aboutsummaryrefslogtreecommitdiff
path: root/openssl/test/testtsa
diff options
context:
space:
mode:
Diffstat (limited to 'openssl/test/testtsa')
-rw-r--r--openssl/test/testtsa238
1 files changed, 238 insertions, 0 deletions
diff --git a/openssl/test/testtsa b/openssl/test/testtsa
new file mode 100644
index 000000000..bb653b5f7
--- /dev/null
+++ b/openssl/test/testtsa
@@ -0,0 +1,238 @@
+#!/bin/sh
+
+#
+# A few very basic tests for the 'ts' time stamping authority command.
+#
+
+SH="/bin/sh"
+if test "$OSTYPE" = msdosdjgpp; then
+ PATH="../apps\;$PATH"
+else
+ PATH="../apps:$PATH"
+fi
+export SH PATH
+
+OPENSSL_CONF="../CAtsa.cnf"
+export OPENSSL_CONF
+# Because that's what ../apps/CA.sh really looks at
+SSLEAY_CONFIG="-config $OPENSSL_CONF"
+export SSLEAY_CONFIG
+
+OPENSSL="`pwd`/../util/opensslwrap.sh"
+export OPENSSL
+
+error () {
+
+ echo "TSA test failed!" >&2
+ exit 1
+}
+
+setup_dir () {
+
+ rm -rf tsa 2>/dev/null
+ mkdir tsa
+ cd ./tsa
+}
+
+clean_up_dir () {
+
+ cd ..
+ rm -rf tsa
+}
+
+create_ca () {
+
+ echo "Creating a new CA for the TSA tests..."
+ TSDNSECT=ts_ca_dn
+ export TSDNSECT
+ ../../util/shlib_wrap.sh ../../apps/openssl req -new -x509 -nodes \
+ -out tsaca.pem -keyout tsacakey.pem
+ test $? != 0 && error
+}
+
+create_tsa_cert () {
+
+ INDEX=$1
+ export INDEX
+ EXT=$2
+ TSDNSECT=ts_cert_dn
+ export TSDNSECT
+
+ ../../util/shlib_wrap.sh ../../apps/openssl req -new \
+ -out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem
+ test $? != 0 && error
+echo Using extension $EXT
+ ../../util/shlib_wrap.sh ../../apps/openssl x509 -req \
+ -in tsa_req${INDEX}.pem -out tsa_cert${INDEX}.pem \
+ -CA tsaca.pem -CAkey tsacakey.pem -CAcreateserial \
+ -extfile $OPENSSL_CONF -extensions $EXT
+ test $? != 0 && error
+}
+
+print_request () {
+
+ ../../util/shlib_wrap.sh ../../apps/openssl ts -query -in $1 -text
+}
+
+create_time_stamp_request1 () {
+
+ ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../testtsa -policy tsa_policy1 -cert -out req1.tsq
+ test $? != 0 && error
+}
+
+create_time_stamp_request2 () {
+
+ ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../testtsa -policy tsa_policy2 -no_nonce \
+ -out req2.tsq
+ test $? != 0 && error
+}
+
+create_time_stamp_request3 () {
+
+ ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../CAtsa.cnf -no_nonce -out req3.tsq
+ test $? != 0 && error
+}
+
+print_response () {
+
+ ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $1 -text
+ test $? != 0 && error
+}
+
+create_time_stamp_response () {
+
+ ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -section $3 -queryfile $1 -out $2
+ test $? != 0 && error
+}
+
+time_stamp_response_token_test () {
+
+ RESPONSE2=$2.copy.tsr
+ TOKEN_DER=$2.token.der
+ ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -out $TOKEN_DER -token_out
+ test $? != 0 && error
+ ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $TOKEN_DER -token_in -out $RESPONSE2
+ test $? != 0 && error
+ cmp $RESPONSE2 $2
+ test $? != 0 && error
+ ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -text -token_out
+ test $? != 0 && error
+ ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $TOKEN_DER -token_in -text -token_out
+ test $? != 0 && error
+ ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -queryfile $1 -text -token_out
+ test $? != 0 && error
+}
+
+verify_time_stamp_response () {
+
+ ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2 -CAfile tsaca.pem \
+ -untrusted tsa_cert1.pem
+ test $? != 0 && error
+ ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -data $3 -in $2 -CAfile tsaca.pem \
+ -untrusted tsa_cert1.pem
+ test $? != 0 && error
+}
+
+verify_time_stamp_token () {
+
+ # create the token from the response first
+ ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -out $2.token -token_out
+ test $? != 0 && error
+ ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2.token -token_in \
+ -CAfile tsaca.pem -untrusted tsa_cert1.pem
+ test $? != 0 && error
+ ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -data $3 -in $2.token -token_in \
+ -CAfile tsaca.pem -untrusted tsa_cert1.pem
+ test $? != 0 && error
+}
+
+verify_time_stamp_response_fail () {
+
+ ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2 -CAfile tsaca.pem \
+ -untrusted tsa_cert1.pem
+ # Checks if the verification failed, as it should have.
+ test $? = 0 && error
+ echo Ok
+}
+
+# main functions
+
+echo "Setting up TSA test directory..."
+setup_dir
+
+echo "Creating CA for TSA tests..."
+create_ca
+
+echo "Creating tsa_cert1.pem TSA server cert..."
+create_tsa_cert 1 tsa_cert
+
+echo "Creating tsa_cert2.pem non-TSA server cert..."
+create_tsa_cert 2 non_tsa_cert
+
+echo "Creating req1.req time stamp request for file testtsa..."
+create_time_stamp_request1
+
+echo "Printing req1.req..."
+print_request req1.tsq
+
+echo "Generating valid response for req1.req..."
+create_time_stamp_response req1.tsq resp1.tsr tsa_config1
+
+echo "Printing response..."
+print_response resp1.tsr
+
+echo "Verifying valid response..."
+verify_time_stamp_response req1.tsq resp1.tsr ../testtsa
+
+echo "Verifying valid token..."
+verify_time_stamp_token req1.tsq resp1.tsr ../testtsa
+
+# The tests below are commented out, because invalid signer certificates
+# can no longer be specified in the config file.
+
+# echo "Generating _invalid_ response for req1.req..."
+# create_time_stamp_response req1.tsq resp1_bad.tsr tsa_config2
+
+# echo "Printing response..."
+# print_response resp1_bad.tsr
+
+# echo "Verifying invalid response, it should fail..."
+# verify_time_stamp_response_fail req1.tsq resp1_bad.tsr
+
+echo "Creating req2.req time stamp request for file testtsa..."
+create_time_stamp_request2
+
+echo "Printing req2.req..."
+print_request req2.tsq
+
+echo "Generating valid response for req2.req..."
+create_time_stamp_response req2.tsq resp2.tsr tsa_config1
+
+echo "Checking '-token_in' and '-token_out' options with '-reply'..."
+time_stamp_response_token_test req2.tsq resp2.tsr
+
+echo "Printing response..."
+print_response resp2.tsr
+
+echo "Verifying valid response..."
+verify_time_stamp_response req2.tsq resp2.tsr ../testtsa
+
+echo "Verifying response against wrong request, it should fail..."
+verify_time_stamp_response_fail req1.tsq resp2.tsr
+
+echo "Verifying response against wrong request, it should fail..."
+verify_time_stamp_response_fail req2.tsq resp1.tsr
+
+echo "Creating req3.req time stamp request for file CAtsa.cnf..."
+create_time_stamp_request3
+
+echo "Printing req3.req..."
+print_request req3.tsq
+
+echo "Verifying response against wrong request, it should fail..."
+verify_time_stamp_response_fail req3.tsq resp1.tsr
+
+echo "Cleaning up..."
+clean_up_dir
+
+exit 0