#!/bin/sh # # A few very basic tests for the 'ts' time stamping authority command. # SH="/bin/sh" if test "$OSTYPE" = msdosdjgpp; then PATH="../apps\;$PATH" else PATH="../apps:$PATH" fi export SH PATH OPENSSL_CONF="../CAtsa.cnf" export OPENSSL_CONF # Because that's what ../apps/CA.sh really looks at SSLEAY_CONFIG="-config $OPENSSL_CONF" export SSLEAY_CONFIG OPENSSL="`pwd`/../util/opensslwrap.sh" export OPENSSL error () { echo "TSA test failed!" >&2 exit 1 } setup_dir () { rm -rf tsa 2>/dev/null mkdir tsa cd ./tsa } clean_up_dir () { cd .. rm -rf tsa } create_ca () { echo "Creating a new CA for the TSA tests..." TSDNSECT=ts_ca_dn export TSDNSECT ../../util/shlib_wrap.sh ../../apps/openssl req -new -x509 -nodes \ -out tsaca.pem -keyout tsacakey.pem test $? != 0 && error } create_tsa_cert () { INDEX=$1 export INDEX EXT=$2 TSDNSECT=ts_cert_dn export TSDNSECT ../../util/shlib_wrap.sh ../../apps/openssl req -new \ -out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem test $? != 0 && error echo Using extension $EXT ../../util/shlib_wrap.sh ../../apps/openssl x509 -req \ -in tsa_req${INDEX}.pem -out tsa_cert${INDEX}.pem \ -CA tsaca.pem -CAkey tsacakey.pem -CAcreateserial \ -extfile $OPENSSL_CONF -extensions $EXT test $? != 0 && error } print_request () { ../../util/shlib_wrap.sh ../../apps/openssl ts -query -in $1 -text } create_time_stamp_request1 () { ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../testtsa -policy tsa_policy1 -cert -out req1.tsq test $? != 0 && error } create_time_stamp_request2 () { ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../testtsa -policy tsa_policy2 -no_nonce \ -out req2.tsq test $? != 0 && error } create_time_stamp_request3 () { ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../CAtsa.cnf -no_nonce -out req3.tsq test $? != 0 && error } print_response () { ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $1 -text test $? != 0 && error } create_time_stamp_response () { ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -section $3 -queryfile $1 -out $2 test $? != 0 && error } time_stamp_response_token_test () { RESPONSE2=$2.copy.tsr TOKEN_DER=$2.token.der ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -out $TOKEN_DER -token_out test $? != 0 && error ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $TOKEN_DER -token_in -out $RESPONSE2 test $? != 0 && error cmp $RESPONSE2 $2 test $? != 0 && error ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -text -token_out test $? != 0 && error ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $TOKEN_DER -token_in -text -token_out test $? != 0 && error ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -queryfile $1 -text -token_out test $? != 0 && error } verify_time_stamp_response () { ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2 -CAfile tsaca.pem \ -untrusted tsa_cert1.pem test $? != 0 && error ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -data $3 -in $2 -CAfile tsaca.pem \ -untrusted tsa_cert1.pem test $? != 0 && error } verify_time_stamp_token () { # create the token from the response first ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -out $2.token -token_out test $? != 0 && error ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2.token -token_in \ -CAfile tsaca.pem -untrusted tsa_cert1.pem test $? != 0 && error ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -data $3 -in $2.token -token_in \ -CAfile tsaca.pem -untrusted tsa_cert1.pem test $? != 0 && error } verify_time_stamp_response_fail () { ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2 -CAfile tsaca.pem \ -untrusted tsa_cert1.pem # Checks if the verification failed, as it should have. test $? = 0 && error echo Ok } # main functions echo "Setting up TSA test directory..." setup_dir echo "Creating CA for TSA tests..." create_ca echo "Creating tsa_cert1.pem TSA server cert..." create_tsa_cert 1 tsa_cert echo "Creating tsa_cert2.pem non-TSA server cert..." create_tsa_cert 2 non_tsa_cert echo "Creating req1.req time stamp request for file testtsa..." create_time_stamp_request1 echo "Printing req1.req..." print_request req1.tsq echo "Generating valid response for req1.req..." create_time_stamp_response req1.tsq resp1.tsr tsa_config1 echo "Printing response..." print_response resp1.tsr echo "Verifying valid response..." verify_time_stamp_response req1.tsq resp1.tsr ../testtsa echo "Verifying valid token..." verify_time_stamp_token req1.tsq resp1.tsr ../testtsa # The tests below are commented out, because invalid signer certificates # can no longer be specified in the config file. # echo "Generating _invalid_ response for req1.req..." # create_time_stamp_response req1.tsq resp1_bad.tsr tsa_config2 # echo "Printing response..." # print_response resp1_bad.tsr # echo "Verifying invalid response, it should fail..." # verify_time_stamp_response_fail req1.tsq resp1_bad.tsr echo "Creating req2.req time stamp request for file testtsa..." create_time_stamp_request2 echo "Printing req2.req..." print_request req2.tsq echo "Generating valid response for req2.req..." create_time_stamp_response req2.tsq resp2.tsr tsa_config1 echo "Checking '-token_in' and '-token_out' options with '-reply'..." time_stamp_response_token_test req2.tsq resp2.tsr echo "Printing response..." print_response resp2.tsr echo "Verifying valid response..." verify_time_stamp_response req2.tsq resp2.tsr ../testtsa echo "Verifying response against wrong request, it should fail..." verify_time_stamp_response_fail req1.tsq resp2.tsr echo "Verifying response against wrong request, it should fail..." verify_time_stamp_response_fail req2.tsq resp1.tsr echo "Creating req3.req time stamp request for file CAtsa.cnf..." create_time_stamp_request3 echo "Printing req3.req..." print_request req3.tsq echo "Verifying response against wrong request, it should fail..." verify_time_stamp_response_fail req3.tsq resp1.tsr echo "Cleaning up..." clean_up_dir exit 0