OLD | NEW |
(Empty) | |
| 1 $! |
| 2 $! A few very basic tests for the 'ts' time stamping authority command. |
| 3 $! |
| 4 $ |
| 5 $ __arch = "VAX" |
| 6 $ if f$getsyi("cpu") .ge. 128 then - |
| 7 __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE") |
| 8 $ if __arch .eqs. "" then __arch = "UNK" |
| 9 $! |
| 10 $ if (p4 .eqs. "64") then __arch = __arch+ "_64" |
| 11 $! |
| 12 $ exe_dir = "sys$disk:[-.''__arch'.exe.apps]" |
| 13 $ |
| 14 $ openssl = "mcr ''f$parse(exe_dir+"openssl.exe")'" |
| 15 $ OPENSSL_CONF = "[-]CAtsa.cnf" |
| 16 $ ! Because that's what ../apps/CA.sh really looks at |
| 17 $ SSLEAY_CONFIG = "-config " + OPENSSL_CONF |
| 18 $ |
| 19 $ error: |
| 20 $ subroutine |
| 21 $ write sys$error "TSA test failed!" |
| 22 $ exit 3 |
| 23 $ endsubroutine |
| 24 $ |
| 25 $ setup_dir: |
| 26 $ subroutine |
| 27 $ |
| 28 $ if f$search("tsa.dir") .nes "" |
| 29 $ then |
| 30 $ @[-.util]deltree [.tsa]*.* |
| 31 $ set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;* |
| 32 $ delete tsa.dir;* |
| 33 $ endif |
| 34 $ |
| 35 $ create/dir [.tsa] |
| 36 $ set default [.tsa] |
| 37 $ endsubroutine |
| 38 $ |
| 39 $ clean_up_dir: |
| 40 $ subroutine |
| 41 $ |
| 42 $ set default [-] |
| 43 $ @[-.util]deltree [.tsa]*.* |
| 44 $ set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;* |
| 45 $ delete tsa.dir;* |
| 46 $ endsubroutine |
| 47 $ |
| 48 $ create_ca: |
| 49 $ subroutine |
| 50 $ |
| 51 $ write sys$output "Creating a new CA for the TSA tests..." |
| 52 $ TSDNSECT = "ts_ca_dn" |
| 53 $ openssl req -new -x509 -nodes - |
| 54 -out tsaca.pem -keyout tsacakey.pem |
| 55 $ if $severity .ne. 1 then call error |
| 56 $ endsubroutine |
| 57 $ |
| 58 $ create_tsa_cert: |
| 59 $ subroutine |
| 60 $ |
| 61 $ INDEX=p1 |
| 62 $ EXT=p2 |
| 63 $ TSDNSECT = "ts_cert_dn" |
| 64 $ |
| 65 $ openssl req -new - |
| 66 -out tsa_req'INDEX'.pem -keyout tsa_key'INDEX'.pem |
| 67 $ if $severity .ne. 1 then call error |
| 68 $ |
| 69 $ write sys$output "Using extension ''EXT'" |
| 70 $ openssl x509 -req - |
| 71 -in tsa_req'INDEX'.pem -out tsa_cert'INDEX'.pem - |
| 72 "-CA" tsaca.pem "-CAkey" tsacakey.pem "-CAcreateserial"
- |
| 73 -extfile 'OPENSSL_CONF' -extensions "''EXT'" |
| 74 $ if $severity .ne. 1 then call error |
| 75 $ endsubroutine |
| 76 $ |
| 77 $ print_request: |
| 78 $ subroutine |
| 79 $ |
| 80 $ openssl ts -query -in 'p1' -text |
| 81 $ endsubroutine |
| 82 $ |
| 83 $ create_time_stamp_request1: subroutine |
| 84 $ |
| 85 $ openssl ts -query -data [-]testtsa.com -policy tsa_policy1 - |
| 86 -cert -out req1.tsq |
| 87 $ if $severity .ne. 1 then call error |
| 88 $ endsubroutine |
| 89 $ |
| 90 $ create_time_stamp_request2: subroutine |
| 91 $ |
| 92 $ openssl ts -query -data [-]testtsa.com -policy tsa_policy2 - |
| 93 -no_nonce -out req2.tsq |
| 94 $ if $severity .ne. 1 then call error |
| 95 $ endsubroutine |
| 96 $ |
| 97 $ create_time_stamp_request3: subroutine |
| 98 $ |
| 99 $ openssl ts -query -data [-]CAtsa.cnf -no_nonce -out req3.tsq |
| 100 $ if $severity .ne. 1 then call error |
| 101 $ endsubroutine |
| 102 $ |
| 103 $ print_response: |
| 104 $ subroutine |
| 105 $ |
| 106 $ openssl ts -reply -in 'p1' -text |
| 107 $ if $severity .ne. 1 then call error |
| 108 $ endsubroutine |
| 109 $ |
| 110 $ create_time_stamp_response: |
| 111 $ subroutine |
| 112 $ |
| 113 $ openssl ts -reply -section 'p3' -queryfile 'p1' -out 'p2' |
| 114 $ if $severity .ne. 1 then call error |
| 115 $ endsubroutine |
| 116 $ |
| 117 $ time_stamp_response_token_test: |
| 118 $ subroutine |
| 119 $ |
| 120 $ RESPONSE2 = p2+ "-copy_tsr" |
| 121 $ TOKEN_DER = p2+ "-token_der" |
| 122 $ openssl ts -reply -in 'p2' -out 'TOKEN_DER' -token_out |
| 123 $ if $severity .ne. 1 then call error |
| 124 $ openssl ts -reply -in 'TOKEN_DER' -token_in -out 'RESPONSE2' |
| 125 $ if $severity .ne. 1 then call error |
| 126 $ backup/compare 'RESPONSE2' 'p2' |
| 127 $ if $severity .ne. 1 then call error |
| 128 $ openssl ts -reply -in 'p2' -text -token_out |
| 129 $ if $severity .ne. 1 then call error |
| 130 $ openssl ts -reply -in 'TOKEN_DER' -token_in -text -token_out |
| 131 $ if $severity .ne. 1 then call error |
| 132 $ openssl ts -reply -queryfile 'p1' -text -token_out |
| 133 $ if $severity .ne. 1 then call error |
| 134 $ endsubroutine |
| 135 $ |
| 136 $ verify_time_stamp_response: |
| 137 $ subroutine |
| 138 $ |
| 139 $ openssl ts -verify -queryfile 'p1' -in 'p2' - |
| 140 "-CAfile" tsaca.pem -untrusted tsa_cert1.pem |
| 141 $ if $severity .ne. 1 then call error |
| 142 $ openssl ts -verify -data 'p3' -in 'p2' - |
| 143 "-CAfile" tsaca.pem -untrusted tsa_cert1.pem |
| 144 $ if $severity .ne. 1 then call error |
| 145 $ endsubroutine |
| 146 $ |
| 147 $ verify_time_stamp_token: |
| 148 $ subroutine |
| 149 $ |
| 150 $ ! create the token from the response first |
| 151 $ openssl ts -reply -in "''p2'" -out "''p2'-token" -token_out |
| 152 $ if $severity .ne. 1 then call error |
| 153 $ openssl ts -verify -queryfile "''p1'" -in "''p2'-token" - |
| 154 -token_in "-CAfile" tsaca.pem -untrusted tsa_cert1.pem |
| 155 $ if $severity .ne. 1 then call error |
| 156 $ openssl ts -verify -data "''p3'" -in "''p2'-token" - |
| 157 -token_in "-CAfile" tsaca.pem -untrusted tsa_cert1.pem |
| 158 $ if $severity .ne. 1 then call error |
| 159 $ endsubroutine |
| 160 $ |
| 161 $ verify_time_stamp_response_fail: |
| 162 $ subroutine |
| 163 $ |
| 164 $ openssl ts -verify -queryfile 'p1' -in 'p2' - |
| 165 "-CAfile" tsaca.pem -untrusted tsa_cert1.pem |
| 166 $ ! Checks if the verification failed, as it should have. |
| 167 $ if $severity .eq. 1 then call error |
| 168 $ write sys$output "Ok" |
| 169 $ endsubroutine |
| 170 $ |
| 171 $ ! Main body ---------------------------------------------------------- |
| 172 $ |
| 173 $ set noon |
| 174 $ |
| 175 $ write sys$output "Setting up TSA test directory..." |
| 176 $ call setup_dir |
| 177 $ |
| 178 $ write sys$output "Creating CA for TSA tests..." |
| 179 $ call create_ca |
| 180 $ |
| 181 $ write sys$output "Creating tsa_cert1.pem TSA server cert..." |
| 182 $ call create_tsa_cert 1 "tsa_cert" |
| 183 $ |
| 184 $ write sys$output "Creating tsa_cert2.pem non-TSA server cert..." |
| 185 $ call create_tsa_cert 2 "non_tsa_cert" |
| 186 $ |
| 187 $ write sys$output "Creating req1.req time stamp request for file testtsa.
.." |
| 188 $ call create_time_stamp_request1 |
| 189 $ |
| 190 $ write sys$output "Printing req1.req..." |
| 191 $ call print_request "req1.tsq" |
| 192 $ |
| 193 $ write sys$output "Generating valid response for req1.req..." |
| 194 $ call create_time_stamp_response "req1.tsq" "resp1.tsr" "tsa_config1" |
| 195 $ |
| 196 $ write sys$output "Printing response..." |
| 197 $ call print_response "resp1.tsr" |
| 198 $ |
| 199 $ write sys$output "Verifying valid response..." |
| 200 $ call verify_time_stamp_response "req1.tsq" "resp1.tsr" "[-]testtsa.com" |
| 201 $ |
| 202 $ write sys$output "Verifying valid token..." |
| 203 $ call verify_time_stamp_token "req1.tsq" "resp1.tsr" "[-]testtsa.com" |
| 204 $ |
| 205 $ ! The tests below are commented out, because invalid signer certificates |
| 206 $ ! can no longer be specified in the config file. |
| 207 $ |
| 208 $ ! write sys$output "Generating _invalid_ response for req1.req..." |
| 209 $ ! call create_time_stamp_response "req1.tsq" "resp1_bad.tsr" "tsa_config
2" |
| 210 $ |
| 211 $ ! write sys$output "Printing response..." |
| 212 $ ! call print_response "resp1_bad.tsr" |
| 213 $ |
| 214 $ ! write sys$output "Verifying invalid response, it should fail..." |
| 215 $ ! call verify_time_stamp_response_fail "req1.tsq" "resp1_bad.tsr" |
| 216 $ |
| 217 $ write sys$output "Creating req2.req time stamp request for file testtsa.
.." |
| 218 $ call create_time_stamp_request2 |
| 219 $ |
| 220 $ write sys$output "Printing req2.req..." |
| 221 $ call print_request "req2.tsq" |
| 222 $ |
| 223 $ write sys$output "Generating valid response for req2.req..." |
| 224 $ call create_time_stamp_response "req2.tsq" "resp2.tsr" "tsa_config1" |
| 225 $ |
| 226 $ write sys$output "Checking '-token_in' and '-token_out' options with '-r
eply'..." |
| 227 $ call time_stamp_response_token_test "req2.tsq" "resp2.tsr" |
| 228 $ |
| 229 $ write sys$output "Printing response..." |
| 230 $ call print_response "resp2.tsr" |
| 231 $ |
| 232 $ write sys$output "Verifying valid response..." |
| 233 $ call verify_time_stamp_response "req2.tsq" "resp2.tsr" "[-]testtsa.com" |
| 234 $ |
| 235 $ write sys$output "Verifying response against wrong request, it should fa
il..." |
| 236 $ call verify_time_stamp_response_fail "req1.tsq" "resp2.tsr" |
| 237 $ |
| 238 $ write sys$output "Verifying response against wrong request, it should fa
il..." |
| 239 $ call verify_time_stamp_response_fail "req2.tsq" "resp1.tsr" |
| 240 $ |
| 241 $ write sys$output "Creating req3.req time stamp request for file CAtsa.cn
f..." |
| 242 $ call create_time_stamp_request3 |
| 243 $ |
| 244 $ write sys$output "Printing req3.req..." |
| 245 $ call print_request "req3.tsq" |
| 246 $ |
| 247 $ write sys$output "Verifying response against wrong request, it should fa
il..." |
| 248 $ call verify_time_stamp_response_fail "req3.tsq" "resp1.tsr" |
| 249 $ |
| 250 $ write sys$output "Cleaning up..." |
| 251 $ call clean_up_dir |
| 252 $ |
| 253 $ set on |
| 254 $ |
| 255 $ exit |
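Review bot: The `error` subroutine (new lines 19-23) does not actually fail the run. As I read DCL's CALL/EXIT semantics, `exit 3` inside a `subroutine` only returns to the `call error` site, and 3 is an odd, informational-severity status, so the caller carries on and the closing bare `exit` can still report success. This matters most in `verify_time_stamp_response_fail` (new lines 161-169), where `write sys$output "Ok"` runs even if a response verified against the wrong request, so a verification regression would show up only as one line in the log. I would record the failure in a global symbol in `error`, e.g. `$ tsa_failed == 1`, print "Ok" only on the expected path, and add `$ if f$type(tsa_failed) .nes. "" then exit 44` before the final `exit`. Separately, `print_request` has no `$severity` check, unlike `print_response`, and the `.nes` on new line 28 appears to be missing its trailing dot (`.nes.`).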
OLD | NEW |