2 $! A few very basic tests for the 'ts' time stamping authority command.
$! Select the architecture component of the build-tree path: AXP is used when
$! f$getsyi("cpu") reports 128 or above (the value used otherwise is
$! presumably assigned on a line not shown here).
6 $ if f$getsyi("cpu") .ge. 128 then __arch := AXP
7 $ exe_dir := sys$disk:[-.'__arch'.exe.apps]
$! The openssl symbol runs the image found under exe_dir, i.e. the binary
$! built in this tree. f$parse expands the path when the symbol is assigned.
9 $ openssl := mcr 'f$parse(exe_dir+"openssl.exe")'
$! Relative path to the TSA test configuration; it is resolved against
$! whatever the default directory is when it is used.
10 $ OPENSSL_CONF := [-]CAtsa.cnf
$! Failure message sent to sys$error (the surrounding lines are not shown).
14 $ write sys$error "TSA test failed!"
$! If a tsa.dir from an earlier run exists, empty the [.tsa] tree with deltree
$! and then open up the protection on the directory file itself.
$! NOTE(review): the mask grants world (W) RWED on tsa.dir, which appears to be
$! the directory where the test CA and TSA private keys are generated.
$! Presumably this is only so the directory file can be deleted on a line not
$! shown; owner delete access would normally be enough for that - confirm and
$! narrow the mask if so.
21 $ if f$search("tsa.dir") .nes ""
23 $ @[-.util]deltree [.tsa]*.*
24 $ set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
$! The same clean-up sequence appears a second time further down the script.
36 $ @[-.util]deltree [.tsa]*.*
37 $ set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
$! Build a throw-away demo CA for the tests. Any existing [.demoCA] tree is
$! removed first, then the answers to CA.com's prompts are written to a
$! response file so that -newca can run without a terminal.
44 $ write sys$output "Creating a new CA for the TSA tests..."
45 $ @[--.util]deltree [.demoCA]*.*
47 $ open/write file VMStsa-response.create_ca
50 $ write file "Budapest"
51 $ write file "Budapest"
52 $ write file "Gov-CA Ltd."
$! Re-open the response file for reading and hand it to CA.com as its input.
55 $ open/read sys$ca_input VMStsa-response.create_ca
56 $ @[--.apps]CA.com -input sys$ca_input -newca
$! Keep CA.com's status before anything else runs; presumably the line between
$! these two (not shown) would otherwise overwrite $severity. 1 means success.
57 $ save_severity = $severity
59 $ if save_severity .ne. 1 then call error
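$! Create a key and certificate request for the TSA numbered INDEX, then have
$! the demo CA sign it. Each step reads its prompt answers from its own
$! response file (INDEX is presumably taken from a parameter on a line not
$! shown). The private key is written to tsa_key'INDEX'.pem in the current
$! default directory.
67 $ open/write file VMStsa-response1.create_tsa_cert
69 $ write file "Budapest"
71 $ write file "Hun-TSA Ltd."
72 $ write file "tsa",INDEX
$! Fix: point sys$input at the file written above (VMStsa-response1...).
$! The previous name had no digit and matched neither response file, so the
$! request step did not receive the prepared answers.
74 $ define/user sys$input VMStsa-response1.create_tsa_cert
76 -out tsa_req'INDEX'.pem -keyout tsa_key'INDEX'.pem
77 $ if $severity .ne. 1 then call error
$! Second response file: answers for the signing step below.
79 $ open/write file VMStsa-response2.create_tsa_cert
$! Fix: same correction as above, using the second response file.
83 $ define/user sys$input VMStsa-response2.create_tsa_cert
84 $ openssl ca -in tsa_req'INDEX'.pem -out tsa_cert'INDEX'.pem -
86 $ if $severity .ne. 1 then call error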
$! Print the time stamp query named by p1 in human-readable form.
92 $ openssl ts -query -in 'p1' -text
$! Create a time stamp query over [-]testtsa.com that asks for policy
$! tsa_policy1. The command continues on a line that is not shown here.
$! No -no_nonce is visible, so this query presumably carries a nonce.
95 $ create_time_stamp_request1: subroutine
97 $ openssl ts -query -data [-]testtsa.com -policy tsa_policy1 -
99 $ if $severity .ne. 1 then call error
$! Create req2.tsq: a query over [-]testtsa.com that asks for policy
$! tsa_policy2. With -no_nonce the query carries no nonce, so a response to it
$! cannot be tied to this particular request by nonce; matching then rests on
$! the other request fields.
102 $ create_time_stamp_request2: subroutine
104 $ openssl ts -query -data [-]testtsa.com -policy tsa_policy2 -
105 -no_nonce -out req2.tsq
106 $ if $severity .ne. 1 then call error
$! Create req3.tsq: a query over a different file ([-]CAtsa.cnf), with no
$! policy requested and no nonce. The main body uses it as a request that must
$! not match a response issued for another file.
109 $ create_time_stamp_request3: subroutine
111 $ openssl ts -query -data [-]CAtsa.cnf -no_nonce -out req3.tsq
112 $ if $severity .ne. 1 then call error
$! Print the time stamp response named by p1 in human-readable form and fail
$! the test if openssl does not return success.
118 $ openssl ts -reply -in 'p1' -text
119 $ if $severity .ne. 1 then call error
$! Generate a time stamp response.
$!   p1 - query file to answer
$!   p2 - output file for the response
$!   p3 - name of the configuration section holding the TSA settings
122 $ create_time_stamp_response:
125 $ openssl ts -reply -section 'p3' -queryfile 'p1' -out 'p2'
126 $ if $severity .ne. 1 then call error
$! Exercise -token_in / -token_out with 'ts -reply'.
$!   p1 - query file, p2 - response file
$! The response is reduced to its bare token, the token is wrapped back into a
$! response, and the result must compare equal to the original response.
129 $ time_stamp_response_token_test:
132 $ RESPONSE2:='p2'.copy_tsr
133 $ TOKEN_DER:='p2'.token_der
$! Response -> token.
134 $ openssl ts -reply -in 'p2' -out 'TOKEN_DER' -token_out
135 $ if $severity .ne. 1 then call error
$! Token -> response.
136 $ openssl ts -reply -in 'TOKEN_DER' -token_in -out 'RESPONSE2'
137 $ if $severity .ne. 1 then call error
$! The rebuilt response has to match the original.
138 $ backup/compare 'RESPONSE2' 'p2'
139 $ if $severity .ne. 1 then call error
$! The remaining calls only check that the text output works for each
$! combination of token input and output options.
140 $ openssl ts -reply -in 'p2' -text -token_out
141 $ if $severity .ne. 1 then call error
142 $ openssl ts -reply -in 'TOKEN_DER' -token_in -text -token_out
143 $ if $severity .ne. 1 then call error
$! This one creates a fresh response from the query instead of reading one.
144 $ openssl ts -reply -queryfile 'p1' -text -token_out
145 $ if $severity .ne. 1 then call error
$! Verify response p2 twice: against the query file p1, then against the
$! original data file p3. The demo CA certificate is the only trust anchor
$! (-CAfile). tsa_cert1.pem is passed with -untrusted, so it is available for
$! building the signer's chain but is not trusted on its own.
148 $ verify_time_stamp_response:
151 $ openssl ts -verify -queryfile 'p1' -in 'p2' -
152 -CAfile [.demoCA]cacert.pem -untrusted tsa_cert1.pem
153 $ if $severity .ne. 1 then call error
154 $ openssl ts -verify -data 'p3' -in 'p2' -
155 -CAfile [.demoCA]cacert.pem -untrusted tsa_cert1.pem
156 $ if $severity .ne. 1 then call error
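$! Verify the bare token taken from response p2: once against the query file
$! p1 and once against the original data file p3. The trust settings match
$! the response checks: the demo CA is the anchor, and tsa_cert1.pem is only
$! an untrusted chain candidate.
$! Fixes: "#" is not a DCL comment character (use "!"), and DCL continues a
$! command with a trailing hyphen, not a backslash. With "\" the
$! -CAfile/-untrusted line was not part of the verify command.
159 $ verify_time_stamp_token:
162 $ ! create the token from the response first
163 $ openssl ts -reply -in 'p2' -out 'p2'.token -token_out
164 $ if $severity .ne. 1 then call error
165 $ openssl ts -verify -queryfile 'p1' -in 'p2'.token -token_in -
166 -CAfile [.demoCA]cacert.pem -untrusted tsa_cert1.pem
167 $ if $severity .ne. 1 then call error
168 $ openssl ts -verify -data 'p3' -in 'p2'.token -token_in -
169 -CAfile [.demoCA]cacert.pem -untrusted tsa_cert1.pem
170 $ if $severity .ne. 1 then call error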
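$! Negative test: verifying response p2 against query p1 must be rejected.
$! Fix: the status check was inverted. $severity 1 is success, so the test
$! has to fail when verification succeeds, not when it is rejected. The "#"
$! comment is also changed to "!", the DCL comment character.
$! NOTE(review): a failing openssl status may also trigger the procedure's ON
$! condition handling, which is not visible here - confirm that a rejected
$! verification actually reaches the check below.
173 $ verify_time_stamp_response_fail:
176 $ openssl ts -verify -queryfile 'p1' -in 'p2' -
177 -CAfile [.demoCA]cacert.pem -untrusted tsa_cert1.pem
178 $ ! Checks if the verification failed, as it should have.
179 $ if $severity .eq. 1 then call error
180 $ write sys$output "Ok"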
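183 $ ! Main body ----------------------------------------------------------
$! Order of the run: set up the directory and CA, issue one TSA and one
$! non-TSA certificate, then create, print and verify requests and responses.
$! The "it should fail" steps are the negative tests; they check that a
$! response is not accepted for a request it was not issued for.
185 $ write sys$output "Setting up TSA test directory..."
188 $ write sys$output "Creating CA for TSA tests..."
191 $ write sys$output "Creating tsa_cert1.pem TSA server cert..."
192 $ call create_tsa_cert 1 tsa_cert
194 $ write sys$output "Creating tsa_cert2.pem non-TSA server cert..."
195 $ call create_tsa_cert 2 non_tsa_cert
197 $ write sys$output "Creating req1.req time stamp request for file testtsa..."
198 $ call create_time_stamp_request1
200 $ write sys$output "Printing req1.req..."
201 $ call print_request req1.tsq
203 $ write sys$output "Generating valid response for req1.req..."
204 $ call create_time_stamp_response req1.tsq resp1.tsr tsa_config1
206 $ write sys$output "Printing response..."
207 $ call print_response resp1.tsr
$! Fix: the third parameter is the data file passed to 'ts -verify -data'.
$! The requests are created over [-]testtsa.com, so verification must name
$! the same file; "../testtsa" is a different name, so the imprint could not
$! match the data that was stamped.
209 $ write sys$output "Verifying valid response..."
210 $ call verify_time_stamp_response req1.tsq resp1.tsr [-]testtsa.com
212 $ write sys$output "Verifying valid token..."
213 $ call verify_time_stamp_token req1.tsq resp1.tsr [-]testtsa.com
215 $ ! The tests below are commented out, because invalid signer certificates
216 $ ! can no longer be specified in the config file.
$! NOTE(review): with these disabled, no step shown here checks that a
$! response signed with the non-TSA certificate (tsa_cert2.pem) is rejected.
218 $ ! write sys$output "Generating _invalid_ response for req1.req..."
219 $ ! call create_time_stamp_response req1.tsq resp1_bad.tsr tsa_config2
221 $ ! write sys$output "Printing response..."
222 $ ! call print_response resp1_bad.tsr
224 $ ! write sys$output "Verifying invalid response, it should fail..."
225 $ ! call verify_time_stamp_response_fail req1.tsq resp1_bad.tsr
227 $ write sys$output "Creating req2.req time stamp request for file testtsa..."
228 $ call create_time_stamp_request2
230 $ write sys$output "Printing req2.req..."
231 $ call print_request req2.tsq
233 $ write sys$output "Generating valid response for req2.req..."
234 $ call create_time_stamp_response req2.tsq resp2.tsr tsa_config1
236 $ write sys$output "Checking '-token_in' and '-token_out' options with '-reply'..."
237 $ call time_stamp_response_token_test req2.tsq resp2.tsr
239 $ write sys$output "Printing response..."
240 $ call print_response resp2.tsr
$! Same data-file fix as for the first verification above.
242 $ write sys$output "Verifying valid response..."
243 $ call verify_time_stamp_response req2.tsq resp2.tsr [-]testtsa.com
$! Negative tests: each response is checked against a request it was not
$! issued for, and the verification has to be rejected.
245 $ write sys$output "Verifying response against wrong request, it should fail..."
246 $ call verify_time_stamp_response_fail req1.tsq resp2.tsr
248 $ write sys$output "Verifying response against wrong request, it should fail..."
249 $ call verify_time_stamp_response_fail req2.tsq resp1.tsr
251 $ write sys$output "Creating req3.req time stamp request for file CAtsa.cnf..."
252 $ call create_time_stamp_request3
254 $ write sys$output "Printing req3.req..."
255 $ call print_request req3.tsq
$! req3 covers a different file, so resp1 must not verify against it.
257 $ write sys$output "Verifying response against wrong request, it should fail..."
258 $ call verify_time_stamp_response_fail req3.tsq resp1.tsr
260 $ write sys$output "Cleaning up..."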