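#!/bin/sh
#
# appstest.sh - test script for openssl command according to man OPENSSL(1)
#
# input  : none
# output : all files generated by this script go under $ssldir
#
# Every step is a real openssl(1) invocation followed by check_exit_status,
# so the first failing command aborts the whole run with that command's
# exit status.  All passwords, keys and certificates produced here are
# throw-away test fixtures (fixed passwords, tiny key sizes, legacy
# algorithms) and must never be reused outside this directory.
#
# Written for a POSIX /bin/sh: no "function" keyword, no bashisms.
#

openssl_bin=/usr/bin/openssl

# MinGW is detected only so that the -subj strings further down can use the
# Windows "//C=..\ST=.." form instead of the Unix "/C=../ST=.." form.
uname_s=$(uname -s | grep 'MINGW')
if [ "$uname_s" = "" ] ; then
    mingw=0
else
    mingw=1
fi

# Print a section banner with a timestamp.
#   $1 - section title
section_message() {
    echo ""
    echo "#---------#---------#---------#---------#---------#---------#---------#--------"
    echo "==="
    echo "=== (Section) $1 $(date +'%Y/%m/%d %H:%M:%S')"
    echo "==="
}

# Announce a single test step.
#   $1 - test description
start_message() {
    echo ""
    echo "[TEST] $1"
}

# Abort the whole script when a step failed.
#   $1 - exit status of the previous command
# Exits with that status when it is non-zero (the EXIT trap below then
# tears down any test server still running); prints a success marker
# otherwise.
check_exit_status() {
    status=$1
    if [ "$status" -ne 0 ] ; then
        echo ":-< error occurs, exit status = [ $status ]"
        exit "$status"
    else
        echo ":-) success. "
    fi
}

# Kill test servers that may still be listening when the script exits,
# whether it ends normally or through check_exit_status.  s_server_pid and
# ocsp_svr_pid are assigned in the client/server and OCSP sections; until
# then they are unset and this is a no-op.  Without this, an early failure
# left a background s_server/ocsp responder bound to its port.
cleanup() {
    for pid in ${s_server_pid:-} ${ocsp_svr_pid:-} ; do
        kill -TERM "$pid" 2> /dev/null
    done
}
trap cleanup EXIT

#---------#---------#---------#---------#---------#---------#---------#---------

#
# create ssldir, and all files generated by this script goes under this dir.
#
ssldir="appstest_dir"

if [ -d "$ssldir" ] ; then
    echo "directory [ $ssldir ] exists, this script deletes this directory ..."
    # ${ssldir:?} aborts instead of running "rm -rf ''" should the
    # variable ever be emptied by a later edit.
    /bin/rm -rf -- "${ssldir:?}"
fi

mkdir -p "$ssldir"

# Start from an empty config so nothing from the system openssl.cnf leaks
# into these tests; the real test config is written in the "setup local CA"
# section to this same path.
export OPENSSL_CONF=$ssldir/openssl.cnf
touch "$OPENSSL_CONF"

user1_dir=$ssldir/user1
mkdir -p "$user1_dir"

key_dir=$ssldir/key
mkdir -p "$key_dir"

#---------#---------#---------#---------#---------#---------#---------#---------

# === COMMAND USAGE ===
section_message "COMMAND USAGE"

start_message "output usages of all commands."

# The usage text goes to stderr; it is only collected here, the exit status
# of "-help" is deliberately not checked.
# $cmds is word-split on purpose: one command name per word.
cmds=$("$openssl_bin" list-standard-commands)
"$openssl_bin" -help 2>> "$user1_dir/usages.out"
for c in $cmds ; do
    "$openssl_bin" "$c" -help 2>> "$user1_dir/usages.out"
done

start_message "check all list-* commands."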
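# Every list-* sub-command is run and its output appended to lists.out.
# $lists is word-split on purpose (one sub-command per word).
lists=""
lists="$lists list-standard-commands"
lists="$lists list-message-digest-commands list-message-digest-algorithms"
lists="$lists list-cipher-commands list-cipher-algorithms"
lists="$lists list-public-key-algorithms"

listsfile=$user1_dir/lists.out

for l in $lists ; do
    echo "" >> "$listsfile"
    echo "$l" >> "$listsfile"
    "$openssl_bin" "$l" >> "$listsfile"
    # The step is called "check"; make it one - a failing list-* command
    # used to go unnoticed.
    check_exit_status $?
done

start_message "check interactive mode"
"$openssl_bin" <<__EOF__
help
quit
__EOF__
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- listing operations ---
section_message "listing operations"

start_message "ciphers"
"$openssl_bin" ciphers -V
check_exit_status $?

start_message "errstr"
"$openssl_bin" errstr 2606A074
check_exit_status $?
"$openssl_bin" errstr -stats 2606A074 > "$user1_dir/errstr-stats.out"
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- random number etc. operations ---
section_message "random number etc. operations"

start_message "passwd"

pass="test-pass-1234"

# -stdin keeps the password out of argv (and out of "ps").  -1, -apr1 and
# -crypt are legacy password hash formats; they are exercised for command
# coverage only and are not a recommendation for storing credentials.
echo "$pass" | "$openssl_bin" passwd -stdin -1
check_exit_status $?

echo "$pass" | "$openssl_bin" passwd -stdin -apr1
check_exit_status $?

echo "$pass" | "$openssl_bin" passwd -stdin -crypt
check_exit_status $?

start_message "prime"

"$openssl_bin" prime 1
check_exit_status $?

"$openssl_bin" prime 2
check_exit_status $?

# Arguments kept exactly as the original test passes them.
"$openssl_bin" prime -bits 64 -checks 3 -generate -hex -safe 5
check_exit_status $?

start_message "rand"

"$openssl_bin" rand -base64 100
check_exit_status $?

"$openssl_bin" rand -hex 100
check_exit_status $?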
151 152#---------#---------#---------#---------#---------#---------#---------#--------- 153 154# === MESSAGE DIGEST COMMANDS === 155section_message "MESSAGE DIGEST COMMANDS" 156 157start_message "dgst - See [MESSAGE DIGEST COMMANDS] section." 158 159text="1234567890abcdefghijklmnopqrstuvwxyz" 160dgstdat=$user1_dir/dgst.dat 161echo $text > $dgstdat 162hmac_key="test-hmac-key" 163cmac_key="1234567890abcde1234567890abcde12" 164 165digests=`$openssl_bin list-message-digest-commands` 166 167for d in $digests ; do 168 169 echo -n "$d ... " 170 $openssl_bin dgst -$d -out $dgstdat.$d $dgstdat 171 check_exit_status $? 172 173 echo -n "$d HMAC ... " 174 $openssl_bin dgst -$d -hmac $hmac_key -out $dgstdat.$d.hmac $dgstdat 175 check_exit_status $? 176 177 echo -n "$d CMAC ... " 178 $openssl_bin dgst -$d -mac cmac -macopt cipher:aes-128-cbc -macopt hexkey:$cmac_key \ 179 -out $dgstdat.$d.cmac $dgstdat 180 check_exit_status $? 181done 182 183#---------#---------#---------#---------#---------#---------#---------#--------- 184 185# === ENCODING AND CIPHER COMMANDS === 186section_message "ENCODING AND CIPHER COMMANDS" 187 188start_message "enc - See [ENCODING AND CIPHER COMMANDS] section." 189 190text="1234567890abcdefghijklmnopqrstuvwxyz" 191encfile=$user1_dir/encfile.dat 192echo $text > $encfile 193pass="test-pass-1234" 194 195ciphers=`$openssl_bin list-cipher-commands` 196 197for c in $ciphers ; do 198 echo -n "$c ... encoding ... " 199 $openssl_bin enc -$c -e -base64 -pass pass:$pass -in $encfile -out $encfile-$c.enc 200 check_exit_status $? 201 202 echo -n "decoding ... " 203 $openssl_bin enc -$c -d -base64 -pass pass:$pass -in $encfile-$c.enc -out $encfile-$c.dec 204 check_exit_status $? 205 206 echo -n "cmp ... " 207 cmp $encfile $encfile-$c.dec 208 check_exit_status $? 
209done 210 211#---------#---------#---------#---------#---------#---------#---------#--------- 212 213# === various KEY operations === 214section_message "various KEY operations" 215 216key_pass=test-key-pass 217 218# DH 219 220start_message "gendh - Obsoleted by dhparam." 221gendh2=$key_dir/gendh2.pem 222$openssl_bin gendh -2 -out $gendh2 223check_exit_status $? 224 225start_message "dh - Obsoleted by dhparam." 226$openssl_bin dh -in $gendh2 -check -text -out $gendh2.out 227check_exit_status $? 228 229start_message "dhparam - Superseded by genpkey and pkeyparam." 230dhparam2=$key_dir/dhparam2.pem 231$openssl_bin dhparam -2 -out $dhparam2 232check_exit_status $? 233$openssl_bin dhparam -in $dhparam2 -check -text -out $dhparam2.out 234check_exit_status $? 235 236# DSA 237 238start_message "dsaparam - Superseded by genpkey and pkeyparam." 239dsaparam512=$key_dir/dsaparam512.pem 240$openssl_bin dsaparam -genkey -out $dsaparam512 512 241check_exit_status $? 242 243start_message "dsa" 244$openssl_bin dsa -in $dsaparam512 -text -out $dsaparam512.out 245check_exit_status $? 246 247start_message "gendsa - Superseded by genpkey and pkey." 248gendsa_des3=$key_dir/gendsa_des3.pem 249$openssl_bin gendsa -des3 -out $gendsa_des3 -passout pass:$key_pass $dsaparam512 250check_exit_status $? 251 252# RSA 253 254start_message "genrsa - Superseded by genpkey." 255genrsa_aes256=$key_dir/genrsa_aes256.pem 256$openssl_bin genrsa -f4 -aes256 -out $genrsa_aes256 -passout pass:$key_pass 2048 257check_exit_status $? 258 259start_message "rsa" 260$openssl_bin rsa -in $genrsa_aes256 -passin pass:$key_pass -check -text -out $genrsa_aes256.out 261check_exit_status $? 262 263start_message "rsautl - Superseded by pkeyutl." 264rsautldat=$key_dir/rsautl.dat 265rsautlsig=$key_dir/rsautl.sig 266echo "abcdefghijklmnopqrstuvwxyz1234567890" > $rsautldat 267 268$openssl_bin rsautl -sign -in $rsautldat -inkey $genrsa_aes256 -passin pass:$key_pass -out $rsautlsig 269check_exit_status $? 
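"$openssl_bin" rsautl -verify -in "$rsautlsig" -inkey "$genrsa_aes256" -passin "pass:$key_pass"
check_exit_status $?

# EC

start_message "ecparam -list-curves"
"$openssl_bin" ecparam -list_curves
check_exit_status $?

# get all EC curves: the curve name is the text before the first ':' on
# each line of -list_curves output.  Word-split on purpose below.
ec_curves=$("$openssl_bin" ecparam -list_curves | grep ':' | cut -d ':' -f 1)

start_message "ecparam and ec"

# Generate a key for every curve the build supports, with explicit
# parameter encoding and compressed points, and dump it again with "ec".
for curve in $ec_curves ; do
    ecparam=$key_dir/ecparam_$curve.pem

    printf 'ec - %s ... ecparam ... ' "$curve"
    "$openssl_bin" ecparam -out "$ecparam" -name "$curve" -genkey -param_enc explicit \
        -conv_form compressed -C
    check_exit_status $?

    printf 'ec ... '
    # stderr used to be thrown away; keep it per curve so a failure here
    # still leaves a diagnostic next to the key that caused it.
    "$openssl_bin" ec -in "$ecparam" -text -out "$ecparam.out" 2> "$ecparam.err"
    check_exit_status $?
done

# PKEY

start_message "genpkey"

# The genpkey keys below are written without any -pass/-cipher option,
# i.e. unencrypted on disk.  Parameter sizes (1024-bit DH/DSA) are test
# sizes, not recommendations.

# DH by GENPKEY

genpkey_dh_param=$key_dir/genpkey_dh_param.pem
"$openssl_bin" genpkey -genparam -algorithm DH -out "$genpkey_dh_param" \
    -pkeyopt dh_paramgen_prime_len:1024
check_exit_status $?

genpkey_dh=$key_dir/genpkey_dh.pem
"$openssl_bin" genpkey -paramfile "$genpkey_dh_param" -out "$genpkey_dh"
check_exit_status $?

# DSA by GENPKEY

genpkey_dsa_param=$key_dir/genpkey_dsa_param.pem
"$openssl_bin" genpkey -genparam -algorithm DSA -out "$genpkey_dsa_param" \
    -pkeyopt dsa_paramgen_bits:1024
check_exit_status $?

genpkey_dsa=$key_dir/genpkey_dsa.pem
"$openssl_bin" genpkey -paramfile "$genpkey_dsa_param" -out "$genpkey_dsa"
check_exit_status $?

# RSA by GENPKEY

# rsa_keygen_pubexp:3 exercises the option; a public exponent of 3 is a
# legacy choice and not what you want for production keys.
genpkey_rsa=$key_dir/genpkey_rsa.pem
"$openssl_bin" genpkey -algorithm RSA -out "$genpkey_rsa" \
    -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3
check_exit_status $?

# EC by GENPKEY

genpkey_ec_param=$key_dir/genpkey_ec_param.pem
"$openssl_bin" genpkey -genparam -algorithm EC -out "$genpkey_ec_param" \
    -pkeyopt ec_paramgen_curve:secp384r1
check_exit_status $?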
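genpkey_ec=$key_dir/genpkey_ec.pem
"$openssl_bin" genpkey -paramfile "$genpkey_ec_param" -out "$genpkey_ec"
check_exit_status $?

start_message "pkeyparam"

# Dump each genpkey parameter file as text.
"$openssl_bin" pkeyparam -in "$genpkey_dh_param" -text -out "$genpkey_dh_param.out"
check_exit_status $?

"$openssl_bin" pkeyparam -in "$genpkey_dsa_param" -text -out "$genpkey_dsa_param.out"
check_exit_status $?

"$openssl_bin" pkeyparam -in "$genpkey_ec_param" -text -out "$genpkey_ec_param.out"
check_exit_status $?

start_message "pkey"

# Dump each genpkey private key as text.
"$openssl_bin" pkey -in "$genpkey_dh" -text -out "$genpkey_dh.out"
check_exit_status $?

"$openssl_bin" pkey -in "$genpkey_dsa" -text -out "$genpkey_dsa.out"
check_exit_status $?

"$openssl_bin" pkey -in "$genpkey_rsa" -text -out "$genpkey_rsa.out"
check_exit_status $?

"$openssl_bin" pkey -in "$genpkey_ec" -text -out "$genpkey_ec.out"
check_exit_status $?

start_message "pkeyutl"

pkeyutldat=$key_dir/pkeyutl.dat
pkeyutlsig=$key_dir/pkeyutl.sig
echo "abcdefghijklmnopqrstuvwxyz1234567890" > "$pkeyutldat"

# sign / verify / verifyrecover with the unencrypted genpkey RSA key.  No
# digest option is given, so pkeyutl operates on the input bytes directly,
# which is why a short fixed message is used.
"$openssl_bin" pkeyutl -sign -in "$pkeyutldat" -inkey "$genpkey_rsa" -out "$pkeyutlsig"
check_exit_status $?

"$openssl_bin" pkeyutl -verify -in "$pkeyutldat" -sigfile "$pkeyutlsig" -inkey "$genpkey_rsa"
check_exit_status $?

"$openssl_bin" pkeyutl -verifyrecover -in "$pkeyutlsig" -inkey "$genpkey_rsa"
check_exit_status $?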
382 383#---------#---------#---------#---------#---------#---------#---------#--------- 384 385section_message "setup local CA" 386 387# 388# prepare test openssl.cnf 389# 390 391ca_dir=$ssldir/testCA 392tsa_dir=$ssldir/testTSA 393ocsp_dir=$ssldir/testOCSP 394server_dir=$ssldir/server 395 396cat << __EOF__ > $ssldir/openssl.cnf 397oid_section = new_oids 398[ new_oids ] 399tsa_policy1 = 1.2.3.4.1 400tsa_policy2 = 1.2.3.4.5.6 401tsa_policy3 = 1.2.3.4.5.7 402[ ca ] 403default_ca = CA_default 404[ CA_default ] 405dir = ./$ca_dir 406crl_dir = \$dir/crl 407database = \$dir/index.txt 408new_certs_dir = \$dir/newcerts 409serial = \$dir/serial 410crlnumber = \$dir/crlnumber 411default_days = 1 412default_md = default 413policy = policy_match 414[ policy_match ] 415countryName = match 416stateOrProvinceName = match 417organizationName = match 418organizationalUnitName = optional 419commonName = supplied 420emailAddress = optional 421[ req ] 422distinguished_name = req_distinguished_name 423[ req_distinguished_name ] 424countryName = Country Name 425countryName_default = JP 426countryName_min = 2 427countryName_max = 2 428stateOrProvinceName = State or Province Name 429stateOrProvinceName_default = Tokyo 430organizationName = Organization Name 431organizationName_default = TEST_DUMMY_COMPANY 432commonName = Common Name 433[ tsa ] 434default_tsa = tsa_config1 435[ tsa_config1 ] 436dir = ./$tsa_dir 437serial = \$dir/serial 438crypto_device = builtin 439digests = sha1, sha256, sha384, sha512 440default_policy = tsa_policy1 441other_policies = tsa_policy2, tsa_policy3 442[ tsa_ext ] 443keyUsage = critical,nonRepudiation 444extendedKeyUsage = critical,timeStamping 445[ ocsp_ext ] 446basicConstraints = CA:FALSE 447keyUsage = nonRepudiation,digitalSignature,keyEncipherment 448extendedKeyUsage = OCSPSigning 449__EOF__ 450 451#---------#---------#---------#---------#---------#---------#---------#--------- 452 453# 454# setup test CA 455# 456 457mkdir -p $ca_dir 458mkdir -p $tsa_dir 
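mkdir -p "$ocsp_dir"
mkdir -p "$server_dir"

# Layout expected by the [ CA_default ] section of openssl.cnf.  private/
# is 0700 because the CA key lands there.
mkdir -p "$ca_dir/certs"
mkdir -p "$ca_dir/private"
mkdir -p "$ca_dir/crl"
mkdir -p "$ca_dir/newcerts"
chmod 700 "$ca_dir/private"
echo "01" > "$ca_dir/serial"
touch "$ca_dir/index.txt"
touch "$ca_dir/crlnumber"
echo "01" > "$ca_dir/crlnumber"

#
# setup test TSA
#
mkdir -p "$tsa_dir/private"
chmod 700 "$tsa_dir/private"
echo "01" > "$tsa_dir/serial"
touch "$tsa_dir/index.txt"

#
# setup test OCSP
#
mkdir -p "$ocsp_dir/private"
chmod 700 "$ocsp_dir/private"

#---------#---------#---------#---------#---------#---------#---------#---------

# --- CA initiate (generate CA key and cert) ---

start_message "req ... generate CA key and self signed cert"

ca_cert=$ca_dir/ca_cert.pem
ca_key=$ca_dir/private/ca_key.pem
# Fixed test password; it is passed on argv (-passout/-key/-passin) and is
# therefore visible in the process list.  Fine for a throw-away CA only.
ca_pass=test-ca-pass

# The MinGW form used to say CN=testTSA here (copy/paste from the TSA
# block); the CA's CN is testCA on both platforms.
if [ "$mingw" = 0 ] ; then
    subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testCA.test_dummy.com/'
else
    subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testCA.test_dummy.com\'
fi

# Self-signed root, valid for one day only.
"$openssl_bin" req -new -x509 -newkey rsa:2048 -out "$ca_cert" -keyout "$ca_key" \
    -days 1 -passout "pass:$ca_pass" -batch -subj "$subj"
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- TSA initiate (generate TSA key and cert) ---

start_message "req ... generate TSA key and cert"

# generate CSR for TSA

tsa_csr=$tsa_dir/tsa_csr.pem
tsa_key=$tsa_dir/private/tsa_key.pem
tsa_pass=test-tsa-pass

if [ "$mingw" = 0 ] ; then
    subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testTSA.test_dummy.com/'
else
    subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testTSA.test_dummy.com\'
fi

"$openssl_bin" req -new -keyout "$tsa_key" -out "$tsa_csr" -passout "pass:$tsa_pass" -subj "$subj"
check_exit_status $?

start_message "ca ... sign by CA with TSA extensions"

tsa_cert=$tsa_dir/tsa_cert.pem

# "-key <password>" is the ca(1) spelling for the CA key password; it is
# exercised here, while the CRL step below uses the -passin form.  Both
# put the password on argv.
"$openssl_bin" ca -batch -cert "$ca_cert" -keyfile "$ca_key" -key "$ca_pass" \
    -in "$tsa_csr" -out "$tsa_cert" -extensions tsa_ext
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- OCSP initiate (generate OCSP key and cert) ---

start_message "req ... generate OCSP key and cert"

# generate CSR for OCSP

ocsp_csr=$ocsp_dir/ocsp_csr.pem
ocsp_key=$ocsp_dir/private/ocsp_key.pem

if [ "$mingw" = 0 ] ; then
    subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testOCSP.test_dummy.com/'
else
    subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testOCSP.test_dummy.com\'
fi

# -nodes: the responder key is written unencrypted so the OCSP responder
# can later be started non-interactively; it is protected only by the
# 0700 private/ directory.
"$openssl_bin" req -new -keyout "$ocsp_key" -nodes -out "$ocsp_csr" -subj "$subj"
check_exit_status $?

start_message "ca ... sign by CA with OCSP extensions"

ocsp_cert=$ocsp_dir/ocsp_cert.pem

"$openssl_bin" ca -batch -cert "$ca_cert" -keyfile "$ca_key" -key "$ca_pass" \
    -in "$ocsp_csr" -out "$ocsp_cert" -extensions ocsp_ext
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- server-admin operations (generate server key and csr) ---
section_message "server-admin operations (generate server key and csr)"

start_message "req ... generate server csr#1"

server_key=$server_dir/server_key.pem
server_csr=$server_dir/server_csr.pem
server_pass=test-server-pass

if [ "$mingw" = 0 ] ; then
    subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=localhost.test_dummy.com/'
else
    subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=localhost.test_dummy.com\'
fi

"$openssl_bin" req -new -keyout "$server_key" -out "$server_csr" -passout "pass:$server_pass" -subj "$subj"
check_exit_status $?

start_message "req ... generate server csr#2 (interactive mode)"

revoke_key=$server_dir/revoke_key.pem
revoke_csr=$server_dir/revoke_csr.pem
revoke_pass=test-revoke-pass

# The answers are fed on stdin in the order of [ req_distinguished_name ]
# in openssl.cnf: C, ST, O, CN.
"$openssl_bin" req -new -keyout "$revoke_key" -out "$revoke_csr" -passout "pass:$revoke_pass" <<__EOF__
JP
Tokyo
TEST_DUMMY_COMPANY
revoke.test_dummy.com
__EOF__
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- CA operations (issue cert for server) ---
section_message "CA operations (issue cert for server)"

start_message "ca ... issue cert for server csr#1"

server_cert=$server_dir/server_cert.pem
"$openssl_bin" ca -batch -cert "$ca_cert" -keyfile "$ca_key" -key "$ca_pass" \
    -in "$server_csr" -out "$server_cert"
check_exit_status $?

start_message "x509 ... issue cert for server csr#2"

# cert#2 is issued with "x509 -req" and its own .srl serial file
# (-CAcreateserial) rather than through the CA database; it only enters
# index.txt when it is revoked below.
revoke_cert=$server_dir/revoke_cert.pem
"$openssl_bin" x509 -req -in "$revoke_csr" -CA "$ca_cert" -CAkey "$ca_key" -passin "pass:$ca_pass" \
    -CAcreateserial -out "$revoke_cert"
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- CA operations (revoke cert and generate crl) ---
section_message "CA operations (revoke cert and generate crl)"

start_message "ca ... revoke server cert#2"
crl_file=$ca_dir/crl.pem
"$openssl_bin" ca -gencrl -out "$crl_file" -crldays 30 -revoke "$revoke_cert" \
    -keyfile "$ca_key" -passin "pass:$ca_pass" -cert "$ca_cert"
check_exit_status $?

start_message "crl ... CA generates CRL"
"$openssl_bin" crl -in "$crl_file" -fingerprint
check_exit_status $?

crl_p7=$ca_dir/crl.p7
start_message "crl2pkcs7 ... convert CRL to pkcs7"
"$openssl_bin" crl2pkcs7 -in "$crl_file" -certfile "$ca_cert" -out "$crl_p7"
check_exit_status $?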
634 635#---------#---------#---------#---------#---------#---------#---------#--------- 636 637# --- server-admin operations (check csr, verify cert, certhash) --- 638section_message "server-admin operations (check csr, verify cert, certhash)" 639 640start_message "asn1parse ... parse server csr#1" 641$openssl_bin asn1parse -in $server_csr -i \ 642 -dlimit 100 -length 1000 -strparse 01 > $server_csr.asn1parse.out 643check_exit_status $? 644 645start_message "verify ... server cert#1" 646$openssl_bin verify -verbose -CAfile $ca_cert $server_cert 647check_exit_status $? 648 649start_message "x509 ... get detail info about server cert#1" 650$openssl_bin x509 -in $server_cert -text -C -dates -startdate -enddate \ 651 -fingerprint -issuer -issuer_hash -issuer_hash_old \ 652 -subject -subject_hash -subject_hash_old -ocsp_uri -ocspid -modulus \ 653 -pubkey -serial -email > $server_cert.x509.out 654check_exit_status $? 655 656if [ $mingw = 0 ] ; then 657 start_message "certhash" 658 $openssl_bin certhash -v $server_dir 659 check_exit_status $? 660fi 661 662# self signed 663start_message "x509 ... generate self signed server cert" 664server_self_cert=$server_dir/server_self_cert.pem 665$openssl_bin x509 -in $server_cert -signkey $server_key -passin pass:$server_pass -out $server_self_cert 666check_exit_status $? 667 668#---------#---------#---------#---------#---------#---------#---------#--------- 669 670# --- Netscape SPKAC operations --- 671section_message "Netscape SPKAC operations" 672 673# server-admin generates SPKAC 674 675start_message "spkac" 676spkacfile=$server_dir/spkac.file 677 678$openssl_bin spkac -key $genpkey_rsa -challenge hello -out $spkacfile 679check_exit_status $? 680 681$openssl_bin spkac -in $spkacfile -verify -out $spkacfile.out 682check_exit_status $? 
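# A SPKAC request for "openssl ca -spkac" is the DN attributes followed by
# the SPKAC line itself.
spkacreq=$server_dir/spkac.req
cat << __EOF__ > "$spkacreq"
countryName = JP
stateOrProvinceName = Tokyo
organizationName = TEST_DUMMY_COMPANY
commonName = spkac.test_dummy.com
__EOF__
cat "$spkacfile" >> "$spkacreq"

# CA signs SPKAC
start_message "ca ... CA signs SPKAC csr"
spkaccert=$server_dir/spkac.cert
"$openssl_bin" ca -batch -cert "$ca_cert" -keyfile "$ca_key" -key "$ca_pass" \
    -spkac "$spkacreq" -out "$spkaccert"
check_exit_status $?

# "ca -spkac" writes the certificate in DER.
start_message "x509 ... convert DER format SPKAC cert to PEM"
spkacpem=$server_dir/spkac.pem
"$openssl_bin" x509 -in "$spkaccert" -inform DER -out "$spkacpem" -outform PEM
check_exit_status $?

# server-admin cert verify

start_message "nseq"
"$openssl_bin" nseq -in "$spkacpem" -toseq -out "$spkacpem.nseq"
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- user1 operations (generate user1 key and csr) ---
section_message "user1 operations (generate user1 key and csr)"

# trust: write a "trusted certificate" copy of the CA cert.  It is produced
# for command coverage; the verifications that follow pass -CAfile $ca_cert
# directly.
start_message "x509 ... trust testCA cert"
user1_trust=$user1_dir/user1_trust_ca.pem
"$openssl_bin" x509 -in "$ca_cert" -addtrust clientAuth -setalias "trusted testCA" -purpose -out "$user1_trust"
check_exit_status $?

start_message "req ... generate private key and csr for user1"

user1_key=$user1_dir/user1_key.pem
user1_csr=$user1_dir/user1_csr.pem
user1_pass=test-user1-pass

if [ "$mingw" = 0 ] ; then
    subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user1.test_dummy.com/'
else
    subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user1.test_dummy.com\'
fi

"$openssl_bin" req -new -keyout "$user1_key" -out "$user1_csr" -passout "pass:$user1_pass" -subj "$subj"
check_exit_status $?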
736 737#---------#---------#---------#---------#---------#---------#---------#--------- 738 739# --- CA operations (issue cert for user1) --- 740section_message "CA operations (issue cert for user1)" 741 742start_message "ca ... issue cert for user1" 743 744user1_cert=$user1_dir/user1_cert.pem 745$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 746 -in $user1_csr -out $user1_cert 747check_exit_status $? 748 749#---------#---------#---------#---------#---------#---------#---------#--------- 750 751# --- TSA operations --- 752section_message "TSA operations" 753 754tsa_dat=$user1_dir/tsa.dat 755cat << __EOF__ > $tsa_dat 756Hello Bob, 757Sincerely yours 758Alice 759__EOF__ 760 761# Query 762start_message "ts ... create time stamp request" 763 764tsa_tsq=$user1_dir/tsa.tsq 765 766$openssl_bin ts -query -sha1 -data $tsa_dat -no_nonce -out $tsa_tsq 767check_exit_status $? 768 769start_message "ts ... print time stamp request" 770 771$openssl_bin ts -query -in $tsa_tsq -text 772check_exit_status $? 773 774# Reply 775start_message "ts ... create time stamp response for a request" 776 777tsa_tsr=$user1_dir/tsa.tsr 778 779$openssl_bin ts -reply -queryfile $tsa_tsq -inkey $tsa_key -passin pass:$tsa_pass \ 780 -signer $tsa_cert -chain $ca_cert -out $tsa_tsr 781check_exit_status $? 782 783# Verify 784start_message "ts ... verify time stamp response" 785 786$openssl_bin ts -verify -queryfile $tsa_tsq -in $tsa_tsr -CAfile $ca_cert -untrusted $tsa_cert 787check_exit_status $? 788 789#---------#---------#---------#---------#---------#---------#---------#--------- 790 791# --- S/MIME operations --- 792section_message "S/MIME operations" 793 794smime_txt=$user1_dir/smime.txt 795smime_msg=$user1_dir/smime.msg 796smime_ver=$user1_dir/smime.ver 797 798cat << __EOF__ > $smime_txt 799Hello Bob, 800Sincerely yours 801Alice 802__EOF__ 803 804# sign 805start_message "smime ... 
sign to message" 806 807$openssl_bin smime -sign -in $smime_txt -text -out $smime_msg \ 808 -signer $user1_cert -inkey $user1_key -passin pass:$user1_pass 809check_exit_status $? 810 811# verify 812start_message "smime ... verify message" 813 814$openssl_bin smime -verify -in $smime_msg -signer $user1_cert -CAfile $ca_cert -out $smime_ver 815check_exit_status $? 816 817#---------#---------#---------#---------#---------#---------#---------#--------- 818 819# --- OCSP operations --- 820section_message "OCSP operations" 821 822# request 823start_message "ocsp ... create OCSP request" 824 825ocsp_req=$user1_dir/ocsp_req.der 826$openssl_bin ocsp -issuer $ca_cert -cert $server_cert -cert $revoke_cert \ 827 -CAfile $ca_cert -reqout $ocsp_req 828check_exit_status $? 829 830# response 831start_message "ocsp ... create OCPS response for a request" 832 833ocsp_res=$user1_dir/ocsp_res.der 834$openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert -CAfile $ca_cert \ 835 -rsigner $ocsp_cert -rkey $ocsp_key -reqin $ocsp_req -respout $ocsp_res -text > $ocsp_res.out 2>&1 836check_exit_status $? 837 838# ocsp server 839start_message "ocsp ... start OCSP server in background" 840 841ocsp_port=8888 842 843$openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert -CAfile $ca_cert \ 844 -rsigner $ocsp_cert -rkey $ocsp_key -port '*:'$ocsp_port -nrequest 1 & 845check_exit_status $? 846ocsp_svr_pid=$! 847echo "ocsp server pid = [ $ocsp_svr_pid ]" 848sleep 1 849 850# send query to oscp server 851start_message "ocsp ... send OCSP request to server" 852 853ocsp_qry=$user1_dir/ocsp_qry.der 854$openssl_bin ocsp -issuer $ca_cert -cert $server_cert -cert $revoke_cert \ 855 -CAfile $ca_cert -url http://localhost:$ocsp_port -resp_text -respout $ocsp_qry > $ocsp_qry.out 2>&1 856check_exit_status $? 
857 858#---------#---------#---------#---------#---------#---------#---------#--------- 859 860# --- PKCS operations --- 861section_message "PKCS operations" 862 863pkcs_pass=test-pkcs-pass 864 865start_message "pkcs7 ... output certs in crl(pkcs7)" 866$openssl_bin pkcs7 -in $crl_p7 -print_certs -text -out $crl_p7.out 867check_exit_status $? 868 869start_message "pkcs8 ... convert key to pkcs8" 870$openssl_bin pkcs8 -in $user1_key -topk8 -out $user1_key.p8 \ 871 -passin pass:$user1_pass -passout pass:$user1_pass -v1 pbeWithSHA1AndDES-CBC -v2 des3 872check_exit_status $? 873 874start_message "pkcs8 ... convert pkcs8 to key in DER format" 875$openssl_bin pkcs8 -in $user1_key.p8 -passin pass:$user1_pass -outform DER -out $user1_key.p8.der 876check_exit_status $? 877 878start_message "pkcs12 ... create" 879$openssl_bin pkcs12 -export -in $server_cert -inkey $server_key -passin pass:$server_pass \ 880 -certfile $ca_cert -CAfile $ca_cert -caname "server_p12" -passout pass:$pkcs_pass \ 881 -certpbe AES-256-CBC -keypbe AES-256-CBC -chain -out $server_cert.p12 882check_exit_status $? 883 884start_message "pkcs12 ... verify" 885$openssl_bin pkcs12 -in $server_cert.p12 -passin pass:$pkcs_pass -info -noout 886check_exit_status $? 887 888start_message "pkcs12 ... to PEM" 889$openssl_bin pkcs12 -in $server_cert.p12 -passin pass:$pkcs_pass \ 890 -passout pass:$pkcs_pass -out $server_cert.p12.pem 891check_exit_status $? 892 893#---------#---------#---------#---------#---------#---------#---------#--------- 894 895# --- client/server operations --- 896section_message "client/server operations" 897 898host="localhost" 899port=4433 900sess_log=$user1_dir/s_client_sess.log 901s_client_out=$user1_dir/s_client.out 902 903start_message "s_server ... 
start SSL/TLS test server" 904$openssl_bin s_server -accept $port -CAfile $ca_cert \ 905 -cert $server_cert -key $server_key -pass pass:$server_pass \ 906 -context "appstest.sh" -id_prefix "APPSTEST.SH" \ 907 -crl_check -no_ssl2 -no_ssl3 -no_tls1 \ 908 -nextprotoneg "http/1.1,spdy/3" -alpn "http/1.1,spdy/3" \ 909 -www -quiet & 910check_exit_status $? 911s_server_pid=$! 912echo "s_server pid = [ $s_server_pid ]" 913sleep 1 914 915start_message "s_client ... connect to SSL/TLS test server" 916$openssl_bin s_client -connect $host:$port -CAfile $ca_cert \ 917 -showcerts -crl_check -issuer_checks -policy_check -pause -prexit \ 918 -nextprotoneg "spdy/3,http/1.1" -alpn "spdy/3,http/1.1" \ 919 -sess_out $sess_log < /dev/null > $s_client_out 2>&1 920check_exit_status $? 921 922start_message "s_time ... connect to SSL/TLS test server" 923$openssl_bin s_time -connect $host:$port -CAfile $ca_cert -time 2 924check_exit_status $? 925 926start_message "sess_id" 927$openssl_bin sess_id -in $sess_log -text -out $sess_log.out 928check_exit_status $? 929 930sleep 1 931kill -TERM $s_server_pid 932wait $s_server_pid 933 934#---------#---------#---------#---------#---------#---------#---------#--------- 935 936# === PERFORMANCE === 937section_message "PERFORMANCE" 938 939start_message "speed" 940$openssl_bin speed sha512 rsa2048 -multi 2 -elapsed 941check_exit_status $? 942 943#---------#---------#---------#---------#---------#---------#---------#--------- 944 945# --- VERSION INFORMATION --- 946section_message "VERSION INFORMATION" 947 948start_message "version" 949$openssl_bin version -a 950check_exit_status $? 951 952#---------#---------#---------#---------#---------#---------#---------#--------- 953 954section_message "END" 955 956exit 0 957 958