1#!/bin/sh 2# 3# $OpenBSD: appstest.sh,v 1.46 2020/08/01 14:31:23 inoguchi Exp $ 4# 5# Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org> 6# 7# Permission to use, copy, modify, and distribute this software for any 8# purpose with or without fee is hereby granted, provided that the above 9# copyright notice and this permission notice appear in all copies. 10# 11# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19# 20# appstest.sh - test script for openssl command according to man OPENSSL(1) 21# 22# input : none 23# output : all files generated by this script go under $ssldir 24# 25 26function section_message { 27 echo "" 28 echo "#---------#---------#---------#---------#---------#---------#---------#--------" 29 echo "===" 30 echo "=== (Section) $1 `date +'%Y/%m/%d %H:%M:%S'`" 31 echo "===" 32} 33 34function start_message { 35 echo "" 36 echo "[TEST] $1" 37} 38 39function stop_s_server { 40 if [ ! -z "$s_server_pid" ] ; then 41 echo ":-| stop s_server [ $s_server_pid ]" 42 sleep 1 43 kill -TERM $s_server_pid 44 wait $s_server_pid 45 s_server_pid= 46 fi 47} 48 49function check_exit_status { 50 status=$1 51 if [ $status -ne 0 ] ; then 52 stop_s_server 53 echo ":-< error occurs, exit status = [ $status ]" 54 exit $status 55 else 56 echo ":-) success. " 57 fi 58} 59 60function usage { 61 echo "usage: appstest.sh [-egiq]" 62} 63 64function test_usage_lists_others { 65 # === COMMAND USAGE === 66 section_message "COMMAND USAGE" 67 68 start_message "output usages of all commands." 
69 70 cmds=`$openssl_bin list-standard-commands` 71 $openssl_bin -help 2>> $user1_dir/usages.out 72 for c in $cmds ; do 73 $openssl_bin $c -help 2>> $user1_dir/usages.out 74 done 75 76 start_message "check all list-* commands." 77 78 lists="" 79 lists="$lists list-standard-commands" 80 lists="$lists list-message-digest-commands list-message-digest-algorithms" 81 lists="$lists list-cipher-commands list-cipher-algorithms" 82 lists="$lists list-public-key-algorithms" 83 84 listsfile=$user1_dir/lists.out 85 86 for l in $lists ; do 87 echo "" >> $listsfile 88 echo "$l" >> $listsfile 89 $openssl_bin $l >> $listsfile 90 done 91 92 start_message "check interactive mode" 93 $openssl_bin <<__EOF__ 94help 95quit 96__EOF__ 97 check_exit_status $? 98 99 #---------#---------#---------#---------#---------#---------#--------- 100 101 # --- listing operations --- 102 section_message "listing operations" 103 104 start_message "ciphers" 105 $openssl_bin ciphers -V > $user1_dir/ciphers-V.out 106 check_exit_status $? 107 108 start_message "errstr" 109 $openssl_bin errstr 2606A074 110 check_exit_status $? 111 $openssl_bin errstr -stats 2606A074 > $user1_dir/errstr-stats.out 112 check_exit_status $? 113 114 #---------#---------#---------#---------#---------#---------#--------- 115 116 # --- random number etc. operations --- 117 section_message "random number etc. operations" 118 119 start_message "passwd" 120 121 pass="test-pass-1234" 122 123 echo $pass | $openssl_bin passwd -stdin -1 124 check_exit_status $? 125 126 echo $pass | $openssl_bin passwd -stdin -apr1 127 check_exit_status $? 128 129 echo $pass | $openssl_bin passwd -stdin -crypt 130 check_exit_status $? 131 132 start_message "prime" 133 134 $openssl_bin prime 1 135 check_exit_status $? 136 137 $openssl_bin prime 2 138 check_exit_status $? 139 140 $openssl_bin prime -bits 64 -checks 3 -generate -hex -safe 5 141 check_exit_status $? 142 143 start_message "rand" 144 145 $openssl_bin rand -base64 100 146 check_exit_status $? 
147 148 $openssl_bin rand -hex 100 149 check_exit_status $? 150} 151 152function test_md { 153 # === MESSAGE DIGEST COMMANDS === 154 section_message "MESSAGE DIGEST COMMANDS" 155 156 start_message "dgst - See [MESSAGE DIGEST COMMANDS] section." 157 158 text="1234567890abcdefghijklmnopqrstuvwxyz" 159 dgstdat=$user1_dir/dgst.dat 160 echo $text > $dgstdat 161 hmac_key="test-hmac-key" 162 cmac_key="1234567890abcde1234567890abcde12" 163 dgstkey=$user1_dir/dgstkey.pem 164 dgstpass=test-dgst-pass 165 dgstpub=$user1_dir/dgstpub.pem 166 dgstsig=$user1_dir/dgst.sig 167 168 $openssl_bin genrsa -aes256 -passout pass:$dgstpass -out $dgstkey 169 check_exit_status $? 170 171 $openssl_bin pkey -in $dgstkey -passin pass:$dgstpass -pubout \ 172 -out $dgstpub 173 check_exit_status $? 174 175 digests=`$openssl_bin list-message-digest-commands` 176 177 for d in $digests ; do 178 179 echo -n "$d ... " 180 $openssl_bin dgst -$d -hex -out $dgstdat.$d $dgstdat 181 check_exit_status $? 182 183 echo -n "$d HMAC ... " 184 $openssl_bin dgst -$d -c -hmac $hmac_key -out $dgstdat.$d.hmac \ 185 $dgstdat 186 check_exit_status $? 187 188 echo -n "$d CMAC ... " 189 $openssl_bin dgst -$d -r -mac cmac -macopt cipher:aes-128-cbc \ 190 -macopt hexkey:$cmac_key -out $dgstdat.$d.cmac $dgstdat 191 check_exit_status $? 192 193 echo -n "$d sign ... " 194 $openssl_bin dgst -sign $dgstkey -keyform pem \ 195 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \ 196 -passin pass:$dgstpass -binary -out $dgstsig.$d $dgstdat 197 check_exit_status $? 198 199 echo -n "$d verify ... " 200 $openssl_bin dgst -verify $dgstpub \ 201 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \ 202 -signature $dgstsig.$d $dgstdat 203 check_exit_status $? 204 205 echo -n "$d prverify ... " 206 $openssl_bin dgst -prverify $dgstkey -passin pass:$dgstpass \ 207 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \ 208 -signature $dgstsig.$d $dgstdat 209 check_exit_status $? 
210 done 211} 212 213function test_encoding_cipher { 214 # === ENCODING AND CIPHER COMMANDS === 215 section_message "ENCODING AND CIPHER COMMANDS" 216 217 start_message "enc - See [ENCODING AND CIPHER COMMANDS] section." 218 219 text="1234567890abcdefghijklmnopqrstuvwxyz" 220 encfile=$user1_dir/encfile.dat 221 echo $text > $encfile 222 pass="test-pass-1234" 223 224 ciphers=`$openssl_bin list-cipher-commands` 225 226 for c in $ciphers ; do 227 echo -n "$c ... encoding ... " 228 $openssl_bin enc -$c -e -base64 -pass pass:$pass \ 229 -in $encfile -out $encfile-$c.enc 230 check_exit_status $? 231 232 echo -n "decoding ... " 233 $openssl_bin enc -$c -d -base64 -pass pass:$pass \ 234 -in $encfile-$c.enc -out $encfile-$c.dec 235 check_exit_status $? 236 237 echo -n "cmp ... " 238 cmp $encfile $encfile-$c.dec 239 check_exit_status $? 240 done 241} 242 243function test_key { 244 # === various KEY operations === 245 section_message "various KEY operations" 246 247 key_pass=test-key-pass 248 249 # DH 250 251 start_message "gendh - Obsoleted by dhparam." 252 gendh2=$key_dir/gendh2.pem 253 $openssl_bin gendh -2 -out $gendh2 > $gendh2.log 2>&1 254 check_exit_status $? 255 256 start_message "dh - Obsoleted by dhparam." 257 $openssl_bin dh -in $gendh2 -check -text -out $gendh2.out 258 check_exit_status $? 259 260 if [ $no_long_tests = 0 ] ; then 261 start_message "dhparam - Superseded by genpkey and pkeyparam." 262 dhparam2=$key_dir/dhparam2.pem 263 $openssl_bin dhparam -2 -out $dhparam2 > $dhparam2.log 2>&1 264 check_exit_status $? 265 $openssl_bin dhparam -in $dhparam2 -check -text \ 266 -out $dhparam2.out 267 check_exit_status $? 268 else 269 start_message "SKIPPING dhparam - Superseded by genpkey and pkeyparam. (quick mode)" 270 fi 271 272 # DSA 273 274 start_message "dsaparam - Superseded by genpkey and pkeyparam." 275 dsaparam512=$key_dir/dsaparam512.pem 276 $openssl_bin dsaparam -genkey -out $dsaparam512 512 \ 277 > $dsaparam512.log 2>&1 278 check_exit_status $? 
279 280 start_message "dsa" 281 $openssl_bin dsa -in $dsaparam512 -text -modulus -out $dsaparam512.out 282 check_exit_status $? 283 284 start_message "gendsa - Superseded by genpkey and pkey." 285 gendsa_des3=$key_dir/gendsa_des3.pem 286 $openssl_bin gendsa -des3 -out $gendsa_des3 \ 287 -passout pass:$key_pass $dsaparam512 288 check_exit_status $? 289 290 # RSA 291 292 start_message "genrsa - Superseded by genpkey." 293 genrsa_aes256=$key_dir/genrsa_aes256.pem 294 $openssl_bin genrsa -f4 -aes256 -out $genrsa_aes256 \ 295 -passout pass:$key_pass 2048 > $genrsa_aes256.log 2>&1 296 check_exit_status $? 297 298 start_message "rsa" 299 $openssl_bin rsa -in $genrsa_aes256 -passin pass:$key_pass \ 300 -check -text -out $genrsa_aes256.out 301 check_exit_status $? 302 303 start_message "rsautl - Superseded by pkeyutl." 304 rsautldat=$key_dir/rsautl.dat 305 rsautlsig=$key_dir/rsautl.sig 306 echo "abcdefghijklmnopqrstuvwxyz1234567890" > $rsautldat 307 308 $openssl_bin rsautl -sign -in $rsautldat -inkey $genrsa_aes256 \ 309 -passin pass:$key_pass -out $rsautlsig 310 check_exit_status $? 311 312 $openssl_bin rsautl -verify -in $rsautlsig -inkey $genrsa_aes256 \ 313 -passin pass:$key_pass 314 check_exit_status $? 315 316 # EC 317 318 start_message "ecparam -list-curves" 319 $openssl_bin ecparam -list_curves -out $key_dir/ecparam-list_curves.out 320 check_exit_status $? 321 322 # get all EC curves 323 ec_curves=`$openssl_bin ecparam -list_curves | grep ':' | cut -d ':' -f 1` 324 325 start_message "ecparam and ec" 326 327 for curve in $ec_curves ; 328 do 329 ecparam=$key_dir/ecparam_$curve.pem 330 331 echo -n "ec - $curve ... ecparam ... " 332 $openssl_bin ecparam -out $ecparam -name $curve -genkey \ 333 -param_enc explicit -conv_form compressed -C 334 check_exit_status $? 335 336 echo -n "ec ... " 337 $openssl_bin ec -in $ecparam -text \ 338 -out $ecparam.out 2> /dev/null 339 check_exit_status $? 
340 done 341 342 # PKEY 343 344 start_message "genpkey" 345 346 # DH by GENPKEY 347 348 genpkey_dh_param=$key_dir/genpkey_dh_param.pem 349 $openssl_bin genpkey -genparam -algorithm DH -out $genpkey_dh_param \ 350 -pkeyopt dh_paramgen_prime_len:1024 > $genpkey_dh_param.log 2>&1 351 check_exit_status $? 352 353 genpkey_dh=$key_dir/genpkey_dh.pem 354 $openssl_bin genpkey -paramfile $genpkey_dh_param -out $genpkey_dh 355 check_exit_status $? 356 357 # DSA by GENPKEY 358 359 genpkey_dsa_param=$key_dir/genpkey_dsa_param.pem 360 $openssl_bin genpkey -genparam -algorithm DSA -out $genpkey_dsa_param \ 361 -pkeyopt dsa_paramgen_bits:1024 > $genpkey_dsa_param.log 2>&1 362 check_exit_status $? 363 364 genpkey_dsa=$key_dir/genpkey_dsa.pem 365 $openssl_bin genpkey -paramfile $genpkey_dsa_param -out $genpkey_dsa 366 check_exit_status $? 367 368 # RSA by GENPKEY 369 370 genpkey_rsa=$key_dir/genpkey_rsa.pem 371 $openssl_bin genpkey -algorithm RSA -out $genpkey_rsa \ 372 -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 \ 373 > $genpkey_rsa.log 2>&1 374 check_exit_status $? 375 376 genpkey_rsa_pss=$key_dir/genpkey_rsa_pss.pem 377 $openssl_bin genpkey -algorithm RSA-PSS -out $genpkey_rsa_pss \ 378 -pkeyopt rsa_keygen_bits:2048 \ 379 -pkeyopt rsa_pss_keygen_mgf1_md:sha256 \ 380 -pkeyopt rsa_pss_keygen_md:sha256 \ 381 -pkeyopt rsa_pss_keygen_saltlen:32 \ 382 > $genpkey_rsa_pss.log 2>&1 383 check_exit_status $? 384 385 # EC by GENPKEY 386 387 genpkey_ec_param=$key_dir/genpkey_ec_param.pem 388 $openssl_bin genpkey -genparam -algorithm EC -out $genpkey_ec_param \ 389 -pkeyopt ec_paramgen_curve:secp384r1 390 check_exit_status $? 391 392 genpkey_ec=$key_dir/genpkey_ec.pem 393 $openssl_bin genpkey -paramfile $genpkey_ec_param -out $genpkey_ec 394 check_exit_status $? 395 396 genpkey_ec_2=$key_dir/genpkey_ec_2.pem 397 $openssl_bin genpkey -paramfile $genpkey_ec_param -out $genpkey_ec_2 398 check_exit_status $? 
399 400 start_message "pkeyparam" 401 402 $openssl_bin pkeyparam -in $genpkey_dh_param -text \ 403 -out $genpkey_dh_param.out 404 check_exit_status $? 405 406 $openssl_bin pkeyparam -in $genpkey_dsa_param -text \ 407 -out $genpkey_dsa_param.out 408 check_exit_status $? 409 410 $openssl_bin pkeyparam -in $genpkey_ec_param -text \ 411 -out $genpkey_ec_param.out 412 check_exit_status $? 413 414 start_message "pkey" 415 416 $openssl_bin pkey -in $genpkey_dh -pubout -out $genpkey_dh.pub \ 417 -text_pub 418 check_exit_status $? 419 420 $openssl_bin pkey -in $genpkey_dsa -pubout -out $genpkey_dsa.pub \ 421 -text_pub 422 check_exit_status $? 423 424 $openssl_bin pkey -in $genpkey_rsa -pubout -out $genpkey_rsa.pub \ 425 -text_pub 426 check_exit_status $? 427 428 $openssl_bin pkey -in $genpkey_ec -pubout -out $genpkey_ec.pub \ 429 -text_pub 430 check_exit_status $? 431 432 $openssl_bin pkey -in $genpkey_ec_2 -pubout -out $genpkey_ec_2.pub \ 433 -text_pub 434 check_exit_status $? 435 436 start_message "pkeyutl" 437 438 pkeyutldat=$key_dir/pkeyutl.dat 439 pkeyutlsig=$key_dir/pkeyutl.sig 440 echo "abcdefghijklmnopqrstuvwxyz1234567890" > $pkeyutldat 441 442 $openssl_bin pkeyutl -sign -in $pkeyutldat -inkey $genpkey_rsa \ 443 -out $pkeyutlsig 444 check_exit_status $? 445 446 $openssl_bin pkeyutl -verify -in $pkeyutldat -sigfile $pkeyutlsig \ 447 -inkey $genpkey_rsa 448 check_exit_status $? 449 450 $openssl_bin pkeyutl -verifyrecover -in $pkeyutlsig -inkey $genpkey_rsa 451 check_exit_status $? 452 453 pkeyutlenc=$key_dir/pkeyutl.enc 454 pkeyutldec=$key_dir/pkeyutl.dec 455 456 $openssl_bin pkeyutl -encrypt -in $pkeyutldat \ 457 -pubin -inkey $genpkey_rsa.pub -out $pkeyutlenc 458 check_exit_status $? 459 460 $openssl_bin pkeyutl -decrypt -in $pkeyutlenc \ 461 -inkey $genpkey_rsa -out $pkeyutldec 462 check_exit_status $? 463 464 diff $pkeyutldat $pkeyutldec 465 check_exit_status $? 
466 467 pkeyutl_rsa_oaep_enc=$key_dir/pkeyutl_rsa_oaep.enc 468 pkeyutl_rsa_oaep_dec=$key_dir/pkeyutl_rsa_oaep.dec 469 470 $openssl_bin pkeyutl -encrypt -in $pkeyutldat \ 471 -inkey $genpkey_rsa \ 472 -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \ 473 -pkeyopt rsa_oaep_label:0011223344556677 \ 474 -out $pkeyutl_rsa_oaep_enc 475 check_exit_status $? 476 477 $openssl_bin pkeyutl -decrypt -in $pkeyutl_rsa_oaep_enc \ 478 -inkey $genpkey_rsa \ 479 -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \ 480 -pkeyopt rsa_oaep_label:0011223344556677 \ 481 -out $pkeyutl_rsa_oaep_dec 482 check_exit_status $? 483 484 diff $pkeyutldat $pkeyutl_rsa_oaep_dec 485 check_exit_status $? 486 487 pkeyutlsc1=$key_dir/pkeyutl.sc1 488 pkeyutlsc2=$key_dir/pkeyutl.sc2 489 490 $openssl_bin pkeyutl -derive -inkey $genpkey_ec \ 491 -peerkey $genpkey_ec_2.pub -out $pkeyutlsc1 -hexdump 492 check_exit_status $? 493 494 $openssl_bin pkeyutl -derive -inkey $genpkey_ec_2 \ 495 -peerkey $genpkey_ec.pub -out $pkeyutlsc2 -hexdump 496 check_exit_status $? 497 498 diff $pkeyutlsc1 $pkeyutlsc2 499 check_exit_status $? 
500} 501 502function test_pki { 503 section_message "setup local CA" 504 505 # 506 # prepare test openssl.cnf 507 # 508 509 cat << __EOF__ > $ssldir/openssl.cnf 510oid_section = new_oids 511[ new_oids ] 512tsa_policy1 = 1.2.3.4.1 513tsa_policy2 = 1.2.3.4.5.6 514tsa_policy3 = 1.2.3.4.5.7 515[ ca ] 516default_ca = CA_default 517[ CA_default ] 518dir = ./$ca_dir 519crl_dir = \$dir/crl 520database = \$dir/index.txt 521new_certs_dir = \$dir/newcerts 522serial = \$dir/serial 523crlnumber = \$dir/crlnumber 524default_days = 1 525default_md = default 526policy = policy_match 527[ policy_match ] 528countryName = match 529stateOrProvinceName = match 530organizationName = match 531organizationalUnitName = optional 532commonName = supplied 533emailAddress = optional 534[ req ] 535distinguished_name = req_distinguished_name 536[ req_distinguished_name ] 537countryName = Country Name 538countryName_default = JP 539countryName_min = 2 540countryName_max = 2 541stateOrProvinceName = State or Province Name 542stateOrProvinceName_default = Tokyo 543organizationName = Organization Name 544organizationName_default = TEST_DUMMY_COMPANY 545commonName = Common Name 546[ tsa ] 547default_tsa = tsa_config1 548[ tsa_config1 ] 549dir = ./$tsa_dir 550serial = \$dir/serial 551crypto_device = builtin 552digests = sha1, sha256, sha384, sha512 553default_policy = tsa_policy1 554other_policies = tsa_policy2, tsa_policy3 555[ tsa_ext ] 556keyUsage = critical,nonRepudiation 557extendedKeyUsage = critical,timeStamping 558[ ocsp_ext ] 559basicConstraints = CA:FALSE 560keyUsage = nonRepudiation,digitalSignature,keyEncipherment 561extendedKeyUsage = OCSPSigning 562__EOF__ 563 564 #---------#---------#---------#---------#---------#---------#--------- 565 566 # 567 # setup test CA 568 # 569 570 mkdir -p $ca_dir 571 mkdir -p $tsa_dir 572 mkdir -p $ocsp_dir 573 mkdir -p $server_dir 574 575 mkdir -p $ca_dir/certs 576 mkdir -p $ca_dir/private 577 mkdir -p $ca_dir/crl 578 mkdir -p $ca_dir/newcerts 579 chmod 
700 $ca_dir/private 580 echo "01" > $ca_dir/serial 581 touch $ca_dir/index.txt 582 touch $ca_dir/crlnumber 583 echo "01" > $ca_dir/crlnumber 584 585 # 586 # setup test TSA 587 # 588 mkdir -p $tsa_dir/private 589 chmod 700 $tsa_dir/private 590 echo "01" > $tsa_dir/serial 591 touch $tsa_dir/index.txt 592 593 # 594 # setup test OCSP 595 # 596 mkdir -p $ocsp_dir/private 597 chmod 700 $ocsp_dir/private 598 599 #---------#---------#---------#---------#---------#---------#--------- 600 601 # --- CA initiate (generate CA key and cert) --- 602 603 start_message "req ... generate CA key and self signed cert" 604 605 ca_cert=$ca_dir/ca_cert.pem 606 ca_key=$ca_dir/private/ca_key.pem ca_pass=test-ca-pass 607 608 if [ $mingw = 0 ] ; then 609 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testCA.test-dummy.com/' 610 else 611 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testCA.test-dummy.com\' 612 fi 613 614 $openssl_bin req -new -x509 -batch -newkey rsa:2048 \ 615 -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 \ 616 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \ 617 -config $ssldir/openssl.cnf -verbose \ 618 -subj $subj -days 1 -set_serial 1 -multivalue-rdn \ 619 -keyout $ca_key -passout pass:$ca_pass \ 620 -out $ca_cert -outform pem 621 check_exit_status $? 622 623 #---------#---------#---------#---------#---------#---------#--------- 624 625 # --- TSA initiate (generate TSA key and cert) --- 626 627 start_message "req ... generate TSA key and cert" 628 629 # generate CSR for TSA 630 631 tsa_csr=$tsa_dir/tsa_csr.pem 632 tsa_key=$tsa_dir/private/tsa_key.pem 633 tsa_pass=test-tsa-pass 634 635 if [ $mingw = 0 ] ; then 636 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testTSA.test-dummy.com/' 637 else 638 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testTSA.test-dummy.com\' 639 fi 640 641 $openssl_bin req -new -keyout $tsa_key -out $tsa_csr \ 642 -passout pass:$tsa_pass -subj $subj -asn1-kludge 643 check_exit_status $? 644 645 start_message "ca ... 
sign by CA with TSA extensions" 646 647 tsa_cert=$tsa_dir/tsa_cert.pem 648 649 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -keyform pem \ 650 -key $ca_pass -config $ssldir/openssl.cnf -create_serial \ 651 -policy policy_match -days 1 -md sha256 -extensions tsa_ext \ 652 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 \ 653 -multivalue-rdn -preserveDN -noemailDN \ 654 -in $tsa_csr -outdir $tsa_dir -out $tsa_cert -verbose -notext \ 655 > $tsa_cert.log 2>&1 656 check_exit_status $? 657 658 #---------#---------#---------#---------#---------#---------#--------- 659 660 # --- OCSP initiate (generate OCSP key and cert) --- 661 662 start_message "req ... generate OCSP key and cert" 663 664 # generate CSR for OCSP 665 666 ocsp_csr=$ocsp_dir/ocsp_csr.pem 667 ocsp_key=$ocsp_dir/private/ocsp_key.pem 668 669 if [ $mingw = 0 ] ; then 670 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testOCSP.test-dummy.com/' 671 else 672 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testOCSP.test-dummy.com\' 673 fi 674 675 $openssl_bin req -new -keyout $ocsp_key -nodes -out $ocsp_csr \ 676 -subj $subj -no-asn1-kludge 677 check_exit_status $? 678 679 start_message "ca ... sign by CA with OCSP extensions" 680 681 ocsp_cert=$ocsp_dir/ocsp_cert.pem 682 683 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -keyform pem \ 684 -key $ca_pass -out $ocsp_cert -extensions ocsp_ext \ 685 -startdate `date -u '+%y%m%d%H%M%SZ'` -enddate 491223235959Z \ 686 -subj $subj -infiles $ocsp_csr > $ocsp_cert.log 2>&1 687 check_exit_status $? 
688 689 #---------#---------#---------#---------#---------#---------#--------- 690 691 # --- server-admin operations (generate server key and csr) --- 692 section_message "server-admin operations (generate server key and csr)" 693 694 # RSA certificate 695 696 sv_rsa_key=$server_dir/sv_rsa_key.pem 697 sv_rsa_csr=$server_dir/sv_rsa_csr.pem 698 sv_rsa_pass=test-server-pass 699 700 if [ $mingw = 0 ] ; then 701 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=localhost.test-dummy.com/' 702 else 703 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=localhost.test-dummy.com\' 704 fi 705 706 start_message "genrsa ... generate server key#1" 707 708 $openssl_bin genrsa -aes256 -passout pass:$sv_rsa_pass -out $sv_rsa_key 709 check_exit_status $? 710 711 start_message "req ... generate server csr#1" 712 713 $openssl_bin req -new -subj $subj -sha256 \ 714 -key $sv_rsa_key -keyform pem -passin pass:$sv_rsa_pass \ 715 -addext 'subjectAltName = DNS:localhost.test-dummy.com' \ 716 -out $sv_rsa_csr -outform pem 717 check_exit_status $? 718 719 start_message "req ... verify server csr#1" 720 721 $openssl_bin req -verify -in $sv_rsa_csr -inform pem \ 722 -newhdr -noout -pubkey -subject -modulus -text \ 723 -nameopt multiline -reqopt compatible \ 724 -out $sv_rsa_csr.verify.out 725 check_exit_status $? 726 727 start_message "req ... generate server csr#2 (interactive mode)" 728 729 # RSA certificate (for revoke test) 730 731 revoke_key=$server_dir/revoke_key.pem 732 revoke_csr=$server_dir/revoke_csr.pem 733 revoke_pass=test-revoke-pass 734 735 $openssl_bin req -new -keyout $revoke_key -out $revoke_csr \ 736 -passout pass:$revoke_pass <<__EOF__ 737JP 738Tokyo 739TEST_DUMMY_COMPANY 740revoke.test-dummy.com 741__EOF__ 742 check_exit_status $? 
743 744 # ECDSA certificate 745 746 sv_ecdsa_key=$server_dir/sv_ecdsa_key.pem 747 sv_ecdsa_csr=$server_dir/sv_ecdsa_csr.pem 748 sv_ecdsa_pass=test-ecdsa-pass 749 750 if [ $mingw = 0 ] ; then 751 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=ecdsa.test-dummy.com/' 752 else 753 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=ecdsa.test-dummy.com\' 754 fi 755 756 start_message "ecparam ... generate server key#3" 757 758 $openssl_bin ecparam -name prime256v1 -genkey -out $sv_ecdsa_key 759 check_exit_status $? 760 761 start_message "req ... generate server csr#3" 762 763 $openssl_bin req -new -subj $subj -sha256 \ 764 -key $sv_ecdsa_key -keyform pem -passin pass:$sv_ecdsa_pass \ 765 -addext 'subjectAltName = DNS:ecdsa.test-dummy.com' \ 766 -out $sv_ecdsa_csr -outform pem 767 check_exit_status $? 768 769 start_message "req ... verify server csr#3" 770 771 $openssl_bin req -verify -in $sv_ecdsa_csr -inform pem \ 772 -newhdr -noout -pubkey -subject -modulus -text \ 773 -nameopt multiline -reqopt compatible \ 774 -out $sv_ecdsa_csr.verify.out 775 check_exit_status $? 776 777 # GOST certificate 778 779 sv_gost_key=$server_dir/sv_gost_key.pem 780 sv_gost_csr=$server_dir/sv_gost_csr.pem 781 sv_gost_pass=test-gost-pass 782 783 if [ $mingw = 0 ] ; then 784 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=gost.test-dummy.com/' 785 else 786 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=gost.test-dummy.com\' 787 fi 788 789 start_message "genpkey ... generate server key#4" 790 791 $openssl_bin genpkey -algorithm GOST2001 -pkeyopt paramset:A \ 792 -pkeyopt dgst:streebog512 -out $sv_gost_key 793 check_exit_status $? 794 795 start_message "req ... generate server csr#4" 796 797 $openssl_bin req -new -subj $subj -streebog512 \ 798 -key $sv_gost_key -keyform pem -passin pass:$sv_gost_pass \ 799 -addext 'subjectAltName = DNS:gost.test-dummy.com' \ 800 -out $sv_gost_csr -outform pem 801 check_exit_status $? 802 803 start_message "req ... 
verify server csr#4" 804 805 $openssl_bin req -verify -in $sv_gost_csr -inform pem \ 806 -newhdr -noout -pubkey -subject -modulus -text \ 807 -nameopt multiline -reqopt compatible \ 808 -out $sv_gost_csr.verify.out 809 check_exit_status $? 810 811 #---------#---------#---------#---------#---------#---------#--------- 812 813 # --- CA operations (issue cert for server) --- 814 section_message "CA operations (issue cert for server)" 815 816 start_message "ca ... issue cert for server csr#1" 817 818 sv_rsa_cert=$server_dir/sv_rsa_cert.pem 819 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 820 -in $sv_rsa_csr -out $sv_rsa_cert > $sv_rsa_cert.log 2>&1 821 check_exit_status $? 822 823 start_message "x509 ... issue cert for server csr#2" 824 825 revoke_cert=$server_dir/revoke_cert.pem 826 $openssl_bin x509 -req -in $revoke_csr -CA $ca_cert -CAform pem \ 827 -CAkey $ca_key -CAkeyform pem \ 828 -CAserial $ca_dir/serial -set_serial 10 \ 829 -passin pass:$ca_pass -CAcreateserial -out $revoke_cert \ 830 > $revoke_cert.log 2>&1 831 check_exit_status $? 832 833 start_message "ca ... issue cert for server csr#3" 834 835 sv_ecdsa_cert=$server_dir/sv_ecdsa_cert.pem 836 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 837 -in $sv_ecdsa_csr -out $sv_ecdsa_cert > $sv_ecdsa_cert.log 2>&1 838 check_exit_status $? 839 840 start_message "ca ... issue cert for server csr#4" 841 842 sv_gost_cert=$server_dir/sv_gost_cert.pem 843 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 844 -in $sv_gost_csr -out $sv_gost_cert > $sv_gost_cert.log 2>&1 845 check_exit_status $? 846 847 #---------#---------#---------#---------#---------#---------#--------- 848 849 # --- CA operations (revoke cert and generate crl) --- 850 section_message "CA operations (revoke cert and generate crl)" 851 852 start_message "ca ... 
revoke server cert#2" 853 crl_file=$ca_dir/crl.pem 854 $openssl_bin ca -gencrl -out $crl_file -revoke $revoke_cert \ 855 -config $ssldir/openssl.cnf -name CA_default \ 856 -crldays 30 -crlhours 12 -crlsec 30 -updatedb \ 857 -crl_reason unspecified -crl_hold 1.2.840.10040.2.2 \ 858 -crl_compromise `date -u '+%Y%m%d%H%M%SZ'` \ 859 -crl_CA_compromise `date -u '+%Y%m%d%H%M%SZ'` \ 860 -keyfile $ca_key -passin pass:$ca_pass -cert $ca_cert \ 861 > $crl_file.log 2>&1 862 check_exit_status $? 863 864 start_message "ca ... show certificate status by serial number" 865 $openssl_bin ca -config $ssldir/openssl.cnf -status 1 866 867 start_message "crl ... CA generates CRL" 868 $openssl_bin crl -in $crl_file -fingerprint >> $crl_file.log 2>&1 869 check_exit_status $? 870 871 crl_p7=$ca_dir/crl.p7 872 start_message "crl2pkcs7 ... convert CRL to pkcs7" 873 $openssl_bin crl2pkcs7 -in $crl_file -certfile $ca_cert -out $crl_p7 874 check_exit_status $? 875 876 #---------#---------#---------#---------#---------#---------#--------- 877 878 # --- server-admin operations (check csr, verify cert, certhash) --- 879 section_message "server-admin operations (check csr, verify cert, certhash)" 880 881 start_message "asn1parse ... parse server csr#1" 882 $openssl_bin asn1parse -in $sv_rsa_csr -i -dlimit 100 -length 1000 \ 883 -strparse 01 > $sv_rsa_csr.asn1parse.out 884 check_exit_status $? 885 886 start_message "verify ... server cert#1" 887 $openssl_bin verify -verbose -CAfile $ca_cert -CRLfile $crl_file \ 888 -crl_check -issuer_checks -purpose sslserver $sv_rsa_cert 889 check_exit_status $? 890 891 start_message "x509 ... 
get detail info about server cert#1" 892 $openssl_bin x509 -in $sv_rsa_cert -text -C -dates -startdate -enddate \ 893 -fingerprint -issuer -issuer_hash -issuer_hash_old \ 894 -subject -hash -subject_hash -subject_hash_old -ocsp_uri \ 895 -ocspid -modulus -pubkey -serial -email -noout -trustout \ 896 -alias -clrtrust -clrreject -next_serial -checkend 3600 \ 897 -nameopt multiline -certopt compatible > $sv_rsa_cert.x509.out 898 check_exit_status $? 899 900 if [ $mingw = 0 ] ; then 901 start_message "certhash" 902 $openssl_bin certhash -v $server_dir \ 903 > $server_dir/certhash.log 2>&1 904 check_exit_status $? 905 fi 906 907 # self signed 908 start_message "x509 ... generate self signed server cert" 909 server_self_cert=$server_dir/server_self_cert.pem 910 $openssl_bin x509 -in $sv_rsa_cert -signkey $sv_rsa_key -keyform pem \ 911 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \ 912 -passin pass:$sv_rsa_pass -out $server_self_cert -days 1 913 check_exit_status $? 914 915 #---------#---------#---------#---------#---------#---------#--------- 916 917 # --- Netscape SPKAC operations --- 918 section_message "Netscape SPKAC operations" 919 920 # server-admin generates SPKAC 921 922 start_message "spkac" 923 spkacfile=$server_dir/spkac.file 924 925 $openssl_bin spkac -key $genpkey_rsa -challenge hello -out $spkacfile 926 check_exit_status $? 927 928 $openssl_bin spkac -in $spkacfile -verify -out $spkacfile.out 929 check_exit_status $? 930 931 spkacreq=$server_dir/spkac.req 932 cat << __EOF__ > $spkacreq 933countryName = JP 934stateOrProvinceName = Tokyo 935organizationName = TEST_DUMMY_COMPANY 936commonName = spkac.test-dummy.com 937__EOF__ 938 cat $spkacfile >> $spkacreq 939 940 # CA signs SPKAC 941 start_message "ca ... CA signs SPKAC csr" 942 spkaccert=$server_dir/spkac.cert 943 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 944 -spkac $spkacreq -out $spkaccert > $spkaccert.log 2>&1 945 check_exit_status $? 946 947 start_message "x509 ... 
convert DER format SPKAC cert to PEM" 948 spkacpem=$server_dir/spkac.pem 949 $openssl_bin x509 -in $spkaccert -inform DER -out $spkacpem -outform PEM 950 check_exit_status $? 951 952 # server-admin cert verify 953 954 start_message "nseq" 955 $openssl_bin nseq -in $spkacpem -toseq -out $spkacpem.nseq 956 check_exit_status $? 957 958 #---------#---------#---------#---------#---------#---------#--------- 959 960 # --- user1 operations (generate user1 key and csr) --- 961 section_message "user1 operations (generate user1 key and csr)" 962 963 # trust 964 start_message "x509 ... trust testCA cert" 965 user1_trust=$user1_dir/user1_trust_ca.pem 966 $openssl_bin x509 -in $ca_cert -addtrust clientAuth \ 967 -setalias "trusted testCA" -purpose -out $user1_trust \ 968 > $user1_trust.log 2>&1 969 check_exit_status $? 970 971 start_message "req ... generate private key and csr for user1" 972 973 cl_rsa_key=$user1_dir/cl_rsa_key.pem 974 cl_rsa_csr=$user1_dir/cl_rsa_csr.pem 975 cl_rsa_pass=test-user1-pass 976 977 if [ $mingw = 0 ] ; then 978 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user1.test-dummy.com/' 979 else 980 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user1.test-dummy.com\' 981 fi 982 983 $openssl_bin req -new -keyout $cl_rsa_key -out $cl_rsa_csr \ 984 -passout pass:$cl_rsa_pass -subj $subj > $cl_rsa_csr.log 2>&1 985 check_exit_status $? 986 987 start_message "req ... generate private key and csr for user2" 988 989 cl_ecdsa_key=$user1_dir/cl_ecdsa_key.pem 990 cl_ecdsa_csr=$user1_dir/cl_ecdsa_csr.pem 991 cl_ecdsa_pass=test-user1-pass 992 993 if [ $mingw = 0 ] ; then 994 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user2.test-dummy.com/' 995 else 996 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user2.test-dummy.com\' 997 fi 998 999 $openssl_bin ecparam -name prime256v1 -genkey -out $cl_ecdsa_key 1000 check_exit_status $? 
1001 1002 $openssl_bin req -new -subj $subj -sha256 \ 1003 -key $cl_ecdsa_key -keyform pem -passin pass:$cl_ecdsa_pass \ 1004 -out $cl_ecdsa_csr -outform pem 1005 check_exit_status $? 1006 1007 start_message "req ... generate private key and csr for user3" 1008 1009 cl_gost_key=$user1_dir/cl_gost_key.pem 1010 cl_gost_csr=$user1_dir/cl_gost_csr.pem 1011 cl_gost_pass=test-user1-pass 1012 1013 if [ $mingw = 0 ] ; then 1014 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user3.test-dummy.com/' 1015 else 1016 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user3.test-dummy.com\' 1017 fi 1018 1019 $openssl_bin genpkey -algorithm GOST2001 -pkeyopt paramset:A \ 1020 -pkeyopt dgst:streebog512 -out $cl_gost_key 1021 check_exit_status $? 1022 1023 $openssl_bin req -new -subj $subj -streebog512 \ 1024 -key $cl_gost_key -keyform pem -passin pass:$cl_gost_pass \ 1025 -out $cl_gost_csr -outform pem 1026 check_exit_status $? 1027 1028 #---------#---------#---------#---------#---------#---------#--------- 1029 1030 # --- CA operations (issue cert for user1) --- 1031 section_message "CA operations (issue cert for user1)" 1032 1033 start_message "ca ... issue cert for user1" 1034 1035 cl_rsa_cert=$user1_dir/cl_rsa_cert.pem 1036 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 1037 -in $cl_rsa_csr -out $cl_rsa_cert > $cl_rsa_cert.log 2>&1 1038 check_exit_status $? 1039 1040 start_message "ca ... issue cert for user2" 1041 1042 cl_ecdsa_cert=$user1_dir/cl_ecdsa_cert.pem 1043 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 1044 -in $cl_ecdsa_csr -out $cl_ecdsa_cert > $cl_ecdsa_cert.log 2>&1 1045 check_exit_status $? 1046 1047 start_message "ca ... issue cert for user3" 1048 1049 cl_gost_cert=$user1_dir/cl_gost_cert.pem 1050 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 1051 -in $cl_gost_csr -out $cl_gost_cert > $cl_gost_cert.log 2>&1 1052 check_exit_status $? 
}

# Write the fixed three-line sample message that the TSA, CMS and S/MIME
# tests use as their plaintext.
# Arguments: $1 - path of the file to create (overwritten if present)
write_sample_message() {
	printf 'Hello Bob,\nSincerely yours\nAlice\n' > "$1"
}

# --- TSA operations ---
# Time-stamp a sample file: build a query, answer it with the test TSA
# (tsa_key/tsa_cert/tsa_pass and section tsa_config1 of $ssldir/openssl.cnf,
# all prepared earlier in the script) and verify the reply against ca_cert.
# Globals:  reads openssl_bin, user1_dir, ssldir, tsa_key, tsa_cert,
#           tsa_pass, ca_cert; writes tsa_dat, tsa_tsq, tsa_tsr
# Outputs:  files under $user1_dir; progress on stdout
# Exits:    via check_exit_status on the first failing command
test_tsa() {
	section_message "TSA operations"

	tsa_dat=$user1_dir/tsa.dat
	write_sample_message "$tsa_dat"

	# Query (the request digest is SHA-1 because that option is what this
	# step exercises)
	start_message "ts ... create time stamp request"

	tsa_tsq=$user1_dir/tsa.tsq

	"$openssl_bin" ts -query -sha1 -data "$tsa_dat" -no_nonce -out "$tsa_tsq"
	check_exit_status $?

	start_message "ts ... print time stamp request"

	"$openssl_bin" ts -query -in "$tsa_tsq" -text -out "$tsa_tsq.log"
	check_exit_status $?

	# Reply
	start_message "ts ... create time stamp response for a request"

	tsa_tsr=$user1_dir/tsa.tsr

	"$openssl_bin" ts -reply -queryfile "$tsa_tsq" -inkey "$tsa_key" \
		-passin "pass:$tsa_pass" -signer "$tsa_cert" -chain "$ca_cert" \
		-config "$ssldir/openssl.cnf" -section tsa_config1 -cert \
		-policy 1.3.6.1.4.1.4146.2.3 -out "$tsa_tsr"
	check_exit_status $?

	# Verify: the TSA cert is only -untrusted, so trust has to come from
	# ca_cert.
	start_message "ts ... verify time stamp response"

	"$openssl_bin" ts -verify -queryfile "$tsa_tsq" -in "$tsa_tsr" \
		-CAfile "$ca_cert" -untrusted "$tsa_cert"
	check_exit_status $?
}

# --- CMS operations ---
# Walks the cms sub-commands: sign (RSA-PSS, with a receipt request),
# encrypt to the server cert (OAEP), decrypt, verify with the strict chain
# options, then cmsout/data_*/digest_*/EncryptedData_*, receipt signing and
# verification, and password-based (pwri) encryption.  Every output file is
# named cms.<ext> under $user1_dir.
# Globals:  reads openssl_bin, user1_dir, ca_cert, cl_rsa_cert, cl_rsa_key,
#           cl_rsa_pass, sv_rsa_cert, sv_rsa_key, sv_rsa_pass;
#           writes the cms_* path variables
# Exits:    via check_exit_status on the first failing command
test_cms() {
	section_message "CMS operations"

	cms_txt=$user1_dir/cms.txt
	cms_sig=$user1_dir/cms.sig
	cms_enc=$user1_dir/cms.enc
	cms_dec=$user1_dir/cms.dec
	cms_sgr=$user1_dir/cms.sgr
	cms_ver=$user1_dir/cms.ver
	cms_out=$user1_dir/cms.out
	cms_dct=$user1_dir/cms.dct
	cms_dot=$user1_dir/cms.dot
	cms_dgc=$user1_dir/cms.dgc
	cms_dgv=$user1_dir/cms.dgv
	cms_ede=$user1_dir/cms.ede
	cms_edd=$user1_dir/cms.edd
	cms_srp=$user1_dir/cms.srp
	cms_pwe=$user1_dir/cms.pwe
	cms_pwd=$user1_dir/cms.pwd

	write_sample_message "$cms_txt"

	# sign: user1 signs with RSA-PSS and asks the server for a signed receipt
	start_message "cms ... sign to message"

	"$openssl_bin" cms -sign -in "$cms_txt" -text \
		-out "$cms_sig" -outform smime \
		-signer "$cl_rsa_cert" -inkey "$cl_rsa_key" -keyform pem \
		-keyopt rsa_padding_mode:pss \
		-passin "pass:$cl_rsa_pass" -md sha256 \
		-from user1@test-dummy.com -to server@test-dummy.com \
		-subject "test openssl cms" \
		-receipt_request_from server@test-dummy.com \
		-receipt_request_to user1@test-dummy.com
	check_exit_status $?

	# encrypt: the signed message is wrapped for the server cert (RSA-OAEP)
	start_message "cms ... encrypt message"

	"$openssl_bin" cms -encrypt -aes256 -binary -in "$cms_sig" -inform smime \
		-recip "$sv_rsa_cert" -keyopt rsa_padding_mode:oaep \
		-out "$cms_enc"
	check_exit_status $?

	# decrypt: the server side unwraps it again
	start_message "cms ... decrypt message"

	"$openssl_bin" cms -decrypt -in "$cms_enc" -out "$cms_dec" \
		-recip "$sv_rsa_cert" -inkey "$sv_rsa_key" -passin "pass:$sv_rsa_pass"
	check_exit_status $?

	# verify: -nointern restricts signer certs to the one given with
	# -certfile, and the chain is checked with the strict options
	start_message "cms ... verify message"

	"$openssl_bin" cms -verify -in "$cms_dec" \
		-CAfile "$ca_cert" -certfile "$cl_rsa_cert" -nointern \
		-check_ss_sig -issuer_checks -policy_check -x509_strict \
		-signer "$cms_sgr" -text -out "$cms_ver" -receipt_request_print \
		> "$cms_ver.log" 2>&1
	check_exit_status $?

	# the verified payload must equal the original (whitespace ignored)
	diff -b "$cms_ver" "$cms_txt"
	check_exit_status $?

	# cmsout
	start_message "cms ... cmsout"

	"$openssl_bin" cms -cmsout -in "$cms_enc" -print -out "$cms_out"
	check_exit_status $?

	# data_create
	start_message "cms ... data_create"

	"$openssl_bin" cms -data_create -in "$cms_enc" -out "$cms_dct"
	check_exit_status $?

	# data_out
	start_message "cms ... data_out"

	"$openssl_bin" cms -data_out -in "$cms_dct" -out "$cms_dot"
	check_exit_status $?

	# digest_create
	start_message "cms ... digest_create"

	"$openssl_bin" cms -digest_create -in "$cms_txt" -md sha256 -out "$cms_dgc"
	check_exit_status $?

	# digest_verify
	start_message "cms ... digest_verify"

	"$openssl_bin" cms -digest_verify -in "$cms_dgc" -md sha256 -out "$cms_dgv"
	check_exit_status $?

	diff -b "$cms_dgv" "$cms_txt"
	check_exit_status $?

	# compress / uncompress: not exercised

	# EncryptedData_encrypt: symmetric only; the key is a fixed test value
	start_message "cms ... EncryptedData_encrypt"

	"$openssl_bin" cms -EncryptedData_encrypt -in "$cms_sig" -out "$cms_ede" \
		-aes128 -secretkey 00112233445566778899aabbccddeeff
	check_exit_status $?

	# EncryptedData_decrypt
	start_message "cms ... EncryptedData_decrypt"

	"$openssl_bin" cms -EncryptedData_decrypt -in "$cms_ede" -out "$cms_edd" \
		-aes128 -secretkey 00112233445566778899aabbccddeeff
	check_exit_status $?

	diff -b "$cms_edd" "$cms_sig"
	check_exit_status $?

	# sign_receipt: the server answers the receipt request from the sign step
	start_message "cms ... sign to receipt"

	"$openssl_bin" cms -sign_receipt -in "$cms_sig" -out "$cms_srp" \
		-signer "$sv_rsa_cert" -inkey "$sv_rsa_key" \
		-passin "pass:$sv_rsa_pass" -md sha256
	check_exit_status $?

	# verify_receipt
	start_message "cms ... verify receipt"

	"$openssl_bin" cms -verify_receipt "$cms_srp" -rctform smime -in "$cms_sig" \
		-CAfile "$ca_cert" -certfile "$sv_rsa_cert"
	check_exit_status $?

	# encrypt with pwri (password recipient; fixed test password)
	start_message "cms ... encrypt with pwri"

	"$openssl_bin" cms -encrypt -camellia256 -in "$cms_txt" -out "$cms_pwe" \
		-pwri_password abcdefg
	check_exit_status $?

	# decrypt with pwri
	start_message "cms ... decrypt with pwri"

	"$openssl_bin" cms -decrypt -camellia256 -in "$cms_pwe" -out "$cms_pwd" \
		-pwri_password abcdefg
	check_exit_status $?

	diff -b "$cms_pwd" "$cms_txt"
	check_exit_status $?
}

# --- S/MIME operations ---
# Same round trip through the older smime command: encrypt to the server
# cert, sign as user1, extract the PKCS#7 blob, verify, decrypt and compare
# with the original text.  The closing brace of this function lies beyond
# the end of this span.
# Globals:  reads openssl_bin, user1_dir, ca_cert, cl_rsa_cert, cl_rsa_key,
#           cl_rsa_pass, sv_rsa_cert, sv_rsa_key, sv_rsa_pass;
#           writes the smime_* path variables
# Exits:    via check_exit_status on the first failing command
test_smime() {
	section_message "S/MIME operations"

	smime_txt=$user1_dir/smime.txt
	smime_enc=$user1_dir/smime.enc
	smime_sig=$user1_dir/smime.sig
	smime_p7o=$user1_dir/smime.p7o
	smime_sgr=$user1_dir/smime.sgr
	smime_ver=$user1_dir/smime.ver
	smime_dec=$user1_dir/smime.dec

	write_sample_message "$smime_txt"

	# encrypt: recipient cert is the trailing positional argument
	start_message "smime ... encrypt message"

	"$openssl_bin" smime -encrypt -aes256 -binary -in "$smime_txt" \
		-out "$smime_enc" "$sv_rsa_cert"
	check_exit_status $?

	# sign (over the already encrypted message)
	start_message "smime ... sign to message"

	"$openssl_bin" smime -sign -in "$smime_enc" -text -inform smime \
		-out "$smime_sig" -outform smime \
		-signer "$cl_rsa_cert" -inkey "$cl_rsa_key" -keyform pem \
		-passin "pass:$cl_rsa_pass" -md sha256 \
		-from user1@test-dummy.com -to server@test-dummy.com \
		-subject "test openssl smime"
	check_exit_status $?

	# pk7out
	start_message "smime ... pk7out from message"

	"$openssl_bin" smime -pk7out -in "$smime_sig" -out "$smime_p7o"
	check_exit_status $?

	# verify: same strict chain options as the CMS test
	start_message "smime ... verify message"

	"$openssl_bin" smime -verify -in "$smime_sig" \
		-CAfile "$ca_cert" -certfile "$cl_rsa_cert" -nointern \
		-check_ss_sig -issuer_checks -policy_check -x509_strict \
		-signer "$smime_sgr" -text -out "$smime_ver"
	check_exit_status $?

	# decrypt what came out of the verify step
	start_message "smime ... decrypt message"

	"$openssl_bin" smime -decrypt -in "$smime_ver" -out "$smime_dec" \
		-recip "$sv_rsa_cert" -inkey "$sv_rsa_key" -passin "pass:$sv_rsa_pass"
	check_exit_status $?

	# here the comparison is exact (no -b)
	diff "$smime_dec" "$smime_txt"
	check_exit_status $?
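}

# --- OCSP operations ---
# Builds an OCSP request for the server and revoked test certs, answers it
# offline from the CA index, then runs a one-shot OCSP responder on
# localhost:8888, queries it over HTTP and parses the saved answer.
# Globals:  reads openssl_bin, user1_dir, ca_dir, ca_cert, sv_rsa_cert,
#           revoke_cert, cl_rsa_key, cl_rsa_cert, cl_rsa_pass, ocsp_cert,
#           ocsp_key; writes cl_rsa_key_nopass, ocsp_req, ocsp_res,
#           ocsp_port, ocsp_svr_log, ocsp_svr_pid, ocsp_qry
# Exits:    via check_exit_status on the first failing step
test_ocsp() {
	section_message "OCSP operations"

	# get key without pass: the request below is signed with an unencrypted
	# copy of the user1 key.  That copy stays in $user1_dir in the clear for
	# the rest of the run (test material, but worth knowing).
	cl_rsa_key_nopass=$user1_dir/cl_rsa_key_nopass.pem
	"$openssl_bin" pkey -in "$cl_rsa_key" -passin "pass:$cl_rsa_pass" \
		-out "$cl_rsa_key_nopass"
	check_exit_status $?

	# request: status of the server cert, the revoked cert and serial 1,
	# with a nonce, signed by user1
	start_message "ocsp ... create OCSP request"

	ocsp_req=$user1_dir/ocsp_req.der
	"$openssl_bin" ocsp -issuer "$ca_cert" -cert "$sv_rsa_cert" \
		-cert "$revoke_cert" -serial 1 -nonce -no_certs -CAfile "$ca_cert" \
		-signer "$cl_rsa_cert" -signkey "$cl_rsa_key_nopass" \
		-sign_other "$cl_rsa_cert" -sha256 \
		-reqout "$ocsp_req" -req_text -out "$ocsp_req.out"
	check_exit_status $?

	# response: answered locally from the CA's index.txt and signed with the
	# responder key; -noverify turns verification off for this step
	start_message "ocsp ... create OCSP response for a request"

	ocsp_res=$user1_dir/ocsp_res.der
	"$openssl_bin" ocsp -index "$ca_dir/index.txt" -CA "$ca_cert" \
		-CAfile "$ca_cert" -rsigner "$ocsp_cert" -rkey "$ocsp_key" \
		-reqin "$ocsp_req" -rother "$ocsp_cert" -resp_no_certs -noverify \
		-nmin 60 -validity_period 300 -status_age 300 \
		-respout "$ocsp_res" -resp_text -out "$ocsp_res.out"
	check_exit_status $?

	# ocsp server: -nrequest 1 makes it exit after serving one request, which
	# is why nothing stops it explicitly later
	start_message "ocsp ... start OCSP server in background"

	ocsp_port=8888

	ocsp_svr_log=$user1_dir/ocsp_svr.log
	"$openssl_bin" ocsp -index "$ca_dir/index.txt" -CA "$ca_cert" \
		-CAfile "$ca_cert" -rsigner "$ocsp_cert" -rkey "$ocsp_key" \
		-host localhost -port "$ocsp_port" -path / -ndays 1 -nrequest 1 \
		-resp_key_id -text -out "$ocsp_svr_log" &
	ocsp_svr_pid=$!
	echo "ocsp server pid = [ $ocsp_svr_pid ]"
	sleep 1

	# "$?" right after "&" is always 0, so checking it proved nothing.
	# Instead confirm the responder is still alive after a second: a port
	# already in use or a bad option makes it exit immediately.  (Best
	# effort: a child that died but was not yet reaped can still answer.)
	kill -0 "$ocsp_svr_pid" 2> /dev/null
	check_exit_status $?

	# send query to ocsp server: this run verifies the answer normally
	# (-CAfile, no -no_* flags)
	start_message "ocsp ... send OCSP request to server"

	ocsp_qry=$user1_dir/ocsp_qry.der
	"$openssl_bin" ocsp -issuer "$ca_cert" -cert "$sv_rsa_cert" \
		-cert "$revoke_cert" -CAfile "$ca_cert" -no_nonce \
		-url "http://localhost:$ocsp_port" -timeout 10 -text \
		-header Host localhost \
		-respout "$ocsp_qry" -out "$ocsp_qry.out"
	check_exit_status $?

	# verify response from server.  Every -no_* flag here switches a check
	# off (signature, certificate, chain, ...), so this step exercises
	# option handling and parsing of the saved response; it does not by
	# itself establish that the response is genuine.
	start_message "ocsp ... verify OCSP response from server"

	"$openssl_bin" ocsp -respin "$ocsp_qry" -CAfile "$ca_cert" \
		-ignore_err -no_signature_verify -no_cert_verify -no_chain \
		-no_cert_checks -no_explicit -trust_other -no_intern \
		-verify_other "$ocsp_cert" -VAfile "$ocsp_cert"
	check_exit_status $?
}

# --- PKCS operations ---
# Round-trips material through PKCS#7 (certs from the CRL bundle), PKCS#8
# (user1 key, encrypted then DER) and PKCS#12 (server cert + key + chain).
# Globals:  reads openssl_bin, crl_p7, cl_rsa_key, cl_rsa_pass, sv_rsa_cert,
#           sv_rsa_key, sv_rsa_pass, ca_cert; writes pkcs_pass
# Exits:    via check_exit_status on the first failing step
test_pkcs() {
	section_message "PKCS operations"

	pkcs_pass=test-pkcs-pass

	start_message "pkcs7 ... output certs in crl(pkcs7)"
	"$openssl_bin" pkcs7 -in "$crl_p7" -print_certs -text -out "$crl_p7.out"
	check_exit_status $?

	# The -v1 PBE and DES-based -v2 scheme are here for option coverage;
	# they are legacy algorithms, not a recommended way to protect a key.
	start_message "pkcs8 ... convert key to pkcs8"
	"$openssl_bin" pkcs8 -in "$cl_rsa_key" -topk8 -out "$cl_rsa_key.p8" \
		-passin "pass:$cl_rsa_pass" -passout "pass:$cl_rsa_pass" \
		-v1 pbeWithSHA1AndDES-CBC -v2 des3
	check_exit_status $?

	start_message "pkcs8 ... convert pkcs8 to key in DER format"
	"$openssl_bin" pkcs8 -in "$cl_rsa_key.p8" -passin "pass:$cl_rsa_pass" \
		-outform DER -out "$cl_rsa_key.p8.der"
	check_exit_status $?

	# pkcs12: AES-256-CBC for both the cert and key bags, SHA-256 MAC
	start_message "pkcs12 ... create"
	"$openssl_bin" pkcs12 -export -in "$sv_rsa_cert" -inkey "$sv_rsa_key" \
		-passin "pass:$sv_rsa_pass" -certfile "$ca_cert" -CAfile "$ca_cert" \
		-caname "caname_server_p12" \
		-certpbe AES-256-CBC -keypbe AES-256-CBC -chain \
		-name "name_server_p12" -des3 -maciter -macalg sha256 \
		-CSP "csp_server_p12" -LMK -keyex \
		-passout "pass:$pkcs_pass" -out "$sv_rsa_cert.p12"
	check_exit_status $?

	start_message "pkcs12 ... verify"
	"$openssl_bin" pkcs12 -in "$sv_rsa_cert.p12" -passin "pass:$pkcs_pass" -info \
		-noout > "$sv_rsa_cert.p12.log" 2>&1
	check_exit_status $?

	# -nodes/-nomacver: the private key is written unencrypted to
	# $sv_rsa_cert.p12.pem and the MAC is not checked on the way
	start_message "pkcs12 ... private key to PEM without encryption"
	"$openssl_bin" pkcs12 -in "$sv_rsa_cert.p12" -password "pass:$pkcs_pass" \
		-nocerts -nomacver -nodes -out "$sv_rsa_cert.p12.pem"
	check_exit_status $?
}

# Connect with s_client forced to one protocol version and check what the
# running test server negotiated.  The body of this function continues past
# the end of this span.
# Arguments: $1 - server/client build pair id (sc)
#            $2 - version option without the dash (tls1, tls1_1, tls1_2,
#                 tls1_3)
#            $3 - regex for the "Protocol :" line expected in the output
#            $4 - client build id (c_id)
# Globals:   reads gost_tests, user1_dir, c_bin, host, port, ca_cert,
#            test_pause_sec; writes sc, ver, msg, cid, groups_and_cipher,
#            s_client_out
# Exits:     via check_exit_status on the first failing step
test_sc_by_protocol_version() {
	sc=$1
	ver=$2
	msg=$3
	cid=$4

	# GOST runs only cover the build-under-test pair (sc = 00) and never
	# TLSv1.3
	if [ "$gost_tests" = 1 ] && { [ "$ver" = "tls1_3" ] || [ "$sc" != 00 ]; } ; then
		return
	fi

	# For TLSv1.3 offer P-521 first: the server (see test_server_client) is
	# started with -groups X25519:P-384:P-256, so it has to answer with a
	# HelloRetryRequest before the handshake settles on P-384.
	groups_and_cipher=""
	if [ "$ver" = "tls1_3" ] ; then
		# Expect HelloRetryRequest
		groups_and_cipher="-groups P-521:P-384 -cipher ALL"
	fi

	s_client_out=$user1_dir/s_client_${sc}_${ver}.out

	start_message "s_client ... connect to TLS/SSL test server by $ver"
	sleep "$test_pause_sec"
	# $groups_and_cipher is deliberately unquoted: it expands to several
	# arguments or to nothing at all.
	"$c_bin" s_client -connect "$host:$port" -CAfile "$ca_cert" \
		"-$ver" $groups_and_cipher \
		-msg -tlsextdebug < /dev/null > "$s_client_out" 2>&1
	check_exit_status $?

	# check downgrade bits in SH: a TLS 1.3-capable server that negotiates a
	# lower version ends ServerHello.random with "DOWNGRD" (44 4f 57 4e 47
	# 52 44) followed by 00 for TLS 1.1 and below or 01 for TLS 1.2 (RFC 8446
	# section 4.1.3).  The -msg hex dump wraps the line between "44 4f" and
	# "57 4e", hence the \n in the patterns.  A TLSv1.3 handshake must not
	# carry the sentinel at all.
	if [ "$ver" = "tls1" ] || [ "$ver" = "tls1_1" ] ; then
		perl -0ne \
		    'exit (!/ServerHello\n.*\n.*44 4f\n.*57 4e 47 52 44 00/m)' \
		    "$s_client_out"
		check_exit_status $?
	elif [ "$ver" = "tls1_2" ] ; then
		perl -0ne \
		    'exit (!/ServerHello\n.*\n.*44 4f\n.*57 4e 47 52 44 01/m)' \
		    "$s_client_out"
		check_exit_status $?
	elif [ "$ver" = "tls1_3" ] ; then
		perl -0ne \
		    'exit (/ServerHello\n.*\n.*44 4f\n.*57 4e 47 52 44/m)' \
		    "$s_client_out"
		check_exit_status $?
	fi

	# check HRR hash: a HelloRetryRequest is a ServerHello whose random is
	# the fixed value from RFC 8446 section 4.1.3; finding it in the dump
	# proves the group retry actually happened
	if [ "$ver" = "tls1_3" ] ; then
		perl -0ne \
		    'exit (!/ServerHello\n.*cf 21 ad 74 e5 9a 61 11 be 1d\n.*8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e\n.*09 e2 c8 a8 33 9c/m)' \
		    "$s_client_out"
		check_exit_status $?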
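	fi

	# Only P-384 is common to the client offer (P-521:P-384) and the
	# server's X25519:P-384:P-256, so that is the group that must show up.
	if [ "$ver" = "tls1_3" ] ; then
		grep 'Server Temp Key: ECDH, P-384, 384 bits' "$s_client_out" \
		    > /dev/null
		check_exit_status $?
	fi

	# OpenSSL1.1.1 with TLSv1.3 does not call SSL_SESSION_print() until
	# NewSessionTicket arrival, so the "Protocol :" line is not expected when
	# the client is the other build (cid = 1) and the version is tls1_3.
	if ! { [ "$cid" = "1" ] && [ "$ver" = "tls1_3" ]; } ; then
		grep "$msg" "$s_client_out" > /dev/null
		check_exit_status $?
	fi

	grep 'Verify return code: 0 (ok)' "$s_client_out" > /dev/null
	check_exit_status $?
}

# Shared early-exit test for the s_client sub-tests below: when GOST tests
# are selected, only the build-under-test pair (sc = 00) is exercised and
# TLSv1.3 is skipped.
# Arguments: $1 - server/client build pair id, $2 - protocol version option
# Returns:   0 when the combination must be skipped, 1 when it is to be run
sc_test_skipped() {
	[ "$gost_tests" = 1 ] || return 1
	[ "$2" = "tls1_3" ] && return 0
	[ "$1" != 00 ]
}

# Cipher string for `openssl ciphers -v` on one peer.  Build id "0" is the
# build under test and gets an explicit list matching the selected test
# mode; any other build prints nothing, so its own default list is used.
# Arguments: $1 - build id ("0" or other)
# Globals:   reads ecdsa_tests, gost_tests
# Outputs:   the cipher string on stdout, or nothing
sc_cipher_string() {
	if [ "$1" != "0" ] ; then
		return 0
	fi
	if [ "$ecdsa_tests" = 1 ] ; then
		echo "ECDSA+TLSv1.2:!TLSv1.3"
	elif [ "$gost_tests" = 1 ] ; then
		echo "kGOST:!NULL:!TLSv1.3"
	else
		echo "ALL:!ECDSA:!kGOST:!TLSv1.3"
	fi
}

# Connect once per cipher that both builds support for the given version and
# check that s_client reports exactly that cipher and a clean verification.
# Arguments: $1 - server/client build pair id (sc), $2 - version option
# Globals:   reads gost_tests, ecdsa_tests, s_id, c_id, s_bin, c_bin,
#            server_dir, user1_dir, host, port, ca_cert, test_pause_sec;
#            writes sc, ver, copt, ciphers, s_ciph, c_ciph, cipher_string,
#            cnum, cnstr, s_client_out
# Exits:     via check_exit_status on the first failing step
test_sc_all_cipher() {
	sc=$1
	ver=$2

	if sc_test_skipped "$sc" "$ver" ; then
		return
	fi

	# Option that carries the cipher on the s_client command line: the other
	# build selects TLSv1.3 suites with -ciphersuites and uses the TLS_*
	# names, the build under test takes the AEAD-* names via -cipher.
	copt=cipher
	ciphers=$user1_dir/ciphers_${sc}_${ver}

	if [ "$ver" = "tls1_3" ] ; then
		if [ "$c_id" = "0" ] ; then
			printf '%s\n' AEAD-AES256-GCM-SHA384 \
			    AEAD-CHACHA20-POLY1305-SHA256 \
			    AEAD-AES128-GCM-SHA256 > "$ciphers"
		else
			printf '%s\n' TLS_AES_256_GCM_SHA384 \
			    TLS_CHACHA20_POLY1305_SHA256 \
			    TLS_AES_128_GCM_SHA256 > "$ciphers"
			copt=ciphersuites
		fi
	else
		# Below TLSv1.3: intersect what the server build and the client
		# build list for their cipher string, in random order (sort -R).
		# $cipher_string is deliberately unquoted so that an empty value
		# adds no argument and the build's default list applies.
		s_ciph=$server_dir/s_ciph_${sc}_${ver}
		cipher_string=$(sc_cipher_string "$s_id")
		"$s_bin" ciphers -v $cipher_string | awk '{print $1}' > "$s_ciph"

		c_ciph=$user1_dir/c_ciph_${sc}_${ver}
		cipher_string=$(sc_cipher_string "$c_id")
		"$c_bin" ciphers -v $cipher_string | awk '{print $1}' > "$c_ciph"

		grep -x -f "$s_ciph" "$c_ciph" | sort -R > "$ciphers"
	fi

	cnum=0
	while IFS= read -r c ; do
		[ -n "$c" ] || continue
		cnum=$((cnum + 1))
		cnstr=$(printf %03d "$cnum")
		s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_${cnstr}_${c}.out

		start_message "s_client ... connect to TLS/SSL test server with [ $cnstr ] $ver $c"
		sleep "$test_pause_sec"
		"$c_bin" s_client -connect "$host:$port" -CAfile "$ca_cert" \
			"-$ver" "-$copt" "$c" \
			-msg -tlsextdebug < /dev/null > "$s_client_out" 2>&1
		check_exit_status $?

		grep "Cipher is $c" "$s_client_out" > /dev/null
		check_exit_status $?

		grep 'Verify return code: 0 (ok)' "$s_client_out" > /dev/null
		check_exit_status $?
	done < "$ciphers"
}

# Two connections: the first saves its session (-sess_out), the second must
# resume it (-sess_in) and report "Reused"; finally the saved session is
# dumped with sess_id.
# Arguments: $1 - server/client build pair id (sc), $2 - version option
# Globals:   reads gost_tests, user1_dir, c_bin, host, port, ca_cert,
#            test_pause_sec; writes sc, ver, sess_dat, s_client_out
# Exits:     via check_exit_status on the first failing step
test_sc_session_reuse() {
	sc=$1
	ver=$2

	if sc_test_skipped "$sc" "$ver" ; then
		return
	fi

	sess_dat=$user1_dir/s_client_${sc}_${ver}_sess.dat

	# Get session ticket to reuse

	s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_reuse_1.out

	start_message "s_client ... connect to TLS/SSL test server to get session id $ver"
	sleep "$test_pause_sec"
	"$c_bin" s_client -connect "$host:$port" -CAfile "$ca_cert" \
		"-$ver" -alpn "spdy/3,http/1.1" -sess_out "$sess_dat" \
		-msg -tlsextdebug < /dev/null > "$s_client_out" 2>&1
	check_exit_status $?

	grep '^New, TLS.*$' "$s_client_out" > /dev/null
	check_exit_status $?

	grep 'Verify return code: 0 (ok)' "$s_client_out" > /dev/null
	check_exit_status $?

	# Reuse session ticket

	s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_reuse_2.out

	start_message "s_client ... connect to TLS/SSL test server reusing session id $ver"
	sleep "$test_pause_sec"
	"$c_bin" s_client -connect "$host:$port" -CAfile "$ca_cert" \
		"-$ver" -sess_in "$sess_dat" \
		-msg -tlsextdebug < /dev/null > "$s_client_out" 2>&1
	check_exit_status $?

	grep '^Reused, TLS.*$' "$s_client_out" > /dev/null
	check_exit_status $?

	grep 'Verify return code: 0 (ok)' "$s_client_out" > /dev/null
	check_exit_status $?

	# sess_id

	start_message "sess_id"
	"$c_bin" sess_id -in "$sess_dat" -text -out "$sess_dat.out"
	check_exit_status $?
}

# Two s_client runs against the test server: one that is expected to FAIL
# certificate verification and one that presents a client certificate.  The
# closing brace of this function lies beyond the end of this span.
# Arguments: $1 - server/client build pair id (sc), $2 - version option
# Globals:   reads gost_tests, ecdsa_tests, user1_dir, c_bin, host, port,
#            ca_cert, test_pause_sec and the cl_* client credentials;
#            writes sc, ver, s_client_out, crt, key, pwd
# Exits:     via check_exit_status on the first failing step
test_sc_verify() {
	sc=$1
	ver=$2

	if sc_test_skipped "$sc" "$ver" ; then
		return
	fi

	# invalid verification pattern: the extra checks (-crl_check with no CRL
	# handed to the client, -issuer_checks, -policy_check) are meant to make
	# verification fail, and the assertion below is that it did.

	s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_invalid.out

	start_message "s_client ... connect to tls/ssl test server but verify error $ver"
	sleep "$test_pause_sec"
	"$c_bin" s_client -connect "$host:$port" -CAfile "$ca_cert" \
		"-$ver" -showcerts -crl_check -issuer_checks -policy_check \
		-status -servername xyz \
		-msg -tlsextdebug < /dev/null > "$s_client_out" 2>&1
	check_exit_status $?

	# s_client prints "Verify return code: ..." with a capital V (every
	# other check in this file greps for exactly that).  The previous
	# pattern here was lower-case, so it could never match and the negative
	# check always passed; with the real line a clean verification now
	# fails the test as intended.
	if grep 'Verify return code: 0 (ok)' "$s_client_out" > /dev/null ; then
		check_exit_status 1
	else
		check_exit_status 0
	fi

	# client certificate pattern

	s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_client_cert.out

	start_message "s_client ... connect to tls/ssl test server with client certificate $ver"

	if [ "$ecdsa_tests" = 1 ] ; then
		echo "Using ECDSA client certificate"
		crt=$cl_ecdsa_cert
		key=$cl_ecdsa_key
		pwd=$cl_ecdsa_pass
	elif [ "$gost_tests" = 1 ] ; then
		echo "Using GOST client certificate"
		crt=$cl_gost_cert
		key=$cl_gost_key
		pwd=$cl_gost_pass
	else
		echo "Using RSA client certificate"
		crt=$cl_rsa_cert
		key=$cl_rsa_key
		pwd=$cl_rsa_pass
	fi

	sleep "$test_pause_sec"
	"$c_bin" s_client -connect "$host:$port" -CAfile "$ca_cert" \
		"-$ver" -cert "$crt" -key "$key" -pass "pass:$pwd" \
		-msg -tlsextdebug < /dev/null > "$s_client_out" 2>&1
	check_exit_status $?

	grep 'Verify return code: 0 (ok)' "$s_client_out" > /dev/null
	check_exit_status $?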
1676} 1677 1678function test_server_client { 1679 # --- client/server operations (TLS) --- 1680 section_message "client/server operations (TLS)" 1681 1682 s_id="$1" 1683 c_id="$2" 1684 sc="$1$2" 1685 1686 test_pause_sec=0.2 1687 1688 if [ $s_id = "0" ] ; then 1689 s_bin=$openssl_bin 1690 else 1691 s_bin=$other_openssl_bin 1692 fi 1693 1694 if [ $c_id = "0" ] ; then 1695 c_bin=$openssl_bin 1696 else 1697 c_bin=$other_openssl_bin 1698 fi 1699 1700 echo "s_server is [`$s_bin version`]" 1701 echo "s_client is [`$c_bin version`]" 1702 1703 host="localhost" 1704 port=4433 1705 s_server_out=$server_dir/s_server_${sc}_tls.out 1706 1707 if [ $ecdsa_tests = 1 ] ; then 1708 echo "Using ECDSA certificate" 1709 crt=$sv_ecdsa_cert 1710 key=$sv_ecdsa_key 1711 pwd=$sv_ecdsa_pass 1712 elif [ $gost_tests = 1 ] ; then 1713 echo "Using GOST certificate" 1714 crt=$sv_gost_cert 1715 key=$sv_gost_key 1716 pwd=$sv_gost_pass 1717 else 1718 echo "Using RSA certificate" 1719 crt=$sv_rsa_cert 1720 key=$sv_rsa_key 1721 pwd=$sv_rsa_pass 1722 fi 1723 1724 $s_bin version | grep 'OpenSSL 1.1.1' > /dev/null 1725 if [ $? -eq 0 ] ; then 1726 extra_opts="-4" 1727 else 1728 extra_opts="" 1729 fi 1730 1731 start_message "s_server ... start TLS/SSL test server" 1732 $s_bin s_server -accept $port -CAfile $ca_cert \ 1733 -cert $crt -key $key -pass pass:$pwd \ 1734 -context "appstest.sh" -id_prefix "APPSTEST.SH" -crl_check \ 1735 -alpn "http/1.1,spdy/3" -www -cipher ALL $extra_opts \ 1736 -msg -tlsextdebug -verify 3 -groups X25519:P-384:P-256 \ 1737 -status -servername xyz -cert2 $crt -key2 $key \ 1738 > $s_server_out 2>&1 & 1739 check_exit_status $? 1740 s_server_pid=$! 
1741 echo "s_server pid = [ $s_server_pid ]" 1742 sleep 1 1743 1744 # test by protocol version 1745 test_sc_by_protocol_version $sc tls1 'Protocol : TLSv1$' $c_id 1746 test_sc_by_protocol_version $sc tls1_1 'Protocol : TLSv1\.1$' $c_id 1747 test_sc_by_protocol_version $sc tls1_2 'Protocol : TLSv1\.2$' $c_id 1748 test_sc_by_protocol_version $sc tls1_3 'Protocol : TLSv1\.3$' $c_id 1749 1750 # all available ciphers with random order 1751 test_sc_all_cipher $sc tls1_2 1752 test_sc_all_cipher $sc tls1_3 1753 1754 # session resumption 1755 test_sc_session_reuse $sc tls1_2 1756 1757 # invalid verification pattern 1758 test_sc_verify $sc tls1_2 1759 test_sc_verify $sc tls1_3 1760 1761 # s_time 1762 if [ $gost_tests != 1 ] ; then 1763 start_message "s_time ... connect to TLS/SSL test server" 1764 $c_bin s_time -connect $host:$port -CApath $ca_dir -time 1 \ 1765 > $server_dir/s_time_${sc}.log 1766 check_exit_status $? 1767 fi 1768 1769 stop_s_server 1770} 1771 1772function test_speed { 1773 # === PERFORMANCE === 1774 section_message "PERFORMANCE" 1775 1776 if [ $no_long_tests = 0 ] ; then 1777 start_message "speed" 1778 $openssl_bin speed sha512 rsa2048 -multi 2 -elapsed 1779 check_exit_status $? 1780 else 1781 start_message "SKIPPING speed (quick mode)" 1782 fi 1783} 1784 1785function test_version { 1786 # --- VERSION INFORMATION --- 1787 section_message "VERSION INFORMATION" 1788 1789 start_message "version" 1790 $openssl_bin version -a 1791 check_exit_status $? 
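}

#---------#---------#---------#---------#---------#---------#---------#---------

#
# Binaries: OPENSSL is the build under test; OTHER_OPENSSL is only needed
# for -i/--interop and defaults to an OpenSSL 1.1 install.
#
openssl_bin=${OPENSSL:-/usr/bin/openssl}
other_openssl_bin=${OTHER_OPENSSL:-/usr/local/bin/eopenssl11}

# Test selection flags (0/1), read by the test_* functions above.
ecdsa_tests=0
gost_tests=0
interop_tests=0
no_long_tests=0

# Print a setup failure and abort.
# Arguments: $1 -message
fail_setup() {
	echo ":-< $1"
	exit 1
}

# -e and -g are mutually exclusive; the last one given wins.  Counting
# arguments (rather than stopping at the first empty one) makes an empty
# argument report usage instead of ending option parsing silently.
while [ $# -gt 0 ] ; do
	case "$1" in
	-e | --ecdsa)
		ecdsa_tests=1
		gost_tests=0
		;;
	-g | --gost)
		gost_tests=1
		ecdsa_tests=0
		;;
	-i | --interop)
		interop_tests=1
		;;
	-q | --quick)
		no_long_tests=1
		;;
	*)
		usage
		exit 1
		;;
	esac
	shift
done

if [ ! -x "$openssl_bin" ] ; then
	echo ":-< \$OPENSSL [$openssl_bin] is not executable."
	exit 1
fi

if [ "$interop_tests" = 1 ] && [ ! -x "$other_openssl_bin" ] ; then
	echo ":-< \$OTHER_OPENSSL [$other_openssl_bin] is not executable."
	exit 1
fi

#
# create ssldir, and all files generated by this script go under this dir.
# The name is fixed and relative to the current directory, and an existing
# tree of that name is removed without asking, so run the script from a
# scratch directory.
#
ssldir="appstest_dir"

if [ -d "$ssldir" ] ; then
	echo "directory [ $ssldir ] exists, this script deletes this directory ..."
	# ${ssldir:?} turns an unset or empty name into a hard error instead of
	# an rm -rf of the current directory.
	/bin/rm -rf -- "${ssldir:?}"
fi

# Directory creation used to go unchecked; a failure here (permissions,
# read-only cwd) would otherwise surface only as the first openssl error.
mkdir -p "$ssldir" || fail_setup "cannot create directory [ $ssldir ]"

ca_dir=$ssldir/testCA
tsa_dir=$ssldir/testTSA
ocsp_dir=$ssldir/testOCSP
server_dir=$ssldir/server
user1_dir=$ssldir/user1
mkdir -p "$user1_dir" || fail_setup "cannot create directory [ $user1_dir ]"
key_dir=$ssldir/key
mkdir -p "$key_dir" || fail_setup "cannot create directory [ $key_dir ]"

# Every openssl invocation below reads this config; it starts out empty and
# is filled in by the test functions.
export OPENSSL_CONF=$ssldir/openssl.cnf
touch "$OPENSSL_CONF" || fail_setup "cannot create [ $OPENSSL_CONF ]"

# MinGW needs the alternative -subj spelling used by the req steps.
case "$(uname -s)" in
*MINGW*)
	mingw=1
	;;
*)
	mingw=0
	;;
esac

#
# process tests
#
test_usage_lists_others
test_md
test_encoding_cipher
test_key
test_pki
test_tsa
test_cms
test_smime
test_ocsp
test_pkcs
test_server_client 0 0
if [ "$interop_tests" = 1 ] ; then
	test_server_client 0 1
	test_server_client 1 0
fi
test_speed
test_version

section_message "END"

exit 0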