1 #! /usr/bin/env perl 2 # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. 3 # 4 # Licensed under the OpenSSL license (the "License"). You may not use 5 # this file except in compliance with the License. You can obtain a copy 6 # in the file LICENSE in the source distribution or at 7 # https://www.openssl.org/source/license.html 8 9 10 use strict; 11 use warnings; 12 13 use POSIX; 14 use File::Spec::Functions qw/splitdir curdir catfile/; 15 use File::Compare; 16 use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/; 17 use OpenSSL::Test::Utils; 18 19 setup("test_tsa"); 20 21 plan skip_all => "TS is not supported by this OpenSSL build" 22 if disabled("ts"); 23 24 # All these are modified inside indir further down. They need to exist 25 # here, however, to be available in all subroutines. 26 my $openssl_conf; 27 my $testtsa; 28 my $CAtsa; 29 my @RUN; 30 31 sub create_tsa_cert { 32 my $INDEX = shift; 33 my $EXT = shift; 34 my $r = 1; 35 $ENV{TSDNSECT} = "ts_cert_dn"; 36 37 ok(run(app(["openssl", "req", "-config", $openssl_conf, "-new", 38 "-out", "tsa_req${INDEX}.pem", 39 "-keyout", "tsa_key${INDEX}.pem"]))); 40 note "using extension $EXT"; 41 ok(run(app(["openssl", "x509", "-req", 42 "-in", "tsa_req${INDEX}.pem", 43 "-out", "tsa_cert${INDEX}.pem", 44 "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem", 45 "-CAcreateserial", 46 "-extfile", $openssl_conf, "-extensions", $EXT]))); 47 } 48 49 sub create_time_stamp_response { 50 my $queryfile = shift; 51 my $outputfile = shift; 52 my $datafile = shift; 53 54 ok(run(app([@RUN, "-reply", "-section", "$datafile", 55 "-queryfile", "$queryfile", "-out", "$outputfile"]))); 56 } 57 58 sub verify_time_stamp_response { 59 my $queryfile = shift; 60 my $inputfile = shift; 61 my $datafile = shift; 62 63 ok(run(app([@RUN, "-verify", "-queryfile", "$queryfile", 64 "-in", "$inputfile", "-CAfile", "tsaca.pem", 65 "-untrusted", "tsa_cert1.pem"]))); 66 ok(run(app([@RUN, "-verify", "-data", "$datafile", 67 "-in", "$inputfile", "-CAfile", "tsaca.pem", 68 "-untrusted", "tsa_cert1.pem"]))); 69 } 70 71 sub verify_time_stamp_response_fail { 72 my $queryfile = shift; 73 my $inputfile = shift; 74 75 ok(!run(app([@RUN, "-verify", "-queryfile", "$queryfile", 76 "-in", "$inputfile", "-CAfile", "tsaca.pem", 77 "-untrusted", "tsa_cert1.pem"]))); 78 } 79 80 # main functions 81 82 plan tests => 20; 83 84 note "setting up TSA test directory"; 85 indir "tsa" => sub 86 { 87 $openssl_conf = srctop_file("test", "CAtsa.cnf"); 88 $testtsa = srctop_file("test", "recipes", "80-test_tsa.t"); 89 $CAtsa = srctop_file("test", "CAtsa.cnf"); 90 @RUN = ("openssl", "ts", "-config", $openssl_conf); 91 92 # ../apps/CA.pl needs these 93 $ENV{OPENSSL_CONFIG} = "-config $openssl_conf"; 94 $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1); 95 96 SKIP: { 97 $ENV{TSDNSECT} = "ts_ca_dn"; 98 skip "failed", 19 99 unless ok(run(app(["openssl", "req", "-config", $openssl_conf, 100 "-new", "-x509", "-nodes", 101 "-out", "tsaca.pem", "-keyout", "tsacakey.pem"])), 102 'creating a new CA for the TSA tests'); 103 104 skip "failed", 18 105 unless subtest 'creating tsa_cert1.pem TSA server cert' => sub { 106 create_tsa_cert("1", "tsa_cert") 107 }; 108 109 skip "failed", 17 110 unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub { 111 create_tsa_cert("2", "non_tsa_cert") 112 }; 113 114 skip "failed", 16 115 unless ok(run(app([@RUN, "-query", "-data", $testtsa, 116 "-tspolicy", "tsa_policy1", "-cert", 117 "-out", "req1.tsq"])), 118 'creating req1.req time stamp request for file testtsa'); 119 120 ok(run(app([@RUN, "-query", "-in", "req1.tsq", "-text"])), 121 'printing req1.req'); 122 123 subtest 'generating valid response for req1.req' => sub { 124 create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1") 125 }; 126 127 ok(run(app([@RUN, "-reply", "-in", "resp1.tsr", "-text"])), 128 'printing response'); 129 130 subtest 'verifying valid response' => sub { 131 verify_time_stamp_response("req1.tsq", "resp1.tsr", $testtsa) 132 }; 133 134 skip "failed", 11 135 unless subtest 'verifying valid token' => sub { 136 ok(run(app([@RUN, "-reply", "-in", "resp1.tsr", 137 "-out", "resp1.tsr.token", "-token_out"]))); 138 ok(run(app([@RUN, "-verify", "-queryfile", "req1.tsq", 139 "-in", "resp1.tsr.token", "-token_in", 140 "-CAfile", "tsaca.pem", 141 "-untrusted", "tsa_cert1.pem"]))); 142 ok(run(app([@RUN, "-verify", "-data", $testtsa, 143 "-in", "resp1.tsr.token", "-token_in", 144 "-CAfile", "tsaca.pem", 145 "-untrusted", "tsa_cert1.pem"]))); 146 }; 147 148 skip "failed", 10 149 unless ok(run(app([@RUN, "-query", "-data", $testtsa, 150 "-tspolicy", "tsa_policy2", "-no_nonce", 151 "-out", "req2.tsq"])), 152 'creating req2.req time stamp request for file testtsa'); 153 154 ok(run(app([@RUN, "-query", "-in", "req2.tsq", "-text"])), 155 'printing req2.req'); 156 157 skip "failed", 8 158 unless subtest 'generating valid response for req2.req' => sub { 159 create_time_stamp_response("req2.tsq", "resp2.tsr", "tsa_config1") 160 }; 161 162 skip "failed", 7 163 unless subtest 'checking -token_in and -token_out options with -reply' => sub { 164 my $RESPONSE2="resp2.tsr.copy.tsr"; 165 my $TOKEN_DER="resp2.tsr.token.der"; 166 167 ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", 168 "-out", "$TOKEN_DER", "-token_out"]))); 169 ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER", 170 "-token_in", "-out", "$RESPONSE2"]))); 171 is(compare($RESPONSE2, "resp2.tsr"), 0); 172 ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", 173 "-text", "-token_out"]))); 174 ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER", 175 "-token_in", "-text", "-token_out"]))); 176 ok(run(app([@RUN, "-reply", "-queryfile", "req2.tsq", 177 "-text", "-token_out"]))); 178 }; 179 180 ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", "-text"])), 181 'printing response'); 182 183 subtest 'verifying valid response' => sub { 184 verify_time_stamp_response("req2.tsq", "resp2.tsr", $testtsa) 185 }; 186 187 subtest 'verifying response against wrong request, it should fail' => sub { 188 verify_time_stamp_response_fail("req1.tsq", "resp2.tsr") 189 }; 190 191 subtest 'verifying response against wrong request, it should fail' => sub { 192 verify_time_stamp_response_fail("req2.tsq", "resp1.tsr") 193 }; 194 195 skip "failure", 2 196 unless ok(run(app([@RUN, "-query", "-data", $CAtsa, 197 "-no_nonce", "-out", "req3.tsq"])), 198 "creating req3.req time stamp request for file CAtsa.cnf"); 199 200 ok(run(app([@RUN, "-query", "-in", "req3.tsq", "-text"])), 201 'printing req3.req'); 202 203 subtest 'verifying response against wrong request, it should fail' => sub { 204 verify_time_stamp_response_fail("req3.tsq", "resp1.tsr") 205 }; 206 } 207 }, create => 1, cleanup => 1 208
Indexes created Sat Feb 28 05:31:39 UTC 2026