1#! /usr/bin/env perl
2# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
3#
4# Licensed under the OpenSSL license (the "License").  You may not use
5# this file except in compliance with the License.  You can obtain a copy
6# in the file LICENSE in the source distribution or at
7# https://www.openssl.org/source/license.html
8
9
10use strict;
11use warnings;
12
13use POSIX;
14use File::Spec::Functions qw/splitdir curdir catfile/;
15use File::Compare;
16use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
17use OpenSSL::Test::Utils;
18
19setup("test_tsa");
20
21plan skip_all => "TS is not supported by this OpenSSL build"
22    if disabled("ts");
23
24# All these are modified inside indir further down. They need to exist
25# here, however, to be available in all subroutines.
26my $openssl_conf;
27my $testtsa;
28my $CAtsa;
29my @RUN;
30
31sub create_tsa_cert {
32    my $INDEX = shift;
33    my $EXT = shift;
34    my $r = 1;
35    $ENV{TSDNSECT} = "ts_cert_dn";
36
37    ok(run(app(["openssl", "req", "-config", $openssl_conf, "-new",
38                "-out", "tsa_req${INDEX}.pem",
39                "-keyout", "tsa_key${INDEX}.pem"])));
40    note "using extension $EXT";
41    ok(run(app(["openssl", "x509", "-req",
42                "-in", "tsa_req${INDEX}.pem",
43                "-out", "tsa_cert${INDEX}.pem",
44                "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem",
45                "-CAcreateserial",
46                "-extfile", $openssl_conf, "-extensions", $EXT])));
47}
48
49sub create_time_stamp_response {
50    my $queryfile = shift;
51    my $outputfile = shift;
52    my $datafile = shift;
53
54    ok(run(app([@RUN, "-reply", "-section", "$datafile",
55                "-queryfile", "$queryfile", "-out", "$outputfile"])));
56}
57
58sub verify_time_stamp_response {
59    my $queryfile = shift;
60    my $inputfile = shift;
61    my $datafile = shift;
62
63    ok(run(app([@RUN, "-verify", "-queryfile", "$queryfile",
64                "-in", "$inputfile", "-CAfile", "tsaca.pem",
65                "-untrusted", "tsa_cert1.pem"])));
66    ok(run(app([@RUN, "-verify", "-data", "$datafile",
67                "-in", "$inputfile", "-CAfile", "tsaca.pem",
68                "-untrusted", "tsa_cert1.pem"])));
69}
70
71sub verify_time_stamp_response_fail {
72    my $queryfile = shift;
73    my $inputfile = shift;
74
75    ok(!run(app([@RUN, "-verify", "-queryfile", "$queryfile",
76                 "-in", "$inputfile", "-CAfile", "tsaca.pem",
77                 "-untrusted", "tsa_cert1.pem"])));
78}
79
80# main functions
81
82plan tests => 20;
83
84note "setting up TSA test directory";
85indir "tsa" => sub
86{
87    $openssl_conf = srctop_file("test", "CAtsa.cnf");
88    $testtsa = srctop_file("test", "recipes", "80-test_tsa.t");
89    $CAtsa = srctop_file("test", "CAtsa.cnf");
90    @RUN = ("openssl", "ts", "-config", $openssl_conf);
91
92    # ../apps/CA.pl needs these
93    $ENV{OPENSSL_CONFIG} = "-config $openssl_conf";
94    $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
95
96 SKIP: {
97     $ENV{TSDNSECT} = "ts_ca_dn";
98     skip "failed", 19
99         unless ok(run(app(["openssl", "req", "-config", $openssl_conf,
100                            "-new", "-x509", "-nodes",
101                            "-out", "tsaca.pem", "-keyout", "tsacakey.pem"])),
102                   'creating a new CA for the TSA tests');
103
104     skip "failed", 18
105         unless subtest 'creating tsa_cert1.pem TSA server cert' => sub {
106             create_tsa_cert("1", "tsa_cert")
107     };
108
109     skip "failed", 17
110         unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub {
111             create_tsa_cert("2", "non_tsa_cert")
112     };
113
114     skip "failed", 16
115         unless ok(run(app([@RUN, "-query", "-data", $testtsa,
116                            "-tspolicy", "tsa_policy1", "-cert",
117                            "-out", "req1.tsq"])),
118                   'creating req1.req time stamp request for file testtsa');
119
120     ok(run(app([@RUN, "-query", "-in", "req1.tsq", "-text"])),
121        'printing req1.req');
122
123     subtest 'generating valid response for req1.req' => sub {
124         create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1")
125     };
126
127     ok(run(app([@RUN, "-reply", "-in", "resp1.tsr", "-text"])),
128        'printing response');
129
130     subtest 'verifying valid response' => sub {
131         verify_time_stamp_response("req1.tsq", "resp1.tsr", $testtsa)
132     };
133
134     skip "failed", 11
135         unless subtest 'verifying valid token' => sub {
136             ok(run(app([@RUN, "-reply", "-in", "resp1.tsr",
137                         "-out", "resp1.tsr.token", "-token_out"])));
138             ok(run(app([@RUN, "-verify", "-queryfile", "req1.tsq",
139                         "-in", "resp1.tsr.token", "-token_in",
140                         "-CAfile", "tsaca.pem",
141                         "-untrusted", "tsa_cert1.pem"])));
142             ok(run(app([@RUN, "-verify", "-data", $testtsa,
143                         "-in", "resp1.tsr.token", "-token_in",
144                         "-CAfile", "tsaca.pem",
145                         "-untrusted", "tsa_cert1.pem"])));
146     };
147
148     skip "failed", 10
149         unless ok(run(app([@RUN, "-query", "-data", $testtsa,
150                            "-tspolicy", "tsa_policy2", "-no_nonce",
151                            "-out", "req2.tsq"])),
152                   'creating req2.req time stamp request for file testtsa');
153
154     ok(run(app([@RUN, "-query", "-in", "req2.tsq", "-text"])),
155        'printing req2.req');
156
157     skip "failed", 8
158         unless subtest 'generating valid response for req2.req' => sub {
159             create_time_stamp_response("req2.tsq", "resp2.tsr", "tsa_config1")
160     };
161
162     skip "failed", 7
163         unless subtest 'checking -token_in and -token_out options with -reply' => sub {
164             my $RESPONSE2="resp2.tsr.copy.tsr";
165             my $TOKEN_DER="resp2.tsr.token.der";
166
167             ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
168                         "-out", "$TOKEN_DER", "-token_out"])));
169             ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
170                         "-token_in", "-out", "$RESPONSE2"])));
171             is(compare($RESPONSE2, "resp2.tsr"), 0);
172             ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
173                         "-text", "-token_out"])));
174             ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
175                         "-token_in", "-text", "-token_out"])));
176             ok(run(app([@RUN, "-reply", "-queryfile", "req2.tsq",
177                         "-text", "-token_out"])));
178     };
179
180     ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", "-text"])),
181        'printing response');
182
183     subtest 'verifying valid response' => sub {
184         verify_time_stamp_response("req2.tsq", "resp2.tsr", $testtsa)
185     };
186
187     subtest 'verifying response against wrong request, it should fail' => sub {
188         verify_time_stamp_response_fail("req1.tsq", "resp2.tsr")
189     };
190
191     subtest 'verifying response against wrong request, it should fail' => sub {
192         verify_time_stamp_response_fail("req2.tsq", "resp1.tsr")
193     };
194
195     skip "failure", 2
196         unless ok(run(app([@RUN, "-query", "-data", $CAtsa,
197                            "-no_nonce", "-out", "req3.tsq"])),
198                   "creating req3.req time stamp request for file CAtsa.cnf");
199
200     ok(run(app([@RUN, "-query", "-in", "req3.tsq", "-text"])),
201        'printing req3.req');
202
203     subtest 'verifying response against wrong request, it should fail' => sub {
204         verify_time_stamp_response_fail("req3.tsq", "resp1.tsr")
205     };
206    }
207}, create => 1, cleanup => 1
208