appstest.sh revision 1.38
1#!/bin/sh 2# 3# $OpenBSD: appstest.sh,v 1.38 2020/05/17 01:43:27 inoguchi Exp $ 4# 5# Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org> 6# 7# Permission to use, copy, modify, and distribute this software for any 8# purpose with or without fee is hereby granted, provided that the above 9# copyright notice and this permission notice appear in all copies. 10# 11# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19# 20# appstest.sh - test script for openssl command according to man OPENSSL(1) 21# 22# input : none 23# output : all files generated by this script go under $ssldir 24# 25 26function section_message { 27 echo "" 28 echo "#---------#---------#---------#---------#---------#---------#---------#--------" 29 echo "===" 30 echo "=== (Section) $1 `date +'%Y/%m/%d %H:%M:%S'`" 31 echo "===" 32} 33 34function start_message { 35 echo "" 36 echo "[TEST] $1" 37} 38 39function stop_s_server { 40 if [ ! -z "$s_server_pid" ] ; then 41 echo ":-| stop s_server [ $s_server_pid ]" 42 sleep 1 43 kill -TERM $s_server_pid 44 wait $s_server_pid 45 s_server_pid= 46 fi 47} 48 49function check_exit_status { 50 status=$1 51 if [ $status -ne 0 ] ; then 52 stop_s_server 53 echo ":-< error occurs, exit status = [ $status ]" 54 exit $status 55 else 56 echo ":-) success. " 57 fi 58} 59 60function usage { 61 echo "usage: appstest.sh [-iq]" 62} 63 64function test_usage_lists_others { 65 # === COMMAND USAGE === 66 section_message "COMMAND USAGE" 67 68 start_message "output usages of all commands." 69 70 cmds=`$openssl_bin list-standard-commands` 71 $openssl_bin -help 2>> $user1_dir/usages.out 72 for c in $cmds ; do 73 $openssl_bin $c -help 2>> $user1_dir/usages.out 74 done 75 76 start_message "check all list-* commands." 77 78 lists="" 79 lists="$lists list-standard-commands" 80 lists="$lists list-message-digest-commands list-message-digest-algorithms" 81 lists="$lists list-cipher-commands list-cipher-algorithms" 82 lists="$lists list-public-key-algorithms" 83 84 listsfile=$user1_dir/lists.out 85 86 for l in $lists ; do 87 echo "" >> $listsfile 88 echo "$l" >> $listsfile 89 $openssl_bin $l >> $listsfile 90 done 91 92 start_message "check interactive mode" 93 $openssl_bin <<__EOF__ 94help 95quit 96__EOF__ 97 check_exit_status $? 98 99 #---------#---------#---------#---------#---------#---------#--------- 100 101 # --- listing operations --- 102 section_message "listing operations" 103 104 start_message "ciphers" 105 $openssl_bin ciphers -V 106 check_exit_status $? 107 108 start_message "errstr" 109 $openssl_bin errstr 2606A074 110 check_exit_status $? 111 $openssl_bin errstr -stats 2606A074 > $user1_dir/errstr-stats.out 112 check_exit_status $? 113 114 #---------#---------#---------#---------#---------#---------#--------- 115 116 # --- random number etc. operations --- 117 section_message "random number etc. operations" 118 119 start_message "passwd" 120 121 pass="test-pass-1234" 122 123 echo $pass | $openssl_bin passwd -stdin -1 124 check_exit_status $? 125 126 echo $pass | $openssl_bin passwd -stdin -apr1 127 check_exit_status $? 128 129 echo $pass | $openssl_bin passwd -stdin -crypt 130 check_exit_status $? 131 132 start_message "prime" 133 134 $openssl_bin prime 1 135 check_exit_status $? 136 137 $openssl_bin prime 2 138 check_exit_status $? 139 140 $openssl_bin prime -bits 64 -checks 3 -generate -hex -safe 5 141 check_exit_status $? 142 143 start_message "rand" 144 145 $openssl_bin rand -base64 100 146 check_exit_status $? 147 148 $openssl_bin rand -hex 100 149 check_exit_status $? 150} 151 152function test_md { 153 # === MESSAGE DIGEST COMMANDS === 154 section_message "MESSAGE DIGEST COMMANDS" 155 156 start_message "dgst - See [MESSAGE DIGEST COMMANDS] section." 157 158 text="1234567890abcdefghijklmnopqrstuvwxyz" 159 dgstdat=$user1_dir/dgst.dat 160 echo $text > $dgstdat 161 hmac_key="test-hmac-key" 162 cmac_key="1234567890abcde1234567890abcde12" 163 dgstkey=$user1_dir/dgstkey.pem 164 dgstpass=test-dgst-pass 165 dgstpub=$user1_dir/dgstpub.pem 166 dgstsig=$user1_dir/dgst.sig 167 168 $openssl_bin genrsa -aes256 -passout pass:$dgstpass -out $dgstkey 169 check_exit_status $? 170 171 $openssl_bin pkey -in $dgstkey -passin pass:$dgstpass -pubout \ 172 -out $dgstpub 173 check_exit_status $? 174 175 digests=`$openssl_bin list-message-digest-commands` 176 177 for d in $digests ; do 178 179 echo -n "$d ... " 180 $openssl_bin dgst -$d -hex -out $dgstdat.$d $dgstdat 181 check_exit_status $? 182 183 echo -n "$d HMAC ... " 184 $openssl_bin dgst -$d -c -hmac $hmac_key -out $dgstdat.$d.hmac \ 185 $dgstdat 186 check_exit_status $? 187 188 echo -n "$d CMAC ... " 189 $openssl_bin dgst -$d -r -mac cmac -macopt cipher:aes-128-cbc \ 190 -macopt hexkey:$cmac_key -out $dgstdat.$d.cmac $dgstdat 191 check_exit_status $? 192 193 echo -n "$d sign ... " 194 $openssl_bin dgst -sign $dgstkey -keyform pem \ 195 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \ 196 -passin pass:$dgstpass -binary -out $dgstsig.$d $dgstdat 197 check_exit_status $? 198 199 echo -n "$d verify ... " 200 $openssl_bin dgst -verify $dgstpub \ 201 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \ 202 -signature $dgstsig.$d $dgstdat 203 check_exit_status $? 204 205 echo -n "$d prverify ... " 206 $openssl_bin dgst -prverify $dgstkey -passin pass:$dgstpass \ 207 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \ 208 -signature $dgstsig.$d $dgstdat 209 check_exit_status $? 210 done 211} 212 213function test_encoding_cipher { 214 # === ENCODING AND CIPHER COMMANDS === 215 section_message "ENCODING AND CIPHER COMMANDS" 216 217 start_message "enc - See [ENCODING AND CIPHER COMMANDS] section." 218 219 text="1234567890abcdefghijklmnopqrstuvwxyz" 220 encfile=$user1_dir/encfile.dat 221 echo $text > $encfile 222 pass="test-pass-1234" 223 224 ciphers=`$openssl_bin list-cipher-commands` 225 226 for c in $ciphers ; do 227 echo -n "$c ... encoding ... " 228 $openssl_bin enc -$c -e -base64 -pass pass:$pass \ 229 -in $encfile -out $encfile-$c.enc 230 check_exit_status $? 231 232 echo -n "decoding ... " 233 $openssl_bin enc -$c -d -base64 -pass pass:$pass \ 234 -in $encfile-$c.enc -out $encfile-$c.dec 235 check_exit_status $? 236 237 echo -n "cmp ... " 238 cmp $encfile $encfile-$c.dec 239 check_exit_status $? 240 done 241} 242 243function test_key { 244 # === various KEY operations === 245 section_message "various KEY operations" 246 247 key_pass=test-key-pass 248 249 # DH 250 251 start_message "gendh - Obsoleted by dhparam." 252 gendh2=$key_dir/gendh2.pem 253 $openssl_bin gendh -2 -out $gendh2 254 check_exit_status $? 255 256 start_message "dh - Obsoleted by dhparam." 257 $openssl_bin dh -in $gendh2 -check -text -out $gendh2.out 258 check_exit_status $? 259 260 if [ $no_long_tests = 0 ] ; then 261 start_message "dhparam - Superseded by genpkey and pkeyparam." 262 dhparam2=$key_dir/dhparam2.pem 263 $openssl_bin dhparam -2 -out $dhparam2 264 check_exit_status $? 265 $openssl_bin dhparam -in $dhparam2 -check -text \ 266 -out $dhparam2.out 267 check_exit_status $? 268 else 269 start_message "SKIPPING dhparam - Superseded by genpkey and pkeyparam. (quick mode)" 270 fi 271 272 # DSA 273 274 start_message "dsaparam - Superseded by genpkey and pkeyparam." 275 dsaparam512=$key_dir/dsaparam512.pem 276 $openssl_bin dsaparam -genkey -out $dsaparam512 512 277 check_exit_status $? 278 279 start_message "dsa" 280 $openssl_bin dsa -in $dsaparam512 -text -modulus -out $dsaparam512.out 281 check_exit_status $? 282 283 start_message "gendsa - Superseded by genpkey and pkey." 284 gendsa_des3=$key_dir/gendsa_des3.pem 285 $openssl_bin gendsa -des3 -out $gendsa_des3 \ 286 -passout pass:$key_pass $dsaparam512 287 check_exit_status $? 288 289 # RSA 290 291 start_message "genrsa - Superseded by genpkey." 292 genrsa_aes256=$key_dir/genrsa_aes256.pem 293 $openssl_bin genrsa -f4 -aes256 -out $genrsa_aes256 \ 294 -passout pass:$key_pass 2048 295 check_exit_status $? 296 297 start_message "rsa" 298 $openssl_bin rsa -in $genrsa_aes256 -passin pass:$key_pass \ 299 -check -text -out $genrsa_aes256.out 300 check_exit_status $? 301 302 start_message "rsautl - Superseded by pkeyutl." 303 rsautldat=$key_dir/rsautl.dat 304 rsautlsig=$key_dir/rsautl.sig 305 echo "abcdefghijklmnopqrstuvwxyz1234567890" > $rsautldat 306 307 $openssl_bin rsautl -sign -in $rsautldat -inkey $genrsa_aes256 \ 308 -passin pass:$key_pass -out $rsautlsig 309 check_exit_status $? 310 311 $openssl_bin rsautl -verify -in $rsautlsig -inkey $genrsa_aes256 \ 312 -passin pass:$key_pass 313 check_exit_status $? 314 315 # EC 316 317 start_message "ecparam -list-curves" 318 $openssl_bin ecparam -list_curves 319 check_exit_status $? 320 321 # get all EC curves 322 ec_curves=`$openssl_bin ecparam -list_curves | grep ':' | cut -d ':' -f 1` 323 324 start_message "ecparam and ec" 325 326 for curve in $ec_curves ; 327 do 328 ecparam=$key_dir/ecparam_$curve.pem 329 330 echo -n "ec - $curve ... ecparam ... " 331 $openssl_bin ecparam -out $ecparam -name $curve -genkey \ 332 -param_enc explicit -conv_form compressed -C 333 check_exit_status $? 334 335 echo -n "ec ... " 336 $openssl_bin ec -in $ecparam -text \ 337 -out $ecparam.out 2> /dev/null 338 check_exit_status $? 339 done 340 341 # PKEY 342 343 start_message "genpkey" 344 345 # DH by GENPKEY 346 347 genpkey_dh_param=$key_dir/genpkey_dh_param.pem 348 $openssl_bin genpkey -genparam -algorithm DH -out $genpkey_dh_param \ 349 -pkeyopt dh_paramgen_prime_len:1024 350 check_exit_status $? 351 352 genpkey_dh=$key_dir/genpkey_dh.pem 353 $openssl_bin genpkey -paramfile $genpkey_dh_param -out $genpkey_dh 354 check_exit_status $? 355 356 # DSA by GENPKEY 357 358 genpkey_dsa_param=$key_dir/genpkey_dsa_param.pem 359 $openssl_bin genpkey -genparam -algorithm DSA -out $genpkey_dsa_param \ 360 -pkeyopt dsa_paramgen_bits:1024 361 check_exit_status $? 362 363 genpkey_dsa=$key_dir/genpkey_dsa.pem 364 $openssl_bin genpkey -paramfile $genpkey_dsa_param -out $genpkey_dsa 365 check_exit_status $? 366 367 # RSA by GENPKEY 368 369 genpkey_rsa=$key_dir/genpkey_rsa.pem 370 $openssl_bin genpkey -algorithm RSA -out $genpkey_rsa \ 371 -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 372 check_exit_status $? 373 374 genpkey_rsa_pss=$key_dir/genpkey_rsa_pss.pem 375 $openssl_bin genpkey -algorithm RSA-PSS -out $genpkey_rsa_pss \ 376 -pkeyopt rsa_keygen_bits:2048 \ 377 -pkeyopt rsa_pss_keygen_mgf1_md:sha256 \ 378 -pkeyopt rsa_pss_keygen_md:sha256 \ 379 -pkeyopt rsa_pss_keygen_saltlen:32 380 check_exit_status $? 381 382 # EC by GENPKEY 383 384 genpkey_ec_param=$key_dir/genpkey_ec_param.pem 385 $openssl_bin genpkey -genparam -algorithm EC -out $genpkey_ec_param \ 386 -pkeyopt ec_paramgen_curve:secp384r1 387 check_exit_status $? 388 389 genpkey_ec=$key_dir/genpkey_ec.pem 390 $openssl_bin genpkey -paramfile $genpkey_ec_param -out $genpkey_ec 391 check_exit_status $? 392 393 genpkey_ec_2=$key_dir/genpkey_ec_2.pem 394 $openssl_bin genpkey -paramfile $genpkey_ec_param -out $genpkey_ec_2 395 check_exit_status $? 396 397 start_message "pkeyparam" 398 399 $openssl_bin pkeyparam -in $genpkey_dh_param -text \ 400 -out $genpkey_dh_param.out 401 check_exit_status $? 402 403 $openssl_bin pkeyparam -in $genpkey_dsa_param -text \ 404 -out $genpkey_dsa_param.out 405 check_exit_status $? 406 407 $openssl_bin pkeyparam -in $genpkey_ec_param -text \ 408 -out $genpkey_ec_param.out 409 check_exit_status $? 410 411 start_message "pkey" 412 413 $openssl_bin pkey -in $genpkey_dh -pubout -out $genpkey_dh.pub \ 414 -text_pub 415 check_exit_status $? 416 417 $openssl_bin pkey -in $genpkey_dsa -pubout -out $genpkey_dsa.pub \ 418 -text_pub 419 check_exit_status $? 420 421 $openssl_bin pkey -in $genpkey_rsa -pubout -out $genpkey_rsa.pub \ 422 -text_pub 423 check_exit_status $? 424 425 $openssl_bin pkey -in $genpkey_ec -pubout -out $genpkey_ec.pub \ 426 -text_pub 427 check_exit_status $? 428 429 $openssl_bin pkey -in $genpkey_ec_2 -pubout -out $genpkey_ec_2.pub \ 430 -text_pub 431 check_exit_status $? 432 433 start_message "pkeyutl" 434 435 pkeyutldat=$key_dir/pkeyutl.dat 436 pkeyutlsig=$key_dir/pkeyutl.sig 437 echo "abcdefghijklmnopqrstuvwxyz1234567890" > $pkeyutldat 438 439 $openssl_bin pkeyutl -sign -in $pkeyutldat -inkey $genpkey_rsa \ 440 -out $pkeyutlsig 441 check_exit_status $? 442 443 $openssl_bin pkeyutl -verify -in $pkeyutldat -sigfile $pkeyutlsig \ 444 -inkey $genpkey_rsa 445 check_exit_status $? 446 447 $openssl_bin pkeyutl -verifyrecover -in $pkeyutlsig -inkey $genpkey_rsa 448 check_exit_status $? 449 450 pkeyutlenc=$key_dir/pkeyutl.enc 451 pkeyutldec=$key_dir/pkeyutl.dec 452 453 $openssl_bin pkeyutl -encrypt -in $pkeyutldat \ 454 -pubin -inkey $genpkey_rsa.pub -out $pkeyutlenc 455 check_exit_status $? 456 457 $openssl_bin pkeyutl -decrypt -in $pkeyutlenc \ 458 -inkey $genpkey_rsa -out $pkeyutldec 459 check_exit_status $? 460 461 diff $pkeyutldat $pkeyutldec 462 check_exit_status $? 463 464 pkeyutl_rsa_oaep_enc=$key_dir/pkeyutl_rsa_oaep.enc 465 pkeyutl_rsa_oaep_dec=$key_dir/pkeyutl_rsa_oaep.dec 466 467 $openssl_bin pkeyutl -encrypt -in $pkeyutldat \ 468 -inkey $genpkey_rsa \ 469 -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \ 470 -pkeyopt rsa_oaep_label:0011223344556677 \ 471 -out $pkeyutl_rsa_oaep_enc 472 check_exit_status $? 473 474 $openssl_bin pkeyutl -decrypt -in $pkeyutl_rsa_oaep_enc \ 475 -inkey $genpkey_rsa \ 476 -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \ 477 -pkeyopt rsa_oaep_label:0011223344556677 \ 478 -out $pkeyutl_rsa_oaep_dec 479 check_exit_status $? 480 481 diff $pkeyutldat $pkeyutl_rsa_oaep_dec 482 check_exit_status $? 483 484 pkeyutlsc1=$key_dir/pkeyutl.sc1 485 pkeyutlsc2=$key_dir/pkeyutl.sc2 486 487 $openssl_bin pkeyutl -derive -inkey $genpkey_ec \ 488 -peerkey $genpkey_ec_2.pub -out $pkeyutlsc1 -hexdump 489 check_exit_status $? 490 491 $openssl_bin pkeyutl -derive -inkey $genpkey_ec_2 \ 492 -peerkey $genpkey_ec.pub -out $pkeyutlsc2 -hexdump 493 check_exit_status $? 494 495 diff $pkeyutlsc1 $pkeyutlsc2 496 check_exit_status $? 497} 498 499function test_pki { 500 section_message "setup local CA" 501 502 # 503 # prepare test openssl.cnf 504 # 505 506 cat << __EOF__ > $ssldir/openssl.cnf 507oid_section = new_oids 508[ new_oids ] 509tsa_policy1 = 1.2.3.4.1 510tsa_policy2 = 1.2.3.4.5.6 511tsa_policy3 = 1.2.3.4.5.7 512[ ca ] 513default_ca = CA_default 514[ CA_default ] 515dir = ./$ca_dir 516crl_dir = \$dir/crl 517database = \$dir/index.txt 518new_certs_dir = \$dir/newcerts 519serial = \$dir/serial 520crlnumber = \$dir/crlnumber 521default_days = 1 522default_md = default 523policy = policy_match 524[ policy_match ] 525countryName = match 526stateOrProvinceName = match 527organizationName = match 528organizationalUnitName = optional 529commonName = supplied 530emailAddress = optional 531[ req ] 532distinguished_name = req_distinguished_name 533[ req_distinguished_name ] 534countryName = Country Name 535countryName_default = JP 536countryName_min = 2 537countryName_max = 2 538stateOrProvinceName = State or Province Name 539stateOrProvinceName_default = Tokyo 540organizationName = Organization Name 541organizationName_default = TEST_DUMMY_COMPANY 542commonName = Common Name 543[ tsa ] 544default_tsa = tsa_config1 545[ tsa_config1 ] 546dir = ./$tsa_dir 547serial = \$dir/serial 548crypto_device = builtin 549digests = sha1, sha256, sha384, sha512 550default_policy = tsa_policy1 551other_policies = tsa_policy2, tsa_policy3 552[ tsa_ext ] 553keyUsage = critical,nonRepudiation 554extendedKeyUsage = critical,timeStamping 555[ ocsp_ext ] 556basicConstraints = CA:FALSE 557keyUsage = nonRepudiation,digitalSignature,keyEncipherment 558extendedKeyUsage = OCSPSigning 559__EOF__ 560 561 #---------#---------#---------#---------#---------#---------#--------- 562 563 # 564 # setup test CA 565 # 566 567 mkdir -p $ca_dir 568 mkdir -p $tsa_dir 569 mkdir -p $ocsp_dir 570 mkdir -p $server_dir 571 572 mkdir -p $ca_dir/certs 573 mkdir -p $ca_dir/private 574 mkdir -p $ca_dir/crl 575 mkdir -p $ca_dir/newcerts 576 chmod 700 $ca_dir/private 577 echo "01" > $ca_dir/serial 578 touch $ca_dir/index.txt 579 touch $ca_dir/crlnumber 580 echo "01" > $ca_dir/crlnumber 581 582 # 583 # setup test TSA 584 # 585 mkdir -p $tsa_dir/private 586 chmod 700 $tsa_dir/private 587 echo "01" > $tsa_dir/serial 588 touch $tsa_dir/index.txt 589 590 # 591 # setup test OCSP 592 # 593 mkdir -p $ocsp_dir/private 594 chmod 700 $ocsp_dir/private 595 596 #---------#---------#---------#---------#---------#---------#--------- 597 598 # --- CA initiate (generate CA key and cert) --- 599 600 start_message "req ... generate CA key and self signed cert" 601 602 ca_cert=$ca_dir/ca_cert.pem 603 ca_key=$ca_dir/private/ca_key.pem ca_pass=test-ca-pass 604 605 if [ $mingw = 0 ] ; then 606 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testCA.test_dummy.com/' 607 else 608 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testCA.test_dummy.com\' 609 fi 610 611 $openssl_bin req -new -x509 -batch -newkey rsa:2048 \ 612 -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 \ 613 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \ 614 -config $ssldir/openssl.cnf -verbose \ 615 -subj $subj -days 1 -set_serial 1 -multivalue-rdn \ 616 -keyout $ca_key -passout pass:$ca_pass \ 617 -out $ca_cert -outform pem 618 check_exit_status $? 619 620 #---------#---------#---------#---------#---------#---------#--------- 621 622 # --- TSA initiate (generate TSA key and cert) --- 623 624 start_message "req ... generate TSA key and cert" 625 626 # generate CSR for TSA 627 628 tsa_csr=$tsa_dir/tsa_csr.pem 629 tsa_key=$tsa_dir/private/tsa_key.pem 630 tsa_pass=test-tsa-pass 631 632 if [ $mingw = 0 ] ; then 633 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testTSA.test_dummy.com/' 634 else 635 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testTSA.test_dummy.com\' 636 fi 637 638 $openssl_bin req -new -keyout $tsa_key -out $tsa_csr \ 639 -passout pass:$tsa_pass -subj $subj -asn1-kludge 640 check_exit_status $? 641 642 start_message "ca ... sign by CA with TSA extensions" 643 644 tsa_cert=$tsa_dir/tsa_cert.pem 645 646 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -keyform pem \ 647 -key $ca_pass -config $ssldir/openssl.cnf -create_serial \ 648 -policy policy_match -days 1 -md sha256 -extensions tsa_ext \ 649 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 \ 650 -multivalue-rdn -preserveDN -noemailDN \ 651 -in $tsa_csr -outdir $tsa_dir -out $tsa_cert -verbose -notext 652 check_exit_status $? 653 654 #---------#---------#---------#---------#---------#---------#--------- 655 656 # --- OCSP initiate (generate OCSP key and cert) --- 657 658 start_message "req ... generate OCSP key and cert" 659 660 # generate CSR for OCSP 661 662 ocsp_csr=$ocsp_dir/ocsp_csr.pem 663 ocsp_key=$ocsp_dir/private/ocsp_key.pem 664 665 if [ $mingw = 0 ] ; then 666 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testOCSP.test_dummy.com/' 667 else 668 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testOCSP.test_dummy.com\' 669 fi 670 671 $openssl_bin req -new -keyout $ocsp_key -nodes -out $ocsp_csr \ 672 -subj $subj -no-asn1-kludge 673 check_exit_status $? 674 675 start_message "ca ... sign by CA with OCSP extensions" 676 677 ocsp_cert=$ocsp_dir/ocsp_cert.pem 678 679 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -keyform pem \ 680 -key $ca_pass -out $ocsp_cert -extensions ocsp_ext \ 681 -startdate `date -u '+%y%m%d%H%M%SZ'` -enddate 491223235959Z \ 682 -subj $subj -infiles $ocsp_csr 683 check_exit_status $? 684 685 #---------#---------#---------#---------#---------#---------#--------- 686 687 # --- server-admin operations (generate server key and csr) --- 688 section_message "server-admin operations (generate server key and csr)" 689 690 server_key=$server_dir/server_key.pem 691 server_csr=$server_dir/server_csr.pem 692 server_pass=test-server-pass 693 694 if [ $mingw = 0 ] ; then 695 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=localhost.test_dummy.com/' 696 else 697 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=localhost.test_dummy.com\' 698 fi 699 700 start_message "genrsa ... generate server key#1" 701 702 $openssl_bin genrsa -aes256 -passout pass:$server_pass -out $server_key 703 check_exit_status $? 704 705 start_message "req ... generate server csr#1" 706 707 $openssl_bin req -new -subj $subj -sha256 \ 708 -key $server_key -keyform pem -passin pass:$server_pass \ 709 -addext 'subjectAltName = DNS:localhost.test_dummy.com' \ 710 -out $server_csr -outform pem 711 check_exit_status $? 712 713 start_message "req ... verify server csr#1" 714 715 $openssl_bin req -verify -in $server_csr -inform pem \ 716 -newhdr -noout -pubkey -subject -modulus -text \ 717 -nameopt multiline -reqopt compatible \ 718 -out $server_csr.verify.out 719 check_exit_status $? 720 721 start_message "req ... generate server csr#2 (interactive mode)" 722 723 revoke_key=$server_dir/revoke_key.pem 724 revoke_csr=$server_dir/revoke_csr.pem 725 revoke_pass=test-revoke-pass 726 727 $openssl_bin req -new -keyout $revoke_key -out $revoke_csr \ 728 -passout pass:$revoke_pass <<__EOF__ 729JP 730Tokyo 731TEST_DUMMY_COMPANY 732revoke.test_dummy.com 733__EOF__ 734 check_exit_status $? 735 736 ecdsa_key=$server_dir/ecdsa_key.pem 737 ecdsa_csr=$server_dir/ecdsa_csr.pem 738 ecdsa_pass=test-ecdsa-pass 739 740 if [ $mingw = 0 ] ; then 741 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=ecdsa.test_dummy.com/' 742 else 743 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=ecdsa.test_dummy.com\' 744 fi 745 746 start_message "ecparam ... generate server key#3" 747 748 $openssl_bin ecparam -name prime256v1 -genkey -out $ecdsa_key 749 check_exit_status $? 750 751 start_message "req ... generate server csr#3" 752 753 $openssl_bin req -new -subj $subj -sha256 \ 754 -key $ecdsa_key -keyform pem -passin pass:$ecdsa_pass \ 755 -addext 'subjectAltName = DNS:localhost.test_dummy.com' \ 756 -out $ecdsa_csr -outform pem 757 check_exit_status $? 758 759 start_message "req ... verify server csr#3" 760 761 $openssl_bin req -verify -in $ecdsa_csr -inform pem \ 762 -newhdr -noout -pubkey -subject -modulus -text \ 763 -nameopt multiline -reqopt compatible \ 764 -out $ecdsa_csr.verify.out 765 check_exit_status $? 766 767 #---------#---------#---------#---------#---------#---------#--------- 768 769 # --- CA operations (issue cert for server) --- 770 section_message "CA operations (issue cert for server)" 771 772 start_message "ca ... issue cert for server csr#1" 773 774 server_cert=$server_dir/server_cert.pem 775 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 776 -in $server_csr -out $server_cert 777 check_exit_status $? 778 779 start_message "x509 ... issue cert for server csr#2" 780 781 revoke_cert=$server_dir/revoke_cert.pem 782 $openssl_bin x509 -req -in $revoke_csr -CA $ca_cert -CAform pem \ 783 -CAkey $ca_key -CAkeyform pem \ 784 -CAserial $ca_dir/serial -set_serial 10 \ 785 -passin pass:$ca_pass -CAcreateserial -out $revoke_cert 786 check_exit_status $? 787 788 start_message "ca ... issue cert for server csr#3" 789 790 ecdsa_cert=$server_dir/ecdsa_cert.pem 791 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 792 -in $ecdsa_csr -out $ecdsa_cert 793 check_exit_status $? 794 795 #---------#---------#---------#---------#---------#---------#--------- 796 797 # --- CA operations (revoke cert and generate crl) --- 798 section_message "CA operations (revoke cert and generate crl)" 799 800 start_message "ca ... revoke server cert#2" 801 crl_file=$ca_dir/crl.pem 802 $openssl_bin ca -gencrl -out $crl_file -revoke $revoke_cert \ 803 -config $ssldir/openssl.cnf -name CA_default \ 804 -crldays 30 -crlhours 12 -crlsec 30 -updatedb \ 805 -crl_reason unspecified -crl_hold 1.2.840.10040.2.2 \ 806 -crl_compromise `date -u '+%Y%m%d%H%M%SZ'` \ 807 -crl_CA_compromise `date -u '+%Y%m%d%H%M%SZ'` \ 808 -keyfile $ca_key -passin pass:$ca_pass -cert $ca_cert 809 check_exit_status $? 810 811 start_message "ca ... show certificate status by serial number" 812 $openssl_bin ca -config $ssldir/openssl.cnf -status 1 813 814 start_message "crl ... CA generates CRL" 815 $openssl_bin crl -in $crl_file -fingerprint 816 check_exit_status $? 817 818 crl_p7=$ca_dir/crl.p7 819 start_message "crl2pkcs7 ... convert CRL to pkcs7" 820 $openssl_bin crl2pkcs7 -in $crl_file -certfile $ca_cert -out $crl_p7 821 check_exit_status $? 822 823 #---------#---------#---------#---------#---------#---------#--------- 824 825 # --- server-admin operations (check csr, verify cert, certhash) --- 826 section_message "server-admin operations (check csr, verify cert, certhash)" 827 828 start_message "asn1parse ... parse server csr#1" 829 $openssl_bin asn1parse -in $server_csr -i -dlimit 100 -length 1000 \ 830 -strparse 01 > $server_csr.asn1parse.out 831 check_exit_status $? 832 833 start_message "verify ... server cert#1" 834 $openssl_bin verify -verbose -CAfile $ca_cert -CRLfile $crl_file \ 835 -crl_check -issuer_checks -purpose sslserver $server_cert 836 check_exit_status $? 837 838 start_message "x509 ... get detail info about server cert#1" 839 $openssl_bin x509 -in $server_cert -text -C -dates -startdate -enddate \ 840 -fingerprint -issuer -issuer_hash -issuer_hash_old \ 841 -subject -hash -subject_hash -subject_hash_old -ocsp_uri \ 842 -ocspid -modulus -pubkey -serial -email -noout -trustout \ 843 -alias -clrtrust -clrreject -next_serial -checkend 3600 \ 844 -nameopt multiline -certopt compatible > $server_cert.x509.out 845 check_exit_status $? 846 847 if [ $mingw = 0 ] ; then 848 start_message "certhash" 849 $openssl_bin certhash -v $server_dir 850 check_exit_status $? 851 fi 852 853 # self signed 854 start_message "x509 ... generate self signed server cert" 855 server_self_cert=$server_dir/server_self_cert.pem 856 $openssl_bin x509 -in $server_cert -signkey $server_key -keyform pem \ 857 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \ 858 -passin pass:$server_pass -out $server_self_cert -days 1 859 check_exit_status $? 860 861 #---------#---------#---------#---------#---------#---------#--------- 862 863 # --- Netscape SPKAC operations --- 864 section_message "Netscape SPKAC operations" 865 866 # server-admin generates SPKAC 867 868 start_message "spkac" 869 spkacfile=$server_dir/spkac.file 870 871 $openssl_bin spkac -key $genpkey_rsa -challenge hello -out $spkacfile 872 check_exit_status $? 873 874 $openssl_bin spkac -in $spkacfile -verify -out $spkacfile.out 875 check_exit_status $? 876 877 spkacreq=$server_dir/spkac.req 878 cat << __EOF__ > $spkacreq 879countryName = JP 880stateOrProvinceName = Tokyo 881organizationName = TEST_DUMMY_COMPANY 882commonName = spkac.test_dummy.com 883__EOF__ 884 cat $spkacfile >> $spkacreq 885 886 # CA signs SPKAC 887 start_message "ca ... CA signs SPKAC csr" 888 spkaccert=$server_dir/spkac.cert 889 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 890 -spkac $spkacreq -out $spkaccert 891 check_exit_status $? 892 893 start_message "x509 ... convert DER format SPKAC cert to PEM" 894 spkacpem=$server_dir/spkac.pem 895 $openssl_bin x509 -in $spkaccert -inform DER -out $spkacpem -outform PEM 896 check_exit_status $? 897 898 # server-admin cert verify 899 900 start_message "nseq" 901 $openssl_bin nseq -in $spkacpem -toseq -out $spkacpem.nseq 902 check_exit_status $? 903 904 #---------#---------#---------#---------#---------#---------#--------- 905 906 # --- user1 operations (generate user1 key and csr) --- 907 section_message "user1 operations (generate user1 key and csr)" 908 909 # trust 910 start_message "x509 ... trust testCA cert" 911 user1_trust=$user1_dir/user1_trust_ca.pem 912 $openssl_bin x509 -in $ca_cert -addtrust clientAuth \ 913 -setalias "trusted testCA" -purpose -out $user1_trust 914 check_exit_status $? 915 916 start_message "req ... generate private key and csr for user1" 917 918 user1_key=$user1_dir/user1_key.pem 919 user1_csr=$user1_dir/user1_csr.pem 920 user1_pass=test-user1-pass 921 922 if [ $mingw = 0 ] ; then 923 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user1.test_dummy.com/' 924 else 925 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user1.test_dummy.com\' 926 fi 927 928 $openssl_bin req -new -keyout $user1_key -out $user1_csr \ 929 -passout pass:$user1_pass -subj $subj 930 check_exit_status $? 931 932 #---------#---------#---------#---------#---------#---------#--------- 933 934 # --- CA operations (issue cert for user1) --- 935 section_message "CA operations (issue cert for user1)" 936 937 start_message "ca ... issue cert for user1" 938 939 user1_cert=$user1_dir/user1_cert.pem 940 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ 941 -in $user1_csr -out $user1_cert 942 check_exit_status $? 943} 944 945function test_tsa { 946 # --- TSA operations --- 947 section_message "TSA operations" 948 949 tsa_dat=$user1_dir/tsa.dat 950 cat << __EOF__ > $tsa_dat 951Hello Bob, 952Sincerely yours 953Alice 954__EOF__ 955 956 # Query 957 start_message "ts ... create time stamp request" 958 959 tsa_tsq=$user1_dir/tsa.tsq 960 961 $openssl_bin ts -query -sha1 -data $tsa_dat -no_nonce -out $tsa_tsq 962 check_exit_status $? 963 964 start_message "ts ... print time stamp request" 965 966 $openssl_bin ts -query -in $tsa_tsq -text 967 check_exit_status $? 968 969 # Reply 970 start_message "ts ... create time stamp response for a request" 971 972 tsa_tsr=$user1_dir/tsa.tsr 973 974 $openssl_bin ts -reply -queryfile $tsa_tsq -inkey $tsa_key \ 975 -passin pass:$tsa_pass -signer $tsa_cert -chain $ca_cert \ 976 -config $ssldir/openssl.cnf -section tsa_config1 -cert \ 977 -policy 1.3.6.1.4.1.4146.2.3 -out $tsa_tsr 978 check_exit_status $? 979 980 # Verify 981 start_message "ts ... verify time stamp response" 982 983 $openssl_bin ts -verify -queryfile $tsa_tsq -in $tsa_tsr \ 984 -CAfile $ca_cert -untrusted $tsa_cert 985 check_exit_status $? 986} 987 988function test_cms { 989 # --- CMS operations --- 990 section_message "CMS operations" 991 992 cms_txt=$user1_dir/cms.txt 993 cms_sig=$user1_dir/cms.sig 994 cms_enc=$user1_dir/cms.enc 995 cms_dec=$user1_dir/cms.dec 996 cms_sgr=$user1_dir/cms.sgr 997 cms_ver=$user1_dir/cms.ver 998 cms_out=$user1_dir/cms.out 999 cms_dct=$user1_dir/cms.dct 1000 cms_dot=$user1_dir/cms.dot 1001 cms_dgc=$user1_dir/cms.dgc 1002 cms_dgv=$user1_dir/cms.dgv 1003 cms_ede=$user1_dir/cms.ede 1004 cms_edd=$user1_dir/cms.edd 1005 cms_srp=$user1_dir/cms.srp 1006 cms_pwe=$user1_dir/cms.pwe 1007 cms_pwd=$user1_dir/cms.pwd 1008 1009 cat << __EOF__ > $cms_txt 1010Hello Bob, 1011Sincerely yours 1012Alice 1013__EOF__ 1014 1015 # sign 1016 start_message "cms ... sign to message" 1017 1018 $openssl_bin cms -sign -in $cms_txt -text \ 1019 -out $cms_sig -outform smime \ 1020 -signer $user1_cert -inkey $user1_key -keyform pem \ 1021 -keyopt rsa_padding_mode:pss \ 1022 -passin pass:$user1_pass -md sha256 \ 1023 -from user1@test_dummy.com -to server@test_dummy.com \ 1024 -subject "test openssl cms" \ 1025 -receipt_request_from server@test_dummy.com \ 1026 -receipt_request_to user1@test_dummy.com 1027 check_exit_status $? 1028 1029 # encrypt 1030 start_message "cms ... encrypt message" 1031 1032 $openssl_bin cms -encrypt -aes256 -binary -in $cms_sig -inform smime \ 1033 -recip $server_cert -keyopt rsa_padding_mode:oaep \ 1034 -out $cms_enc 1035 check_exit_status $? 1036 1037 # decrypt 1038 start_message "cms ... decrypt message" 1039 1040 $openssl_bin cms -decrypt -in $cms_enc -out $cms_dec \ 1041 -recip $server_cert -inkey $server_key -passin pass:$server_pass 1042 check_exit_status $? 1043 1044 # verify 1045 start_message "cms ... verify message" 1046 1047 $openssl_bin cms -verify -in $cms_dec \ 1048 -CAfile $ca_cert -certfile $user1_cert -nointern \ 1049 -check_ss_sig -issuer_checks -policy_check -x509_strict \ 1050 -signer $cms_sgr -text -out $cms_ver -receipt_request_print 1051 check_exit_status $? 1052 1053 diff -b $cms_ver $cms_txt 1054 check_exit_status $? 1055 1056 # cmsout 1057 start_message "cms ... cmsout" 1058 1059 $openssl_bin cms -cmsout -in $cms_enc -print -out $cms_out 1060 check_exit_status $? 1061 1062 # data_create 1063 start_message "cms ... data_create" 1064 1065 $openssl_bin cms -data_create -in $cms_enc -out $cms_dct 1066 check_exit_status $? 1067 1068 # data_out 1069 start_message "cms ... data_out" 1070 1071 $openssl_bin cms -data_out -in $cms_dct -out $cms_dot 1072 check_exit_status $? 1073 1074 # digest_create 1075 start_message "cms ... digest_create" 1076 1077 $openssl_bin cms -digest_create -in $cms_txt -md sha256 -out $cms_dgc 1078 check_exit_status $? 1079 1080 # digest_verify 1081 start_message "cms ... digest_verify" 1082 1083 $openssl_bin cms -digest_verify -in $cms_dgc -md sha256 -out $cms_dgv 1084 check_exit_status $? 1085 1086 diff -b $cms_dgv $cms_txt 1087 check_exit_status $? 1088 1089 # compress 1090 1091 # uncompress 1092 1093 # EncryptedData_encrypt 1094 start_message "cms ... EncryptedData_encrypt" 1095 1096 $openssl_bin cms -EncryptedData_encrypt -in $cms_sig -out $cms_ede \ 1097 -aes128 -secretkey 00112233445566778899aabbccddeeff 1098 check_exit_status $? 1099 1100 # EncryptedData_decrypt 1101 start_message "cms ... EncryptedData_decrypt" 1102 1103 $openssl_bin cms -EncryptedData_decrypt -in $cms_ede -out $cms_edd \ 1104 -aes128 -secretkey 00112233445566778899aabbccddeeff 1105 check_exit_status $? 1106 1107 diff -b $cms_edd $cms_sig 1108 check_exit_status $? 1109 1110 # sign_receipt 1111 start_message "cms ... sign to receipt" 1112 1113 $openssl_bin cms -sign_receipt -in $cms_sig -out $cms_srp \ 1114 -signer $server_cert -inkey $server_key \ 1115 -passin pass:$server_pass -md sha256 1116 check_exit_status $? 1117 1118 # verify_receipt 1119 start_message "cms ... verify receipt" 1120 1121 $openssl_bin cms -verify_receipt $cms_srp -rctform smime -in $cms_sig \ 1122 -CAfile $ca_cert -certfile $server_cert 1123 check_exit_status $? 1124 1125 # encrypt with pwri 1126 start_message "cms ... encrypt with pwri" 1127 1128 $openssl_bin cms -encrypt -camellia256 -in $cms_txt -out $cms_pwe \ 1129 -pwri_password abcdefg 1130 check_exit_status $? 1131 1132 # decrypt with pwri 1133 start_message "cms ... decrypt with pwri" 1134 1135 $openssl_bin cms -decrypt -camellia256 -in $cms_pwe -out $cms_pwd \ 1136 -pwri_password abcdefg 1137 check_exit_status $? 1138 1139 diff -b $cms_pwd $cms_txt 1140 check_exit_status $? 1141} 1142 1143function test_smime { 1144 # --- S/MIME operations --- 1145 section_message "S/MIME operations" 1146 1147 smime_txt=$user1_dir/smime.txt 1148 smime_enc=$user1_dir/smime.enc 1149 smime_sig=$user1_dir/smime.sig 1150 smime_p7o=$user1_dir/smime.p7o 1151 smime_sgr=$user1_dir/smime.sgr 1152 smime_ver=$user1_dir/smime.ver 1153 smime_dec=$user1_dir/smime.dec 1154 1155 cat << __EOF__ > $smime_txt 1156Hello Bob, 1157Sincerely yours 1158Alice 1159__EOF__ 1160 1161 # encrypt 1162 start_message "smime ... encrypt message" 1163 1164 $openssl_bin smime -encrypt -aes256 -binary -in $smime_txt \ 1165 -out $smime_enc $server_cert 1166 check_exit_status $? 1167 1168 # sign 1169 start_message "smime ... sign to message" 1170 1171 $openssl_bin smime -sign -in $smime_enc -text -inform smime \ 1172 -out $smime_sig -outform smime \ 1173 -signer $user1_cert -inkey $user1_key -keyform pem \ 1174 -passin pass:$user1_pass -md sha256 \ 1175 -from user1@test_dummy.com -to server@test_dummy.com \ 1176 -subject "test openssl smime" 1177 check_exit_status $? 1178 1179 # pk7out 1180 start_message "smime ... pk7out from message" 1181 1182 $openssl_bin smime -pk7out -in $smime_sig -out $smime_p7o 1183 check_exit_status $? 1184 1185 # verify 1186 start_message "smime ... verify message" 1187 1188 $openssl_bin smime -verify -in $smime_sig \ 1189 -CAfile $ca_cert -certfile $user1_cert -nointern \ 1190 -check_ss_sig -issuer_checks -policy_check -x509_strict \ 1191 -signer $smime_sgr -text -out $smime_ver 1192 check_exit_status $? 1193 1194 # decrypt 1195 start_message "smime ... decrypt message" 1196 1197 $openssl_bin smime -decrypt -in $smime_ver -out $smime_dec \ 1198 -recip $server_cert -inkey $server_key -passin pass:$server_pass 1199 check_exit_status $? 1200 1201 diff $smime_dec $smime_txt 1202 check_exit_status $? 1203} 1204 1205function test_ocsp { 1206 # --- OCSP operations --- 1207 section_message "OCSP operations" 1208 1209 # get key without pass 1210 user1_key_nopass=$user1_dir/user1_key_nopass.pem 1211 $openssl_bin pkey -in $user1_key -passin pass:$user1_pass \ 1212 -out $user1_key_nopass 1213 check_exit_status $? 1214 1215 # request 1216 start_message "ocsp ... create OCSP request" 1217 1218 ocsp_req=$user1_dir/ocsp_req.der 1219 $openssl_bin ocsp -issuer $ca_cert -cert $server_cert \ 1220 -cert $revoke_cert -serial 1 -nonce -no_certs -CAfile $ca_cert \ 1221 -signer $user1_cert -signkey $user1_key_nopass \ 1222 -sign_other $user1_cert -sha256 \ 1223 -reqout $ocsp_req -req_text -out $ocsp_req.out 1224 check_exit_status $? 1225 1226 # response 1227 start_message "ocsp ... create OCPS response for a request" 1228 1229 ocsp_res=$user1_dir/ocsp_res.der 1230 $openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert \ 1231 -CAfile $ca_cert -rsigner $ocsp_cert -rkey $ocsp_key \ 1232 -reqin $ocsp_req -rother $ocsp_cert -resp_no_certs -noverify \ 1233 -nmin 60 -validity_period 300 -status_age 300 \ 1234 -respout $ocsp_res -resp_text -out $ocsp_res.out 1235 check_exit_status $? 1236 1237 # ocsp server 1238 start_message "ocsp ... start OCSP server in background" 1239 1240 ocsp_port=8888 1241 1242 ocsp_svr_log=$user1_dir/ocsp_svr.log 1243 $openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert \ 1244 -CAfile $ca_cert -rsigner $ocsp_cert -rkey $ocsp_key \ 1245 -host localhost -port $ocsp_port -path / -ndays 1 -nrequest 1 \ 1246 -resp_key_id -text -out $ocsp_svr_log & 1247 check_exit_status $? 1248 ocsp_svr_pid=$! 1249 echo "ocsp server pid = [ $ocsp_svr_pid ]" 1250 sleep 1 1251 1252 # send query to ocsp server 1253 start_message "ocsp ... send OCSP request to server" 1254 1255 ocsp_qry=$user1_dir/ocsp_qry.der 1256 $openssl_bin ocsp -issuer $ca_cert -cert $server_cert \ 1257 -cert $revoke_cert -CAfile $ca_cert -no_nonce \ 1258 -url http://localhost:$ocsp_port -timeout 10 -text \ 1259 -header Host localhost \ 1260 -respout $ocsp_qry -out $ocsp_qry.out 1261 check_exit_status $? 1262 1263 # verify response from server 1264 start_message "ocsp ... verify OCSP response from server" 1265 1266 $openssl_bin ocsp -respin $ocsp_qry -CAfile $ca_cert \ 1267 -ignore_err -no_signature_verify -no_cert_verify -no_chain \ 1268 -no_cert_checks -no_explicit -trust_other -no_intern \ 1269 -verify_other $ocsp_cert -VAfile $ocsp_cert 1270 check_exit_status $? 1271} 1272 1273function test_pkcs { 1274 # --- PKCS operations --- 1275 section_message "PKCS operations" 1276 1277 pkcs_pass=test-pkcs-pass 1278 1279 start_message "pkcs7 ... output certs in crl(pkcs7)" 1280 $openssl_bin pkcs7 -in $crl_p7 -print_certs -text -out $crl_p7.out 1281 check_exit_status $? 1282 1283 start_message "pkcs8 ... convert key to pkcs8" 1284 $openssl_bin pkcs8 -in $user1_key -topk8 -out $user1_key.p8 \ 1285 -passin pass:$user1_pass -passout pass:$user1_pass \ 1286 -v1 pbeWithSHA1AndDES-CBC -v2 des3 1287 check_exit_status $? 1288 1289 start_message "pkcs8 ... convert pkcs8 to key in DER format" 1290 $openssl_bin pkcs8 -in $user1_key.p8 -passin pass:$user1_pass \ 1291 -outform DER -out $user1_key.p8.der 1292 check_exit_status $? 1293 1294 start_message "pkcs12 ... create" 1295 $openssl_bin pkcs12 -export -in $server_cert -inkey $server_key \ 1296 -passin pass:$server_pass -certfile $ca_cert -CAfile $ca_cert \ 1297 -caname "caname_server_p12" \ 1298 -certpbe AES-256-CBC -keypbe AES-256-CBC -chain \ 1299 -name "name_server_p12" -des3 -maciter -macalg sha256 \ 1300 -CSP "csp_server_p12" -LMK -keyex \ 1301 -passout pass:$pkcs_pass -out $server_cert.p12 1302 check_exit_status $? 1303 1304 start_message "pkcs12 ... verify" 1305 $openssl_bin pkcs12 -in $server_cert.p12 -passin pass:$pkcs_pass -info \ 1306 -noout 1307 check_exit_status $? 1308 1309 start_message "pkcs12 ... private key to PEM without encryption" 1310 $openssl_bin pkcs12 -in $server_cert.p12 -password pass:$pkcs_pass \ 1311 -nocerts -nomacver -nodes -out $server_cert.p12.pem 1312 check_exit_status $? 1313} 1314 1315function test_sc_by_protocol_version { 1316 cid=$1 1317 ver=$2 1318 msg=$3 1319 1320 s_client_out=$user1_dir/s_client_${sc}_${ver}.out 1321 1322 start_message "s_client ... connect to TLS/SSL test server by $ver" 1323 sleep $test_pause_sec 1324 $c_bin s_client -connect $host:$port -CAfile $ca_cert \ 1325 -$ver -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 1326 check_exit_status $? 1327 1328 # OpenSSL1.1.1 with TLSv1.3 does not call SSL_SESSION_print() until 1329 # NewSessionTicket arrival 1330 if ! [ $cid = "1" -a $ver = "tls1_3" ] ; then 1331 grep "$msg" $s_client_out > /dev/null 1332 check_exit_status $? 1333 fi 1334 1335 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null 1336 check_exit_status $? 1337} 1338 1339function test_sc_all_cipher { 1340 sc=$1 1341 ver=$2 1342 1343 copt=cipher 1344 ciphers=$user1_dir/ciphers_${sc}_${ver} 1345 1346 if [ $ver = "tls1_3" ] ; then 1347 if [ $c_id = "0" ] ; then 1348 echo "AEAD-AES256-GCM-SHA384" > $ciphers 1349 echo "AEAD-CHACHA20-POLY1305-SHA256" >> $ciphers 1350 echo "AEAD-AES128-GCM-SHA256" >> $ciphers 1351 else 1352 echo "TLS_AES_256_GCM_SHA384" > $ciphers 1353 echo "TLS_CHACHA20_POLY1305_SHA256" >> $ciphers 1354 echo "TLS_AES_128_GCM_SHA256" >> $ciphers 1355 copt=ciphersuites 1356 fi 1357 else 1358 s_ciph=$server_dir/s_ciph_${sc}_${ver} 1359 cipher_string="" 1360 if [ $s_id = "0" ] ; then 1361 if [ $ecdsa_tests = 0 ] ; then 1362 cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3" 1363 else 1364 cipher_string="ECDSA+TLSv1.2:!TLSv1.3" 1365 fi 1366 fi 1367 $s_bin ciphers -v $cipher_string | awk '{print $1}' > $s_ciph 1368 1369 c_ciph=$user1_dir/c_ciph_${sc}_${ver} 1370 cipher_string="" 1371 if [ $c_id = "0" ] ; then 1372 if [ $ecdsa_tests = 0 ] ; then 1373 cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3" 1374 else 1375 cipher_string="ECDSA+TLSv1.2:!TLSv1.3" 1376 fi 1377 fi 1378 $c_bin ciphers -v $cipher_string | awk '{print $1}' > $c_ciph 1379 1380 grep -x -f $s_ciph $c_ciph | sort -R > $ciphers 1381 fi 1382 1383 cnum=0 1384 for c in `cat $ciphers` ; do 1385 cnum=`expr $cnum + 1` 1386 cnstr=`printf %03d $cnum` 1387 s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_${cnstr}_${c}.out 1388 1389 start_message "s_client ... connect to TLS/SSL test server with [ $cnstr ] $ver $c" 1390 sleep $test_pause_sec 1391 $c_bin s_client -connect $host:$port -CAfile $ca_cert \ 1392 -$ver -$copt $c \ 1393 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 1394 check_exit_status $? 1395 1396 grep "Cipher is $c" $s_client_out > /dev/null 1397 check_exit_status $? 1398 1399 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null 1400 check_exit_status $? 1401 done 1402} 1403 1404function test_sc_session_reuse { 1405 sc=$1 1406 ver=$2 1407 sess_dat=$user1_dir/s_client_${sc}_${ver}_sess.dat 1408 1409 # Get session ticket to reuse 1410 1411 s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_reuse_1.out 1412 1413 start_message "s_client ... connect to TLS/SSL test server to get session id $ver" 1414 sleep $test_pause_sec 1415 $c_bin s_client -connect $host:$port -CAfile $ca_cert \ 1416 -$ver -alpn "spdy/3,http/1.1" -sess_out $sess_dat \ 1417 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 1418 check_exit_status $? 1419 1420 grep '^New, TLS.*$' $s_client_out > /dev/null 1421 check_exit_status $? 1422 1423 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null 1424 check_exit_status $? 1425 1426 # Reuse session ticket 1427 1428 s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_reuse_2.out 1429 1430 start_message "s_client ... connect to TLS/SSL test server reusing session id $ver" 1431 sleep $test_pause_sec 1432 $c_bin s_client -connect $host:$port -CAfile $ca_cert \ 1433 -$ver -sess_in $sess_dat \ 1434 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 1435 check_exit_status $? 1436 1437 grep '^Reused, TLS.*$' $s_client_out > /dev/null 1438 check_exit_status $? 1439 1440 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null 1441 check_exit_status $? 1442 1443 # sess_id 1444 1445 start_message "sess_id" 1446 $c_bin sess_id -in $sess_dat -text -out $sess_dat.out 1447 check_exit_status $? 1448} 1449 1450function test_sc_verify { 1451 sc=$1 1452 ver=$2 1453 1454 # invalid verification pattern 1455 1456 s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_invalid.out 1457 1458 start_message "s_client ... connect to tls/ssl test server but verify error $ver" 1459 sleep $test_pause_sec 1460 $c_bin s_client -connect $host:$port -CAfile $ca_cert \ 1461 -$ver -showcerts -crl_check -issuer_checks -policy_check \ 1462 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 1463 check_exit_status $? 1464 1465 grep 'verify return code: 0 (ok)' $s_client_out > /dev/null 1466 if [ $? -eq 0 ] ; then 1467 check_exit_status 1 1468 else 1469 check_exit_status 0 1470 fi 1471} 1472 1473function test_server_client { 1474 # --- client/server operations (TLS) --- 1475 section_message "client/server operations (TLS)" 1476 1477 s_id="$1" 1478 c_id="$2" 1479 sc="$1$2" 1480 1481 test_pause_sec=0.2 1482 1483 if [ $s_id = "0" ] ; then 1484 s_bin=$openssl_bin 1485 else 1486 s_bin=$other_openssl_bin 1487 fi 1488 1489 if [ $c_id = "0" ] ; then 1490 c_bin=$openssl_bin 1491 else 1492 c_bin=$other_openssl_bin 1493 fi 1494 1495 echo "s_server is [`$s_bin version`]" 1496 echo "s_client is [`$c_bin version`]" 1497 1498 host="localhost" 1499 port=4433 1500 s_server_out=$server_dir/s_server_${sc}_tls.out 1501 1502 if [ $ecdsa_tests = 0 ] ; then 1503 echo "Using RSA certificate" 1504 crt=$server_cert 1505 key=$server_key 1506 pwd=$server_pass 1507 else 1508 echo "Using ECDSA certificate" 1509 crt=$ecdsa_cert 1510 key=$ecdsa_key 1511 pwd=$ecdsa_pass 1512 fi 1513 1514 $s_bin version | grep 'OpenSSL 1.1.1' > /dev/null 1515 if [ $? -eq 0 ] ; then 1516 extra_opts="-4" 1517 else 1518 extra_opts="" 1519 fi 1520 1521 start_message "s_server ... start TLS/SSL test server" 1522 $s_bin s_server -accept $port -CAfile $ca_cert \ 1523 -cert $crt -key $key -pass pass:$pwd \ 1524 -context "appstest.sh" -id_prefix "APPSTEST.SH" -crl_check \ 1525 -alpn "http/1.1,spdy/3" -www -cipher ALL $extra_opts \ 1526 -msg -tlsextdebug > $s_server_out 2>&1 & 1527 check_exit_status $? 1528 s_server_pid=$! 1529 echo "s_server pid = [ $s_server_pid ]" 1530 sleep 1 1531 1532 # test by protocol version 1533 test_sc_by_protocol_version $c_id tls1 'Protocol : TLSv1$' 1534 test_sc_by_protocol_version $c_id tls1_1 'Protocol : TLSv1\.1$' 1535 test_sc_by_protocol_version $c_id tls1_2 'Protocol : TLSv1\.2$' 1536 test_sc_by_protocol_version $c_id tls1_3 'Protocol : TLSv1\.3$' 1537 1538 # all available ciphers with random order 1539 test_sc_all_cipher $sc tls1_2 1540 test_sc_all_cipher $sc tls1_3 1541 1542 # session resumption 1543 test_sc_session_reuse $sc tls1_2 1544 1545 # invalid verification pattern 1546 test_sc_verify $sc tls1_2 1547 test_sc_verify $sc tls1_3 1548 1549 # s_time 1550 start_message "s_time ... connect to TLS/SSL test server" 1551 $c_bin s_time -connect $host:$port -CApath $ca_dir -time 2 1552 check_exit_status $? 1553 1554 stop_s_server 1555} 1556 1557function test_speed { 1558 # === PERFORMANCE === 1559 section_message "PERFORMANCE" 1560 1561 if [ $no_long_tests = 0 ] ; then 1562 start_message "speed" 1563 $openssl_bin speed sha512 rsa2048 -multi 2 -elapsed 1564 check_exit_status $? 1565 else 1566 start_message "SKIPPING speed (quick mode)" 1567 fi 1568} 1569 1570function test_version { 1571 # --- VERSION INFORMATION --- 1572 section_message "VERSION INFORMATION" 1573 1574 start_message "version" 1575 $openssl_bin version -a 1576 check_exit_status $? 1577} 1578 1579#---------#---------#---------#---------#---------#---------#---------#--------- 1580 1581openssl_bin=${OPENSSL:-/usr/bin/openssl} 1582other_openssl_bin=${OTHER_OPENSSL:-/usr/local/bin/eopenssl11} 1583 1584ecdsa_tests=0 1585interop_tests=0 1586no_long_tests=0 1587 1588while [ "$1" != "" ]; do 1589 case $1 in 1590 -e | --ecdsa) 1591 shift 1592 ecdsa_tests=1 1593 ;; 1594 -i | --interop) shift 1595 interop_tests=1 1596 ;; 1597 -q | --quick ) shift 1598 no_long_tests=1 1599 ;; 1600 * ) usage 1601 exit 1 1602 esac 1603done 1604 1605if [ ! -x $openssl_bin ] ; then 1606 echo ":-< \$OPENSSL [$openssl_bin] is not executable." 1607 exit 1 1608fi 1609 1610if [ $interop_tests = 1 -a ! -x $other_openssl_bin ] ; then 1611 echo ":-< \$OTHER_OPENSSL [$other_openssl_bin] is not executable." 1612 exit 1 1613fi 1614 1615# 1616# create ssldir, and all files generated by this script goes under this dir. 1617# 1618ssldir="appstest_dir" 1619 1620if [ -d $ssldir ] ; then 1621 echo "directory [ $ssldir ] exists, this script deletes this directory ..." 1622 /bin/rm -rf $ssldir 1623fi 1624 1625mkdir -p $ssldir 1626 1627ca_dir=$ssldir/testCA 1628tsa_dir=$ssldir/testTSA 1629ocsp_dir=$ssldir/testOCSP 1630server_dir=$ssldir/server 1631user1_dir=$ssldir/user1 1632mkdir -p $user1_dir 1633key_dir=$ssldir/key 1634mkdir -p $key_dir 1635 1636export OPENSSL_CONF=$ssldir/openssl.cnf 1637touch $OPENSSL_CONF 1638 1639uname_s=`uname -s | grep 'MINGW'` 1640if [ "$uname_s" = "" ] ; then 1641 mingw=0 1642else 1643 mingw=1 1644fi 1645 1646# 1647# process tests 1648# 1649test_usage_lists_others 1650test_md 1651test_encoding_cipher 1652test_key 1653test_pki 1654test_tsa 1655test_cms 1656test_smime 1657test_ocsp 1658test_pkcs 1659test_server_client 0 0 1660if [ $interop_tests = 1 ] ; then 1661 test_server_client 0 1 1662 test_server_client 1 0 1663fi 1664test_speed 1665test_version 1666 1667section_message "END" 1668 1669exit 0 1670 1671