appstest.sh revision 1.10
#!/bin/sh
#
# $OpenBSD: appstest.sh,v 1.10 2018/09/07 14:11:39 inoguchi Exp $
#
# Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

#
# appstest.sh - test script for openssl command according to man OPENSSL(1)
#
# input  : none
# output : all files generated by this script go under $ssldir
#
# The script is a linear sequence of openssl(1) invocations; every step is
# followed by check_exit_status, which aborts the whole run on the first
# non-zero exit status.  All keys, passphrases and certificates created
# here are throwaway test fixtures (short lifetimes, passphrases on the
# command line) and must never be reused outside this directory.
#
# NOTE(review): the script uses "function name {" and "echo -n", which are
# ksh/bash extensions rather than POSIX sh; fine where /bin/sh is ksh
# (OpenBSD) -- confirm before running under another /bin/sh.
#

# The binary under test.  OPENSSL in the environment overrides the default,
# so a tester can point the suite at a freshly built openssl(1).
openssl_bin=${OPENSSL:-/usr/bin/openssl}

# Detect MinGW: it needs differently escaped -subj strings and has no
# certhash command, see the $mingw checks further down.
uname_s=`uname -s | grep 'MINGW'`
if [ "$uname_s" = "" ] ; then
        mingw=0
else
        mingw=1
fi

# Print a section banner with a timestamp.
# Arguments: $1 - section title
function section_message {
        echo ""
        echo "#---------#---------#---------#---------#---------#---------#---------#--------"
        echo "==="
        echo "=== (Section) $1 `date +'%Y/%m/%d %H:%M:%S'`"
        echo "==="
}

# Print the header for a single test step.
# Arguments: $1 - description of the step
function start_message {
        echo ""
        echo "[TEST] $1"
}

# Terminate the background s_server started in the TLS section, if any.
# Globals: s_server_pid (read, then cleared so a second call is a no-op)
# Sends TERM (not KILL) and waits so the listener does not linger past
# the test run.
function stop_s_server {
        if [ ! -z "$s_server_pid" ] ; then
                echo ":-| stop s_server [ $s_server_pid ]"
                sleep 1
                kill -TERM $s_server_pid
                wait $s_server_pid
                s_server_pid=
        fi
}

# Abort the run on a non-zero exit status.
# Arguments: $1 - exit status of the command just run (normally $?)
# On failure the background s_server is stopped first so no test
# listener is left behind, then the script exits with that status.
# Note: "$?" immediately after "cmd &" is the status of the fork, not of
# cmd, so this check is only meaningful for foreground commands.
function check_exit_status {
        status=$1
        if [ $status -ne 0 ] ; then
                stop_s_server
                echo ":-< error occurs, exit status = [ $status ]"
                exit $status
        else
                echo ":-) success. "
        fi
}

# Print command line usage.
function usage {
        echo "usage: appstest.sh [-q]"
}

# -q / --quick skips the slow parameter generation and speed tests.
no_long_tests=0

while [ "$1" != "" ]; do
        case $1 in
                -q | --quick ) shift
                        no_long_tests=1
                        ;;
                * ) usage
                        exit 1
        esac
done

#---------#---------#---------#---------#---------#---------#---------#---------

#
# create ssldir, and all files generated by this script goes under this dir.
#
# $ssldir is a fixed relative name, so the rm -rf below only ever removes
# a previous run's output under the current working directory.
#
ssldir="appstest_dir"

if [ -d $ssldir ] ; then
        echo "directory [ $ssldir ] exists, this script deletes this directory ..."
        /bin/rm -rf $ssldir
fi

mkdir -p $ssldir

# Start with an empty config so no system-wide openssl.cnf influences the
# early tests; the "setup local CA" section overwrites it with the test CA
# configuration.
export OPENSSL_CONF=$ssldir/openssl.cnf
touch $OPENSSL_CONF

user1_dir=$ssldir/user1
mkdir -p $user1_dir

key_dir=$ssldir/key
mkdir -p $key_dir

#---------#---------#---------#---------#---------#---------#---------#---------

# === COMMAND USAGE ===
section_message "COMMAND USAGE"

start_message "output usages of all commands."

# Usage text goes to stderr, hence the 2>> redirection into usages.out.
# These invocations are not status-checked; they only exercise -help.
cmds=`$openssl_bin list-standard-commands`
$openssl_bin -help 2>> $user1_dir/usages.out
for c in $cmds ; do
        $openssl_bin $c -help 2>> $user1_dir/usages.out
done

start_message "check all list-* commands."

lists=""
lists="$lists list-standard-commands"
lists="$lists list-message-digest-commands list-message-digest-algorithms"
lists="$lists list-cipher-commands list-cipher-algorithms"
lists="$lists list-public-key-algorithms"

listsfile=$user1_dir/lists.out

for l in $lists ; do
        echo "" >> $listsfile
        echo "$l" >> $listsfile
        $openssl_bin $l >> $listsfile
done

# Feed "help" and "quit" to the openssl prompt via a here-document.
start_message "check interactive mode"
$openssl_bin <<__EOF__
help
quit
__EOF__
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- listing operations ---
section_message "listing operations"

start_message "ciphers"
$openssl_bin ciphers -V
check_exit_status $?
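
start_message "errstr"
# 2606A074 is a fixed library error code used only to exercise the
# error-string lookup; -stats additionally dumps the error table stats.
$openssl_bin errstr 2606A074
check_exit_status $?
$openssl_bin errstr -stats 2606A074 > $user1_dir/errstr-stats.out
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- random number etc. operations ---
section_message "random number etc. operations"

start_message "passwd"

# Throwaway test password.  It is fed on stdin (-stdin) rather than as an
# argument, which is also the right way to do it outside a test: argv is
# visible to other users via ps(1).
pass="test-pass-1234"

# -1 (md5crypt), -apr1 and -crypt (DES crypt) are legacy hash formats;
# they are exercised here for command coverage, not as a recommendation.
echo $pass | $openssl_bin passwd -stdin -1
check_exit_status $?

echo $pass | $openssl_bin passwd -stdin -apr1
check_exit_status $?

echo $pass | $openssl_bin passwd -stdin -crypt
check_exit_status $?

start_message "prime"

$openssl_bin prime 1
check_exit_status $?

$openssl_bin prime 2
check_exit_status $?

# Generate 5 safe 64-bit primes with 3 Miller-Rabin rounds, hex output.
$openssl_bin prime -bits 64 -checks 3 -generate -hex -safe 5
check_exit_status $?

start_message "rand"

$openssl_bin rand -base64 100
check_exit_status $?

$openssl_bin rand -hex 100
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# === MESSAGE DIGEST COMMANDS ===
section_message "MESSAGE DIGEST COMMANDS"

start_message "dgst - See [MESSAGE DIGEST COMMANDS] section."

# Fixed plaintext and MAC keys so the .hmac/.cmac outputs are
# reproducible between runs.  The CMAC key is 32 hex digits = 16 bytes,
# matching aes-128-cbc below.
text="1234567890abcdefghijklmnopqrstuvwxyz"
dgstdat=$user1_dir/dgst.dat
echo $text > $dgstdat
hmac_key="test-hmac-key"
cmac_key="1234567890abcde1234567890abcde12"

digests=`$openssl_bin list-message-digest-commands`

# For every digest command: plain digest, HMAC and CMAC over the same file.
for d in $digests ; do

        echo -n "$d ... "
        $openssl_bin dgst -$d -out $dgstdat.$d $dgstdat
        check_exit_status $?

        echo -n "$d HMAC ... "
        $openssl_bin dgst -$d -hmac $hmac_key -out $dgstdat.$d.hmac $dgstdat
        check_exit_status $?

        echo -n "$d CMAC ... "
        $openssl_bin dgst -$d -mac cmac -macopt cipher:aes-128-cbc -macopt hexkey:$cmac_key \
                -out $dgstdat.$d.cmac $dgstdat
        check_exit_status $?
done

#---------#---------#---------#---------#---------#---------#---------#---------

# === ENCODING AND CIPHER COMMANDS ===
section_message "ENCODING AND CIPHER COMMANDS"

start_message "enc - See [ENCODING AND CIPHER COMMANDS] section."

text="1234567890abcdefghijklmnopqrstuvwxyz"
encfile=$user1_dir/encfile.dat
echo $text > $encfile
pass="test-pass-1234"

ciphers=`$openssl_bin list-cipher-commands`

# Round-trip every cipher command: encrypt to base64, decrypt, and cmp
# against the original so a silently corrupting cipher fails the test.
# "-pass pass:..." exposes the password on argv; acceptable only because
# it is a throwaway test value.
for c in $ciphers ; do
        echo -n "$c ... encoding ... "
        $openssl_bin enc -$c -e -base64 -pass pass:$pass -in $encfile -out $encfile-$c.enc
        check_exit_status $?

        echo -n "decoding ... "
        $openssl_bin enc -$c -d -base64 -pass pass:$pass -in $encfile-$c.enc -out $encfile-$c.dec
        check_exit_status $?

        echo -n "cmp ... "
        cmp $encfile $encfile-$c.dec
        check_exit_status $?
done

#---------#---------#---------#---------#---------#---------#---------#---------

# === various KEY operations ===
section_message "various KEY operations"

# Passphrase protecting the test private keys generated in this section.
key_pass=test-key-pass

# DH

start_message "gendh - Obsoleted by dhparam."
gendh2=$key_dir/gendh2.pem
$openssl_bin gendh -2 -out $gendh2
check_exit_status $?

start_message "dh - Obsoleted by dhparam."
$openssl_bin dh -in $gendh2 -check -text -out $gendh2.out
check_exit_status $?

# dhparam generation is slow, so it is skipped in quick mode.
if [ $no_long_tests = 0 ] ; then
        start_message "dhparam - Superseded by genpkey and pkeyparam."
        dhparam2=$key_dir/dhparam2.pem
        $openssl_bin dhparam -2 -out $dhparam2
        check_exit_status $?
        $openssl_bin dhparam -in $dhparam2 -check -text -out $dhparam2.out
        check_exit_status $?
else
        # Fixed the "SKIPPNG" typo in the skip message.
        start_message "SKIPPING dhparam - Superseded by genpkey and pkeyparam. (quick mode)"
fi

# DSA

start_message "dsaparam - Superseded by genpkey and pkeyparam."
# 512-bit DSA parameters are far below any acceptable size; the small
# size is chosen only to keep the test fast.
dsaparam512=$key_dir/dsaparam512.pem
$openssl_bin dsaparam -genkey -out $dsaparam512 512
check_exit_status $?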

start_message "dsa"
$openssl_bin dsa -in $dsaparam512 -text -out $dsaparam512.out
check_exit_status $?

start_message "gendsa - Superseded by genpkey and pkey."
# Private key is written encrypted (-des3) under $key_pass.
gendsa_des3=$key_dir/gendsa_des3.pem
$openssl_bin gendsa -des3 -out $gendsa_des3 -passout pass:$key_pass $dsaparam512
check_exit_status $?

# RSA

start_message "genrsa - Superseded by genpkey."
# 2048-bit key, public exponent 65537 (-f4), encrypted with AES-256.
genrsa_aes256=$key_dir/genrsa_aes256.pem
$openssl_bin genrsa -f4 -aes256 -out $genrsa_aes256 -passout pass:$key_pass 2048
check_exit_status $?

start_message "rsa"
# -check verifies the key's internal consistency as well as printing it.
$openssl_bin rsa -in $genrsa_aes256 -passin pass:$key_pass -check -text -out $genrsa_aes256.out
check_exit_status $?

start_message "rsautl - Superseded by pkeyutl."
# rsautl is the legacy raw-RSA tool; sign then verify the same blob.
rsautldat=$key_dir/rsautl.dat
rsautlsig=$key_dir/rsautl.sig
echo "abcdefghijklmnopqrstuvwxyz1234567890" > $rsautldat

$openssl_bin rsautl -sign -in $rsautldat -inkey $genrsa_aes256 -passin pass:$key_pass -out $rsautlsig
check_exit_status $?

$openssl_bin rsautl -verify -in $rsautlsig -inkey $genrsa_aes256 -passin pass:$key_pass
check_exit_status $?

# EC

start_message "ecparam -list-curves"
$openssl_bin ecparam -list_curves
check_exit_status $?

# get all EC curves
# The curve name is the text before the ':' on each line of -list_curves.
ec_curves=`$openssl_bin ecparam -list_curves | grep ':' | cut -d ':' -f 1`

start_message "ecparam and ec"

# For every built-in curve: generate parameters plus a key with explicit
# parameter encoding and compressed points (and -C code output), then
# print the key.  stderr of "ec" is discarded, but its exit status is
# still checked.
for curve in $ec_curves ;
do
        ecparam=$key_dir/ecparam_$curve.pem

        echo -n "ec - $curve ... ecparam ... "
        $openssl_bin ecparam -out $ecparam -name $curve -genkey -param_enc explicit \
                -conv_form compressed -C
        check_exit_status $?

        echo -n "ec ... "
        $openssl_bin ec -in $ecparam -text -out $ecparam.out 2> /dev/null
        check_exit_status $?
done

# PKEY

start_message "genpkey"

# The genpkey keys below are written unencrypted (no -pass option) and are
# reused later in the file (pkeyutl, spkac).  1024-bit DH/DSA parameters
# are below current minimums; presumably chosen for speed -- test only.

# DH by GENPKEY

genpkey_dh_param=$key_dir/genpkey_dh_param.pem
$openssl_bin genpkey -genparam -algorithm DH -out $genpkey_dh_param \
        -pkeyopt dh_paramgen_prime_len:1024
check_exit_status $?

genpkey_dh=$key_dir/genpkey_dh.pem
$openssl_bin genpkey -paramfile $genpkey_dh_param -out $genpkey_dh
check_exit_status $?

# DSA by GENPKEY

genpkey_dsa_param=$key_dir/genpkey_dsa_param.pem
$openssl_bin genpkey -genparam -algorithm DSA -out $genpkey_dsa_param \
        -pkeyopt dsa_paramgen_bits:1024
check_exit_status $?

genpkey_dsa=$key_dir/genpkey_dsa.pem
$openssl_bin genpkey -paramfile $genpkey_dsa_param -out $genpkey_dsa
check_exit_status $?

# RSA by GENPKEY

# Public exponent 3 exercises the non-default pubexp path; it is a
# coverage choice, not a recommended production setting.
genpkey_rsa=$key_dir/genpkey_rsa.pem
$openssl_bin genpkey -algorithm RSA -out $genpkey_rsa \
        -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3
check_exit_status $?

# EC by GENPKEY

genpkey_ec_param=$key_dir/genpkey_ec_param.pem
$openssl_bin genpkey -genparam -algorithm EC -out $genpkey_ec_param \
        -pkeyopt ec_paramgen_curve:secp384r1
check_exit_status $?

genpkey_ec=$key_dir/genpkey_ec.pem
$openssl_bin genpkey -paramfile $genpkey_ec_param -out $genpkey_ec
check_exit_status $?

start_message "pkeyparam"

# Print each generated parameter set as text.
$openssl_bin pkeyparam -in $genpkey_dh_param -text -out $genpkey_dh_param.out
check_exit_status $?

$openssl_bin pkeyparam -in $genpkey_dsa_param -text -out $genpkey_dsa_param.out
check_exit_status $?

$openssl_bin pkeyparam -in $genpkey_ec_param -text -out $genpkey_ec_param.out
check_exit_status $?

start_message "pkey"

# Print each generated key as text.
$openssl_bin pkey -in $genpkey_dh -text -out $genpkey_dh.out
check_exit_status $?

$openssl_bin pkey -in $genpkey_dsa -text -out $genpkey_dsa.out
check_exit_status $?

$openssl_bin pkey -in $genpkey_rsa -text -out $genpkey_rsa.out
check_exit_status $?
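
$openssl_bin pkey -in $genpkey_ec -text -out $genpkey_ec.out
check_exit_status $?

start_message "pkeyutl"

# Sign a fixed blob with the genpkey RSA key, verify the signature against
# the data, then recover the data from the signature.
pkeyutldat=$key_dir/pkeyutl.dat
pkeyutlsig=$key_dir/pkeyutl.sig
echo "abcdefghijklmnopqrstuvwxyz1234567890" > $pkeyutldat

$openssl_bin pkeyutl -sign -in $pkeyutldat -inkey $genpkey_rsa -out $pkeyutlsig
check_exit_status $?

$openssl_bin pkeyutl -verify -in $pkeyutldat -sigfile $pkeyutlsig -inkey $genpkey_rsa
check_exit_status $?

$openssl_bin pkeyutl -verifyrecover -in $pkeyutlsig -inkey $genpkey_rsa
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

section_message "setup local CA"

#
# prepare test openssl.cnf
#
# This overwrites the empty $OPENSSL_CONF created at the top of the
# script.  Notable settings:
#  - default_days = 1: every certificate issued by "ca" lives one day.
#  - policy_match: C/ST/O of a CSR must match the CA cert, CN is required.
#  - [ tsa_ext ] / [ ocsp_ext ]: key usages for the TSA and OCSP signer
#    certs; ocsp_ext also pins basicConstraints to CA:FALSE.
#  - "\$dir" is escaped so that openssl, not the shell, expands it.
#

ca_dir=$ssldir/testCA
tsa_dir=$ssldir/testTSA
ocsp_dir=$ssldir/testOCSP
server_dir=$ssldir/server

cat << __EOF__ > $ssldir/openssl.cnf
oid_section = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./$ca_dir
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_days = 1
default_md = default
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name
countryName_default = JP
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name
stateOrProvinceName_default = Tokyo
organizationName = Organization Name
organizationName_default = TEST_DUMMY_COMPANY
commonName = Common Name
[ tsa ]
default_tsa = tsa_config1
[ tsa_config1 ]
dir = ./$tsa_dir
serial = \$dir/serial
crypto_device = builtin
digests = sha1, sha256, sha384, sha512
default_policy = tsa_policy1
other_policies = tsa_policy2, tsa_policy3
[ tsa_ext ]
keyUsage = critical,nonRepudiation
extendedKeyUsage = critical,timeStamping
[ ocsp_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage = OCSPSigning
__EOF__

#---------#---------#---------#---------#---------#---------#---------#---------

#
# setup test CA
#
# Directory layout expected by the [ CA_default ] section above.  The
# private/ directories are made mode 700 so the CA/TSA/OCSP keys are not
# readable by other users on the machine.
#

mkdir -p $ca_dir
mkdir -p $tsa_dir
mkdir -p $ocsp_dir
mkdir -p $server_dir

mkdir -p $ca_dir/certs
mkdir -p $ca_dir/private
mkdir -p $ca_dir/crl
mkdir -p $ca_dir/newcerts
chmod 700 $ca_dir/private
echo "01" > $ca_dir/serial
touch $ca_dir/index.txt
touch $ca_dir/crlnumber
echo "01" > $ca_dir/crlnumber

#
# setup test TSA
#
mkdir -p $tsa_dir/private
chmod 700 $tsa_dir/private
echo "01" > $tsa_dir/serial
touch $tsa_dir/index.txt

#
# setup test OCSP
#
mkdir -p $ocsp_dir/private
chmod 700 $ocsp_dir/private

#---------#---------#---------#---------#---------#---------#---------#---------

# --- CA initiate (generate CA key and cert) ---

start_message "req ... generate CA key and self signed cert"

ca_cert=$ca_dir/ca_cert.pem
ca_key=$ca_dir/private/ca_key.pem
# Throwaway CA passphrase; passed via pass:... on argv below, which is
# visible in ps(1) -- acceptable only for this disposable test CA.
ca_pass=test-ca-pass

# MinGW needs the "//C=...\ST=..." form to stop MSYS path conversion of
# the subject.  Both branches must describe the same DN: the MinGW branch
# previously carried CN=testTSA.test_dummy.com (copy-paste from the TSA
# section), which gave the CA and TSA certs identical subject DNs.
if [ $mingw = 0 ] ; then
        subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testCA.test_dummy.com/'
else
        subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testCA.test_dummy.com\'
fi

# Self-signed root, valid for one day only.
$openssl_bin req -new -x509 -newkey rsa:2048 -out $ca_cert -keyout $ca_key \
        -days 1 -passout pass:$ca_pass -batch -subj $subj
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- TSA initiate (generate TSA key and cert) ---

start_message "req ... generate TSA key and cert"

# generate CSR for TSA

tsa_csr=$tsa_dir/tsa_csr.pem
tsa_key=$tsa_dir/private/tsa_key.pem
tsa_pass=test-tsa-pass

if [ $mingw = 0 ] ; then
        subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testTSA.test_dummy.com/'
else
        subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testTSA.test_dummy.com\'
fi

$openssl_bin req -new -keyout $tsa_key -out $tsa_csr -passout pass:$tsa_pass -subj $subj
check_exit_status $?

start_message "ca ... sign by CA with TSA extensions"

# Issued with the [ tsa_ext ] extensions (critical timeStamping EKU).
tsa_cert=$tsa_dir/tsa_cert.pem

$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
        -in $tsa_csr -out $tsa_cert -extensions tsa_ext
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- OCSP initiate (generate OCSP key and cert) ---

start_message "req ... generate OCSP key and cert"

# generate CSR for OCSP

ocsp_csr=$ocsp_dir/ocsp_csr.pem
ocsp_key=$ocsp_dir/private/ocsp_key.pem

if [ $mingw = 0 ] ; then
        subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testOCSP.test_dummy.com/'
else
        subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testOCSP.test_dummy.com\'
fi

# -nodes: the OCSP signing key is stored unencrypted so the responder can
# be started non-interactively later; it is protected only by the 700
# mode on $ocsp_dir/private.
$openssl_bin req -new -keyout $ocsp_key -nodes -out $ocsp_csr -subj $subj
check_exit_status $?

start_message "ca ... sign by CA with OCSP extensions"

# Issued with the [ ocsp_ext ] extensions (OCSPSigning EKU, CA:FALSE).
ocsp_cert=$ocsp_dir/ocsp_cert.pem

$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
        -in $ocsp_csr -out $ocsp_cert -extensions ocsp_ext
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- server-admin operations (generate server key and csr) ---
section_message "server-admin operations (generate server key and csr)"

start_message "req ... generate server csr#1"

server_key=$server_dir/server_key.pem
server_csr=$server_dir/server_csr.pem
server_pass=test-server-pass

if [ $mingw = 0 ] ; then
        subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=localhost.test_dummy.com/'
else
        subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=localhost.test_dummy.com\'
fi

$openssl_bin req -new -keyout $server_key -out $server_csr -passout pass:$server_pass -subj $subj
check_exit_status $?

start_message "req ... generate server csr#2 (interactive mode)"

# This CSR is later issued via "x509 -req" and then revoked, so it
# exercises the CRL and OCSP "revoked" paths.
revoke_key=$server_dir/revoke_key.pem
revoke_csr=$server_dir/revoke_csr.pem
revoke_pass=test-revoke-pass

# Answers to the interactive DN prompts, in the order defined by
# [ req_distinguished_name ] in the generated openssl.cnf:
# countryName, stateOrProvinceName, organizationName, commonName.
$openssl_bin req -new -keyout $revoke_key -out $revoke_csr -passout pass:$revoke_pass <<__EOF__
JP
Tokyo
TEST_DUMMY_COMPANY
revoke.test_dummy.com
__EOF__
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- CA operations (issue cert for server) ---
section_message "CA operations (issue cert for server)"

start_message "ca ... issue cert for server csr#1"

server_cert=$server_dir/server_cert.pem
$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
        -in $server_csr -out $server_cert
check_exit_status $?

start_message "x509 ... issue cert for server csr#2"

# Issued with "x509 -req" instead of "ca": this path does not go through
# the CA database (index.txt); -CAcreateserial creates the serial file
# next to $ca_cert.
revoke_cert=$server_dir/revoke_cert.pem
$openssl_bin x509 -req -in $revoke_csr -CA $ca_cert -CAkey $ca_key -passin pass:$ca_pass \
        -CAcreateserial -out $revoke_cert
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- CA operations (revoke cert and generate crl) ---
section_message "CA operations (revoke cert and generate crl)"

start_message "ca ... revoke server cert#2"
# Revoke cert#2 and emit a CRL valid for 30 days in one step.
crl_file=$ca_dir/crl.pem
$openssl_bin ca -gencrl -out $crl_file -crldays 30 -revoke $revoke_cert \
        -keyfile $ca_key -passin pass:$ca_pass -cert $ca_cert
check_exit_status $?

start_message "crl ... CA generates CRL"
$openssl_bin crl -in $crl_file -fingerprint
check_exit_status $?

crl_p7=$ca_dir/crl.p7
start_message "crl2pkcs7 ... convert CRL to pkcs7"
# The PKCS#7 bundle (CRL + CA cert) is consumed by the pkcs7 test later.
$openssl_bin crl2pkcs7 -in $crl_file -certfile $ca_cert -out $crl_p7
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- server-admin operations (check csr, verify cert, certhash) ---
section_message "server-admin operations (check csr, verify cert, certhash)"

start_message "asn1parse ... parse server csr#1"
$openssl_bin asn1parse -in $server_csr -i \
        -dlimit 100 -length 1000 -strparse 01 > $server_csr.asn1parse.out
check_exit_status $?

start_message "verify ... server cert#1"
# Chain validation of cert#1 against the test root.
$openssl_bin verify -verbose -CAfile $ca_cert $server_cert
check_exit_status $?

start_message "x509 ... get detail info about server cert#1"
$openssl_bin x509 -in $server_cert -text -C -dates -startdate -enddate \
        -fingerprint -issuer -issuer_hash -issuer_hash_old \
        -subject -subject_hash -subject_hash_old -ocsp_uri -ocspid -modulus \
        -pubkey -serial -email > $server_cert.x509.out
check_exit_status $?

# certhash is an OpenBSD/LibreSSL command, not available on MinGW builds.
if [ $mingw = 0 ] ; then
        start_message "certhash"
        $openssl_bin certhash -v $server_dir
        check_exit_status $?
fi

# self signed
start_message "x509 ... generate self signed server cert"
# Re-sign cert#1 with its own key to produce a self-signed variant.
server_self_cert=$server_dir/server_self_cert.pem
$openssl_bin x509 -in $server_cert -signkey $server_key -passin pass:$server_pass -out $server_self_cert
check_exit_status $?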

#---------#---------#---------#---------#---------#---------#---------#---------

# --- Netscape SPKAC operations ---
section_message "Netscape SPKAC operations"

# server-admin generates SPKAC

start_message "spkac"
spkacfile=$server_dir/spkac.file

# Build a SignedPublicKeyAndChallenge from the genpkey RSA key with a
# fixed challenge string, then verify its self-signature.
$openssl_bin spkac -key $genpkey_rsa -challenge hello -out $spkacfile
check_exit_status $?

$openssl_bin spkac -in $spkacfile -verify -out $spkacfile.out
check_exit_status $?

# "ca -spkac" expects a config-style file: DN fields followed by the
# SPKAC= line produced above.
spkacreq=$server_dir/spkac.req
cat << __EOF__ > $spkacreq
countryName = JP
stateOrProvinceName = Tokyo
organizationName = TEST_DUMMY_COMPANY
commonName = spkac.test_dummy.com
__EOF__
cat $spkacfile >> $spkacreq

# CA signs SPKAC
start_message "ca ... CA signs SPKAC csr"
spkaccert=$server_dir/spkac.cert
$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
        -spkac $spkacreq -out $spkaccert
check_exit_status $?

start_message "x509 ... convert DER format SPKAC cert to PEM"
spkacpem=$server_dir/spkac.pem
$openssl_bin x509 -in $spkaccert -inform DER -out $spkacpem -outform PEM
check_exit_status $?

# server-admin cert verify

start_message "nseq"
# Wrap the PEM cert in a Netscape certificate sequence.
$openssl_bin nseq -in $spkacpem -toseq -out $spkacpem.nseq
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- user1 operations (generate user1 key and csr) ---
section_message "user1 operations (generate user1 key and csr)"

# trust
start_message "x509 ... trust testCA cert"
# Write the CA cert as a "trusted certificate" with an explicit clientAuth
# trust setting and alias.  user1_trust does not appear to be referenced
# again in this file; it only exercises -addtrust/-setalias.
user1_trust=$user1_dir/user1_trust_ca.pem
$openssl_bin x509 -in $ca_cert -addtrust clientAuth -setalias "trusted testCA" -purpose -out $user1_trust
check_exit_status $?

start_message "req ... generate private key and csr for user1"

user1_key=$user1_dir/user1_key.pem
user1_csr=$user1_dir/user1_csr.pem
user1_pass=test-user1-pass

# MinGW needs the "//C=...\ST=..." subject form to avoid MSYS path
# conversion; both branches describe the same DN.
if [ $mingw = 0 ] ; then
        subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user1.test_dummy.com/'
else
        subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user1.test_dummy.com\'
fi

$openssl_bin req -new -keyout $user1_key -out $user1_csr -passout pass:$user1_pass -subj $subj
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- CA operations (issue cert for user1) ---
section_message "CA operations (issue cert for user1)"

start_message "ca ... issue cert for user1"

# user1's cert/key are used for the S/MIME signing test later on.
user1_cert=$user1_dir/user1_cert.pem
$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
        -in $user1_csr -out $user1_cert
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- TSA operations ---
section_message "TSA operations"

tsa_dat=$user1_dir/tsa.dat
cat << __EOF__ > $tsa_dat
Hello Bob,
Sincerely yours
Alice
__EOF__

# Query
start_message "ts ... create time stamp request"

tsa_tsq=$user1_dir/tsa.tsq

# -no_nonce makes the request deterministic but drops the replay
# protection a nonce provides; -sha1 matches the first entry of the
# "digests" list in the generated [ tsa_config1 ] section.
$openssl_bin ts -query -sha1 -data $tsa_dat -no_nonce -out $tsa_tsq
check_exit_status $?

start_message "ts ... print time stamp request"

$openssl_bin ts -query -in $tsa_tsq -text
check_exit_status $?

# Reply
start_message "ts ... create time stamp response for a request"

tsa_tsr=$user1_dir/tsa.tsr

# Sign the response with the TSA cert/key and include the CA cert as chain.
$openssl_bin ts -reply -queryfile $tsa_tsq -inkey $tsa_key -passin pass:$tsa_pass \
        -signer $tsa_cert -chain $ca_cert -out $tsa_tsr
check_exit_status $?

# Verify
start_message "ts ... verify time stamp response"

# The TSA cert is supplied as -untrusted: only $ca_cert is a trust anchor,
# so the TSA's timeStamping EKU and chain are actually validated.
$openssl_bin ts -verify -queryfile $tsa_tsq -in $tsa_tsr -CAfile $ca_cert -untrusted $tsa_cert
check_exit_status $?
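
#---------#---------#---------#---------#---------#---------#---------#---------

# --- S/MIME operations ---
section_message "S/MIME operations"

smime_txt=$user1_dir/smime.txt
smime_msg=$user1_dir/smime.msg
smime_ver=$user1_dir/smime.ver

cat << __EOF__ > $smime_txt
Hello Bob,
Sincerely yours
Alice
__EOF__

# sign
start_message "smime ... sign to message"

# Sign with user1's cert/key (issued by the test CA above).
$openssl_bin smime -sign -in $smime_txt -text -out $smime_msg \
        -signer $user1_cert -inkey $user1_key -passin pass:$user1_pass
check_exit_status $?

# verify
start_message "smime ... verify message"

# Verification is anchored on $ca_cert, so the signer chain is checked,
# not just the signature.
$openssl_bin smime -verify -in $smime_msg -signer $user1_cert -CAfile $ca_cert -out $smime_ver
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- OCSP operations ---
section_message "OCSP operations"

# request
start_message "ocsp ... create OCSP request"

# One request covering both the good server cert#1 and the revoked cert#2.
ocsp_req=$user1_dir/ocsp_req.der
$openssl_bin ocsp -issuer $ca_cert -cert $server_cert -cert $revoke_cert \
        -CAfile $ca_cert -reqout $ocsp_req
check_exit_status $?

# response
start_message "ocsp ... create OCSP response for a request"

# Answer the request offline from the CA database (index.txt), signing
# with the OCSP responder cert/key.  stdout and stderr go to the .out file.
ocsp_res=$user1_dir/ocsp_res.der
$openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert -CAfile $ca_cert \
        -rsigner $ocsp_cert -rkey $ocsp_key -reqin $ocsp_req -respout $ocsp_res -text > $ocsp_res.out 2>&1
check_exit_status $?

# ocsp server
start_message "ocsp ... start OCSP server in background"

ocsp_port=8888

# Start a responder that serves exactly one request (-nrequest 1) and then
# exits on its own.  '*:'$ocsp_port binds every interface, although the
# client below only ever connects to localhost.
$openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert -CAfile $ca_cert \
        -rsigner $ocsp_cert -rkey $ocsp_key -port '*:'$ocsp_port -nrequest 1 &
ocsp_svr_pid=$!
echo "ocsp server pid = [ $ocsp_svr_pid ]"
sleep 1
# "$?" right after "cmd &" only reports that the fork succeeded, so the
# old check there could never fail.  Instead, confirm the responder is
# still alive once it has had a moment to bind its port.  Note that
# check_exit_status only stops s_server, not this responder, on failure.
kill -0 $ocsp_svr_pid 2> /dev/null
check_exit_status $?

# send query to ocsp server
start_message "ocsp ... send OCSP request to server"

ocsp_qry=$user1_dir/ocsp_qry.der
$openssl_bin ocsp -issuer $ca_cert -cert $server_cert -cert $revoke_cert \
        -CAfile $ca_cert -url http://localhost:$ocsp_port -resp_text -respout $ocsp_qry > $ocsp_qry.out 2>&1
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- PKCS operations ---
section_message "PKCS operations"

pkcs_pass=test-pkcs-pass

start_message "pkcs7 ... output certs in crl(pkcs7)"
$openssl_bin pkcs7 -in $crl_p7 -print_certs -text -out $crl_p7.out
check_exit_status $?

start_message "pkcs8 ... convert key to pkcs8"
# pbeWithSHA1AndDES-CBC / des3 are legacy PBE schemes exercised for
# coverage; they are not a recommendation for real key storage.
$openssl_bin pkcs8 -in $user1_key -topk8 -out $user1_key.p8 \
        -passin pass:$user1_pass -passout pass:$user1_pass -v1 pbeWithSHA1AndDES-CBC -v2 des3
check_exit_status $?

start_message "pkcs8 ... convert pkcs8 to key in DER format"
$openssl_bin pkcs8 -in $user1_key.p8 -passin pass:$user1_pass -outform DER -out $user1_key.p8.der
check_exit_status $?

start_message "pkcs12 ... create"
# Bundle server cert#1, its key and the CA chain; both the cert and key
# bags are encrypted with AES-256-CBC under $pkcs_pass.
$openssl_bin pkcs12 -export -in $server_cert -inkey $server_key -passin pass:$server_pass \
        -certfile $ca_cert -CAfile $ca_cert -caname "server_p12" -passout pass:$pkcs_pass \
        -certpbe AES-256-CBC -keypbe AES-256-CBC -chain -out $server_cert.p12
check_exit_status $?

start_message "pkcs12 ... verify"
$openssl_bin pkcs12 -in $server_cert.p12 -passin pass:$pkcs_pass -info -noout
check_exit_status $?

start_message "pkcs12 ... to PEM"
$openssl_bin pkcs12 -in $server_cert.p12 -passin pass:$pkcs_pass \
        -passout pass:$pkcs_pass -out $server_cert.p12.pem
check_exit_status $?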
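
#---------#---------#---------#---------#---------#---------#---------#---------

# --- client/server operations (TLS) ---
section_message "client/server operations (TLS)"

host="localhost"
port=4433
sess_dat=$user1_dir/s_client_sess.dat
s_server_out=$server_dir/s_server_tls.out

start_message "s_server ... start SSL/TLS test server"
# Test server presenting server cert#1 with CRL checking and NPN/ALPN
# advertised; it stays up for the whole section and is stopped by
# stop_s_server (also from check_exit_status on any failure).  -accept
# takes only a port, so the listener is bound on all interfaces even
# though the clients below only use localhost.
$openssl_bin s_server -accept $port -CAfile $ca_cert \
        -cert $server_cert -key $server_key -pass pass:$server_pass \
        -context "appstest.sh" -id_prefix "APPSTEST.SH" -crl_check \
        -nextprotoneg "http/1.1,spdy/3" -alpn "http/1.1,spdy/3" -www \
        -msg -tlsextdebug > $s_server_out 2>&1 &
s_server_pid=$!
echo "s_server pid = [ $s_server_pid ]"
sleep 1
# "$?" right after "cmd &" only reports that the fork succeeded, so the
# old check there could never fail.  Instead, confirm the server is still
# alive once it has had a moment to bind its port.
kill -0 $s_server_pid 2> /dev/null
check_exit_status $?

# For each connection below, s_client's exit status alone is not enough:
# the "Verify return code: 0 (ok)" grep is what asserts that certificate
# verification against $ca_cert actually succeeded.

# protocol = TLSv1

s_client_out=$user1_dir/s_client_tls_1_0.out

start_message "s_client ... connect to SSL/TLS test server by TLSv1"
$openssl_bin s_client -connect $host:$port -CAfile $ca_cert -pause -prexit \
        -tls1 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
check_exit_status $?

grep 'Protocol : TLSv1$' $s_client_out > /dev/null
check_exit_status $?

grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
check_exit_status $?

# protocol = TLSv1.1

s_client_out=$user1_dir/s_client_tls_1_1.out

start_message "s_client ... connect to SSL/TLS test server by TLSv1.1"
$openssl_bin s_client -connect $host:$port -CAfile $ca_cert -pause -prexit \
        -tls1_1 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
check_exit_status $?

grep 'Protocol : TLSv1\.1$' $s_client_out > /dev/null
check_exit_status $?

grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
check_exit_status $?

# protocol = TLSv1.2

s_client_out=$user1_dir/s_client_tls_1_2.out

start_message "s_client ... connect to SSL/TLS test server by TLSv1.2"
$openssl_bin s_client -connect $host:$port -CAfile $ca_cert -pause -prexit \
        -tls1_2 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
check_exit_status $?

grep 'Protocol : TLSv1\.2$' $s_client_out > /dev/null
check_exit_status $?

grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
check_exit_status $?

# all available TLSv1.2 ciphers

# ECDSA suites are excluded because the server key is RSA; anonymous DH
# and NULL suites are excluded as they cannot pass the verify check.
ciphers=`$openssl_bin ciphers TLSv1.2:-ECDSA:-ADH:-NULL | sed 's/:/ /g'`
for c in $ciphers ; do
        s_client_out=$user1_dir/s_client_tls_$c.out

        start_message "s_client ... connect to SSL/TLS test server with $c"
        $openssl_bin s_client -connect $host:$port -CAfile $ca_cert -pause -prexit \
                -cipher $c -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
        check_exit_status $?

        grep "Cipher : $c" $s_client_out > /dev/null
        check_exit_status $?

        grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
        check_exit_status $?
done

# Get session ticket to reuse

s_client_out=$user1_dir/s_client_tls_reuse_1.out

start_message "s_client ... connect to SSL/TLS test server to get session id"
$openssl_bin s_client -connect $host:$port -CAfile $ca_cert -pause -prexit \
        -nextprotoneg "spdy/3,http/1.1" -alpn "spdy/3,http/1.1" \
        -sess_out $sess_dat \
        -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
check_exit_status $?

grep 'New, TLSv1/SSLv3' $s_client_out > /dev/null
check_exit_status $?

grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
check_exit_status $?

# Reuse session ticket

s_client_out=$user1_dir/s_client_tls_reuse_2.out

start_message "s_client ... connect to SSL/TLS test server reusing session id"
$openssl_bin s_client -connect $host:$port -CAfile $ca_cert -pause -prexit \
        -sess_in $sess_dat \
        -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
check_exit_status $?

# "Reused" proves the saved session was accepted rather than renegotiated.
grep 'Reused, TLSv1/SSLv3' $s_client_out > /dev/null
check_exit_status $?

grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
check_exit_status $?

# invalid verification pattern

s_client_out=$user1_dir/s_client_tls_invalid.out

# Negative test: with -crl_check/-issuer_checks/-policy_check enabled the
# client is expected to REJECT the chain with verify error 24.  If this
# grep ever fails because verification passed, that is a regression in
# the stricter checks, not a fixed bug.
start_message "s_client ... connect to SSL/TLS test server but verify error"
$openssl_bin s_client -connect $host:$port -CAfile $ca_cert -pause -prexit \
        -showcerts -crl_check -issuer_checks -policy_check \
        -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
check_exit_status $?

grep 'Verify return code: 24 (invalid CA certificate)' $s_client_out > /dev/null
check_exit_status $?

# s_time
start_message "s_time ... connect to SSL/TLS test server"
$openssl_bin s_time -connect $host:$port -CAfile $ca_cert -time 2
check_exit_status $?

# sess_id
start_message "sess_id"
$openssl_bin sess_id -in $sess_dat -text -out $sess_dat.out
check_exit_status $?

stop_s_server

#---------#---------#---------#---------#---------#---------#---------#---------

# === PERFORMANCE ===
section_message "PERFORMANCE"

# The speed benchmark is skipped in quick mode.
if [ $no_long_tests = 0 ] ; then
        start_message "speed"
        $openssl_bin speed sha512 rsa2048 -multi 2 -elapsed
        check_exit_status $?
else
        # Fixed the "SKIPPNG" typo in the skip message.
        start_message "SKIPPING speed (quick mode)"
fi

#---------#---------#---------#---------#---------#---------#---------#---------

# --- VERSION INFORMATION ---
section_message "VERSION INFORMATION"

start_message "version"
$openssl_bin version -a
check_exit_status $?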

#---------#---------#---------#---------#---------#---------#---------#---------

section_message "END"

# Reaching this point means every check_exit_status above passed; any
# failure has already exited with that command's status.
exit 0
