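#!/bin/sh

#
# A few very basic tests for the 'ts' time stamping authority command.
#
# Run from the test directory. All work happens in a scratch directory
# ./tsa that is created at start and removed on success; the relative paths
# used inside the functions (../../util, ../../apps, ../testtsa,
# ../CAtsa.cnf) are resolved from inside that scratch directory.
#
# The CA key is generated with -nodes, i.e. written unencrypted. It is a
# throw-away test key. When a step fails the script exits through error()
# without cleaning up, so ./tsa and the key files in it stay on disk.
#

SH="/bin/sh"
if test "$OSTYPE" = msdosdjgpp; then
    PATH="../apps\;$PATH"
else
    PATH="../apps:$PATH"
fi
export SH PATH

OPENSSL_CONF="../CAtsa.cnf"
export OPENSSL_CONF
# Because that's what ../apps/CA.sh really looks at
SSLEAY_CONFIG="-config $OPENSSL_CONF"
export SSLEAY_CONFIG

OPENSSL="$(pwd)/../util/opensslwrap.sh"
export OPENSSL

# Abort the whole test run with a failure status.
error () {

    echo "TSA test failed!" >&2
    exit 1
}

# Run the freshly built openssl binary through the shared-library wrapper.
# Arguments: passed through unchanged. Returns: the command's exit status.
openssl_app () {

    ../../util/shlib_wrap.sh ../../apps/openssl "$@"
}

# Create an empty scratch directory ./tsa and enter it.
setup_dir () {

    rm -rf tsa 2>/dev/null
    # Stop here if the scratch directory cannot be created or entered:
    # otherwise every later step, including the 'cd ..; rm -rf tsa' in
    # clean_up_dir, would run relative to the wrong directory.
    mkdir tsa || error
    cd ./tsa || error
}

# Leave the scratch directory and delete it.
clean_up_dir () {

    cd .. || error
    rm -rf tsa
}

# Create the self-signed test CA (tsaca.pem / tsacakey.pem).
create_ca () {

    echo "Creating a new CA for the TSA tests..."
    # presumably read by the config file to pick the DN section - confirm
    TSDNSECT=ts_ca_dn
    export TSDNSECT
    openssl_app req -new -x509 -nodes \
        -out tsaca.pem -keyout tsacakey.pem || error
}

# Create a key, a request and a CA-signed certificate.
# Arguments: $1 - index used in the output file names
#            $2 - extension section of $OPENSSL_CONF to apply
create_tsa_cert () {

    INDEX=$1
    export INDEX
    EXT=$2
    TSDNSECT=ts_cert_dn
    export TSDNSECT

    openssl_app req -new \
        -out "tsa_req${INDEX}.pem" -keyout "tsa_key${INDEX}.pem" || error
    echo "Using extension $EXT"
    openssl_app x509 -req \
        -in "tsa_req${INDEX}.pem" -out "tsa_cert${INDEX}.pem" \
        -CA tsaca.pem -CAkey tsacakey.pem -CAcreateserial \
        -extfile "$OPENSSL_CONF" -extensions "$EXT" || error
}

# Print a time stamp request in text form.
# Arguments: $1 - request file
print_request () {

    # Checked like print_response: a request that cannot be parsed is a
    # test failure, not something to skip over.
    openssl_app ts -query -in "$1" -text || error
}

# Request for ../testtsa with policy tsa_policy1, asking for the TSA cert.
create_time_stamp_request1 () {

    openssl_app ts -query -data ../testtsa -policy tsa_policy1 -cert \
        -out req1.tsq || error
}

# Request for ../testtsa with policy tsa_policy2 and no nonce.
create_time_stamp_request2 () {

    openssl_app ts -query -data ../testtsa -policy tsa_policy2 -no_nonce \
        -out req2.tsq || error
}

# Request for a different data file (../CAtsa.cnf), no nonce.
create_time_stamp_request3 () {

    openssl_app ts -query -data ../CAtsa.cnf -no_nonce -out req3.tsq || error
}

# Print a time stamp response in text form.
# Arguments: $1 - response file
print_response () {

    openssl_app ts -reply -in "$1" -text || error
}

# Create a time stamp response for a request.
# Arguments: $1 - request file, $2 - response file to write,
#            $3 - TSA config section
create_time_stamp_response () {

    openssl_app ts -reply -section "$3" -queryfile "$1" -out "$2" || error
}

# Exercise '-token_in' / '-token_out' with '-reply': extract the token,
# rebuild a response from it and require the result to be byte-identical
# to the original response.
# Arguments: $1 - request file, $2 - response file
time_stamp_response_token_test () {

    RESPONSE2=$2.copy.tsr
    TOKEN_DER=$2.token.der
    openssl_app ts -reply -in "$2" -out "$TOKEN_DER" -token_out || error
    openssl_app ts -reply -in "$TOKEN_DER" -token_in -out "$RESPONSE2" || error
    cmp "$RESPONSE2" "$2" || error
    openssl_app ts -reply -in "$2" -text -token_out || error
    openssl_app ts -reply -in "$TOKEN_DER" -token_in -text -token_out || error
    openssl_app ts -reply -queryfile "$1" -text -token_out || error
}

# Verify a response both against its request and against the original data.
# The trust anchor is tsaca.pem; tsa_cert1.pem is supplied as untrusted.
# Arguments: $1 - request file, $2 - response file, $3 - data file
verify_time_stamp_response () {

    openssl_app ts -verify -queryfile "$1" -in "$2" -CAfile tsaca.pem \
        -untrusted tsa_cert1.pem || error
    openssl_app ts -verify -data "$3" -in "$2" -CAfile tsaca.pem \
        -untrusted tsa_cert1.pem || error
}

# Same checks as verify_time_stamp_response, on the bare token.
# Arguments: $1 - request file, $2 - response file, $3 - data file
verify_time_stamp_token () {

    # create the token from the response first
    openssl_app ts -reply -in "$2" -out "$2.token" -token_out || error
    openssl_app ts -verify -queryfile "$1" -in "$2.token" -token_in \
        -CAfile tsaca.pem -untrusted tsa_cert1.pem || error
    openssl_app ts -verify -data "$3" -in "$2.token" -token_in \
        -CAfile tsaca.pem -untrusted tsa_cert1.pem || error
}

# Negative test: verification of a response against a request it does not
# belong to must be rejected.
# Arguments: $1 - request file, $2 - response file
verify_time_stamp_response_fail () {

    # Any non-zero exit status counts as "rejected" below, so make sure the
    # inputs are really there: a missing or empty file would also produce a
    # non-zero status and let this test pass without any verification
    # having taken place.
    if test ! -s "$1" || test ! -s "$2"; then
        error
    fi
    # Checks if the verification failed, as it should have.
    if openssl_app ts -verify -queryfile "$1" -in "$2" -CAfile tsaca.pem \
        -untrusted tsa_cert1.pem; then
        error
    fi
    echo Ok
}

# main functions

echo "Setting up TSA test directory..."
setup_dir

echo "Creating CA for TSA tests..."
create_ca

echo "Creating tsa_cert1.pem TSA server cert..."
create_tsa_cert 1 tsa_cert

echo "Creating tsa_cert2.pem non-TSA server cert..."
create_tsa_cert 2 non_tsa_cert

echo "Creating req1.req time stamp request for file testtsa..."
create_time_stamp_request1

echo "Printing req1.req..."
print_request req1.tsq

echo "Generating valid response for req1.req..."
create_time_stamp_response req1.tsq resp1.tsr tsa_config1

echo "Printing response..."
print_response resp1.tsr

echo "Verifying valid response..."
verify_time_stamp_response req1.tsq resp1.tsr ../testtsa

echo "Verifying valid token..."
verify_time_stamp_token req1.tsq resp1.tsr ../testtsa

# The tests below are commented out, because invalid signer certificates
# can no longer be specified in the config file.

# echo "Generating _invalid_ response for req1.req..."
# create_time_stamp_response req1.tsq resp1_bad.tsr tsa_config2

# echo "Printing response..."
# print_response resp1_bad.tsr

# echo "Verifying invalid response, it should fail..."
# verify_time_stamp_response_fail req1.tsq resp1_bad.tsr

echo "Creating req2.req time stamp request for file testtsa..."
create_time_stamp_request2

echo "Printing req2.req..."
print_request req2.tsq

echo "Generating valid response for req2.req..."
create_time_stamp_response req2.tsq resp2.tsr tsa_config1

echo "Checking '-token_in' and '-token_out' options with '-reply'..."
time_stamp_response_token_test req2.tsq resp2.tsr

echo "Printing response..."
print_response resp2.tsr

echo "Verifying valid response..."
verify_time_stamp_response req2.tsq resp2.tsr ../testtsa

echo "Verifying response against wrong request, it should fail..."
verify_time_stamp_response_fail req1.tsq resp2.tsr

echo "Verifying response against wrong request, it should fail..."
verify_time_stamp_response_fail req2.tsq resp1.tsr

echo "Creating req3.req time stamp request for file CAtsa.cnf..."
create_time_stamp_request3

echo "Printing req3.req..."
print_request req3.tsq

echo "Verifying response against wrong request, it should fail..."
verify_time_stamp_response_fail req3.tsq resp1.tsr

echo "Cleaning up..."
clean_up_dir

exit 0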