Fix 80-test_ssl_old.t: only count the ciphers if there are any.
[openssl.git] / test / recipes / 80-test_tsa.t
1 #! /usr/bin/env perl
2 # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
3 #
4 # Licensed under the OpenSSL license (the "License").  You may not use
5 # this file except in compliance with the License.  You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
8
9
10 use strict;
11 use warnings;
12
13 use POSIX;
14 use File::Spec::Functions qw/splitdir curdir catfile/;
15 use File::Compare;
16 use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
17 use OpenSSL::Test::Utils;
18
19 setup("test_tsa");
20
21 plan skip_all => "TS is not supported by this OpenSSL build"
22     if disabled("ts");
23
24 # All these are modified inside indir further down. They need to exist
25 # here, however, to be available in all subroutines.
26 my $testtsa;
27 my $CAtsa;
28 my @RUN = ("openssl", "ts");
29
30 sub create_tsa_cert {
31     my $INDEX = shift;
32     my $EXT = shift;
33     my $r = 1;
34     $ENV{TSDNSECT} = "ts_cert_dn";
35
36     ok(run(app(["openssl", "req", "-new",
37                 "-out", "tsa_req${INDEX}.pem",
38                 "-keyout", "tsa_key${INDEX}.pem"])));
39     note "using extension $EXT";
40     ok(run(app(["openssl", "x509", "-req",
41                 "-in", "tsa_req${INDEX}.pem",
42                 "-out", "tsa_cert${INDEX}.pem",
43                 "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem",
44                 "-CAcreateserial",
45                 "-extfile", $ENV{OPENSSL_CONF}, "-extensions", $EXT])));
46 }
47
48 sub create_time_stamp_response {
49     my $queryfile = shift;
50     my $outputfile = shift;
51     my $datafile = shift;
52
53     ok(run(app([@RUN, "-reply", "-section", "$datafile",
54                 "-queryfile", "$queryfile", "-out", "$outputfile"])));
55 }
56
57 sub verify_time_stamp_response {
58     my $queryfile = shift;
59     my $inputfile = shift;
60     my $datafile = shift;
61
62     ok(run(app([@RUN, "-verify", "-queryfile", "$queryfile",
63                 "-in", "$inputfile", "-CAfile", "tsaca.pem",
64                 "-untrusted", "tsa_cert1.pem"])));
65     ok(run(app([@RUN, "-verify", "-data", "$datafile",
66                 "-in", "$inputfile", "-CAfile", "tsaca.pem",
67                 "-untrusted", "tsa_cert1.pem"])));
68 }
69
70 sub verify_time_stamp_response_fail {
71     my $queryfile = shift;
72     my $inputfile = shift;
73
74     ok(!run(app([@RUN, "-verify", "-queryfile", "$queryfile",
75                  "-in", "$inputfile", "-CAfile", "tsaca.pem",
76                  "-untrusted", "tsa_cert1.pem"])));
77 }
78
79 # main functions
80
81 plan tests => 20;
82
83 note "setting up TSA test directory";
84 indir "tsa" => sub
85 {
86     $ENV{OPENSSL_CONF} = srctop_file("test", "CAtsa.cnf");
87     # Because that's what ../apps/CA.pl really looks at
88     $ENV{OPENSSL_CONFIG} = "-config ".$ENV{OPENSSL_CONF};
89     $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
90     $testtsa = srctop_file("test", "recipes", "80-test_tsa.t");
91     $CAtsa = srctop_file("test", "CAtsa.cnf");
92
93  SKIP: {
94      $ENV{TSDNSECT} = "ts_ca_dn";
95      skip "failed", 19
96          unless ok(run(app(["openssl", "req", "-new", "-x509", "-nodes",
97                             "-out", "tsaca.pem", "-keyout", "tsacakey.pem"])),
98                    'creating a new CA for the TSA tests');
99
100      skip "failed", 18
101          unless subtest 'creating tsa_cert1.pem TSA server cert' => sub {
102              create_tsa_cert("1", "tsa_cert")
103      };
104
105      skip "failed", 17
106          unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub {
107              create_tsa_cert("2", "non_tsa_cert")
108      };
109
110      skip "failed", 16
111          unless ok(run(app([@RUN, "-query", "-data", $testtsa,
112                             "-tspolicy", "tsa_policy1", "-cert",
113                             "-out", "req1.tsq"])),
114                    'creating req1.req time stamp request for file testtsa');
115
116      ok(run(app([@RUN, "-query", "-in", "req1.tsq", "-text"])),
117         'printing req1.req');
118
119      subtest 'generating valid response for req1.req' => sub {
120          create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1")
121      };
122
123      ok(run(app([@RUN, "-reply", "-in", "resp1.tsr", "-text"])),
124         'printing response');
125
126      subtest 'verifying valid response' => sub {
127          verify_time_stamp_response("req1.tsq", "resp1.tsr", $testtsa)
128      };
129
130      skip "failed", 11
131          unless subtest 'verifying valid token' => sub {
132              ok(run(app([@RUN, "-reply", "-in", "resp1.tsr",
133                          "-out", "resp1.tsr.token", "-token_out"])));
134              ok(run(app([@RUN, "-verify", "-queryfile", "req1.tsq",
135                          "-in", "resp1.tsr.token", "-token_in",
136                          "-CAfile", "tsaca.pem",
137                          "-untrusted", "tsa_cert1.pem"])));
138              ok(run(app([@RUN, "-verify", "-data", $testtsa,
139                          "-in", "resp1.tsr.token", "-token_in",
140                          "-CAfile", "tsaca.pem",
141                          "-untrusted", "tsa_cert1.pem"])));
142      };
143
144      skip "failed", 10
145          unless ok(run(app([@RUN, "-query", "-data", $testtsa,
146                             "-tspolicy", "tsa_policy2", "-no_nonce",
147                             "-out", "req2.tsq"])),
148                    'creating req2.req time stamp request for file testtsa');
149
150      ok(run(app([@RUN, "-query", "-in", "req2.tsq", "-text"])),
151         'printing req2.req');
152
153      skip "failed", 8
154          unless subtest 'generating valid response for req2.req' => sub {
155              create_time_stamp_response("req2.tsq", "resp2.tsr", "tsa_config1")
156      };
157
158      skip "failed", 7
159          unless subtest 'checking -token_in and -token_out options with -reply' => sub {
160              my $RESPONSE2="resp2.tsr.copy.tsr";
161              my $TOKEN_DER="resp2.tsr.token.der";
162
163              ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
164                          "-out", "$TOKEN_DER", "-token_out"])));
165              ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
166                          "-token_in", "-out", "$RESPONSE2"])));
167              is(compare($RESPONSE2, "resp2.tsr"), 0);
168              ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
169                          "-text", "-token_out"])));
170              ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
171                          "-token_in", "-text", "-token_out"])));
172              ok(run(app([@RUN, "-reply", "-queryfile", "req2.tsq",
173                          "-text", "-token_out"])));
174      };
175
176      ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", "-text"])),
177         'printing response');
178
179      subtest 'verifying valid response' => sub {
180          verify_time_stamp_response("req2.tsq", "resp2.tsr", $testtsa)
181      };
182
183      subtest 'verifying response against wrong request, it should fail' => sub {
184          verify_time_stamp_response_fail("req1.tsq", "resp2.tsr")
185      };
186
187      subtest 'verifying response against wrong request, it should fail' => sub {
188          verify_time_stamp_response_fail("req2.tsq", "resp1.tsr")
189      };
190
191      skip "failure", 2
192          unless ok(run(app([@RUN, "-query", "-data", $CAtsa,
193                             "-no_nonce", "-out", "req3.tsq"])),
194                    "creating req3.req time stamp request for file CAtsa.cnf");
195
196      ok(run(app([@RUN, "-query", "-in", "req3.tsq", "-text"])),
197         'printing req3.req');
198
199      subtest 'verifying response against wrong request, it should fail' => sub {
200          verify_time_stamp_response_fail("req3.tsq", "resp1.tsr")
201      };
202     }
203 }, create => 1, cleanup => 1