| Index: openssl/test/testtsa.com
|
| ===================================================================
|
| --- openssl/test/testtsa.com (revision 0)
|
| +++ openssl/test/testtsa.com (revision 0)
|
| @@ -0,0 +1,255 @@
|
| +$!
|
| +$! A few very basic tests for the 'ts' time stamping authority command.
|
| +$!
|
| +$
|
| +$ __arch = "VAX"
|
| +$ if f$getsyi("cpu") .ge. 128 then -
|
| + __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
|
| +$ if __arch .eqs. "" then __arch = "UNK"
|
| +$!
|
| +$ if (p4 .eqs. "64") then __arch = __arch+ "_64"
|
| +$!
|
| +$ exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
|
| +$
|
| +$ openssl = "mcr ''f$parse(exe_dir+"openssl.exe")'"
|
| +$ OPENSSL_CONF = "[-]CAtsa.cnf"
|
| +$ ! Because that's what ../apps/CA.sh really looks at
|
| +$ SSLEAY_CONFIG = "-config " + OPENSSL_CONF
|
| +$
|
| +$ error:
|
| +$ subroutine
|
| +$ write sys$error "TSA test failed!"
|
| +$ exit 3
|
| +$ endsubroutine
|
| +$
|
| +$ setup_dir:
|
| +$ subroutine
|
| +$
|
| +$ if f$search("tsa.dir") .nes ""
|
| +$ then
|
| +$ @[-.util]deltree [.tsa]*.*
|
| +$ set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
|
| +$ delete tsa.dir;*
|
| +$ endif
|
| +$
|
| +$ create/dir [.tsa]
|
| +$ set default [.tsa]
|
| +$ endsubroutine
|
| +$
|
| +$ clean_up_dir:
|
| +$ subroutine
|
| +$
|
| +$ set default [-]
|
| +$ @[-.util]deltree [.tsa]*.*
|
| +$ set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
|
| +$ delete tsa.dir;*
|
| +$ endsubroutine
|
| +$
|
| +$ create_ca:
|
| +$ subroutine
|
| +$
|
| +$ write sys$output "Creating a new CA for the TSA tests..."
|
| +$ TSDNSECT = "ts_ca_dn"
|
| +$ openssl req -new -x509 -nodes -
|
| + -out tsaca.pem -keyout tsacakey.pem
|
| +$ if $severity .ne. 1 then call error
|
| +$ endsubroutine
|
| +$
|
| +$ create_tsa_cert:
|
| +$ subroutine
|
| +$
|
| +$ INDEX=p1
|
| +$ EXT=p2
|
| +$ TSDNSECT = "ts_cert_dn"
|
| +$
|
| +$ openssl req -new -
|
| + -out tsa_req'INDEX'.pem -keyout tsa_key'INDEX'.pem
|
| +$ if $severity .ne. 1 then call error
|
| +$
|
| +$ write sys$output "Using extension ''EXT'"
|
| +$ openssl x509 -req -
|
| + -in tsa_req'INDEX'.pem -out tsa_cert'INDEX'.pem -
|
| + "-CA" tsaca.pem "-CAkey" tsacakey.pem "-CAcreateserial" -
|
| + -extfile 'OPENSSL_CONF' -extensions "''EXT'"
|
| +$ if $severity .ne. 1 then call error
|
| +$ endsubroutine
|
| +$
|
| +$ print_request:
|
| +$ subroutine
|
| +$
|
| +$ openssl ts -query -in 'p1' -text
|
| +$ endsubroutine
|
| +$
|
| +$ create_time_stamp_request1: subroutine
|
| +$
|
| +$ openssl ts -query -data [-]testtsa.com -policy tsa_policy1 -
|
| + -cert -out req1.tsq
|
| +$ if $severity .ne. 1 then call error
|
| +$ endsubroutine
|
| +$
|
| +$ create_time_stamp_request2: subroutine
|
| +$
|
| +$ openssl ts -query -data [-]testtsa.com -policy tsa_policy2 -
|
| + -no_nonce -out req2.tsq
|
| +$ if $severity .ne. 1 then call error
|
| +$ endsubroutine
|
| +$
|
| +$ create_time_stamp_request3: subroutine
|
| +$
|
| +$ openssl ts -query -data [-]CAtsa.cnf -no_nonce -out req3.tsq
|
| +$ if $severity .ne. 1 then call error
|
| +$ endsubroutine
|
| +$
|
| +$ print_response:
|
| +$ subroutine
|
| +$
|
| +$ openssl ts -reply -in 'p1' -text
|
| +$ if $severity .ne. 1 then call error
|
| +$ endsubroutine
|
| +$
|
| +$ create_time_stamp_response:
|
| +$ subroutine
|
| +$
|
| +$ openssl ts -reply -section 'p3' -queryfile 'p1' -out 'p2'
|
| +$ if $severity .ne. 1 then call error
|
| +$ endsubroutine
|
| +$
|
| +$ time_stamp_response_token_test:
|
| +$ subroutine
|
| +$
|
| +$ RESPONSE2 = p2+ "-copy_tsr"
|
| +$ TOKEN_DER = p2+ "-token_der"
|
| +$ openssl ts -reply -in 'p2' -out 'TOKEN_DER' -token_out
|
| +$ if $severity .ne. 1 then call error
|
| +$ openssl ts -reply -in 'TOKEN_DER' -token_in -out 'RESPONSE2'
|
| +$ if $severity .ne. 1 then call error
|
| +$ backup/compare 'RESPONSE2' 'p2'
|
| +$ if $severity .ne. 1 then call error
|
| +$ openssl ts -reply -in 'p2' -text -token_out
|
| +$ if $severity .ne. 1 then call error
|
| +$ openssl ts -reply -in 'TOKEN_DER' -token_in -text -token_out
|
| +$ if $severity .ne. 1 then call error
|
| +$ openssl ts -reply -queryfile 'p1' -text -token_out
|
| +$ if $severity .ne. 1 then call error
|
| +$ endsubroutine
|
| +$
|
| +$ verify_time_stamp_response:
|
| +$ subroutine
|
| +$
|
| +$ openssl ts -verify -queryfile 'p1' -in 'p2' -
|
| + "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
|
| +$ if $severity .ne. 1 then call error
|
| +$ openssl ts -verify -data 'p3' -in 'p2' -
|
| + "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
|
| +$ if $severity .ne. 1 then call error
|
| +$ endsubroutine
|
| +$
|
| +$ verify_time_stamp_token:
|
| +$ subroutine
|
| +$
|
| +$ ! create the token from the response first
|
| +$ openssl ts -reply -in "''p2'" -out "''p2'-token" -token_out
|
| +$ if $severity .ne. 1 then call error
|
| +$ openssl ts -verify -queryfile "''p1'" -in "''p2'-token" -
|
| + -token_in "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
|
| +$ if $severity .ne. 1 then call error
|
| +$ openssl ts -verify -data "''p3'" -in "''p2'-token" -
|
| + -token_in "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
|
| +$ if $severity .ne. 1 then call error
|
| +$ endsubroutine
|
| +$
|
| +$ verify_time_stamp_response_fail:
|
| +$ subroutine
|
| +$
|
| +$ openssl ts -verify -queryfile 'p1' -in 'p2' -
|
| + "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
|
| +$ ! Checks if the verification failed, as it should have.
|
| +$ if $severity .eq. 1 then call error
|
| +$ write sys$output "Ok"
|
| +$ endsubroutine
|
| +$
|
| +$ ! Main body ----------------------------------------------------------
|
| +$
|
| +$ set noon
|
| +$
|
| +$ write sys$output "Setting up TSA test directory..."
|
| +$ call setup_dir
|
| +$
|
| +$ write sys$output "Creating CA for TSA tests..."
|
| +$ call create_ca
|
| +$
|
| +$ write sys$output "Creating tsa_cert1.pem TSA server cert..."
|
| +$ call create_tsa_cert 1 "tsa_cert"
|
| +$
|
| +$ write sys$output "Creating tsa_cert2.pem non-TSA server cert..."
|
| +$ call create_tsa_cert 2 "non_tsa_cert"
|
| +$
|
| +$ write sys$output "Creating req1.req time stamp request for file testtsa..."
|
| +$ call create_time_stamp_request1
|
| +$
|
| +$ write sys$output "Printing req1.req..."
|
| +$ call print_request "req1.tsq"
|
| +$
|
| +$ write sys$output "Generating valid response for req1.req..."
|
| +$ call create_time_stamp_response "req1.tsq" "resp1.tsr" "tsa_config1"
|
| +$
|
| +$ write sys$output "Printing response..."
|
| +$ call print_response "resp1.tsr"
|
| +$
|
| +$ write sys$output "Verifying valid response..."
|
| +$ call verify_time_stamp_response "req1.tsq" "resp1.tsr" "[-]testtsa.com"
|
| +$
|
| +$ write sys$output "Verifying valid token..."
|
| +$ call verify_time_stamp_token "req1.tsq" "resp1.tsr" "[-]testtsa.com"
|
| +$
|
| +$ ! The tests below are commented out, because invalid signer certificates
|
| +$ ! can no longer be specified in the config file.
|
| +$
|
| +$ ! write sys$output "Generating _invalid_ response for req1.req..."
|
| +$ ! call create_time_stamp_response "req1.tsq" "resp1_bad.tsr" "tsa_config2"
|
| +$
|
| +$ ! write sys$output "Printing response..."
|
| +$ ! call print_response "resp1_bad.tsr"
|
| +$
|
| +$ ! write sys$output "Verifying invalid response, it should fail..."
|
| +$ ! call verify_time_stamp_response_fail "req1.tsq" "resp1_bad.tsr"
|
| +$
|
| +$ write sys$output "Creating req2.req time stamp request for file testtsa..."
|
| +$ call create_time_stamp_request2
|
| +$
|
| +$ write sys$output "Printing req2.req..."
|
| +$ call print_request "req2.tsq"
|
| +$
|
| +$ write sys$output "Generating valid response for req2.req..."
|
| +$ call create_time_stamp_response "req2.tsq" "resp2.tsr" "tsa_config1"
|
| +$
|
| +$ write sys$output "Checking '-token_in' and '-token_out' options with '-reply'..."
|
| +$ call time_stamp_response_token_test "req2.tsq" "resp2.tsr"
|
| +$
|
| +$ write sys$output "Printing response..."
|
| +$ call print_response "resp2.tsr"
|
| +$
|
| +$ write sys$output "Verifying valid response..."
|
| +$ call verify_time_stamp_response "req2.tsq" "resp2.tsr" "[-]testtsa.com"
|
| +$
|
| +$ write sys$output "Verifying response against wrong request, it should fail..."
|
| +$ call verify_time_stamp_response_fail "req1.tsq" "resp2.tsr"
|
| +$
|
| +$ write sys$output "Verifying response against wrong request, it should fail..."
|
| +$ call verify_time_stamp_response_fail "req2.tsq" "resp1.tsr"
|
| +$
|
| +$ write sys$output "Creating req3.req time stamp request for file CAtsa.cnf..."
|
| +$ call create_time_stamp_request3
|
| +$
|
| +$ write sys$output "Printing req3.req..."
|
| +$ call print_request "req3.tsq"
|
| +$
|
| +$ write sys$output "Verifying response against wrong request, it should fail..."
|
| +$ call verify_time_stamp_response_fail "req3.tsq" "resp1.tsr"
|
| +$
|
| +$ write sys$output "Cleaning up..."
|
| +$ call clean_up_dir
|
| +$
|
| +$ set on
|
| +$
|
| +$ exit
|
|
|
Chromium Code Reviews
Issue 9254031:
Upgrade chrome's OpenSSL to same version Android ships with. (Closed)
Base URL: http://src.chromium.org/svn/trunk/deps/third_party/openssl/