From 8573552e8c3eed250dfc2031dd794500f343ac94 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Ulf=20M=C3=B6ller?=
Date: Sun, 12 Feb 2006 23:19:25 +0000
Subject: [PATCH] time stamp Makefile, test files Submitted by: Zoltan Glozik
---
crypto/ts/Makefile | 120 +++++++++++++++++++++++
test/CAtsa.cnf | 172 +++++++++++++++++++++++++++++++++
test/testtsa | 234 +++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 526 insertions(+)
create mode 100644 crypto/ts/Makefile
create mode 100644 test/CAtsa.cnf
create mode 100644 test/testtsa
diff --git a/crypto/ts/Makefile b/crypto/ts/Makefile
new file mode 100644
index 0000000000..5d3162592b
--- /dev/null
+++ b/crypto/ts/Makefile
@@ -0,0 +1,120 @@
+#
+# SSLeay/crypto/ts/Makefile
+#
+
+DIR= ts
+TOP= ../..
+CC= cc
+INCLUDES= -I.. -I../../include
+CFLAG = -g
+INSTALL_PREFIX=
+OPENSSLDIR= /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKEDEPPROG= makedepend
+MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
+MAKEFILE= Makefile
+AR= ar r
+
+PEX_LIBS=
+EX_LIBS=
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL= Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= ts_err.c ts_req_utils.c ts_req_print.c ts_resp_utils.c ts_resp_print.c \
+ ts_resp_sign.c ts_resp_verify.c ts_verify_ctx.c ts_lib.c ts_conf.c \
+ ts_asn1.c
+LIBOBJ= ts_err.o ts_req_utils.o ts_req_print.o ts_resp_utils.o ts_resp_print.o \
+ ts_resp_sign.o ts_resp_verify.o ts_verify_ctx.o ts_lib.o ts_conf.o \
+ ts_asn1.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= ts.h
+HEADER= $(EXHEADER)
+
+ALL= $(GENERAL) $(SRC) $(HEADER)
+
+top:
+ (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+test:
+
+all: lib
+
+lib: $(LIBOBJ)
+ $(AR) $(LIB) $(LIBOBJ)
+ $(RANLIB) $(LIB) || echo Never mind.
+ @touch lib
+
+files:
+ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+
+links:
+ @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+ @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+ @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+ @for i in $(EXHEADER) ; \
+ do \
+ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+ done;
+
+tags:
+ ctags $(SRC)
+
+lint:
+ lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+ $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
+
+dclean:
+ $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+ mv -f Makefile.new $(MAKEFILE)
+
+clean:
+ rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff enc dec sign verify
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+ts_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ts_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+ts_lib.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+ts_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+ts_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ts_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+ts_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+ts_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+ts_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+ts_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ts_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+ts_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+ts_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ts_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+ts_lib.o: ../../include/openssl/x509v3.h ../cryptlib.h ts.h ts_lib.c
+ts_resp_print.o: ../../e_os.h ../../include/openssl/asn1.h
+ts_resp_print.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+ts_resp_print.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+ts_resp_print.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+ts_resp_print.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+ts_resp_print.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+ts_resp_print.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+ts_resp_print.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+ts_resp_print.o: ../../include/openssl/obj_mac.h
+ts_resp_print.o: ../../include/openssl/objects.h
+ts_resp_print.o: ../../include/openssl/opensslconf.h
+ts_resp_print.o: ../../include/openssl/opensslv.h
+ts_resp_print.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+ts_resp_print.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+ts_resp_print.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ts_resp_print.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ts_resp_print.o: ../../include/openssl/x509_vfy.h
+ts_resp_print.o: ../../include/openssl/x509v3.h ../cryptlib.h ts.h
+ts_resp_print.o: ts_resp_print.c
diff --git a/test/CAtsa.cnf b/test/CAtsa.cnf
new file mode 100644
index 0000000000..732e9996d6
--- /dev/null
+++ b/test/CAtsa.cnf
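Review bot: In the `install` recipe the `cp` and `chmod` are joined with `;` inside a subshell and the `for` loop never checks the result, so when an older `ts.h` already exists at the destination a failed `cp` is masked by the successful `chmod` and `make install` still exits 0 with a stale header in place. Chain the two and propagate the failure, e.g. `(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i && chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i) || exit 1; \`. The same `;` pattern in `top:` (`cd ../..; $(MAKE) ...`) would start the sub-make in the current directory if the `cd` fails; `cd ../.. && $(MAKE) ...` avoids that. Separately, `clean` removes `enc dec sign verify`, which nothing in this Makefile builds; it looks copied from another directory and could delete unrelated files of those names.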
@@ -0,0 +1,172 @@
+
+#
+# This config is used by the Time Stamp Authority tests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+[ new_oids ]
+
+# Policies used by the TSA tests.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+#----------------------------------------------------------------------
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+
+dir = ./demoCA
+certs = $dir/certs # Where the issued certs are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+private_key = $dir/private/cakey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+default_days = 365 # how long to certify for
+default_md = sha1 # which md to use.
+preserve = no # keep passed DN ordering
+
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = supplied
+stateOrProvinceName = supplied
+organizationName = supplied
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+#----------------------------------------------------------------------
+[ req ]
+default_bits = 1024
+default_md = sha1
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+# attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+string_mask = nombstr
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = HU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default =
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default =
+
+commonName = Common Name (eg, YOUR name)
+commonName_max = 64
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ tsa_cert ]
+
+# TSA server cert is not a CA cert.
+basicConstraints=CA:FALSE
+
+# The following key usage flags are needed for TSA server certificates.
+keyUsage = nonRepudiation, digitalSignature
+extendedKeyUsage = critical,timeStamping
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+[ non_tsa_cert ]
+
+# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
+basicConstraints=CA:FALSE
+
+# The following key usage flags are needed for TSA server certificates.
+keyUsage = nonRepudiation, digitalSignature
+# timeStamping is not supported by this certificate
+# extendedKeyUsage = critical,timeStamping
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature
+
+[ v3_ca ]
+
+# Extensions for a typical CA
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = critical,CA:true
+keyUsage = cRLSign, keyCertSign
+
+#----------------------------------------------------------------------
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = . # TSA root directory
+serial = $dir/tsa_serial # The current serial number (mandatory)
+signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
+
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = md5, sha1 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = yes # Must the ESS cert id chain be included?
+ # (optional, default: no)
+
+[ tsa_config2 ]
+
+# This configuration uses a certificate which doesn't have timeStamping usage.
+# These are used by the TSA reply generation only.
+dir = . # TSA root directory
+serial = $dir/tsa_serial # The current serial number (mandatory)
+signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
+
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = md5, sha1 # Acceptable message digests (mandatory)
diff --git a/test/testtsa b/test/testtsa
new file mode 100644
index 0000000000..b135438b7d
--- /dev/null
+++ b/test/testtsa
@@ -0,0 +1,234 @@
+#!/bin/sh
+
+#
+# A few very basic tests for the 'ts' time stamping authority command.
+#
+
+SH="/bin/sh"
+PATH=../../apps:$PATH
+export SH PATH
+
+OPENSSL_CONF="../CAtsa.cnf"
+export OPENSSL_CONF
+
+error () {
+
+ echo "ERROR DURING TSA TESTS!!!!!!!!!!!!!!!!" >&2
+ exit 1
+}
+
+setup_dir () {
+
+ rm -rf tsa 2>/dev/null
+ mkdir tsa
+ cd ./tsa
+}
+
+clean_up_dir () {
+
+ cd ..
+ rm -rf tsa
+}
+
+create_ca () {
+
+ echo "Creating a new CA for the TSA tests..."
+ /bin/rm -fr demoCA
+ $SH ../../apps/CA.sh -newca <
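Review bot: The CA and TSA sections hard-code parameters that should be labelled test-only: `default_bits = 1024`, `default_md = sha1` and `encrypt_rsa_key = no` in `[ req ]`, and `digests = md5, sha1` in both `[ tsa_config1 ]` and `[ tsa_config2 ]`. The header only says the file is used by the TSA tests, so someone copying it as a starting point for a real TSA gets no hint; I would add `# Test-only values: small key size, weak digests and unencrypted private keys; do not reuse for a production TSA.` under the header comment. In `[ non_tsa_cert ]` the comment "The following key usage flags are needed for TSA server certificates." is copied from `[ tsa_cert ]` and contradicts the section's purpose; `# Same keyUsage as tsa_cert; only the timeStamping extendedKeyUsage is left out.` would describe what the section actually does.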