xref: /openbsd/regress/usr.bin/openssl/appstest.sh (revision 5dea098c) 
1#!/bin/sh
2#
3# $OpenBSD: appstest.sh,v 1.63 2024/03/03 13:29:19 tb Exp $
4#
5# Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org>
6#
7# Permission to use, copy, modify, and distribute this software for any
8# purpose with or without fee is hereby granted, provided that the above
9# copyright notice and this permission notice appear in all copies.
10#
11# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19#
20# appstest.sh - test script for openssl command according to man OPENSSL(1)
21#
22# input  : none
23# output : all files generated by this script go under $ssldir
24#
25
26function section_message {
27	echo ""
28	echo "#---------#---------#---------#---------#---------#---------#---------#--------"
29	echo "==="
30	echo "=== (Section) $1 `date +'%Y/%m/%d %H:%M:%S'`"
31	echo "==="
32}
33
34function start_message {
35	echo ""
36	echo "[TEST] $1"
37}
38
39function stop_s_server {
40	if [ ! -z "$s_server_pid" ] ; then
41		echo ":-| stop s_server [ $s_server_pid ]"
42		sleep 1
43		kill -TERM $s_server_pid
44		wait $s_server_pid
45		s_server_pid=
46	fi
47}
48
49function stop_gnutls_serv {
50	if [ ! -z "$gnutls_serv_pid" ] ; then
51		echo ":-| stop gnutls-serv [ $gnutls_serv_pid ]"
52		sleep 1
53		kill -TERM $gnutls_serv_pid
54		wait $gnutls_serv_pid
55		gnutls_serv_pid=
56	fi
57}
58
59function check_exit_status {
60	status=$1
61	if [ $status -ne 0 ] ; then
62		stop_s_server
63		echo ":-< error occurs, exit status = [ $status ]"
64		exit $status
65	else
66		echo ":-) success. "
67	fi
68}
69
70function usage {
71	echo "usage: appstest.sh [-egiq]"
72}
73
74function test_usage_lists_others {
75	# === COMMAND USAGE ===
76	section_message "COMMAND USAGE"
77
78	start_message "output usages of all commands."
79
80	cmds=`$openssl_bin list-standard-commands`
81	$openssl_bin -help 2>> $user1_dir/usages.out
82	for c in $cmds ; do
83		$openssl_bin $c -help 2>> $user1_dir/usages.out
84	done
85
86	start_message "check all list-* commands."
87
88	lists=""
89	lists="$lists list-standard-commands"
90	lists="$lists list-message-digest-commands list-message-digest-algorithms"
91	lists="$lists list-cipher-commands list-cipher-algorithms"
92	lists="$lists list-public-key-algorithms"
93
94	listsfile=$user1_dir/lists.out
95
96	for l in $lists ; do
97		echo "" >> $listsfile
98		echo "$l" >> $listsfile
99		$openssl_bin $l >> $listsfile
100	done
101
102	start_message "check interactive mode"
103	$openssl_bin <<__EOF__
104help
105quit
106__EOF__
107	check_exit_status $?
108
109	#---------#---------#---------#---------#---------#---------#---------
110
111	# --- listing operations ---
112	section_message "listing operations"
113
114	start_message "ciphers"
115	$openssl_bin ciphers -V > $user1_dir/ciphers-V.out
116	check_exit_status $?
117
118	start_message "errstr"
119	$openssl_bin errstr 2606A074
120	check_exit_status $?
121
122	#---------#---------#---------#---------#---------#---------#---------
123
124	# --- random number etc. operations ---
125	section_message "random number etc. operations"
126
127	start_message "passwd"
128
129	pass="test-pass-1234"
130
131	echo $pass | $openssl_bin passwd -stdin -1
132	check_exit_status $?
133
134	echo $pass | $openssl_bin passwd -stdin -apr1
135	check_exit_status $?
136
137	echo $pass | $openssl_bin passwd -stdin -crypt
138	check_exit_status $?
139
140	start_message "prime"
141
142	$openssl_bin prime 1
143	check_exit_status $?
144
145	$openssl_bin prime 2
146	check_exit_status $?
147
148	$openssl_bin prime -bits 64 -checks 3 -generate -hex -safe 5
149	check_exit_status $?
150
151	start_message "rand"
152
153	$openssl_bin rand -base64 100
154	check_exit_status $?
155
156	$openssl_bin rand -hex 100
157	check_exit_status $?
158}
159
160function test_md {
161	# === MESSAGE DIGEST COMMANDS ===
162	section_message "MESSAGE DIGEST COMMANDS"
163
164	start_message "dgst - See [MESSAGE DIGEST COMMANDS] section."
165
166	text="1234567890abcdefghijklmnopqrstuvwxyz"
167	dgstdat=$user1_dir/dgst.dat
168	echo $text > $dgstdat
169	hmac_key="test-hmac-key"
170	cmac_key="1234567890abcde1234567890abcde12"
171	dgstkey=$user1_dir/dgstkey.pem
172	dgstpass=test-dgst-pass
173	dgstpub=$user1_dir/dgstpub.pem
174	dgstsig=$user1_dir/dgst.sig
175
176	$openssl_bin genrsa -aes256 -passout pass:$dgstpass -out $dgstkey
177	check_exit_status $?
178
179	$openssl_bin pkey -in $dgstkey -passin pass:$dgstpass -pubout \
180		-out $dgstpub
181	check_exit_status $?
182
183	digests=`$openssl_bin list-message-digest-commands`
184
185	for d in $digests ; do
186
187		echo -n "$d ... "
188		$openssl_bin dgst -$d -hex -out $dgstdat.$d $dgstdat
189		check_exit_status $?
190
191		echo -n "$d HMAC ... "
192		$openssl_bin dgst -$d -c -hmac $hmac_key -out $dgstdat.$d.hmac \
193			$dgstdat
194		check_exit_status $?
195
196		echo -n "$d CMAC ... "
197		$openssl_bin dgst -$d -r -mac cmac -macopt cipher:aes-128-cbc \
198			-macopt hexkey:$cmac_key -out $dgstdat.$d.cmac $dgstdat
199		check_exit_status $?
200
201		echo -n "$d sign ... "
202		$openssl_bin dgst -sign $dgstkey -keyform pem \
203			-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \
204			-passin pass:$dgstpass -binary -out $dgstsig.$d $dgstdat
205		check_exit_status $?
206
207		echo -n "$d verify ... "
208		$openssl_bin dgst -verify $dgstpub \
209			-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \
210			-signature $dgstsig.$d $dgstdat
211		check_exit_status $?
212
213		echo -n "$d prverify ... "
214		$openssl_bin dgst -prverify $dgstkey -passin pass:$dgstpass \
215			-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \
216			-signature $dgstsig.$d $dgstdat
217		check_exit_status $?
218	done
219}
220
221function test_encoding_cipher {
222	# === ENCODING AND CIPHER COMMANDS ===
223	section_message "ENCODING AND CIPHER COMMANDS"
224
225	start_message "enc - See [ENCODING AND CIPHER COMMANDS] section."
226
227	text="1234567890abcdefghijklmnopqrstuvwxyz"
228	encfile=$user1_dir/encfile.dat
229	echo $text > $encfile
230	pass="test-pass-1234"
231
232	ciphers=`$openssl_bin list-cipher-commands`
233
234	for c in $ciphers ; do
235		echo -n "$c ... encoding ... "
236		$openssl_bin enc -$c -e -base64 -pass pass:$pass \
237			-in $encfile -out $encfile-$c.enc
238		check_exit_status $?
239
240		echo -n "decoding ... "
241		$openssl_bin enc -$c -d -base64 -pass pass:$pass \
242			-in $encfile-$c.enc -out $encfile-$c.dec
243		check_exit_status $?
244
245		echo -n "cmp ... "
246		cmp $encfile $encfile-$c.dec
247		check_exit_status $?
248	done
249}
250
251function test_key {
252	# === various KEY operations ===
253	section_message "various KEY operations"
254
255	key_pass=test-key-pass
256
257	# DH
258
259	start_message "gendh - Obsoleted by dhparam."
260	gendh2=$key_dir/gendh2.pem
261	$openssl_bin gendh -2 -out $gendh2 > $gendh2.log 2>&1
262	check_exit_status $?
263
264	start_message "dh - Obsoleted by dhparam."
265	$openssl_bin dh -in $gendh2 -check -text -out $gendh2.out
266	check_exit_status $?
267
268	if [ $no_long_tests = 0 ] ; then
269		start_message "dhparam - Superseded by genpkey and pkeyparam."
270		dhparam2=$key_dir/dhparam2.pem
271		$openssl_bin dhparam -2 -out $dhparam2 > $dhparam2.log 2>&1
272		check_exit_status $?
273		$openssl_bin dhparam -in $dhparam2 -check -text \
274			-out $dhparam2.out
275		check_exit_status $?
276	else
277		start_message "SKIPPING dhparam - Superseded by genpkey and pkeyparam. (quick mode)"
278	fi
279
280	# DSA
281
282	start_message "dsaparam - Superseded by genpkey and pkeyparam."
283	dsaparam512=$key_dir/dsaparam512.pem
284	$openssl_bin dsaparam -genkey -out $dsaparam512 512 \
285		> $dsaparam512.log 2>&1
286	check_exit_status $?
287
288	start_message "dsa"
289	$openssl_bin dsa -in $dsaparam512 -text -modulus -out $dsaparam512.out
290	check_exit_status $?
291
292	start_message "gendsa - Superseded by genpkey and pkey."
293	gendsa_des3=$key_dir/gendsa_des3.pem
294	$openssl_bin gendsa -des3 -out $gendsa_des3 \
295		-passout pass:$key_pass $dsaparam512
296	check_exit_status $?
297
298	# RSA
299
300	start_message "genrsa - Superseded by genpkey."
301	genrsa_aes256=$key_dir/genrsa_aes256.pem
302	$openssl_bin genrsa -f4 -aes256 -out $genrsa_aes256 \
303		-passout pass:$key_pass 2048 > $genrsa_aes256.log 2>&1
304	check_exit_status $?
305
306	start_message "rsa"
307	$openssl_bin rsa -in $genrsa_aes256 -passin pass:$key_pass \
308		-check -text -out $genrsa_aes256.out
309	check_exit_status $?
310
311	start_message "rsautl - Superseded by pkeyutl."
312	rsautldat=$key_dir/rsautl.dat
313	rsautlsig=$key_dir/rsautl.sig
314	echo "abcdefghijklmnopqrstuvwxyz1234567890" > $rsautldat
315
316	$openssl_bin rsautl -sign -in $rsautldat -inkey $genrsa_aes256 \
317		-passin pass:$key_pass -out $rsautlsig
318	check_exit_status $?
319
320	$openssl_bin rsautl -verify -in $rsautlsig -inkey $genrsa_aes256 \
321		-passin pass:$key_pass
322	check_exit_status $?
323
324	# EC
325
326	start_message "ecparam -list-curves"
327	$openssl_bin ecparam -list_curves -out $key_dir/ecparam-list_curves.out
328	check_exit_status $?
329
330	# get all EC curves
331	ec_curves=`$openssl_bin ecparam -list_curves | grep ':' | cut -d ':' -f 1`
332
333	start_message "ecparam and ec"
334
335	for curve in $ec_curves ;
336	do
337		ecparam=$key_dir/ecparam_$curve.pem
338
339		echo -n "ec - $curve ... ecparam ... "
340		$openssl_bin ecparam -out $ecparam -name $curve -genkey \
341			-param_enc explicit -conv_form compressed -C
342		check_exit_status $?
343
344		echo -n "ec ... "
345		$openssl_bin ec -in $ecparam -text \
346			-out $ecparam.out 2> /dev/null
347		check_exit_status $?
348	done
349
350	# PKEY
351
352	start_message "genpkey"
353
354	# DH by GENPKEY
355
356	genpkey_dh_param=$key_dir/genpkey_dh_param.pem
357	$openssl_bin genpkey -genparam -algorithm DH -out $genpkey_dh_param \
358		-pkeyopt dh_paramgen_prime_len:1024 > $genpkey_dh_param.log 2>&1
359	check_exit_status $?
360
361	genpkey_dh=$key_dir/genpkey_dh.pem
362	$openssl_bin genpkey -paramfile $genpkey_dh_param -out $genpkey_dh
363	check_exit_status $?
364
365	# DSA by GENPKEY
366
367	genpkey_dsa_param=$key_dir/genpkey_dsa_param.pem
368	$openssl_bin genpkey -genparam -algorithm DSA -out $genpkey_dsa_param \
369		-pkeyopt dsa_paramgen_bits:1024 > $genpkey_dsa_param.log 2>&1
370	check_exit_status $?
371
372	genpkey_dsa=$key_dir/genpkey_dsa.pem
373	$openssl_bin genpkey -paramfile $genpkey_dsa_param -out $genpkey_dsa
374	check_exit_status $?
375
376	# RSA by GENPKEY
377
378	genpkey_rsa=$key_dir/genpkey_rsa.pem
379	$openssl_bin genpkey -algorithm RSA -out $genpkey_rsa \
380		-pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 \
381		> $genpkey_rsa.log 2>&1
382	check_exit_status $?
383
384	genpkey_rsa_pss=$key_dir/genpkey_rsa_pss.pem
385	$openssl_bin genpkey -algorithm RSA-PSS -out $genpkey_rsa_pss \
386		-pkeyopt rsa_keygen_bits:2048 \
387		-pkeyopt rsa_pss_keygen_mgf1_md:sha256 \
388		-pkeyopt rsa_pss_keygen_md:sha256 \
389		-pkeyopt rsa_pss_keygen_saltlen:32 \
390		> $genpkey_rsa_pss.log 2>&1
391	check_exit_status $?
392
393	# EC by GENPKEY
394
395	genpkey_ec_param=$key_dir/genpkey_ec_param.pem
396	$openssl_bin genpkey -genparam -algorithm EC -out $genpkey_ec_param \
397		-pkeyopt ec_paramgen_curve:secp384r1
398	check_exit_status $?
399
400	genpkey_ec=$key_dir/genpkey_ec.pem
401	$openssl_bin genpkey -paramfile $genpkey_ec_param -out $genpkey_ec
402	check_exit_status $?
403
404	genpkey_ec_2=$key_dir/genpkey_ec_2.pem
405	$openssl_bin genpkey -paramfile $genpkey_ec_param -out $genpkey_ec_2
406	check_exit_status $?
407
408	start_message "pkeyparam"
409
410	$openssl_bin pkeyparam -in $genpkey_dh_param -text \
411		-out $genpkey_dh_param.out
412	check_exit_status $?
413
414	$openssl_bin pkeyparam -in $genpkey_dsa_param -text \
415		-out $genpkey_dsa_param.out
416	check_exit_status $?
417
418	$openssl_bin pkeyparam -in $genpkey_ec_param -text \
419		-out $genpkey_ec_param.out
420	check_exit_status $?
421
422	start_message "pkey"
423
424	$openssl_bin pkey -in $genpkey_dh -pubout -out $genpkey_dh.pub \
425		-text_pub
426	check_exit_status $?
427
428	$openssl_bin pkey -in $genpkey_dsa -pubout -out $genpkey_dsa.pub \
429		-text_pub
430	check_exit_status $?
431
432	$openssl_bin pkey -in $genpkey_rsa -pubout -out $genpkey_rsa.pub \
433		-text_pub
434	check_exit_status $?
435
436	$openssl_bin pkey -in $genpkey_ec -pubout -out $genpkey_ec.pub \
437		-text_pub
438	check_exit_status $?
439
440	$openssl_bin pkey -in $genpkey_ec_2 -pubout -out $genpkey_ec_2.pub \
441		-text_pub
442	check_exit_status $?
443
444	start_message "pkeyutl"
445
446	pkeyutldat=$key_dir/pkeyutl.dat
447	pkeyutlsig=$key_dir/pkeyutl.sig
448	echo "abcdefghijklmnopqrstuvwxyz1234567890" > $pkeyutldat
449
450	$openssl_bin pkeyutl -sign -in $pkeyutldat -inkey $genpkey_rsa \
451		-out $pkeyutlsig
452	check_exit_status $?
453
454	$openssl_bin pkeyutl -verify -in $pkeyutldat -sigfile $pkeyutlsig \
455		-inkey $genpkey_rsa
456	check_exit_status $?
457
458	$openssl_bin pkeyutl -verifyrecover -in $pkeyutlsig -inkey $genpkey_rsa
459	check_exit_status $?
460
461	pkeyutlenc=$key_dir/pkeyutl.enc
462	pkeyutldec=$key_dir/pkeyutl.dec
463
464	$openssl_bin pkeyutl -encrypt -in $pkeyutldat \
465		-pubin -inkey $genpkey_rsa.pub -out $pkeyutlenc
466	check_exit_status $?
467
468	$openssl_bin pkeyutl -decrypt -in $pkeyutlenc \
469		-inkey $genpkey_rsa -out $pkeyutldec
470	check_exit_status $?
471
472	diff $pkeyutldat $pkeyutldec
473	check_exit_status $?
474
475	pkeyutl_rsa_oaep_enc=$key_dir/pkeyutl_rsa_oaep.enc
476	pkeyutl_rsa_oaep_dec=$key_dir/pkeyutl_rsa_oaep.dec
477
478	$openssl_bin pkeyutl -encrypt -in $pkeyutldat \
479		-inkey $genpkey_rsa \
480		-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
481		-pkeyopt rsa_oaep_label:0011223344556677 \
482		-out $pkeyutl_rsa_oaep_enc
483	check_exit_status $?
484
485	$openssl_bin pkeyutl -decrypt -in $pkeyutl_rsa_oaep_enc \
486		-inkey $genpkey_rsa \
487		-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
488		-pkeyopt rsa_oaep_label:0011223344556677 \
489		-out $pkeyutl_rsa_oaep_dec
490	check_exit_status $?
491
492	diff $pkeyutldat $pkeyutl_rsa_oaep_dec
493	check_exit_status $?
494
495	pkeyutlsc1=$key_dir/pkeyutl.sc1
496	pkeyutlsc2=$key_dir/pkeyutl.sc2
497
498	$openssl_bin pkeyutl -derive -inkey $genpkey_ec \
499		-peerkey $genpkey_ec_2.pub -out $pkeyutlsc1 -hexdump
500	check_exit_status $?
501
502	$openssl_bin pkeyutl -derive -inkey $genpkey_ec_2 \
503		-peerkey $genpkey_ec.pub -out $pkeyutlsc2 -hexdump
504	check_exit_status $?
505
506	diff $pkeyutlsc1 $pkeyutlsc2
507	check_exit_status $?
508}
509
510function test_pki {
511	section_message "setup local CA"
512
513	#
514	# prepare test openssl.cnf
515	#
516
517	cat << __EOF__ > $ssldir/openssl.cnf
518oid_section = new_oids
519[ new_oids ]
520tsa_policy1 = 1.2.3.4.1
521tsa_policy2 = 1.2.3.4.5.6
522tsa_policy3 = 1.2.3.4.5.7
523[ ca ]
524default_ca    = CA_default
525[ CA_default ]
526dir           = ./$ca_dir
527crl_dir       = \$dir/crl
528database      = \$dir/index.txt
529new_certs_dir = \$dir/newcerts
530serial        = \$dir/serial
531crlnumber     = \$dir/crlnumber
532default_days  = 1
533default_md    = default
534policy        = policy_match
535[ policy_match ]
536countryName             = match
537stateOrProvinceName     = match
538organizationName        = match
539organizationalUnitName  = optional
540commonName              = supplied
541emailAddress            = optional
542[ req ]
543distinguished_name      = req_distinguished_name
544[ req_distinguished_name ]
545countryName                     = Country Name
546countryName_default             = JP
547countryName_min                 = 2
548countryName_max                 = 2
549stateOrProvinceName             = State or Province Name
550stateOrProvinceName_default     = Tokyo
551organizationName                = Organization Name
552organizationName_default        = TEST_DUMMY_COMPANY
553commonName                      = Common Name
554[ tsa ]
555default_tsa   = tsa_config1
556[ tsa_config1 ]
557dir           = ./$tsa_dir
558serial        = \$dir/serial
559crypto_device = builtin
560digests       = sha1, sha256, sha384, sha512
561default_policy = tsa_policy1
562other_policies = tsa_policy2, tsa_policy3
563[ tsa_ext ]
564keyUsage = critical,nonRepudiation
565extendedKeyUsage = critical,timeStamping
566[ ocsp_ext ]
567basicConstraints = CA:FALSE
568keyUsage = nonRepudiation,digitalSignature,keyEncipherment
569extendedKeyUsage = OCSPSigning
570__EOF__
571
572	#---------#---------#---------#---------#---------#---------#---------
573
574	#
575	# setup test CA
576	#
577
578	mkdir -p $ca_dir
579	mkdir -p $tsa_dir
580	mkdir -p $ocsp_dir
581	mkdir -p $server_dir
582
583	mkdir -p $ca_dir/certs
584	mkdir -p $ca_dir/private
585	mkdir -p $ca_dir/crl
586	mkdir -p $ca_dir/newcerts
587	chmod 700 $ca_dir/private
588	echo "01" > $ca_dir/serial
589	touch $ca_dir/index.txt
590	touch $ca_dir/crlnumber
591	echo "01" > $ca_dir/crlnumber
592
593	#
594	# setup test TSA
595	#
596	mkdir -p $tsa_dir/private
597	chmod 700 $tsa_dir/private
598	echo "01" > $tsa_dir/serial
599	touch $tsa_dir/index.txt
600
601	#
602	# setup test OCSP
603	#
604	mkdir -p $ocsp_dir/private
605	chmod 700 $ocsp_dir/private
606
607	#---------#---------#---------#---------#---------#---------#---------
608
609	# --- CA initiate (generate CA key and cert) ---
610
611	start_message "req ... generate CA key and self signed cert"
612
613	ca_cert=$ca_dir/ca_cert.pem
614	ca_key=$ca_dir/private/ca_key.pem ca_pass=test-ca-pass
615
616	if [ $mingw = 0 ] ; then
617		subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testCA.test-dummy.com/'
618	else
619		subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testCA.test-dummy.com\'
620	fi
621
622	$openssl_bin req -new -x509 -batch -newkey rsa:2048 \
623		-pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 \
624		-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \
625		-config $ssldir/openssl.cnf -verbose \
626		-subj $subj -days 1 -set_serial 1 -multivalue-rdn \
627		-keyout $ca_key -passout pass:$ca_pass \
628		-out $ca_cert -outform pem
629	check_exit_status $?
630
631	#---------#---------#---------#---------#---------#---------#---------
632
633	# --- TSA initiate (generate TSA key and cert) ---
634
635	start_message "req ... generate TSA key and cert"
636
637	# generate CSR for TSA
638
639	tsa_csr=$tsa_dir/tsa_csr.pem
640	tsa_key=$tsa_dir/private/tsa_key.pem
641	tsa_pass=test-tsa-pass
642
643	if [ $mingw = 0 ] ; then
644		subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testTSA.test-dummy.com/'
645	else
646		subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testTSA.test-dummy.com\'
647	fi
648
649	$openssl_bin req -new -keyout $tsa_key -out $tsa_csr \
650		-passout pass:$tsa_pass -subj $subj
651	check_exit_status $?
652
653	start_message "ca ... sign by CA with TSA extensions"
654
655	tsa_cert=$tsa_dir/tsa_cert.pem
656
657	$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -keyform pem \
658		-key $ca_pass -config $ssldir/openssl.cnf -create_serial \
659		-policy policy_match -days 1 -md sha256 -extensions tsa_ext \
660		-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 \
661		-multivalue-rdn -preserveDN -noemailDN \
662		-in $tsa_csr -outdir $tsa_dir -out $tsa_cert -verbose -notext \
663		> $tsa_cert.log 2>&1
664	check_exit_status $?
665
666	#---------#---------#---------#---------#---------#---------#---------
667
668	# --- OCSP initiate (generate OCSP key and cert) ---
669
670	start_message "req ... generate OCSP key and cert"
671
672	# generate CSR for OCSP
673
674	ocsp_csr=$ocsp_dir/ocsp_csr.pem
675	ocsp_key=$ocsp_dir/private/ocsp_key.pem
676
677	if [ $mingw = 0 ] ; then
678		subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testOCSP.test-dummy.com/'
679	else
680		subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testOCSP.test-dummy.com\'
681	fi
682
683	$openssl_bin req -new -keyout $ocsp_key -nodes -out $ocsp_csr \
684		-subj $subj
685	check_exit_status $?
686
687	start_message "ca ... sign by CA with OCSP extensions"
688
689	ocsp_cert=$ocsp_dir/ocsp_cert.pem
690
691	$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -keyform pem \
692		-key $ca_pass -out $ocsp_cert -extensions ocsp_ext \
693		-startdate `date -u '+%y%m%d%H%M%SZ'` -enddate 491223235959Z \
694		-subj $subj -infiles $ocsp_csr > $ocsp_cert.log 2>&1
695	check_exit_status $?
696
697	#---------#---------#---------#---------#---------#---------#---------
698
699	# --- server-admin operations (generate server key and csr) ---
700	section_message "server-admin operations (generate server key and csr)"
701
702	# RSA certificate
703
704	sv_rsa_key=$server_dir/sv_rsa_key.pem
705	sv_rsa_csr=$server_dir/sv_rsa_csr.pem
706	sv_rsa_pass=test-server-pass
707
708	if [ $mingw = 0 ] ; then
709		subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=localhost.test-dummy.com/'
710	else
711		subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=localhost.test-dummy.com\'
712	fi
713
714	start_message "genrsa ... generate server key#1"
715
716	$openssl_bin genrsa -aes256 -passout pass:$sv_rsa_pass -out $sv_rsa_key
717	check_exit_status $?
718
719	$openssl_bin rsa -in $sv_rsa_key -passin pass:$sv_rsa_pass \
720		-out $sv_rsa_key.nopass
721	check_exit_status $?
722
723	start_message "req ... generate server csr#1"
724
725	$openssl_bin req -new -subj $subj -sha256 \
726		-key $sv_rsa_key -keyform pem -passin pass:$sv_rsa_pass \
727		-addext 'subjectAltName = DNS:localhost.test-dummy.com' \
728		-out $sv_rsa_csr -outform pem
729	check_exit_status $?
730
731	start_message "req ... verify server csr#1"
732
733	$openssl_bin req -verify -in $sv_rsa_csr -inform pem \
734		-newhdr -noout -pubkey -subject -modulus -text \
735		-nameopt multiline -reqopt compatible \
736		-out $sv_rsa_csr.verify.out
737	check_exit_status $?
738
739	start_message "req ... generate server csr#2 (interactive mode)"
740
741	# RSA certificate (for revoke test)
742
743	revoke_key=$server_dir/revoke_key.pem
744	revoke_csr=$server_dir/revoke_csr.pem
745	revoke_pass=test-revoke-pass
746
747	$openssl_bin req -new -keyout $revoke_key -out $revoke_csr \
748		-passout pass:$revoke_pass <<__EOF__
749JP
750Tokyo
751TEST_DUMMY_COMPANY
752revoke.test-dummy.com
753__EOF__
754	check_exit_status $?
755
756	# ECDSA certificate
757
758	sv_ecdsa_key=$server_dir/sv_ecdsa_key.pem
759	sv_ecdsa_csr=$server_dir/sv_ecdsa_csr.pem
760	sv_ecdsa_pass=test-ecdsa-pass
761
762	if [ $mingw = 0 ] ; then
763		subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=ecdsa.test-dummy.com/'
764	else
765		subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=ecdsa.test-dummy.com\'
766	fi
767
768	start_message "ecparam ... generate server key#3"
769
770	$openssl_bin ecparam -name prime256v1 -genkey -out $sv_ecdsa_key
771	check_exit_status $?
772
773	start_message "req ... generate server csr#3"
774
775	$openssl_bin req -new -subj $subj -sha256 \
776		-key $sv_ecdsa_key -keyform pem -passin pass:$sv_ecdsa_pass \
777		-addext 'subjectAltName = DNS:ecdsa.test-dummy.com' \
778		-out $sv_ecdsa_csr -outform pem
779	check_exit_status $?
780
781	start_message "req ... verify server csr#3"
782
783	$openssl_bin req -verify -in $sv_ecdsa_csr -inform pem \
784		-newhdr -noout -pubkey -subject -modulus -text \
785		-nameopt multiline -reqopt compatible \
786		-out $sv_ecdsa_csr.verify.out
787	check_exit_status $?
788
789	#---------#---------#---------#---------#---------#---------#---------
790
791	# --- CA operations (issue cert for server) ---
792	section_message "CA operations (issue cert for server)"
793
794	start_message "ca ... issue cert for server csr#1"
795
796	sv_rsa_cert=$server_dir/sv_rsa_cert.pem
797	$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
798		-in $sv_rsa_csr -out $sv_rsa_cert > $sv_rsa_cert.log 2>&1
799	check_exit_status $?
800
801	start_message "x509 ... issue cert for server csr#2"
802
803	$openssl_bin genrsa -out $server_dir/testkey.pem 2>&1
804	check_exit_status $?
805	$openssl_bin rsa -in $server_dir/testkey.pem -pubout \
806		-out $server_dir/testpubkey.pem 2>&1
807	check_exit_status $?
808
809	revoke_cert=$server_dir/revoke_cert.pem
810	$openssl_bin x509 -req -in $revoke_csr -CA $ca_cert -CAform pem \
811		-CAkey $ca_key -CAkeyform pem \
812		-CAserial $ca_dir/serial -set_serial 10 \
813		-passin pass:$ca_pass -CAcreateserial -out $revoke_cert \
814		-set_issuer /CN=issuer -set_subject /CN=subject \
815		-force_pubkey $server_dir/testpubkey.pem
816		> $revoke_cert.log 2>&1
817	check_exit_status $?
818
819	start_message "x509 ... check if csr#2 cert has proper issuer & subject"
820	if [ "$($openssl_bin x509 -in $revoke_cert -issuer -noout)" != \
821		"issuer= /CN=issuer" ]; then
822		exit 1
823	fi
824	if [ "$($openssl_bin x509 -in $revoke_cert -subject -noout)" != \
825		"subject= /CN=subject" ]; then
826		exit 1
827	fi
828	check_exit_status 0
829
830	start_message "x509 ... check if csr#2 cert pubkey was forced"
831	$openssl_bin x509 -in $revoke_cert -pubkey -noout > $revoke_cert.pub
832	check_exit_status $?
833	diff $server_dir/testpubkey.pem $revoke_cert.pub
834	check_exit_status $?
835
836	start_message "x509 ... test -new"
837	$openssl_bin genrsa -out $server_dir/ca-new.key 2048
838	check_exit_status $?
839	$openssl_bin x509 -new -set_issuer '/CN=test-issuer' \
840		-set_subject '/CN=test-subject' \
841		-out $server_dir/new.pem -days 1 -key $server_dir/ca-new.key \
842		-force_pubkey $revoke_cert.pub
843	check_exit_status $?
844	$openssl_bin x509 -in $server_dir/new.pem -pubkey -noout \
845		> $server_dir/new.pem.pub
846	check_exit_status $?
847
848	start_message "x509 ... check if -new cert has proper pubkey"
849	diff $server_dir/testpubkey.pem $server_dir/new.pem.pub
850	check_exit_status $?
851
852	start_message "x509 ... check if -new cert has proper issuer & subject"
853	if [ "$($openssl_bin x509 -in $server_dir/new.pem -issuer -noout)" != \
854		"issuer= /CN=test-issuer" ]; then
855		exit 1
856	fi
857	if [ "$($openssl_bin x509 -in $server_dir/new.pem -subject -noout)" != \
858		"subject= /CN=test-subject" ]; then
859		exit 1
860	fi
861	check_exit_status 0
862
863	start_message "x509 ... test -new without -force_pubkey"
864	$openssl_bin x509 -new -set_subject '/CN=test-subject2' \
865		-out $server_dir/new2.pem -days 1 -key $server_dir/ca-new.key
866	check_exit_status $?
867	$openssl_bin x509 -in $server_dir/new2.pem -pubkey -noout \
868		> $server_dir/new2.pem.pub
869	check_exit_status $?
870	$openssl_bin rsa -in $server_dir/ca-new.key -pubout \
871		-out $server_dir/ca-new.pubkey
872	check_exit_status $?
873	diff $server_dir/new2.pem.pub $server_dir/ca-new.pubkey
874	check_exit_status $?
875	if [ "$($openssl_bin x509 -in $server_dir/new2.pem -issuer -noout)" \
876		!= "issuer= /CN=test-subject2" ]; then
877		exit 1
878	fi
879	if [ "$($openssl_bin x509 -in $server_dir/new2.pem -subject -noout)" \
880		!= "subject= /CN=test-subject2" ]; then
881		exit 1
882	fi
883	check_exit_status 0
884
885	start_message "ca ... issue cert for server csr#3"
886
887	sv_ecdsa_cert=$server_dir/sv_ecdsa_cert.pem
888	$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
889		-in $sv_ecdsa_csr -out $sv_ecdsa_cert > $sv_ecdsa_cert.log 2>&1
890	check_exit_status $?
891
892	#---------#---------#---------#---------#---------#---------#---------
893
894	# --- CA operations (revoke cert and generate crl) ---
895	section_message "CA operations (revoke cert and generate crl)"
896
897	start_message "ca ... revoke server cert#2"
898	crl_file=$ca_dir/crl.pem
899	$openssl_bin ca -gencrl -out $crl_file -revoke $revoke_cert \
900		-config $ssldir/openssl.cnf -name CA_default \
901		-crldays 30 -crlhours 12 -crlsec 30 -updatedb \
902		-crl_reason unspecified -crl_hold 1.2.840.10040.2.2 \
903		-crl_compromise `date -u '+%Y%m%d%H%M%SZ'` \
904		-crl_CA_compromise `date -u '+%Y%m%d%H%M%SZ'` \
905		-keyfile $ca_key -passin pass:$ca_pass -cert $ca_cert \
906		> $crl_file.log 2>&1
907	check_exit_status $?
908
909	start_message "ca ... show certificate status by serial number"
910	$openssl_bin ca -config $ssldir/openssl.cnf -status 1
911
912	start_message "crl ... CA generates CRL"
913	$openssl_bin crl -in $crl_file -fingerprint >> $crl_file.log 2>&1
914	check_exit_status $?
915
916	crl_p7=$ca_dir/crl.p7
917	start_message "crl2pkcs7 ... convert CRL to pkcs7"
918	$openssl_bin crl2pkcs7 -in $crl_file -certfile $ca_cert -out $crl_p7
919	check_exit_status $?
920
921	#---------#---------#---------#---------#---------#---------#---------
922
923	# --- server-admin operations (check csr, verify cert, certhash) ---
924	section_message "server-admin operations (check csr, verify cert, certhash)"
925
926	start_message "asn1parse ... parse server csr#1"
927	$openssl_bin asn1parse -in $sv_rsa_csr -i -dlimit 100 -length 1000 \
928		-strparse 01 > $sv_rsa_csr.asn1parse.out
929	check_exit_status $?
930
931	start_message "verify ... server cert#1"
932	$openssl_bin verify -verbose -CAfile $ca_cert -CRLfile $crl_file \
933	       	-crl_check -issuer_checks -purpose sslserver $sv_rsa_cert
934	check_exit_status $?
935
936	start_message "x509 ... get detail info about server cert#1"
937	$openssl_bin x509 -in $sv_rsa_cert -text -C -dates -startdate -enddate \
938		-fingerprint -issuer -issuer_hash -issuer_hash_old \
939		-subject -hash -subject_hash -subject_hash_old -ocsp_uri \
940		-ocspid -modulus -pubkey -serial -email -noout -trustout \
941		-alias -clrtrust -clrreject -next_serial -checkend 3600 \
942		-nameopt multiline -certopt compatible > $sv_rsa_cert.x509.out
943	check_exit_status $?
944
945	if [ $mingw = 0 ] ; then
946		start_message "certhash"
947		$openssl_bin certhash -v $server_dir \
948			> $server_dir/certhash.log 2>&1
949		check_exit_status $?
950	fi
951
952	# self signed
953	start_message "x509 ... generate self signed server cert"
954	server_self_cert=$server_dir/server_self_cert.pem
955	$openssl_bin x509 -in $sv_rsa_cert -signkey $sv_rsa_key -keyform pem \
956		-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \
957		-passin pass:$sv_rsa_pass -out $server_self_cert -days 1
958	check_exit_status $?
959
960	#---------#---------#---------#---------#---------#---------#---------
961
962	# --- Netscape SPKAC operations ---
963	section_message "Netscape SPKAC operations"
964
965	# server-admin generates SPKAC
966
967	start_message "spkac"
968	spkacfile=$server_dir/spkac.file
969
970	$openssl_bin spkac -key $genpkey_rsa -challenge hello -out $spkacfile
971	check_exit_status $?
972
973	$openssl_bin spkac -in $spkacfile -verify -out $spkacfile.out
974	check_exit_status $?
975
976	spkacreq=$server_dir/spkac.req
977	cat << __EOF__ > $spkacreq
978countryName = JP
979stateOrProvinceName = Tokyo
980organizationName = TEST_DUMMY_COMPANY
981commonName = spkac.test-dummy.com
982__EOF__
983	cat $spkacfile >> $spkacreq
984
985	# CA signs SPKAC
986	start_message "ca ... CA signs SPKAC csr"
987	spkaccert=$server_dir/spkac.cert
988	$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
989		-spkac $spkacreq -out $spkaccert > $spkaccert.log 2>&1
990	check_exit_status $?
991
992	start_message "x509 ... convert DER format SPKAC cert to PEM"
993	spkacpem=$server_dir/spkac.pem
994	$openssl_bin x509 -in $spkaccert -inform DER -out $spkacpem -outform PEM
995	check_exit_status $?
996
997	#---------#---------#---------#---------#---------#---------#---------
998
999	# --- user1 operations (generate user1 key and csr) ---
1000	section_message "user1 operations (generate user1 key and csr)"
1001
1002	# trust
1003	start_message "x509 ... trust testCA cert"
1004	user1_trust=$user1_dir/user1_trust_ca.pem
1005	$openssl_bin x509 -in $ca_cert -addtrust clientAuth \
1006		-setalias "trusted testCA" -purpose -out $user1_trust \
1007		> $user1_trust.log 2>&1
1008	check_exit_status $?
1009
1010	start_message "req ... generate private key and csr for user1"
1011
1012	cl_rsa_key=$user1_dir/cl_rsa_key.pem
1013	cl_rsa_csr=$user1_dir/cl_rsa_csr.pem
1014	cl_rsa_pass=test-user1-pass
1015
1016	if [ $mingw = 0 ] ; then
1017		subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user1.test-dummy.com/'
1018	else
1019		subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user1.test-dummy.com\'
1020	fi
1021
1022	$openssl_bin req -new -keyout $cl_rsa_key -out $cl_rsa_csr \
1023		-passout pass:$cl_rsa_pass -subj $subj > $cl_rsa_csr.log 2>&1
1024	check_exit_status $?
1025
1026	start_message "req ... generate private key and csr for user2"
1027
1028	cl_ecdsa_key=$user1_dir/cl_ecdsa_key.pem
1029	cl_ecdsa_csr=$user1_dir/cl_ecdsa_csr.pem
1030	cl_ecdsa_pass=test-user1-pass
1031
1032	if [ $mingw = 0 ] ; then
1033		subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user2.test-dummy.com/'
1034	else
1035		subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user2.test-dummy.com\'
1036	fi
1037
1038	$openssl_bin ecparam -name prime256v1 -genkey -out $cl_ecdsa_key
1039	check_exit_status $?
1040
1041	$openssl_bin req -new -subj $subj -sha256 \
1042		-key $cl_ecdsa_key -keyform pem -passin pass:$cl_ecdsa_pass \
1043		-out $cl_ecdsa_csr -outform pem
1044	check_exit_status $?
1045
1046	#---------#---------#---------#---------#---------#---------#---------
1047
1048	# --- CA operations (issue cert for user1) ---
1049	section_message "CA operations (issue cert for user1)"
1050
1051	start_message "ca ... issue cert for user1"
1052
1053	cl_rsa_cert=$user1_dir/cl_rsa_cert.pem
1054	$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
1055		-in $cl_rsa_csr -out $cl_rsa_cert > $cl_rsa_cert.log 2>&1
1056	check_exit_status $?
1057
1058	start_message "ca ... issue cert for user2"
1059
1060	cl_ecdsa_cert=$user1_dir/cl_ecdsa_cert.pem
1061	$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
1062		-in $cl_ecdsa_csr -out $cl_ecdsa_cert > $cl_ecdsa_cert.log 2>&1
1063	check_exit_status $?
1064}
1065
1066function test_tsa {
1067	# --- TSA operations ---
1068	section_message "TSA operations"
1069
1070	tsa_dat=$user1_dir/tsa.dat
1071	cat << __EOF__ > $tsa_dat
1072Hello Bob,
1073Sincerely yours
1074Alice
1075__EOF__
1076
1077	# Query
1078	start_message "ts ... create time stamp request"
1079
1080	tsa_tsq=$user1_dir/tsa.tsq
1081
1082	$openssl_bin ts -query -sha1 -data $tsa_dat -no_nonce -out $tsa_tsq
1083	check_exit_status $?
1084
1085	start_message "ts ... print time stamp request"
1086
1087	$openssl_bin ts -query -in $tsa_tsq -text -out $tsa_tsq.log
1088	check_exit_status $?
1089
1090	# Reply
1091	start_message "ts ... create time stamp response for a request"
1092
1093	tsa_tsr=$user1_dir/tsa.tsr
1094
1095	$openssl_bin ts -reply -queryfile $tsa_tsq -inkey $tsa_key \
1096		-passin pass:$tsa_pass -signer $tsa_cert -chain $ca_cert \
1097		-config $ssldir/openssl.cnf -section tsa_config1 -cert \
1098		-policy 1.3.6.1.4.1.4146.2.3 -out $tsa_tsr
1099	check_exit_status $?
1100
1101	# Verify
1102	start_message "ts ... verify time stamp response"
1103
1104	$openssl_bin ts -verify -queryfile $tsa_tsq -in $tsa_tsr \
1105		-CAfile $ca_cert -untrusted $tsa_cert
1106	check_exit_status $?
1107}
1108
1109function test_cms {
1110	# --- CMS operations ---
1111	section_message "CMS operations"
1112
1113	if [ $ecdsa_tests = 1 ] ; then
1114		echo "Using ECDSA certificate"
1115		type=ecdsa
1116		cl_cert=$cl_ecdsa_cert
1117		cl_key=$cl_ecdsa_key
1118		sv_cert=$sv_ecdsa_cert
1119		sv_key=$sv_ecdsa_key
1120		sign_keyopt=
1121		enc_keyopt=
1122	else
1123		echo "Using RSA certificate"
1124		type=rsa
1125		cl_cert=$cl_rsa_cert
1126		cl_key="$cl_rsa_key -passin pass:$cl_rsa_pass"
1127		sv_cert=$sv_rsa_cert
1128		sv_key="$sv_rsa_key -passin pass:$sv_rsa_pass"
1129		sign_keyopt="-keyopt rsa_padding_mode:pss"
1130		enc_keyopt="-keyopt rsa_padding_mode:oaep"
1131	fi
1132
1133	cms_txt=$user1_dir/cms_$type.txt
1134	cms_sig=$user1_dir/cms_$type.sig
1135	cms_enc=$user1_dir/cms_$type.enc
1136	cms_dec=$user1_dir/cms_$type.dec
1137	cms_sgr=$user1_dir/cms_$type.sgr
1138	cms_ver=$user1_dir/cms_$type.ver
1139	cms_out=$user1_dir/cms_$type.out
1140	cms_dct=$user1_dir/cms_$type.dct
1141	cms_dot=$user1_dir/cms_$type.dot
1142	cms_dgc=$user1_dir/cms_$type.dgc
1143	cms_dgv=$user1_dir/cms_$type.dgv
1144	cms_ede=$user1_dir/cms_$type.ede
1145	cms_edd=$user1_dir/cms_$type.edd
1146	cms_srp=$user1_dir/cms_$type.srp
1147	cms_pwe=$user1_dir/cms_$type.pwe
1148	cms_pwd=$user1_dir/cms_$type.pwd
1149
1150	cat << __EOF__ > $cms_txt
1151Hello Bob,
1152Sincerely yours
1153Alice
1154__EOF__
1155
1156	# sign
1157	start_message "cms ... sign to message"
1158
1159	$openssl_bin cms -sign -in $cms_txt -text \
1160		-out $cms_sig -outform smime \
1161		-signer $cl_cert -inkey $cl_key $sign_keyopt \
1162		-keyform pem -md sha256 \
1163		-from user1@test-dummy.com -to server@test-dummy.com \
1164		-subject "test openssl cms" \
1165		-receipt_request_from server@test-dummy.com \
1166		-receipt_request_to user1@test-dummy.com
1167	check_exit_status $?
1168
1169	# encrypt
1170	start_message "cms ... encrypt message"
1171
1172	$openssl_bin cms -encrypt -aes256 -binary -in $cms_sig -inform smime \
1173		-recip $sv_cert $enc_keyopt -out $cms_enc
1174	check_exit_status $?
1175
1176	# decrypt
1177	start_message "cms ... decrypt message"
1178
1179	$openssl_bin cms -decrypt -in $cms_enc -out $cms_dec \
1180		-recip $sv_cert -inkey $sv_key
1181	check_exit_status $?
1182
1183	# verify
1184	start_message "cms ... verify message"
1185
1186	$openssl_bin cms -verify -in $cms_dec \
1187		-CAfile $ca_cert -certfile $cl_cert -nointern \
1188		-check_ss_sig -issuer_checks -policy_check -x509_strict \
1189		-signer $cms_sgr -text -out $cms_ver -receipt_request_print \
1190		> $cms_ver.log 2>&1
1191	check_exit_status $?
1192
1193	diff -b $cms_ver $cms_txt
1194	check_exit_status $?
1195
1196	# cmsout
1197	start_message "cms ... cmsout"
1198
1199	$openssl_bin cms -cmsout -in $cms_enc -print -out $cms_out
1200	check_exit_status $?
1201
1202	# data_create
1203	start_message "cms ... data_create"
1204
1205	$openssl_bin cms -data_create -in $cms_enc -out $cms_dct
1206	check_exit_status $?
1207
1208	# data_out
1209	start_message "cms ... data_out"
1210
1211	$openssl_bin cms -data_out -in $cms_dct -out $cms_dot
1212	check_exit_status $?
1213
1214	# digest_create
1215	start_message "cms ... digest_create"
1216
1217	$openssl_bin cms -digest_create -in $cms_txt -md sha256 -out $cms_dgc
1218	check_exit_status $?
1219
1220	# digest_verify
1221	start_message "cms ... digest_verify"
1222
1223	$openssl_bin cms -digest_verify -in $cms_dgc -md sha256 -out $cms_dgv
1224	check_exit_status $?
1225
1226	diff -b $cms_dgv $cms_txt
1227	check_exit_status $?
1228
1229	# compress
1230
1231	# uncompress
1232
1233	# EncryptedData_encrypt
1234	start_message "cms ... EncryptedData_encrypt"
1235
1236	$openssl_bin cms -EncryptedData_encrypt -in $cms_sig -out $cms_ede \
1237		-aes128 -secretkey 00112233445566778899aabbccddeeff
1238	check_exit_status $?
1239
1240	# EncryptedData_decrypt
1241	start_message "cms ... EncryptedData_decrypt"
1242
1243	$openssl_bin cms -EncryptedData_decrypt -in $cms_ede -out $cms_edd \
1244		-aes128 -secretkey 00112233445566778899aabbccddeeff
1245	check_exit_status $?
1246
1247	diff -b $cms_edd $cms_sig
1248	check_exit_status $?
1249
1250	# sign_receipt
1251	start_message "cms ... sign to receipt"
1252
1253	$openssl_bin cms -sign_receipt -in $cms_sig -out $cms_srp \
1254		-signer $sv_cert -inkey $sv_key -md sha256
1255	check_exit_status $?
1256
1257	# verify_receipt
1258	start_message "cms ... verify receipt"
1259
1260	$openssl_bin cms -verify_receipt $cms_srp -rctform smime -in $cms_sig \
1261		-CAfile $ca_cert -certfile $sv_cert
1262	check_exit_status $?
1263
1264	# encrypt with pwri
1265	start_message "cms ... encrypt with pwri"
1266
1267	$openssl_bin cms -encrypt -camellia256 -in $cms_txt -out $cms_pwe \
1268		-pwri_password abcdefg
1269	check_exit_status $?
1270
1271	# decrypt with pwri
1272	start_message "cms ... decrypt with pwri"
1273
1274	$openssl_bin cms -decrypt -camellia256 -in $cms_pwe -out $cms_pwd \
1275		-pwri_password abcdefg
1276	check_exit_status $?
1277
1278	diff -b $cms_pwd $cms_txt
1279	check_exit_status $?
1280}
1281
1282function test_smime {
1283	# --- S/MIME operations ---
1284	section_message "S/MIME operations"
1285
1286	cl_cert=$cl_rsa_cert
1287	cl_key="$cl_rsa_key -passin pass:$cl_rsa_pass"
1288	sv_cert=$sv_rsa_cert
1289	sv_key="$sv_rsa_key -passin pass:$sv_rsa_pass"
1290
1291	smime_txt=$user1_dir/smime.txt
1292	smime_enc=$user1_dir/smime.enc
1293	smime_sig=$user1_dir/smime.sig
1294	smime_p7o=$user1_dir/smime.p7o
1295	smime_sgr=$user1_dir/smime.sgr
1296	smime_ver=$user1_dir/smime.ver
1297	smime_dec=$user1_dir/smime.dec
1298
1299	cat << __EOF__ > $smime_txt
1300Hello Bob,
1301Sincerely yours
1302Alice
1303__EOF__
1304
1305	# encrypt
1306	start_message "smime ... encrypt message"
1307
1308	$openssl_bin smime -encrypt -aes256 -binary -in $smime_txt \
1309		-out $smime_enc $sv_cert
1310	check_exit_status $?
1311
1312	# sign
1313	start_message "smime ... sign to message"
1314
1315	$openssl_bin smime -sign -in $smime_enc -text -inform smime \
1316		-out $smime_sig -outform smime \
1317		-signer $cl_cert -inkey $cl_key -keyform pem -md sha256 \
1318		-from user1@test-dummy.com -to server@test-dummy.com \
1319		-subject "test openssl smime"
1320	check_exit_status $?
1321
1322	# pk7out
1323	start_message "smime ... pk7out from message"
1324
1325	$openssl_bin smime -pk7out -in $smime_sig -out $smime_p7o
1326	check_exit_status $?
1327
1328	# verify
1329	start_message "smime ... verify message"
1330
1331	$openssl_bin smime -verify -in $smime_sig \
1332		-CAfile $ca_cert -certfile $cl_cert -nointern \
1333		-check_ss_sig -issuer_checks -policy_check -x509_strict \
1334		-signer $smime_sgr -text -out $smime_ver
1335	check_exit_status $?
1336
1337	# decrypt
1338	start_message "smime ... decrypt message"
1339
1340	$openssl_bin smime -decrypt -in $smime_ver -out $smime_dec \
1341		-recip $sv_cert -inkey $sv_key
1342	check_exit_status $?
1343
1344	diff $smime_dec $smime_txt
1345	check_exit_status $?
1346}
1347
1348function test_ocsp {
1349	# --- OCSP operations ---
1350	section_message "OCSP operations"
1351
1352	# get key without pass
1353	cl_rsa_key_nopass=$user1_dir/cl_rsa_key_nopass.pem
1354	$openssl_bin pkey -in $cl_rsa_key -passin pass:$cl_rsa_pass \
1355		-out $cl_rsa_key_nopass
1356	check_exit_status $?
1357
1358	# request
1359	start_message "ocsp ... create OCSP request"
1360
1361	ocsp_req=$user1_dir/ocsp_req.der
1362	$openssl_bin ocsp -issuer $ca_cert -cert $sv_rsa_cert \
1363		-cert $revoke_cert -serial 1 -nonce -no_certs -CAfile $ca_cert \
1364		-signer $cl_rsa_cert -signkey $cl_rsa_key_nopass \
1365		-sign_other $cl_rsa_cert -sha256 \
1366		-reqout $ocsp_req -req_text -out $ocsp_req.out
1367	check_exit_status $?
1368
1369	# response
1370	start_message "ocsp ... create OCPS response for a request"
1371
1372	ocsp_res=$user1_dir/ocsp_res.der
1373	$openssl_bin ocsp -index  $ca_dir/index.txt -CA $ca_cert \
1374		-CAfile $ca_cert -rsigner $ocsp_cert -rkey $ocsp_key \
1375		-reqin $ocsp_req -rother $ocsp_cert -resp_no_certs -noverify \
1376		-nmin 60 -validity_period 300 -status_age 300 \
1377		-respout $ocsp_res -resp_text -out $ocsp_res.out
1378	check_exit_status $?
1379
1380	# ocsp server
1381	start_message "ocsp ... start OCSP server in background"
1382
1383	ocsp_port=8888
1384
1385	ocsp_svr_log=$user1_dir/ocsp_svr.log
1386	$openssl_bin ocsp -index  $ca_dir/index.txt -CA $ca_cert \
1387		-CAfile $ca_cert -rsigner $ocsp_cert -rkey $ocsp_key \
1388		-host localhost -port $ocsp_port -path / -ndays 1 -nrequest 1 \
1389		-resp_key_id -text -out $ocsp_svr_log &
1390	check_exit_status $?
1391	ocsp_svr_pid=$!
1392	echo "ocsp server pid = [ $ocsp_svr_pid ]"
1393	sleep 1
1394
1395	# send query to ocsp server
1396	start_message "ocsp ... send OCSP request to server"
1397
1398	ocsp_qry=$user1_dir/ocsp_qry.der
1399	$openssl_bin ocsp -issuer $ca_cert -cert $sv_rsa_cert \
1400		-cert $revoke_cert -CAfile $ca_cert -no_nonce \
1401		-url http://localhost:$ocsp_port -timeout 10 -text \
1402		-header Host localhost \
1403		-respout $ocsp_qry -out $ocsp_qry.out
1404	check_exit_status $?
1405
1406	# verify response from server
1407	start_message "ocsp ... verify OCSP response from server"
1408
1409	$openssl_bin ocsp -respin $ocsp_qry -CAfile $ca_cert \
1410	-ignore_err -no_signature_verify -no_cert_verify -no_chain \
1411	-no_cert_checks -no_explicit -trust_other -no_intern \
1412	-verify_other $ocsp_cert -VAfile $ocsp_cert
1413	check_exit_status $?
1414}
1415
1416function test_pkcs {
1417	# --- PKCS operations ---
1418	section_message "PKCS operations"
1419
1420	pkcs_pass=test-pkcs-pass
1421
1422	start_message "pkcs7 ... output certs in crl(pkcs7)"
1423	$openssl_bin pkcs7 -in $crl_p7 -print_certs -text -out $crl_p7.out
1424	check_exit_status $?
1425
1426	start_message "pkcs8 ... convert key to pkcs8"
1427	$openssl_bin pkcs8 -in $cl_rsa_key -topk8 -out $cl_rsa_key.p8 \
1428		-passin pass:$cl_rsa_pass -passout pass:$cl_rsa_pass \
1429		-v1 pbeWithSHA1AndDES-CBC -v2 des3
1430	check_exit_status $?
1431
1432	start_message "pkcs8 ... convert pkcs8 to key in DER format"
1433	$openssl_bin pkcs8 -in $cl_rsa_key.p8 -passin pass:$cl_rsa_pass \
1434		-outform DER -out $cl_rsa_key.p8.der
1435	check_exit_status $?
1436
1437	start_message "pkcs12 ... create"
1438	$openssl_bin pkcs12 -export -in $sv_rsa_cert -inkey $sv_rsa_key \
1439		-passin pass:$sv_rsa_pass -certfile $ca_cert -CAfile $ca_cert \
1440		-caname "caname_server_p12" \
1441		-certpbe AES-256-CBC -keypbe AES-256-CBC -chain \
1442		-name "name_server_p12" -des3 -maciter -macalg sha256 \
1443		-CSP "csp_server_p12" -LMK -keyex \
1444		-passout pass:$pkcs_pass -out $sv_rsa_cert.p12
1445	check_exit_status $?
1446
1447	start_message "pkcs12 ... verify"
1448	$openssl_bin pkcs12 -in $sv_rsa_cert.p12 -passin pass:$pkcs_pass -info \
1449		-noout > $sv_rsa_cert.p12.log 2>&1
1450	check_exit_status $?
1451
1452	start_message "pkcs12 ... private key to PEM without encryption"
1453	$openssl_bin pkcs12 -in $sv_rsa_cert.p12 -password pass:$pkcs_pass \
1454		-nocerts -nomacver -nodes -out $sv_rsa_cert.p12.pem
1455	check_exit_status $?
1456}
1457
1458function test_sc_by_protocol_version {
1459	sc=$1
1460	ver=$2
1461	msg=$3
1462	cid=$4
1463
1464	groups_and_cipher=""
1465	if [ $ver = "tls1_3" ] ; then
1466		# Expect HelloRetryRequest
1467		groups_and_cipher="-groups P-521:P-384 -cipher ALL"
1468	fi
1469
1470	s_client_out=$user1_dir/s_client_${sc}_${ver}.out
1471
1472	start_message "s_client ... connect to TLS/SSL test server by $ver"
1473	sleep $test_pause_sec
1474	$c_bin s_client -connect $host:$port -CAfile $ca_cert \
1475		-$ver $groups_and_cipher \
1476		-msg -tlsextdebug < /dev/null > $s_client_out 2>&1
1477	check_exit_status $?
1478
1479	# check downgrade bits in SH
1480	if [ $ver = "tls1" -o $ver = "tls1_1" ] ; then
1481		perl -0ne \
1482		    'exit (!/ServerHello\n.*\n.*44 4f\n.*57 4e 47 52 44 00/m)' \
1483		    $s_client_out
1484		check_exit_status $?
1485	elif [ $ver = "tls1_2" ] ; then
1486		perl -0ne \
1487		    'exit (!/ServerHello\n.*\n.*44 4f\n.*57 4e 47 52 44 01/m)' \
1488		    $s_client_out
1489		check_exit_status $?
1490	elif [ $ver = "tls1_3" ] ; then
1491		perl -0ne \
1492		    'exit (/ServerHello\n.*\n.*44 4f\n.*57 4e 47 52 44/m)' \
1493		    $s_client_out
1494		check_exit_status $?
1495	fi
1496
1497	# check HRR hash
1498	if [ $ver = "tls1_3" ] ; then
1499		perl -0ne \
1500		    'exit (!/ServerHello\n.*cf 21 ad 74 e5 9a 61 11 be 1d\n.*8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e\n.*09 e2 c8 a8 33 9c/m)' \
1501		    $s_client_out
1502		check_exit_status $?
1503	fi
1504
1505	if [ $ver = "tls1_3" ] ; then
1506		grep 'Server Temp Key: ECDH, .*384.*, 384 bits' $s_client_out \
1507			> /dev/null
1508		check_exit_status $?
1509	fi
1510
1511	# OpenSSL1.1.1 with TLSv1.3 does not call SSL_SESSION_print() until
1512	# NewSessionTicket arrival
1513	if ! [ $cid = "1" -a $ver = "tls1_3" ] ; then
1514		grep "$msg" $s_client_out > /dev/null
1515		check_exit_status $?
1516	fi
1517
1518	grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
1519	check_exit_status $?
1520}
1521
1522function test_sc_all_cipher {
1523	sc=$1
1524	ver=$2
1525
1526	copt=cipher
1527	ciphers=$user1_dir/ciphers_${sc}_${ver}
1528
1529	if [ $ver = "tls1_3" ] ; then
1530		echo "TLS_AES_256_GCM_SHA384" > $ciphers
1531		echo "TLS_CHACHA20_POLY1305_SHA256" >> $ciphers
1532		echo "TLS_AES_128_GCM_SHA256" >> $ciphers
1533		if [ $c_id != "0" ] ; then
1534			copt=ciphersuites
1535		fi
1536	else
1537		s_ciph=$server_dir/s_ciph_${sc}_${ver}
1538		cipher_string=""
1539		if [ $s_id = "0" ] ; then
1540			if [ $ecdsa_tests = 1 ] ; then
1541				cipher_string="ECDSA+TLSv1.2:!TLSv1.3"
1542			else
1543				cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3"
1544			fi
1545		fi
1546		$s_bin ciphers -v $cipher_string | awk '{print $1}' > $s_ciph
1547
1548		c_ciph=$user1_dir/c_ciph_${sc}_${ver}
1549		cipher_string=""
1550		if [ $c_id = "0" ] ; then
1551			if [ $ecdsa_tests = 1 ] ; then
1552				cipher_string="ECDSA+TLSv1.2:!TLSv1.3"
1553			else
1554				cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3"
1555			fi
1556		fi
1557		$c_bin ciphers -s -v $cipher_string | awk '{print $1}' > $c_ciph
1558
1559		grep -x -f $s_ciph $c_ciph | sort -R > $ciphers
1560	fi
1561
1562	cnum=0
1563	for c in `cat $ciphers` ; do
1564		cnum=`expr $cnum + 1`
1565		cnstr=`printf %03d $cnum`
1566		s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_${cnstr}_${c}.out
1567
1568		start_message "s_client ... connect to TLS/SSL test server with [ $cnstr ] $ver $c"
1569		sleep $test_pause_sec
1570		$c_bin s_client -connect $host:$port -CAfile $ca_cert \
1571			-$ver -$copt $c \
1572			-msg -tlsextdebug < /dev/null > $s_client_out 2>&1
1573		check_exit_status $?
1574
1575		grep "Cipher is $c" $s_client_out > /dev/null
1576		check_exit_status $?
1577
1578		grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
1579		check_exit_status $?
1580	done
1581}
1582
1583function test_sc_session_reuse {
1584	sc=$1
1585	ver=$2
1586
1587	sess_dat=$user1_dir/s_client_${sc}_${ver}_sess.dat
1588
1589	# Get session ticket to reuse
1590
1591	s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_reuse_1.out
1592
1593	start_message "s_client ... connect to TLS/SSL test server to get session id $ver"
1594	sleep $test_pause_sec
1595	$c_bin s_client -connect $host:$port -CAfile $ca_cert \
1596		-$ver -alpn "spdy/3,http/1.1" -sess_out $sess_dat \
1597		-msg -tlsextdebug < /dev/null > $s_client_out 2>&1
1598	check_exit_status $?
1599
1600	grep '^New, TLS.*$' $s_client_out > /dev/null
1601	check_exit_status $?
1602
1603	grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
1604	check_exit_status $?
1605
1606	# Reuse session ticket
1607
1608	s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_reuse_2.out
1609
1610	start_message "s_client ... connect to TLS/SSL test server reusing session id $ver"
1611	sleep $test_pause_sec
1612	$c_bin s_client -connect $host:$port -CAfile $ca_cert \
1613		-$ver -sess_in $sess_dat \
1614		-msg -tlsextdebug < /dev/null > $s_client_out 2>&1
1615	check_exit_status $?
1616
1617	grep '^Reused, TLS.*$' $s_client_out > /dev/null
1618	check_exit_status $?
1619
1620	grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
1621	check_exit_status $?
1622
1623	# sess_id
1624
1625	start_message "sess_id"
1626	$c_bin sess_id -in $sess_dat -text -out $sess_dat.out
1627	check_exit_status $?
1628}
1629
1630function test_sc_verify {
1631	sc=$1
1632	ver=$2
1633
1634	# invalid verification pattern
1635
1636	s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_invalid.out
1637
1638	start_message "s_client ... connect to tls/ssl test server but verify error $ver"
1639	sleep $test_pause_sec
1640	$c_bin s_client -connect $host:$port -CAfile $ca_cert \
1641		-$ver -showcerts -crl_check -issuer_checks -policy_check \
1642		-status -servername xyz \
1643		-msg -tlsextdebug < /dev/null > $s_client_out 2>&1
1644	check_exit_status $?
1645
1646	grep 'verify return code: 0 (ok)' $s_client_out > /dev/null
1647	if [ $? -eq 0 ] ; then
1648		check_exit_status 1
1649	else
1650		check_exit_status 0
1651	fi
1652
1653	# client certificate pattern
1654
1655	s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_client_cert.out
1656
1657	start_message "s_client ... connect to tls/ssl test server with client certificate $ver"
1658
1659	if [ $ecdsa_tests = 1 ] ; then
1660		echo "Using ECDSA client certificate"
1661		crt=$cl_ecdsa_cert
1662		key=$cl_ecdsa_key
1663		pwd=$cl_ecdsa_pass
1664	else
1665		echo "Using RSA client certificate"
1666		crt=$cl_rsa_cert
1667		key=$cl_rsa_key
1668		pwd=$cl_rsa_pass
1669	fi
1670
1671	sleep $test_pause_sec
1672	$c_bin s_client -connect $host:$port -CAfile $ca_cert \
1673		-$ver -cert $crt -key $key -pass pass:$pwd \
1674		-msg -tlsextdebug < /dev/null > $s_client_out 2>&1
1675	check_exit_status $?
1676
1677	grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
1678	check_exit_status $?
1679}
1680
1681function test_server_client {
1682	# --- client/server operations (TLS) ---
1683	section_message "client/server operations (TLS)"
1684
1685	s_id="$1"
1686	c_id="$2"
1687	sc="$1$2"
1688
1689	test_pause_sec=0.2
1690
1691	if [ $s_id = "0" ] ; then
1692		s_bin=$openssl_bin
1693	else
1694		s_bin=$other_openssl_bin
1695	fi
1696
1697	if [ $c_id = "0" ] ; then
1698		c_bin=$openssl_bin
1699	else
1700		c_bin=$other_openssl_bin
1701	fi
1702
1703	echo "s_server is [`$s_bin version`]"
1704	echo "s_client is [`$c_bin version`]"
1705
1706	host="localhost"
1707	port=4433
1708	s_server_out=$server_dir/s_server_${sc}_tls.out
1709
1710	if [ $ecdsa_tests = 1 ] ; then
1711		echo "Using ECDSA certificate"
1712		crt=$sv_ecdsa_cert
1713		key=$sv_ecdsa_key
1714		pwd=$sv_ecdsa_pass
1715	else
1716		echo "Using RSA certificate"
1717		crt=$sv_rsa_cert
1718		key=$sv_rsa_key
1719		pwd=$sv_rsa_pass
1720	fi
1721
1722	start_message "s_server ... start TLS/SSL test server"
1723	$s_bin s_server -accept $port -CAfile $ca_cert \
1724		-cert $crt -key $key -pass pass:$pwd \
1725		-context "appstest.sh" -id_prefix "APPSTEST.SH" -crl_check \
1726		-alpn "http/1.1,spdy/3" -www -cipher ALL -4 \
1727		-msg -tlsextdebug -verify 3 -groups X25519:P-384:P-256 \
1728		-status -servername xyz -cert2 $crt -key2 $key \
1729		> $s_server_out 2>&1 &
1730	check_exit_status $?
1731	s_server_pid=$!
1732	echo "s_server pid = [ $s_server_pid ]"
1733	sleep 1
1734
1735	# test by protocol version
1736	test_sc_by_protocol_version $sc tls1_2 'Protocol  : TLSv1\.2$' $c_id
1737	test_sc_by_protocol_version $sc tls1_3 'Protocol  : TLSv1\.3$' $c_id
1738
1739	# all available ciphers with random order
1740	test_sc_all_cipher $sc tls1_2
1741	test_sc_all_cipher $sc tls1_3
1742
1743	# session resumption
1744	test_sc_session_reuse $sc tls1_2
1745
1746	# invalid verification pattern
1747	test_sc_verify $sc tls1_2
1748	test_sc_verify $sc tls1_3
1749
1750	# s_time
1751	start_message "s_time ... connect to TLS/SSL test server"
1752	$c_bin s_time -connect $host:$port -CApath $ca_dir -time 1 \
1753		> $server_dir/s_time_${sc}.log
1754	check_exit_status $?
1755
1756	stop_s_server
1757}
1758
1759function test_server_client_dtls {
1760	# --- client/server operations (DTLS) ---
1761	section_message "client/server operations (DTLS)"
1762
1763	s_id="$1"
1764	c_id="$2"
1765	sc="$1$2"
1766
1767	test_pause_sec=0.2
1768
1769	if [ $s_id = "0" ] ; then
1770		s_bin=$openssl_bin
1771	else
1772		s_bin=$other_openssl_bin
1773	fi
1774
1775	if [ $c_id = "0" ] ; then
1776		c_bin=$openssl_bin
1777	else
1778		c_bin=$other_openssl_bin
1779	fi
1780
1781	echo "s_server is [`$s_bin version`]"
1782	echo "s_client is [`$c_bin version`]"
1783
1784	host="localhost"
1785	port=4433
1786	s_server_out=$server_dir/s_server_${sc}_dtls.out
1787
1788	if [ $ecdsa_tests = 1 ] ; then
1789		echo "Using ECDSA certificate"
1790		crt=$sv_ecdsa_cert
1791		key=$sv_ecdsa_key
1792		pwd=$sv_ecdsa_pass
1793	else
1794		echo "Using RSA certificate"
1795		crt=$sv_rsa_cert
1796		key=$sv_rsa_key
1797		pwd=$sv_rsa_pass
1798	fi
1799
1800	start_message "s_server ... start DTLS test server"
1801	$s_bin s_server -accept $port -CAfile $ca_cert \
1802		-cert $crt -key $key -pass pass:$pwd \
1803		-context "appstest.sh" -id_prefix "APPSTEST.SH" -crl_check \
1804		-alpn "http/1.1,spdy/3" -cipher ALL -4 \
1805		-msg -tlsextdebug -verify 3 -groups X25519:P-384:P-256 \
1806		-status -servername xyz -cert2 $crt -key2 $key -dtls -quiet \
1807		> $s_server_out 2>&1 &
1808	check_exit_status $?
1809	s_server_pid=$!
1810	echo "s_server pid = [ $s_server_pid ]"
1811	sleep 1
1812
1813	# test by protocol version
1814	test_sc_by_protocol_version $sc dtls1_2 'Protocol  : DTLSv1.2$' $c_id
1815
1816	stop_s_server
1817}
1818
1819function test_gnutls {
1820	# --- GnuTLS interoperability ---
1821	section_message "GnuTLS $1 interoperability"
1822
1823	proto="$1"
1824
1825	if [ $proto = "tls" ] ; then
1826		sopt="-www"
1827		lopt=
1828		gopt=
1829	else
1830		sopt="-quiet"
1831		lopt="-dtls"
1832		gopt="-u"
1833	fi
1834
1835	gs_bin=/usr/local/bin/gnutls-serv
1836	gc_bin=/usr/local/bin/gnutls-cli
1837
1838	host="localhost"
1839	port=4433
1840
1841	if [ $ecdsa_tests = 1 ] ; then
1842		echo "Using ECDSA certificate"
1843		crt=$sv_ecdsa_cert
1844		key=$sv_ecdsa_key
1845		sni=ecdsa.test-dummy.com
1846	else
1847		echo "Using RSA certificate"
1848		crt=$sv_rsa_cert
1849		key=$sv_rsa_key.nopass
1850		sni=localhost.test-dummy.com
1851	fi
1852
1853	# LibreSSL - GnuTLS
1854
1855	start_message "s_server ... start $proto test server"
1856	s_server_out=$server_dir/s_server_LG_$proto.out
1857	$openssl_bin s_server -accept $port -CAfile $ca_cert \
1858		-cert $crt -key $key -cert2 $crt -key2 $key \
1859		-servername $sni -msg -tlsextdebug -status $sopt $lopt \
1860		> $s_server_out 2>&1 &
1861	check_exit_status $?
1862	s_server_pid=$!
1863	echo "s_server pid = [ $s_server_pid ]"
1864	sleep 1
1865
1866	gnutls_cli_out=$user1_dir/gnutls-cli_LG_$proto.out
1867	$gc_bin --x509cafile=$ca_cert --sni-hostname=$sni \
1868		--verify-hostname=$sni $gopt -p $port $host < /dev/null \
1869		> $gnutls_cli_out 2>&1
1870	check_exit_status $?
1871
1872	grep 'Handshake was completed' $gnutls_cli_out > /dev/null
1873	check_exit_status $?
1874
1875	stop_s_server
1876
1877	# GnuTLS - LibreSSL
1878
1879	start_message "gnutls-serv ... start $proto test server"
1880	gnutls_serv_out=$server_dir/gnutls-serv_GL_$proto.out
1881	$gs_bin --x509cafile=$ca_cert --x509certfile=$crt --x509keyfile=$key \
1882	       $gopt -p $port > $gnutls_serv_out 2>&1 &
1883	check_exit_status $?
1884	gnutls_serv_pid=$!
1885	echo "gnutls-serv pid = [ $gnutls_serv_pid ]"
1886	sleep 1
1887
1888	s_client_out=$user1_dir/s_client_GL_$proto.out
1889	$openssl_bin s_client -connect $host:$port -CAfile $ca_cert \
1890		-msg -tlsextdebug -status $lopt < /dev/null > $s_client_out 2>&1
1891	check_exit_status $?
1892
1893	grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
1894	check_exit_status $?
1895
1896	stop_gnutls_serv
1897}
1898
1899function test_speed {
1900	# === PERFORMANCE ===
1901	section_message "PERFORMANCE"
1902
1903	if [ $no_long_tests = 0 ] ; then
1904		start_message "speed"
1905		$openssl_bin speed sha512 rsa2048 -multi 2 -elapsed
1906		check_exit_status $?
1907	else
1908		start_message "SKIPPING speed (quick mode)"
1909	fi
1910}
1911
1912function test_version {
1913	# --- VERSION INFORMATION ---
1914	section_message "VERSION INFORMATION"
1915
1916	start_message "version"
1917	$openssl_bin version -a
1918	check_exit_status $?
1919}
1920
1921#---------#---------#---------#---------#---------#---------#---------#---------
1922
1923openssl_bin=${OPENSSL:-/usr/bin/openssl}
1924other_openssl_bin=${OTHER_OPENSSL:-/usr/local/bin/eopenssl11}
1925other_openssl_version=`$other_openssl_bin version | cut -b 1-10`
1926
1927ecdsa_tests=0
1928interop_tests=0
1929gnutls_tests=0
1930no_long_tests=0
1931
1932while [ "$1" != "" ]; do
1933	case $1 in
1934		-e | --ecdsa)		shift
1935					ecdsa_tests=1
1936					;;
1937		-g | --gost)		shift
1938					ecdsa_tests=0
1939					;;
1940		-i | --interop)		shift
1941					interop_tests=1
1942					;;
1943		-n | --gnutls)		shift
1944					gnutls_tests=1
1945					;;
1946		-q | --quick )		shift
1947					no_long_tests=1
1948					;;
1949		* )			usage
1950					exit 1
1951	esac
1952done
1953
1954if [ ! -x $openssl_bin ] ; then
1955	echo ":-< \$OPENSSL [$openssl_bin]  is not executable."
1956	exit 1
1957fi
1958
1959if [ $interop_tests = 1 -a ! -x $other_openssl_bin ] ; then
1960	echo ":-< \$OTHER_OPENSSL [$other_openssl_bin] is not executable."
1961	exit 1
1962fi
1963
1964#
1965# create ssldir, and all files generated by this script goes under this dir.
1966#
1967ssldir="appstest_dir"
1968
1969if [ -d $ssldir ] ; then
1970	echo "directory [ $ssldir ] exists, this script deletes this directory ..."
1971	/bin/rm -rf $ssldir
1972fi
1973
1974mkdir -p $ssldir
1975
1976ca_dir=$ssldir/testCA
1977tsa_dir=$ssldir/testTSA
1978ocsp_dir=$ssldir/testOCSP
1979server_dir=$ssldir/server
1980user1_dir=$ssldir/user1
1981mkdir -p $user1_dir
1982key_dir=$ssldir/key
1983mkdir -p $key_dir
1984
1985export OPENSSL_CONF=$ssldir/openssl.cnf
1986touch $OPENSSL_CONF
1987
1988uname_s=`uname -s | grep 'MINGW'`
1989if [ "$uname_s" = "" ] ; then
1990	mingw=0
1991else
1992	mingw=1
1993fi
1994
1995#
1996# process tests
1997#
1998test_usage_lists_others
1999test_md
2000test_encoding_cipher
2001test_key
2002test_pki
2003test_tsa
2004test_cms
2005test_smime
2006test_ocsp
2007test_pkcs
2008test_server_client 0 0
2009if [ $interop_tests = 1 ] ; then
2010	test_server_client 0 1
2011	test_server_client 1 0
2012fi
2013test_server_client_dtls 0 0
2014if [ $interop_tests = 1 ] ; then
2015	test_server_client_dtls 0 1
2016	test_server_client_dtls 1 0
2017fi
2018if [ $gnutls_tests = 1 ] ; then
2019	test_gnutls tls
2020	test_gnutls dtls
2021fi
2022test_speed
2023test_version
2024
2025section_message "END"
2026
2027exit 0
2028
2029