#!/bin/sh # # A few very basic tests for the 'ts' time stamping authority command. # SH="/bin/sh" if test "$OSTYPE" = msdosdjgpp; then PATH="../apps\;$PATH" else PATH="../apps:$PATH" fi export SH PATH OPENSSL_CONF="../CAtsa.cnf" export OPENSSL_CONF # Because that's what ../apps/CA.pl really looks at SSLEAY_CONFIG="-config $OPENSSL_CONF" export SSLEAY_CONFIG OPENSSL="`pwd`/../util/opensslwrap.sh" export OPENSSL RUN () { ../../util/shlib_wrap.sh ../../apps/openssl ts $* } create_tsa_cert () { INDEX=$1 export INDEX EXT=$2 TSDNSECT=ts_cert_dn export TSDNSECT ../../util/shlib_wrap.sh ../../apps/openssl req -new \ -out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem || exit 1 echo using extension $EXT ../../util/shlib_wrap.sh ../../apps/openssl x509 -req \ -in tsa_req${INDEX}.pem -out tsa_cert${INDEX}.pem \ -CA tsaca.pem -CAkey tsacakey.pem -CAcreateserial \ -extfile $OPENSSL_CONF -extensions $EXT || exit 1 } create_time_stamp_response () { RUN -reply -section $3 -queryfile $1 -out $2 || exit 1 } verify_time_stamp_response () { RUN -verify -queryfile $1 -in $2 -CAfile tsaca.pem \ -untrusted tsa_cert1.pem || exit 1 RUN -verify -data $3 -in $2 -CAfile tsaca.pem \ -untrusted tsa_cert1.pem || exit 1 } verify_time_stamp_response_fail () { RUN -verify -queryfile $1 -in $2 -CAfile tsaca.pem \ -untrusted tsa_cert1.pem && exit 1 echo ok } # main functions echo setting up TSA test directory rm -rf tsa 2>/dev/null mkdir tsa cd ./tsa echo creating a new CA for the TSA tests TSDNSECT=ts_ca_dn export TSDNSECT ../../util/shlib_wrap.sh ../../apps/openssl req -new -x509 -nodes \ -out tsaca.pem -keyout tsacakey.pem || exit 1 echo creating tsa_cert1.pem TSA server cert create_tsa_cert 1 tsa_cert echo creating tsa_cert2.pem non-TSA server cert create_tsa_cert 2 non_tsa_cert echo creating req1.req time stamp request for file testtsa RUN -query -data ../testtsa -policy tsa_policy1 -cert -out req1.tsq || exit 1 echo printing req1.req RUN -query -in req1.tsq -text echo generating valid response for req1.req create_time_stamp_response req1.tsq resp1.tsr tsa_config1 echo printing response RUN -reply -in resp1.tsr -text || exit 1 echo verifying valid response verify_time_stamp_response req1.tsq resp1.tsr ../testtsa echo verifying valid token RUN -reply -in resp1.tsr -out resp1.tsr.token -token_out || exit 1 RUN -verify -queryfile req1.tsq -in resp1.tsr.token -token_in \ -CAfile tsaca.pem -untrusted tsa_cert1.pem || exit 1 RUN -verify -data ../testtsa -in resp1.tsr.token -token_in \ -CAfile tsaca.pem -untrusted tsa_cert1.pem || exit 1 echo creating req2.req time stamp request for file testtsa RUN -query -data ../testtsa -policy tsa_policy2 -no_nonce \ -out req2.tsq || exit 1 echo printing req2.req RUN -query -in req2.tsq -text echo generating valid response for req2.req create_time_stamp_response req2.tsq resp2.tsr tsa_config1 echo checking -token_in and -token_out options with -reply RESPONSE2=resp2.tsr.copy.tsr TOKEN_DER=resp2.tsr.token.der RUN -reply -in resp2.tsr -out $TOKEN_DER -token_out || exit 1 RUN -reply -in $TOKEN_DER -token_in -out $RESPONSE2 || exit 1 cmp $RESPONSE2 resp2.tsr || exit 1 RUN -reply -in resp2.tsr -text -token_out || exit 1 RUN -reply -in $TOKEN_DER -token_in -text -token_out || exit 1 RUN -reply -queryfile req2.tsq -text -token_out || exit 1 echo printing response RUN -reply -in resp2.tsr -text || exit 1 echo verifying valid response verify_time_stamp_response req2.tsq resp2.tsr ../testtsa echo verifying response against wrong request, it should fail verify_time_stamp_response_fail req1.tsq resp2.tsr echo verifying response against wrong request, it should fail verify_time_stamp_response_fail req2.tsq resp1.tsr echo creating req3.req time stamp request for file CAtsa.cnf RUN -query -data ../CAtsa.cnf -no_nonce -out req3.tsq || exit 1 echo printing req3.req RUN -query -in req3.tsq -text echo verifying response against wrong request, it should fail verify_time_stamp_response_fail req3.tsq resp1.tsr echo cleaning up cd .. rm -rf tsa exit 0