4 # A few very basic tests for the 'ts' time stamping authority command.
8 if test "$OSTYPE" = msdosdjgpp; then
15 OPENSSL_CONF="../CAtsa.cnf"
17 # Because that's what ../apps/CA.sh really looks at
18 SSLEAY_CONFIG="-config $OPENSSL_CONF"
21 OPENSSL="`pwd`/../util/opensslwrap.sh"
26 echo "TSA test failed!" >&2
32 rm -rf tsa 2>/dev/null
45 echo "Creating a new CA for the TSA tests..."
48 ../../util/shlib_wrap.sh ../../apps/openssl req -new -x509 -nodes \
49 -out tsaca.pem -keyout tsacakey.pem
61 ../../util/shlib_wrap.sh ../../apps/openssl req -new \
62 -out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem
64 echo Using extension $EXT
65 ../../util/shlib_wrap.sh ../../apps/openssl x509 -req \
66 -in tsa_req${INDEX}.pem -out tsa_cert${INDEX}.pem \
67 -CA tsaca.pem -CAkey tsacakey.pem -CAcreateserial \
68 -extfile $OPENSSL_CONF -extensions $EXT
74 ../../util/shlib_wrap.sh ../../apps/openssl ts -query -in $1 -text
77 create_time_stamp_request1 () {
79 ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../testtsa -policy tsa_policy1 -cert -out req1.tsq
83 create_time_stamp_request2 () {
85 ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../testtsa -policy tsa_policy2 -no_nonce \
90 create_time_stamp_request3 () {
92 ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../CAtsa.cnf -no_nonce -out req3.tsq
98 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $1 -text
102 create_time_stamp_response () {
104 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -section $3 -queryfile $1 -out $2
105 test $? != 0 && error
108 time_stamp_response_token_test () {
110 RESPONSE2=$2.copy.tsr
111 TOKEN_DER=$2.token.der
112 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -out $TOKEN_DER -token_out
113 test $? != 0 && error
114 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $TOKEN_DER -token_in -out $RESPONSE2
115 test $? != 0 && error
117 test $? != 0 && error
118 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -text -token_out
119 test $? != 0 && error
120 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $TOKEN_DER -token_in -text -token_out
121 test $? != 0 && error
122 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -queryfile $1 -text -token_out
123 test $? != 0 && error
126 verify_time_stamp_response () {
128 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2 -CAfile tsaca.pem \
129 -untrusted tsa_cert1.pem
130 test $? != 0 && error
131 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -data $3 -in $2 -CAfile tsaca.pem \
132 -untrusted tsa_cert1.pem
133 test $? != 0 && error
136 verify_time_stamp_token () {
138 # create the token from the response first
139 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -out $2.token -token_out
140 test $? != 0 && error
141 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2.token -token_in \
142 -CAfile tsaca.pem -untrusted tsa_cert1.pem
143 test $? != 0 && error
144 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -data $3 -in $2.token -token_in \
145 -CAfile tsaca.pem -untrusted tsa_cert1.pem
146 test $? != 0 && error
149 verify_time_stamp_response_fail () {
151 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2 -CAfile tsaca.pem \
152 -untrusted tsa_cert1.pem
153 # Checks if the verification failed, as it should have.
160 echo "Setting up TSA test directory..."
163 echo "Creating CA for TSA tests..."
166 echo "Creating tsa_cert1.pem TSA server cert..."
167 create_tsa_cert 1 tsa_cert
169 echo "Creating tsa_cert2.pem non-TSA server cert..."
170 create_tsa_cert 2 non_tsa_cert
172 echo "Creating req1.req time stamp request for file testtsa..."
173 create_time_stamp_request1
175 echo "Printing req1.req..."
176 print_request req1.tsq
178 echo "Generating valid response for req1.req..."
179 create_time_stamp_response req1.tsq resp1.tsr tsa_config1
181 echo "Printing response..."
182 print_response resp1.tsr
184 echo "Verifying valid response..."
185 verify_time_stamp_response req1.tsq resp1.tsr ../testtsa
187 echo "Verifying valid token..."
188 verify_time_stamp_token req1.tsq resp1.tsr ../testtsa
190 # The tests below are commented out, because invalid signer certificates
191 # can no longer be specified in the config file.
193 # echo "Generating _invalid_ response for req1.req..."
194 # create_time_stamp_response req1.tsq resp1_bad.tsr tsa_config2
196 # echo "Printing response..."
197 # print_response resp1_bad.tsr
199 # echo "Verifying invalid response, it should fail..."
200 # verify_time_stamp_response_fail req1.tsq resp1_bad.tsr
202 echo "Creating req2.req time stamp request for file testtsa..."
203 create_time_stamp_request2
205 echo "Printing req2.req..."
206 print_request req2.tsq
208 echo "Generating valid response for req2.req..."
209 create_time_stamp_response req2.tsq resp2.tsr tsa_config1
211 echo "Checking '-token_in' and '-token_out' options with '-reply'..."
212 time_stamp_response_token_test req2.tsq resp2.tsr
214 echo "Printing response..."
215 print_response resp2.tsr
217 echo "Verifying valid response..."
218 verify_time_stamp_response req2.tsq resp2.tsr ../testtsa
220 echo "Verifying response against wrong request, it should fail..."
221 verify_time_stamp_response_fail req1.tsq resp2.tsr
223 echo "Verifying response against wrong request, it should fail..."
224 verify_time_stamp_response_fail req2.tsq resp1.tsr
226 echo "Creating req3.req time stamp request for file CAtsa.cnf..."
227 create_time_stamp_request3
229 echo "Printing req3.req..."
230 print_request req3.tsq
232 echo "Verifying response against wrong request, it should fail..."
233 verify_time_stamp_response_fail req3.tsq resp1.tsr
235 echo "Cleaning up..."