2 $! A few very basic tests for the 'ts' time stamping authority command.
6 $ if f$getsyi("cpu") .ge. 128 then -
7 __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
8 $ if __arch .eqs. "" then __arch := UNK
9 $ exe_dir := sys$disk:[-.'__arch'.exe.apps]
11 $ openssl := mcr 'f$parse(exe_dir+"openssl.exe")'
12 $ OPENSSL_CONF := [-]CAtsa.cnf
13 $ ! Because that's what ../apps/CA.sh really looks at
14 $ SSLEAY_CONFIG = "-config " + OPENSSL_CONF
18 $ write sys$error "TSA test failed!"
25 $ if f$search("tsa.dir") .nes ""
27 $ @[-.util]deltree [.tsa]*.*
28 $ set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
40 $ @[-.util]deltree [.tsa]*.*
41 $ set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
48 $ write sys$output "Creating a new CA for the TSA tests..."
49 $ @[--.util]deltree [.demoCA]*.*
51 $ open/write file VMStsa-response.create_ca
54 $ write file "Budapest"
55 $ write file "Budapest"
56 $ write file "Gov-CA Ltd."
59 $ open/read sys$ca_input VMStsa-response.create_ca
60 $ @[--.apps]CA.com -input sys$ca_input -newca
61 $ save_severity = $severity
63 $ if save_severity .ne. 1 then call error
71 $ open/write file VMStsa-response1.create_tsa_cert
73 $ write file "Budapest"
75 $ write file "Hun-TSA Ltd."
76 $ write file "tsa",INDEX
78 $ define/user sys$input VMStsa-response.create_tsa_cert
80 -out tsa_req'INDEX'.pem -keyout tsa_key'INDEX'.pem
81 $ if $severity .ne. 1 then call error
83 $ open/write file VMStsa-response2.create_tsa_cert
87 $ define/user sys$input VMStsa-response.create_tsa_cert
88 $ openssl ca -in tsa_req'INDEX'.pem -out tsa_cert'INDEX'.pem -
90 $ if $severity .ne. 1 then call error
96 $ openssl ts -query -in 'p1' -text
99 $ create_time_stamp_request1: subroutine
101 $ openssl ts -query -data [-]testtsa.com -policy tsa_policy1 -
103 $ if $severity .ne. 1 then call error
106 $ create_time_stamp_request2: subroutine
108 $ openssl ts -query -data [-]testtsa.com -policy tsa_policy2 -
109 -no_nonce -out req2.tsq
110 $ if $severity .ne. 1 then call error
113 $ create_time_stamp_request3: subroutine
115 $ openssl ts -query -data [-]CAtsa.cnf -no_nonce -out req3.tsq
116 $ if $severity .ne. 1 then call error
122 $ openssl ts -reply -in 'p1' -text
123 $ if $severity .ne. 1 then call error
126 $ create_time_stamp_response:
129 $ openssl ts -reply -section 'p3' -queryfile 'p1' -out 'p2'
130 $ if $severity .ne. 1 then call error
133 $ time_stamp_response_token_test:
136 $ RESPONSE2:='p2'.copy_tsr
137 $ TOKEN_DER:='p2'.token_der
138 $ openssl ts -reply -in 'p2' -out 'TOKEN_DER' -token_out
139 $ if $severity .ne. 1 then call error
140 $ openssl ts -reply -in 'TOKEN_DER' -token_in -out 'RESPONSE2'
141 $ if $severity .ne. 1 then call error
142 $ backup/compare 'RESPONSE2' 'p2'
143 $ if $severity .ne. 1 then call error
144 $ openssl ts -reply -in 'p2' -text -token_out
145 $ if $severity .ne. 1 then call error
146 $ openssl ts -reply -in 'TOKEN_DER' -token_in -text -token_out
147 $ if $severity .ne. 1 then call error
148 $ openssl ts -reply -queryfile 'p1' -text -token_out
149 $ if $severity .ne. 1 then call error
152 $ verify_time_stamp_response:
155 $ openssl ts -verify -queryfile 'p1' -in 'p2' -
156 -CAfile [.demoCA]cacert.pem -untrusted tsa_cert1.pem
157 $ if $severity .ne. 1 then call error
158 $ openssl ts -verify -data 'p3' -in 'p2' -
159 -CAfile [.demoCA]cacert.pem -untrusted tsa_cert1.pem
160 $ if $severity .ne. 1 then call error
163 $ verify_time_stamp_token:
166 $ # create the token from the response first
167 $ openssl ts -reply -in 'p2' -out 'p2'.token -token_out
168 $ if $severity .ne. 1 then call error
169 $ openssl ts -verify -queryfile 'p1' -in 'p2'.token -token_in \
170 -CAfile [.demoCA]cacert.pem -untrusted tsa_cert1.pem
171 $ if $severity .ne. 1 then call error
172 $ openssl ts -verify -data 'p3' -in 'p2'.token -token_in \
173 -CAfile [.demoCA]cacert.pem -untrusted tsa_cert1.pem
174 $ if $severity .ne. 1 then call error
177 $ verify_time_stamp_response_fail:
180 $ openssl ts -verify -queryfile 'p1' -in 'p2' -
181 -CAfile [.demoCA]cacert.pem -untrusted tsa_cert1.pem
182 $ # Checks if the verification failed, as it should have.
183 $ if $severity .ne. 1 then call error
184 $ write sys$output "Ok"
187 $ ! Main body ----------------------------------------------------------
189 $ write sys$output "Setting up TSA test directory..."
192 $ write sys$output "Creating CA for TSA tests..."
195 $ write sys$output "Creating tsa_cert1.pem TSA server cert..."
196 $ call create_tsa_cert 1 tsa_cert
198 $ write sys$output "Creating tsa_cert2.pem non-TSA server cert..."
199 $ call create_tsa_cert 2 non_tsa_cert
201 $ write sys$output "Creating req1.req time stamp request for file testtsa..."
202 $ call create_time_stamp_request1
204 $ write sys$output "Printing req1.req..."
205 $ call print_request req1.tsq
207 $ write sys$output "Generating valid response for req1.req..."
208 $ call create_time_stamp_response req1.tsq resp1.tsr tsa_config1
210 $ write sys$output "Printing response..."
211 $ call print_response resp1.tsr
213 $ write sys$output "Verifying valid response..."
214 $ call verify_time_stamp_response req1.tsq resp1.tsr ../testtsa
216 $ write sys$output "Verifying valid token..."
217 $ call verify_time_stamp_token req1.tsq resp1.tsr ../testtsa
219 $ ! The tests below are commented out, because invalid signer certificates
220 $ ! can no longer be specified in the config file.
222 $ ! write sys$output "Generating _invalid_ response for req1.req..."
223 $ ! call create_time_stamp_response req1.tsq resp1_bad.tsr tsa_config2
225 $ ! write sys$output "Printing response..."
226 $ ! call print_response resp1_bad.tsr
228 $ ! write sys$output "Verifying invalid response, it should fail..."
229 $ ! call verify_time_stamp_response_fail req1.tsq resp1_bad.tsr
231 $ write sys$output "Creating req2.req time stamp request for file testtsa..."
232 $ call create_time_stamp_request2
234 $ write sys$output "Printing req2.req..."
235 $ call print_request req2.tsq
237 $ write sys$output "Generating valid response for req2.req..."
238 $ call create_time_stamp_response req2.tsq resp2.tsr tsa_config1
240 $ write sys$output "Checking '-token_in' and '-token_out' options with '-reply'..."
241 $ call time_stamp_response_token_test req2.tsq resp2.tsr
243 $ write sys$output "Printing response..."
244 $ call print_response resp2.tsr
246 $ write sys$output "Verifying valid response..."
247 $ call verify_time_stamp_response req2.tsq resp2.tsr ../testtsa
249 $ write sys$output "Verifying response against wrong request, it should fail..."
250 $ call verify_time_stamp_response_fail req1.tsq resp2.tsr
252 $ write sys$output "Verifying response against wrong request, it should fail..."
253 $ call verify_time_stamp_response_fail req2.tsq resp1.tsr
255 $ write sys$output "Creating req3.req time stamp request for file CAtsa.cnf..."
256 $ call create_time_stamp_request3
258 $ write sys$output "Printing req3.req..."
259 $ call print_request req3.tsq
261 $ write sys$output "Verifying response against wrong request, it should fail..."
262 $ call verify_time_stamp_response_fail req3.tsq resp1.tsr
264 $ write sys$output "Cleaning up..."