2 $! A few very basic tests for the 'ts' time stamping authority command.
6 $ if f$getsyi("cpu") .ge. 128 then -
7 __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
8 $ if __arch .eqs. "" then __arch := UNK
9 $ exe_dir := sys$disk:[-.'__arch'.exe.apps]
11 $ openssl := mcr 'f$parse(exe_dir+"openssl.exe")'
12 $ OPENSSL_CONF := [-]CAtsa.cnf
13 $ ! Because that's what ../apps/CA.sh really looks at
14 $ SSLEAY_CONFIG = "-config " + OPENSSL_CONF
18 $ write sys$error "TSA test failed!"
25 $ if f$search("tsa.dir") .nes ""
27 $ @[-.util]deltree [.tsa]*.*
28 $ set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
40 $ @[-.util]deltree [.tsa]*.*
41 $ set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
48 $ write sys$output "Creating a new CA for the TSA tests..."
49 $ TSDNSECT = "ts_ca_dn"
50 $ openssl req -new -x509 -nodes -
51 -out tsaca.pem -keyout tsacakey.pem
52 $ if $severity .ne. 1 then call error
60 $ TSDNSECT = "ts_cert_dn"
63 -out tsa_req'INDEX'.pem -keyout tsa_key'INDEX'.pem
64 $ if $severity .ne. 1 then call error
66 $ write sys$output "Using extension ''EXT'"
68 -in tsa_req'INDEX'.pem -out tsa_cert'INDEX'.pem -
69 "-CA" tsaca.pem "-CAkey" tsacakey.pem "-CAcreateserial" -
70 -extfile 'OPENSSL_CONF' -extensions "''EXT'"
71 $ if $severity .ne. 1 then call error
77 $ openssl ts -query -in 'p1' -text
80 $ create_time_stamp_request1: subroutine
82 $ openssl ts -query -data [-]testtsa.com -policy tsa_policy1 -
84 $ if $severity .ne. 1 then call error
87 $ create_time_stamp_request2: subroutine
89 $ openssl ts -query -data [-]testtsa.com -policy tsa_policy2 -
90 -no_nonce -out req2.tsq
91 $ if $severity .ne. 1 then call error
94 $ create_time_stamp_request3: subroutine
96 $ openssl ts -query -data [-]CAtsa.cnf -no_nonce -out req3.tsq
97 $ if $severity .ne. 1 then call error
103 $ openssl ts -reply -in 'p1' -text
104 $ if $severity .ne. 1 then call error
107 $ create_time_stamp_response:
110 $ openssl ts -reply -section 'p3' -queryfile 'p1' -out 'p2'
111 $ if $severity .ne. 1 then call error
114 $ time_stamp_response_token_test:
117 $ RESPONSE2:='p2'.copy_tsr
118 $ TOKEN_DER:='p2'.token_der
119 $ openssl ts -reply -in 'p2' -out 'TOKEN_DER' -token_out
120 $ if $severity .ne. 1 then call error
121 $ openssl ts -reply -in 'TOKEN_DER' -token_in -out 'RESPONSE2'
122 $ if $severity .ne. 1 then call error
123 $ backup/compare 'RESPONSE2' 'p2'
124 $ if $severity .ne. 1 then call error
125 $ openssl ts -reply -in 'p2' -text -token_out
126 $ if $severity .ne. 1 then call error
127 $ openssl ts -reply -in 'TOKEN_DER' -token_in -text -token_out
128 $ if $severity .ne. 1 then call error
129 $ openssl ts -reply -queryfile 'p1' -text -token_out
130 $ if $severity .ne. 1 then call error
133 $ verify_time_stamp_response:
136 $ openssl ts -verify -queryfile 'p1' -in 'p2' -
137 "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
138 $ if $severity .ne. 1 then call error
139 $ openssl ts -verify -data 'p3' -in 'p2' -
140 "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
141 $ if $severity .ne. 1 then call error
144 $ verify_time_stamp_token:
147 $ ! create the token from the response first
148 $ openssl ts -reply -in 'p2' -out 'p2'.token -token_out
149 $ if $severity .ne. 1 then call error
150 $ openssl ts -verify -queryfile 'p1' -in 'p2'.token -token_in -
151 "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
152 $ if $severity .ne. 1 then call error
153 $ openssl ts -verify -data 'p3' -in 'p2'.token -token_in -
154 "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
155 $ if $severity .ne. 1 then call error
158 $ verify_time_stamp_response_fail:
161 $ openssl ts -verify -queryfile 'p1' -in 'p2' -
162 "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
163 $ ! Checks if the verification failed, as it should have.
164 $ if $severity .eq. 1 then call error
165 $ write sys$output "Ok"
168 $ ! Main body ----------------------------------------------------------
172 $ write sys$output "Setting up TSA test directory..."
175 $ write sys$output "Creating CA for TSA tests..."
178 $ write sys$output "Creating tsa_cert1.pem TSA server cert..."
179 $ call create_tsa_cert 1 "tsa_cert"
181 $ write sys$output "Creating tsa_cert2.pem non-TSA server cert..."
182 $ call create_tsa_cert 2 "non_tsa_cert"
184 $ write sys$output "Creating req1.req time stamp request for file testtsa..."
185 $ call create_time_stamp_request1
187 $ write sys$output "Printing req1.req..."
188 $ call print_request req1.tsq
190 $ write sys$output "Generating valid response for req1.req..."
191 $ call create_time_stamp_response req1.tsq resp1.tsr tsa_config1
193 $ write sys$output "Printing response..."
194 $ call print_response resp1.tsr
196 $ write sys$output "Verifying valid response..."
197 $ call verify_time_stamp_response req1.tsq resp1.tsr [-]testtsa.com
199 $ write sys$output "Verifying valid token..."
200 $ call verify_time_stamp_token req1.tsq resp1.tsr [-]testtsa.com
202 $ ! The tests below are commented out, because invalid signer certificates
203 $ ! can no longer be specified in the config file.
205 $ ! write sys$output "Generating _invalid_ response for req1.req..."
206 $ ! call create_time_stamp_response req1.tsq resp1_bad.tsr tsa_config2
208 $ ! write sys$output "Printing response..."
209 $ ! call print_response resp1_bad.tsr
211 $ ! write sys$output "Verifying invalid response, it should fail..."
212 $ ! call verify_time_stamp_response_fail req1.tsq resp1_bad.tsr
214 $ write sys$output "Creating req2.req time stamp request for file testtsa..."
215 $ call create_time_stamp_request2
217 $ write sys$output "Printing req2.req..."
218 $ call print_request req2.tsq
220 $ write sys$output "Generating valid response for req2.req..."
221 $ call create_time_stamp_response req2.tsq resp2.tsr tsa_config1
223 $ write sys$output "Checking '-token_in' and '-token_out' options with '-reply'..."
224 $ call time_stamp_response_token_test req2.tsq resp2.tsr
226 $ write sys$output "Printing response..."
227 $ call print_response resp2.tsr
229 $ write sys$output "Verifying valid response..."
230 $ call verify_time_stamp_response req2.tsq resp2.tsr [-]testtsa.com
232 $ write sys$output "Verifying response against wrong request, it should fail..."
233 $ call verify_time_stamp_response_fail req1.tsq resp2.tsr
235 $ write sys$output "Verifying response against wrong request, it should fail..."
236 $ call verify_time_stamp_response_fail req2.tsq resp1.tsr
238 $ write sys$output "Creating req3.req time stamp request for file CAtsa.cnf..."
239 $ call create_time_stamp_request3
241 $ write sys$output "Printing req3.req..."
242 $ call print_request req3.tsq
244 $ write sys$output "Verifying response against wrong request, it should fail..."
245 $ call verify_time_stamp_response_fail req3.tsq resp1.tsr
247 $ write sys$output "Cleaning up..."