appstest.sh revision 1.13
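#!/bin/sh
#
# $OpenBSD: appstest.sh,v 1.13 2018/09/08 11:12:27 inoguchi Exp $
#
# Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

#
# appstest.sh - test script for openssl command according to man OPENSSL(1)
#
# usage  : appstest.sh [-q]
#          -q / --quick skips the long-running dhparam and speed tests
# input  : none; $OPENSSL selects the openssl binary (default /usr/bin/openssl)
# output : all files generated by this script go under $ssldir
#
# Every openssl invocation is followed by check_exit_status, so the first
# failure aborts the whole run (after stopping a background s_server).
# The test_* functions share state through global variables: test_key sets
# genpkey_rsa for test_pki, and test_pki sets the CA/TSA/OCSP/server/user1
# key and certificate paths consumed by all later tests, so the call order
# at the bottom of this file matters.  All keys, certificates and "pass:"
# passphrases created here are fixed, throwaway test material.
#

# Print a section banner with a timestamp.
# Arguments: $1 - section title
section_message() {
	echo ""
	echo "#---------#---------#---------#---------#---------#---------#---------#--------"
	echo "==="
	echo "=== (Section) $1 $(date +'%Y/%m/%d %H:%M:%S')"
	echo "==="
}

# Announce a single test step.
# Arguments: $1 - description of the step
start_message() {
	echo ""
	echo "[TEST] $1"
}

# Terminate the background s_server started by test_server_client, if any.
# Globals: s_server_pid (read, then cleared)
stop_s_server() {
	if [ -n "$s_server_pid" ] ; then
		echo ":-| stop s_server [ $s_server_pid ]"
		sleep 1
		kill -TERM "$s_server_pid"
		wait "$s_server_pid"
		s_server_pid=
	fi
}

# Report the outcome of the previous command and abort the run on failure.
# Arguments: $1 - exit status to check (normally "$?")
# Exits with that status, after stopping s_server, when it is non-zero.
check_exit_status() {
	status=$1
	if [ "$status" -ne 0 ] ; then
		stop_s_server
		echo ":-< error occurs, exit status = [ $status ]"
		exit "$status"
	else
		echo ":-) success. "
	fi
}

# Check that a server started with "cmd &" is still running.
# "$?" right after "cmd &" only reports that the fork succeeded, so the
# callers sleep briefly and then probe the pid; kill -0 is expected to
# fail once the shell has reaped a child that already exited.
# Arguments: $1 - pid of the background process
check_process_alive() {
	if kill -0 "$1" 2> /dev/null ; then
		check_exit_status 0
	else
		echo ":-< background process [ $1 ] is not running"
		check_exit_status 1
	fi
}

# Print the command line synopsis.
usage() {
	echo "usage: appstest.sh [-q]"
}

# Exercise the help output, the list-* commands and interactive mode, then
# the listing-style commands (ciphers, errstr, passwd, prime, rand).
# Globals: openssl_bin, user1_dir (read)
test_usage_lists_others() {
	# === COMMAND USAGE ===
	section_message "COMMAND USAGE"

	start_message "output usages of all commands."

	# -help exits non-zero by design, so these calls are not status-checked;
	# the usage text is collected in usages.out for inspection.
	cmds=$($openssl_bin list-standard-commands)
	$openssl_bin -help 2>> $user1_dir/usages.out
	for c in $cmds ; do
		$openssl_bin $c -help 2>> $user1_dir/usages.out
	done

	start_message "check all list-* commands."

	lists=""
	lists="$lists list-standard-commands"
	lists="$lists list-message-digest-commands list-message-digest-algorithms"
	lists="$lists list-cipher-commands list-cipher-algorithms"
	lists="$lists list-public-key-algorithms"

	listsfile=$user1_dir/lists.out

	for l in $lists ; do
		echo "" >> $listsfile
		echo "$l" >> $listsfile
		$openssl_bin $l >> $listsfile
	done

	start_message "check interactive mode"
	$openssl_bin <<__EOF__
help
quit
__EOF__
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------

	# --- listing operations ---
	section_message "listing operations"

	start_message "ciphers"
	$openssl_bin ciphers -V
	check_exit_status $?

	start_message "errstr"
	$openssl_bin errstr 2606A074
	check_exit_status $?
	$openssl_bin errstr -stats 2606A074 > $user1_dir/errstr-stats.out
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------

	# --- random number etc. operations ---
	section_message "random number etc. operations"

	start_message "passwd"

	pass="test-pass-1234"

	echo "$pass" | $openssl_bin passwd -stdin -1
	check_exit_status $?

	echo "$pass" | $openssl_bin passwd -stdin -apr1
	check_exit_status $?

	echo "$pass" | $openssl_bin passwd -stdin -crypt
	check_exit_status $?

	start_message "prime"

	$openssl_bin prime 1
	check_exit_status $?

	$openssl_bin prime 2
	check_exit_status $?

	$openssl_bin prime -bits 64 -checks 3 -generate -hex -safe 5
	check_exit_status $?

	start_message "rand"

	$openssl_bin rand -base64 100
	check_exit_status $?

	$openssl_bin rand -hex 100
	check_exit_status $?
}

# Run every message digest command in plain, HMAC and CMAC mode.
# Globals: openssl_bin, user1_dir (read)
test_md() {
	# === MESSAGE DIGEST COMMANDS ===
	section_message "MESSAGE DIGEST COMMANDS"

	start_message "dgst - See [MESSAGE DIGEST COMMANDS] section."

	text="1234567890abcdefghijklmnopqrstuvwxyz"
	dgstdat=$user1_dir/dgst.dat
	echo "$text" > $dgstdat
	hmac_key="test-hmac-key"
	cmac_key="1234567890abcde1234567890abcde12"

	digests=$($openssl_bin list-message-digest-commands)

	for d in $digests ; do

		printf '%s' "$d ... "
		$openssl_bin dgst -$d -out $dgstdat.$d $dgstdat
		check_exit_status $?

		printf '%s' "$d HMAC ... "
		$openssl_bin dgst -$d -hmac $hmac_key -out $dgstdat.$d.hmac \
		    $dgstdat
		check_exit_status $?

		printf '%s' "$d CMAC ... "
		$openssl_bin dgst -$d -mac cmac -macopt cipher:aes-128-cbc \
		    -macopt hexkey:$cmac_key -out $dgstdat.$d.cmac $dgstdat
		check_exit_status $?
	done
}

# Encrypt, decrypt and compare a sample file with every cipher command.
# Globals: openssl_bin, user1_dir (read)
test_encoding_cipher() {
	# === ENCODING AND CIPHER COMMANDS ===
	section_message "ENCODING AND CIPHER COMMANDS"

	start_message "enc - See [ENCODING AND CIPHER COMMANDS] section."

	text="1234567890abcdefghijklmnopqrstuvwxyz"
	encfile=$user1_dir/encfile.dat
	echo "$text" > $encfile
	pass="test-pass-1234"

	ciphers=$($openssl_bin list-cipher-commands)

	for c in $ciphers ; do
		printf '%s' "$c ... encoding ... "
		$openssl_bin enc -$c -e -base64 -pass pass:$pass \
		    -in $encfile -out $encfile-$c.enc
		check_exit_status $?

		printf '%s' "decoding ... "
		$openssl_bin enc -$c -d -base64 -pass pass:$pass \
		    -in $encfile-$c.enc -out $encfile-$c.dec
		check_exit_status $?

		# round trip must reproduce the plaintext byte for byte
		printf '%s' "cmp ... "
		cmp $encfile $encfile-$c.dec
		check_exit_status $?
	done
}

# Exercise the key and parameter generation commands (DH, DSA, RSA, EC and
# the genpkey/pkeyparam/pkey/pkeyutl family).
# Globals: openssl_bin, key_dir, no_long_tests (read);
#          genpkey_rsa (written, reused by test_pki for the SPKAC test)
test_key() {
	# === various KEY operations ===
	section_message "various KEY operations"

	key_pass=test-key-pass

	# DH

	start_message "gendh - Obsoleted by dhparam."
	gendh2=$key_dir/gendh2.pem
	$openssl_bin gendh -2 -out $gendh2
	check_exit_status $?

	start_message "dh - Obsoleted by dhparam."
	$openssl_bin dh -in $gendh2 -check -text -out $gendh2.out
	check_exit_status $?

	# dhparam generation is slow, hence skipped in quick mode
	if [ $no_long_tests = 0 ] ; then
		start_message "dhparam - Superseded by genpkey and pkeyparam."
		dhparam2=$key_dir/dhparam2.pem
		$openssl_bin dhparam -2 -out $dhparam2
		check_exit_status $?
		$openssl_bin dhparam -in $dhparam2 -check -text \
		    -out $dhparam2.out
		check_exit_status $?
	else
		start_message "SKIPPING dhparam - Superseded by genpkey and pkeyparam. (quick mode)"
	fi

	# DSA

	start_message "dsaparam - Superseded by genpkey and pkeyparam."
	dsaparam512=$key_dir/dsaparam512.pem
	$openssl_bin dsaparam -genkey -out $dsaparam512 512
	check_exit_status $?

	start_message "dsa"
	$openssl_bin dsa -in $dsaparam512 -text -out $dsaparam512.out
	check_exit_status $?

	start_message "gendsa - Superseded by genpkey and pkey."
	gendsa_des3=$key_dir/gendsa_des3.pem
	$openssl_bin gendsa -des3 -out $gendsa_des3 \
	    -passout pass:$key_pass $dsaparam512
	check_exit_status $?

	# RSA

	start_message "genrsa - Superseded by genpkey."
	genrsa_aes256=$key_dir/genrsa_aes256.pem
	$openssl_bin genrsa -f4 -aes256 -out $genrsa_aes256 \
	    -passout pass:$key_pass 2048
	check_exit_status $?

	start_message "rsa"
	$openssl_bin rsa -in $genrsa_aes256 -passin pass:$key_pass \
	    -check -text -out $genrsa_aes256.out
	check_exit_status $?

	start_message "rsautl - Superseded by pkeyutl."
	rsautldat=$key_dir/rsautl.dat
	rsautlsig=$key_dir/rsautl.sig
	echo "abcdefghijklmnopqrstuvwxyz1234567890" > $rsautldat

	$openssl_bin rsautl -sign -in $rsautldat -inkey $genrsa_aes256 \
	    -passin pass:$key_pass -out $rsautlsig
	check_exit_status $?

	$openssl_bin rsautl -verify -in $rsautlsig -inkey $genrsa_aes256 \
	    -passin pass:$key_pass
	check_exit_status $?

	# EC

	start_message "ecparam -list-curves"
	$openssl_bin ecparam -list_curves
	check_exit_status $?

	# get all EC curves (the names before ':' in the -list_curves output)
	ec_curves=$($openssl_bin ecparam -list_curves | grep ':' | cut -d ':' -f 1)

	start_message "ecparam and ec"

	for curve in $ec_curves ; do
		ecparam=$key_dir/ecparam_$curve.pem

		printf '%s' "ec - $curve ... ecparam ... "
		$openssl_bin ecparam -out $ecparam -name $curve -genkey \
		    -param_enc explicit -conv_form compressed -C
		check_exit_status $?

		printf '%s' "ec ... "
		$openssl_bin ec -in $ecparam -text \
		    -out $ecparam.out 2> /dev/null
		check_exit_status $?
	done

	# PKEY

	start_message "genpkey"

	# DH by GENPKEY

	genpkey_dh_param=$key_dir/genpkey_dh_param.pem
	$openssl_bin genpkey -genparam -algorithm DH -out $genpkey_dh_param \
	    -pkeyopt dh_paramgen_prime_len:1024
	check_exit_status $?

	genpkey_dh=$key_dir/genpkey_dh.pem
	$openssl_bin genpkey -paramfile $genpkey_dh_param -out $genpkey_dh
	check_exit_status $?

	# DSA by GENPKEY

	genpkey_dsa_param=$key_dir/genpkey_dsa_param.pem
	$openssl_bin genpkey -genparam -algorithm DSA -out $genpkey_dsa_param \
	    -pkeyopt dsa_paramgen_bits:1024
	check_exit_status $?

	genpkey_dsa=$key_dir/genpkey_dsa.pem
	$openssl_bin genpkey -paramfile $genpkey_dsa_param -out $genpkey_dsa
	check_exit_status $?

	# RSA by GENPKEY

	genpkey_rsa=$key_dir/genpkey_rsa.pem
	$openssl_bin genpkey -algorithm RSA -out $genpkey_rsa \
	    -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3
	check_exit_status $?

	# EC by GENPKEY

	genpkey_ec_param=$key_dir/genpkey_ec_param.pem
	$openssl_bin genpkey -genparam -algorithm EC -out $genpkey_ec_param \
	    -pkeyopt ec_paramgen_curve:secp384r1
	check_exit_status $?

	genpkey_ec=$key_dir/genpkey_ec.pem
	$openssl_bin genpkey -paramfile $genpkey_ec_param -out $genpkey_ec
	check_exit_status $?

	start_message "pkeyparam"

	$openssl_bin pkeyparam -in $genpkey_dh_param -text \
	    -out $genpkey_dh_param.out
	check_exit_status $?

	$openssl_bin pkeyparam -in $genpkey_dsa_param -text \
	    -out $genpkey_dsa_param.out
	check_exit_status $?

	$openssl_bin pkeyparam -in $genpkey_ec_param -text \
	    -out $genpkey_ec_param.out
	check_exit_status $?

	start_message "pkey"

	$openssl_bin pkey -in $genpkey_dh -text -out $genpkey_dh.out
	check_exit_status $?

	$openssl_bin pkey -in $genpkey_dsa -text -out $genpkey_dsa.out
	check_exit_status $?

	$openssl_bin pkey -in $genpkey_rsa -text -out $genpkey_rsa.out
	check_exit_status $?

	$openssl_bin pkey -in $genpkey_ec -text -out $genpkey_ec.out
	check_exit_status $?

	start_message "pkeyutl"

	pkeyutldat=$key_dir/pkeyutl.dat
	pkeyutlsig=$key_dir/pkeyutl.sig
	echo "abcdefghijklmnopqrstuvwxyz1234567890" > $pkeyutldat

	$openssl_bin pkeyutl -sign -in $pkeyutldat -inkey $genpkey_rsa \
	    -out $pkeyutlsig
	check_exit_status $?

	$openssl_bin pkeyutl -verify -in $pkeyutldat -sigfile $pkeyutlsig \
	    -inkey $genpkey_rsa
	check_exit_status $?

	$openssl_bin pkeyutl -verifyrecover -in $pkeyutlsig -inkey $genpkey_rsa
	check_exit_status $?
}

# Build a throwaway CA, TSA and OCSP responder, then issue, verify and
# revoke server and user certificates with them.
# Globals: openssl_bin, ssldir, ca_dir, tsa_dir, ocsp_dir, server_dir,
#          user1_dir, mingw, genpkey_rsa (read);
#          ca_cert, ca_key, ca_pass, tsa_key, tsa_pass, tsa_cert, ocsp_key,
#          ocsp_cert, server_key, server_cert, server_pass, revoke_cert,
#          crl_p7, user1_key, user1_pass, user1_cert (written, consumed by
#          test_tsa, test_smime, test_ocsp, test_pkcs and test_server_client)
test_pki() {
	section_message "setup local CA"

	#
	# prepare test openssl.cnf
	#
	# \$dir stays unexpanded so the config refers to its own "dir" entry;
	# $ca_dir and $tsa_dir are expanded by the shell.

	cat << __EOF__ > $ssldir/openssl.cnf
oid_section = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./$ca_dir
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_days = 1
default_md = default
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name
countryName_default = JP
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name
stateOrProvinceName_default = Tokyo
organizationName = Organization Name
organizationName_default = TEST_DUMMY_COMPANY
commonName = Common Name
[ tsa ]
default_tsa = tsa_config1
[ tsa_config1 ]
dir = ./$tsa_dir
serial = \$dir/serial
crypto_device = builtin
digests = sha1, sha256, sha384, sha512
default_policy = tsa_policy1
other_policies = tsa_policy2, tsa_policy3
[ tsa_ext ]
keyUsage = critical,nonRepudiation
extendedKeyUsage = critical,timeStamping
[ ocsp_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage = OCSPSigning
__EOF__

	#---------#---------#---------#---------#---------#---------#---------

	#
	# setup test CA
	#

	mkdir -p $ca_dir
	mkdir -p $tsa_dir
	mkdir -p $ocsp_dir
	mkdir -p $server_dir

	mkdir -p $ca_dir/certs
	mkdir -p $ca_dir/private
	mkdir -p $ca_dir/crl
	mkdir -p $ca_dir/newcerts
	chmod 700 $ca_dir/private
	echo "01" > $ca_dir/serial
	touch $ca_dir/index.txt
	touch $ca_dir/crlnumber
	echo "01" > $ca_dir/crlnumber

	#
	# setup test TSA
	#
	mkdir -p $tsa_dir/private
	chmod 700 $tsa_dir/private
	echo "01" > $tsa_dir/serial
	touch $tsa_dir/index.txt

	#
	# setup test OCSP
	#
	mkdir -p $ocsp_dir/private
	chmod 700 $ocsp_dir/private

	#---------#---------#---------#---------#---------#---------#---------

	# --- CA initiate (generate CA key and cert) ---

	start_message "req ... generate CA key and self signed cert"

	ca_cert=$ca_dir/ca_cert.pem
	ca_key=$ca_dir/private/ca_key.pem
	ca_pass=test-ca-pass

	# On MinGW the subject uses the leading "//" and backslash spelling,
	# presumably to keep MSYS from rewriting it as a path.  Both spellings
	# must name the CA (testCA); the TSA subject below is a different CN.
	if [ $mingw = 0 ] ; then
		subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testCA.test_dummy.com/'
	else
		subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testCA.test_dummy.com\'
	fi

	$openssl_bin req -new -x509 -newkey rsa:2048 -out $ca_cert \
	    -keyout $ca_key -days 1 -passout pass:$ca_pass -batch \
	    -subj "$subj"
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------

	# --- TSA initiate (generate TSA key and cert) ---

	start_message "req ... generate TSA key and cert"

	# generate CSR for TSA

	tsa_csr=$tsa_dir/tsa_csr.pem
	tsa_key=$tsa_dir/private/tsa_key.pem
	tsa_pass=test-tsa-pass

	if [ $mingw = 0 ] ; then
		subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testTSA.test_dummy.com/'
	else
		subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testTSA.test_dummy.com\'
	fi

	$openssl_bin req -new -keyout $tsa_key -out $tsa_csr \
	    -passout pass:$tsa_pass -subj "$subj"
	check_exit_status $?

	start_message "ca ... sign by CA with TSA extensions"

	tsa_cert=$tsa_dir/tsa_cert.pem

	$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
	    -in $tsa_csr -out $tsa_cert -extensions tsa_ext
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------

	# --- OCSP initiate (generate OCSP key and cert) ---

	start_message "req ... generate OCSP key and cert"

	# generate CSR for OCSP

	ocsp_csr=$ocsp_dir/ocsp_csr.pem
	ocsp_key=$ocsp_dir/private/ocsp_key.pem

	if [ $mingw = 0 ] ; then
		subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testOCSP.test_dummy.com/'
	else
		subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testOCSP.test_dummy.com\'
	fi

	# -nodes leaves the responder key unencrypted, so test_ocsp can pass
	# it with -rkey and no passphrase.
	$openssl_bin req -new -keyout $ocsp_key -nodes -out $ocsp_csr \
	    -subj "$subj"
	check_exit_status $?

	start_message "ca ... sign by CA with OCSP extensions"

	ocsp_cert=$ocsp_dir/ocsp_cert.pem

	$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
	    -in $ocsp_csr -out $ocsp_cert -extensions ocsp_ext
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------

	# --- server-admin operations (generate server key and csr) ---
	section_message "server-admin operations (generate server key and csr)"

	start_message "req ... generate server csr#1"

	server_key=$server_dir/server_key.pem
	server_csr=$server_dir/server_csr.pem
	server_pass=test-server-pass

	if [ $mingw = 0 ] ; then
		subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=localhost.test_dummy.com/'
	else
		subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=localhost.test_dummy.com\'
	fi

	$openssl_bin req -new -keyout $server_key -out $server_csr \
	    -passout pass:$server_pass -subj "$subj"
	check_exit_status $?

	start_message "req ... generate server csr#2 (interactive mode)"

	revoke_key=$server_dir/revoke_key.pem
	revoke_csr=$server_dir/revoke_csr.pem
	revoke_pass=test-revoke-pass

	# the here-document answers the req_distinguished_name prompts in order
	$openssl_bin req -new -keyout $revoke_key -out $revoke_csr \
	    -passout pass:$revoke_pass <<__EOF__
JP
Tokyo
TEST_DUMMY_COMPANY
revoke.test_dummy.com
__EOF__
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------

	# --- CA operations (issue cert for server) ---
	section_message "CA operations (issue cert for server)"

	start_message "ca ... issue cert for server csr#1"

	server_cert=$server_dir/server_cert.pem
	$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
	    -in $server_csr -out $server_cert
	check_exit_status $?

	start_message "x509 ... issue cert for server csr#2"

	revoke_cert=$server_dir/revoke_cert.pem
	$openssl_bin x509 -req -in $revoke_csr -CA $ca_cert -CAkey $ca_key \
	    -passin pass:$ca_pass -CAcreateserial -out $revoke_cert
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------

	# --- CA operations (revoke cert and generate crl) ---
	section_message "CA operations (revoke cert and generate crl)"

	start_message "ca ... revoke server cert#2"
	crl_file=$ca_dir/crl.pem
	$openssl_bin ca -gencrl -out $crl_file -crldays 30 \
	    -revoke $revoke_cert \
	    -keyfile $ca_key -passin pass:$ca_pass -cert $ca_cert
	check_exit_status $?

	start_message "crl ... CA generates CRL"
	$openssl_bin crl -in $crl_file -fingerprint
	check_exit_status $?

	crl_p7=$ca_dir/crl.p7
	start_message "crl2pkcs7 ... convert CRL to pkcs7"
	$openssl_bin crl2pkcs7 -in $crl_file -certfile $ca_cert -out $crl_p7
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------

	# --- server-admin operations (check csr, verify cert, certhash) ---
	section_message "server-admin operations (check csr, verify cert, certhash)"

	start_message "asn1parse ... parse server csr#1"
	$openssl_bin asn1parse -in $server_csr -i -dlimit 100 -length 1000 \
	    -strparse 01 > $server_csr.asn1parse.out
	check_exit_status $?

	start_message "verify ... server cert#1"
	$openssl_bin verify -verbose -CAfile $ca_cert $server_cert
	check_exit_status $?

	start_message "x509 ... get detail info about server cert#1"
	$openssl_bin x509 -in $server_cert -text -C -dates -startdate -enddate \
	    -fingerprint -issuer -issuer_hash -issuer_hash_old \
	    -subject -subject_hash -subject_hash_old -ocsp_uri \
	    -ocspid -modulus -pubkey -serial -email > $server_cert.x509.out
	check_exit_status $?

	# certhash is not exercised on MinGW
	if [ $mingw = 0 ] ; then
		start_message "certhash"
		$openssl_bin certhash -v $server_dir
		check_exit_status $?
	fi

	# self signed
	start_message "x509 ... generate self signed server cert"
	server_self_cert=$server_dir/server_self_cert.pem
	$openssl_bin x509 -in $server_cert -signkey $server_key \
	    -passin pass:$server_pass -out $server_self_cert
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------

	# --- Netscape SPKAC operations ---
	section_message "Netscape SPKAC operations"

	# server-admin generates SPKAC (signed with the RSA key from test_key)

	start_message "spkac"
	spkacfile=$server_dir/spkac.file

	$openssl_bin spkac -key $genpkey_rsa -challenge hello -out $spkacfile
	check_exit_status $?

	$openssl_bin spkac -in $spkacfile -verify -out $spkacfile.out
	check_exit_status $?

	spkacreq=$server_dir/spkac.req
	cat << __EOF__ > $spkacreq
countryName = JP
stateOrProvinceName = Tokyo
organizationName = TEST_DUMMY_COMPANY
commonName = spkac.test_dummy.com
__EOF__
	cat $spkacfile >> $spkacreq

	# CA signs SPKAC
	start_message "ca ... CA signs SPKAC csr"
	spkaccert=$server_dir/spkac.cert
	$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
	    -spkac $spkacreq -out $spkaccert
	check_exit_status $?

	start_message "x509 ... convert DER format SPKAC cert to PEM"
	spkacpem=$server_dir/spkac.pem
	$openssl_bin x509 -in $spkaccert -inform DER -out $spkacpem -outform PEM
	check_exit_status $?

	# server-admin cert verify

	start_message "nseq"
	$openssl_bin nseq -in $spkacpem -toseq -out $spkacpem.nseq
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------

	# --- user1 operations (generate user1 key and csr) ---
	section_message "user1 operations (generate user1 key and csr)"

	# trust
	start_message "x509 ... trust testCA cert"
	user1_trust=$user1_dir/user1_trust_ca.pem
	$openssl_bin x509 -in $ca_cert -addtrust clientAuth \
	    -setalias "trusted testCA" -purpose -out $user1_trust
	check_exit_status $?

	start_message "req ... generate private key and csr for user1"

	user1_key=$user1_dir/user1_key.pem
	user1_csr=$user1_dir/user1_csr.pem
	user1_pass=test-user1-pass

	if [ $mingw = 0 ] ; then
		subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user1.test_dummy.com/'
	else
		subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user1.test_dummy.com\'
	fi

	$openssl_bin req -new -keyout $user1_key -out $user1_csr \
	    -passout pass:$user1_pass -subj "$subj"
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------

	# --- CA operations (issue cert for user1) ---
	section_message "CA operations (issue cert for user1)"

	start_message "ca ... issue cert for user1"

	user1_cert=$user1_dir/user1_cert.pem
	$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
	    -in $user1_csr -out $user1_cert
	check_exit_status $?
}

# Create, answer and verify a time stamp request with the test TSA.
# Globals: openssl_bin, user1_dir, tsa_key, tsa_pass, tsa_cert, ca_cert (read)
test_tsa() {
	# --- TSA operations ---
	section_message "TSA operations"

	tsa_dat=$user1_dir/tsa.dat
	cat << __EOF__ > $tsa_dat
Hello Bob,
Sincerely yours
Alice
__EOF__

	# Query
	start_message "ts ... create time stamp request"

	tsa_tsq=$user1_dir/tsa.tsq

	$openssl_bin ts -query -sha1 -data $tsa_dat -no_nonce -out $tsa_tsq
	check_exit_status $?

	start_message "ts ... print time stamp request"

	$openssl_bin ts -query -in $tsa_tsq -text
	check_exit_status $?

	# Reply
	start_message "ts ... create time stamp response for a request"

	tsa_tsr=$user1_dir/tsa.tsr

	$openssl_bin ts -reply -queryfile $tsa_tsq -inkey $tsa_key \
	    -passin pass:$tsa_pass -signer $tsa_cert -chain $ca_cert \
	    -out $tsa_tsr
	check_exit_status $?

	# Verify
	start_message "ts ... verify time stamp response"

	$openssl_bin ts -verify -queryfile $tsa_tsq -in $tsa_tsr \
	    -CAfile $ca_cert -untrusted $tsa_cert
	check_exit_status $?
}

# Sign a message with the user1 certificate and verify it against the CA.
# Globals: openssl_bin, user1_dir, user1_cert, user1_key, user1_pass,
#          ca_cert (read)
test_smime() {
	# --- S/MIME operations ---
	section_message "S/MIME operations"

	smime_txt=$user1_dir/smime.txt
	smime_msg=$user1_dir/smime.msg
	smime_ver=$user1_dir/smime.ver

	cat << __EOF__ > $smime_txt
Hello Bob,
Sincerely yours
Alice
__EOF__

	# sign
	start_message "smime ... sign to message"

	$openssl_bin smime -sign -in $smime_txt -text -out $smime_msg \
	    -signer $user1_cert -inkey $user1_key -passin pass:$user1_pass
	check_exit_status $?

	# verify
	start_message "smime ... verify message"

	$openssl_bin smime -verify -in $smime_msg -signer $user1_cert \
	    -CAfile $ca_cert -out $smime_ver
	check_exit_status $?
}

# Build an OCSP request for the issued and revoked server certs, answer it
# offline, then answer it once more through a short-lived OCSP responder.
# Globals: openssl_bin, user1_dir, ca_dir, ca_cert, server_cert,
#          revoke_cert, ocsp_cert, ocsp_key (read)
test_ocsp() {
	# --- OCSP operations ---
	section_message "OCSP operations"

	# request
	start_message "ocsp ... create OCSP request"

	ocsp_req=$user1_dir/ocsp_req.der
	$openssl_bin ocsp -issuer $ca_cert -cert $server_cert \
	    -cert $revoke_cert -CAfile $ca_cert -reqout $ocsp_req
	check_exit_status $?

	# response
	start_message "ocsp ... create OCSP response for a request"

	ocsp_res=$user1_dir/ocsp_res.der
	$openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert \
	    -CAfile $ca_cert -rsigner $ocsp_cert -rkey $ocsp_key \
	    -reqin $ocsp_req -respout $ocsp_res -text > $ocsp_res.out 2>&1
	check_exit_status $?

	# ocsp server
	start_message "ocsp ... start OCSP server in background"

	ocsp_port=8888

	# "*:port" listens on every interface; -nrequest 1 makes the responder
	# exit by itself after serving the single query sent below.
	$openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert \
	    -CAfile $ca_cert -rsigner $ocsp_cert -rkey $ocsp_key \
	    -port "*:$ocsp_port" -nrequest 1 &
	ocsp_svr_pid=$!
	echo "ocsp server pid = [ $ocsp_svr_pid ]"
	sleep 1
	check_process_alive "$ocsp_svr_pid"

	# send query to ocsp server
	start_message "ocsp ... send OCSP request to server"

	ocsp_qry=$user1_dir/ocsp_qry.der
	$openssl_bin ocsp -issuer $ca_cert -cert $server_cert \
	    -cert $revoke_cert -CAfile $ca_cert \
	    -url http://localhost:$ocsp_port -resp_text \
	    -respout $ocsp_qry > $ocsp_qry.out 2>&1
	check_exit_status $?
}

# Exercise the pkcs7, pkcs8 and pkcs12 conversions on the material
# produced by test_pki.
# Globals: openssl_bin, crl_p7, user1_key, user1_pass, server_cert,
#          server_key, server_pass, ca_cert (read)
test_pkcs() {
	# --- PKCS operations ---
	section_message "PKCS operations"

	pkcs_pass=test-pkcs-pass

	start_message "pkcs7 ... output certs in crl(pkcs7)"
	$openssl_bin pkcs7 -in $crl_p7 -print_certs -text -out $crl_p7.out
	check_exit_status $?

	start_message "pkcs8 ... convert key to pkcs8"
	$openssl_bin pkcs8 -in $user1_key -topk8 -out $user1_key.p8 \
	    -passin pass:$user1_pass -passout pass:$user1_pass \
	    -v1 pbeWithSHA1AndDES-CBC -v2 des3
	check_exit_status $?

	start_message "pkcs8 ... convert pkcs8 to key in DER format"
	$openssl_bin pkcs8 -in $user1_key.p8 -passin pass:$user1_pass \
	    -outform DER -out $user1_key.p8.der
	check_exit_status $?

	start_message "pkcs12 ... create"
	$openssl_bin pkcs12 -export -in $server_cert -inkey $server_key \
	    -passin pass:$server_pass -certfile $ca_cert -CAfile $ca_cert \
	    -caname "server_p12" -passout pass:$pkcs_pass \
	    -certpbe AES-256-CBC -keypbe AES-256-CBC -chain \
	    -out $server_cert.p12
	check_exit_status $?

	start_message "pkcs12 ... verify"
	$openssl_bin pkcs12 -in $server_cert.p12 -passin pass:$pkcs_pass -info \
	    -noout
	check_exit_status $?

	start_message "pkcs12 ... to PEM"
	$openssl_bin pkcs12 -in $server_cert.p12 -passin pass:$pkcs_pass \
	    -passout pass:$pkcs_pass -out $server_cert.p12.pem
	check_exit_status $?
}

# Start s_server with the test server cert and drive it with s_client:
# each protocol version, every cipher suite, session reuse, a deliberate
# verification failure, then s_time and sess_id.  Stops the server at the
# end (check_exit_status also stops it on any failure).
# Globals: openssl_bin, user1_dir, server_dir, ca_cert, server_cert,
#          server_key, server_pass (read); s_server_pid (written)
test_server_client() {
	# --- client/server operations (TLS) ---
	section_message "client/server operations (TLS)"

	host="localhost"
	port=4433
	sess_dat=$user1_dir/s_client_sess.dat
	s_server_out=$server_dir/s_server_tls.out

	start_message "s_server ... start SSL/TLS test server"
	# -accept is given without a bind address, so the test server (and the
	# throwaway server key behind it) is reachable on every interface for
	# the duration of the run.
	$openssl_bin s_server -accept $port -CAfile $ca_cert \
	    -cert $server_cert -key $server_key -pass pass:$server_pass \
	    -context "appstest.sh" -id_prefix "APPSTEST.SH" -crl_check \
	    -nextprotoneg "http/1.1,spdy/3" -alpn "http/1.1,spdy/3" -www \
	    -cipher ALL \
	    -msg -tlsextdebug > $s_server_out 2>&1 &
	s_server_pid=$!
	echo "s_server pid = [ $s_server_pid ]"
	sleep 1
	check_process_alive "$s_server_pid"

	# protocol = TLSv1

	s_client_out=$user1_dir/s_client_tls_1_0.out

	start_message "s_client ... connect to SSL/TLS test server by TLSv1"
	$openssl_bin s_client -connect $host:$port -CAfile $ca_cert \
	    -pause -prexit \
	    -tls1 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
	check_exit_status $?

	grep 'Protocol : TLSv1$' $s_client_out > /dev/null
	check_exit_status $?

	grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
	check_exit_status $?

	# protocol = TLSv1.1

	s_client_out=$user1_dir/s_client_tls_1_1.out

	start_message "s_client ... connect to SSL/TLS test server by TLSv1.1"
	$openssl_bin s_client -connect $host:$port -CAfile $ca_cert \
	    -pause -prexit \
	    -tls1_1 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
	check_exit_status $?

	grep 'Protocol : TLSv1\.1$' $s_client_out > /dev/null
	check_exit_status $?

	grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
	check_exit_status $?

	# protocol = TLSv1.2

	s_client_out=$user1_dir/s_client_tls_1_2.out

	start_message "s_client ... connect to SSL/TLS test server by TLSv1.2"
	$openssl_bin s_client -connect $host:$port -CAfile $ca_cert \
	    -pause -prexit \
	    -tls1_2 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
	check_exit_status $?

	grep 'Protocol : TLSv1\.2$' $s_client_out > /dev/null
	check_exit_status $?

	grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
	check_exit_status $?

	# all available ciphers with random order
	# (ECDSA and kGOST suites are excluded; the server only has an RSA
	# certificate, so they could not be negotiated anyway)

	ciphers=$($openssl_bin ciphers -v ALL:!ECDSA:!kGOST | awk '{print $1}' | sort -R)
	cnum=0
	for c in $ciphers ; do
		cnum=$((cnum + 1))
		cnstr=$(printf %03d $cnum)
		s_client_out=$user1_dir/s_client_tls_${cnstr}_${c}.out

		start_message "s_client ... connect to SSL/TLS test server with [ $cnstr ] $c"
		$openssl_bin s_client -connect $host:$port -CAfile $ca_cert \
		    -pause -prexit -cipher $c \
		    -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
		check_exit_status $?

		# the negotiated suite must be the one requested
		grep "Cipher : $c" $s_client_out > /dev/null
		check_exit_status $?

		grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
		check_exit_status $?
	done

	# Get session ticket to reuse

	s_client_out=$user1_dir/s_client_tls_reuse_1.out

	start_message "s_client ... connect to SSL/TLS test server to get session id"
	$openssl_bin s_client -connect $host:$port -CAfile $ca_cert \
	    -pause -prexit \
	    -nextprotoneg "spdy/3,http/1.1" -alpn "spdy/3,http/1.1" \
	    -sess_out $sess_dat \
	    -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
	check_exit_status $?

	grep 'New, TLSv1/SSLv3' $s_client_out > /dev/null
	check_exit_status $?

	grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
	check_exit_status $?

	# Reuse session ticket

	s_client_out=$user1_dir/s_client_tls_reuse_2.out

	start_message "s_client ... connect to SSL/TLS test server reusing session id"
	$openssl_bin s_client -connect $host:$port -CAfile $ca_cert \
	    -pause -prexit -sess_in $sess_dat \
	    -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
	check_exit_status $?

	grep 'Reused, TLSv1/SSLv3' $s_client_out > /dev/null
	check_exit_status $?

	grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
	check_exit_status $?

	# invalid verification pattern

	s_client_out=$user1_dir/s_client_tls_invalid.out

	start_message "s_client ... connect to SSL/TLS test server but verify error"
	$openssl_bin s_client -connect $host:$port -CAfile $ca_cert \
	    -pause -prexit \
	    -showcerts -crl_check -issuer_checks -policy_check \
	    -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
	check_exit_status $?

	# s_client itself is still expected to exit 0 here; the negative case
	# is asserted on the verify result it prints.
	grep 'Verify return code: 24 (invalid CA certificate)' $s_client_out \
	    > /dev/null
	check_exit_status $?

	# s_time
	start_message "s_time ... connect to SSL/TLS test server"
	$openssl_bin s_time -connect $host:$port -CAfile $ca_cert -time 2
	check_exit_status $?

	# sess_id
	start_message "sess_id"
	$openssl_bin sess_id -in $sess_dat -text -out $sess_dat.out
	check_exit_status $?

	stop_s_server
}

# Run the speed benchmark unless quick mode is requested.
# Globals: openssl_bin, no_long_tests (read)
test_speed() {
	# === PERFORMANCE ===
	section_message "PERFORMANCE"

	if [ $no_long_tests = 0 ] ; then
		start_message "speed"
		$openssl_bin speed sha512 rsa2048 -multi 2 -elapsed
		check_exit_status $?
	else
		start_message "SKIPPING speed (quick mode)"
	fi
}

# Print the version information of the binary under test.
# Globals: openssl_bin (read)
test_version() {
	# --- VERSION INFORMATION ---
	section_message "VERSION INFORMATION"

	start_message "version"
	$openssl_bin version -a
	check_exit_status $?
}

#---------#---------#---------#---------#---------#---------#---------#---------

openssl_bin=${OPENSSL:-/usr/bin/openssl}

# Fail early with a clear message instead of on the first test step.
if ! command -v "$openssl_bin" > /dev/null 2>&1 ; then
	echo "openssl command [ $openssl_bin ] not found" >&2
	exit 1
fi

no_long_tests=0

while [ "$1" != "" ]; do
	case $1 in
	-q | --quick ) shift
		no_long_tests=1
		;;
	* ) usage
		exit 1
		;;
	esac
done

#
# create ssldir, and all files generated by this script goes under this dir.
#
ssldir="appstest_dir"

if [ -d $ssldir ] ; then
	echo "directory [ $ssldir ] exists, this script deletes this directory ..."
	# ${ssldir:?} makes the removal abort rather than run on an empty path
	/bin/rm -rf -- "${ssldir:?}"
fi

mkdir -p $ssldir

ca_dir=$ssldir/testCA
tsa_dir=$ssldir/testTSA
ocsp_dir=$ssldir/testOCSP
server_dir=$ssldir/server
user1_dir=$ssldir/user1
mkdir -p $user1_dir
key_dir=$ssldir/key
mkdir -p $key_dir

# Point every openssl invocation at a config file under $ssldir.  It starts
# out empty (so the tests before test_pki do not pick up a system config)
# and test_pki overwrites it with the CA/TSA/OCSP configuration.
export OPENSSL_CONF=$ssldir/openssl.cnf
touch $OPENSSL_CONF

uname_s=$(uname -s | grep 'MINGW')
if [ "$uname_s" = "" ] ; then
	mingw=0
else
	mingw=1
fi

#
# process tests
#
# Order matters: later tests consume variables set by test_key and test_pki.
test_usage_lists_others
test_md
test_encoding_cipher
test_key
test_pki
test_tsa
test_smime
test_ocsp
test_pkcs
test_server_client
test_speed
test_version

section_message "END"

exit 0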