test/recipes/80-test_tsa.t

   1 #! /usr/bin/perl
   2
   3 use strict;
   4 use warnings;
   5
   6 use POSIX;
   7 use File::Spec::Functions qw/splitdir curdir catfile/;
   8 use File::Compare;
   9 use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
  10
  11 setup("test_tsa");
  12
  13 # All these are modified inside indir further down. They need to exist
  14 # here, however, to be available in all subroutines.
  15 my $testtsa;
  16 my $CAtsa;
  17 my @RUN = ("openssl", "ts");
  18
  19 sub create_tsa_cert {
  20     my $INDEX = shift;
  21     my $EXT = shift;
  22     my $r = 1;
  23     $ENV{TSDNSECT} = "ts_cert_dn";
  24
  25     ok(run(app(["openssl", "req", "-new",
  26                 "-out", "tsa_req${INDEX}.pem",
  27                 "-keyout", "tsa_key${INDEX}.pem"])));
  28     note "using extension $EXT";
  29     ok(run(app(["openssl", "x509", "-req",
  30                 "-in", "tsa_req${INDEX}.pem",
  31                 "-out", "tsa_cert${INDEX}.pem",
  32                 "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem",
  33                 "-CAcreateserial",
  34                 "-extfile", $ENV{OPENSSL_CONF}, "-extensions", $EXT])));
  35 }
  36
  37 sub create_time_stamp_response {
  38     my $queryfile = shift;
  39     my $outputfile = shift;
  40     my $datafile = shift;
  41
  42     ok(run(app([@RUN, "-reply", "-section", "$datafile",
  43                 "-queryfile", "$queryfile", "-out", "$outputfile"])));
  44 }
  45
  46 sub verify_time_stamp_response {
  47     my $queryfile = shift;
  48     my $inputfile = shift;
  49     my $datafile = shift;
  50
  51     ok(run(app([@RUN, "-verify", "-queryfile", "$queryfile",
  52                 "-in", "$inputfile", "-CAfile", "tsaca.pem",
  53                 "-untrusted", "tsa_cert1.pem"])));
  54     ok(run(app([@RUN, "-verify", "-data", "$datafile",
  55                 "-in", "$inputfile", "-CAfile", "tsaca.pem",
  56                 "-untrusted", "tsa_cert1.pem"])));
  57 }
  58
  59 sub verify_time_stamp_response_fail {
  60     my $queryfile = shift;
  61     my $inputfile = shift;
  62
  63     ok(!run(app([@RUN, "-verify", "-queryfile", "$queryfile",
  64                  "-in", "$inputfile", "-CAfile", "tsaca.pem",
  65                  "-untrusted", "tsa_cert1.pem"])));
  66 }
  67
  68 # main functions
  69
  70 plan tests => 20;
  71
  72 note "setting up TSA test directory";
  73 indir "tsa" => sub
  74 {
  75     $ENV{OPENSSL_CONF} = srctop_file("test", "CAtsa.cnf");
  76     # Because that's what ../apps/CA.pl really looks at
  77     $ENV{OPENSSL_CONFIG} = "-config ".$ENV{OPENSSL_CONF};
  78     $ENV{OPENSSL} = cmdstr(app(["openssl"]));
  79     $testtsa = srctop_file("test", "recipes", "80-test_tsa.t");
  80     $CAtsa = srctop_file("test", "CAtsa.cnf");
  81
  82  SKIP: {
  83      $ENV{TSDNSECT} = "ts_ca_dn";
  84      skip "failed", 19
  85          unless ok(run(app(["openssl", "req", "-new", "-x509", "-nodes",
  86                             "-out", "tsaca.pem", "-keyout", "tsacakey.pem"])),
  87                    'creating a new CA for the TSA tests');
  88
  89      skip "failed", 18
  90          unless subtest 'creating tsa_cert1.pem TSA server cert' => sub {
  91              create_tsa_cert("1", "tsa_cert")
  92      };
  93
  94      skip "failed", 17
  95          unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub {
  96              create_tsa_cert("2", "non_tsa_cert")
  97      };
  98
  99      skip "failed", 16
 100          unless ok(run(app([@RUN, "-query", "-data", $testtsa,
 101                             "-tspolicy", "tsa_policy1", "-cert",
 102                             "-out", "req1.tsq"])),
 103                    'creating req1.req time stamp request for file testtsa');
 104
 105      ok(run(app([@RUN, "-query", "-in", "req1.tsq", "-text"])),
 106         'printing req1.req');
 107
 108      subtest 'generating valid response for req1.req' => sub {
 109          create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1")
 110      };
 111
 112      ok(run(app([@RUN, "-reply", "-in", "resp1.tsr", "-text"])),
 113         'printing response');
 114
 115      subtest 'verifying valid response' => sub {
 116          verify_time_stamp_response("req1.tsq", "resp1.tsr", $testtsa)
 117      };
 118
 119      skip "failed", 11
 120          unless subtest 'verifying valid token' => sub {
 121              ok(run(app([@RUN, "-reply", "-in", "resp1.tsr",
 122                          "-out", "resp1.tsr.token", "-token_out"])));
 123              ok(run(app([@RUN, "-verify", "-queryfile", "req1.tsq",
 124                          "-in", "resp1.tsr.token", "-token_in",
 125                          "-CAfile", "tsaca.pem",
 126                          "-untrusted", "tsa_cert1.pem"])));
 127              ok(run(app([@RUN, "-verify", "-data", $testtsa,
 128                          "-in", "resp1.tsr.token", "-token_in",
 129                          "-CAfile", "tsaca.pem",
 130                          "-untrusted", "tsa_cert1.pem"])));
 131      };
 132
 133      skip "failed", 10
 134          unless ok(run(app([@RUN, "-query", "-data", $testtsa,
 135                             "-tspolicy", "tsa_policy2", "-no_nonce",
 136                             "-out", "req2.tsq"])),
 137                    'creating req2.req time stamp request for file testtsa');
 138
 139      ok(run(app([@RUN, "-query", "-in", "req2.tsq", "-text"])),
 140         'printing req2.req');
 141
 142      skip "failed", 8
 143          unless subtest 'generating valid response for req2.req' => sub {
 144              create_time_stamp_response("req2.tsq", "resp2.tsr", "tsa_config1")
 145      };
 146
 147      skip "failed", 7
 148          unless subtest 'checking -token_in and -token_out options with -reply' => sub {
 149              my $RESPONSE2="resp2.tsr.copy.tsr";
 150              my $TOKEN_DER="resp2.tsr.token.der";
 151
 152              ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
 153                          "-out", "$TOKEN_DER", "-token_out"])));
 154              ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
 155                          "-token_in", "-out", "$RESPONSE2"])));
 156              is(compare($RESPONSE2, "resp2.tsr"), 0);
 157              ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
 158                          "-text", "-token_out"])));
 159              ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
 160                          "-token_in", "-text", "-token_out"])));
 161              ok(run(app([@RUN, "-reply", "-queryfile", "req2.tsq",
 162                          "-text", "-token_out"])));
 163      };
 164
 165      ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", "-text"])),
 166         'printing response');
 167
 168      subtest 'verifying valid response' => sub {
 169          verify_time_stamp_response("req2.tsq", "resp2.tsr", $testtsa)
 170      };
 171
 172      subtest 'verifying response against wrong request, it should fail' => sub {
 173          verify_time_stamp_response_fail("req1.tsq", "resp2.tsr")
 174      };
 175
 176      subtest 'verifying response against wrong request, it should fail' => sub {
 177          verify_time_stamp_response_fail("req2.tsq", "resp1.tsr")
 178      };
 179
 180      skip "failure", 2
 181          unless ok(run(app([@RUN, "-query", "-data", $CAtsa,
 182                             "-no_nonce", "-out", "req3.tsq"])),
 183                    "creating req3.req time stamp request for file CAtsa.cnf");
 184
 185      ok(run(app([@RUN, "-query", "-in", "req3.tsq", "-text"])),
 186         'printing req3.req');
 187
 188      subtest 'verifying response against wrong request, it should fail' => sub {
 189          verify_time_stamp_response_fail("req3.tsq", "resp1.tsr")
 190      };
 191     }
 192 }, create => 1, cleanup => 1