2 $! A few very basic tests for the 'ts' time stamping authority command.
$! Pick the build output directory for this CPU and define the command
$! symbol that every test below invokes. Only the AXP branch of the
$! architecture choice is visible in this listing.
6 $ if f$getsyi("cpu") .ge. 128 then __arch := AXP
7 $ exe_dir := sys$disk:[-.'__arch'.exe.apps]
$! The openssl image is run from the build tree (exe_dir) through MCR.
9 $ openssl := mcr 'exe_dir'openssl
$! Points OPENSSL_CONF at CAtsa.cnf one directory up.
10 $ OPENSSL_CONF := [-]CAtsa.cnf
$! Failure report written to SYS$ERROR. The "call error" checks that follow
$! each command presumably end up here; the subroutine header is not part of
$! this listing.
14 $ write sys$error "TSA test failed!"
$! Empty the [.tsa] scratch tree, then change the protection of the directory
$! file tsa.dir itself.
$! NOTE(review): the mask grants every user class, including GROUP and WORLD,
$! full read/write/execute/delete access to tsa.dir. If the private keys
$! written later with -keyout are created under this directory, that is
$! broader than a test run needs; owner delete access is probably enough to
$! make the directory removable - confirm before narrowing.
21 $ @[-.utils]deltree [.tsa]*.*
22 $ set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
$! The same two steps appear a second time further down the script.
33 $ @[-.utils]deltree [.tsa]*.*
34 $ set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
$! Build a fresh demo CA by feeding scripted prompt answers to CA.com.
41 $ write sys$output "Creating a new CA for the TSA tests..."
$! NOTE(review): [--.utils] here versus [-.utils] in the directory setup
$! suggests the default directory has changed by this point; the line that
$! changes it is not visible.
42 $ @[--.utils]deltree [.demoCA]*.*
$! The answers for the certificate prompts are written to a response file.
44 $ open/write file VMStsa-response.create_ca
47 $ write file "Budapest"
48 $ write file "Budapest"
49 $ write file "Gov-CA Ltd."
$! The response file is reopened for reading and handed to CA.com as input.
52 $ open/read sys$ca_input VMStsa-response.create_ca
53 $ @[--.apps]CA.com -input sys$ca_input -newca
$! $severity is captured right after CA.com and tested later, presumably so
$! that an intervening command (not shown) cannot overwrite the result.
54 $ save_severity = $severity
56 $ if save_severity .ne. 1 then call error
$! Create key, certificate request and CA-signed certificate number INDEX.
$! The answers for the request prompts are written to a response file first.
64 $ open/write file VMStsa-response1.create_tsa_cert
66 $ write file "Budapest"
68 $ write file "Hun-TSA Ltd."
69 $ write file "tsa",INDEX
$! NOTE(review): SYS$INPUT is pointed at VMStsa-response.create_tsa_cert, but
$! the file written above is VMStsa-response1.create_tsa_cert (and
$! VMStsa-response2.create_tsa_cert below). Unless a line missing from this
$! listing reconciles the names, the commands read a file that is never
$! created here - confirm.
$! The command that the "-out ... -keyout ..." continuation belongs to is not
$! part of this listing; it writes the request and the private key.
71 $ define/user sys$input VMStsa-response.create_tsa_cert
73 -out tsa_req'INDEX'.pem -keyout tsa_key'INDEX'.pem
74 $ if $severity .ne. 1 then call error
$! Second response file, for the signing step.
76 $ open/write file VMStsa-response2.create_tsa_cert
$! The request is turned into tsa_cert'INDEX'.pem by "openssl ca"; the rest of
$! that command line continues on a line that is not shown.
80 $ define/user sys$input VMStsa-response.create_tsa_cert
81 $ openssl ca -in tsa_req'INDEX'.pem -out tsa_cert'INDEX'.pem -
83 $ if $severity .ne. 1 then call error
$! Print the time stamp request named by P1 in text form.
89 $ openssl ts -query -in 'p1' -text
$! Build a request over [-]testtsa.com under tsa_policy1. The command
$! continues on a line that is not part of this listing.
92 $ create_time_stamp_request1: subroutine
94 $ openssl ts -query -data [-]testtsa.com -policy tsa_policy1 -
96 $ if $severity .ne. 1 then call error
$! Build a request over [-]testtsa.com under tsa_policy2 and write it to
$! req2.tsq. -no_nonce leaves the nonce out of the request, so a response to
$! it carries no per-request value that could be matched during verification.
99 $ create_time_stamp_request2: subroutine
101 $ openssl ts -query -data [-]testtsa.com -policy tsa_policy2 -
102 -no_nonce -out req2.tsq
103 $ if $severity .ne. 1 then call error
$! Build a request over a different file, [-]CAtsa.cnf, with no policy option
$! and no nonce, and write it to req3.tsq.
106 $ create_time_stamp_request3: subroutine
108 $ openssl ts -query -data [-]CAtsa.cnf -no_nonce -out req3.tsq
109 $ if $severity .ne. 1 then call error
$! Print the time stamp response named by P1 in text form and fail the test
$! if the command does not exit with severity 1.
115 $ openssl ts -reply -in 'p1' -text
116 $ if $severity .ne. 1 then call error
$! Produce a time stamp response.
$!   P1 = request file, P2 = response file to write,
$!   P3 = name of the configuration section passed to -section.
119 $ create_time_stamp_response:
122 $ openssl ts -reply -section 'p3' -queryfile 'p1' -out 'p2'
123 $ if $severity .ne. 1 then call error
$! Round-trip check for the -token_in and -token_out options of "ts -reply".
$!   P1 = request file, P2 = response file.
126 $ time_stamp_response_token_test:
$! Work file names are derived from the response file name.
129 $ RESPONSE2:='p2'.copy_tsr
130 $ TOKEN_DER:='p2'.token_der
$! Response -> bare token.
131 $ openssl ts -reply -in 'p2' -out 'TOKEN_DER' -token_out
132 $ if $severity .ne. 1 then call error
$! Bare token -> response again.
133 $ openssl ts -reply -in 'TOKEN_DER' -token_in -out 'RESPONSE2'
134 $ if $severity .ne. 1 then call error
$! The rebuilt response is compared with the original response file.
135 $ backup/compare 'RESPONSE2' 'p2'
136 $ if $severity .ne. 1 then call error
$! Text output for each input form; only the exit severity is checked.
137 $ openssl ts -reply -in 'p2' -text -token_out
138 $ if $severity .ne. 1 then call error
139 $ openssl ts -reply -in 'TOKEN_DER' -token_in -text -token_out
140 $ if $severity .ne. 1 then call error
141 $ openssl ts -reply -queryfile 'p1' -text -token_out
142 $ if $severity .ne. 1 then call error
$! Verify response P2 twice: against the request it answers (P1) and against
$! the time-stamped data file itself (P3). [.demoCA]cacert.pem is given as the
$! CA file and tsa_cert1.pem as an untrusted certificate in both checks.
145 $ verify_time_stamp_response:
148 $ openssl ts -verify -queryfile 'p1' -in 'p2' -
149 -CAfile [.demoCA]cacert.pem -untrusted tsa_cert1.pem
150 $ if $severity .ne. 1 then call error
151 $ openssl ts -verify -data 'p3' -in 'p2' -
152 -CAfile [.demoCA]cacert.pem -untrusted tsa_cert1.pem
153 $ if $severity .ne. 1 then call error
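$! Verify the bare token extracted from response P2, first against the
$! request (P1) and then against the data file (P3), with the same CA file
$! and untrusted certificate that the response checks use.
156 $ verify_time_stamp_token:
159 $ ! create the token from the response first
160 $ openssl ts -reply -in 'p2' -out 'p2'.token -token_out
161 $ if $severity .ne. 1 then call error
$! DCL continues a command with a trailing hyphen. A backslash is not a
$! continuation character, so the -CAfile/-untrusted line would not be part
$! of the verify command.
162 $ openssl ts -verify -queryfile 'p1' -in 'p2'.token -token_in -
163 -CAfile [.demoCA]cacert.pem -untrusted tsa_cert1.pem
164 $ if $severity .ne. 1 then call error
165 $ openssl ts -verify -data 'p3' -in 'p2'.token -token_in -
166 -CAfile [.demoCA]cacert.pem -untrusted tsa_cert1.pem
167 $ if $severity .ne. 1 then call error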
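$! Negative test: verifying response P2 against request P1 must be rejected.
$! The test passes only when "ts -verify" does NOT exit with severity 1.
170 $ verify_time_stamp_response_fail:
173 $ openssl ts -verify -queryfile 'p1' -in 'p2' -
174 -CAfile [.demoCA]cacert.pem -untrusted tsa_cert1.pem
175 $ ! Checks if the verification failed, as it should have.
$! Severity 1 here means a mismatched request/response pair was accepted,
$! which is the failure case for this test.
176 $ if $severity .eq. 1 then call error
177 $ write sys$output "Ok"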
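180 $ ! Main body ----------------------------------------------------------
$! Test sequence: set up the scratch directory and CA, issue two certificates,
$! then create, print and verify requests and responses. The calls that go
$! with the first two messages and with "Cleaning up..." are not part of
$! this listing.
182 $ write sys$output "Setting up TSA test directory..."
185 $ write sys$output "Creating CA for TSA tests..."
188 $ write sys$output "Creating tsa_cert1.pem TSA server cert..."
189 $ call create_tsa_cert 1 tsa_cert
191 $ write sys$output "Creating tsa_cert2.pem non-TSA server cert..."
192 $ call create_tsa_cert 2 non_tsa_cert
194 $ write sys$output "Creating req1.req time stamp request for file testtsa..."
195 $ call create_time_stamp_request1
197 $ write sys$output "Printing req1.req..."
198 $ call print_request req1.tsq
200 $ write sys$output "Generating valid response for req1.req..."
201 $ call create_time_stamp_response req1.tsq resp1.tsr tsa_config1
203 $ write sys$output "Printing response..."
204 $ call print_response resp1.tsr
$! The data file passed as P3 has to be the file the request was created
$! over, [-]testtsa.com, written as a VMS file specification.
206 $ write sys$output "Verifying valid response..."
207 $ call verify_time_stamp_response req1.tsq resp1.tsr [-]testtsa.com
209 $ write sys$output "Verifying valid token..."
210 $ call verify_time_stamp_token req1.tsq resp1.tsr [-]testtsa.com
212 $ ! The tests below are commented out, because invalid signer certificates
213 $ ! can no longer be specified in the config file.
$! NOTE(review): with these disabled, tsa_cert2.pem is created above but no
$! test in the lines shown uses it, so rejection of a response signed with a
$! non-TSA certificate is not exercised by this script.
215 $ ! write sys$output "Generating _invalid_ response for req1.req..."
216 $ ! call create_time_stamp_response req1.tsq resp1_bad.tsr tsa_config2
218 $ ! write sys$output "Printing response..."
219 $ ! call print_response resp1_bad.tsr
221 $ ! write sys$output "Verifying invalid response, it should fail..."
222 $ ! call verify_time_stamp_response_fail req1.tsq resp1_bad.tsr
224 $ write sys$output "Creating req2.req time stamp request for file testtsa..."
225 $ call create_time_stamp_request2
227 $ write sys$output "Printing req2.req..."
228 $ call print_request req2.tsq
230 $ write sys$output "Generating valid response for req2.req..."
231 $ call create_time_stamp_response req2.tsq resp2.tsr tsa_config1
233 $ write sys$output "Checking '-token_in' and '-token_out' options with '-reply'..."
234 $ call time_stamp_response_token_test req2.tsq resp2.tsr
236 $ write sys$output "Printing response..."
237 $ call print_response resp2.tsr
239 $ write sys$output "Verifying valid response..."
240 $ call verify_time_stamp_response req2.tsq resp2.tsr [-]testtsa.com
$! Negative cases: each response is checked against a request it does not
$! answer, and every one of these verifications must be rejected.
242 $ write sys$output "Verifying response against wrong request, it should fail..."
243 $ call verify_time_stamp_response_fail req1.tsq resp2.tsr
245 $ write sys$output "Verifying response against wrong request, it should fail..."
246 $ call verify_time_stamp_response_fail req2.tsq resp1.tsr
248 $ write sys$output "Creating req3.req time stamp request for file CAtsa.cnf..."
249 $ call create_time_stamp_request3
251 $ write sys$output "Printing req3.req..."
252 $ call print_request req3.tsq
254 $ write sys$output "Verifying response against wrong request, it should fail..."
255 $ call verify_time_stamp_response_fail req3.tsq resp1.tsr
257 $ write sys$output "Cleaning up..."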