2 $! A few very basic tests for the 'ts' time stamping authority command.
6 $ if f$getsyi("cpu") .ge. 128 then -
7 __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
8 $ if __arch .eqs. "" then __arch = "UNK"
10 $ if (p4 .eqs. "64") then __arch = __arch+ "_64"
12 $ exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
14 $ openssl = "mcr ''f$parse(exe_dir+"openssl.exe")'"
15 $ OPENSSL_CONF = "[-]CAtsa.cnf"
16 $ ! Because that's what ../apps/CA.sh really looks at
17 $ SSLEAY_CONFIG = "-config " + OPENSSL_CONF
21 $ write sys$error "TSA test failed!"
28 $ if f$search("tsa.dir") .nes ""
30 $ @[-.util]deltree [.tsa]*.*
31 $ set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
43 $ @[-.util]deltree [.tsa]*.*
44 $ set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
51 $ write sys$output "Creating a new CA for the TSA tests..."
52 $ TSDNSECT = "ts_ca_dn"
53 $ openssl req -new -x509 -nodes -
54 -out tsaca.pem -keyout tsacakey.pem
55 $ if $severity .ne. 1 then call error
63 $ TSDNSECT = "ts_cert_dn"
66 -out tsa_req'INDEX'.pem -keyout tsa_key'INDEX'.pem
67 $ if $severity .ne. 1 then call error
69 $ write sys$output "Using extension ''EXT'"
71 -in tsa_req'INDEX'.pem -out tsa_cert'INDEX'.pem -
72 "-CA" tsaca.pem "-CAkey" tsacakey.pem "-CAcreateserial" -
73 -extfile 'OPENSSL_CONF' -extensions "''EXT'"
74 $ if $severity .ne. 1 then call error
80 $ openssl ts -query -in 'p1' -text
83 $ create_time_stamp_request1: subroutine
85 $ openssl ts -query -data [-]testtsa.com -policy tsa_policy1 -
87 $ if $severity .ne. 1 then call error
90 $ create_time_stamp_request2: subroutine
92 $ openssl ts -query -data [-]testtsa.com -policy tsa_policy2 -
93 -no_nonce -out req2.tsq
94 $ if $severity .ne. 1 then call error
97 $ create_time_stamp_request3: subroutine
99 $ openssl ts -query -data [-]CAtsa.cnf -no_nonce -out req3.tsq
100 $ if $severity .ne. 1 then call error
106 $ openssl ts -reply -in 'p1' -text
107 $ if $severity .ne. 1 then call error
110 $ create_time_stamp_response:
113 $ openssl ts -reply -section 'p3' -queryfile 'p1' -out 'p2'
114 $ if $severity .ne. 1 then call error
117 $ time_stamp_response_token_test:
120 $ RESPONSE2 = p2+ "-copy_tsr"
121 $ TOKEN_DER = p2+ "-token_der"
122 $ openssl ts -reply -in 'p2' -out 'TOKEN_DER' -token_out
123 $ if $severity .ne. 1 then call error
124 $ openssl ts -reply -in 'TOKEN_DER' -token_in -out 'RESPONSE2'
125 $ if $severity .ne. 1 then call error
126 $ backup/compare 'RESPONSE2' 'p2'
127 $ if $severity .ne. 1 then call error
128 $ openssl ts -reply -in 'p2' -text -token_out
129 $ if $severity .ne. 1 then call error
130 $ openssl ts -reply -in 'TOKEN_DER' -token_in -text -token_out
131 $ if $severity .ne. 1 then call error
132 $ openssl ts -reply -queryfile 'p1' -text -token_out
133 $ if $severity .ne. 1 then call error
136 $ verify_time_stamp_response:
139 $ openssl ts -verify -queryfile 'p1' -in 'p2' -
140 "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
141 $ if $severity .ne. 1 then call error
142 $ openssl ts -verify -data 'p3' -in 'p2' -
143 "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
144 $ if $severity .ne. 1 then call error
147 $ verify_time_stamp_token:
150 $ ! create the token from the response first
151 $ openssl ts -reply -in "''p2'" -out "''p2'-token" -token_out
152 $ if $severity .ne. 1 then call error
153 $ openssl ts -verify -queryfile "''p1'" -in "''p2'-token" -
154 -token_in "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
155 $ if $severity .ne. 1 then call error
156 $ openssl ts -verify -data "''p3'" -in "''p2'-token" -
157 -token_in "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
158 $ if $severity .ne. 1 then call error
161 $ verify_time_stamp_response_fail:
164 $ openssl ts -verify -queryfile 'p1' -in 'p2' -
165 "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
166 $ ! Checks if the verification failed, as it should have.
167 $ if $severity .eq. 1 then call error
168 $ write sys$output "Ok"
171 $ ! Main body ----------------------------------------------------------
175 $ write sys$output "Setting up TSA test directory..."
178 $ write sys$output "Creating CA for TSA tests..."
181 $ write sys$output "Creating tsa_cert1.pem TSA server cert..."
182 $ call create_tsa_cert 1 "tsa_cert"
184 $ write sys$output "Creating tsa_cert2.pem non-TSA server cert..."
185 $ call create_tsa_cert 2 "non_tsa_cert"
187 $ write sys$output "Creating req1.req time stamp request for file testtsa..."
188 $ call create_time_stamp_request1
190 $ write sys$output "Printing req1.req..."
191 $ call print_request "req1.tsq"
193 $ write sys$output "Generating valid response for req1.req..."
194 $ call create_time_stamp_response "req1.tsq" "resp1.tsr" "tsa_config1"
196 $ write sys$output "Printing response..."
197 $ call print_response "resp1.tsr"
199 $ write sys$output "Verifying valid response..."
200 $ call verify_time_stamp_response "req1.tsq" "resp1.tsr" "[-]testtsa.com"
202 $ write sys$output "Verifying valid token..."
203 $ call verify_time_stamp_token "req1.tsq" "resp1.tsr" "[-]testtsa.com"
205 $ ! The tests below are commented out, because invalid signer certificates
206 $ ! can no longer be specified in the config file.
208 $ ! write sys$output "Generating _invalid_ response for req1.req..."
209 $ ! call create_time_stamp_response "req1.tsq" "resp1_bad.tsr" "tsa_config2"
211 $ ! write sys$output "Printing response..."
212 $ ! call print_response "resp1_bad.tsr"
214 $ ! write sys$output "Verifying invalid response, it should fail..."
215 $ ! call verify_time_stamp_response_fail "req1.tsq" "resp1_bad.tsr"
217 $ write sys$output "Creating req2.req time stamp request for file testtsa..."
218 $ call create_time_stamp_request2
220 $ write sys$output "Printing req2.req..."
221 $ call print_request "req2.tsq"
223 $ write sys$output "Generating valid response for req2.req..."
224 $ call create_time_stamp_response "req2.tsq" "resp2.tsr" "tsa_config1"
226 $ write sys$output "Checking '-token_in' and '-token_out' options with '-reply'..."
227 $ call time_stamp_response_token_test "req2.tsq" "resp2.tsr"
229 $ write sys$output "Printing response..."
230 $ call print_response "resp2.tsr"
232 $ write sys$output "Verifying valid response..."
233 $ call verify_time_stamp_response "req2.tsq" "resp2.tsr" "[-]testtsa.com"
235 $ write sys$output "Verifying response against wrong request, it should fail..."
236 $ call verify_time_stamp_response_fail "req1.tsq" "resp2.tsr"
238 $ write sys$output "Verifying response against wrong request, it should fail..."
239 $ call verify_time_stamp_response_fail "req2.tsq" "resp1.tsr"
241 $ write sys$output "Creating req3.req time stamp request for file CAtsa.cnf..."
242 $ call create_time_stamp_request3
244 $ write sys$output "Printing req3.req..."
245 $ call print_request "req3.tsq"
247 $ write sys$output "Verifying response against wrong request, it should fail..."
248 $ call verify_time_stamp_response_fail "req3.tsq" "resp1.tsr"
250 $ write sys$output "Cleaning up..."