4 # A few very basic tests for the 'ts' time stamping authority command.
11 OPENSSL_CONF="../CAtsa.cnf"
13 # Because that's what ../apps/CA.sh really looks at
14 SSLEAY_CONFIG="-config $OPENSSL_CONF"
17 OPENSSL="`pwd`/../util/opensslwrap.sh"
22 echo "TSA test failed!" >&2
28 rm -rf tsa 2>/dev/null
41 echo "Creating a new CA for the TSA tests..."
44 ../../util/shlib_wrap.sh ../../apps/openssl req -new -x509 -nodes \
45 -out tsaca.pem -keyout tsacakey.pem
57 ../../util/shlib_wrap.sh ../../apps/openssl req -new \
58 -out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem
60 echo Using extension $EXT
61 ../../util/shlib_wrap.sh ../../apps/openssl x509 -req \
62 -in tsa_req${INDEX}.pem -out tsa_cert${INDEX}.pem \
63 -CA tsaca.pem -CAkey tsacakey.pem -CAcreateserial \
64 -extfile $OPENSSL_CONF -extensions $EXT
70 ../../util/shlib_wrap.sh ../../apps/openssl ts -query -in $1 -text
73 create_time_stamp_request1 () {
75 ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../testtsa -policy tsa_policy1 -cert -out req1.tsq
79 create_time_stamp_request2 () {
81 ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../testtsa -policy tsa_policy2 -no_nonce \
86 create_time_stamp_request3 () {
88 ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../CAtsa.cnf -no_nonce -out req3.tsq
94 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $1 -text
98 create_time_stamp_response () {
100 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -section $3 -queryfile $1 -out $2
101 test $? != 0 && error
104 time_stamp_response_token_test () {
106 RESPONSE2=$2.copy.tsr
107 TOKEN_DER=$2.token.der
108 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -out $TOKEN_DER -token_out
109 test $? != 0 && error
110 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $TOKEN_DER -token_in -out $RESPONSE2
111 test $? != 0 && error
113 test $? != 0 && error
114 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -text -token_out
115 test $? != 0 && error
116 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $TOKEN_DER -token_in -text -token_out
117 test $? != 0 && error
118 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -queryfile $1 -text -token_out
119 test $? != 0 && error
122 verify_time_stamp_response () {
124 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2 -CAfile tsaca.pem \
125 -untrusted tsa_cert1.pem
126 test $? != 0 && error
127 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -data $3 -in $2 -CAfile tsaca.pem \
128 -untrusted tsa_cert1.pem
129 test $? != 0 && error
132 verify_time_stamp_token () {
134 # create the token from the response first
135 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -out $2.token -token_out
136 test $? != 0 && error
137 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2.token -token_in \
138 -CAfile tsaca.pem -untrusted tsa_cert1.pem
139 test $? != 0 && error
140 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -data $3 -in $2.token -token_in \
141 -CAfile tsaca.pem -untrusted tsa_cert1.pem
142 test $? != 0 && error
145 verify_time_stamp_response_fail () {
147 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2 -CAfile tsaca.pem \
148 -untrusted tsa_cert1.pem
149 # Checks if the verification failed, as it should have.
156 echo "Setting up TSA test directory..."
159 echo "Creating CA for TSA tests..."
162 echo "Creating tsa_cert1.pem TSA server cert..."
163 create_tsa_cert 1 tsa_cert
165 echo "Creating tsa_cert2.pem non-TSA server cert..."
166 create_tsa_cert 2 non_tsa_cert
168 echo "Creating req1.req time stamp request for file testtsa..."
169 create_time_stamp_request1
171 echo "Printing req1.req..."
172 print_request req1.tsq
174 echo "Generating valid response for req1.req..."
175 create_time_stamp_response req1.tsq resp1.tsr tsa_config1
177 echo "Printing response..."
178 print_response resp1.tsr
180 echo "Verifying valid response..."
181 verify_time_stamp_response req1.tsq resp1.tsr ../testtsa
183 echo "Verifying valid token..."
184 verify_time_stamp_token req1.tsq resp1.tsr ../testtsa
186 # The tests below are commented out, because invalid signer certificates
187 # can no longer be specified in the config file.
189 # echo "Generating _invalid_ response for req1.req..."
190 # create_time_stamp_response req1.tsq resp1_bad.tsr tsa_config2
192 # echo "Printing response..."
193 # print_response resp1_bad.tsr
195 # echo "Verifying invalid response, it should fail..."
196 # verify_time_stamp_response_fail req1.tsq resp1_bad.tsr
198 echo "Creating req2.req time stamp request for file testtsa..."
199 create_time_stamp_request2
201 echo "Printing req2.req..."
202 print_request req2.tsq
204 echo "Generating valid response for req2.req..."
205 create_time_stamp_response req2.tsq resp2.tsr tsa_config1
207 echo "Checking '-token_in' and '-token_out' options with '-reply'..."
208 time_stamp_response_token_test req2.tsq resp2.tsr
210 echo "Printing response..."
211 print_response resp2.tsr
213 echo "Verifying valid response..."
214 verify_time_stamp_response req2.tsq resp2.tsr ../testtsa
216 echo "Verifying response against wrong request, it should fail..."
217 verify_time_stamp_response_fail req1.tsq resp2.tsr
219 echo "Verifying response against wrong request, it should fail..."
220 verify_time_stamp_response_fail req2.tsq resp1.tsr
222 echo "Creating req3.req time stamp request for file CAtsa.cnf..."
223 create_time_stamp_request3
225 echo "Printing req3.req..."
226 print_request req3.tsq
228 echo "Verifying response against wrong request, it should fail..."
229 verify_time_stamp_response_fail req3.tsq resp1.tsr
231 echo "Cleaning up..."