appstest.sh revision 1.6
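#!/bin/sh
#
# appstest.sh - test script for openssl command according to man OPENSSL(1)
#
# input  : none (optional flag -q / --quick skips the long-running tests)
# output : all files generated by this script go under $ssldir
#
# environment:
#   OPENSSL - path of the openssl binary to exercise (default /usr/bin/openssl)
#
# Every test step reports its result through check_exit_status; the first
# failing step terminates the whole run with that step's exit status.
# The script is plain POSIX sh (no bash-only constructs).
#

openssl_bin=${OPENSSL:-/usr/bin/openssl}

# MINGW needs a different spelling of the -subj argument (see the req
# calls further down), so detect it once from the kernel name.
uname_s=$(uname -s | grep 'MINGW')
if [ "$uname_s" = "" ] ; then
  mingw=0
else
  mingw=1
fi

# Prints a section banner with a timestamp.
# $1 - section title
section_message() {
  echo ""
  echo "#---------#---------#---------#---------#---------#---------#---------#--------"
  echo "==="
  echo "=== (Section) $1 $(date +'%Y/%m/%d %H:%M:%S')"
  echo "==="
}

# Prints the header line of a single test step.
# $1 - test description
start_message() {
  echo ""
  echo "[TEST] $1"
}

# Checks the exit status of the previous test step.
# $1 - exit status to check (normally "$?")
# Prints a success line when the status is 0; otherwise prints the status
# and terminates the script with it, so later steps never run on a
# half-built state.
check_exit_status() {
  status=$1
  if [ "$status" -ne 0 ] ; then
    echo ":-< error occurs, exit status = [ $status ]"
    exit "$status"
  else
    echo ":-) success. "
  fi
}

# Kills any test server this script left running in the background
# (OCSP responder, s_server) so that a run aborted by check_exit_status
# does not keep the test ports occupied for the next run.  Installed as
# the EXIT trap below; the pid variables are only set once those servers
# have been started.
cleanup_servers() {
  for pid in ${ocsp_svr_pid:-} ${s_server_pid:-} ; do
    kill "$pid" 2> /dev/null
  done
}
trap cleanup_servers EXIT

usage() {
  echo "usage: appstest.sh [-q]"
}

no_long_tests=0

while [ "$1" != "" ]; do
  case "$1" in
    -q | --quick )
      shift
      no_long_tests=1
      ;;
    * )
      usage
      exit 1
      ;;
  esac
done

#---------#---------#---------#---------#---------#---------#---------#---------

#
# create ssldir, and all files generated by this script goes under this dir.
#
ssldir="appstest_dir"

if [ -d "$ssldir" ] ; then
  echo "directory [ $ssldir ] exists, this script deletes this directory ..."
  # ${ssldir:?} refuses to run if the name were ever empty (rm -rf "")
  /bin/rm -rf "${ssldir:?}"
fi

mkdir -p "$ssldir"

# Point openssl at a config file owned by this script.  It starts empty;
# the "setup local CA" section later writes the test configuration into it.
export OPENSSL_CONF="$ssldir/openssl.cnf"
touch "$OPENSSL_CONF"

user1_dir=$ssldir/user1
mkdir -p "$user1_dir"

key_dir=$ssldir/key
mkdir -p "$key_dir"

#---------#---------#---------#---------#---------#---------#---------#---------

# === COMMAND USAGE ===
section_message "COMMAND USAGE"

start_message "output usages of all commands."

# -help is written to stderr, so that is what gets collected.
cmds=$("$openssl_bin" list-standard-commands)
"$openssl_bin" -help 2>> "$user1_dir/usages.out"
# $cmds is split on purpose: one sub-command per word.
for c in $cmds ; do
  "$openssl_bin" "$c" -help 2>> "$user1_dir/usages.out"
done

start_message "check all list-* commands."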
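lists=""
lists="$lists list-standard-commands"
lists="$lists list-message-digest-commands list-message-digest-algorithms"
lists="$lists list-cipher-commands list-cipher-algorithms"
lists="$lists list-public-key-algorithms"

listsfile=$user1_dir/lists.out

# $lists is split on purpose: one list-* sub-command per word.
# The output of every list command is appended to $listsfile, and each
# command must succeed for this step to pass.
for l in $lists ; do
  echo "" >> "$listsfile"
  echo "$l" >> "$listsfile"
  "$openssl_bin" "$l" >> "$listsfile"
  check_exit_status $?
done

start_message "check interactive mode"
"$openssl_bin" <<__EOF__
help
quit
__EOF__
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- listing operations ---
section_message "listing operations"

start_message "ciphers"
"$openssl_bin" ciphers -V
check_exit_status $?

start_message "errstr"
"$openssl_bin" errstr 2606A074
check_exit_status $?
"$openssl_bin" errstr -stats 2606A074 > "$user1_dir/errstr-stats.out"
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- random number etc. operations ---
section_message "random number etc. operations"

start_message "passwd"

pass="test-pass-1234"

# The password is handed over on stdin (-stdin); the exit status checked
# below is that of the openssl stage of the pipeline.
printf '%s\n' "$pass" | "$openssl_bin" passwd -stdin -1
check_exit_status $?

printf '%s\n' "$pass" | "$openssl_bin" passwd -stdin -apr1
check_exit_status $?

printf '%s\n' "$pass" | "$openssl_bin" passwd -stdin -crypt
check_exit_status $?

start_message "prime"

"$openssl_bin" prime 1
check_exit_status $?

"$openssl_bin" prime 2
check_exit_status $?

"$openssl_bin" prime -bits 64 -checks 3 -generate -hex -safe 5
check_exit_status $?

start_message "rand"

"$openssl_bin" rand -base64 100
check_exit_status $?

"$openssl_bin" rand -hex 100
check_exit_status $?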
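#---------#---------#---------#---------#---------#---------#---------#---------

# === MESSAGE DIGEST COMMANDS ===
section_message "MESSAGE DIGEST COMMANDS"

start_message "dgst - See [MESSAGE DIGEST COMMANDS] section."

text="1234567890abcdefghijklmnopqrstuvwxyz"
dgstdat=$user1_dir/dgst.dat
printf '%s\n' "$text" > "$dgstdat"
hmac_key="test-hmac-key"
# 32 hex digits = 16 bytes, the key size of the aes-128-cbc CMAC below
cmac_key="1234567890abcde1234567890abcde12"

digests=$("$openssl_bin" list-message-digest-commands)

# $digests is split on purpose: one digest command per word.
# For every digest: plain digest, HMAC, and CMAC of the same input file.
for d in $digests ; do

  printf '%s' "$d ... "
  "$openssl_bin" dgst "-$d" -out "$dgstdat.$d" "$dgstdat"
  check_exit_status $?

  printf '%s' "$d HMAC ... "
  "$openssl_bin" dgst "-$d" -hmac "$hmac_key" -out "$dgstdat.$d.hmac" "$dgstdat"
  check_exit_status $?

  printf '%s' "$d CMAC ... "
  "$openssl_bin" dgst "-$d" -mac cmac -macopt cipher:aes-128-cbc -macopt "hexkey:$cmac_key" \
    -out "$dgstdat.$d.cmac" "$dgstdat"
  check_exit_status $?
done

#---------#---------#---------#---------#---------#---------#---------#---------

# === ENCODING AND CIPHER COMMANDS ===
section_message "ENCODING AND CIPHER COMMANDS"

start_message "enc - See [ENCODING AND CIPHER COMMANDS] section."

text="1234567890abcdefghijklmnopqrstuvwxyz"
encfile=$user1_dir/encfile.dat
printf '%s\n' "$text" > "$encfile"
pass="test-pass-1234"

ciphers=$("$openssl_bin" list-cipher-commands)

# $ciphers is split on purpose: one cipher command per word.
# Round trip per cipher: encrypt (base64 armoured) -> decrypt -> cmp with the input.
for c in $ciphers ; do
  printf '%s' "$c ... encoding ... "
  "$openssl_bin" enc "-$c" -e -base64 -pass "pass:$pass" -in "$encfile" -out "$encfile-$c.enc"
  check_exit_status $?

  printf '%s' "decoding ... "
  "$openssl_bin" enc "-$c" -d -base64 -pass "pass:$pass" -in "$encfile-$c.enc" -out "$encfile-$c.dec"
  check_exit_status $?

  printf '%s' "cmp ... "
  cmp "$encfile" "$encfile-$c.dec"
  check_exit_status $?
done

#---------#---------#---------#---------#---------#---------#---------#---------

# === various KEY operations ===
section_message "various KEY operations"

key_pass=test-key-pass

# DH

start_message "gendh - Obsoleted by dhparam."
gendh2=$key_dir/gendh2.pem
"$openssl_bin" gendh -2 -out "$gendh2"
check_exit_status $?

start_message "dh - Obsoleted by dhparam."
"$openssl_bin" dh -in "$gendh2" -check -text -out "$gendh2.out"
check_exit_status $?

# dhparam is one of the long tests; skipped with -q / --quick.
if [ "$no_long_tests" = 0 ] ; then
  start_message "dhparam - Superseded by genpkey and pkeyparam."
  dhparam2=$key_dir/dhparam2.pem
  "$openssl_bin" dhparam -2 -out "$dhparam2"
  check_exit_status $?
  "$openssl_bin" dhparam -in "$dhparam2" -check -text -out "$dhparam2.out"
  check_exit_status $?
else
  start_message "SKIPPING dhparam - Superseded by genpkey and pkeyparam. (quick mode)"
fi

# DSA

start_message "dsaparam - Superseded by genpkey and pkeyparam."
dsaparam512=$key_dir/dsaparam512.pem
"$openssl_bin" dsaparam -genkey -out "$dsaparam512" 512
check_exit_status $?

start_message "dsa"
"$openssl_bin" dsa -in "$dsaparam512" -text -out "$dsaparam512.out"
check_exit_status $?

start_message "gendsa - Superseded by genpkey and pkey."
gendsa_des3=$key_dir/gendsa_des3.pem
"$openssl_bin" gendsa -des3 -out "$gendsa_des3" -passout "pass:$key_pass" "$dsaparam512"
check_exit_status $?

# RSA

start_message "genrsa - Superseded by genpkey."
genrsa_aes256=$key_dir/genrsa_aes256.pem
"$openssl_bin" genrsa -f4 -aes256 -out "$genrsa_aes256" -passout "pass:$key_pass" 2048
check_exit_status $?

start_message "rsa"
"$openssl_bin" rsa -in "$genrsa_aes256" -passin "pass:$key_pass" -check -text -out "$genrsa_aes256.out"
check_exit_status $?

start_message "rsautl - Superseded by pkeyutl."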
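rsautldat=$key_dir/rsautl.dat
rsautlsig=$key_dir/rsautl.sig
echo "abcdefghijklmnopqrstuvwxyz1234567890" > "$rsautldat"

"$openssl_bin" rsautl -sign -in "$rsautldat" -inkey "$genrsa_aes256" -passin "pass:$key_pass" -out "$rsautlsig"
check_exit_status $?

"$openssl_bin" rsautl -verify -in "$rsautlsig" -inkey "$genrsa_aes256" -passin "pass:$key_pass"
check_exit_status $?

# EC

start_message "ecparam -list-curves"
"$openssl_bin" ecparam -list_curves
check_exit_status $?

# get all EC curves: the part before ':' of every "name: description"
# line printed by -list_curves
ec_curves=$("$openssl_bin" ecparam -list_curves | grep ':' | cut -d ':' -f 1)

start_message "ecparam and ec"

# $ec_curves is split on purpose: one curve name per word.
for curve in $ec_curves ; do
  ecparam=$key_dir/ecparam_$curve.pem

  printf '%s' "ec - $curve ... ecparam ... "
  "$openssl_bin" ecparam -out "$ecparam" -name "$curve" -genkey -param_enc explicit \
    -conv_form compressed -C
  check_exit_status $?

  printf '%s' "ec ... "
  # stderr is deliberately discarded here; only the exit status is checked
  "$openssl_bin" ec -in "$ecparam" -text -out "$ecparam.out" 2> /dev/null
  check_exit_status $?
done

# PKEY

start_message "genpkey"

# DH by GENPKEY

genpkey_dh_param=$key_dir/genpkey_dh_param.pem
"$openssl_bin" genpkey -genparam -algorithm DH -out "$genpkey_dh_param" \
  -pkeyopt dh_paramgen_prime_len:1024
check_exit_status $?

genpkey_dh=$key_dir/genpkey_dh.pem
"$openssl_bin" genpkey -paramfile "$genpkey_dh_param" -out "$genpkey_dh"
check_exit_status $?

# DSA by GENPKEY

genpkey_dsa_param=$key_dir/genpkey_dsa_param.pem
"$openssl_bin" genpkey -genparam -algorithm DSA -out "$genpkey_dsa_param" \
  -pkeyopt dsa_paramgen_bits:1024
check_exit_status $?

genpkey_dsa=$key_dir/genpkey_dsa.pem
"$openssl_bin" genpkey -paramfile "$genpkey_dsa_param" -out "$genpkey_dsa"
check_exit_status $?

# RSA by GENPKEY

genpkey_rsa=$key_dir/genpkey_rsa.pem
"$openssl_bin" genpkey -algorithm RSA -out "$genpkey_rsa" \
  -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3
check_exit_status $?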
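# EC by GENPKEY

genpkey_ec_param=$key_dir/genpkey_ec_param.pem
"$openssl_bin" genpkey -genparam -algorithm EC -out "$genpkey_ec_param" \
  -pkeyopt ec_paramgen_curve:secp384r1
check_exit_status $?

genpkey_ec=$key_dir/genpkey_ec.pem
"$openssl_bin" genpkey -paramfile "$genpkey_ec_param" -out "$genpkey_ec"
check_exit_status $?

# pkeyparam: dump every parameter file generated above
start_message "pkeyparam"

"$openssl_bin" pkeyparam -in "$genpkey_dh_param" -text -out "$genpkey_dh_param.out"
check_exit_status $?

"$openssl_bin" pkeyparam -in "$genpkey_dsa_param" -text -out "$genpkey_dsa_param.out"
check_exit_status $?

"$openssl_bin" pkeyparam -in "$genpkey_ec_param" -text -out "$genpkey_ec_param.out"
check_exit_status $?

# pkey: dump every key generated above
start_message "pkey"

"$openssl_bin" pkey -in "$genpkey_dh" -text -out "$genpkey_dh.out"
check_exit_status $?

"$openssl_bin" pkey -in "$genpkey_dsa" -text -out "$genpkey_dsa.out"
check_exit_status $?

"$openssl_bin" pkey -in "$genpkey_rsa" -text -out "$genpkey_rsa.out"
check_exit_status $?

"$openssl_bin" pkey -in "$genpkey_ec" -text -out "$genpkey_ec.out"
check_exit_status $?

# pkeyutl: sign with the genpkey RSA key, then verify and recover the signed data
start_message "pkeyutl"

pkeyutldat=$key_dir/pkeyutl.dat
pkeyutlsig=$key_dir/pkeyutl.sig
echo "abcdefghijklmnopqrstuvwxyz1234567890" > "$pkeyutldat"

"$openssl_bin" pkeyutl -sign -in "$pkeyutldat" -inkey "$genpkey_rsa" -out "$pkeyutlsig"
check_exit_status $?

"$openssl_bin" pkeyutl -verify -in "$pkeyutldat" -sigfile "$pkeyutlsig" -inkey "$genpkey_rsa"
check_exit_status $?

"$openssl_bin" pkeyutl -verifyrecover -in "$pkeyutlsig" -inkey "$genpkey_rsa"
check_exit_status $?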
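#---------#---------#---------#---------#---------#---------#---------#---------

section_message "setup local CA"

#
# prepare test openssl.cnf
#

ca_dir=$ssldir/testCA
tsa_dir=$ssldir/testTSA
ocsp_dir=$ssldir/testOCSP
server_dir=$ssldir/server

# The config is written into $OPENSSL_CONF (exported at the top of the
# script).  "dir" entries are relative to the directory the script is
# run from, so the script must not chdir afterwards.  "\$dir" stays a
# literal $dir for the config parser; the shell expands only $ca_dir and
# $tsa_dir.
cat << __EOF__ > "$ssldir/openssl.cnf"
oid_section = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./$ca_dir
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_days = 1
default_md = default
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name
countryName_default = JP
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name
stateOrProvinceName_default = Tokyo
organizationName = Organization Name
organizationName_default = TEST_DUMMY_COMPANY
commonName = Common Name
[ tsa ]
default_tsa = tsa_config1
[ tsa_config1 ]
dir = ./$tsa_dir
serial = \$dir/serial
crypto_device = builtin
digests = sha1, sha256, sha384, sha512
default_policy = tsa_policy1
other_policies = tsa_policy2, tsa_policy3
[ tsa_ext ]
keyUsage = critical,nonRepudiation
extendedKeyUsage = critical,timeStamping
[ ocsp_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage = OCSPSigning
__EOF__

#---------#---------#---------#---------#---------#---------#---------#---------

#
# setup test CA
#

mkdir -p "$ca_dir"
mkdir -p "$tsa_dir"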
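mkdir -p "$ocsp_dir"
mkdir -p "$server_dir"

# layout expected by the [ CA_default ] section of the test openssl.cnf
mkdir -p "$ca_dir/certs"
mkdir -p "$ca_dir/private"
mkdir -p "$ca_dir/crl"
mkdir -p "$ca_dir/newcerts"
chmod 700 "$ca_dir/private"
echo "01" > "$ca_dir/serial"
touch "$ca_dir/index.txt"
echo "01" > "$ca_dir/crlnumber"

#
# setup test TSA
#
mkdir -p "$tsa_dir/private"
chmod 700 "$tsa_dir/private"
echo "01" > "$tsa_dir/serial"
touch "$tsa_dir/index.txt"

#
# setup test OCSP
#
mkdir -p "$ocsp_dir/private"
chmod 700 "$ocsp_dir/private"

#---------#---------#---------#---------#---------#---------#---------#---------

# --- CA initiate (generate CA key and cert) ---

start_message "req ... generate CA key and self signed cert"

ca_cert=$ca_dir/ca_cert.pem
ca_key=$ca_dir/private/ca_key.pem
ca_pass=test-ca-pass

# MINGW takes the alternative "//...\" spelling of -subj (presumably
# because of its handling of leading slashes - kept as found).
if [ "$mingw" = 0 ] ; then
  subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testCA.test_dummy.com/'
else
  subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testCA.test_dummy.com\'
fi

"$openssl_bin" req -new -x509 -newkey rsa:2048 -out "$ca_cert" -keyout "$ca_key" \
  -days 1 -passout "pass:$ca_pass" -batch -subj "$subj"
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- TSA initiate (generate TSA key and cert) ---

start_message "req ... generate TSA key and cert"

# generate CSR for TSA

tsa_csr=$tsa_dir/tsa_csr.pem
tsa_key=$tsa_dir/private/tsa_key.pem
tsa_pass=test-tsa-pass

if [ "$mingw" = 0 ] ; then
  subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testTSA.test_dummy.com/'
else
  subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testTSA.test_dummy.com\'
fi

"$openssl_bin" req -new -keyout "$tsa_key" -out "$tsa_csr" -passout "pass:$tsa_pass" -subj "$subj"
check_exit_status $?

start_message "ca ... sign by CA with TSA extensions"

tsa_cert=$tsa_dir/tsa_cert.pem

# -key is the CA private key password; -extensions selects [ tsa_ext ]
"$openssl_bin" ca -batch -cert "$ca_cert" -keyfile "$ca_key" -key "$ca_pass" \
  -in "$tsa_csr" -out "$tsa_cert" -extensions tsa_ext
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- OCSP initiate (generate OCSP key and cert) ---

start_message "req ... generate OCSP key and cert"

# generate CSR for OCSP

ocsp_csr=$ocsp_dir/ocsp_csr.pem
ocsp_key=$ocsp_dir/private/ocsp_key.pem

if [ "$mingw" = 0 ] ; then
  subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testOCSP.test_dummy.com/'
else
  subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testOCSP.test_dummy.com\'
fi

# -nodes: the responder key is stored unencrypted (it is used without a password later)
"$openssl_bin" req -new -keyout "$ocsp_key" -nodes -out "$ocsp_csr" -subj "$subj"
check_exit_status $?

start_message "ca ... sign by CA with OCSP extensions"

ocsp_cert=$ocsp_dir/ocsp_cert.pem

"$openssl_bin" ca -batch -cert "$ca_cert" -keyfile "$ca_key" -key "$ca_pass" \
  -in "$ocsp_csr" -out "$ocsp_cert" -extensions ocsp_ext
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- server-admin operations (generate server key and csr) ---
section_message "server-admin operations (generate server key and csr)"

start_message "req ... generate server csr#1"

server_key=$server_dir/server_key.pem
server_csr=$server_dir/server_csr.pem
server_pass=test-server-pass

if [ "$mingw" = 0 ] ; then
  subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=localhost.test_dummy.com/'
else
  subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=localhost.test_dummy.com\'
fi

"$openssl_bin" req -new -keyout "$server_key" -out "$server_csr" -passout "pass:$server_pass" -subj "$subj"
check_exit_status $?

start_message "req ... generate server csr#2 (interactive mode)"

revoke_key=$server_dir/revoke_key.pem
revoke_csr=$server_dir/revoke_csr.pem
revoke_pass=test-revoke-pass

# Answers to the prompts of [ req_distinguished_name ] in the test
# openssl.cnf, in order: countryName, stateOrProvinceName,
# organizationName, commonName.
"$openssl_bin" req -new -keyout "$revoke_key" -out "$revoke_csr" -passout "pass:$revoke_pass" <<__EOF__
JP
Tokyo
TEST_DUMMY_COMPANY
revoke.test_dummy.com
__EOF__
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- CA operations (issue cert for server) ---
section_message "CA operations (issue cert for server)"

start_message "ca ... issue cert for server csr#1"

server_cert=$server_dir/server_cert.pem
"$openssl_bin" ca -batch -cert "$ca_cert" -keyfile "$ca_key" -key "$ca_pass" \
  -in "$server_csr" -out "$server_cert"
check_exit_status $?

start_message "x509 ... issue cert for server csr#2"

# csr#2 is signed with x509 -req instead of ca, so it is not recorded in
# the CA database; it is the certificate revoked in the next section.
revoke_cert=$server_dir/revoke_cert.pem
"$openssl_bin" x509 -req -in "$revoke_csr" -CA "$ca_cert" -CAkey "$ca_key" -passin "pass:$ca_pass" \
  -CAcreateserial -out "$revoke_cert"
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- CA operations (revoke cert and generate crl) ---
section_message "CA operations (revoke cert and generate crl)"

start_message "ca ... revoke server cert#2"
crl_file=$ca_dir/crl.pem
"$openssl_bin" ca -gencrl -out "$crl_file" -crldays 30 -revoke "$revoke_cert" \
  -keyfile "$ca_key" -passin "pass:$ca_pass" -cert "$ca_cert"
check_exit_status $?

start_message "crl ... CA generates CRL"
"$openssl_bin" crl -in "$crl_file" -fingerprint
check_exit_status $?

crl_p7=$ca_dir/crl.p7
start_message "crl2pkcs7 ... convert CRL to pkcs7"
"$openssl_bin" crl2pkcs7 -in "$crl_file" -certfile "$ca_cert" -out "$crl_p7"
check_exit_status $?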
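#---------#---------#---------#---------#---------#---------#---------#---------

# --- server-admin operations (check csr, verify cert, certhash) ---
section_message "server-admin operations (check csr, verify cert, certhash)"

start_message "asn1parse ... parse server csr#1"
"$openssl_bin" asn1parse -in "$server_csr" -i \
  -dlimit 100 -length 1000 -strparse 01 > "$server_csr.asn1parse.out"
check_exit_status $?

start_message "verify ... server cert#1"
"$openssl_bin" verify -verbose -CAfile "$ca_cert" "$server_cert"
check_exit_status $?

start_message "x509 ... get detail info about server cert#1"
"$openssl_bin" x509 -in "$server_cert" -text -C -dates -startdate -enddate \
  -fingerprint -issuer -issuer_hash -issuer_hash_old \
  -subject -subject_hash -subject_hash_old -ocsp_uri -ocspid -modulus \
  -pubkey -serial -email > "$server_cert.x509.out"
check_exit_status $?

# certhash is not exercised on MINGW
if [ "$mingw" = 0 ] ; then
  start_message "certhash"
  "$openssl_bin" certhash -v "$server_dir"
  check_exit_status $?
fi

# self signed
start_message "x509 ... generate self signed server cert"
server_self_cert=$server_dir/server_self_cert.pem
"$openssl_bin" x509 -in "$server_cert" -signkey "$server_key" -passin "pass:$server_pass" -out "$server_self_cert"
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- Netscape SPKAC operations ---
section_message "Netscape SPKAC operations"

# server-admin generates SPKAC

start_message "spkac"
spkacfile=$server_dir/spkac.file

"$openssl_bin" spkac -key "$genpkey_rsa" -challenge hello -out "$spkacfile"
check_exit_status $?

"$openssl_bin" spkac -in "$spkacfile" -verify -out "$spkacfile.out"
check_exit_status $?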
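# SPKAC request file for "ca -spkac": the DN attributes followed by the
# SPKAC block generated above.
spkacreq=$server_dir/spkac.req
cat << __EOF__ > "$spkacreq"
countryName = JP
stateOrProvinceName = Tokyo
organizationName = TEST_DUMMY_COMPANY
commonName = spkac.test_dummy.com
__EOF__
cat "$spkacfile" >> "$spkacreq"

# CA signs SPKAC
start_message "ca ... CA signs SPKAC csr"
spkaccert=$server_dir/spkac.cert
"$openssl_bin" ca -batch -cert "$ca_cert" -keyfile "$ca_key" -key "$ca_pass" \
  -spkac "$spkacreq" -out "$spkaccert"
check_exit_status $?

start_message "x509 ... convert DER format SPKAC cert to PEM"
spkacpem=$server_dir/spkac.pem
"$openssl_bin" x509 -in "$spkaccert" -inform DER -out "$spkacpem" -outform PEM
check_exit_status $?

# server-admin cert verify

start_message "nseq"
"$openssl_bin" nseq -in "$spkacpem" -toseq -out "$spkacpem.nseq"
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- user1 operations (generate user1 key and csr) ---
section_message "user1 operations (generate user1 key and csr)"

# trust
start_message "x509 ... trust testCA cert"
user1_trust=$user1_dir/user1_trust_ca.pem
"$openssl_bin" x509 -in "$ca_cert" -addtrust clientAuth -setalias "trusted testCA" -purpose -out "$user1_trust"
check_exit_status $?

start_message "req ... generate private key and csr for user1"

user1_key=$user1_dir/user1_key.pem
user1_csr=$user1_dir/user1_csr.pem
user1_pass=test-user1-pass

if [ "$mingw" = 0 ] ; then
  subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user1.test_dummy.com/'
else
  subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user1.test_dummy.com\'
fi

"$openssl_bin" req -new -keyout "$user1_key" -out "$user1_csr" -passout "pass:$user1_pass" -subj "$subj"
check_exit_status $?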
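#---------#---------#---------#---------#---------#---------#---------#---------

# --- CA operations (issue cert for user1) ---
section_message "CA operations (issue cert for user1)"

start_message "ca ... issue cert for user1"

user1_cert=$user1_dir/user1_cert.pem
"$openssl_bin" ca -batch -cert "$ca_cert" -keyfile "$ca_key" -key "$ca_pass" \
  -in "$user1_csr" -out "$user1_cert"
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- TSA operations ---
section_message "TSA operations"

tsa_dat=$user1_dir/tsa.dat
cat << __EOF__ > "$tsa_dat"
Hello Bob,
Sincerely yours
Alice
__EOF__

# Query
start_message "ts ... create time stamp request"

tsa_tsq=$user1_dir/tsa.tsq

"$openssl_bin" ts -query -sha1 -data "$tsa_dat" -no_nonce -out "$tsa_tsq"
check_exit_status $?

start_message "ts ... print time stamp request"

"$openssl_bin" ts -query -in "$tsa_tsq" -text
check_exit_status $?

# Reply
start_message "ts ... create time stamp response for a request"

tsa_tsr=$user1_dir/tsa.tsr

"$openssl_bin" ts -reply -queryfile "$tsa_tsq" -inkey "$tsa_key" -passin "pass:$tsa_pass" \
  -signer "$tsa_cert" -chain "$ca_cert" -out "$tsa_tsr"
check_exit_status $?

# Verify
start_message "ts ... verify time stamp response"

"$openssl_bin" ts -verify -queryfile "$tsa_tsq" -in "$tsa_tsr" -CAfile "$ca_cert" -untrusted "$tsa_cert"
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- S/MIME operations ---
section_message "S/MIME operations"

smime_txt=$user1_dir/smime.txt
smime_msg=$user1_dir/smime.msg
smime_ver=$user1_dir/smime.ver

cat << __EOF__ > "$smime_txt"
Hello Bob,
Sincerely yours
Alice
__EOF__

# sign
start_message "smime ... sign to message"

"$openssl_bin" smime -sign -in "$smime_txt" -text -out "$smime_msg" \
  -signer "$user1_cert" -inkey "$user1_key" -passin "pass:$user1_pass"
check_exit_status $?

# verify
start_message "smime ... verify message"

"$openssl_bin" smime -verify -in "$smime_msg" -signer "$user1_cert" -CAfile "$ca_cert" -out "$smime_ver"
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- OCSP operations ---
section_message "OCSP operations"

# request: status of server cert#1 (issued by ca) and cert#2 (revoked)
start_message "ocsp ... create OCSP request"

ocsp_req=$user1_dir/ocsp_req.der
"$openssl_bin" ocsp -issuer "$ca_cert" -cert "$server_cert" -cert "$revoke_cert" \
  -CAfile "$ca_cert" -reqout "$ocsp_req"
check_exit_status $?

# response (answered offline from the CA database)
start_message "ocsp ... create OCSP response for a request"

ocsp_res=$user1_dir/ocsp_res.der
"$openssl_bin" ocsp -index "$ca_dir/index.txt" -CA "$ca_cert" -CAfile "$ca_cert" \
  -rsigner "$ocsp_cert" -rkey "$ocsp_key" -reqin "$ocsp_req" -respout "$ocsp_res" -text > "$ocsp_res.out" 2>&1
check_exit_status $?

# ocsp server
start_message "ocsp ... start OCSP server in background"

ocsp_port=8888

# -nrequest 1: the responder serves exactly one request and then exits.
"$openssl_bin" ocsp -index "$ca_dir/index.txt" -CA "$ca_cert" -CAfile "$ca_cert" \
  -rsigner "$ocsp_cert" -rkey "$ocsp_key" -port "*:$ocsp_port" -nrequest 1 &
ocsp_svr_pid=$!
echo "ocsp server pid = [ $ocsp_svr_pid ]"
# give the responder a moment to bind the port before querying it
sleep 1
# "$?" of a backgrounded command is always 0, so the start-up check is
# whether the responder is still alive after the grace period.
kill -0 "$ocsp_svr_pid" 2> /dev/null
check_exit_status $?

# send query to ocsp server
start_message "ocsp ... send OCSP request to server"

ocsp_qry=$user1_dir/ocsp_qry.der
"$openssl_bin" ocsp -issuer "$ca_cert" -cert "$server_cert" -cert "$revoke_cert" \
  -CAfile "$ca_cert" -url "http://localhost:$ocsp_port" -resp_text -respout "$ocsp_qry" > "$ocsp_qry.out" 2>&1
check_exit_status $?

# the responder exits after that one request (-nrequest 1); reap it
wait "$ocsp_svr_pid"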
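#---------#---------#---------#---------#---------#---------#---------#---------

# --- PKCS operations ---
section_message "PKCS operations"

pkcs_pass=test-pkcs-pass

start_message "pkcs7 ... output certs in crl(pkcs7)"
"$openssl_bin" pkcs7 -in "$crl_p7" -print_certs -text -out "$crl_p7.out"
check_exit_status $?

start_message "pkcs8 ... convert key to pkcs8"
"$openssl_bin" pkcs8 -in "$user1_key" -topk8 -out "$user1_key.p8" \
  -passin "pass:$user1_pass" -passout "pass:$user1_pass" -v1 pbeWithSHA1AndDES-CBC -v2 des3
check_exit_status $?

start_message "pkcs8 ... convert pkcs8 to key in DER format"
"$openssl_bin" pkcs8 -in "$user1_key.p8" -passin "pass:$user1_pass" -outform DER -out "$user1_key.p8.der"
check_exit_status $?

start_message "pkcs12 ... create"
"$openssl_bin" pkcs12 -export -in "$server_cert" -inkey "$server_key" -passin "pass:$server_pass" \
  -certfile "$ca_cert" -CAfile "$ca_cert" -caname "server_p12" -passout "pass:$pkcs_pass" \
  -certpbe AES-256-CBC -keypbe AES-256-CBC -chain -out "$server_cert.p12"
check_exit_status $?

start_message "pkcs12 ... verify"
"$openssl_bin" pkcs12 -in "$server_cert.p12" -passin "pass:$pkcs_pass" -info -noout
check_exit_status $?

start_message "pkcs12 ... to PEM"
"$openssl_bin" pkcs12 -in "$server_cert.p12" -passin "pass:$pkcs_pass" \
  -passout "pass:$pkcs_pass" -out "$server_cert.p12.pem"
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

# --- client/server operations ---
section_message "client/server operations"

host="localhost"
port=4433
sess_dat=$user1_dir/s_client_sess.dat
s_server_out=$server_dir/s_server.out
s_client_1_out=$user1_dir/s_client_1.out
s_client_2_out=$user1_dir/s_client_2.out
s_client_3_out=$user1_dir/s_client_3.out

start_message "s_server ... start SSL/TLS test server"
# The server keeps running (-www) until it is killed at the end of the
# script; all of its output goes to $s_server_out.
"$openssl_bin" s_server -accept "$port" -CAfile "$ca_cert" \
  -cert "$server_cert" -key "$server_key" -pass "pass:$server_pass" \
  -context "appstest.sh" -id_prefix "APPSTEST.SH" \
  -crl_check -no_ssl2 -no_ssl3 -no_tls1 \
  -nextprotoneg "http/1.1,spdy/3" -alpn "http/1.1,spdy/3" -www \
  -msg -tlsextdebug > "$s_server_out" 2>&1 &
s_server_pid=$!
echo "s_server pid = [ $s_server_pid ]"
# give the server a moment to bind the port before connecting
sleep 1
# "$?" of a backgrounded command is always 0, so the start-up check is
# whether the server is still alive after the grace period.
kill -0 "$s_server_pid" 2> /dev/null
check_exit_status $?

# connection #1: full handshake, session saved to $sess_dat
start_message "s_client ... connect to SSL/TLS test server"
"$openssl_bin" s_client -connect "$host:$port" -CAfile "$ca_cert" -pause -prexit \
  -nextprotoneg "spdy/3,http/1.1" -alpn "spdy/3,http/1.1" \
  -sess_out "$sess_dat" \
  -msg -tlsextdebug < /dev/null > "$s_client_1_out" 2>&1
check_exit_status $?

grep 'New, TLSv1/SSLv3' "$s_client_1_out" > /dev/null
check_exit_status $?

grep 'Verify return code: 0 (ok)' "$s_client_1_out" > /dev/null
check_exit_status $?

# connection #2: resumes the session saved by connection #1
start_message "s_client ... connect to SSL/TLS test server reusing session id"
"$openssl_bin" s_client -connect "$host:$port" -CAfile "$ca_cert" -pause -prexit \
  -sess_in "$sess_dat" \
  -msg -tlsextdebug < /dev/null > "$s_client_2_out" 2>&1
check_exit_status $?

grep 'Reused, TLSv1/SSLv3' "$s_client_2_out" > /dev/null
check_exit_status $?

grep 'Verify return code: 0 (ok)' "$s_client_2_out" > /dev/null
check_exit_status $?

# connection #3: extra verification checks; the expected outcome is the
# "invalid CA certificate" verify code grepped for below, not success.
start_message "s_client ... connect to SSL/TLS test server but verify error"
"$openssl_bin" s_client -connect "$host:$port" -CAfile "$ca_cert" -pause -prexit \
  -showcerts -crl_check -issuer_checks -policy_check \
  -msg -tlsextdebug < /dev/null > "$s_client_3_out" 2>&1
check_exit_status $?

grep 'Verify return code: 24 (invalid CA certificate)' "$s_client_3_out" > /dev/null
check_exit_status $?

start_message "s_time ... connect to SSL/TLS test server"
"$openssl_bin" s_time -connect "$host:$port" -CAfile "$ca_cert" -time 2
check_exit_status $?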
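start_message "sess_id"
"$openssl_bin" sess_id -in "$sess_dat" -text -out "$sess_dat.out"
check_exit_status $?

# stop the test server started in the client/server section and reap it
sleep 1
kill -TERM "$s_server_pid"
wait "$s_server_pid"

#---------#---------#---------#---------#---------#---------#---------#---------

# === PERFORMANCE ===
section_message "PERFORMANCE"

# speed is one of the long tests; skipped with -q / --quick.
if [ "$no_long_tests" = 0 ] ; then
  start_message "speed"
  "$openssl_bin" speed sha512 rsa2048 -multi 2 -elapsed
  check_exit_status $?
else
  start_message "SKIPPING speed (quick mode)"
fi

#---------#---------#---------#---------#---------#---------#---------#---------

# --- VERSION INFORMATION ---
section_message "VERSION INFORMATION"

start_message "version"
"$openssl_bin" version -a
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------

section_message "END"

exit 0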