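$!
$! A few very basic tests for the 'ts' time stamping authority command.
$!
$! Layout: the helper subroutines are defined first; DCL skips over a
$! SUBROUTINE ... ENDSUBROUTINE block when it reaches it sequentially, so
$! execution effectively begins at "Main body" below.
$!
$! P4 = "64" selects the 64-bit build directory.
$!
$ __arch = "VAX"
$ if f$getsyi("cpu") .ge. 128 then -
    __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
$ if __arch .eqs. "" then __arch = "UNK"
$!
$ if (p4 .eqs. "64") then __arch = __arch+ "_64"
$!
$ exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
$
$ openssl = "mcr ''f$parse(exe_dir+"openssl.exe")'"
$ OPENSSL_CONF = "[-]CAtsa.cnf"
$ ! Because that's what ../apps/CA.sh really looks at
$ SSLEAY_CONFIG = "-config " + OPENSSL_CONF
$
$! Records whether any step called ERROR.  Defined as a global symbol (==)
$! so that it is visible from, and can be set inside, the CALLed
$! subroutines; it is consumed and deleted at the end of the main body.
$ tsa_failed == 0
$
$ error:
$ subroutine
$! Reports a failed step.  EXIT inside a CALLed subroutine only returns to
$! the command following the CALL, so on its own it cannot abort the whole
$! procedure; the global flag is what makes the procedure's final exit
$! status reflect the failure.
$ write sys$error "TSA test failed!"
$ tsa_failed == 1
$ exit 3
$ endsubroutine
$
$ setup_dir:
$ subroutine
$! Creates a fresh, empty [.tsa] scratch directory and makes it the default.
$! Any leftover directory from an earlier run is removed first.
$
$ if f$search("tsa.dir") .nes ""
$ then
$   @[-.util]deltree [.tsa]*.*
$!  NOTE(review): W:RWED is wider than deleting a scratch directory needs;
$!  the directory file is removed on the next line, so the window is short.
$   set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
$   delete tsa.dir;*
$ endif
$
$ create/dir [.tsa]
$ set default [.tsa]
$ endsubroutine
$
$ clean_up_dir:
$ subroutine
$! Leaves the scratch directory and removes it together with its contents.
$
$ set default [-]
$ @[-.util]deltree [.tsa]*.*
$ set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
$ delete tsa.dir;*
$ endsubroutine
$
$ create_ca:
$ subroutine
$! Creates the throwaway CA used to sign the TSA certificates:
$! tsaca.pem (self-signed cert) and tsacakey.pem (key, stored unencrypted
$! because of -nodes -- acceptable only because this is a test fixture).
$! TSDNSECT presumably selects the DN section read by CAtsa.cnf -- confirm
$! against the config file.
$
$ write sys$output "Creating a new CA for the TSA tests..."
$ TSDNSECT = "ts_ca_dn"
$ openssl req -new -x509 -nodes -
    -out tsaca.pem -keyout tsacakey.pem
$ if $severity .ne. 1 then call error
$ endsubroutine
$
$ create_tsa_cert:
$ subroutine
$! Creates a request tsa_req<INDEX>.pem / key tsa_key<INDEX>.pem and has the
$! CA from CREATE_CA sign it into tsa_cert<INDEX>.pem.
$!   P1 = INDEX, the numeric suffix for the generated file names
$!   P2 = EXT, the extension section of OPENSSL_CONF to apply
$
$ INDEX=p1
$ EXT=p2
$ TSDNSECT = "ts_cert_dn"
$
$ openssl req -new -
    -out tsa_req'INDEX'.pem -keyout tsa_key'INDEX'.pem
$ if $severity .ne. 1 then call error
$
$ write sys$output "Using extension ''EXT'"
$ openssl x509 -req -
    -in tsa_req'INDEX'.pem -out tsa_cert'INDEX'.pem -
    "-CA" tsaca.pem "-CAkey" tsacakey.pem "-CAcreateserial" -
    -extfile 'OPENSSL_CONF' -extensions "''EXT'"
$ if $severity .ne. 1 then call error
$ endsubroutine
$
$ print_request:
$ subroutine
$! Dumps the time stamp request P1 in text form.
$! The status check matches PRINT_RESPONSE so a bad request is reported.
$
$ openssl ts -query -in 'p1' -text
$ if $severity .ne. 1 then call error
$ endsubroutine
$
$ create_time_stamp_request1: subroutine
$! Request with policy tsa_policy1, including the signer cert, -> req1.tsq
$
$ openssl ts -query -data [-]testtsa.com -policy tsa_policy1 -
    -cert -out req1.tsq
$ if $severity .ne. 1 then call error
$ endsubroutine
$
$ create_time_stamp_request2: subroutine
$! Request with policy tsa_policy2 and no nonce -> req2.tsq
$
$ openssl ts -query -data [-]testtsa.com -policy tsa_policy2 -
    -no_nonce -out req2.tsq
$ if $severity .ne. 1 then call error
$ endsubroutine
$
$ create_time_stamp_request3: subroutine
$! Request over a different file (the config itself), no nonce -> req3.tsq
$
$ openssl ts -query -data [-]CAtsa.cnf -no_nonce -out req3.tsq
$ if $severity .ne. 1 then call error
$ endsubroutine
$
$ print_response:
$ subroutine
$! Dumps the time stamp response P1 in text form.
$
$ openssl ts -reply -in 'p1' -text
$ if $severity .ne. 1 then call error
$ endsubroutine
$
$ create_time_stamp_response:
$ subroutine
$! Answers a request with a signed response.
$!   P1 = query file, P2 = output response file,
$!   P3 = TSA config section of OPENSSL_CONF to use
$
$ openssl ts -reply -section 'p3' -queryfile 'p1' -out 'p2'
$ if $severity .ne. 1 then call error
$ endsubroutine
$
$ time_stamp_response_token_test:
$ subroutine
$! Exercises -token_in / -token_out: extracts the token from response P2,
$! wraps it back into a response and checks that the round trip reproduces
$! P2 byte for byte, then prints the token from several sources.
$!   P1 = query file, P2 = response file
$
$ RESPONSE2 = p2+ "-copy_tsr"
$ TOKEN_DER = p2+ "-token_der"
$ openssl ts -reply -in 'p2' -out 'TOKEN_DER' -token_out
$ if $severity .ne. 1 then call error
$ openssl ts -reply -in 'TOKEN_DER' -token_in -out 'RESPONSE2'
$ if $severity .ne. 1 then call error
$ backup/compare 'RESPONSE2' 'p2'
$ if $severity .ne. 1 then call error
$ openssl ts -reply -in 'p2' -text -token_out
$ if $severity .ne. 1 then call error
$ openssl ts -reply -in 'TOKEN_DER' -token_in -text -token_out
$ if $severity .ne. 1 then call error
$ openssl ts -reply -queryfile 'p1' -text -token_out
$ if $severity .ne. 1 then call error
$ endsubroutine
$
$ verify_time_stamp_response:
$ subroutine
$! Verifies response P2 against the query file P1 and against the data
$! file P3, trusting tsaca.pem and supplying tsa_cert1.pem as untrusted.
$! Both verifications must succeed.
$
$ openssl ts -verify -queryfile 'p1' -in 'p2' -
    "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
$ if $severity .ne. 1 then call error
$ openssl ts -verify -data 'p3' -in 'p2' -
    "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
$ if $severity .ne. 1 then call error
$ endsubroutine
$
$ verify_time_stamp_token:
$ subroutine
$! Same as VERIFY_TIME_STAMP_RESPONSE, but on the bare token extracted from
$! response P2 (written to P2-token) using -token_in.
$
$ ! create the token from the response first
$ openssl ts -reply -in "''p2'" -out "''p2'-token" -token_out
$ if $severity .ne. 1 then call error
$ openssl ts -verify -queryfile "''p1'" -in "''p2'-token" -
    -token_in "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
$ if $severity .ne. 1 then call error
$ openssl ts -verify -data "''p3'" -in "''p2'-token" -
    -token_in "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
$ if $severity .ne. 1 then call error
$ endsubroutine
$
$ verify_time_stamp_response_fail:
$ subroutine
$! Negative test: verifying response P2 against query file P1 is expected
$! to FAIL, so a successful verification is what counts as an error here.
$
$ openssl ts -verify -queryfile 'p1' -in 'p2' -
    "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
$ ! Checks if the verification failed, as it should have.
$ if $severity .eq. 1 then call error
$ write sys$output "Ok"
$ endsubroutine
$
$ ! Main body ----------------------------------------------------------
$
$! Error checking is off so that a failing step is reported by ERROR and the
$! remaining steps (including clean-up) still run.
$ set noon
$
$ write sys$output "Setting up TSA test directory..."
$ call setup_dir
$
$ write sys$output "Creating CA for TSA tests..."
$ call create_ca
$
$ write sys$output "Creating tsa_cert1.pem TSA server cert..."
$ call create_tsa_cert 1 "tsa_cert"
$
$ write sys$output "Creating tsa_cert2.pem non-TSA server cert..."
$ call create_tsa_cert 2 "non_tsa_cert"
$
$ write sys$output "Creating req1.req time stamp request for file testtsa..."
$ call create_time_stamp_request1
$
$ write sys$output "Printing req1.req..."
$ call print_request "req1.tsq"
$
$ write sys$output "Generating valid response for req1.req..."
$ call create_time_stamp_response "req1.tsq" "resp1.tsr" "tsa_config1"
$
$ write sys$output "Printing response..."
$ call print_response "resp1.tsr"
$
$ write sys$output "Verifying valid response..."
$ call verify_time_stamp_response "req1.tsq" "resp1.tsr" "[-]testtsa.com"
$
$ write sys$output "Verifying valid token..."
$ call verify_time_stamp_token "req1.tsq" "resp1.tsr" "[-]testtsa.com"
$
$ ! The tests below are commented out, because invalid signer certificates
$ ! can no longer be specified in the config file.
$
$ ! write sys$output "Generating _invalid_ response for req1.req..."
$ ! call create_time_stamp_response "req1.tsq" "resp1_bad.tsr" "tsa_config2"
$
$ ! write sys$output "Printing response..."
$ ! call print_response "resp1_bad.tsr"
$
$ ! write sys$output "Verifying invalid response, it should fail..."
$ ! call verify_time_stamp_response_fail "req1.tsq" "resp1_bad.tsr"
$
$ write sys$output "Creating req2.req time stamp request for file testtsa..."
$ call create_time_stamp_request2
$
$ write sys$output "Printing req2.req..."
$ call print_request "req2.tsq"
$
$ write sys$output "Generating valid response for req2.req..."
$ call create_time_stamp_response "req2.tsq" "resp2.tsr" "tsa_config1"
$
$ write sys$output "Checking '-token_in' and '-token_out' options with '-reply'..."
$ call time_stamp_response_token_test "req2.tsq" "resp2.tsr"
$
$ write sys$output "Printing response..."
$ call print_response "resp2.tsr"
$
$ write sys$output "Verifying valid response..."
$ call verify_time_stamp_response "req2.tsq" "resp2.tsr" "[-]testtsa.com"
$
$ write sys$output "Verifying response against wrong request, it should fail..."
$ call verify_time_stamp_response_fail "req1.tsq" "resp2.tsr"
$
$ write sys$output "Verifying response against wrong request, it should fail..."
$ call verify_time_stamp_response_fail "req2.tsq" "resp1.tsr"
$
$ write sys$output "Creating req3.req time stamp request for file CAtsa.cnf..."
$ call create_time_stamp_request3
$
$ write sys$output "Printing req3.req..."
$ call print_request "req3.tsq"
$
$ write sys$output "Verifying response against wrong request, it should fail..."
$ call verify_time_stamp_response_fail "req3.tsq" "resp1.tsr"
$
$ write sys$output "Cleaning up..."
$ call clean_up_dir
$
$ set on
$
$! Only now, after clean-up, turn a recorded failure into the procedure's
$! exit status so that callers (and CI) can tell a failed run from a
$! successful one.  The global flag is dropped so it does not leak into the
$! invoking process.
$ final_status = 1
$ if tsa_failed then final_status = 3
$ delete/symbol/global tsa_failed
$ exit 'final_status'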