1*e0c4386eSCy Schubert#! /usr/bin/env perl
2*e0c4386eSCy Schubert# Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
3*e0c4386eSCy Schubert#
4*e0c4386eSCy Schubert# Licensed under the Apache License 2.0 (the "License").  You may not use
5*e0c4386eSCy Schubert# this file except in compliance with the License.  You can obtain a copy
6*e0c4386eSCy Schubert# in the file LICENSE in the source distribution or at
7*e0c4386eSCy Schubert# https://www.openssl.org/source/license.html
8*e0c4386eSCy Schubert
9*e0c4386eSCy Schubertuse strict;
10*e0c4386eSCy Schubertuse warnings;
11*e0c4386eSCy Schubert
12*e0c4386eSCy Schubertuse OpenSSL::Test qw/:DEFAULT with bldtop_file srctop_file cmdstr/;
13*e0c4386eSCy Schubertuse OpenSSL::Test::Utils;
14*e0c4386eSCy Schubert
setup('test_verify_store');

# One result per req/x509/verify call made in the SKIP block below.
plan tests => 10;

# Inputs taken from the source tree: the stock apps config, the test
# config, and the pre-generated CA / end-entity test keys.
my $dummycnf = srctop_file('apps', 'openssl.cnf');
my $cakey    = srctop_file('test', 'certs', 'ca-key.pem');
my $ukey     = srctop_file('test', 'certs', 'ee-key.pem');
my $cnf      = srctop_file('test', 'ca-and-certs.cnf');

# Scratch files, given as relative names, that the steps below write
# and then read back.
my $CAkey    = 'keyCA.ss';
my $CAcert   = 'certCA.ss';
my $CAserial = 'certCA.srl';
my $CAreq    = 'reqCA.ss';
my $CAreq2   = 'req2CA.ss';    # temp
my $Ukey     = 'keyU.ss';
my $Ureq     = 'reqU.ss';
my $Ucert    = 'certU.ss';
32*e0c4386eSCy Schubert
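# Build a throw-away CA and one user certificate, checking each step.
# Every helper call records exactly one test result; when a step fails,
# the remaining results are reported as skipped so that the total always
# matches the plan of 10.
SKIP: {
    # 1: CA certificate request, keyed from the in-tree test CA key.
    # Later steps read $CAkey, so -keyout is relied on to write it.
    req( 'make cert request',
         qw(-new -section userreq),
         -config       => $cnf,
         -out          => $CAreq,
         -key          => $cakey,
         -keyout       => $CAkey );

    # 2: self-sign the request with the v3_ca extensions from $cnf.
    skip 'failure', 8 unless
        x509( 'convert request into self-signed cert',
              qw(-req -CAcreateserial -days 30),
              qw(-extensions v3_ca),
              -in       => $CAreq,
              -out      => $CAcert,
              -signkey  => $CAkey,
              -extfile  => $cnf );

    # 3: round-trip the certificate back into a request.
    skip 'failure', 7 unless
        x509( 'convert cert into a cert request',
              qw(-x509toreq),
              -in       => $CAcert,
              -out      => $CAreq2,
              -signkey  => $CAkey );

    # 4, 5: both requests must carry a valid self-signature.
    skip 'failure', 6 unless
        req( 'verify request 1',
             qw(-verify -noout -section userreq),
             -config    => $dummycnf,
             -in        => $CAreq );

    skip 'failure', 5 unless
        req( 'verify request 2',
             qw(-verify -noout -section userreq),
             -config    => $dummycnf,
             -in        => $CAreq2 );

    # 6: the CA certificate is passed both as the -CAstore argument and
    # as the certificate to verify.
    skip 'failure', 4 unless
        verify( 'verify signature',
                -CAstore => $CAcert,
                $CAcert );

    # 7: user certificate request, keyed from the in-tree test EE key.
    skip 'failure', 3 unless
        req( 'make a user cert request',
             qw(-new -section userreq),
             -config  => $cnf,
             -out     => $Ureq,
             -key     => $ukey,
             -keyout  => $Ukey );

    # 8: issue the user certificate from the throw-away CA.
    skip 'failure', 2 unless
        x509( 'sign user cert request',
              qw(-req -CAcreateserial -days 30 -extensions v3_ee),
              -in     => $Ureq,
              -out    => $Ucert,
              -CA     => $CAcert,
              -CAkey  => $CAkey,
              -CAserial => $CAserial,
              -extfile => $cnf );

    # 9: verify the issued certificate with the CA certificate given as
    # -CAstore.  This is a separate step with its own skip count and
    # title: chained to step 8 with '&&', a verification failure skipped
    # 2 results after 9 had already run, exceeding the plan, and the
    # result was reported without a description.
    skip 'failure', 1 unless
        verify( 'verify user cert',
                -CAstore => $CAcert,
                $Ucert );

    # 10: last step, so there is nothing left to skip on failure.
    skip 'failure', 0 unless
        x509( 'Certificate details',
              qw(-subject -issuer -startdate -enddate -noout),
              -in     => $Ucert );
}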
100*e0c4386eSCy Schubert
# Run "openssl verify" with the given arguments and record the outcome
# as one test result.
#   $title - test description passed to ok() (may be undef)
#   rest   - command-line arguments appended after "openssl verify"
# Returns whatever ok() returns, so callers can branch on success.
sub verify {
    my ($title, @args) = @_;

    my @cmd = ('openssl', 'verify', @args);
    return ok(run(app(\@cmd)), $title);
}
106*e0c4386eSCy Schubert
# Run "openssl req" with the given arguments and record the outcome as
# one test result.
#   $title - test description passed to ok()
#   rest   - command-line arguments appended after "openssl req"
# Returns whatever ok() returns, so callers can branch on success.
sub req {
    my ($title, @args) = @_;

    my @cmd = ('openssl', 'req', @args);
    return ok(run(app(\@cmd)), $title);
}
112*e0c4386eSCy Schubert
# Run "openssl x509" with the given arguments and record the outcome as
# one test result.
#   $title - test description passed to ok()
#   rest   - command-line arguments appended after "openssl x509"
# Returns whatever ok() returns, so callers can branch on success.
sub x509 {
    my ($title, @args) = @_;

    my @cmd = ('openssl', 'x509', @args);
    return ok(run(app(\@cmd)), $title);
}