Remove EXHEADER, TEST, APPS, links:, install: and uninstall: where relevant
[openssl.git] / test / testtsa.com
1 $!
2 $! A few very basic tests for the 'ts' time stamping authority command.
3 $!
4 $
5 $       __arch = "VAX"
6 $       if f$getsyi("cpu") .ge. 128 then -
7            __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
8 $       if __arch .eqs. "" then __arch = "UNK"
9 $!
10 $       if (p4 .eqs. "64") then __arch = __arch+ "_64"
11 $!
12 $       exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
13 $
14 $       openssl = "mcr ''f$parse(exe_dir+"openssl.exe")'"
15 $       OPENSSL_CONF = "[-]CAtsa.cnf"
16 $       ! Because that's what ../apps/CA.sh really looks at
17 $       SSLEAY_CONFIG = "-config " + OPENSSL_CONF
18 $
19 $ error:
20 $       subroutine
21 $               write sys$error "TSA test failed!"
22 $               exit 3
23 $       endsubroutine
24 $
25 $ setup_dir:
26 $       subroutine
27 $
28 $               if f$search("tsa.dir") .nes ""
29 $               then
30 $                       @[-.util]deltree [.tsa]*.*
31 $                       set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
32 $                       delete tsa.dir;*
33 $               endif
34 $
35 $               create/dir [.tsa]
36 $               set default [.tsa]
37 $       endsubroutine
38 $
39 $ clean_up_dir:
40 $       subroutine
41 $
42 $               set default [-]
43 $               @[-.util]deltree [.tsa]*.*
44 $               set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
45 $               delete tsa.dir;*
46 $       endsubroutine
47 $
48 $ create_ca:
49 $       subroutine
50 $
51 $               write sys$output "Creating a new CA for the TSA tests..."
52 $               TSDNSECT = "ts_ca_dn"
53 $               openssl req -new -x509 -nodes -
54                         -out tsaca.pem -keyout tsacakey.pem
55 $               if $severity .ne. 1 then call error
56 $       endsubroutine
57 $
58 $ create_tsa_cert:
59 $       subroutine
60 $
61 $               INDEX=p1
62 $               EXT=p2
63 $               TSDNSECT = "ts_cert_dn"
64 $
65 $               openssl req -new -
66                         -out tsa_req'INDEX'.pem -keyout tsa_key'INDEX'.pem
67 $               if $severity .ne. 1 then call error
68 $
69 $               write sys$output "Using extension ''EXT'"
70 $               openssl x509 -req -
71                         -in tsa_req'INDEX'.pem -out tsa_cert'INDEX'.pem -
72                         "-CA" tsaca.pem "-CAkey" tsacakey.pem "-CAcreateserial" -
73                         -extfile 'OPENSSL_CONF' -extensions "''EXT'"
74 $               if $severity .ne. 1 then call error
75 $       endsubroutine
76 $
77 $ print_request:
78 $       subroutine
79 $
80 $               openssl ts -query -in 'p1' -text
81 $       endsubroutine
82 $
83 $ create_time_stamp_request1: subroutine
84 $
85 $               openssl ts -query -data [-]testtsa.com -policy tsa_policy1 -
86                         -cert -out req1.tsq
87 $               if $severity .ne. 1 then call error
88 $       endsubroutine
89 $
90 $ create_time_stamp_request2: subroutine
91 $
92 $               openssl ts -query -data [-]testtsa.com -policy tsa_policy2 -
93                         -no_nonce -out req2.tsq
94 $               if $severity .ne. 1 then call error
95 $       endsubroutine
96 $
97 $ create_time_stamp_request3: subroutine
98 $
99 $               openssl ts -query -data [-]CAtsa.cnf -no_nonce -out req3.tsq
100 $               if $severity .ne. 1 then call error
101 $       endsubroutine
102 $
103 $ print_response:
104 $       subroutine
105 $
106 $               openssl ts -reply -in 'p1' -text
107 $               if $severity .ne. 1 then call error
108 $       endsubroutine
109 $
110 $ create_time_stamp_response:
111 $       subroutine
112 $
113 $               openssl ts -reply -section 'p3' -queryfile 'p1' -out 'p2'
114 $               if $severity .ne. 1 then call error
115 $       endsubroutine
116 $
117 $ time_stamp_response_token_test:
118 $       subroutine
119 $
120 $               RESPONSE2 = p2+ "-copy_tsr"
121 $               TOKEN_DER = p2+ "-token_der"
122 $               openssl ts -reply -in 'p2' -out 'TOKEN_DER' -token_out
123 $               if $severity .ne. 1 then call error
124 $               openssl ts -reply -in 'TOKEN_DER' -token_in -out 'RESPONSE2'
125 $               if $severity .ne. 1 then call error
126 $               backup/compare 'RESPONSE2' 'p2'
127 $               if $severity .ne. 1 then call error
128 $               openssl ts -reply -in 'p2' -text -token_out
129 $               if $severity .ne. 1 then call error
130 $               openssl ts -reply -in 'TOKEN_DER' -token_in -text -token_out
131 $               if $severity .ne. 1 then call error
132 $               openssl ts -reply -queryfile 'p1' -text -token_out
133 $               if $severity .ne. 1 then call error
134 $       endsubroutine
135 $
136 $ verify_time_stamp_response:
137 $       subroutine
138 $
139 $               openssl ts -verify -queryfile 'p1' -in 'p2' -
140                         "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
141 $               if $severity .ne. 1 then call error
142 $               openssl ts -verify -data 'p3' -in 'p2' -
143                         "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
144 $               if $severity .ne. 1 then call error
145 $       endsubroutine
146 $
147 $ verify_time_stamp_token:
148 $       subroutine
149 $
150 $               ! create the token from the response first
151 $               openssl ts -reply -in "''p2'" -out "''p2'-token" -token_out
152 $               if $severity .ne. 1 then call error
153 $               openssl ts -verify -queryfile "''p1'" -in "''p2'-token" -
154                  -token_in "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
155 $               if $severity .ne. 1 then call error
156 $               openssl ts -verify -data "''p3'" -in "''p2'-token" -
157                  -token_in "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
158 $               if $severity .ne. 1 then call error
159 $       endsubroutine
160 $
161 $ verify_time_stamp_response_fail:
162 $       subroutine
163 $
164 $               openssl ts -verify -queryfile 'p1' -in 'p2' -
165                         "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
166 $               ! Checks if the verification failed, as it should have.
167 $               if $severity .eq. 1 then call error
168 $               write sys$output "Ok"
169 $       endsubroutine
170 $
171 $       ! Main body ----------------------------------------------------------
172 $
173 $       set noon
174 $
175 $       write sys$output "Setting up TSA test directory..."
176 $       call setup_dir
177 $
178 $       write sys$output "Creating CA for TSA tests..."
179 $       call create_ca
180 $
181 $       write sys$output "Creating tsa_cert1.pem TSA server cert..."
182 $       call create_tsa_cert 1 "tsa_cert"
183 $
184 $       write sys$output "Creating tsa_cert2.pem non-TSA server cert..."
185 $       call create_tsa_cert 2 "non_tsa_cert"
186 $
187 $       write sys$output "Creating req1.req time stamp request for file testtsa..."
188 $       call create_time_stamp_request1
189 $
190 $       write sys$output "Printing req1.req..."
191 $       call print_request "req1.tsq"
192 $
193 $       write sys$output "Generating valid response for req1.req..."
194 $       call create_time_stamp_response "req1.tsq" "resp1.tsr" "tsa_config1"
195 $
196 $       write sys$output "Printing response..."
197 $       call print_response "resp1.tsr"
198 $
199 $       write sys$output "Verifying valid response..."
200 $       call verify_time_stamp_response "req1.tsq" "resp1.tsr" "[-]testtsa.com"
201 $
202 $       write sys$output "Verifying valid token..."
203 $       call verify_time_stamp_token "req1.tsq" "resp1.tsr" "[-]testtsa.com"
204 $
205 $       ! The tests below are commented out, because invalid signer certificates
206 $       ! can no longer be specified in the config file.
207 $
208 $       ! write sys$output "Generating _invalid_ response for req1.req..."
209 $       ! call create_time_stamp_response "req1.tsq" "resp1_bad.tsr" "tsa_config2"
210 $
211 $       ! write sys$output "Printing response..."
212 $       ! call print_response "resp1_bad.tsr"
213 $
214 $       ! write sys$output "Verifying invalid response, it should fail..."
215 $       ! call verify_time_stamp_response_fail "req1.tsq" "resp1_bad.tsr"
216 $
217 $       write sys$output "Creating req2.req time stamp request for file testtsa..."
218 $       call create_time_stamp_request2
219 $
220 $       write sys$output "Printing req2.req..."
221 $       call print_request "req2.tsq"
222 $
223 $       write sys$output "Generating valid response for req2.req..."
224 $       call create_time_stamp_response "req2.tsq" "resp2.tsr" "tsa_config1"
225 $
226 $       write sys$output "Checking '-token_in' and '-token_out' options with '-reply'..."
227 $       call time_stamp_response_token_test "req2.tsq" "resp2.tsr"
228 $
229 $       write sys$output "Printing response..."
230 $       call print_response "resp2.tsr"
231 $
232 $       write sys$output "Verifying valid response..."
233 $       call verify_time_stamp_response "req2.tsq" "resp2.tsr" "[-]testtsa.com"
234 $
235 $       write sys$output "Verifying response against wrong request, it should fail..."
236 $       call verify_time_stamp_response_fail "req1.tsq" "resp2.tsr"
237 $
238 $       write sys$output "Verifying response against wrong request, it should fail..."
239 $       call verify_time_stamp_response_fail "req2.tsq" "resp1.tsr"
240 $
241 $       write sys$output "Creating req3.req time stamp request for file CAtsa.cnf..."
242 $       call create_time_stamp_request3
243 $
244 $       write sys$output "Printing req3.req..."
245 $       call print_request "req3.tsq"
246 $
247 $       write sys$output "Verifying response against wrong request, it should fail..."
248 $       call verify_time_stamp_response_fail "req3.tsq" "resp1.tsr"
249 $
250 $       write sys$output "Cleaning up..."
251 $       call clean_up_dir
252 $
253 $       set on
254 $
255 $       exit