1 #! /usr/bin/perl
2
3 use strict;
4 use warnings;
5
6 use POSIX;
7 use File::Spec::Functions qw/splitdir curdir catfile/;
8 use File::Compare;
9 use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
10 use OpenSSL::Test::Utils;
11
setup("test_tsa");

plan skip_all => "TS is not supported by this OpenSSL build"
    if disabled("ts");

# Shared state for the helper subroutines below.  The two paths are only
# assigned inside the indir block at the end of the file, but they are
# declared at file scope so that every subroutine can see them.
my ($testtsa, $CAtsa);
# Common command prefix for all "openssl ts" invocations.
my @RUN = qw(openssl ts);
22
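# Create a server key/certificate pair for the TSA tests:
# tsa_key${INDEX}.pem and tsa_cert${INDEX}.pem, signed by the test CA
# (tsaca.pem / tsacakey.pem) that the caller created beforehand.
#
#   $INDEX  suffix used for the request, key and certificate file names
#   $EXT    x509 extension section in $ENV{OPENSSL_CONF} used when signing;
#           callers pass "tsa_cert" for the TSA server cert and
#           "non_tsa_cert" for a non-TSA cert
#
# Records two tests via ok(), one per openssl invocation.  Callers wrap
# this in a subtest, so the return value is not relied upon.
#
# The unused local "$r" from the original has been dropped.
sub create_tsa_cert {
    my ($INDEX, $EXT) = @_;

    # Presumably selects the subject DN section that the config file reads
    # for this request -- confirm against test/CAtsa.cnf.
    $ENV{TSDNSECT} = "ts_cert_dn";

    ok(run(app(["openssl", "req", "-new",
                "-out", "tsa_req${INDEX}.pem",
                "-keyout", "tsa_key${INDEX}.pem"])),
       "generating key and request for tsa_cert${INDEX}.pem");
    note "using extension $EXT";
    # -CAcreateserial creates the CA serial file if it does not exist yet,
    # so the first and second certificate issued here get distinct serials.
    # The extension section comes from the same config file the caller
    # pointed OPENSSL_CONF at.
    ok(run(app(["openssl", "x509", "-req",
                "-in", "tsa_req${INDEX}.pem",
                "-out", "tsa_cert${INDEX}.pem",
                "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem",
                "-CAcreateserial",
                "-extfile", $ENV{OPENSSL_CONF}, "-extensions", $EXT])),
       "signing tsa_cert${INDEX}.pem with extension section $EXT");
}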
40
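# Produce a time stamp response for an existing query file.
#
#   $queryfile   the .tsq request to answer
#   $outputfile  where the .tsr response is written
#   $datafile    name of the config section ("-section") describing the
#                TSA used to generate the response
#
# Records one test via ok().  Plain scalars are passed without the
# useless "$var" interpolation of the original.
sub create_time_stamp_response {
    my ($queryfile, $outputfile, $datafile) = @_;

    ok(run(app([@RUN, "-reply", "-section", $datafile,
                "-queryfile", $queryfile, "-out", $outputfile])),
       "generating response $outputfile for $queryfile");
}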
49
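# Verify a time stamp response in two ways: against the query it answers
# and against the original data file.
#
#   $queryfile  the .tsq request the response was issued for
#   $inputfile  the .tsr response to verify
#   $datafile   the file whose imprint the response covers
#
# Records two tests via ok().  Trust is anchored on the test CA only;
# tsa_cert1.pem is given as untrusted chain material and must itself
# chain to tsaca.pem for verification to succeed.
sub verify_time_stamp_response {
    my ($queryfile, $inputfile, $datafile) = @_;

    # Same trust settings for both verification modes.
    my @trust = ("-CAfile", "tsaca.pem", "-untrusted", "tsa_cert1.pem");

    ok(run(app([@RUN, "-verify", "-queryfile", $queryfile,
                "-in", $inputfile, @trust])),
       "verifying $inputfile against query $queryfile");
    ok(run(app([@RUN, "-verify", "-data", $datafile,
                "-in", $inputfile, @trust])),
       "verifying $inputfile against data file $datafile");
}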
62
# Negative check: verifying $inputfile against a query it was not issued
# for must fail.  Records one test via ok(), which passes only when the
# "openssl ts -verify" invocation does NOT succeed.
#
#   $queryfile  a .tsq request that does not match the response
#   $inputfile  the .tsr response to verify
sub verify_time_stamp_response_fail {
    my ($queryfile, $inputfile) = @_;

    my @cmd = (@RUN, "-verify", "-queryfile", $queryfile,
               "-in", $inputfile, "-CAfile", "tsaca.pem",
               "-untrusted", "tsa_cert1.pem");
    my $verified = run(app([@cmd]));
    ok(!$verified);
}
71
72 # main test sequence
73
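plan tests => 20;

note "setting up TSA test directory";
# All artefacts are written to a scratch directory "tsa", which is created
# on entry and removed afterwards (create => 1, cleanup => 1 below).
indir "tsa" => sub
{
    $ENV{OPENSSL_CONF} = srctop_file("test", "CAtsa.cnf");
    # Because that's what ../apps/CA.pl really looks at
    $ENV{OPENSSL_CONFIG} = "-config ".$ENV{OPENSSL_CONF};
    $ENV{OPENSSL} = cmdstr(app(["openssl"]));
    # This recipe is the file that gets time-stamped; the config file is
    # used as an unrelated second data file for a negative test.
    $testtsa = srctop_file("test", "recipes", "80-test_tsa.t");
    $CAtsa = srctop_file("test", "CAtsa.cnf");

    # Each step consumes artefacts of earlier ones, so a failed
    # prerequisite skips everything that would depend on it instead of
    # producing a cascade of misleading failures.  Every skip count is the
    # number of tests still to come at that point (20 in total).  Test
    # descriptions are unique so a failing line can be located from the
    # TAP output alone.
  SKIP: {
        # Presumably selects the CA's subject DN section -- confirm against
        # test/CAtsa.cnf.  -nodes leaves the CA key unencrypted so the
        # later signing steps need no passphrase.
        $ENV{TSDNSECT} = "ts_ca_dn";
        skip "failed", 19
            unless ok(run(app(["openssl", "req", "-new", "-x509", "-nodes",
                               "-out", "tsaca.pem", "-keyout", "tsacakey.pem"])),
                      'creating a new CA for the TSA tests');

        skip "failed", 18
            unless subtest 'creating tsa_cert1.pem TSA server cert' => sub {
                create_tsa_cert("1", "tsa_cert")
            };

        skip "failed", 17
            unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub {
                create_tsa_cert("2", "non_tsa_cert")
            };

        # First request: policy 1, with a nonce, asking for the TSA cert
        # to be included in the response (-cert).
        skip "failed", 16
            unless ok(run(app([@RUN, "-query", "-data", $testtsa,
                               "-tspolicy", "tsa_policy1", "-cert",
                               "-out", "req1.tsq"])),
                      'creating req1.tsq time stamp request for file testtsa');

        ok(run(app([@RUN, "-query", "-in", "req1.tsq", "-text"])),
           'printing req1.tsq');

        subtest 'generating valid response resp1.tsr for req1.tsq' => sub {
            create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1")
        };

        ok(run(app([@RUN, "-reply", "-in", "resp1.tsr", "-text"])),
           'printing response resp1.tsr');

        subtest 'verifying valid response resp1.tsr' => sub {
            verify_time_stamp_response("req1.tsq", "resp1.tsr", $testtsa)
        };

        # A response can be reduced to its bare token (-token_out) and the
        # token verified on its own (-token_in), both against the query and
        # against the original data.
        skip "failed", 11
            unless subtest 'verifying valid token' => sub {
                ok(run(app([@RUN, "-reply", "-in", "resp1.tsr",
                            "-out", "resp1.tsr.token", "-token_out"])),
                   'extracting token from resp1.tsr');
                ok(run(app([@RUN, "-verify", "-queryfile", "req1.tsq",
                            "-in", "resp1.tsr.token", "-token_in",
                            "-CAfile", "tsaca.pem",
                            "-untrusted", "tsa_cert1.pem"])),
                   'verifying token against req1.tsq');
                ok(run(app([@RUN, "-verify", "-data", $testtsa,
                            "-in", "resp1.tsr.token", "-token_in",
                            "-CAfile", "tsaca.pem",
                            "-untrusted", "tsa_cert1.pem"])),
                   'verifying token against the original data');
            };

        # Second request: policy 2 and no nonce.
        skip "failed", 10
            unless ok(run(app([@RUN, "-query", "-data", $testtsa,
                               "-tspolicy", "tsa_policy2", "-no_nonce",
                               "-out", "req2.tsq"])),
                      'creating req2.tsq time stamp request for file testtsa');

        ok(run(app([@RUN, "-query", "-in", "req2.tsq", "-text"])),
           'printing req2.tsq');

        skip "failed", 8
            unless subtest 'generating valid response resp2.tsr for req2.tsq' => sub {
                create_time_stamp_response("req2.tsq", "resp2.tsr", "tsa_config1")
            };

        skip "failed", 7
            unless subtest 'checking -token_in and -token_out options with -reply' => sub {
                my $response2 = "resp2.tsr.copy.tsr";
                my $token_der = "resp2.tsr.token.der";

                # response -> token -> response must round-trip exactly
                ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
                            "-out", $token_der, "-token_out"])),
                   'extracting DER token from resp2.tsr');
                ok(run(app([@RUN, "-reply", "-in", $token_der,
                            "-token_in", "-out", $response2])),
                   'rebuilding a response from the token');
                # File::Compare::compare returns 0 when the files are equal
                is(compare($response2, "resp2.tsr"), 0,
                   'rebuilt response is byte-identical to resp2.tsr');
                ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
                            "-text", "-token_out"])),
                   'printing the token of resp2.tsr as text');
                ok(run(app([@RUN, "-reply", "-in", $token_der,
                            "-token_in", "-text", "-token_out"])),
                   'printing the DER token as text');
                ok(run(app([@RUN, "-reply", "-queryfile", "req2.tsq",
                            "-text", "-token_out"])),
                   'creating a token for req2.tsq and printing it as text');
            };

        ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", "-text"])),
           'printing response resp2.tsr');

        subtest 'verifying valid response resp2.tsr' => sub {
            verify_time_stamp_response("req2.tsq", "resp2.tsr", $testtsa)
        };

        # Negative tests: a response must not verify against a request it
        # was not issued for.
        subtest 'verifying resp2.tsr against req1.tsq, it should fail' => sub {
            verify_time_stamp_response_fail("req1.tsq", "resp2.tsr")
        };

        subtest 'verifying resp1.tsr against req2.tsq, it should fail' => sub {
            verify_time_stamp_response_fail("req2.tsq", "resp1.tsr")
        };

        # Third request: a different data file, no nonce.  The response
        # issued for req1.tsq must not verify against it either.
        skip "failed", 2
            unless ok(run(app([@RUN, "-query", "-data", $CAtsa,
                               "-no_nonce", "-out", "req3.tsq"])),
                      "creating req3.tsq time stamp request for file CAtsa.cnf");

        ok(run(app([@RUN, "-query", "-in", "req3.tsq", "-text"])),
           'printing req3.tsq');

        subtest 'verifying resp1.tsr against req3.tsq, it should fail' => sub {
            verify_time_stamp_response_fail("req3.tsq", "resp1.tsr")
        };
    }
}, create => 1, cleanup => 1;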