yuezonghe | 824eb0c | 2024-06-27 02:32:26 -0700 | [diff] [blame^] | 1 | #! /usr/bin/env perl |
| 2 | # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. |
| 3 | # |
| 4 | # Licensed under the OpenSSL license (the "License"). You may not use |
| 5 | # this file except in compliance with the License. You can obtain a copy |
| 6 | # in the file LICENSE in the source distribution or at |
| 7 | # https://www.openssl.org/source/license.html |
| 8 | |
| 9 | |
| 10 | use strict; |
| 11 | use warnings; |
| 12 | |
| 13 | use POSIX; |
| 14 | use File::Spec::Functions qw/splitdir curdir catfile/; |
| 15 | use File::Compare; |
| 16 | use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/; |
| 17 | use OpenSSL::Test::Utils; |
| 18 | |
# Register this recipe with the OpenSSL test harness (OpenSSL::Test::setup);
# run()/app()/indir below depend on it having been called first.
setup("test_tsa");

# Nothing in this recipe is meaningful without the time-stamp (TS) module,
# so the whole file is skipped rather than failing when it is disabled.
plan skip_all => "TS is not supported by this OpenSSL build"
    if disabled("ts");

# All these are modified inside indir further down.  They need to exist
# here, however, to be available in all subroutines.
my $openssl_conf;   # path of test/CAtsa.cnf, passed to every openssl invocation
my $testtsa;        # path of this recipe; the data that req1/req2 time-stamp
my $CAtsa;          # path of test/CAtsa.cnf again; the data that req3 time-stamps
my @RUN;            # ("openssl", "ts", "-config", $openssl_conf): common prefix
| 30 | |
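# Issue a leaf certificate signed by the test CA (tsaca.pem / tsacakey.pem).
#
# Arguments:
#   $index        suffix used for the request, key and certificate file names
#                 (tsa_req$index.pem, tsa_key$index.pem, tsa_cert$index.pem)
#   $ext_section  name of the section of $openssl_conf handed to
#                 `openssl x509 -extensions`; the callers use it to decide
#                 whether the leaf gets the time-stamping extensions or not
#
# Emits one ok() per openssl step and returns the result of the final one
# (true when the signing step succeeded).  Side effects: sets $ENV{TSDNSECT}
# (assumed to select the subject-DN section inside $openssl_conf — confirm
# against test/CAtsa.cnf) and writes the three files above into the current
# directory.
sub create_tsa_cert {
    my ($index, $ext_section) = @_;

    $ENV{TSDNSECT} = "ts_cert_dn";

    # Fresh key pair and CSR.  No -nodes here (unlike the CA key below), so
    # this relies on the config not asking for a passphrase; if CAtsa.cnf
    # ever changed that, this step would block on a prompt — TODO confirm.
    ok(run(app(["openssl", "req", "-config", $openssl_conf, "-new",
                "-out", "tsa_req${index}.pem",
                "-keyout", "tsa_key${index}.pem"])),
       "creating request and key for tsa_cert${index}.pem");
    note "using extension $ext_section";
    # Sign the CSR with the test CA.  The extension section decides what the
    # resulting certificate may be used for, so passing the wrong section
    # would silently change what the verification tests actually prove.
    # -CAcreateserial lets openssl create the CA serial file if it is absent.
    return ok(run(app(["openssl", "x509", "-req",
                       "-in", "tsa_req${index}.pem",
                       "-out", "tsa_cert${index}.pem",
                       "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem",
                       "-CAcreateserial",
                       "-extfile", $openssl_conf,
                       "-extensions", $ext_section])),
              "signing tsa_cert${index}.pem with the test CA");
}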
| 48 | |
# Produce a time-stamp response (.tsr) for an existing query (.tsq) with
# `openssl ts -reply`.  Emits a single ok() for the command's exit status
# and returns its result.
#
#   $queryfile   path of the request to answer
#   $outputfile  where the response is written
#   $section     name of the TSA section in $openssl_conf to sign with
#                (third positional argument; it is a config section name,
#                e.g. "tsa_config1", not a data file)
sub create_time_stamp_response {
    my ($queryfile, $outputfile, $section) = @_;

    my @cmd = (@RUN, "-reply",
               "-section",   $section,
               "-queryfile", $queryfile,
               "-out",       $outputfile);
    return ok(run(app([@cmd])));
}
| 57 | |
# Verify a time-stamp response two ways: once against the query it answers
# (-queryfile) and once against the raw data that was time-stamped (-data),
# so the imprint is recomputed from the file.  Both must succeed; one ok()
# is emitted per check and the result of the second is returned.
#
# Trust model exercised here: tsaca.pem is the only trust anchor (-CAfile).
# The TSA's own certificate is passed as -untrusted, so the chain from the
# signer up to that anchor has to validate rather than being taken on faith.
sub verify_time_stamp_response {
    my ($queryfile, $inputfile, $datafile) = @_;

    my @anchor = ("-CAfile", "tsaca.pem", "-untrusted", "tsa_cert1.pem");

    ok(run(app([@RUN, "-verify", "-queryfile", $queryfile,
                "-in", $inputfile, @anchor])));
    return ok(run(app([@RUN, "-verify", "-data", $datafile,
                       "-in", $inputfile, @anchor])));
}
| 70 | |
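# Negative check: verifying $inputfile against $queryfile must be rejected.
#
# A negative test only proves something if the rejection comes from the
# verification logic, not from a missing input.  Both files are therefore
# required to exist before `openssl ts -verify` runs; without that, the
# mismatch case could "pass" merely because an earlier step failed to
# produce its output.  run() returning false only tells us the exit status
# was non-zero — the reason for the rejection is not inspected.
# Trust settings mirror verify_time_stamp_response.
sub verify_time_stamp_response_fail {
    my ($queryfile, $inputfile) = @_;

    ok(-f $queryfile, "query file $queryfile exists");
    ok(-f $inputfile, "response file $inputfile exists");
    return ok(!run(app([@RUN, "-verify", "-queryfile", $queryfile,
                         "-in", $inputfile, "-CAfile", "tsaca.pem",
                         "-untrusted", "tsa_cert1.pem"])),
              "verification of $inputfile against $queryfile is rejected");
}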
| 79 | |
| 80 | # main functions |
| 81 | |
# One top-level test per ok()/subtest() inside the SKIP block below.  The
# skip counts after each prerequisite step must add up to this number, so
# keep them in sync when adding or removing a step.
plan tests => 20;

note "setting up TSA test directory";
# Everything runs inside a scratch "tsa" directory (create => 1, removed
# afterwards by cleanup => 1), so the relative file names used throughout
# are local to it.
indir "tsa" => sub
{
    $openssl_conf = srctop_file("test", "CAtsa.cnf");
    # The data being time-stamped by req1/req2 is this very test script.
    $testtsa = srctop_file("test", "recipes", "80-test_tsa.t");
    $CAtsa = srctop_file("test", "CAtsa.cnf");
    @RUN = ("openssl", "ts", "-config", $openssl_conf);

    # ../apps/CA.pl needs these
    # NOTE(review): CA.pl is not invoked anywhere visible in this file, so
    # these two settings may be a leftover.  OPENSSL_CONFIG is also a single
    # whitespace-joined string; a source-tree path containing spaces would
    # not survive being re-split by whatever consumes it.
    $ENV{OPENSSL_CONFIG} = "-config $openssl_conf";
    $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);

    SKIP: {
        # Self-signed test CA: the only trust anchor (-CAfile) used by every
        # verification below.  -nodes leaves the key unencrypted so nothing
        # prompts for a passphrase.
        $ENV{TSDNSECT} = "ts_ca_dn";
        skip "failed", 19
            unless ok(run(app(["openssl", "req", "-config", $openssl_conf,
                               "-new", "-x509", "-nodes",
                               "-out", "tsaca.pem", "-keyout", "tsacakey.pem"])),
                      'creating a new CA for the TSA tests');

        # tsa_cert1.pem is the signer that every verification below passes
        # as -untrusted; tsa_config1 presumably signs with it — confirm
        # against test/CAtsa.cnf.
        skip "failed", 18
            unless subtest 'creating tsa_cert1.pem TSA server cert' => sub {
                create_tsa_cert("1", "tsa_cert")
            };

        # tsa_cert2.pem is issued from the "non_tsa_cert" extension section.
        # NOTE(review): nothing visible in this file references tsa_cert2.pem
        # after this point, so the negative case (a reply signed by a
        # certificate without the time-stamping extensions must be rejected)
        # does not appear to be exercised here.
        skip "failed", 17
            unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub {
                create_tsa_cert("2", "non_tsa_cert")
            };

        # Request 1: policy tsa_policy1, with a nonce (the default) and -cert,
        # which asks the TSA to include its certificate in the response.
        skip "failed", 16
            unless ok(run(app([@RUN, "-query", "-data", $testtsa,
                               "-tspolicy", "tsa_policy1", "-cert",
                               "-out", "req1.tsq"])),
                      'creating req1.req time stamp request for file testtsa');

        ok(run(app([@RUN, "-query", "-in", "req1.tsq", "-text"])),
           'printing req1.req');

        subtest 'generating valid response for req1.req' => sub {
            create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1")
        };

        ok(run(app([@RUN, "-reply", "-in", "resp1.tsr", "-text"])),
           'printing response');

        subtest 'verifying valid response' => sub {
            verify_time_stamp_response("req1.tsq", "resp1.tsr", $testtsa)
        };

        # The token extracted with -token_out must verify (via -token_in)
        # exactly like the full response did, against both the query and the
        # original data, with the same trust anchor and untrusted signer.
        skip "failed", 11
            unless subtest 'verifying valid token' => sub {
                ok(run(app([@RUN, "-reply", "-in", "resp1.tsr",
                            "-out", "resp1.tsr.token", "-token_out"])));
                ok(run(app([@RUN, "-verify", "-queryfile", "req1.tsq",
                            "-in", "resp1.tsr.token", "-token_in",
                            "-CAfile", "tsaca.pem",
                            "-untrusted", "tsa_cert1.pem"])));
                ok(run(app([@RUN, "-verify", "-data", $testtsa,
                            "-in", "resp1.tsr.token", "-token_in",
                            "-CAfile", "tsaca.pem",
                            "-untrusted", "tsa_cert1.pem"])));
            };

        # Request 2: a different policy (tsa_policy2), explicitly without a
        # nonce, and without -cert.
        skip "failed", 10
            unless ok(run(app([@RUN, "-query", "-data", $testtsa,
                               "-tspolicy", "tsa_policy2", "-no_nonce",
                               "-out", "req2.tsq"])),
                      'creating req2.req time stamp request for file testtsa');

        ok(run(app([@RUN, "-query", "-in", "req2.tsq", "-text"])),
           'printing req2.req');

        skip "failed", 8
            unless subtest 'generating valid response for req2.req' => sub {
                create_time_stamp_response("req2.tsq", "resp2.tsr", "tsa_config1")
            };

        # Round trip: response -> bare token (-token_out) -> response again
        # (-token_in).  The rebuilt response must be byte-identical to the
        # original (File::Compare::compare returns 0 on equality).  The
        # remaining steps only check that -text printing works in each mode,
        # including a reply generated straight from the query with no
        # -section (so whatever default the config provides is used).
        skip "failed", 7
            unless subtest 'checking -token_in and -token_out options with -reply' => sub {
                my $RESPONSE2="resp2.tsr.copy.tsr";
                my $TOKEN_DER="resp2.tsr.token.der";

                ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
                            "-out", "$TOKEN_DER", "-token_out"])));
                ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
                            "-token_in", "-out", "$RESPONSE2"])));
                is(compare($RESPONSE2, "resp2.tsr"), 0);
                ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
                            "-text", "-token_out"])));
                ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
                            "-token_in", "-text", "-token_out"])));
                ok(run(app([@RUN, "-reply", "-queryfile", "req2.tsq",
                            "-text", "-token_out"])));
            };

        ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", "-text"])),
           'printing response');

        subtest 'verifying valid response' => sub {
            verify_time_stamp_response("req2.tsq", "resp2.tsr", $testtsa)
        };

        # Cross-checks: a response must not verify against a request it did
        # not answer (req1/req2 differ in policy and nonce presence).
        subtest 'verifying response against wrong request, it should fail' => sub {
            verify_time_stamp_response_fail("req1.tsq", "resp2.tsr")
        };

        subtest 'verifying response against wrong request, it should fail' => sub {
            verify_time_stamp_response_fail("req2.tsq", "resp1.tsr")
        };

        # Request 3 time-stamps a different file (CAtsa.cnf) and is used only
        # negatively: resp1.tsr covers other data and must be rejected.
        skip "failure", 2
            unless ok(run(app([@RUN, "-query", "-data", $CAtsa,
                               "-no_nonce", "-out", "req3.tsq"])),
                      "creating req3.req time stamp request for file CAtsa.cnf");

        ok(run(app([@RUN, "-query", "-in", "req3.tsq", "-text"])),
           'printing req3.req');

        subtest 'verifying response against wrong request, it should fail' => sub {
            verify_time_stamp_response_fail("req3.tsq", "resp1.tsr")
        };
    }
}, create => 1, cleanup => 1