1#!/bin/sh 2# 3# $OpenBSD: appstest.sh,v 1.53 2021/10/25 07:17:14 tb Exp $ 4# 5# Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org> 6# 7# Permission to use, copy, modify, and distribute this software for any 8# purpose with or without fee is hereby granted, provided that the above 9# copyright notice and this permission notice appear in all copies. 10# 11# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19# 20# appstest.sh - test script for openssl command according to man OPENSSL(1) 21# 22# input : none 23# output : all files generated by this script go under $ssldir 24# 25 26function section_message { 27 echo "" 28 echo "#---------#---------#---------#---------#---------#---------#---------#--------" 29 echo "===" 30 echo "=== (Section) $1 `date +'%Y/%m/%d %H:%M:%S'`" 31 echo "===" 32} 33 34function start_message { 35 echo "" 36 echo "[TEST] $1" 37} 38 39function stop_s_server { 40 if [ ! -z "$s_server_pid" ] ; then 41 echo ":-| stop s_server [ $s_server_pid ]" 42 sleep 1 43 kill -TERM $s_server_pid 44 wait $s_server_pid 45 s_server_pid= 46 fi 47} 48 49function stop_gnutls_serv { 50 if [ ! -z "$gnutls_serv_pid" ] ; then 51 echo ":-| stop gnutls-serv [ $gnutls_serv_pid ]" 52 sleep 1 53 kill -TERM $gnutls_serv_pid 54 wait $gnutls_serv_pid 55 gnutls_serv_pid= 56 fi 57} 58 59function check_exit_status { 60 status=$1 61 if [ $status -ne 0 ] ; then 62 stop_s_server 63 echo ":-< error occurs, exit status = [ $status ]" 64 exit $status 65 else 66 echo ":-) success. 
" 67 fi 68} 69 70function usage { 71 echo "usage: appstest.sh [-egiq]" 72} 73 74function test_usage_lists_others { 75 # === COMMAND USAGE === 76 section_message "COMMAND USAGE" 77 78 start_message "output usages of all commands." 79 80 cmds=`$openssl_bin list-standard-commands` 81 $openssl_bin -help 2>> $user1_dir/usages.out 82 for c in $cmds ; do 83 $openssl_bin $c -help 2>> $user1_dir/usages.out 84 done 85 86 start_message "check all list-* commands." 87 88 lists="" 89 lists="$lists list-standard-commands" 90 lists="$lists list-message-digest-commands list-message-digest-algorithms" 91 lists="$lists list-cipher-commands list-cipher-algorithms" 92 lists="$lists list-public-key-algorithms" 93 94 listsfile=$user1_dir/lists.out 95 96 for l in $lists ; do 97 echo "" >> $listsfile 98 echo "$l" >> $listsfile 99 $openssl_bin $l >> $listsfile 100 done 101 102 start_message "check interactive mode" 103 $openssl_bin <<__EOF__ 104help 105quit 106__EOF__ 107 check_exit_status $? 108 109 #---------#---------#---------#---------#---------#---------#--------- 110 111 # --- listing operations --- 112 section_message "listing operations" 113 114 start_message "ciphers" 115 $openssl_bin ciphers -V > $user1_dir/ciphers-V.out 116 check_exit_status $? 117 118 start_message "errstr" 119 $openssl_bin errstr 2606A074 120 check_exit_status $? 121 $openssl_bin errstr -stats 2606A074 > $user1_dir/errstr-stats.out 122 check_exit_status $? 123 124 #---------#---------#---------#---------#---------#---------#--------- 125 126 # --- random number etc. operations --- 127 section_message "random number etc. operations" 128 129 start_message "passwd" 130 131 pass="test-pass-1234" 132 133 echo $pass | $openssl_bin passwd -stdin -1 134 check_exit_status $? 135 136 echo $pass | $openssl_bin passwd -stdin -apr1 137 check_exit_status $? 138 139 echo $pass | $openssl_bin passwd -stdin -crypt 140 check_exit_status $? 141 142 start_message "prime" 143 144 $openssl_bin prime 1 145 check_exit_status $? 
146 147 $openssl_bin prime 2 148 check_exit_status $? 149 150 $openssl_bin prime -bits 64 -checks 3 -generate -hex -safe 5 151 check_exit_status $? 152 153 start_message "rand" 154 155 $openssl_bin rand -base64 100 156 check_exit_status $? 157 158 $openssl_bin rand -hex 100 159 check_exit_status $? 160} 161 162function test_md { 163 # === MESSAGE DIGEST COMMANDS === 164 section_message "MESSAGE DIGEST COMMANDS" 165 166 start_message "dgst - See [MESSAGE DIGEST COMMANDS] section." 167 168 text="1234567890abcdefghijklmnopqrstuvwxyz" 169 dgstdat=$user1_dir/dgst.dat 170 echo $text > $dgstdat 171 hmac_key="test-hmac-key" 172 cmac_key="1234567890abcde1234567890abcde12" 173 dgstkey=$user1_dir/dgstkey.pem 174 dgstpass=test-dgst-pass 175 dgstpub=$user1_dir/dgstpub.pem 176 dgstsig=$user1_dir/dgst.sig 177 178 $openssl_bin genrsa -aes256 -passout pass:$dgstpass -out $dgstkey 179 check_exit_status $? 180 181 $openssl_bin pkey -in $dgstkey -passin pass:$dgstpass -pubout \ 182 -out $dgstpub 183 check_exit_status $? 184 185 digests=`$openssl_bin list-message-digest-commands` 186 187 for d in $digests ; do 188 189 echo -n "$d ... " 190 $openssl_bin dgst -$d -hex -out $dgstdat.$d $dgstdat 191 check_exit_status $? 192 193 echo -n "$d HMAC ... " 194 $openssl_bin dgst -$d -c -hmac $hmac_key -out $dgstdat.$d.hmac \ 195 $dgstdat 196 check_exit_status $? 197 198 echo -n "$d CMAC ... " 199 $openssl_bin dgst -$d -r -mac cmac -macopt cipher:aes-128-cbc \ 200 -macopt hexkey:$cmac_key -out $dgstdat.$d.cmac $dgstdat 201 check_exit_status $? 202 203 echo -n "$d sign ... " 204 $openssl_bin dgst -sign $dgstkey -keyform pem \ 205 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \ 206 -passin pass:$dgstpass -binary -out $dgstsig.$d $dgstdat 207 check_exit_status $? 208 209 echo -n "$d verify ... " 210 $openssl_bin dgst -verify $dgstpub \ 211 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \ 212 -signature $dgstsig.$d $dgstdat 213 check_exit_status $? 214 215 echo -n "$d prverify ... 
" 216 $openssl_bin dgst -prverify $dgstkey -passin pass:$dgstpass \ 217 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \ 218 -signature $dgstsig.$d $dgstdat 219 check_exit_status $? 220 done 221} 222 223function test_encoding_cipher { 224 # === ENCODING AND CIPHER COMMANDS === 225 section_message "ENCODING AND CIPHER COMMANDS" 226 227 start_message "enc - See [ENCODING AND CIPHER COMMANDS] section." 228 229 text="1234567890abcdefghijklmnopqrstuvwxyz" 230 encfile=$user1_dir/encfile.dat 231 echo $text > $encfile 232 pass="test-pass-1234" 233 234 ciphers=`$openssl_bin list-cipher-commands` 235 236 for c in $ciphers ; do 237 echo -n "$c ... encoding ... " 238 $openssl_bin enc -$c -e -base64 -pass pass:$pass \ 239 -in $encfile -out $encfile-$c.enc 240 check_exit_status $? 241 242 echo -n "decoding ... " 243 $openssl_bin enc -$c -d -base64 -pass pass:$pass \ 244 -in $encfile-$c.enc -out $encfile-$c.dec 245 check_exit_status $? 246 247 echo -n "cmp ... " 248 cmp $encfile $encfile-$c.dec 249 check_exit_status $? 250 done 251} 252 253function test_key { 254 # === various KEY operations === 255 section_message "various KEY operations" 256 257 key_pass=test-key-pass 258 259 # DH 260 261 start_message "gendh - Obsoleted by dhparam." 262 gendh2=$key_dir/gendh2.pem 263 $openssl_bin gendh -2 -out $gendh2 > $gendh2.log 2>&1 264 check_exit_status $? 265 266 start_message "dh - Obsoleted by dhparam." 267 $openssl_bin dh -in $gendh2 -check -text -out $gendh2.out 268 check_exit_status $? 269 270 if [ $no_long_tests = 0 ] ; then 271 start_message "dhparam - Superseded by genpkey and pkeyparam." 272 dhparam2=$key_dir/dhparam2.pem 273 $openssl_bin dhparam -2 -out $dhparam2 > $dhparam2.log 2>&1 274 check_exit_status $? 275 $openssl_bin dhparam -in $dhparam2 -check -text \ 276 -out $dhparam2.out 277 check_exit_status $? 278 else 279 start_message "SKIPPING dhparam - Superseded by genpkey and pkeyparam. 
(quick mode)" 280 fi 281 282 # DSA 283 284 start_message "dsaparam - Superseded by genpkey and pkeyparam." 285 dsaparam512=$key_dir/dsaparam512.pem 286 $openssl_bin dsaparam -genkey -out $dsaparam512 512 \ 287 > $dsaparam512.log 2>&1 288 check_exit_status $? 289 290 start_message "dsa" 291 $openssl_bin dsa -in $dsaparam512 -text -modulus -out $dsaparam512.out 292 check_exit_status $? 293 294 start_message "gendsa - Superseded by genpkey and pkey." 295 gendsa_des3=$key_dir/gendsa_des3.pem 296 $openssl_bin gendsa -des3 -out $gendsa_des3 \ 297 -passout pass:$key_pass $dsaparam512 298 check_exit_status $? 299 300 # RSA 301 302 start_message "genrsa - Superseded by genpkey." 303 genrsa_aes256=$key_dir/genrsa_aes256.pem 304 $openssl_bin genrsa -f4 -aes256 -out $genrsa_aes256 \ 305 -passout pass:$key_pass 2048 > $genrsa_aes256.log 2>&1 306 check_exit_status $? 307 308 start_message "rsa" 309 $openssl_bin rsa -in $genrsa_aes256 -passin pass:$key_pass \ 310 -check -text -out $genrsa_aes256.out 311 check_exit_status $? 312 313 start_message "rsautl - Superseded by pkeyutl." 314 rsautldat=$key_dir/rsautl.dat 315 rsautlsig=$key_dir/rsautl.sig 316 echo "abcdefghijklmnopqrstuvwxyz1234567890" > $rsautldat 317 318 $openssl_bin rsautl -sign -in $rsautldat -inkey $genrsa_aes256 \ 319 -passin pass:$key_pass -out $rsautlsig 320 check_exit_status $? 321 322 $openssl_bin rsautl -verify -in $rsautlsig -inkey $genrsa_aes256 \ 323 -passin pass:$key_pass 324 check_exit_status $? 325 326 # EC 327 328 start_message "ecparam -list-curves" 329 $openssl_bin ecparam -list_curves -out $key_dir/ecparam-list_curves.out 330 check_exit_status $? 331 332 # get all EC curves 333 ec_curves=`$openssl_bin ecparam -list_curves | grep ':' | cut -d ':' -f 1` 334 335 start_message "ecparam and ec" 336 337 for curve in $ec_curves ; 338 do 339 ecparam=$key_dir/ecparam_$curve.pem 340 341 echo -n "ec - $curve ... ecparam ... 
" 342 $openssl_bin ecparam -out $ecparam -name $curve -genkey \ 343 -param_enc explicit -conv_form compressed -C 344 check_exit_status $? 345 346 echo -n "ec ... " 347 $openssl_bin ec -in $ecparam -text \ 348 -out $ecparam.out 2> /dev/null 349 check_exit_status $? 350 done 351 352 # PKEY 353 354 start_message "genpkey" 355 356 # DH by GENPKEY 357 358 genpkey_dh_param=$key_dir/genpkey_dh_param.pem 359 $openssl_bin genpkey -genparam -algorithm DH -out $genpkey_dh_param \ 360 -pkeyopt dh_paramgen_prime_len:1024 > $genpkey_dh_param.log 2>&1 361 check_exit_status $? 362 363 genpkey_dh=$key_dir/genpkey_dh.pem 364 $openssl_bin genpkey -paramfile $genpkey_dh_param -out $genpkey_dh 365 check_exit_status $? 366 367 # DSA by GENPKEY 368 369 genpkey_dsa_param=$key_dir/genpkey_dsa_param.pem 370 $openssl_bin genpkey -genparam -algorithm DSA -out $genpkey_dsa_param \ 371 -pkeyopt dsa_paramgen_bits:1024 > $genpkey_dsa_param.log 2>&1 372 check_exit_status $? 373 374 genpkey_dsa=$key_dir/genpkey_dsa.pem 375 $openssl_bin genpkey -paramfile $genpkey_dsa_param -out $genpkey_dsa 376 check_exit_status $? 377 378 # RSA by GENPKEY 379 380 genpkey_rsa=$key_dir/genpkey_rsa.pem 381 $openssl_bin genpkey -algorithm RSA -out $genpkey_rsa \ 382 -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 \ 383 > $genpkey_rsa.log 2>&1 384 check_exit_status $? 385 386 genpkey_rsa_pss=$key_dir/genpkey_rsa_pss.pem 387 $openssl_bin genpkey -algorithm RSA-PSS -out $genpkey_rsa_pss \ 388 -pkeyopt rsa_keygen_bits:2048 \ 389 -pkeyopt rsa_pss_keygen_mgf1_md:sha256 \ 390 -pkeyopt rsa_pss_keygen_md:sha256 \ 391 -pkeyopt rsa_pss_keygen_saltlen:32 \ 392 > $genpkey_rsa_pss.log 2>&1 393 check_exit_status $? 394 395 # EC by GENPKEY 396 397 genpkey_ec_param=$key_dir/genpkey_ec_param.pem 398 $openssl_bin genpkey -genparam -algorithm EC -out $genpkey_ec_param \ 399 -pkeyopt ec_paramgen_curve:secp384r1 400 check_exit_status $? 
401 402 genpkey_ec=$key_dir/genpkey_ec.pem 403 $openssl_bin genpkey -paramfile $genpkey_ec_param -out $genpkey_ec 404 check_exit_status $? 405 406 genpkey_ec_2=$key_dir/genpkey_ec_2.pem 407 $openssl_bin genpkey -paramfile $genpkey_ec_param -out $genpkey_ec_2 408 check_exit_status $? 409 410 start_message "pkeyparam" 411 412 $openssl_bin pkeyparam -in $genpkey_dh_param -text \ 413 -out $genpkey_dh_param.out 414 check_exit_status $? 415 416 $openssl_bin pkeyparam -in $genpkey_dsa_param -text \ 417 -out $genpkey_dsa_param.out 418 check_exit_status $? 419 420 $openssl_bin pkeyparam -in $genpkey_ec_param -text \ 421 -out $genpkey_ec_param.out 422 check_exit_status $? 423 424 start_message "pkey" 425 426 $openssl_bin pkey -in $genpkey_dh -pubout -out $genpkey_dh.pub \ 427 -text_pub 428 check_exit_status $? 429 430 $openssl_bin pkey -in $genpkey_dsa -pubout -out $genpkey_dsa.pub \ 431 -text_pub 432 check_exit_status $? 433 434 $openssl_bin pkey -in $genpkey_rsa -pubout -out $genpkey_rsa.pub \ 435 -text_pub 436 check_exit_status $? 437 438 $openssl_bin pkey -in $genpkey_ec -pubout -out $genpkey_ec.pub \ 439 -text_pub 440 check_exit_status $? 441 442 $openssl_bin pkey -in $genpkey_ec_2 -pubout -out $genpkey_ec_2.pub \ 443 -text_pub 444 check_exit_status $? 445 446 start_message "pkeyutl" 447 448 pkeyutldat=$key_dir/pkeyutl.dat 449 pkeyutlsig=$key_dir/pkeyutl.sig 450 echo "abcdefghijklmnopqrstuvwxyz1234567890" > $pkeyutldat 451 452 $openssl_bin pkeyutl -sign -in $pkeyutldat -inkey $genpkey_rsa \ 453 -out $pkeyutlsig 454 check_exit_status $? 455 456 $openssl_bin pkeyutl -verify -in $pkeyutldat -sigfile $pkeyutlsig \ 457 -inkey $genpkey_rsa 458 check_exit_status $? 459 460 $openssl_bin pkeyutl -verifyrecover -in $pkeyutlsig -inkey $genpkey_rsa 461 check_exit_status $? 462 463 pkeyutlenc=$key_dir/pkeyutl.enc 464 pkeyutldec=$key_dir/pkeyutl.dec 465 466 $openssl_bin pkeyutl -encrypt -in $pkeyutldat \ 467 -pubin -inkey $genpkey_rsa.pub -out $pkeyutlenc 468 check_exit_status $? 
469 470 $openssl_bin pkeyutl -decrypt -in $pkeyutlenc \ 471 -inkey $genpkey_rsa -out $pkeyutldec 472 check_exit_status $? 473 474 diff $pkeyutldat $pkeyutldec 475 check_exit_status $? 476 477 pkeyutl_rsa_oaep_enc=$key_dir/pkeyutl_rsa_oaep.enc 478 pkeyutl_rsa_oaep_dec=$key_dir/pkeyutl_rsa_oaep.dec 479 480 $openssl_bin pkeyutl -encrypt -in $pkeyutldat \ 481 -inkey $genpkey_rsa \ 482 -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \ 483 -pkeyopt rsa_oaep_label:0011223344556677 \ 484 -out $pkeyutl_rsa_oaep_enc 485 check_exit_status $? 486 487 $openssl_bin pkeyutl -decrypt -in $pkeyutl_rsa_oaep_enc \ 488 -inkey $genpkey_rsa \ 489 -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \ 490 -pkeyopt rsa_oaep_label:0011223344556677 \ 491 -out $pkeyutl_rsa_oaep_dec 492 check_exit_status $? 493 494 diff $pkeyutldat $pkeyutl_rsa_oaep_dec 495 check_exit_status $? 496 497 pkeyutlsc1=$key_dir/pkeyutl.sc1 498 pkeyutlsc2=$key_dir/pkeyutl.sc2 499 500 $openssl_bin pkeyutl -derive -inkey $genpkey_ec \ 501 -peerkey $genpkey_ec_2.pub -out $pkeyutlsc1 -hexdump 502 check_exit_status $? 503 504 $openssl_bin pkeyutl -derive -inkey $genpkey_ec_2 \ 505 -peerkey $genpkey_ec.pub -out $pkeyutlsc2 -hexdump 506 check_exit_status $? 507 508 diff $pkeyutlsc1 $pkeyutlsc2 509 check_exit_status $? 
510} 511 512function test_pki { 513 section_message "setup local CA" 514 515 # 516 # prepare test openssl.cnf 517 # 518 519 cat << __EOF__ > $ssldir/openssl.cnf 520oid_section = new_oids 521[ new_oids ] 522tsa_policy1 = 1.2.3.4.1 523tsa_policy2 = 1.2.3.4.5.6 524tsa_policy3 = 1.2.3.4.5.7 525[ ca ] 526default_ca = CA_default 527[ CA_default ] 528dir = ./$ca_dir 529crl_dir = \$dir/crl 530database = \$dir/index.txt 531new_certs_dir = \$dir/newcerts 532serial = \$dir/serial 533crlnumber = \$dir/crlnumber 534default_days = 1 535default_md = default 536policy = policy_match 537[ policy_match ] 538countryName = match 539stateOrProvinceName = match 540organizationName = match 541organizationalUnitName = optional 542commonName = supplied 543emailAddress = optional 544[ req ] 545distinguished_name = req_distinguished_name 546[ req_distinguished_name ] 547countryName = Country Name 548countryName_default = JP 549countryName_min = 2 550countryName_max = 2 551stateOrProvinceName = State or Province Name 552stateOrProvinceName_default = Tokyo 553organizationName = Organization Name 554organizationName_default = TEST_DUMMY_COMPANY 555commonName = Common Name 556[ tsa ] 557default_tsa = tsa_config1 558[ tsa_config1 ] 559dir = ./$tsa_dir 560serial = \$dir/serial 561crypto_device = builtin 562digests = sha1, sha256, sha384, sha512 563default_policy = tsa_policy1 564other_policies = tsa_policy2, tsa_policy3 565[ tsa_ext ] 566keyUsage = critical,nonRepudiation 567extendedKeyUsage = critical,timeStamping 568[ ocsp_ext ] 569basicConstraints = CA:FALSE 570keyUsage = nonRepudiation,digitalSignature,keyEncipherment 571extendedKeyUsage = OCSPSigning 572__EOF__ 573 574 #---------#---------#---------#---------#---------#---------#--------- 575 576 # 577 # setup test CA 578 # 579 580 mkdir -p $ca_dir 581 mkdir -p $tsa_dir 582 mkdir -p $ocsp_dir 583 mkdir -p $server_dir 584 585 mkdir -p $ca_dir/certs 586 mkdir -p $ca_dir/private 587 mkdir -p $ca_dir/crl 588 mkdir -p $ca_dir/newcerts 589 chmod 
700 $ca_dir/private 590 echo "01" > $ca_dir/serial 591 touch $ca_dir/index.txt 592 touch $ca_dir/crlnumber 593 echo "01" > $ca_dir/crlnumber 594 595 # 596 # setup test TSA 597 # 598 mkdir -p $tsa_dir/private 599 chmod 700 $tsa_dir/private 600 echo "01" > $tsa_dir/serial 601 touch $tsa_dir/index.txt 602 603 # 604 # setup test OCSP 605 # 606 mkdir -p $ocsp_dir/private 607 chmod 700 $ocsp_dir/private 608 609 #---------#---------#---------#---------#---------#---------#--------- 610 611 # --- CA initiate (generate CA key and cert) --- 612 613 start_message "req ... generate CA key and self signed cert" 614 615 ca_cert=$ca_dir/ca_cert.pem 616 ca_key=$ca_dir/private/ca_key.pem ca_pass=test-ca-pass 617 618 if [ $mingw = 0 ] ; then 619 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testCA.test-dummy.com/' 620 else 621 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testCA.test-dummy.com\' 622 fi 623 624 $openssl_bin req -new -x509 -batch -newkey rsa:2048 \ 625 -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 \ 626 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \ 627 -config $ssldir/openssl.cnf -verbose \ 628 -subj $subj -days 1 -set_serial 1 -multivalue-rdn \ 629 -keyout $ca_key -passout pass:$ca_pass \ 630 -out $ca_cert -outform pem 631 check_exit_status $? 632 633 #---------#---------#---------#---------#---------#---------#--------- 634 635 # --- TSA initiate (generate TSA key and cert) --- 636 637 start_message "req ... generate TSA key and cert" 638 639 # generate CSR for TSA 640 641 tsa_csr=$tsa_dir/tsa_csr.pem 642 tsa_key=$tsa_dir/private/tsa_key.pem 643 tsa_pass=test-tsa-pass 644 645 if [ $mingw = 0 ] ; then 646 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testTSA.test-dummy.com/' 647 else 648 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testTSA.test-dummy.com\' 649 fi 650 651 $openssl_bin req -new -keyout $tsa_key -out $tsa_csr \ 652 -passout pass:$tsa_pass -subj $subj 653 check_exit_status $? 654 655 start_message "ca ... 
sign by CA with TSA extensions" 656 657 tsa_cert=$tsa_dir/tsa_cert.pem 658 659 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -keyform pem \ 660 -key $ca_pass -config $ssldir/openssl.cnf -create_serial \ 661 -policy policy_match -days 1 -md sha256 -extensions tsa_ext \ 662 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 \ 663 -multivalue-rdn -preserveDN -noemailDN \ 664 -in $tsa_csr -outdir $tsa_dir -out $tsa_cert -verbose -notext \ 665 > $tsa_cert.log 2>&1 666 check_exit_status $? 667 668 #---------#---------#---------#---------#---------#---------#--------- 669 670 # --- OCSP initiate (generate OCSP key and cert) --- 671 672 start_message "req ... generate OCSP key and cert" 673 674 # generate CSR for OCSP 675 676 ocsp_csr=$ocsp_dir/ocsp_csr.pem 677 ocsp_key=$ocsp_dir/private/ocsp_key.pem 678 679 if [ $mingw = 0 ] ; then 680 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testOCSP.test-dummy.com/' 681 else 682 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testOCSP.test-dummy.com\' 683 fi 684 685 $openssl_bin req -new -keyout $ocsp_key -nodes -out $ocsp_csr \ 686 -subj $subj 687 check_exit_status $? 688 689 start_message "ca ... sign by CA with OCSP extensions" 690 691 ocsp_cert=$ocsp_dir/ocsp_cert.pem 692 693 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -keyform pem \ 694 -key $ca_pass -out $ocsp_cert -extensions ocsp_ext \ 695 -startdate `date -u '+%y%m%d%H%M%SZ'` -enddate 491223235959Z \ 696 -subj $subj -infiles $ocsp_csr > $ocsp_cert.log 2>&1 697 check_exit_status $? 
698 699 #---------#---------#---------#---------#---------#---------#--------- 700 701 # --- server-admin operations (generate server key and csr) --- 702 section_message "server-admin operations (generate server key and csr)" 703 704 # RSA certificate 705 706 sv_rsa_key=$server_dir/sv_rsa_key.pem 707 sv_rsa_csr=$server_dir/sv_rsa_csr.pem 708 sv_rsa_pass=test-server-pass 709 710 if [ $mingw = 0 ] ; then 711 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=localhost.test-dummy.com/' 712 else 713 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=localhost.test-dummy.com\' 714 fi 715 716 start_message "genrsa ... generate server key#1" 717 718 $openssl_bin genrsa -aes256 -passout pass:$sv_rsa_pass -out $sv_rsa_key 719 check_exit_status $? 720 721 $openssl_bin rsa -in $sv_rsa_key -passin pass:$sv_rsa_pass \ 722 -out $sv_rsa_key.nopass 723 check_exit_status $? 724 725 start_message "req ... generate server csr#1" 726 727 $openssl_bin req -new -subj $subj -sha256 \ 728 -key $sv_rsa_key -keyform pem -passin pass:$sv_rsa_pass \ 729 -addext 'subjectAltName = DNS:localhost.test-dummy.com' \ 730 -out $sv_rsa_csr -outform pem 731 check_exit_status $? 732 733 start_message "req ... verify server csr#1" 734 735 $openssl_bin req -verify -in $sv_rsa_csr -inform pem \ 736 -newhdr -noout -pubkey -subject -modulus -text \ 737 -nameopt multiline -reqopt compatible \ 738 -out $sv_rsa_csr.verify.out 739 check_exit_status $? 740 741 start_message "req ... generate server csr#2 (interactive mode)" 742 743 # RSA certificate (for revoke test) 744 745 revoke_key=$server_dir/revoke_key.pem 746 revoke_csr=$server_dir/revoke_csr.pem 747 revoke_pass=test-revoke-pass 748 749 $openssl_bin req -new -keyout $revoke_key -out $revoke_csr \ 750 -passout pass:$revoke_pass <<__EOF__ 751JP 752Tokyo 753TEST_DUMMY_COMPANY 754revoke.test-dummy.com 755__EOF__ 756 check_exit_status $? 
757 758 # ECDSA certificate 759 760 sv_ecdsa_key=$server_dir/sv_ecdsa_key.pem 761 sv_ecdsa_csr=$server_dir/sv_ecdsa_csr.pem 762 sv_ecdsa_pass=test-ecdsa-pass 763 764 if [ $mingw = 0 ] ; then 765 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=ecdsa.test-dummy.com/' 766 else 767 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=ecdsa.test-dummy.com\' 768 fi 769 770 start_message "ecparam ... generate server key#3" 771 772 $openssl_bin ecparam -name prime256v1 -genkey -out $sv_ecdsa_key 773 check_exit_status $? 774 775 start_message "req ... generate server csr#3" 776 777 $openssl_bin req -new -subj $subj -sha256 \ 778 -key $sv_ecdsa_key -keyform pem -passin pass:$sv_ecdsa_pass \ 779 -addext 'subjectAltName = DNS:ecdsa.test-dummy.com' \ 780 -out $sv_ecdsa_csr -outform pem 781 check_exit_status $? 782 783 start_message "req ... verify server csr#3" 784 785 $openssl_bin req -verify -in $sv_ecdsa_csr -inform pem \ 786 -newhdr -noout -pubkey -subject -modulus -text \ 787 -nameopt multiline -reqopt compatible \ 788 -out $sv_ecdsa_csr.verify.out 789 check_exit_status $? 790 791 # GOST certificate 792 793 sv_gost_key=$server_dir/sv_gost_key.pem 794 sv_gost_csr=$server_dir/sv_gost_csr.pem 795 sv_gost_pass=test-gost-pass 796 797 if [ $mingw = 0 ] ; then 798 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=gost.test-dummy.com/' 799 else 800 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=gost.test-dummy.com\' 801 fi 802 803 start_message "genpkey ... generate server key#4" 804 805 $openssl_bin genpkey -algorithm GOST2001 -pkeyopt paramset:A \ 806 -pkeyopt dgst:streebog512 -out $sv_gost_key 807 check_exit_status $? 808 809 start_message "req ... generate server csr#4" 810 811 $openssl_bin req -new -subj $subj -streebog512 \ 812 -key $sv_gost_key -keyform pem -passin pass:$sv_gost_pass \ 813 -addext 'subjectAltName = DNS:gost.test-dummy.com' \ 814 -out $sv_gost_csr -outform pem 815 check_exit_status $? 816 817 start_message "req ... 
verify server csr#4" 818 819 $openssl_bin req -verify -in $sv_gost_csr -inform pem \ 820 -newhdr -noout -pubkey -subject -modulus -text \ 821 -nameopt multiline -reqopt compatible \ 822 -out $sv_gost_csr.verify.out 823 check_exit_status $? 824 825 #---------#---------#---------#---------#---------#---------#--------- 826 827 # --- CA operations (issue cert for server) --- 828 section_message "CA operations (issue cert for server)" 829 830 start_message "ca ... issue cert for server csr#1" 831 832 sv_rsa_cert=$server_dir/sv_rsa_cert.pem 833 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 834 -in $sv_rsa_csr -out $sv_rsa_cert > $sv_rsa_cert.log 2>&1 835 check_exit_status $? 836 837 start_message "x509 ... issue cert for server csr#2" 838 839 revoke_cert=$server_dir/revoke_cert.pem 840 $openssl_bin x509 -req -in $revoke_csr -CA $ca_cert -CAform pem \ 841 -CAkey $ca_key -CAkeyform pem \ 842 -CAserial $ca_dir/serial -set_serial 10 \ 843 -passin pass:$ca_pass -CAcreateserial -out $revoke_cert \ 844 > $revoke_cert.log 2>&1 845 check_exit_status $? 846 847 start_message "ca ... issue cert for server csr#3" 848 849 sv_ecdsa_cert=$server_dir/sv_ecdsa_cert.pem 850 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 851 -in $sv_ecdsa_csr -out $sv_ecdsa_cert > $sv_ecdsa_cert.log 2>&1 852 check_exit_status $? 853 854 start_message "ca ... issue cert for server csr#4" 855 856 sv_gost_cert=$server_dir/sv_gost_cert.pem 857 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 858 -in $sv_gost_csr -out $sv_gost_cert > $sv_gost_cert.log 2>&1 859 check_exit_status $? 860 861 #---------#---------#---------#---------#---------#---------#--------- 862 863 # --- CA operations (revoke cert and generate crl) --- 864 section_message "CA operations (revoke cert and generate crl)" 865 866 start_message "ca ... 
revoke server cert#2" 867 crl_file=$ca_dir/crl.pem 868 $openssl_bin ca -gencrl -out $crl_file -revoke $revoke_cert \ 869 -config $ssldir/openssl.cnf -name CA_default \ 870 -crldays 30 -crlhours 12 -crlsec 30 -updatedb \ 871 -crl_reason unspecified -crl_hold 1.2.840.10040.2.2 \ 872 -crl_compromise `date -u '+%Y%m%d%H%M%SZ'` \ 873 -crl_CA_compromise `date -u '+%Y%m%d%H%M%SZ'` \ 874 -keyfile $ca_key -passin pass:$ca_pass -cert $ca_cert \ 875 > $crl_file.log 2>&1 876 check_exit_status $? 877 878 start_message "ca ... show certificate status by serial number" 879 $openssl_bin ca -config $ssldir/openssl.cnf -status 1 880 881 start_message "crl ... CA generates CRL" 882 $openssl_bin crl -in $crl_file -fingerprint >> $crl_file.log 2>&1 883 check_exit_status $? 884 885 crl_p7=$ca_dir/crl.p7 886 start_message "crl2pkcs7 ... convert CRL to pkcs7" 887 $openssl_bin crl2pkcs7 -in $crl_file -certfile $ca_cert -out $crl_p7 888 check_exit_status $? 889 890 #---------#---------#---------#---------#---------#---------#--------- 891 892 # --- server-admin operations (check csr, verify cert, certhash) --- 893 section_message "server-admin operations (check csr, verify cert, certhash)" 894 895 start_message "asn1parse ... parse server csr#1" 896 $openssl_bin asn1parse -in $sv_rsa_csr -i -dlimit 100 -length 1000 \ 897 -strparse 01 > $sv_rsa_csr.asn1parse.out 898 check_exit_status $? 899 900 start_message "verify ... server cert#1" 901 $openssl_bin verify -verbose -CAfile $ca_cert -CRLfile $crl_file \ 902 -crl_check -issuer_checks -purpose sslserver $sv_rsa_cert 903 check_exit_status $? 904 905 start_message "x509 ... 
get detail info about server cert#1" 906 $openssl_bin x509 -in $sv_rsa_cert -text -C -dates -startdate -enddate \ 907 -fingerprint -issuer -issuer_hash -issuer_hash_old \ 908 -subject -hash -subject_hash -subject_hash_old -ocsp_uri \ 909 -ocspid -modulus -pubkey -serial -email -noout -trustout \ 910 -alias -clrtrust -clrreject -next_serial -checkend 3600 \ 911 -nameopt multiline -certopt compatible > $sv_rsa_cert.x509.out 912 check_exit_status $? 913 914 if [ $mingw = 0 ] ; then 915 start_message "certhash" 916 $openssl_bin certhash -v $server_dir \ 917 > $server_dir/certhash.log 2>&1 918 check_exit_status $? 919 fi 920 921 # self signed 922 start_message "x509 ... generate self signed server cert" 923 server_self_cert=$server_dir/server_self_cert.pem 924 $openssl_bin x509 -in $sv_rsa_cert -signkey $sv_rsa_key -keyform pem \ 925 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \ 926 -passin pass:$sv_rsa_pass -out $server_self_cert -days 1 927 check_exit_status $? 928 929 #---------#---------#---------#---------#---------#---------#--------- 930 931 # --- Netscape SPKAC operations --- 932 section_message "Netscape SPKAC operations" 933 934 # server-admin generates SPKAC 935 936 start_message "spkac" 937 spkacfile=$server_dir/spkac.file 938 939 $openssl_bin spkac -key $genpkey_rsa -challenge hello -out $spkacfile 940 check_exit_status $? 941 942 $openssl_bin spkac -in $spkacfile -verify -out $spkacfile.out 943 check_exit_status $? 944 945 spkacreq=$server_dir/spkac.req 946 cat << __EOF__ > $spkacreq 947countryName = JP 948stateOrProvinceName = Tokyo 949organizationName = TEST_DUMMY_COMPANY 950commonName = spkac.test-dummy.com 951__EOF__ 952 cat $spkacfile >> $spkacreq 953 954 # CA signs SPKAC 955 start_message "ca ... CA signs SPKAC csr" 956 spkaccert=$server_dir/spkac.cert 957 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 958 -spkac $spkacreq -out $spkaccert > $spkaccert.log 2>&1 959 check_exit_status $? 960 961 start_message "x509 ... 
convert DER format SPKAC cert to PEM" 962 spkacpem=$server_dir/spkac.pem 963 $openssl_bin x509 -in $spkaccert -inform DER -out $spkacpem -outform PEM 964 check_exit_status $? 965 966 # server-admin cert verify 967 968 start_message "nseq" 969 $openssl_bin nseq -in $spkacpem -toseq -out $spkacpem.nseq 970 check_exit_status $? 971 972 #---------#---------#---------#---------#---------#---------#--------- 973 974 # --- user1 operations (generate user1 key and csr) --- 975 section_message "user1 operations (generate user1 key and csr)" 976 977 # trust 978 start_message "x509 ... trust testCA cert" 979 user1_trust=$user1_dir/user1_trust_ca.pem 980 $openssl_bin x509 -in $ca_cert -addtrust clientAuth \ 981 -setalias "trusted testCA" -purpose -out $user1_trust \ 982 > $user1_trust.log 2>&1 983 check_exit_status $? 984 985 start_message "req ... generate private key and csr for user1" 986 987 cl_rsa_key=$user1_dir/cl_rsa_key.pem 988 cl_rsa_csr=$user1_dir/cl_rsa_csr.pem 989 cl_rsa_pass=test-user1-pass 990 991 if [ $mingw = 0 ] ; then 992 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user1.test-dummy.com/' 993 else 994 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user1.test-dummy.com\' 995 fi 996 997 $openssl_bin req -new -keyout $cl_rsa_key -out $cl_rsa_csr \ 998 -passout pass:$cl_rsa_pass -subj $subj > $cl_rsa_csr.log 2>&1 999 check_exit_status $? 1000 1001 start_message "req ... generate private key and csr for user2" 1002 1003 cl_ecdsa_key=$user1_dir/cl_ecdsa_key.pem 1004 cl_ecdsa_csr=$user1_dir/cl_ecdsa_csr.pem 1005 cl_ecdsa_pass=test-user1-pass 1006 1007 if [ $mingw = 0 ] ; then 1008 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user2.test-dummy.com/' 1009 else 1010 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user2.test-dummy.com\' 1011 fi 1012 1013 $openssl_bin ecparam -name prime256v1 -genkey -out $cl_ecdsa_key 1014 check_exit_status $? 
1015 1016 $openssl_bin req -new -subj $subj -sha256 \ 1017 -key $cl_ecdsa_key -keyform pem -passin pass:$cl_ecdsa_pass \ 1018 -out $cl_ecdsa_csr -outform pem 1019 check_exit_status $? 1020 1021 start_message "req ... generate private key and csr for user3" 1022 1023 cl_gost_key=$user1_dir/cl_gost_key.pem 1024 cl_gost_csr=$user1_dir/cl_gost_csr.pem 1025 cl_gost_pass=test-user1-pass 1026 1027 if [ $mingw = 0 ] ; then 1028 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user3.test-dummy.com/' 1029 else 1030 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user3.test-dummy.com\' 1031 fi 1032 1033 $openssl_bin genpkey -algorithm GOST2001 -pkeyopt paramset:A \ 1034 -pkeyopt dgst:streebog512 -out $cl_gost_key 1035 check_exit_status $? 1036 1037 $openssl_bin req -new -subj $subj -streebog512 \ 1038 -key $cl_gost_key -keyform pem -passin pass:$cl_gost_pass \ 1039 -out $cl_gost_csr -outform pem 1040 check_exit_status $? 1041 1042 #---------#---------#---------#---------#---------#---------#--------- 1043 1044 # --- CA operations (issue cert for user1) --- 1045 section_message "CA operations (issue cert for user1)" 1046 1047 start_message "ca ... issue cert for user1" 1048 1049 cl_rsa_cert=$user1_dir/cl_rsa_cert.pem 1050 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 1051 -in $cl_rsa_csr -out $cl_rsa_cert > $cl_rsa_cert.log 2>&1 1052 check_exit_status $? 1053 1054 start_message "ca ... issue cert for user2" 1055 1056 cl_ecdsa_cert=$user1_dir/cl_ecdsa_cert.pem 1057 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 1058 -in $cl_ecdsa_csr -out $cl_ecdsa_cert > $cl_ecdsa_cert.log 2>&1 1059 check_exit_status $? 1060 1061 start_message "ca ... issue cert for user3" 1062 1063 cl_gost_cert=$user1_dir/cl_gost_cert.pem 1064 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 1065 -in $cl_gost_csr -out $cl_gost_cert > $cl_gost_cert.log 2>&1 1066 check_exit_status $? 
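}

#
# test_tsa - exercise "openssl ts": build a time stamp query, print it,
# create a signed reply and verify that reply against the query.
#
# Reads $openssl_bin, $user1_dir, $ssldir, $ca_cert, $tsa_key, $tsa_pass and
# $tsa_cert; the TSA key and certificate are created outside this function.
# Every step is checked with check_exit_status, which exits the script on
# the first non-zero status.
#
function test_tsa {
	# --- TSA operations ---
	section_message "TSA operations"

	tsa_dat=$user1_dir/tsa.dat
	cat << __EOF__ > $tsa_dat
Hello Bob,
Sincerely yours
Alice
__EOF__

	# Query
	start_message "ts ... create time stamp request"

	tsa_tsq=$user1_dir/tsa.tsq

	# -no_nonce leaves the nonce out of the request, so the reply is not
	# bound to this particular query by a nonce.
	$openssl_bin ts -query -sha1 -data $tsa_dat -no_nonce -out $tsa_tsq
	check_exit_status $?

	start_message "ts ... print time stamp request"

	$openssl_bin ts -query -in $tsa_tsq -text -out $tsa_tsq.log
	check_exit_status $?

	# Reply
	start_message "ts ... create time stamp response for a request"

	tsa_tsr=$user1_dir/tsa.tsr

	# The key passphrase travels as a pass: argument and is therefore
	# visible in the process list; the keys here are test fixtures.
	$openssl_bin ts -reply -queryfile $tsa_tsq -inkey $tsa_key \
	    -passin pass:$tsa_pass -signer $tsa_cert -chain $ca_cert \
	    -config $ssldir/openssl.cnf -section tsa_config1 -cert \
	    -policy 1.3.6.1.4.1.4146.2.3 -out $tsa_tsr
	check_exit_status $?

	# Verify
	start_message "ts ... verify time stamp response"

	$openssl_bin ts -verify -queryfile $tsa_tsq -in $tsa_tsr \
	    -CAfile $ca_cert -untrusted $tsa_cert
	check_exit_status $?
}

#
# test_cms - exercise "openssl cms": sign, encrypt, decrypt, verify, the
# data/digest/EncryptedData container types, signed receipts and
# password-based (pwri) encryption.
#
# Uses the ECDSA client/server pair when $ecdsa_tests is 1, otherwise the
# RSA pair.  Round trips are compared against their input with diff.
#
function test_cms {
	# --- CMS operations ---
	section_message "CMS operations"

	# cl_key and sv_key deliberately hold "file -passin pass:..." as one
	# string in the RSA case; they are expanded unquoted below so that the
	# shell splits them into separate arguments.  The same applies to
	# sign_keyopt and enc_keyopt, which vanish when empty.
	if [ $ecdsa_tests = 1 ] ; then
		echo "Using ECDSA certificate"
		type=ecdsa
		cl_cert=$cl_ecdsa_cert
		cl_key=$cl_ecdsa_key
		sv_cert=$sv_ecdsa_cert
		sv_key=$sv_ecdsa_key
		sign_keyopt=
		enc_keyopt=
	else
		echo "Using RSA certificate"
		type=rsa
		cl_cert=$cl_rsa_cert
		cl_key="$cl_rsa_key -passin pass:$cl_rsa_pass"
		sv_cert=$sv_rsa_cert
		sv_key="$sv_rsa_key -passin pass:$sv_rsa_pass"
		sign_keyopt="-keyopt rsa_padding_mode:pss"
		enc_keyopt="-keyopt rsa_padding_mode:oaep"
	fi

	cms_txt=$user1_dir/cms_$type.txt
	cms_sig=$user1_dir/cms_$type.sig
	cms_enc=$user1_dir/cms_$type.enc
	cms_dec=$user1_dir/cms_$type.dec
	cms_sgr=$user1_dir/cms_$type.sgr
	cms_ver=$user1_dir/cms_$type.ver
	cms_out=$user1_dir/cms_$type.out
	cms_dct=$user1_dir/cms_$type.dct
	cms_dot=$user1_dir/cms_$type.dot
	cms_dgc=$user1_dir/cms_$type.dgc
	cms_dgv=$user1_dir/cms_$type.dgv
	cms_ede=$user1_dir/cms_$type.ede
	cms_edd=$user1_dir/cms_$type.edd
	cms_srp=$user1_dir/cms_$type.srp
	cms_pwe=$user1_dir/cms_$type.pwe
	cms_pwd=$user1_dir/cms_$type.pwd

	cat << __EOF__ > $cms_txt
Hello Bob,
Sincerely yours
Alice
__EOF__

	# sign
	start_message "cms ... sign to message"

	$openssl_bin cms -sign -in $cms_txt -text \
	    -out $cms_sig -outform smime \
	    -signer $cl_cert -inkey $cl_key $sign_keyopt \
	    -keyform pem -md sha256 \
	    -from user1@test-dummy.com -to server@test-dummy.com \
	    -subject "test openssl cms" \
	    -receipt_request_from server@test-dummy.com \
	    -receipt_request_to user1@test-dummy.com
	check_exit_status $?

	# encrypt
	start_message "cms ... encrypt message"

	$openssl_bin cms -encrypt -aes256 -binary -in $cms_sig -inform smime \
	    -recip $sv_cert $enc_keyopt -out $cms_enc
	check_exit_status $?

	# decrypt
	start_message "cms ... decrypt message"

	$openssl_bin cms -decrypt -in $cms_enc -out $cms_dec \
	    -recip $sv_cert -inkey $sv_key
	check_exit_status $?

	# verify
	start_message "cms ... verify message"

	$openssl_bin cms -verify -in $cms_dec \
	    -CAfile $ca_cert -certfile $cl_cert -nointern \
	    -check_ss_sig -issuer_checks -policy_check -x509_strict \
	    -signer $cms_sgr -text -out $cms_ver -receipt_request_print \
	    > $cms_ver.log 2>&1
	check_exit_status $?

	# the verified plaintext must equal what was signed
	diff -b $cms_ver $cms_txt
	check_exit_status $?

	# cmsout
	start_message "cms ... cmsout"

	$openssl_bin cms -cmsout -in $cms_enc -print -out $cms_out
	check_exit_status $?

	# data_create
	start_message "cms ... data_create"

	$openssl_bin cms -data_create -in $cms_enc -out $cms_dct
	check_exit_status $?

	# data_out
	start_message "cms ... data_out"

	$openssl_bin cms -data_out -in $cms_dct -out $cms_dot
	check_exit_status $?

	# digest_create
	start_message "cms ... digest_create"

	$openssl_bin cms -digest_create -in $cms_txt -md sha256 -out $cms_dgc
	check_exit_status $?

	# digest_verify
	start_message "cms ... digest_verify"

	$openssl_bin cms -digest_verify -in $cms_dgc -md sha256 -out $cms_dgv
	check_exit_status $?

	diff -b $cms_dgv $cms_txt
	check_exit_status $?

	# compress

	# uncompress

	# EncryptedData_encrypt
	start_message "cms ... EncryptedData_encrypt"

	# The symmetric key is a fixed test vector given on the command line.
	$openssl_bin cms -EncryptedData_encrypt -in $cms_sig -out $cms_ede \
	    -aes128 -secretkey 00112233445566778899aabbccddeeff
	check_exit_status $?

	# EncryptedData_decrypt
	start_message "cms ... EncryptedData_decrypt"

	$openssl_bin cms -EncryptedData_decrypt -in $cms_ede -out $cms_edd \
	    -aes128 -secretkey 00112233445566778899aabbccddeeff
	check_exit_status $?

	diff -b $cms_edd $cms_sig
	check_exit_status $?

	# sign_receipt
	start_message "cms ... sign to receipt"

	$openssl_bin cms -sign_receipt -in $cms_sig -out $cms_srp \
	    -signer $sv_cert -inkey $sv_key -md sha256
	check_exit_status $?

	# verify_receipt
	start_message "cms ... verify receipt"

	$openssl_bin cms -verify_receipt $cms_srp -rctform smime -in $cms_sig \
	    -CAfile $ca_cert -certfile $sv_cert
	check_exit_status $?

	# encrypt with pwri
	start_message "cms ... encrypt with pwri"

	$openssl_bin cms -encrypt -camellia256 -in $cms_txt -out $cms_pwe \
	    -pwri_password abcdefg
	check_exit_status $?

	# decrypt with pwri
	start_message "cms ... decrypt with pwri"

	$openssl_bin cms -decrypt -camellia256 -in $cms_pwe -out $cms_pwd \
	    -pwri_password abcdefg
	check_exit_status $?

	diff -b $cms_pwd $cms_txt
	check_exit_status $?
}

#
# test_smime - exercise "openssl smime" with the RSA client/server pair:
# encrypt, sign the encrypted message, extract the PKCS#7 structure,
# verify the signature, decrypt and compare with the original text.
#
function test_smime {
	# --- S/MIME operations ---
	section_message "S/MIME operations"

	# cl_key and sv_key carry the -passin option inside the value and are
	# expanded unquoted on purpose (see the -inkey arguments below).
	cl_cert=$cl_rsa_cert
	cl_key="$cl_rsa_key -passin pass:$cl_rsa_pass"
	sv_cert=$sv_rsa_cert
	sv_key="$sv_rsa_key -passin pass:$sv_rsa_pass"

	smime_txt=$user1_dir/smime.txt
	smime_enc=$user1_dir/smime.enc
	smime_sig=$user1_dir/smime.sig
	smime_p7o=$user1_dir/smime.p7o
	smime_sgr=$user1_dir/smime.sgr
	smime_ver=$user1_dir/smime.ver
	smime_dec=$user1_dir/smime.dec

	cat << __EOF__ > $smime_txt
Hello Bob,
Sincerely yours
Alice
__EOF__

	# encrypt
	start_message "smime ... encrypt message"

	$openssl_bin smime -encrypt -aes256 -binary -in $smime_txt \
	    -out $smime_enc $sv_cert
	check_exit_status $?

	# sign
	start_message "smime ... sign to message"

	$openssl_bin smime -sign -in $smime_enc -text -inform smime \
	    -out $smime_sig -outform smime \
	    -signer $cl_cert -inkey $cl_key -keyform pem -md sha256 \
	    -from user1@test-dummy.com -to server@test-dummy.com \
	    -subject "test openssl smime"
	check_exit_status $?

	# pk7out
	start_message "smime ... pk7out from message"

	$openssl_bin smime -pk7out -in $smime_sig -out $smime_p7o
	check_exit_status $?

	# verify
	start_message "smime ... verify message"

	$openssl_bin smime -verify -in $smime_sig \
	    -CAfile $ca_cert -certfile $cl_cert -nointern \
	    -check_ss_sig -issuer_checks -policy_check -x509_strict \
	    -signer $smime_sgr -text -out $smime_ver
	check_exit_status $?

	# decrypt
	start_message "smime ... decrypt message"

	$openssl_bin smime -decrypt -in $smime_ver -out $smime_dec \
	    -recip $sv_cert -inkey $sv_key
	check_exit_status $?

	diff $smime_dec $smime_txt
	check_exit_status $?
}

#
# test_ocsp - exercise "openssl ocsp": build a signed request, answer it
# from the CA index file, then run a one-shot responder on localhost and
# query it over HTTP.
#
function test_ocsp {
	# --- OCSP operations ---
	section_message "OCSP operations"

	# get key without pass
	# The passphrase-free copy of the client key is written under
	# $user1_dir and is used as -signkey for the request below.
	cl_rsa_key_nopass=$user1_dir/cl_rsa_key_nopass.pem
	$openssl_bin pkey -in $cl_rsa_key -passin pass:$cl_rsa_pass \
	    -out $cl_rsa_key_nopass
	check_exit_status $?

	# request
	start_message "ocsp ... create OCSP request"

	ocsp_req=$user1_dir/ocsp_req.der
	$openssl_bin ocsp -issuer $ca_cert -cert $sv_rsa_cert \
	    -cert $revoke_cert -serial 1 -nonce -no_certs -CAfile $ca_cert \
	    -signer $cl_rsa_cert -signkey $cl_rsa_key_nopass \
	    -sign_other $cl_rsa_cert -sha256 \
	    -reqout $ocsp_req -req_text -out $ocsp_req.out
	check_exit_status $?

	# response
	start_message "ocsp ... create OCPS response for a request"

	ocsp_res=$user1_dir/ocsp_res.der
	$openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert \
	    -CAfile $ca_cert -rsigner $ocsp_cert -rkey $ocsp_key \
	    -reqin $ocsp_req -rother $ocsp_cert -resp_no_certs -noverify \
	    -nmin 60 -validity_period 300 -status_age 300 \
	    -respout $ocsp_res -resp_text -out $ocsp_res.out
	check_exit_status $?

	# ocsp server
	start_message "ocsp ... start OCSP server in background"

	ocsp_port=8888

	ocsp_svr_log=$user1_dir/ocsp_svr.log
	# -nrequest 1 lets the responder exit after one request; nothing in
	# this function stops it otherwise.
	$openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert \
	    -CAfile $ca_cert -rsigner $ocsp_cert -rkey $ocsp_key \
	    -host localhost -port $ocsp_port -path / -ndays 1 -nrequest 1 \
	    -resp_key_id -text -out $ocsp_svr_log &
	# $? after "&" only says the job was launched; a responder that
	# fails to start is noticed by the query below, not here.
	check_exit_status $?
	ocsp_svr_pid=$!
	echo "ocsp server pid = [ $ocsp_svr_pid ]"
	sleep 1

	# send query to ocsp server
	start_message "ocsp ... send OCSP request to server"

	ocsp_qry=$user1_dir/ocsp_qry.der
	$openssl_bin ocsp -issuer $ca_cert -cert $sv_rsa_cert \
	    -cert $revoke_cert -CAfile $ca_cert -no_nonce \
	    -url http://localhost:$ocsp_port -timeout 10 -text \
	    -header Host localhost \
	    -respout $ocsp_qry -out $ocsp_qry.out
	check_exit_status $?

	# verify response from server
	start_message "ocsp ... verify OCSP response from server"

	# NOTE(review): every verification step is switched off here
	# (-no_signature_verify, -no_cert_verify, -no_chain, -no_cert_checks,
	# -ignore_err, ...), so a zero status shows that the options are
	# accepted and the response is readable, presumably as option
	# coverage; it does not show that the response is authentic.
	$openssl_bin ocsp -respin $ocsp_qry -CAfile $ca_cert \
	    -ignore_err -no_signature_verify -no_cert_verify -no_chain \
	    -no_cert_checks -no_explicit -trust_other -no_intern \
	    -verify_other $ocsp_cert -VAfile $ocsp_cert
	check_exit_status $?
}

#
# test_pkcs - exercise the pkcs7, pkcs8 and pkcs12 subcommands on the CRL
# bundle, the RSA client key and the RSA server certificate.
#
function test_pkcs {
	# --- PKCS operations ---
	section_message "PKCS operations"

	pkcs_pass=test-pkcs-pass

	start_message "pkcs7 ... output certs in crl(pkcs7)"
	$openssl_bin pkcs7 -in $crl_p7 -print_certs -text -out $crl_p7.out
	check_exit_status $?

	# The older PBE and cipher options used below (pbeWithSHA1AndDES-CBC,
	# des3, -LMK) are presumably there to cover the option parser.
	start_message "pkcs8 ... convert key to pkcs8"
	$openssl_bin pkcs8 -in $cl_rsa_key -topk8 -out $cl_rsa_key.p8 \
	    -passin pass:$cl_rsa_pass -passout pass:$cl_rsa_pass \
	    -v1 pbeWithSHA1AndDES-CBC -v2 des3
	check_exit_status $?

	start_message "pkcs8 ... convert pkcs8 to key in DER format"
	$openssl_bin pkcs8 -in $cl_rsa_key.p8 -passin pass:$cl_rsa_pass \
	    -outform DER -out $cl_rsa_key.p8.der
	check_exit_status $?

	start_message "pkcs12 ... create"
	$openssl_bin pkcs12 -export -in $sv_rsa_cert -inkey $sv_rsa_key \
	    -passin pass:$sv_rsa_pass -certfile $ca_cert -CAfile $ca_cert \
	    -caname "caname_server_p12" \
	    -certpbe AES-256-CBC -keypbe AES-256-CBC -chain \
	    -name "name_server_p12" -des3 -maciter -macalg sha256 \
	    -CSP "csp_server_p12" -LMK -keyex \
	    -passout pass:$pkcs_pass -out $sv_rsa_cert.p12
	check_exit_status $?

	start_message "pkcs12 ... verify"
	$openssl_bin pkcs12 -in $sv_rsa_cert.p12 -passin pass:$pkcs_pass -info \
	    -noout > $sv_rsa_cert.p12.log 2>&1
	check_exit_status $?

	# -nodes writes the private key unencrypted and -nomacver skips the
	# MAC check; the output stays inside the test directory.
	start_message "pkcs12 ... private key to PEM without encryption"
	$openssl_bin pkcs12 -in $sv_rsa_cert.p12 -password pass:$pkcs_pass \
	    -nocerts -nomacver -nodes -out $sv_rsa_cert.p12.pem
	check_exit_status $?
}

#
# test_sc_by_protocol_version - connect s_client to the running test
# server with one protocol version and inspect the handshake dump.
#
#   $1  sc   server/client id pair, used in output file names
#   $2  ver  protocol option without the dash (tls1, tls1_2, tls1_3, ...)
#   $3  msg  grep pattern for the expected "Protocol" line
#   $4  cid  client id; "1" is the other openssl binary
#
# Returns without testing when GOST tests are on and either ver is tls1_3
# or sc is not 00.
#
function test_sc_by_protocol_version {
	sc=$1
	ver=$2
	msg=$3
	cid=$4

	if [ $gost_tests = 1 ] && [ $ver = "tls1_3" -o $sc != 00 ] ; then
		return
	fi

	groups_and_cipher=""
	if [ $ver = "tls1_3" ] ; then
		# Expect HelloRetryRequest
		groups_and_cipher="-groups P-521:P-384 -cipher ALL"
	fi

	s_client_out=$user1_dir/s_client_${sc}_${ver}.out

	start_message "s_client ... connect to TLS/SSL test server by $ver"
	sleep $test_pause_sec
	$c_bin s_client -connect $host:$port -CAfile $ca_cert \
	    -$ver $groups_and_cipher \
	    -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
	check_exit_status $?

	# check downgrade bits in SH
	# The byte sequence 44 4f 57 4e 47 52 44 followed by 00 or 01 is
	# required in the ServerHello for tls1/tls1_1 and tls1_2 respectively,
	# and must be absent for tls1_3 (note the missing "!" in that branch).
	if [ $ver = "tls1" -o $ver = "tls1_1" ] ; then
		perl -0ne \
		    'exit (!/ServerHello\n.*\n.*44 4f\n.*57 4e 47 52 44 00/m)' \
		    $s_client_out
		check_exit_status $?
	elif [ $ver = "tls1_2" ] ; then
		perl -0ne \
		    'exit (!/ServerHello\n.*\n.*44 4f\n.*57 4e 47 52 44 01/m)' \
		    $s_client_out
		check_exit_status $?
	elif [ $ver = "tls1_3" ] ; then
		perl -0ne \
		    'exit (/ServerHello\n.*\n.*44 4f\n.*57 4e 47 52 44/m)' \
		    $s_client_out
		check_exit_status $?
	fi

	# check HRR hash
	if [ $ver = "tls1_3" ] ; then
		perl -0ne \
		    'exit (!/ServerHello\n.*cf 21 ad 74 e5 9a 61 11 be 1d\n.*8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e\n.*09 e2 c8 a8 33 9c/m)' \
		    $s_client_out
		check_exit_status $?
	fi

	if [ $ver = "tls1_3" ] ; then
		grep 'Server Temp Key: ECDH, .*384.*, 384 bits' $s_client_out \
		    > /dev/null
		check_exit_status $?
	fi

	# OpenSSL1.1.1 with TLSv1.3 does not call SSL_SESSION_print() until
	# NewSessionTicket arrival
	if ! [ $cid = "1" -a $ver = "tls1_3" ] ; then
		grep "$msg" $s_client_out > /dev/null
		check_exit_status $?
	fi

	grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
	check_exit_status $?
}

#
# test_sc_all_cipher - connect once per cipher suite and check that the
# suite was negotiated and the certificate verified.
#
#   $1  sc   server/client id pair, used in output file names
#   $2  ver  protocol option without the dash
#
# For tls1_3 a fixed list of three suites is used, named according to the
# client ($c_id).  Otherwise the list is the set of suites that both
# "$s_bin ciphers" and "$c_bin ciphers" report, in random order.
#
function test_sc_all_cipher {
	sc=$1
	ver=$2

	if [ $gost_tests = 1 ] && [ $ver = "tls1_3" -o $sc != 00 ] ; then
		return
	fi

	copt=cipher
	ciphers=$user1_dir/ciphers_${sc}_${ver}

	if [ $ver = "tls1_3" ] ; then
		if [ $c_id = "0" ] ; then
			echo "AEAD-AES256-GCM-SHA384" > $ciphers
			echo "AEAD-CHACHA20-POLY1305-SHA256" >> $ciphers
			echo "AEAD-AES128-GCM-SHA256" >> $ciphers
		else
			echo "TLS_AES_256_GCM_SHA384" > $ciphers
			echo "TLS_CHACHA20_POLY1305_SHA256" >> $ciphers
			echo "TLS_AES_128_GCM_SHA256" >> $ciphers
			copt=ciphersuites
		fi
	else
		# cipher_string stays empty for the other openssl binary and
		# is expanded unquoted so that it then disappears entirely.
		s_ciph=$server_dir/s_ciph_${sc}_${ver}
		cipher_string=""
		if [ $s_id = "0" ] ; then
			if [ $ecdsa_tests = 1 ] ; then
				cipher_string="ECDSA+TLSv1.2:!TLSv1.3"
			elif [ $gost_tests = 1 ] ; then
				cipher_string="kGOST:!NULL:!TLSv1.3"
			else
				cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3"
			fi
		fi
		$s_bin ciphers -v $cipher_string | awk '{print $1}' > $s_ciph

		c_ciph=$user1_dir/c_ciph_${sc}_${ver}
		cipher_string=""
		if [ $c_id = "0" ] ; then
			if [ $ecdsa_tests = 1 ] ; then
				cipher_string="ECDSA+TLSv1.2:!TLSv1.3"
			elif [ $gost_tests = 1 ] ; then
				cipher_string="kGOST:!NULL:!TLSv1.3"
			else
				cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3"
			fi
		fi
		$c_bin ciphers -v $cipher_string | awk '{print $1}' > $c_ciph

		# keep only names present in both lists, shuffled
		grep -x -f $s_ciph $c_ciph | sort -R > $ciphers
	fi

	cnum=0
	for c in `cat $ciphers` ; do
		cnum=`expr $cnum + 1`
		cnstr=`printf %03d $cnum`
		s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_${cnstr}_${c}.out

		start_message "s_client ... connect to TLS/SSL test server with [ $cnstr ] $ver $c"
		sleep $test_pause_sec
		$c_bin s_client -connect $host:$port -CAfile $ca_cert \
		    -$ver -$copt $c \
		    -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
		check_exit_status $?

		grep "Cipher is $c" $s_client_out > /dev/null
		check_exit_status $?

		grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
		check_exit_status $?
	done
}

#
# test_sc_session_reuse - connect once to save a session with -sess_out,
# connect again with -sess_in and require a "Reused, TLS" line, then dump
# the saved session with sess_id.
#
#   $1  sc   server/client id pair, used in output file names
#   $2  ver  protocol option without the dash
#
function test_sc_session_reuse {
	sc=$1
	ver=$2

	if [ $gost_tests = 1 ] && [ $ver = "tls1_3" -o $sc != 00 ] ; then
		return
	fi

	sess_dat=$user1_dir/s_client_${sc}_${ver}_sess.dat

	# Get session ticket to reuse

	s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_reuse_1.out

	start_message "s_client ... connect to TLS/SSL test server to get session id $ver"
	sleep $test_pause_sec
	$c_bin s_client -connect $host:$port -CAfile $ca_cert \
	    -$ver -alpn "spdy/3,http/1.1" -sess_out $sess_dat \
	    -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
	check_exit_status $?

	grep '^New, TLS.*$' $s_client_out > /dev/null
	check_exit_status $?

	grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
	check_exit_status $?

	# Reuse session ticket

	s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_reuse_2.out

	start_message "s_client ... connect to TLS/SSL test server reusing session id $ver"
	sleep $test_pause_sec
	$c_bin s_client -connect $host:$port -CAfile $ca_cert \
	    -$ver -sess_in $sess_dat \
	    -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
	check_exit_status $?

	grep '^Reused, TLS.*$' $s_client_out > /dev/null
	check_exit_status $?

	grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
	check_exit_status $?

	# sess_id

	start_message "sess_id"
	$c_bin sess_id -in $sess_dat -text -out $sess_dat.out
	check_exit_status $?
}

#
# test_sc_verify - one connection that is expected to fail certificate
# verification, and one that presents a client certificate and is expected
# to verify cleanly.
#
#   $1  sc   server/client id pair, used in output file names
#   $2  ver  protocol option without the dash
#
function test_sc_verify {
	sc=$1
	ver=$2

	if [ $gost_tests = 1 ] && [ $ver = "tls1_3" -o $sc != 00 ] ; then
		return
	fi

	# invalid verification pattern

	s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_invalid.out

	start_message "s_client ... connect to tls/ssl test server but verify error $ver"
	sleep $test_pause_sec
	$c_bin s_client -connect $host:$port -CAfile $ca_cert \
	    -$ver -showcerts -crl_check -issuer_checks -policy_check \
	    -status -servername xyz \
	    -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
	check_exit_status $?

	# Negative check: the "ok" summary line must NOT be present.  The
	# pattern is spelled "Verify return code" with a capital V, the same
	# spelling every other check in this script greps for; a lower-case
	# pattern cannot match that line, so the test would pass no matter
	# what the verification result was.
	grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
	if [ $? -eq 0 ] ; then
		check_exit_status 1
	else
		check_exit_status 0
	fi

	# client certificate pattern

	s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_client_cert.out

	start_message "s_client ... connect to tls/ssl test server with client certificate $ver"

	if [ $ecdsa_tests = 1 ] ; then
		echo "Using ECDSA client certificate"
		crt=$cl_ecdsa_cert
		key=$cl_ecdsa_key
		pwd=$cl_ecdsa_pass
	elif [ $gost_tests = 1 ] ; then
		echo "Using GOST client certificate"
		crt=$cl_gost_cert
		key=$cl_gost_key
		pwd=$cl_gost_pass
	else
		echo "Using RSA client certificate"
		crt=$cl_rsa_cert
		key=$cl_rsa_key
		pwd=$cl_rsa_pass
	fi

	sleep $test_pause_sec
	$c_bin s_client -connect $host:$port -CAfile $ca_cert \
	    -$ver -cert $crt -key $key -pass pass:$pwd \
	    -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
	check_exit_status $?

	grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
	check_exit_status $?
}

#
# test_server_client - start s_server on localhost:4433 in the background
# and run the TLS client tests against it.
#
#   $1  s_id  "0" runs the server from $openssl_bin, anything else from
#             $other_openssl_bin
#   $2  c_id  same choice for the client
#
# The functions called from here read s_id, c_id, sc, s_bin, c_bin, host,
# port and test_pause_sec as globals.
#
function test_server_client {
	# --- client/server operations (TLS) ---
	section_message "client/server operations (TLS)"

	s_id="$1"
	c_id="$2"
	sc="$1$2"

	test_pause_sec=0.2

	if [ $s_id = "0" ] ; then
		s_bin=$openssl_bin
	else
		s_bin=$other_openssl_bin
	fi

	if [ $c_id = "0" ] ; then
		c_bin=$openssl_bin
	else
		c_bin=$other_openssl_bin
	fi

	echo "s_server is [`$s_bin version`]"
	echo "s_client is [`$c_bin version`]"

	host="localhost"
	port=4433
	s_server_out=$server_dir/s_server_${sc}_tls.out

	if [ $ecdsa_tests = 1 ] ; then
		echo "Using ECDSA certificate"
		crt=$sv_ecdsa_cert
		key=$sv_ecdsa_key
		pwd=$sv_ecdsa_pass
	elif [ $gost_tests = 1 ] ; then
		echo "Using GOST certificate"
		crt=$sv_gost_cert
		key=$sv_gost_key
		pwd=$sv_gost_pass
	else
		echo "Using RSA certificate"
		crt=$sv_rsa_cert
		key=$sv_rsa_key
		pwd=$sv_rsa_pass
	fi

	start_message "s_server ... start TLS/SSL test server"
	$s_bin s_server -accept $port -CAfile $ca_cert \
	    -cert $crt -key $key -pass pass:$pwd \
	    -context "appstest.sh" -id_prefix "APPSTEST.SH" -crl_check \
	    -alpn "http/1.1,spdy/3" -www -cipher ALL -4 \
	    -msg -tlsextdebug -verify 3 -groups X25519:P-384:P-256 \
	    -status -servername xyz -cert2 $crt -key2 $key \
	    > $s_server_out 2>&1 &
	# $? after "&" only says the job was launched; a server that cannot
	# start (for example because the port is taken) is noticed by the
	# first client connection instead.
	check_exit_status $?
	s_server_pid=$!
	echo "s_server pid = [ $s_server_pid ]"
	sleep 1

	# test by protocol version
	# NOTE(review): the 'Protocol : ...' patterns are reproduced exactly
	# as this listing shows them; if the listing lost repeated spaces,
	# compare their spacing with what s_client actually prints.
	if [ "$other_openssl_version" = "OpenSSL 1." ] ; then
		test_sc_by_protocol_version $sc tls1 'Protocol : TLSv1$' $c_id
		test_sc_by_protocol_version $sc tls1_1 'Protocol : TLSv1\.1$' $c_id
	fi
	test_sc_by_protocol_version $sc tls1_2 'Protocol : TLSv1\.2$' $c_id
	test_sc_by_protocol_version $sc tls1_3 'Protocol : TLSv1\.3$' $c_id

	# all available ciphers with random order
	test_sc_all_cipher $sc tls1_2
	test_sc_all_cipher $sc tls1_3

	# session resumption
	test_sc_session_reuse $sc tls1_2

	# invalid verification pattern
	test_sc_verify $sc tls1_2
	test_sc_verify $sc tls1_3

	# s_time
	if [ $gost_tests != 1 ] ; then
		start_message "s_time ... connect to TLS/SSL test server"
		$c_bin s_time -connect $host:$port -CApath $ca_dir -time 1 \
		    > $server_dir/s_time_${sc}.log
		check_exit_status $?
	fi

	stop_s_server
}

#
# test_server_client_dtls - start s_server with -dtls on localhost:4433 in
# the background and run the protocol-version test with dtls1_2.
#
#   $1  s_id  "0" runs the server from $openssl_bin, anything else from
#             $other_openssl_bin
#   $2  c_id  same choice for the client
#
function test_server_client_dtls {
	# --- client/server operations (DTLS) ---
	section_message "client/server operations (DTLS)"

	s_id="$1"
	c_id="$2"
	sc="$1$2"

	test_pause_sec=0.2

	if [ $s_id = "0" ] ; then
		s_bin=$openssl_bin
	else
		s_bin=$other_openssl_bin
	fi

	if [ $c_id = "0" ] ; then
		c_bin=$openssl_bin
	else
		c_bin=$other_openssl_bin
	fi

	echo "s_server is [`$s_bin version`]"
	echo "s_client is [`$c_bin version`]"

	host="localhost"
	port=4433
	s_server_out=$server_dir/s_server_${sc}_dtls.out

	if [ $ecdsa_tests = 1 ] ; then
		echo "Using ECDSA certificate"
		crt=$sv_ecdsa_cert
		key=$sv_ecdsa_key
		pwd=$sv_ecdsa_pass
	elif [ $gost_tests = 1 ] ; then
		echo "Using GOST certificate"
		crt=$sv_gost_cert
		key=$sv_gost_key
		pwd=$sv_gost_pass
	else
		echo "Using RSA certificate"
		crt=$sv_rsa_cert
		key=$sv_rsa_key
		pwd=$sv_rsa_pass
	fi

	start_message "s_server ... start DTLS test server"
	$s_bin s_server -accept $port -CAfile $ca_cert \
	    -cert $crt -key $key -pass pass:$pwd \
	    -context "appstest.sh" -id_prefix "APPSTEST.SH" -crl_check \
	    -alpn "http/1.1,spdy/3" -cipher ALL -4 \
	    -msg -tlsextdebug -verify 3 -groups X25519:P-384:P-256 \
	    -status -servername xyz -cert2 $crt -key2 $key -dtls -quiet \
	    > $s_server_out 2>&1 &
	# as for the TLS server: this status only reflects the launch
	check_exit_status $?
	s_server_pid=$!
	echo "s_server pid = [ $s_server_pid ]"
	sleep 1

	# test by protocol version
	test_sc_by_protocol_version $sc dtls1_2 'Protocol : DTLSv1.2$' $c_id

	stop_s_server
}

#
# test_gnutls - interoperability with GnuTLS in both directions:
# gnutls-cli against "openssl s_server", then "openssl s_client" against
# gnutls-serv.
#
#   $1  proto  "tls", or anything else for the DTLS variant
#
# The GnuTLS binaries are taken from fixed paths under /usr/local/bin and
# are not checked for existence before use.
#
function test_gnutls {
	# --- GnuTLS interoperability ---
	section_message "GnuTLS $1 interoperability"

	proto="$1"

	# sopt/lopt/gopt are expanded unquoted so that empty ones disappear
	if [ $proto = "tls" ] ; then
		sopt="-www"
		lopt=
		gopt=
	else
		sopt="-quiet"
		lopt="-dtls"
		gopt="-u"
	fi

	gs_bin=/usr/local/bin/gnutls-serv
	gc_bin=/usr/local/bin/gnutls-cli

	host="localhost"
	port=4433

	if [ $ecdsa_tests = 1 ] ; then
		echo "Using ECDSA certificate"
		crt=$sv_ecdsa_cert
		key=$sv_ecdsa_key
		sni=ecdsa.test-dummy.com
	elif [ $gost_tests = 1 ] ; then
		echo "Using GOST certificate"
		crt=$sv_gost_cert
		key=$sv_gost_key
		sni=gost.test-dummy.com
	else
		echo "Using RSA certificate"
		crt=$sv_rsa_cert
		key=$sv_rsa_key.nopass
		sni=localhost.test-dummy.com
	fi

	# LibreSSL - GnuTLS

	start_message "s_server ... start $proto test server"
	s_server_out=$server_dir/s_server_LG_$proto.out
	$openssl_bin s_server -accept $port -CAfile $ca_cert \
	    -cert $crt -key $key -cert2 $crt -key2 $key \
	    -servername $sni -msg -tlsextdebug -status $sopt $lopt \
	    > $s_server_out 2>&1 &
	# this status only reflects the launch of the background job
	check_exit_status $?
	s_server_pid=$!
	echo "s_server pid = [ $s_server_pid ]"
	sleep 1

	gnutls_cli_out=$user1_dir/gnutls-cli_LG_$proto.out
	$gc_bin --x509cafile=$ca_cert --sni-hostname=$sni \
	    --verify-hostname=$sni $gopt -p $port $host < /dev/null \
	    > $gnutls_cli_out 2>&1
	check_exit_status $?

	grep 'Handshake was completed' $gnutls_cli_out > /dev/null
	check_exit_status $?

	stop_s_server

	# GnuTLS - LibreSSL

	start_message "gnutls-serv ... start $proto test server"
	gnutls_serv_out=$server_dir/gnutls-serv_GL_$proto.out
	$gs_bin --x509cafile=$ca_cert --x509certfile=$crt --x509keyfile=$key \
	    $gopt -p $port > $gnutls_serv_out 2>&1 &
	# this status only reflects the launch of the background job
	check_exit_status $?
	gnutls_serv_pid=$!
	echo "gnutls-serv pid = [ $gnutls_serv_pid ]"
	sleep 1

	s_client_out=$user1_dir/s_client_GL_$proto.out
	$openssl_bin s_client -connect $host:$port -CAfile $ca_cert \
	    -msg -tlsextdebug -status $lopt < /dev/null > $s_client_out 2>&1
	check_exit_status $?

	grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
	check_exit_status $?

	stop_gnutls_serv
}

#
# test_speed - run "openssl speed" for sha512 and rsa2048 unless quick mode
# ($no_long_tests) is on.
#
function test_speed {
	# === PERFORMANCE ===
	section_message "PERFORMANCE"

	if [ $no_long_tests = 0 ] ; then
		start_message "speed"
		$openssl_bin speed sha512 rsa2048 -multi 2 -elapsed
		check_exit_status $?
	else
		start_message "SKIPPING speed (quick mode)"
	fi
}

#
# test_version - print the full version information of $openssl_bin.
#
function test_version {
	# --- VERSION INFORMATION ---
	section_message "VERSION INFORMATION"

	start_message "version"
	$openssl_bin version -a
	check_exit_status $?
}

#---------#---------#---------#---------#---------#---------#---------#---------

# Binaries under test.  Both paths can be overridden from the environment,
# so the script runs whatever OPENSSL and OTHER_OPENSSL point to.
openssl_bin=${OPENSSL:-/usr/bin/openssl}
other_openssl_bin=${OTHER_OPENSSL:-/usr/local/bin/eopenssl11}
# first ten bytes of the version banner; compared with "OpenSSL 1." later
other_openssl_version=`$other_openssl_bin version | cut -b 1-10`

ecdsa_tests=0
gost_tests=0
interop_tests=0
gnutls_tests=0
no_long_tests=0

# -e and -g are mutually exclusive: whichever comes last wins.
while [ "$1" != "" ]; do
	case $1 in
		-e | --ecdsa)		shift
					ecdsa_tests=1
					gost_tests=0
					;;
		-g | --gost)		shift
					gost_tests=1
					ecdsa_tests=0
					;;
		-i | --interop)		shift
					interop_tests=1
					;;
		-n | --gnutls)		shift
					gnutls_tests=1
					;;
		-q | --quick )		shift
					no_long_tests=1
					;;
		* )			usage
					exit 1
	esac
done

if [ ! -x $openssl_bin ] ; then
	echo ":-< \$OPENSSL [$openssl_bin] is not executable."
	exit 1
fi

if [ $interop_tests = 1 -a ! -x $other_openssl_bin ] ; then
	echo ":-< \$OTHER_OPENSSL [$other_openssl_bin] is not executable."
	exit 1
fi

#
# create ssldir, and all files generated by this script goes under this dir.
#
ssldir="appstest_dir"

# The path is relative, so the directory is removed from and recreated in
# the current working directory.  The expansion is quoted, guarded with :?
# and preceded by "--" so that an empty or option-like value can never be
# handed to a recursive delete.
if [ -d "$ssldir" ] ; then
	echo "directory [ $ssldir ] exists, this script deletes this directory ..."
	/bin/rm -rf -- "${ssldir:?}"
fi

mkdir -p $ssldir

ca_dir=$ssldir/testCA
tsa_dir=$ssldir/testTSA
ocsp_dir=$ssldir/testOCSP
server_dir=$ssldir/server
user1_dir=$ssldir/user1
mkdir -p $user1_dir
key_dir=$ssldir/key
mkdir -p $key_dir

# point the openssl command at a configuration file inside the test
# directory; it is created empty here
export OPENSSL_CONF=$ssldir/openssl.cnf
touch $OPENSSL_CONF

# mingw is 1 when "uname -s" contains MINGW, otherwise 0
uname_s=`uname -s | grep 'MINGW'`
if [ "$uname_s" = "" ] ; then
	mingw=0
else
	mingw=1
fi

#
# process tests
#
test_usage_lists_others
test_md
test_encoding_cipher
test_key
test_pki
test_tsa
test_cms
test_smime
test_ocsp
test_pkcs
test_server_client 0 0
if [ $interop_tests = 1 ] ; then
	test_server_client 0 1
	test_server_client 1 0
fi
test_server_client_dtls 0 0
if [ $interop_tests = 1 ] ; then
	test_server_client_dtls 0 1
	test_server_client_dtls 1 0
fi
if [ $gnutls_tests = 1 ] ; then
	test_gnutls tls
	test_gnutls dtls
fi
test_speed
test_version

section_message "END"

exit 0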