2 # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
14 use File::Spec::Functions qw/splitdir curdir catfile/;
16 use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
17 use OpenSSL::Test::Utils;
21 plan skip_all => "TS is not supported by this OpenSSL build"
24 # All these are modified inside indir further down. They need to exist
25 # here, however, to be available in all subroutines.
35 $ENV{TSDNSECT} = "ts_cert_dn";
37 ok(run(app(["openssl", "req", "-config", $openssl_conf, "-new",
38 "-out", "tsa_req${INDEX}.pem",
39 "-keyout", "tsa_key${INDEX}.pem"])));
40 note "using extension $EXT";
41 ok(run(app(["openssl", "x509", "-req",
42 "-in", "tsa_req${INDEX}.pem",
43 "-out", "tsa_cert${INDEX}.pem",
44 "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem",
46 "-extfile", $openssl_conf, "-extensions", $EXT])));
49 sub create_time_stamp_response {
50 my $queryfile = shift;
51 my $outputfile = shift;
54 ok(run(app([@RUN, "-reply", "-section", "$datafile",
55 "-queryfile", "$queryfile", "-out", "$outputfile"])));
58 sub verify_time_stamp_response {
59 my $queryfile = shift;
60 my $inputfile = shift;
63 ok(run(app([@RUN, "-verify", "-queryfile", "$queryfile",
64 "-in", "$inputfile", "-CAfile", "tsaca.pem",
65 "-untrusted", "tsa_cert1.pem"])));
66 ok(run(app([@RUN, "-verify", "-data", "$datafile",
67 "-in", "$inputfile", "-CAfile", "tsaca.pem",
68 "-untrusted", "tsa_cert1.pem"])));
71 sub verify_time_stamp_response_fail {
72 my $queryfile = shift;
73 my $inputfile = shift;
75 ok(!run(app([@RUN, "-verify", "-queryfile", "$queryfile",
76 "-in", "$inputfile", "-CAfile", "tsaca.pem",
77 "-untrusted", "tsa_cert1.pem"])));
84 note "setting up TSA test directory";
87 $openssl_conf = srctop_file("test", "CAtsa.cnf");
88 $testtsa = srctop_file("test", "recipes", "80-test_tsa.t");
89 $CAtsa = srctop_file("test", "CAtsa.cnf");
90 @RUN = ("openssl", "ts", "-config", $openssl_conf);
92 # ../apps/CA.pl needs these
93 $ENV{OPENSSL_CONFIG} = "-config $openssl_conf";
94 $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
97 $ENV{TSDNSECT} = "ts_ca_dn";
99 unless ok(run(app(["openssl", "req", "-config", $openssl_conf,
100 "-new", "-x509", "-nodes",
101 "-out", "tsaca.pem", "-keyout", "tsacakey.pem"])),
102 'creating a new CA for the TSA tests');
105 unless subtest 'creating tsa_cert1.pem TSA server cert' => sub {
106 create_tsa_cert("1", "tsa_cert")
110 unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub {
111 create_tsa_cert("2", "non_tsa_cert")
115 unless ok(run(app([@RUN, "-query", "-data", $testtsa,
116 "-tspolicy", "tsa_policy1", "-cert",
117 "-out", "req1.tsq"])),
118 'creating req1.req time stamp request for file testtsa');
120 ok(run(app([@RUN, "-query", "-in", "req1.tsq", "-text"])),
121 'printing req1.req');
123 subtest 'generating valid response for req1.req' => sub {
124 create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1")
127 ok(run(app([@RUN, "-reply", "-in", "resp1.tsr", "-text"])),
128 'printing response');
130 subtest 'verifying valid response' => sub {
131 verify_time_stamp_response("req1.tsq", "resp1.tsr", $testtsa)
135 unless subtest 'verifying valid token' => sub {
136 ok(run(app([@RUN, "-reply", "-in", "resp1.tsr",
137 "-out", "resp1.tsr.token", "-token_out"])));
138 ok(run(app([@RUN, "-verify", "-queryfile", "req1.tsq",
139 "-in", "resp1.tsr.token", "-token_in",
140 "-CAfile", "tsaca.pem",
141 "-untrusted", "tsa_cert1.pem"])));
142 ok(run(app([@RUN, "-verify", "-data", $testtsa,
143 "-in", "resp1.tsr.token", "-token_in",
144 "-CAfile", "tsaca.pem",
145 "-untrusted", "tsa_cert1.pem"])));
149 unless ok(run(app([@RUN, "-query", "-data", $testtsa,
150 "-tspolicy", "tsa_policy2", "-no_nonce",
151 "-out", "req2.tsq"])),
152 'creating req2.req time stamp request for file testtsa');
154 ok(run(app([@RUN, "-query", "-in", "req2.tsq", "-text"])),
155 'printing req2.req');
158 unless subtest 'generating valid response for req2.req' => sub {
159 create_time_stamp_response("req2.tsq", "resp2.tsr", "tsa_config1")
163 unless subtest 'checking -token_in and -token_out options with -reply' => sub {
164 my $RESPONSE2="resp2.tsr.copy.tsr";
165 my $TOKEN_DER="resp2.tsr.token.der";
167 ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
168 "-out", "$TOKEN_DER", "-token_out"])));
169 ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
170 "-token_in", "-out", "$RESPONSE2"])));
171 is(compare($RESPONSE2, "resp2.tsr"), 0);
172 ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
173 "-text", "-token_out"])));
174 ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
175 "-token_in", "-text", "-token_out"])));
176 ok(run(app([@RUN, "-reply", "-queryfile", "req2.tsq",
177 "-text", "-token_out"])));
180 ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", "-text"])),
181 'printing response');
183 subtest 'verifying valid response' => sub {
184 verify_time_stamp_response("req2.tsq", "resp2.tsr", $testtsa)
187 subtest 'verifying response against wrong request, it should fail' => sub {
188 verify_time_stamp_response_fail("req1.tsq", "resp2.tsr")
191 subtest 'verifying response against wrong request, it should fail' => sub {
192 verify_time_stamp_response_fail("req2.tsq", "resp1.tsr")
196 unless ok(run(app([@RUN, "-query", "-data", $CAtsa,
197 "-no_nonce", "-out", "req3.tsq"])),
198 "creating req3.req time stamp request for file CAtsa.cnf");
200 ok(run(app([@RUN, "-query", "-in", "req3.tsq", "-text"])),
201 'printing req3.req');
203 subtest 'verifying response against wrong request, it should fail' => sub {
204 verify_time_stamp_response_fail("req3.tsq", "resp1.tsr")
207 }, create => 1, cleanup => 1