4 # A few very basic tests for the 'ts' time stamping authority command.
8 if test "$OSTYPE" = msdosdjgpp
; then
15 OPENSSL_CONF
="../CAtsa.cnf"
17 # Because that's what ../apps/CA.sh really looks at
18 SSLEAY_CONFIG
="-config $OPENSSL_CONF"
21 OPENSSL
="`pwd`/../util/opensslwrap.sh"
26 echo "TSA test failed!" >&2
32 rm -rf tsa
2>/dev
/null
45 echo "Creating a new CA for the TSA tests..."
48 ..
/..
/util
/shlib_wrap.sh ..
/..
/apps
/openssl req
-new -x509 -nodes \
49 -out tsaca.pem
-keyout tsacakey.pem
61 ..
/..
/util
/shlib_wrap.sh ..
/..
/apps
/openssl req
-new \
62 -out tsa_req
${INDEX}.pem
-keyout tsa_key
${INDEX}.pem
64 echo Using extension
$EXT
65 ..
/..
/util
/shlib_wrap.sh ..
/..
/apps
/openssl x509
-req \
66 -in tsa_req
${INDEX}.pem
-out tsa_cert
${INDEX}.pem \
67 -CA tsaca.pem
-CAkey tsacakey.pem
-CAcreateserial \
68 -extfile $OPENSSL_CONF -extensions $EXT
74 ..
/..
/util
/shlib_wrap.sh ..
/..
/apps
/openssl ts
-query -in $1 -text
77 create_time_stamp_request1
() {
79 ..
/..
/util
/shlib_wrap.sh ..
/..
/apps
/openssl ts
-query -data ..
/testtsa
-policy tsa_policy1
-cert -out req1.tsq
83 create_time_stamp_request2
() {
85 ..
/..
/util
/shlib_wrap.sh ..
/..
/apps
/openssl ts
-query -data ..
/testtsa
-policy tsa_policy2
-no_nonce \
90 create_time_stamp_request3
() {
92 ..
/..
/util
/shlib_wrap.sh ..
/..
/apps
/openssl ts
-query -data ..
/CAtsa.cnf
-no_nonce -out req3.tsq
98 ..
/..
/util
/shlib_wrap.sh ..
/..
/apps
/openssl ts
-reply -in $1 -text
102 create_time_stamp_response
() {
104 ..
/..
/util
/shlib_wrap.sh ..
/..
/apps
/openssl ts
-reply -section $3 -queryfile $1 -out $2
105 test $?
!= 0 && error
108 time_stamp_response_token_test
() {
110 RESPONSE2
=$2.copy.tsr
111 TOKEN_DER
=$2.token.der
112 ..
/..
/util
/shlib_wrap.sh ..
/..
/apps
/openssl ts
-reply -in $2 -out $TOKEN_DER -token_out
113 test $?
!= 0 && error
114 ..
/..
/util
/shlib_wrap.sh ..
/..
/apps
/openssl ts
-reply -in $TOKEN_DER -token_in -out $RESPONSE2
115 test $?
!= 0 && error
117 test $?
!= 0 && error
118 ..
/..
/util
/shlib_wrap.sh ..
/..
/apps
/openssl ts
-reply -in $2 -text -token_out
119 test $?
!= 0 && error
120 ..
/..
/util
/shlib_wrap.sh ..
/..
/apps
/openssl ts
-reply -in $TOKEN_DER -token_in -text -token_out
121 test $?
!= 0 && error
122 ..
/..
/util
/shlib_wrap.sh ..
/..
/apps
/openssl ts
-reply -queryfile $1 -text -token_out
123 test $?
!= 0 && error
126 verify_time_stamp_response
() {
128 ..
/..
/util
/shlib_wrap.sh ..
/..
/apps
/openssl ts
-verify -queryfile $1 -in $2 -CAfile tsaca.pem \
129 -untrusted tsa_cert1.pem
130 test $?
!= 0 && error
131 ..
/..
/util
/shlib_wrap.sh ..
/..
/apps
/openssl ts
-verify -data $3 -in $2 -CAfile tsaca.pem \
132 -untrusted tsa_cert1.pem
133 test $?
!= 0 && error
136 verify_time_stamp_token
() {
138 # create the token from the response first
139 ..
/..
/util
/shlib_wrap.sh ..
/..
/apps
/openssl ts
-reply -in $2 -out $2.token
-token_out
140 test $?
!= 0 && error
141 ..
/..
/util
/shlib_wrap.sh ..
/..
/apps
/openssl ts
-verify -queryfile $1 -in $2.token
-token_in \
142 -CAfile tsaca.pem
-untrusted tsa_cert1.pem
143 test $?
!= 0 && error
144 ..
/..
/util
/shlib_wrap.sh ..
/..
/apps
/openssl ts
-verify -data $3 -in $2.token
-token_in \
145 -CAfile tsaca.pem
-untrusted tsa_cert1.pem
146 test $?
!= 0 && error
149 verify_time_stamp_response_fail
() {
151 ..
/..
/util
/shlib_wrap.sh ..
/..
/apps
/openssl ts
-verify -queryfile $1 -in $2 -CAfile tsaca.pem \
152 -untrusted tsa_cert1.pem
153 # Checks if the verification failed, as it should have.
160 echo "Setting up TSA test directory..."
163 echo "Creating CA for TSA tests..."
166 echo "Creating tsa_cert1.pem TSA server cert..."
167 create_tsa_cert
1 tsa_cert
169 echo "Creating tsa_cert2.pem non-TSA server cert..."
170 create_tsa_cert
2 non_tsa_cert
172 echo "Creating req1.req time stamp request for file testtsa..."
173 create_time_stamp_request1
175 echo "Printing req1.req..."
176 print_request req1.tsq
178 echo "Generating valid response for req1.req..."
179 create_time_stamp_response req1.tsq resp1.tsr tsa_config1
181 echo "Printing response..."
182 print_response resp1.tsr
184 echo "Verifying valid response..."
185 verify_time_stamp_response req1.tsq resp1.tsr ..
/testtsa
187 echo "Verifying valid token..."
188 verify_time_stamp_token req1.tsq resp1.tsr ..
/testtsa
190 # The tests below are commented out, because invalid signer certificates
191 # can no longer be specified in the config file.
193 # echo "Generating _invalid_ response for req1.req..."
194 # create_time_stamp_response req1.tsq resp1_bad.tsr tsa_config2
196 # echo "Printing response..."
197 # print_response resp1_bad.tsr
199 # echo "Verifying invalid response, it should fail..."
200 # verify_time_stamp_response_fail req1.tsq resp1_bad.tsr
202 echo "Creating req2.req time stamp request for file testtsa..."
203 create_time_stamp_request2
205 echo "Printing req2.req..."
206 print_request req2.tsq
208 echo "Generating valid response for req2.req..."
209 create_time_stamp_response req2.tsq resp2.tsr tsa_config1
211 echo "Checking '-token_in' and '-token_out' options with '-reply'..."
212 time_stamp_response_token_test req2.tsq resp2.tsr
214 echo "Printing response..."
215 print_response resp2.tsr
217 echo "Verifying valid response..."
218 verify_time_stamp_response req2.tsq resp2.tsr ..
/testtsa
220 echo "Verifying response against wrong request, it should fail..."
221 verify_time_stamp_response_fail req1.tsq resp2.tsr
223 echo "Verifying response against wrong request, it should fail..."
224 verify_time_stamp_response_fail req2.tsq resp1.tsr
226 echo "Creating req3.req time stamp request for file CAtsa.cnf..."
227 create_time_stamp_request3
229 echo "Printing req3.req..."
230 print_request req3.tsq
232 echo "Verifying response against wrong request, it should fail..."
233 verify_time_stamp_response_fail req3.tsq resp1.tsr
235 echo "Cleaning up..."