key_nopass \ 1328 -sign_other $cl_rsa_cert -sha256 \ 1329 -reqout $ocsp_req -req_text -out $ocsp_req.out 1330 check_exit_status $? 1331 1332 # response 1333 start_message "ocsp ... create OCPS response for a request" 1334 1335 ocsp_res=$user1_dir/ocsp_res.der 1336 $openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert \ 1337 -CAfile $ca_cert -rsigner $ocsp_cert -rkey $ocsp_key \ 1338 -reqin $ocsp_req -rother $ocsp_cert -resp_no_certs -noverify \ 1339 -nmin 60 -validity_period 300 -status_age 300 \ 1340 -respout $ocsp_res -resp_text -out $ocsp_res.out 1341 check_exit_status $? 1342 1343 # ocsp server 1344 start_message "ocsp ... start OCSP server in background" 1345 1346 ocsp_port=8888 1347 1348 ocsp_svr_log=$user1_dir/ocsp_svr.log 1349 $openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert \ 1350 -CAfile $ca_cert -rsigner $ocsp_cert -rkey $ocsp_key \ 1351 -host localhost -port $ocsp_port -path / -ndays 1 -nrequest 1 \ 1352 -resp_key_id -text -out $ocsp_svr_log & 1353 check_exit_status $? 1354 ocsp_svr_pid=$! 1355 echo "ocsp server pid = [ $ocsp_svr_pid ]" 1356 sleep 1 1357 1358 # send query to ocsp server 1359 start_message "ocsp ... send OCSP request to server" 1360 1361 ocsp_qry=$user1_dir/ocsp_qry.der 1362 $openssl_bin ocsp -issuer $ca_cert -cert $sv_rsa_cert \ 1363 -cert $revoke_cert -CAfile $ca_cert -no_nonce \ 1364 -url http://localhost:$ocsp_port -timeout 10 -text \ 1365 -header Host localhost \ 1366 -respout $ocsp_qry -out $ocsp_qry.out 1367 check_exit_status $? 1368 1369 # verify response from server 1370 start_message "ocsp ... verify OCSP response from server" 1371 1372 $openssl_bin ocsp -respin $ocsp_qry -CAfile $ca_cert \ 1373 -ignore_err -no_signature_verify -no_cert_verify -no_chain \ 1374 -no_cert_checks -no_explicit -trust_other -no_intern \ 1375 -verify_other $ocsp_cert -VAfile $ocsp_cert 1376 check_exit_status $? 1377} 1378 1379function test_pkcs { 1380 # --- PKCS operations --- 1381 section_message "PKCS operations" 1382 1383 pkcs_pass=test-pkcs-pass 1384 1385 start_message "pkcs7 ... output certs in crl(pkcs7)" 1386 $openssl_bin pkcs7 -in $crl_p7 -print_certs -text -out $crl_p7.out 1387 check_exit_status $? 1388 1389 start_message "pkcs8 ... convert key to pkcs8" 1390 $openssl_bin pkcs8 -in $cl_rsa_key -topk8 -out $cl_rsa_key.p8 \ 1391 -passin pass:$cl_rsa_pass -passout pass:$cl_rsa_pass \ 1392 -v1 pbeWithSHA1AndDES-CBC -v2 des3 1393 check_exit_status $? 1394 1395 start_message "pkcs8 ... convert pkcs8 to key in DER format" 1396 $openssl_bin pkcs8 -in $cl_rsa_key.p8 -passin pass:$cl_rsa_pass \ 1397 -outform DER -out $cl_rsa_key.p8.der 1398 check_exit_status $? 1399 1400 start_message "pkcs12 ... create" 1401 $openssl_bin pkcs12 -export -in $sv_rsa_cert -inkey $sv_rsa_key \ 1402 -passin pass:$sv_rsa_pass -certfile $ca_cert -CAfile $ca_cert \ 1403 -caname "caname_server_p12" \ 1404 -certpbe AES-256-CBC -keypbe AES-256-CBC -chain \ 1405 -name "name_server_p12" -des3 -maciter -macalg sha256 \ 1406 -keyex -passout pass:$pkcs_pass -out $sv_rsa_cert.p12 1407 check_exit_status $? 1408 1409 start_message "pkcs12 ... verify" 1410 $openssl_bin pkcs12 -in $sv_rsa_cert.p12 -passin pass:$pkcs_pass -info \ 1411 -noout > $sv_rsa_cert.p12.log 2>&1 1412 check_exit_status $? 1413 1414 start_message "pkcs12 ... private key to PEM without encryption" 1415 $openssl_bin pkcs12 -in $sv_rsa_cert.p12 -password pass:$pkcs_pass \ 1416 -nocerts -nomacver -nodes -out $sv_rsa_cert.p12.pem 1417 check_exit_status $? 1418} 1419 1420function test_sc_by_protocol_version { 1421 sc=$1 1422 ver=$2 1423 msg=$3 1424 cid=$4 1425 1426 groups_and_cipher="" 1427 if [ $ver = "tls1_3" ] ; then 1428 # Expect HelloRetryRequest 1429 groups_and_cipher="-groups P-521:P-384 -cipher ALL" 1430 fi 1431 1432 s_client_out=$user1_dir/s_client_${sc}_${ver}.out 1433 1434 start_message "s_client ... connect to TLS/SSL test server by $ver" 1435 sleep $test_pause_sec 1436 $c_bin s_client -connect $host:$port -CAfile $ca_cert \ 1437 -$ver $groups_and_cipher \ 1438 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 1439 check_exit_status $? 1440 1441 # check downgrade bits in SH 1442 if [ $ver = "tls1" -o $ver = "tls1_1" ] ; then 1443 perl -0ne \ 1444 'exit (!/ServerHello\n.*\n.*44 4f\n.*57 4e 47 52 44 00/m)' \ 1445 $s_client_out 1446 check_exit_status $? 1447 elif [ $ver = "tls1_2" ] ; then 1448 perl -0ne \ 1449 'exit (!/ServerHello\n.*\n.*44 4f\n.*57 4e 47 52 44 01/m)' \ 1450 $s_client_out 1451 check_exit_status $? 1452 elif [ $ver = "tls1_3" ] ; then 1453 perl -0ne \ 1454 'exit (/ServerHello\n.*\n.*44 4f\n.*57 4e 47 52 44/m)' \ 1455 $s_client_out 1456 check_exit_status $? 1457 fi 1458 1459 # check HRR hash 1460 if [ $ver = "tls1_3" ] ; then 1461 perl -0ne \ 1462 'exit (!/ServerHello\n.*cf 21 ad 74 e5 9a 61 11 be 1d\n.*8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e\n.*09 e2 c8 a8 33 9c/m)' \ 1463 $s_client_out 1464 check_exit_status $? 1465 fi 1466 1467 if [ $ver = "tls1_3" ] ; then 1468 grep 'Server Temp Key: ECDH, .*384.*, 384 bits' $s_client_out \ 1469 > /dev/null 1470 check_exit_status $? 1471 fi 1472 1473 # OpenSSL1.1.1 with TLSv1.3 does not call SSL_SESSION_print() until 1474 # NewSessionTicket arrival 1475 if ! [ $cid = "1" -a $ver = "tls1_3" ] ; then 1476 grep "$msg" $s_client_out > /dev/null 1477 check_exit_status $? 1478 fi 1479 1480 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null 1481 check_exit_status $? 1482} 1483 1484function test_sc_all_cipher { 1485 sc=$1 1486 ver=$2 1487 1488 copt=cipher 1489 ciphers=$user1_dir/ciphers_${sc}_${ver} 1490 1491 if [ $ver = "tls1_3" ] ; then 1492 echo "TLS_AES_256_GCM_SHA384" > $ciphers 1493 echo "TLS_CHACHA20_POLY1305_SHA256" >> $ciphers 1494 echo "TLS_AES_128_GCM_SHA256" >> $ciphers 1495 if [ $c_id != "0" ] ; then 1496 copt=ciphersuites 1497 fi 1498 else 1499 s_ciph=$server_dir/s_ciph_${sc}_${ver} 1500 cipher_string="" 1501 if [ $s_id = "0" ] ; then 1502 if [ $ecdsa_tests = 1 ] ; then 1503 cipher_string="ECDSA+TLSv1.2:!TLSv1.3" 1504 else 1505 cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3" 1506 fi 1507 fi 1508 $s_bin ciphers -v $cipher_string | awk '{print $1}' > $s_ciph 1509 1510 c_ciph=$user1_dir/c_ciph_${sc}_${ver} 1511 cipher_string="" 1512 if [ $c_id = "0" ] ; then 1513 if [ $ecdsa_tests = 1 ] ; then 1514 cipher_string="ECDSA+TLSv1.2:!TLSv1.3" 1515 else 1516 cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3" 1517 fi 1518 fi 1519 $c_bin ciphers -s -v $cipher_string | awk '{print $1}' > $c_ciph 1520 1521 grep -x -f $s_ciph $c_ciph | sort -R > $ciphers 1522 fi 1523 1524 cnum=0 1525 for c in `cat $ciphers` ; do 1526 cnum=`expr $cnum + 1` 1527 cnstr=`printf %03d $cnum` 1528 s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_${cnstr}_${c}.out 1529 1530 start_message "s_client ... connect to TLS/SSL test server with [ $cnstr ] $ver $c" 1531 sleep $test_pause_sec 1532 $c_bin s_client -connect $host:$port -CAfile $ca_cert \ 1533 -$ver -$copt $c \ 1534 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 1535 check_exit_status $? 1536 1537 grep "Cipher is $c" $s_client_out > /dev/null 1538 check_exit_status $? 1539 1540 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null 1541 check_exit_status $? 1542 done 1543} 1544 1545function test_sc_session_reuse { 1546 sc=$1 1547 ver=$2 1548 1549 sess_dat=$user1_dir/s_client_${sc}_${ver}_sess.dat 1550 1551 # Get session ticket to reuse 1552 1553 s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_reuse_1.out 1554 1555 start_message "s_client ... connect to TLS/SSL test server to get session id $ver" 1556 sleep $test_pause_sec 1557 $c_bin s_client -connect $host:$port -CAfile $ca_cert \ 1558 -$ver -alpn "spdy/3,http/1.1" -sess_out $sess_dat \ 1559 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 1560 check_exit_status $? 1561 1562 grep '^New, TLS.*$' $s_client_out > /dev/null 1563 check_exit_status $? 1564 1565 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null 1566 check_exit_status $? 1567 1568 # Reuse session ticket 1569 1570 s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_reuse_2.out 1571 1572 start_message "s_client ... connect to TLS/SSL test server reusing session id $ver" 1573 sleep $test_pause_sec 1574 $c_bin s_client -connect $host:$port -CAfile $ca_cert \ 1575 -$ver -sess_in $sess_dat \ 1576 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 1577 check_exit_status $? 1578 1579 grep '^Reused, TLS.*$' $s_client_out > /dev/null 1580 check_exit_status $? 1581 1582 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null 1583 check_exit_status $? 1584 1585 # sess_id 1586 1587 start_message "sess_id" 1588 $c_bin sess_id -in $sess_dat -text -out $sess_dat.out 1589 check_exit_status $? 1590} 1591 1592function test_sc_verify { 1593 sc=$1 1594 ver=$2 1595 1596 # invalid verification pattern 1597 1598 s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_invalid.out 1599 1600 start_message "s_client ... connect to tls/ssl test server but verify error $ver" 1601 sleep $test_pause_sec 1602 $c_bin s_client -connect $host:$port -CAfile $ca_cert \ 1603 -$ver -showcerts -crl_check -issuer_checks -policy_check \ 1604 -status -servername xyz \ 1605 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 1606 check_exit_status $? 1607 1608 grep 'verify return code: 0 (ok)' $s_client_out > /dev/null 1609 if [ $? -eq 0 ] ; then 1610 check_exit_status 1 1611 else 1612 check_exit_status 0 1613 fi 1614 1615 # client certificate pattern 1616 1617 s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_client_cert.out 1618 1619 start_message "s_client ... connect to tls/ssl test server with client certificate $ver" 1620 1621 if [ $ecdsa_tests = 1 ] ; then 1622 echo "Using ECDSA client certificate" 1623 crt=$cl_ecdsa_cert 1624 key=$cl_ecdsa_key 1625 pwd=$cl_ecdsa_pass 1626 else 1627 echo "Using RSA client certificate" 1628 crt=$cl_rsa_cert 1629 key=$cl_rsa_key 1630 pwd=$cl_rsa_pass 1631 fi 1632 1633 sleep $test_pause_sec 1634 $c_bin s_client -connect $host:$port -CAfile $ca_cert \ 1635 -$ver -cert $crt -key $key -pass pass:$pwd \ 1636 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 1637 check_exit_status $? 1638 1639 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null 1640 check_exit_status $? 1641} 1642 1643function test_server_client { 1644 # --- client/server operations (TLS) --- 1645 section_message "client/server operations (TLS)" 1646 1647 s_id="$1" 1648 c_id="$2" 1649 sc="$1$2" 1650 1651 test_pause_sec=0.2 1652 1653 if [ $s_id = "0" ] ; then 1654 s_bin=$openssl_bin 1655 else 1656 s_bin=$other_openssl_bin 1657 fi 1658 1659 if [ $c_id = "0" ] ; then 1660 c_bin=$openssl_bin 1661 else 1662 c_bin=$other_openssl_bin 1663 fi 1664 1665 echo "s_server is [`$s_bin version`]" 1666 echo "s_client is [`$c_bin version`]" 1667 1668 host="localhost" 1669 port=4433 1670 s_server_out=$server_dir/s_server_${sc}_tls.out 1671 1672 if [ $ecdsa_tests = 1 ] ; then 1673 echo "Using ECDSA certificate" 1674 crt=$sv_ecdsa_cert 1675 key=$sv_ecdsa_key 1676 pwd=$sv_ecdsa_pass 1677 else 1678 echo "Using RSA certificate" 1679 crt=$sv_rsa_cert 1680 key=$sv_rsa_key 1681 pwd=$sv_rsa_pass 1682 fi 1683 1684 start_message "s_server ... start TLS/SSL test server" 1685 $s_bin s_server -accept $port -CAfile $ca_cert \ 1686 -cert $crt -key $key -pass pass:$pwd \ 1687 -context "appstest.sh" -id_prefix "APPSTEST.SH" -crl_check \ 1688 -alpn "http/1.1,spdy/3" -www -cipher ALL -4 \ 1689 -msg -tlsextdebug -verify 3 -groups X25519:P-384:P-256 \ 1690 -status -servername xyz -cert2 $crt -key2 $key \ 1691 > $s_server_out 2>&1 & 1692 check_exit_status $? 1693 s_server_pid=$! 1694 echo "s_server pid = [ $s_server_pid ]" 1695 sleep 1 1696 1697 # test by protocol version 1698 test_sc_by_protocol_version $sc tls1_2 'Protocol : TLSv1\.2$' $c_id 1699 test_sc_by_protocol_version $sc tls1_3 'Protocol : TLSv1\.3$' $c_id 1700 1701 # all available ciphers with random order 1702 test_sc_all_cipher $sc tls1_2 1703 test_sc_all_cipher $sc tls1_3 1704 1705 # session resumption 1706 test_sc_session_reuse $sc tls1_2 1707 1708 # invalid verification pattern 1709 test_sc_verify $sc tls1_2 1710 test_sc_verify $sc tls1_3 1711 1712 # s_time 1713 start_message "s_time ... connect to TLS/SSL test server" 1714 $c_bin s_time -connect $host:$port -CApath $ca_dir -time 1 \ 1715 > $server_dir/s_time_${sc}.log 1716 check_exit_status $? 1717 1718 stop_s_server 1719} 1720 1721function test_server_client_dtls { 1722 # --- client/server operations (DTLS) --- 1723 section_message "client/server operations (DTLS)" 1724 1725 s_id="$1" 1726 c_id="$2" 1727 sc="$1$2" 1728 1729 test_pause_sec=0.2 1730 1731 if [ $s_id = "0" ] ; then 1732 s_bin=$openssl_bin 1733 else 1734 s_bin=$other_openssl_bin 1735 fi 1736 1737 if [ $c_id = "0" ] ; then 1738 c_bin=$openssl_bin 1739 else 1740 c_bin=$other_openssl_bin 1741 fi 1742 1743 echo "s_server is [`$s_bin version`]" 1744 echo "s_client is [`$c_bin version`]" 1745 1746 host="localhost" 1747 port=4433 1748 s_server_out=$server_dir/s_server_${sc}_dtls.out 1749 1750 if [ $ecdsa_tests = 1 ] ; then 1751 echo "Using ECDSA certificate" 1752 crt=$sv_ecdsa_cert 1753 key=$sv_ecdsa_key 1754 pwd=$sv_ecdsa_pass 1755 else 1756 echo "Using RSA certificate" 1757 crt=$sv_rsa_cert 1758 key=$sv_rsa_key 1759 pwd=$sv_rsa_pass 1760 fi 1761 1762 start_message "s_server ... start DTLS test server" 1763 $s_bin s_server -accept $port -CAfile $ca_cert \ 1764 -cert $crt -key $key -pass pass:$pwd \ 1765 -context "appstest.sh" -id_prefix "APPSTEST.SH" -crl_check \ 1766 -alpn "http/1.1,spdy/3" -cipher ALL -4 \ 1767 -msg -tlsextdebug -verify 3 -groups X25519:P-384:P-256 \ 1768 -status -servername xyz -cert2 $crt -key2 $key -dtls -quiet \ 1769 > $s_server_out 2>&1 & 1770 check_exit_status $? 1771 s_server_pid=$! 1772 echo "s_server pid = [ $s_server_pid ]" 1773 sleep 1 1774 1775 # test by protocol version 1776 test_sc_by_protocol_version $sc dtls1_2 'Protocol : DTLSv1.2$' $c_id 1777 1778 stop_s_server 1779} 1780 1781function test_gnutls { 1782 # --- GnuTLS interoperability --- 1783 section_message "GnuTLS $1 interoperability" 1784 1785 proto="$1" 1786 1787 if [ $proto = "tls" ] ; then 1788 sopt="-www" 1789 lopt= 1790 gopt= 1791 else 1792 sopt="-quiet" 1793 lopt="-dtls" 1794 gopt="-u" 1795 fi 1796 1797 gs_bin=/usr/local/bin/gnutls-serv 1798 gc_bin=/usr/local/bin/gnutls-cli 1799 1800 host="localhost" 1801 port=4433 1802 1803 if [ $ecdsa_tests = 1 ] ; then 1804 echo "Using ECDSA certificate" 1805 crt=$sv_ecdsa_cert 1806 key=$sv_ecdsa_key 1807 sni=ecdsa.test-dummy.com 1808 else 1809 echo "Using RSA certificate" 1810 crt=$sv_rsa_cert 1811 key=$sv_rsa_key.nopass 1812 sni=localhost.test-dummy.com 1813 fi 1814 1815 # LibreSSL - GnuTLS 1816 1817 start_message "s_server ... start $proto test server" 1818 s_server_out=$server_dir/s_server_LG_$proto.out 1819 $openssl_bin s_server -accept $port -CAfile $ca_cert \ 1820 -cert $crt -key $key -cert2 $crt -key2 $key \ 1821 -servername $sni -msg -tlsextdebug -status $sopt $lopt \ 1822 > $s_server_out 2>&1 & 1823 check_exit_status $? 1824 s_server_pid=$! 1825 echo "s_server pid = [ $s_server_pid ]" 1826 sleep 1 1827 1828 gnutls_cli_out=$user1_dir/gnutls-cli_LG_$proto.out 1829 $gc_bin --x509cafile=$ca_cert --sni-hostname=$sni \ 1830 --verify-hostname=$sni $gopt -p $port $host < /dev/null \ 1831 > $gnutls_cli_out 2>&1 1832 check_exit_status $? 1833 1834 grep 'Handshake was completed' $gnutls_cli_out > /dev/null 1835 check_exit_status $? 1836 1837 stop_s_server 1838 1839 # GnuTLS - LibreSSL 1840 1841 start_message "gnutls-serv ... start $proto test server" 1842 gnutls_serv_out=$server_dir/gnutls-serv_GL_$proto.out 1843 $gs_bin --x509cafile=$ca_cert --x509certfile=$crt --x509keyfile=$key \ 1844 $gopt -p $port > $gnutls_serv_out 2>&1 & 1845 check_exit_status $? 1846 gnutls_serv_pid=$! 1847 echo "gnutls-serv pid = [ $gnutls_serv_pid ]" 1848 sleep 1 1849 1850 s_client_out=$user1_dir/s_client_GL_$proto.out 1851 $openssl_bin s_client -connect $host:$port -CAfile $ca_cert \ 1852 -msg -tlsextdebug -status $lopt < /dev/null > $s_client_out 2>&1 1853 check_exit_status $? 1854 1855 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null 1856 check_exit_status $? 1857 1858 stop_gnutls_serv 1859} 1860 1861function test_speed { 1862 # === PERFORMANCE === 1863 section_message "PERFORMANCE" 1864 1865 if [ $no_long_tests = 0 ] ; then 1866 start_message "speed" 1867 $openssl_bin speed sha512 rsa2048 -multi 2 -elapsed 1868 check_exit_status $? 1869 else 1870 start_message "SKIPPING speed (quick mode)" 1871 fi 1872} 1873 1874function test_version { 1875 # --- VERSION INFORMATION --- 1876 section_message "VERSION INFORMATION" 1877 1878 start_message "version" 1879 $openssl_bin version -a 1880 check_exit_status $? 1881} 1882 1883#---------#---------#---------#---------#---------#---------#---------#--------- 1884 1885openssl_bin=${OPENSSL:-/usr/bin/openssl} 1886other_openssl_bin=${OTHER_OPENSSL:-/usr/local/bin/eopenssl33} 1887other_openssl_version=`$other_openssl_bin version | cut -b 1-10` 1888 1889ecdsa_tests=0 1890interop_tests=0 1891gnutls_tests=0 1892no_long_tests=0 1893 1894while [ "$1" != "" ]; do 1895 case $1 in 1896 -e | --ecdsa) shift 1897 ecdsa_tests=1 1898 ;; 1899 -g | --gost) shift 1900 ecdsa_tests=0 1901 ;; 1902 -i | --interop) shift 1903 interop_tests=1 1904 ;; 1905 -n | --gnutls) shift 1906 gnutls_tests=1 1907 ;; 1908 -q | --quick ) shift 1909 no_long_tests=1 1910 ;; 1911 * ) usage 1912 exit 1 1913 esac 1914done 1915 1916if [ ! -x $openssl_bin ] ; then 1917 echo ":-< \$OPENSSL [$openssl_bin] is not executable." 1918 exit 1 1919fi 1920 1921if [ $interop_tests = 1 -a ! -x $other_openssl_bin ] ; then 1922 echo ":-< \$OTHER_OPENSSL [$other_openssl_bin] is not executable." 1923 exit 1 1924fi 1925 1926# 1927# create ssldir, and all files generated by this script goes under this dir. 1928# 1929ssldir="appstest_dir" 1930 1931if [ -d $ssldir ] ; then 1932 echo "directory [ $ssldir ] exists, this script deletes this directory ..." 1933 /bin/rm -rf $ssldir 1934fi 1935 1936mkdir -p $ssldir 1937 1938ca_dir=$ssldir/testCA 1939tsa_dir=$ssldir/testTSA 1940ocsp_dir=$ssldir/testOCSP 1941server_dir=$ssldir/server 1942user1_dir=$ssldir/user1 1943mkdir -p $user1_dir 1944key_dir=$ssldir/key 1945mkdir -p $key_dir 1946 1947export OPENSSL_CONF=$ssldir/openssl.cnf 1948touch $OPENSSL_CONF 1949 1950uname_s=`uname -s | grep 'MINGW'` 1951if [ "$uname_s" = "" ] ; then 1952 mingw=0 1953else 1954 mingw=1 1955fi 1956 1957# 1958# process tests 1959# 1960test_usage_lists_others 1961test_md 1962test_encoding_cipher 1963test_key 1964test_pki 1965test_tsa 1966test_cms 1967test_smime 1968test_ocsp 1969test_pkcs 1970test_server_client 0 0 1971if [ $interop_tests = 1 ] ; then 1972 test_server_client 0 1 1973 test_server_client 1 0 1974fi 1975test_server_client_dtls 0 0 1976if [ $interop_tests = 1 ] ; then 1977 test_server_client_dtls 0 1 1978 test_server_client_dtls 1 0 1979fi 1980if [ $gnutls_tests = 1 ] ; then 1981 test_gnutls tls 1982 test_gnutls dtls 1983fi 1984test_speed 1985test_version 1986 1987section_message "END" 1988 1989exit 0 1990 1991