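#!/bin/sh

#
# A few very basic tests for the 'ts' time stamping authority command.
#
# Everything generated here (the CA, the TSA signer certificate and their
# keys) is throw-away test material: keys are written unencrypted (-nodes)
# and the CA is self-signed.  Nothing produced in the 'tsa' scratch
# directory should ever be reused outside this test.
#
# Exit status: 0 when every step succeeds, 1 (via error) on the first
# failure.  'set -e' is deliberately not used because one helper
# (verify_time_stamp_response_fail) relies on a command failing.
#

SH="/bin/sh"
if test "$OSTYPE" = msdosdjgpp; then
    PATH="../apps\;$PATH"
else
    PATH="../apps:$PATH"
fi
export SH PATH

OPENSSL_CONF="../CAtsa.cnf"
export OPENSSL_CONF
# Because that's what ../apps/CA.sh really looks at
SSLEAY_CONFIG="-config $OPENSSL_CONF"
export SSLEAY_CONFIG

OPENSSL="$(pwd)/../util/opensslwrap.sh"
export OPENSSL

# Print a failure message to stderr and abort the whole test run.
error () {

    echo "TSA test failed!" >&2
    exit 1
}

# Run the freshly built openssl binary through the shared-library wrapper.
# Every step below runs from inside the 'tsa' scratch directory created by
# setup_dir, hence the ../../ prefixes.
run_openssl () {

    ../../util/shlib_wrap.sh ../../apps/openssl "$@"
}

# Create a fresh 'tsa' scratch directory and make it the working directory.
# Both steps are checked: if the cd silently failed, every later relative
# path -- including the final 'rm -rf tsa' in clean_up_dir -- would operate
# on the wrong directory.
setup_dir () {

    rm -rf tsa 2>/dev/null
    mkdir tsa || error
    cd ./tsa || error
}

# Leave the scratch directory and remove it.  The cd is checked so that the
# recursive delete only ever runs from the directory setup_dir started in.
clean_up_dir () {

    cd .. || error
    rm -rf tsa
}

# Generate the self-signed test CA (tsaca.pem / tsacakey.pem).
# TSDNSECT selects the DN section of CAtsa.cnf; it is exported because the
# config file is expected to read it from the environment (confirm against
# CAtsa.cnf).
create_ca () {

    echo "Creating a new CA for the TSA tests..."
    TSDNSECT=ts_ca_dn
    export TSDNSECT
    run_openssl req -new -x509 -nodes \
        -out tsaca.pem -keyout tsacakey.pem || error
}

# Issue an end-entity certificate signed by the test CA.
#   $1 - index used in the tsa_req/tsa_key/tsa_cert file names; exported as
#        INDEX, presumably for CAtsa.cnf (confirm against the config file)
#   $2 - x509v3 extension section of CAtsa.cnf to apply; this decides
#        whether the result is a usable TSA signer certificate or not
create_tsa_cert () {

    INDEX=$1
    export INDEX
    EXT=$2
    TSDNSECT=ts_cert_dn
    export TSDNSECT

    run_openssl req -new \
        -out "tsa_req${INDEX}.pem" -keyout "tsa_key${INDEX}.pem" || error
    echo "Using extension $EXT"
    run_openssl x509 -req \
        -in "tsa_req${INDEX}.pem" -out "tsa_cert${INDEX}.pem" \
        -CA tsaca.pem -CAkey tsacakey.pem -CAcreateserial \
        -extfile "$OPENSSL_CONF" -extensions "$EXT" || error
}

# Dump the time stamp request in $1 as text.  Checked for a zero exit
# status, like print_response.
print_request () {

    run_openssl ts -query -in "$1" -text || error
}

# Request 1: hash of ../testtsa, explicit policy, nonce present, and the
# signer certificate requested in the response (-cert).
create_time_stamp_request1 () {

    run_openssl ts -query -data ../testtsa -policy tsa_policy1 -cert \
        -out req1.tsq || error
}

# Request 2: same data, a different policy, and no nonce.
create_time_stamp_request2 () {

    run_openssl ts -query -data ../testtsa -policy tsa_policy2 -no_nonce \
        -out req2.tsq || error
}

# Request 3: a different file (../CAtsa.cnf), default policy, no nonce.
# Only used as the "wrong request" in a negative verification test.
create_time_stamp_request3 () {

    run_openssl ts -query -data ../CAtsa.cnf -no_nonce -out req3.tsq || error
}

# Dump the time stamp response in $1 as text.
print_response () {

    run_openssl ts -reply -in "$1" -text || error
}

# Answer the request in $1, writing the response to $2, using the TSA
# configuration section $3 of CAtsa.cnf.
create_time_stamp_response () {

    run_openssl ts -reply -section "$3" -queryfile "$1" -out "$2" || error
}

# Round-trip response $2 through its bare token form (-token_out then
# -token_in) and check the rebuilt response is byte-identical to the
# original.  The text dumps that follow are only checked for a zero exit
# status.  $1 is the matching request file.
time_stamp_response_token_test () {

    RESPONSE2=$2.copy.tsr
    TOKEN_DER=$2.token.der
    run_openssl ts -reply -in "$2" -out "$TOKEN_DER" -token_out || error
    run_openssl ts -reply -in "$TOKEN_DER" -token_in -out "$RESPONSE2" || error
    cmp "$RESPONSE2" "$2" || error
    run_openssl ts -reply -in "$2" -text -token_out || error
    run_openssl ts -reply -in "$TOKEN_DER" -token_in -text -token_out || error
    run_openssl ts -reply -queryfile "$1" -text -token_out || error
}

# Verify response $2 twice: once against the original request $1 and once
# against the original data file $3.  The test CA is the only trust anchor;
# the signer certificate is passed as -untrusted, so it is only accepted if
# it chains to tsaca.pem.
verify_time_stamp_response () {

    run_openssl ts -verify -queryfile "$1" -in "$2" -CAfile tsaca.pem \
        -untrusted tsa_cert1.pem || error
    run_openssl ts -verify -data "$3" -in "$2" -CAfile tsaca.pem \
        -untrusted tsa_cert1.pem || error
}

# Same checks as verify_time_stamp_response, but on the bare token
# extracted from response $2 (-token_in).
verify_time_stamp_token () {

    # create the token from the response first
    run_openssl ts -reply -in "$2" -out "$2.token" -token_out || error
    run_openssl ts -verify -queryfile "$1" -in "$2.token" -token_in \
        -CAfile tsaca.pem -untrusted tsa_cert1.pem || error
    run_openssl ts -verify -data "$3" -in "$2.token" -token_in \
        -CAfile tsaca.pem -untrusted tsa_cert1.pem || error
}

# Negative test: verifying response $2 against request $1 must FAIL.
# A zero exit status from 'ts -verify' is the error condition here.
verify_time_stamp_response_fail () {

    if run_openssl ts -verify -queryfile "$1" -in "$2" -CAfile tsaca.pem \
        -untrusted tsa_cert1.pem; then
        # Checks if the verification failed, as it should have.
        error
    fi
    echo Ok
}

# main functions

echo "Setting up TSA test directory..."
setup_dir

echo "Creating CA for TSA tests..."
create_ca

echo "Creating tsa_cert1.pem TSA server cert..."
create_tsa_cert 1 tsa_cert

# NOTE: tsa_cert2.pem is created but, with the invalid-signer tests below
# commented out, no step currently checks that a non-TSA certificate is
# rejected.
echo "Creating tsa_cert2.pem non-TSA server cert..."
create_tsa_cert 2 non_tsa_cert

echo "Creating req1.req time stamp request for file testtsa..."
create_time_stamp_request1

echo "Printing req1.req..."
print_request req1.tsq

echo "Generating valid response for req1.req..."
create_time_stamp_response req1.tsq resp1.tsr tsa_config1

echo "Printing response..."
print_response resp1.tsr

echo "Verifying valid response..."
verify_time_stamp_response req1.tsq resp1.tsr ../testtsa

echo "Verifying valid token..."
verify_time_stamp_token req1.tsq resp1.tsr ../testtsa

# The tests below are commented out, because invalid signer certificates
# can no longer be specified in the config file.

# echo "Generating _invalid_ response for req1.req..."
# create_time_stamp_response req1.tsq resp1_bad.tsr tsa_config2

# echo "Printing response..."
# print_response resp1_bad.tsr

# echo "Verifying invalid response, it should fail..."
# verify_time_stamp_response_fail req1.tsq resp1_bad.tsr

echo "Creating req2.req time stamp request for file testtsa..."
create_time_stamp_request2

echo "Printing req2.req..."
print_request req2.tsq

echo "Generating valid response for req2.req..."
create_time_stamp_response req2.tsq resp2.tsr tsa_config1

echo "Checking '-token_in' and '-token_out' options with '-reply'..."
time_stamp_response_token_test req2.tsq resp2.tsr

echo "Printing response..."
print_response resp2.tsr

echo "Verifying valid response..."
verify_time_stamp_response req2.tsq resp2.tsr ../testtsa

# Cross-checks: a response must only verify against the request it answers.
echo "Verifying response against wrong request, it should fail..."
verify_time_stamp_response_fail req1.tsq resp2.tsr

echo "Verifying response against wrong request, it should fail..."
verify_time_stamp_response_fail req2.tsq resp1.tsr

echo "Creating req3.req time stamp request for file CAtsa.cnf..."
create_time_stamp_request3

echo "Printing req3.req..."
print_request req3.tsq

echo "Verifying response against wrong request, it should fail..."
verify_time_stamp_response_fail req3.tsq resp1.tsr

echo "Cleaning up..."
clean_up_dir

exit 0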