2 # Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
14 use File::Path 2.00 qw/rmtree/;
15 use OpenSSL::Test qw/:DEFAULT cmdstr data_file srctop_file/;
16 use OpenSSL::Test::Utils;
17 use Time::Local qw/timegm/;
21 $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
23 my $cnf = '"' . srctop_file("test","ca-and-certs.cnf") . '"';;
24 my $std_openssl_cnf = '"'
25 . srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf")
28 rmtree("demoCA", { safe => 0 });
32 $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
33 skip "failed creating CA structure", 4
34 if !ok(run(perlapp(["CA.pl","-newca"], stdin => undef)),
35 'creating CA structure');
37 $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
38 skip "failed creating new certificate request", 3
39 if !ok(run(perlapp(["CA.pl","-newreq",
40 '-extra-req', '-outform DER -section userreq'])),
41 'creating certificate request');
42 $ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config '.$std_openssl_cnf;
43 skip "failed to sign certificate request", 2
44 if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0,
45 'signing certificate request');
47 ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])),
48 'verifying new certificate');
50 skip "CT not configured, can't use -precert", 1
53 $ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
54 ok(run(perlapp(["CA.pl", "-precert", '-extra-req', '-section userreq'], stderr => undef)),
55 'creating new pre-certificate');
59 skip "SM2 is not supported by this OpenSSL build", 1
62 is(yes(cmdstr(app(["openssl", "ca", "-config",
64 "-in", srctop_file("test", "certs", "sm2-csr.pem"),
65 "-out", "sm2-test.crt",
66 "-sigopt", "distid:1234567812345678",
67 "-vfyopt", "distid:1234567812345678",
69 "-cert", srctop_file("test", "certs", "sm2-root.crt"),
70 "-keyfile", srctop_file("test", "certs", "sm2-root.key")]))),
72 "Signing SM2 certificate request");
75 test_revoke('notimes', {
78 test_revoke('lastupdate_invalid', {
79 lastupdate => '1234567890',
82 test_revoke('lastupdate_utctime', {
83 lastupdate => '200901123456Z',
86 test_revoke('lastupdate_generalizedtime', {
87 lastupdate => '20990901123456Z',
90 test_revoke('nextupdate_invalid', {
91 nextupdate => '1234567890',
94 test_revoke('nextupdate_utctime', {
95 nextupdate => '200901123456Z',
98 test_revoke('nextupdate_generalizedtime', {
99 nextupdate => '20990901123456Z',
102 test_revoke('both_utctime', {
103 lastupdate => '200901123456Z',
104 nextupdate => '200908123456Z',
107 test_revoke('both_generalizedtime', {
108 lastupdate => '20990901123456Z',
109 nextupdate => '20990908123456Z',
114 my ($filename, $opts) = @_;
116 subtest "Revoke certificate and generate CRL: $filename" => sub {
117 # Before Perl 5.12.0, the range of times Perl could represent was
118 # limited by the size of time_t, so Time::Local was hamstrung by the
120 # Perl 5.12.0 onwards use an internal time implementation with a
121 # guaranteed >32-bit time range on all architectures, so the tests
122 # involving post-2038 times won't fail provided we're running under
123 # that version or newer
125 'Perl >= 5.12.0 required to run certificate revocation tests'
128 $ENV{CN2} = $filename;
134 '-key', data_file('revoked.key'),
135 '-out', "$filename-req.pem",
136 '-section', 'userreq',
147 '-in', "$filename-req.pem",
148 '-out', "$filename-cert.pem",
157 '-revoke', "$filename-cert.pem",
164 if (exists $opts->{lastupdate}) {
165 push @gencrl_opts, '-crl_lastupdate', $opts->{lastupdate};
168 if (exists $opts->{nextupdate}) {
169 push @gencrl_opts, '-crl_nextupdate', $opts->{nextupdate};
177 '-out', "$filename-crl.pem",
181 $opts->{should_succeed},
184 my $crl_gentime = time;
186 # The following tests only need to run if the CRL was supposed to be
188 return unless $opts->{should_succeed};
190 my $crl_lastupdate = crl_field("$filename-crl.pem", 'lastUpdate');
191 if (exists $opts->{lastupdate}) {
194 rfc5280_time($opts->{lastupdate}),
195 'CRL lastUpdate field has expected value'
198 diag("CRL lastUpdate: $crl_lastupdate");
199 diag("openssl run time: $crl_gentime");
201 # Is the CRL's lastUpdate time within a second of the time that
202 # `openssl ca -gencrl` was executed?
203 $crl_gentime - 1 <= $crl_lastupdate && $crl_lastupdate <= $crl_gentime + 1,
204 'CRL lastUpdate field has (roughly) expected value'
208 my $crl_nextupdate = crl_field("$filename-crl.pem", 'nextUpdate');
209 if (exists $opts->{nextupdate}) {
212 rfc5280_time($opts->{nextupdate}),
213 'CRL nextUpdate field has expected value'
216 diag("CRL nextUpdate: $crl_nextupdate");
217 diag("openssl run time: $crl_gentime");
219 # Is the CRL's lastUpdate time within a second of the time that
220 # `openssl ca -gencrl` was executed, taking into account the use
222 $crl_gentime + 59 <= $crl_nextupdate && $crl_nextupdate <= $crl_gentime + 61,
223 'CRL nextUpdate field has (roughly) expected value'
231 open(PIPE, "|-", join(" ",@_));
232 local $SIG{PIPE} = "IGNORE";
233 1 while $cntr-- > 0 && print PIPE "y\n";
238 # Get the value of the lastUpdate or nextUpdate field from a CRL
240 my ($crl_path, $field_name) = @_;
247 '-' . lc($field_name),
250 statusvar => \my $exit,
252 ok($exit, "CRL $field_name field retrieved");
253 diag("CRL $field_name: $out[0]");
255 $out[0] =~ s/^\Q$field_name\E=//;
257 my $time = human_time($out[0]);
262 # Converts human-readable ASN1_TIME_print() output to Unix time
266 my ($mo, $d, $h, $m, $s, $y) = $human =~ /^([A-Za-z]{3})\s+(\d+) (\d{2}):(\d{2}):(\d{2}) (\d{4})/;
269 Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4, Jun => 5,
270 Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11,
273 return timegm($s, $m, $h, $d, $months{$mo}, $y);
276 # Converts an RFC 5280 timestamp to Unix time
280 my ($y, $mo, $d, $h, $m, $s) = $asn1 =~ /^(\d{2,4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$/;
282 return timegm($s, $m, $h, $d, $mo - 1, $y);