#!/bin/sh
#
# $OpenBSD: appstest.sh,v 1.24 2019/10/31 15:53:08 inoguchi Exp $
#
# Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

#
# appstest.sh - test script for openssl command according to man OPENSSL(1)
#
# input : none
# output : all files generated by this script go under $ssldir
#
# Notes for readers of this part of the file:
# - The functions below read $openssl_bin, $other_openssl_bin, $ssldir,
#   $user1_dir, $key_dir, $ca_dir, $tsa_dir, $ocsp_dir, $server_dir,
#   $no_long_tests and $mingw. None of them is assigned here, so they are
#   expected to be set by driver code outside this listing.
# - The test functions share state through plain globals ($ca_cert,
#   $tsa_key, $genpkey_rsa, $crl_p7, $server_cert, ...) and therefore
#   depend on run order: test_pki needs test_key (for $genpkey_rsa), and
#   test_tsa, test_smime, test_ocsp, test_pkcs and test_server_client all
#   need test_pki.
# - Every private key is protected with a fixed test password handed to
#   openssl as "pass:..." on the command line. That is acceptable for
#   throwaway fixtures under $ssldir; it is not a pattern for real keys,
#   since argv is visible to other users via ps(1).
# - "function name {" and "echo -n" are ksh/bash extensions rather than
#   POSIX sh. OpenBSD's /bin/sh is ksh-based, so they work there; a strict
#   POSIX shell may not accept them.
#

# Print a banner for a new test section, with a timestamp.
# $1 - section title
function section_message {
	echo ""
	echo "#---------#---------#---------#---------#---------#---------#---------#--------"
	echo "==="
	echo "=== (Section) $1 `date +'%Y/%m/%d %H:%M:%S'`"
	echo "==="
}

# Print the title of an individual test step.
# $1 - step description
function start_message {
	echo ""
	echo "[TEST] $1"
}

# Stop the background s_server started by test_server_client, if any.
# Sends TERM (not KILL) so the server can exit cleanly, then reaps it with
# wait so no zombie is left, and clears $s_server_pid so a second call is
# a no-op. Reads/writes the global $s_server_pid.
function stop_s_server {
	if [ ! -z "$s_server_pid" ] ; then
		echo ":-| stop s_server [ $s_server_pid ]"
		sleep 1
		kill -TERM $s_server_pid
		wait $s_server_pid
		s_server_pid=
	fi
}

# Abort the whole run on the first failing step.
# $1 - exit status of the command just executed (callers pass $?)
# On non-zero status the background s_server is stopped first so that no
# listener is left behind on the fixed test port, then the script exits
# with that same status. On zero it only prints a success marker.
function check_exit_status {
	status=$1
	if [ $status -ne 0 ] ; then
		stop_s_server
		echo ":-< error occurs, exit status = [ $status ]"
		exit $status
	else
		echo ":-) success. "
	fi
}

# Print command line usage (option handling itself is outside this listing).
function usage {
	echo "usage: appstest.sh [-iq]"
}

# Exercise the help output, the list-* commands, interactive mode and the
# small informational commands (ciphers, errstr, passwd, prime, rand).
# Writes usages.out, lists.out and errstr-stats.out under $user1_dir.
function test_usage_lists_others {
	# === COMMAND USAGE ===
	section_message "COMMAND USAGE"

	start_message "output usages of all commands."

	# Word-splitting of $cmds is intended: one sub-command name per word.
	# "-help" output goes to stderr, hence the 2>> redirection.
	cmds=`$openssl_bin list-standard-commands`
	$openssl_bin -help 2>> $user1_dir/usages.out
	for c in $cmds ; do
		$openssl_bin $c -help 2>> $user1_dir/usages.out
	done

	start_message "check all list-* commands."

	lists=""
	lists="$lists list-standard-commands"
	lists="$lists list-message-digest-commands list-message-digest-algorithms"
	lists="$lists list-cipher-commands list-cipher-algorithms"
	lists="$lists list-public-key-algorithms"

	listsfile=$user1_dir/lists.out

	for l in $lists ; do
		echo "" >> $listsfile
		echo "$l" >> $listsfile
		$openssl_bin $l >> $listsfile
	done

	# Interactive mode: commands are fed on stdin through a here-document.
	start_message "check interactive mode"
	$openssl_bin <<__EOF__
help
quit
__EOF__
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------

	# --- listing operations ---
	section_message "listing operations"

	start_message "ciphers"
	$openssl_bin ciphers -V
	check_exit_status $?

	# 2606A074 is just a sample error code used to exercise errstr.
	start_message "errstr"
	$openssl_bin errstr 2606A074
	check_exit_status $?
	$openssl_bin errstr -stats 2606A074 > $user1_dir/errstr-stats.out
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------

	# --- random number etc. operations ---
	section_message "random number etc. operations"

	start_message "passwd"

	pass="test-pass-1234"

	# The password is piped on stdin (-stdin) rather than placed in argv.
	# $? after the pipeline is the status of the passwd command.
	echo $pass | $openssl_bin passwd -stdin -1
	check_exit_status $?

	echo $pass | $openssl_bin passwd -stdin -apr1
	check_exit_status $?

	echo $pass | $openssl_bin passwd -stdin -crypt
	check_exit_status $?

	start_message "prime"

	$openssl_bin prime 1
	check_exit_status $?

	$openssl_bin prime 2
	check_exit_status $?

	$openssl_bin prime -bits 64 -checks 3 -generate -hex -safe 5
	check_exit_status $?

	start_message "rand"

	$openssl_bin rand -base64 100
	check_exit_status $?

	$openssl_bin rand -hex 100
	check_exit_status $?
}

# Exercise dgst for every digest listed by list-message-digest-commands:
# plain hash, HMAC, CMAC, and RSA-PSS sign/verify/prverify with a freshly
# generated key. Output files are written next to $user1_dir/dgst.dat.
function test_md {
	# === MESSAGE DIGEST COMMANDS ===
	section_message "MESSAGE DIGEST COMMANDS"

	start_message "dgst - See [MESSAGE DIGEST COMMANDS] section."

	text="1234567890abcdefghijklmnopqrstuvwxyz"
	dgstdat=$user1_dir/dgst.dat
	echo $text > $dgstdat
	hmac_key="test-hmac-key"
	# 32 hex digits = 16 bytes, matching the aes-128-cbc CMAC cipher below.
	cmac_key="1234567890abcde1234567890abcde12"
	dgstkey=$user1_dir/dgstkey.pem
	dgstpass=test-dgst-pass
	dgstpub=$user1_dir/dgstpub.pem
	dgstsig=$user1_dir/dgst.sig

	$openssl_bin genrsa -aes256 -passout pass:$dgstpass -out $dgstkey
	check_exit_status $?

	$openssl_bin pkey -in $dgstkey -passin pass:$dgstpass -pubout \
		-out $dgstpub
	check_exit_status $?

	digests=`$openssl_bin list-message-digest-commands`

	for d in $digests ; do

		echo -n "$d ... "
		$openssl_bin dgst -$d -hex -out $dgstdat.$d $dgstdat
		check_exit_status $?

		echo -n "$d HMAC ... "
		$openssl_bin dgst -$d -c -hmac $hmac_key -out $dgstdat.$d.hmac \
			$dgstdat
		check_exit_status $?

		echo -n "$d CMAC ... "
		$openssl_bin dgst -$d -r -mac cmac -macopt cipher:aes-128-cbc \
			-macopt hexkey:$cmac_key -out $dgstdat.$d.cmac $dgstdat
		check_exit_status $?

		# NOTE: the sign/verify/prverify calls below do not pass -$d,
		# so every iteration signs with dgst's default digest; only the
		# output file name varies with $d.
		echo -n "$d sign ... "
		$openssl_bin dgst -sign $dgstkey -keyform pem \
			-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \
			-passin pass:$dgstpass -binary -out $dgstsig.$d $dgstdat
		check_exit_status $?

		echo -n "$d verify ... "
		$openssl_bin dgst -verify $dgstpub \
			-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \
			-signature $dgstsig.$d $dgstdat
		check_exit_status $?

		echo -n "$d prverify ... "
		$openssl_bin dgst -prverify $dgstkey -passin pass:$dgstpass \
			-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \
			-signature $dgstsig.$d $dgstdat
		check_exit_status $?
	done
}

# Round-trip a small file through enc for every cipher listed by
# list-cipher-commands (encrypt+base64, decrypt, cmp against the original).
function test_encoding_cipher {
	# === ENCODING AND CIPHER COMMANDS ===
	section_message "ENCODING AND CIPHER COMMANDS"

	start_message "enc - See [ENCODING AND CIPHER COMMANDS] section."

	text="1234567890abcdefghijklmnopqrstuvwxyz"
	encfile=$user1_dir/encfile.dat
	echo $text > $encfile
	pass="test-pass-1234"

	ciphers=`$openssl_bin list-cipher-commands`

	for c in $ciphers ; do
		echo -n "$c ... encoding ... "
		$openssl_bin enc -$c -e -base64 -pass pass:$pass \
			-in $encfile -out $encfile-$c.enc
		check_exit_status $?

		echo -n "decoding ... "
		$openssl_bin enc -$c -d -base64 -pass pass:$pass \
			-in $encfile-$c.enc -out $encfile-$c.dec
		check_exit_status $?

		# cmp is the actual correctness check of the round trip.
		echo -n "cmp ... "
		cmp $encfile $encfile-$c.dec
		check_exit_status $?
	done
}

# Exercise key/parameter generation and the key utilities: gendh/dh,
# dhparam (skipped in quick mode), dsaparam/dsa/gendsa, genrsa/rsa/rsautl,
# ecparam/ec over every listed curve, genpkey/pkeyparam/pkey, and pkeyutl
# sign/verify/encrypt/decrypt/derive. Everything goes under $key_dir.
# Sets globals reused later (test_pki uses $genpkey_rsa).
function test_key {
	# === various KEY operations ===
	section_message "various KEY operations"

	key_pass=test-key-pass

	# DH

	start_message "gendh - Obsoleted by dhparam."
	gendh2=$key_dir/gendh2.pem
	$openssl_bin gendh -2 -out $gendh2
	check_exit_status $?

	start_message "dh - Obsoleted by dhparam."
	$openssl_bin dh -in $gendh2 -check -text -out $gendh2.out
	check_exit_status $?

	# dhparam generation is slow, so it is gated on $no_long_tests.
	if [ $no_long_tests = 0 ] ; then
		start_message "dhparam - Superseded by genpkey and pkeyparam."
		dhparam2=$key_dir/dhparam2.pem
		$openssl_bin dhparam -2 -out $dhparam2
		check_exit_status $?
		$openssl_bin dhparam -in $dhparam2 -check -text \
			-out $dhparam2.out
		check_exit_status $?
	else
		start_message "SKIPPING dhparam - Superseded by genpkey and pkeyparam. (quick mode)"
	fi

	# DSA

	start_message "dsaparam - Superseded by genpkey and pkeyparam."
	dsaparam512=$key_dir/dsaparam512.pem
	$openssl_bin dsaparam -genkey -out $dsaparam512 512
	check_exit_status $?

	start_message "dsa"
	$openssl_bin dsa -in $dsaparam512 -text -modulus -out $dsaparam512.out
	check_exit_status $?

	start_message "gendsa - Superseded by genpkey and pkey."
	gendsa_des3=$key_dir/gendsa_des3.pem
	$openssl_bin gendsa -des3 -out $gendsa_des3 \
		-passout pass:$key_pass $dsaparam512
	check_exit_status $?

	# RSA

	start_message "genrsa - Superseded by genpkey."
	genrsa_aes256=$key_dir/genrsa_aes256.pem
	$openssl_bin genrsa -f4 -aes256 -out $genrsa_aes256 \
		-passout pass:$key_pass 2048
	check_exit_status $?

	start_message "rsa"
	$openssl_bin rsa -in $genrsa_aes256 -passin pass:$key_pass \
		-check -text -out $genrsa_aes256.out
	check_exit_status $?

	start_message "rsautl - Superseded by pkeyutl."
	rsautldat=$key_dir/rsautl.dat
	rsautlsig=$key_dir/rsautl.sig
	echo "abcdefghijklmnopqrstuvwxyz1234567890" > $rsautldat

	$openssl_bin rsautl -sign -in $rsautldat -inkey $genrsa_aes256 \
		-passin pass:$key_pass -out $rsautlsig
	check_exit_status $?

	$openssl_bin rsautl -verify -in $rsautlsig -inkey $genrsa_aes256 \
		-passin pass:$key_pass
	check_exit_status $?

	# EC

	start_message "ecparam -list-curves"
	$openssl_bin ecparam -list_curves
	check_exit_status $?

	# get all EC curves
	# Keeps the lines containing ':' and takes the part before it; the
	# list output is presumably "name: description" per curve.
	ec_curves=`$openssl_bin ecparam -list_curves | grep ':' | cut -d ':' -f 1`

	start_message "ecparam and ec"

	for curve in $ec_curves ;
	do
		ecparam=$key_dir/ecparam_$curve.pem

		echo -n "ec - $curve ... ecparam ... "
		$openssl_bin ecparam -out $ecparam -name $curve -genkey \
			-param_enc explicit -conv_form compressed -C
		check_exit_status $?

		# stderr is discarded here; only the exit status is checked.
		echo -n "ec ... "
		$openssl_bin ec -in $ecparam -text \
			-out $ecparam.out 2> /dev/null
		check_exit_status $?
	done

	# PKEY

	start_message "genpkey"

	# DH by GENPKEY

	genpkey_dh_param=$key_dir/genpkey_dh_param.pem
	$openssl_bin genpkey -genparam -algorithm DH -out $genpkey_dh_param \
		-pkeyopt dh_paramgen_prime_len:1024
	check_exit_status $?

	genpkey_dh=$key_dir/genpkey_dh.pem
	$openssl_bin genpkey -paramfile $genpkey_dh_param -out $genpkey_dh
	check_exit_status $?

	# DSA by GENPKEY

	genpkey_dsa_param=$key_dir/genpkey_dsa_param.pem
	$openssl_bin genpkey -genparam -algorithm DSA -out $genpkey_dsa_param \
		-pkeyopt dsa_paramgen_bits:1024
	check_exit_status $?

	genpkey_dsa=$key_dir/genpkey_dsa.pem
	$openssl_bin genpkey -paramfile $genpkey_dsa_param -out $genpkey_dsa
	check_exit_status $?

	# RSA by GENPKEY

	# $genpkey_rsa is also used by test_pki (spkac). Public exponent 3 is
	# chosen here for option coverage.
	genpkey_rsa=$key_dir/genpkey_rsa.pem
	$openssl_bin genpkey -algorithm RSA -out $genpkey_rsa \
		-pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3
	check_exit_status $?

	# EC by GENPKEY

	genpkey_ec_param=$key_dir/genpkey_ec_param.pem
	$openssl_bin genpkey -genparam -algorithm EC -out $genpkey_ec_param \
		-pkeyopt ec_paramgen_curve:secp384r1
	check_exit_status $?

	genpkey_ec=$key_dir/genpkey_ec.pem
	$openssl_bin genpkey -paramfile $genpkey_ec_param -out $genpkey_ec
	check_exit_status $?

	# Second EC key on the same parameters; used as the peer for -derive.
	genpkey_ec_2=$key_dir/genpkey_ec_2.pem
	$openssl_bin genpkey -paramfile $genpkey_ec_param -out $genpkey_ec_2
	check_exit_status $?

	start_message "pkeyparam"

	$openssl_bin pkeyparam -in $genpkey_dh_param -text \
		-out $genpkey_dh_param.out
	check_exit_status $?

	$openssl_bin pkeyparam -in $genpkey_dsa_param -text \
		-out $genpkey_dsa_param.out
	check_exit_status $?

	$openssl_bin pkeyparam -in $genpkey_ec_param -text \
		-out $genpkey_ec_param.out
	check_exit_status $?

	start_message "pkey"

	$openssl_bin pkey -in $genpkey_dh -pubout -out $genpkey_dh.pub \
		-text_pub
	check_exit_status $?

	$openssl_bin pkey -in $genpkey_dsa -pubout -out $genpkey_dsa.pub \
		-text_pub
	check_exit_status $?

	$openssl_bin pkey -in $genpkey_rsa -pubout -out $genpkey_rsa.pub \
		-text_pub
	check_exit_status $?

	$openssl_bin pkey -in $genpkey_ec -pubout -out $genpkey_ec.pub \
		-text_pub
	check_exit_status $?

	$openssl_bin pkey -in $genpkey_ec_2 -pubout -out $genpkey_ec_2.pub \
		-text_pub
	check_exit_status $?

	start_message "pkeyutl"

	pkeyutldat=$key_dir/pkeyutl.dat
	pkeyutlsig=$key_dir/pkeyutl.sig
	echo "abcdefghijklmnopqrstuvwxyz1234567890" > $pkeyutldat

	$openssl_bin pkeyutl -sign -in $pkeyutldat -inkey $genpkey_rsa \
		-out $pkeyutlsig
	check_exit_status $?

	$openssl_bin pkeyutl -verify -in $pkeyutldat -sigfile $pkeyutlsig \
		-inkey $genpkey_rsa
	check_exit_status $?

	$openssl_bin pkeyutl -verifyrecover -in $pkeyutlsig -inkey $genpkey_rsa
	check_exit_status $?

	pkeyutlenc=$key_dir/pkeyutl.enc
	pkeyutldec=$key_dir/pkeyutl.dec

	# Default padding: encrypt with the public key, decrypt with the
	# private key, then diff confirms the round trip.
	$openssl_bin pkeyutl -encrypt -in $pkeyutldat \
		-pubin -inkey $genpkey_rsa.pub -out $pkeyutlenc
	check_exit_status $?

	$openssl_bin pkeyutl -decrypt -in $pkeyutlenc \
		-inkey $genpkey_rsa -out $pkeyutldec
	check_exit_status $?

	diff $pkeyutldat $pkeyutldec
	check_exit_status $?

	pkeyutl_rsa_oaep_enc=$key_dir/pkeyutl_rsa_oaep.enc
	pkeyutl_rsa_oaep_dec=$key_dir/pkeyutl_rsa_oaep.dec

	# OAEP round trip; the same md and label must be given on both sides.
	$openssl_bin pkeyutl -encrypt -in $pkeyutldat \
		-inkey $genpkey_rsa \
		-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
		-pkeyopt rsa_oaep_label:0011223344556677 \
		-out $pkeyutl_rsa_oaep_enc
	check_exit_status $?

	$openssl_bin pkeyutl -decrypt -in $pkeyutl_rsa_oaep_enc \
		-inkey $genpkey_rsa \
		-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
		-pkeyopt rsa_oaep_label:0011223344556677 \
		-out $pkeyutl_rsa_oaep_dec
	check_exit_status $?

	diff $pkeyutldat $pkeyutl_rsa_oaep_dec
	check_exit_status $?

	pkeyutlsc1=$key_dir/pkeyutl.sc1
	pkeyutlsc2=$key_dir/pkeyutl.sc2

	# ECDH: each side derives with its own private key and the other's
	# public key; diff checks both shared secrets agree.
	$openssl_bin pkeyutl -derive -inkey $genpkey_ec \
		-peerkey $genpkey_ec_2.pub -out $pkeyutlsc1 -hexdump
	check_exit_status $?

	$openssl_bin pkeyutl -derive -inkey $genpkey_ec_2 \
		-peerkey $genpkey_ec.pub -out $pkeyutlsc2 -hexdump
	check_exit_status $?

	diff $pkeyutlsc1 $pkeyutlsc2
	check_exit_status $?
}

# Build a throwaway PKI under $ssldir: write a test openssl.cnf, create the
# CA / TSA / OCSP directory layout, generate the CA, TSA, OCSP and server
# keys and certificates, revoke one server cert and publish a CRL, then
# exercise verify/x509/spkac/nseq and issue a user1 cert.
# Requires $genpkey_rsa from test_key. Sets $ca_cert, $ca_key, $ca_pass,
# $tsa_key, $tsa_pass, $tsa_cert, $ocsp_key, $ocsp_cert, $server_key,
# $server_pass, $server_cert, $revoke_cert, $crl_file, $crl_p7, $user1_key,
# $user1_pass and $user1_cert for the later test functions.
function test_pki {
	section_message "setup local CA"

	#
	# prepare test openssl.cnf
	#

	# The here-document delimiter is unquoted, so $ca_dir and $tsa_dir are
	# expanded by the shell while \$dir stays a literal "$dir" for
	# openssl's own config-variable expansion.
	cat << __EOF__ > $ssldir/openssl.cnf
oid_section = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./$ca_dir
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_days = 1
default_md = default
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name
countryName_default = JP
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name
stateOrProvinceName_default = Tokyo
organizationName = Organization Name
organizationName_default = TEST_DUMMY_COMPANY
commonName = Common Name
[ tsa ]
default_tsa = tsa_config1
[ tsa_config1 ]
dir = ./$tsa_dir
serial = \$dir/serial
crypto_device = builtin
digests = sha1, sha256, sha384, sha512
default_policy = tsa_policy1
other_policies = tsa_policy2, tsa_policy3
[ tsa_ext ]
keyUsage = critical,nonRepudiation
extendedKeyUsage = critical,timeStamping
[ ocsp_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage = OCSPSigning
__EOF__

	#---------#---------#---------#---------#---------#---------#---------

	#
	# setup test CA
	#

	mkdir -p $ca_dir
	mkdir -p $tsa_dir
	mkdir -p $ocsp_dir
	mkdir -p $server_dir

	# Private-key directories are created mode 700 before any key is
	# written into them.
	mkdir -p $ca_dir/certs
	mkdir -p $ca_dir/private
	mkdir -p $ca_dir/crl
	mkdir -p $ca_dir/newcerts
	chmod 700 $ca_dir/private
	echo "01" > $ca_dir/serial
	touch $ca_dir/index.txt
	touch $ca_dir/crlnumber
	echo "01" > $ca_dir/crlnumber

	#
	# setup test TSA
	#
	mkdir -p $tsa_dir/private
	chmod 700 $tsa_dir/private
	echo "01" > $tsa_dir/serial
	touch $tsa_dir/index.txt

	#
	# setup test OCSP
	#
	mkdir -p $ocsp_dir/private
	chmod 700 $ocsp_dir/private

	#---------#---------#---------#---------#---------#---------#---------

	# --- CA initiate (generate CA key and cert) ---

	start_message "req ... generate CA key and self signed cert"

	ca_cert=$ca_dir/ca_cert.pem
	ca_key=$ca_dir/private/ca_key.pem ca_pass=test-ca-pass

	# Under MinGW the subject uses the doubled leading slash and backslash
	# separators, presumably to avoid MSYS path conversion of "/C=...".
	if [ $mingw = 0 ] ; then
		subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testCA.test_dummy.com/'
	else
		subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testCA.test_dummy.com\'
	fi

	# Self-signed CA cert, valid 1 day, RSA-PSS signature.
	$openssl_bin req -new -x509 -batch -newkey rsa:2048 \
		-pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 \
		-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \
		-config $ssldir/openssl.cnf -verbose \
		-subj $subj -days 1 -set_serial 1 -multivalue-rdn \
		-keyout $ca_key -passout pass:$ca_pass \
		-out $ca_cert -outform pem
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------

	# --- TSA initiate (generate TSA key and cert) ---

	start_message "req ... generate TSA key and cert"

	# generate CSR for TSA

	tsa_csr=$tsa_dir/tsa_csr.pem
	tsa_key=$tsa_dir/private/tsa_key.pem
	tsa_pass=test-tsa-pass

	if [ $mingw = 0 ] ; then
		subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testTSA.test_dummy.com/'
	else
		subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testTSA.test_dummy.com\'
	fi

	$openssl_bin req -new -keyout $tsa_key -out $tsa_csr \
		-passout pass:$tsa_pass -subj $subj -asn1-kludge
	check_exit_status $?

	start_message "ca ... sign by CA with TSA extensions"

	tsa_cert=$tsa_dir/tsa_cert.pem

	# tsa_ext marks the cert critical timeStamping / nonRepudiation.
	$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -keyform pem \
		-key $ca_pass -config $ssldir/openssl.cnf -create_serial \
		-policy policy_match -days 1 -md sha256 -extensions tsa_ext \
		-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 \
		-multivalue-rdn -preserveDN -noemailDN \
		-in $tsa_csr -outdir $tsa_dir -out $tsa_cert -verbose -notext
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------

	# --- OCSP initiate (generate OCSP key and cert) ---

	start_message "req ... generate OCSP key and cert"

	# generate CSR for OCSP

	ocsp_csr=$ocsp_dir/ocsp_csr.pem
	ocsp_key=$ocsp_dir/private/ocsp_key.pem

	if [ $mingw = 0 ] ; then
		subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testOCSP.test_dummy.com/'
	else
		subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testOCSP.test_dummy.com\'
	fi

	# -nodes: the OCSP responder key is stored unencrypted so the
	# responder can be started non-interactively below (test_ocsp).
	$openssl_bin req -new -keyout $ocsp_key -nodes -out $ocsp_csr \
		-subj $subj -no-asn1-kludge
	check_exit_status $?

	start_message "ca ... sign by CA with OCSP extensions"

	ocsp_cert=$ocsp_dir/ocsp_cert.pem

	# -startdate is given as a two-digit-year UTCTime (%y) while the
	# fixed -enddate is far in the future (2049-12-23).
	$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -keyform pem \
		-key $ca_pass -out $ocsp_cert -extensions ocsp_ext \
		-startdate `date -u '+%y%m%d%H%M%SZ'` -enddate 491223235959Z \
		-subj $subj -infiles $ocsp_csr
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------

	# --- server-admin operations (generate server key and csr) ---
	section_message "server-admin operations (generate server key and csr)"

	server_key=$server_dir/server_key.pem
	server_csr=$server_dir/server_csr.pem
	server_pass=test-server-pass

	if [ $mingw = 0 ] ; then
		subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=localhost.test_dummy.com/'
	else
		subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=localhost.test_dummy.com\'
	fi

	start_message "genrsa ... generate server key#1"

	$openssl_bin genrsa -aes256 -passout pass:$server_pass -out $server_key
	check_exit_status $?

	start_message "req ... generate server csr#1"

	$openssl_bin req -new -subj $subj -sha256 \
		-key $server_key -keyform pem -passin pass:$server_pass \
		-out $server_csr -outform pem
	check_exit_status $?

	start_message "req ... verify server csr#1"

	$openssl_bin req -verify -in $server_csr -inform pem \
		-newhdr -noout -pubkey -subject -modulus -text \
		-nameopt multiline -reqopt compatible \
		-out $server_csr.verify.out
	check_exit_status $?

	start_message "req ... generate server csr#2 (interactive mode)"

	revoke_key=$server_dir/revoke_key.pem
	revoke_csr=$server_dir/revoke_csr.pem
	revoke_pass=test-revoke-pass

	# Without -subj, req prompts for the DN fields; the answers come from
	# the here-document in the order of req_distinguished_name above.
	$openssl_bin req -new -keyout $revoke_key -out $revoke_csr \
		-passout pass:$revoke_pass <<__EOF__
JP
Tokyo
TEST_DUMMY_COMPANY
revoke.test_dummy.com
__EOF__
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------

	# --- CA operations (issue cert for server) ---
	section_message "CA operations (issue cert for server)"

	start_message "ca ... issue cert for server csr#1"

	server_cert=$server_dir/server_cert.pem
	$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
		-in $server_csr -out $server_cert
	check_exit_status $?

	start_message "x509 ... issue cert for server csr#2"

	# Second server cert (serial 10), issued via x509 -req; it is the
	# one revoked below and queried as revoked in test_ocsp.
	revoke_cert=$server_dir/revoke_cert.pem
	$openssl_bin x509 -req -in $revoke_csr -CA $ca_cert -CAform pem \
		-CAkey $ca_key -CAkeyform pem \
		-CAserial $ca_dir/serial -set_serial 10 \
		-passin pass:$ca_pass -CAcreateserial -out $revoke_cert
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------

	# --- CA operations (revoke cert and generate crl) ---
	section_message "CA operations (revoke cert and generate crl)"

	start_message "ca ... revoke server cert#2"
	crl_file=$ca_dir/crl.pem
	# Revokes $revoke_cert and writes the CRL in one call. The compromise
	# dates use a four-digit year (%Y), unlike the -startdate above.
	$openssl_bin ca -gencrl -out $crl_file -revoke $revoke_cert \
		-config $ssldir/openssl.cnf -name CA_default \
		-crldays 30 -crlhours 12 -crlsec 30 -updatedb \
		-crl_reason unspecified -crl_hold 1.2.840.10040.2.2 \
		-crl_compromise `date -u '+%Y%m%d%H%M%SZ'` \
		-crl_CA_compromise `date -u '+%Y%m%d%H%M%SZ'` \
		-keyfile $ca_key -passin pass:$ca_pass -cert $ca_cert
	check_exit_status $?

	# No check_exit_status after -status: the lookup is informational
	# only and its exit status is deliberately not enforced here.
	start_message "ca ... show certificate status by serial number"
	$openssl_bin ca -config $ssldir/openssl.cnf -status 1

	start_message "crl ... CA generates CRL"
	$openssl_bin crl -in $crl_file -fingerprint
	check_exit_status $?

	# $crl_p7 is consumed by test_pkcs.
	crl_p7=$ca_dir/crl.p7
	start_message "crl2pkcs7 ... convert CRL to pkcs7"
	$openssl_bin crl2pkcs7 -in $crl_file -certfile $ca_cert -out $crl_p7
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------

	# --- server-admin operations (check csr, verify cert, certhash) ---
	section_message "server-admin operations (check csr, verify cert, certhash)"

	start_message "asn1parse ... parse server csr#1"
	$openssl_bin asn1parse -in $server_csr -i -dlimit 100 -length 1000 \
		-strparse 01 > $server_csr.asn1parse.out
	check_exit_status $?

	# Full chain + CRL check of server cert#1 for the sslserver purpose;
	# this is the one place the CRL produced above is actually enforced.
	start_message "verify ... server cert#1"
	$openssl_bin verify -verbose -CAfile $ca_cert -CRLfile $crl_file \
		-crl_check -issuer_checks -purpose sslserver $server_cert
	check_exit_status $?

	start_message "x509 ... get detail info about server cert#1"
	$openssl_bin x509 -in $server_cert -text -C -dates -startdate -enddate \
		-fingerprint -issuer -issuer_hash -issuer_hash_old \
		-subject -hash -subject_hash -subject_hash_old -ocsp_uri \
		-ocspid -modulus -pubkey -serial -email -noout -trustout \
		-alias -clrtrust -clrreject -next_serial -checkend 3600 \
		-nameopt multiline -certopt compatible > $server_cert.x509.out
	check_exit_status $?

	# certhash creates symlinks, which is why it is skipped under MinGW.
	if [ $mingw = 0 ] ; then
		start_message "certhash"
		$openssl_bin certhash -v $server_dir
		check_exit_status $?
	fi

	# self signed
	start_message "x509 ... generate self signed server cert"
	server_self_cert=$server_dir/server_self_cert.pem
	$openssl_bin x509 -in $server_cert -signkey $server_key -keyform pem \
		-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \
		-passin pass:$server_pass -out $server_self_cert -days 1
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------

	# --- Netscape SPKAC operations ---
	section_message "Netscape SPKAC operations"

	# server-admin generates SPKAC

	start_message "spkac"
	spkacfile=$server_dir/spkac.file

	# $genpkey_rsa comes from test_key, which must have run first.
	$openssl_bin spkac -key $genpkey_rsa -challenge hello -out $spkacfile
	check_exit_status $?

	$openssl_bin spkac -in $spkacfile -verify -out $spkacfile.out
	check_exit_status $?

	# The SPKAC request fed to "ca -spkac" is the DN fields followed by
	# the SPKAC blob itself.
	spkacreq=$server_dir/spkac.req
	cat << __EOF__ > $spkacreq
countryName = JP
stateOrProvinceName = Tokyo
organizationName = TEST_DUMMY_COMPANY
commonName = spkac.test_dummy.com
__EOF__
	cat $spkacfile >> $spkacreq

	# CA signs SPKAC
	start_message "ca ... CA signs SPKAC csr"
	spkaccert=$server_dir/spkac.cert
	$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
		-spkac $spkacreq -out $spkaccert
	check_exit_status $?

	start_message "x509 ... convert DER format SPKAC cert to PEM"
	spkacpem=$server_dir/spkac.pem
	$openssl_bin x509 -in $spkaccert -inform DER -out $spkacpem -outform PEM
	check_exit_status $?

	# server-admin cert verify

	start_message "nseq"
	$openssl_bin nseq -in $spkacpem -toseq -out $spkacpem.nseq
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------

	# --- user1 operations (generate user1 key and csr) ---
	section_message "user1 operations (generate user1 key and csr)"

	# trust
	start_message "x509 ... trust testCA cert"
	user1_trust=$user1_dir/user1_trust_ca.pem
	$openssl_bin x509 -in $ca_cert -addtrust clientAuth \
		-setalias "trusted testCA" -purpose -out $user1_trust
	check_exit_status $?

	start_message "req ... generate private key and csr for user1"

	user1_key=$user1_dir/user1_key.pem
	user1_csr=$user1_dir/user1_csr.pem
	user1_pass=test-user1-pass

	if [ $mingw = 0 ] ; then
		subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user1.test_dummy.com/'
	else
		subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user1.test_dummy.com\'
	fi

	$openssl_bin req -new -keyout $user1_key -out $user1_csr \
		-passout pass:$user1_pass -subj $subj
	check_exit_status $?

	#---------#---------#---------#---------#---------#---------#---------

	# --- CA operations (issue cert for user1) ---
	section_message "CA operations (issue cert for user1)"

	start_message "ca ... issue cert for user1"

	user1_cert=$user1_dir/user1_cert.pem
	$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
		-in $user1_csr -out $user1_cert
	check_exit_status $?
}

# Time-stamp round trip with the ts command: build a query over a small
# file, answer it with the TSA key/cert from test_pki, then verify the
# response against the CA. Uses $tsa_key, $tsa_pass, $tsa_cert, $ca_cert.
function test_tsa {
	# --- TSA operations ---
	section_message "TSA operations"

	tsa_dat=$user1_dir/tsa.dat
	cat << __EOF__ > $tsa_dat
Hello Bob,
Sincerely yours
Alice
__EOF__

	# Query
	start_message "ts ... create time stamp request"

	tsa_tsq=$user1_dir/tsa.tsq

	# sha1 is one of the digests allowed by tsa_config1 in openssl.cnf;
	# it is used here for command coverage, not as a recommendation.
	# -no_nonce: the request carries no nonce, so the response is not
	# bound to a fresh value.
	$openssl_bin ts -query -sha1 -data $tsa_dat -no_nonce -out $tsa_tsq
	check_exit_status $?

	start_message "ts ... print time stamp request"

	$openssl_bin ts -query -in $tsa_tsq -text
	check_exit_status $?

	# Reply
	start_message "ts ... create time stamp response for a request"

	tsa_tsr=$user1_dir/tsa.tsr

	$openssl_bin ts -reply -queryfile $tsa_tsq -inkey $tsa_key \
		-passin pass:$tsa_pass -signer $tsa_cert -chain $ca_cert \
		-config $ssldir/openssl.cnf -section tsa_config1 -cert \
		-policy 1.3.6.1.4.1.4146.2.3 -out $tsa_tsr
	check_exit_status $?

	# Verify
	start_message "ts ... verify time stamp response"

	$openssl_bin ts -verify -queryfile $tsa_tsq -in $tsa_tsr \
		-CAfile $ca_cert -untrusted $tsa_cert
	check_exit_status $?
}

# S/MIME round trip: encrypt to the server cert, sign as user1, extract the
# PKCS#7, verify the signature, decrypt with the server key, and diff the
# plaintext. Uses $server_cert, $server_key, $server_pass, $user1_cert,
# $user1_key, $user1_pass and $ca_cert from test_pki.
function test_smime {
	# --- S/MIME operations ---
	section_message "S/MIME operations"

	smime_txt=$user1_dir/smime.txt
	smime_enc=$user1_dir/smime.enc
	smime_sig=$user1_dir/smime.sig
	smime_p7o=$user1_dir/smime.p7o
	smime_sgr=$user1_dir/smime.sgr
	smime_ver=$user1_dir/smime.ver
	smime_dec=$user1_dir/smime.dec

	cat << __EOF__ > $smime_txt
Hello Bob,
Sincerely yours
Alice
__EOF__

	# encrypt
	start_message "smime ... encrypt message"

	$openssl_bin smime -encrypt -aes256 -binary -in $smime_txt \
		-out $smime_enc $server_cert
	check_exit_status $?

	# sign
	# Sign-over-encrypt: the encrypted message is what gets signed.
	start_message "smime ... sign to message"

	$openssl_bin smime -sign -in $smime_enc -text -inform smime \
		-out $smime_sig -outform smime \
		-signer $user1_cert -inkey $user1_key -keyform pem \
		-passin pass:$user1_pass -md sha256 \
		-from user1@test_dummy.com -to server@test_dummy.com \
		-subject "test openssl smime"
	check_exit_status $?

	# pk7out
	start_message "smime ... pk7out from message"

	$openssl_bin smime -pk7out -in $smime_sig -out $smime_p7o
	check_exit_status $?

	# verify
	# -nointern with -certfile: the signer cert is taken from the file
	# given, not from the message; the strict/issuer/policy checks are
	# all switched on. The verified payload (still encrypted) goes to
	# $smime_ver and the signer cert to $smime_sgr.
	start_message "smime ... verify message"

	$openssl_bin smime -verify -in $smime_sig \
		-CAfile $ca_cert -certfile $user1_cert -nointern \
		-check_ss_sig -issuer_checks -policy_check -x509_strict \
		-signer $smime_sgr -text -out $smime_ver
	check_exit_status $?

	# decrypt
	start_message "smime ... decrypt message"

	$openssl_bin smime -decrypt -in $smime_ver -out $smime_dec \
		-recip $server_cert -inkey $server_key -passin pass:$server_pass
	check_exit_status $?

	diff $smime_dec $smime_txt
	check_exit_status $?
}

# OCSP: build a signed request for the two server certs, answer it offline
# from the CA index, then start a one-shot responder on localhost:8888,
# query it over HTTP and parse the reply. Uses $ca_cert, $server_cert,
# $revoke_cert, $ocsp_cert, $ocsp_key, $user1_cert, $user1_key and
# $user1_pass from test_pki.
function test_ocsp {
	# --- OCSP operations ---
	section_message "OCSP operations"

	# get key without pass
	# An unencrypted copy of user1's key is written so -signkey below
	# needs no passphrase.
	user1_key_nopass=$user1_dir/user1_key_nopass.pem
	$openssl_bin pkey -in $user1_key -passin pass:$user1_pass \
		-out $user1_key_nopass
	check_exit_status $?

	# request
	start_message "ocsp ... create OCSP request"

	ocsp_req=$user1_dir/ocsp_req.der
	$openssl_bin ocsp -issuer $ca_cert -cert $server_cert \
		-cert $revoke_cert -serial 1 -nonce -no_certs -CAfile $ca_cert \
		-signer $user1_cert -signkey $user1_key_nopass \
		-sign_other $user1_cert -sha256 \
		-reqout $ocsp_req -req_text -out $ocsp_req.out
	check_exit_status $?

	# response
	# -noverify: the request signature is not checked when producing
	# this offline response; the step exercises response generation.
	start_message "ocsp ... create OCPS response for a request"

	ocsp_res=$user1_dir/ocsp_res.der
	$openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert \
		-CAfile $ca_cert -rsigner $ocsp_cert -rkey $ocsp_key \
		-reqin $ocsp_req -rother $ocsp_cert -resp_no_certs -noverify \
		-nmin 60 -validity_period 300 -status_age 300 \
		-respout $ocsp_res -resp_text -out $ocsp_res.out
	check_exit_status $?

	# ocsp server
	start_message "ocsp ... start OCSP server in background"

	# Fixed port on localhost; a concurrent run or another listener on
	# 8888 makes the query below fail. -nrequest 1 makes the responder
	# exit after a single request, so nothing stays listening.
	ocsp_port=8888

	ocsp_svr_log=$user1_dir/ocsp_svr.log
	$openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert \
		-CAfile $ca_cert -rsigner $ocsp_cert -rkey $ocsp_key \
		-host localhost -port $ocsp_port -path / -ndays 1 -nrequest 1 \
		-resp_key_id -text -out $ocsp_svr_log &
	# NOTE: $? after "&" is the status of launching the background job,
	# which is 0 whenever the fork succeeded; a responder that fails to
	# bind is only detected by the client query below.
	check_exit_status $?
	ocsp_svr_pid=$!
	echo "ocsp server pid = [ $ocsp_svr_pid ]"
	sleep 1

	# send query to ocsp server
	start_message "ocsp ... send OCSP request to server"

	ocsp_qry=$user1_dir/ocsp_qry.der
	$openssl_bin ocsp -issuer $ca_cert -cert $server_cert \
		-cert $revoke_cert -CAfile $ca_cert -no_nonce \
		-url http://localhost:$ocsp_port -timeout 10 -text \
		-header Host localhost \
		-respout $ocsp_qry -out $ocsp_qry.out
	check_exit_status $?

	# verify response from server
	# The -no_* / -trust_other / -ignore_err switches turn off signature,
	# chain and status checking on the saved response; this call
	# exercises the option set, it is not a trust decision.
	start_message "ocsp ... verify OCSP response from server"

	$openssl_bin ocsp -respin $ocsp_qry -CAfile $ca_cert \
		-ignore_err -no_signature_verify -no_cert_verify -no_chain \
		-no_cert_checks -no_explicit -trust_other -no_intern \
		-verify_other $ocsp_cert -VAfile $ocsp_cert
	check_exit_status $?
}

# PKCS#7 / PKCS#8 / PKCS#12 conversions on artifacts from test_pki:
# $crl_p7, $user1_key/$user1_pass, $server_cert/$server_key/$server_pass
# and $ca_cert.
function test_pkcs {
	# --- PKCS operations ---
	section_message "PKCS operations"

	pkcs_pass=test-pkcs-pass

	start_message "pkcs7 ... output certs in crl(pkcs7)"
	$openssl_bin pkcs7 -in $crl_p7 -print_certs -text -out $crl_p7.out
	check_exit_status $?

	# Legacy PBE algorithms (pbeWithSHA1AndDES-CBC, des3) are exercised
	# here for command coverage only.
	start_message "pkcs8 ... convert key to pkcs8"
	$openssl_bin pkcs8 -in $user1_key -topk8 -out $user1_key.p8 \
		-passin pass:$user1_pass -passout pass:$user1_pass \
		-v1 pbeWithSHA1AndDES-CBC -v2 des3
	check_exit_status $?

	start_message "pkcs8 ... convert pkcs8 to key in DER format"
	$openssl_bin pkcs8 -in $user1_key.p8 -passin pass:$user1_pass \
		-outform DER -out $user1_key.p8.der
	check_exit_status $?

	start_message "pkcs12 ... create"
	$openssl_bin pkcs12 -export -in $server_cert -inkey $server_key \
		-passin pass:$server_pass -certfile $ca_cert -CAfile $ca_cert \
		-caname "caname_server_p12" \
		-certpbe AES-256-CBC -keypbe AES-256-CBC -chain \
		-name "name_server_p12" -des3 -maciter -macalg sha256 \
		-CSP "csp_server_p12" -LMK -keyex \
		-passout pass:$pkcs_pass -out $server_cert.p12
	check_exit_status $?

	start_message "pkcs12 ... verify"
	$openssl_bin pkcs12 -in $server_cert.p12 -passin pass:$pkcs_pass -info \
		-noout
	check_exit_status $?

	# -nodes writes the extracted private key unencrypted; -nomacver
	# skips the PKCS#12 MAC check.
	start_message "pkcs12 ... private key to PEM without encryption"
	$openssl_bin pkcs12 -in $server_cert.p12 -password pass:$pkcs_pass \
		-nocerts -nomacver -nodes -out $server_cert.p12.pem
	check_exit_status $?
}

# TLS client/server test. $1 and $2 select the server and client binaries:
# "0" means $openssl_bin, anything else means $other_openssl_bin, so the
# two implementations can be cross-tested. Starts s_server in the
# background on the fixed port 4433 (stopped by stop_s_server), then
# connects with s_client once per protocol version and greps the output
# for the negotiated protocol and a successful verify. Sets the global
# $s_server_pid. (This function continues past the end of this listing.)
function test_server_client {
	# --- client/server operations (TLS) ---
	section_message "client/server operations (TLS)"

	s_id="$1"
	c_id="$2"
	sc="$1$2"

	test_pause_sec=0.2

	if [ $s_id = "0" ] ; then
		s_bin=$openssl_bin
	else
		s_bin=$other_openssl_bin
	fi

	if [ $c_id = "0" ] ; then
		c_bin=$openssl_bin
	else
		c_bin=$other_openssl_bin
	fi

	echo "s_server is [`$s_bin version`]"
	echo "s_client is [`$c_bin version`]"

	host="localhost"
	port=4433
	# $sess_dat is not referenced in the part of the function shown here.
	sess_dat=$user1_dir/s_client_${sc}_sess.dat
	s_server_out=$server_dir/s_server_${sc}_tls.out

	# OpenSSL 1.1.1's s_server gets -4, presumably to pin "localhost" to
	# IPv4 so the client and server agree on the address family.
	$s_bin version | grep 'OpenSSL 1.1.1' > /dev/null
	if [ $? -eq 0 ] ; then
		extra_opts="-4"
	else
		extra_opts=""
	fi

	start_message "s_server ... start TLS/SSL test server"
	$s_bin s_server -accept $port -CAfile $ca_cert \
		-cert $server_cert -key $server_key -pass pass:$server_pass \
		-context "appstest.sh" -id_prefix "APPSTEST.SH" -crl_check \
		-alpn "http/1.1,spdy/3" -www -cipher ALL $extra_opts \
		-msg -tlsextdebug > $s_server_out 2>&1 &
	# NOTE: as with the OCSP responder, $? after "&" only reflects the
	# fork; a server that cannot bind port 4433 surfaces as a failed
	# s_client connect below.
	check_exit_status $?
	s_server_pid=$!
	echo "s_server pid = [ $s_server_pid ]"
	sleep 1

	# protocol = TLSv1

	s_client_out=$user1_dir/s_client_${sc}_tls_1_0.out

	# Each connect is followed by two greps: the negotiated protocol
	# line and "Verify return code: 0 (ok)", i.e. chain + CRL check passed.
	start_message "s_client ... connect to TLS/SSL test server by TLSv1"
	sleep $test_pause_sec
	$c_bin s_client -connect $host:$port -CAfile $ca_cert \
		-tls1 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
	check_exit_status $?

	grep 'Protocol : TLSv1$' $s_client_out > /dev/null
	check_exit_status $?

	grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
	check_exit_status $?

	# protocol = TLSv1.1

	s_client_out=$user1_dir/s_client_${sc}_tls_1_1.out

	start_message "s_client ... connect to TLS/SSL test server by TLSv1.1"
	sleep $test_pause_sec
	$c_bin s_client -connect $host:$port -CAfile $ca_cert \
		-tls1_1 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
	check_exit_status $?

	grep 'Protocol : TLSv1\.1$' $s_client_out > /dev/null
	check_exit_status $?

	grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
	check_exit_status $?

	# protocol = TLSv1.2

	s_client_out=$user1_dir/s_client_${sc}_tls_1_2.out

	start_message "s_client ... connect to TLS/SSL test server by TLSv1.2"
	sleep $test_pause_sec
	$c_bin s_client -connect $host:$port -CAfile $ca_cert \
		-tls1_2 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
	check_exit_status $?

	grep 'Protocol : TLSv1\.2$' $s_client_out > /dev/null
	check_exit_status $?
1205 1206 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null 1207 check_exit_status $? 1208 1209 # all available ciphers with random order 1210 1211 s_ciph=$server_dir/s_ciph_${sc} 1212 if [ $s_id = "0" ] ; then 1213 $s_bin ciphers -v ALL:!ECDSA:!kGOST | awk '{print $1}' > $s_ciph 1214 else 1215 $s_bin ciphers -v | awk '{print $1}' > $s_ciph 1216 fi 1217 1218 c_ciph=$user1_dir/c_ciph_${sc} 1219 if [ $c_id = "0" ] ; then 1220 $c_bin ciphers -v ALL:!ECDSA:!kGOST | awk '{print $1}' > $c_ciph 1221 else 1222 $c_bin ciphers -v | awk '{print $1}' > $c_ciph 1223 fi 1224 1225 ciphers=$user1_dir/ciphers_${sc} 1226 grep -x -f $s_ciph $c_ciph | sort -R > $ciphers 1227 1228 cnum=0 1229 for c in `cat $ciphers` ; do 1230 cnum=`expr $cnum + 1` 1231 cnstr=`printf %03d $cnum` 1232 s_client_out=$user1_dir/s_client_${sc}_tls_${cnstr}_${c}.out 1233 1234 start_message "s_client ... connect to TLS/SSL test server with [ $cnstr ] $c" 1235 sleep $test_pause_sec 1236 $c_bin s_client -connect $host:$port -CAfile $ca_cert \ 1237 -cipher $c \ 1238 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 1239 check_exit_status $? 1240 1241 grep "Cipher : $c" $s_client_out > /dev/null 1242 check_exit_status $? 1243 1244 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null 1245 check_exit_status $? 1246 done 1247 1248 # Get session ticket to reuse 1249 1250 s_client_out=$user1_dir/s_client_${sc}_tls_reuse_1.out 1251 1252 start_message "s_client ... connect to TLS/SSL test server to get session id" 1253 sleep $test_pause_sec 1254 $c_bin s_client -connect $host:$port -CAfile $ca_cert \ 1255 -alpn "spdy/3,http/1.1" -sess_out $sess_dat \ 1256 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 1257 check_exit_status $? 1258 1259 grep '^New, TLS.*$' $s_client_out > /dev/null 1260 check_exit_status $? 1261 1262 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null 1263 check_exit_status $? 
1264 1265 # Reuse session ticket 1266 1267 s_client_out=$user1_dir/s_client_${sc}_tls_reuse_2.out 1268 1269 start_message "s_client ... connect to TLS/SSL test server reusing session id" 1270 sleep $test_pause_sec 1271 $c_bin s_client -connect $host:$port -CAfile $ca_cert \ 1272 -sess_in $sess_dat \ 1273 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 1274 check_exit_status $? 1275 1276 grep '^Reused, TLS.*$' $s_client_out > /dev/null 1277 check_exit_status $? 1278 1279 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null 1280 check_exit_status $? 1281 1282 # invalid verification pattern 1283 1284 s_client_out=$user1_dir/s_client_${sc}_tls_invalid.out 1285 1286 start_message "s_client ... connect to TLS/SSL test server but verify error" 1287 sleep $test_pause_sec 1288 $c_bin s_client -connect $host:$port -CAfile $ca_cert \ 1289 -showcerts -crl_check -issuer_checks -policy_check \ 1290 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 1291 check_exit_status $? 1292 1293 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null 1294 if [ $? -eq 0 ] ; then 1295 check_exit_status 1 1296 else 1297 check_exit_status 0 1298 fi 1299 1300 # s_time 1301 start_message "s_time ... connect to TLS/SSL test server" 1302 $c_bin s_time -connect $host:$port -CApath $ca_dir -time 2 1303 check_exit_status $? 1304 1305 # sess_id 1306 start_message "sess_id" 1307 $c_bin sess_id -in $sess_dat -text -out $sess_dat.out 1308 check_exit_status $? 1309 1310 stop_s_server 1311} 1312 1313function test_speed { 1314 # === PERFORMANCE === 1315 section_message "PERFORMANCE" 1316 1317 if [ $no_long_tests = 0 ] ; then 1318 start_message "speed" 1319 $openssl_bin speed sha512 rsa2048 -multi 2 -elapsed 1320 check_exit_status $? 
1321 else 1322 start_message "SKIPPING speed (quick mode)" 1323 fi 1324} 1325 1326function test_version { 1327 # --- VERSION INFORMATION --- 1328 section_message "VERSION INFORMATION" 1329 1330 start_message "version" 1331 $openssl_bin version -a 1332 check_exit_status $? 1333} 1334 1335#---------#---------#---------#---------#---------#---------#---------#--------- 1336 1337openssl_bin=${OPENSSL:-/usr/bin/openssl} 1338other_openssl_bin=${OTHER_OPENSSL:-/usr/local/bin/eopenssl} 1339 1340interop_tests=0 1341no_long_tests=0 1342 1343while [ "$1" != "" ]; do 1344 case $1 in 1345 -i | --interop) shift 1346 interop_tests=1 1347 ;; 1348 -q | --quick ) shift 1349 no_long_tests=1 1350 ;; 1351 * ) usage 1352 exit 1 1353 esac 1354done 1355 1356if [ ! -x $openssl_bin ] ; then 1357 echo ":-< \$OPENSSL [$openssl_bin] is not executable." 1358 exit 1 1359fi 1360 1361if [ $interop_tests = 1 -a ! -x $other_openssl_bin ] ; then 1362 echo ":-< \$OTHER_OPENSSL [$other_openssl_bin] is not executable." 1363 exit 1 1364fi 1365 1366# 1367# create ssldir, and all files generated by this script goes under this dir. 1368# 1369ssldir="appstest_dir" 1370 1371if [ -d $ssldir ] ; then 1372 echo "directory [ $ssldir ] exists, this script deletes this directory ..." 
1373 /bin/rm -rf $ssldir 1374fi 1375 1376mkdir -p $ssldir 1377 1378ca_dir=$ssldir/testCA 1379tsa_dir=$ssldir/testTSA 1380ocsp_dir=$ssldir/testOCSP 1381server_dir=$ssldir/server 1382user1_dir=$ssldir/user1 1383mkdir -p $user1_dir 1384key_dir=$ssldir/key 1385mkdir -p $key_dir 1386 1387export OPENSSL_CONF=$ssldir/openssl.cnf 1388touch $OPENSSL_CONF 1389 1390uname_s=`uname -s | grep 'MINGW'` 1391if [ "$uname_s" = "" ] ; then 1392 mingw=0 1393else 1394 mingw=1 1395fi 1396 1397# 1398# process tests 1399# 1400test_usage_lists_others 1401test_md 1402test_encoding_cipher 1403test_key 1404test_pki 1405test_tsa 1406test_smime 1407test_ocsp 1408test_pkcs 1409test_server_client 0 0 1410if [ $interop_tests = 1 ] ; then 1411 test_server_client 0 1 1412 test_server_client 1 0 1413fi 1414test_speed 1415test_version 1416 1417section_message "END" 1418 1419exit 0 1420 1421