4 # A few very basic tests for the 'ts' time stamping authority command.
11 OPENSSL_CONF="../CAtsa.cnf"
13 # Because that's what ../apps/CA.sh really looks at
14 SSLEAY_CONFIG="-config $OPENSSL_CONF"
17 OPENSSL="`pwd`/../util/opensslwrap.sh"
22 echo "TSA test failed!" >&2
28 rm -rf tsa 2>/dev/null
41 echo "Creating a new CA for the TSA tests..."
43 $SH ../../apps/CA.sh -newca <<EOF
58 ../../util/shlib_wrap.sh ../../apps/openssl req -new -out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem <<EOF
67 ../../util/shlib_wrap.sh ../../apps/openssl ca -in tsa_req${INDEX}.pem -out tsa_cert${INDEX}.pem \
68 -extensions $EXT <<EOF
77 ../../util/shlib_wrap.sh ../../apps/openssl ts -query -in $1 -text
80 create_time_stamp_request1 () {
82 ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../testtsa -policy tsa_policy1 -cert -out req1.tsq
86 create_time_stamp_request2 () {
88 ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../testtsa -policy tsa_policy2 -no_nonce \
93 create_time_stamp_request3 () {
95 ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../CAtsa.cnf -no_nonce -out req3.tsq
101 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $1 -text
102 test $? != 0 && error
105 create_time_stamp_response () {
107 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -section $3 -queryfile $1 -out $2
108 test $? != 0 && error
111 time_stamp_response_token_test () {
113 RESPONSE2=$2.copy.tsr
114 TOKEN_DER=$2.token.der
115 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -out $TOKEN_DER -token_out
116 test $? != 0 && error
117 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $TOKEN_DER -token_in -out $RESPONSE2
118 test $? != 0 && error
120 test $? != 0 && error
121 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -text -token_out
122 test $? != 0 && error
123 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $TOKEN_DER -token_in -text -token_out
124 test $? != 0 && error
125 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -queryfile $1 -text -token_out
126 test $? != 0 && error
129 verify_time_stamp_response () {
131 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2 -CAfile demoCA/cacert.pem \
132 -untrusted tsa_cert1.pem
133 test $? != 0 && error
134 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -data $3 -in $2 -CAfile demoCA/cacert.pem \
135 -untrusted tsa_cert1.pem
136 test $? != 0 && error
139 verify_time_stamp_token () {
141 # create the token from the response first
142 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -out $2.token -token_out
143 test $? != 0 && error
144 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2.token -token_in \
145 -CAfile demoCA/cacert.pem -untrusted tsa_cert1.pem
146 test $? != 0 && error
147 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -data $3 -in $2.token -token_in \
148 -CAfile demoCA/cacert.pem -untrusted tsa_cert1.pem
149 test $? != 0 && error
152 verify_time_stamp_response_fail () {
154 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2 -CAfile demoCA/cacert.pem \
155 -untrusted tsa_cert1.pem
156 # Checks if the verification failed, as it should have.
163 echo "Setting up TSA test directory..."
166 echo "Creating CA for TSA tests..."
169 echo "Creating tsa_cert1.pem TSA server cert..."
170 create_tsa_cert 1 tsa_cert
172 echo "Creating tsa_cert2.pem non-TSA server cert..."
173 create_tsa_cert 2 non_tsa_cert
175 echo "Creating req1.req time stamp request for file testtsa..."
176 create_time_stamp_request1
178 echo "Printing req1.req..."
179 print_request req1.tsq
181 echo "Generating valid response for req1.req..."
182 create_time_stamp_response req1.tsq resp1.tsr tsa_config1
184 echo "Printing response..."
185 print_response resp1.tsr
187 echo "Verifying valid response..."
188 verify_time_stamp_response req1.tsq resp1.tsr ../testtsa
190 echo "Verifying valid token..."
191 verify_time_stamp_token req1.tsq resp1.tsr ../testtsa
193 # The tests below are commented out, because invalid signer certificates
194 # can no longer be specified in the config file.
196 # echo "Generating _invalid_ response for req1.req..."
197 # create_time_stamp_response req1.tsq resp1_bad.tsr tsa_config2
199 # echo "Printing response..."
200 # print_response resp1_bad.tsr
202 # echo "Verifying invalid response, it should fail..."
203 # verify_time_stamp_response_fail req1.tsq resp1_bad.tsr
205 echo "Creating req2.req time stamp request for file testtsa..."
206 create_time_stamp_request2
208 echo "Printing req2.req..."
209 print_request req2.tsq
211 echo "Generating valid response for req2.req..."
212 create_time_stamp_response req2.tsq resp2.tsr tsa_config1
214 echo "Checking '-token_in' and '-token_out' options with '-reply'..."
215 time_stamp_response_token_test req2.tsq resp2.tsr
217 echo "Printing response..."
218 print_response resp2.tsr
220 echo "Verifying valid response..."
221 verify_time_stamp_response req2.tsq resp2.tsr ../testtsa
223 echo "Verifying response against wrong request, it should fail..."
224 verify_time_stamp_response_fail req1.tsq resp2.tsr
226 echo "Verifying response against wrong request, it should fail..."
227 verify_time_stamp_response_fail req2.tsq resp1.tsr
229 echo "Creating req3.req time stamp request for file CAtsa.cnf..."
230 create_time_stamp_request3
232 echo "Printing req3.req..."
233 print_request req3.tsq
235 echo "Verifying response against wrong request, it should fail..."
236 verify_time_stamp_response_fail req3.tsq resp1.tsr
238 echo "Cleaning up..."