diff options
author | Ulf Möller <ulf@openssl.org> | 2006-02-12 23:19:25 +0000 |
---|---|---|
committer | Ulf Möller <ulf@openssl.org> | 2006-02-12 23:19:25 +0000 |
commit | 8573552e8c3eed250dfc2031dd794500f343ac94 (patch) | |
tree | 6720736b321526101dfef38620c540cdc2d0d3d4 /test | |
parent | c7235be6e36c4bef84594aa3b2f0561db84b63d8 (diff) |
time stamp Makefile, test files
Submitted by: Zoltan Glozik <zglozik@opentsa.org>
Diffstat (limited to 'test')
-rw-r--r-- | test/CAtsa.cnf | 172 | ||||
-rw-r--r-- | test/testtsa | 234 |
2 files changed, 406 insertions, 0 deletions
diff --git a/test/CAtsa.cnf b/test/CAtsa.cnf new file mode 100644 index 0000000000..732e9996d6 --- /dev/null +++ b/test/CAtsa.cnf @@ -0,0 +1,172 @@ + +# +# This config is used by the Time Stamp Authority tests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +# Extra OBJECT IDENTIFIER info: +oid_section = new_oids + +[ new_oids ] + +# Policies used by the TSA tests. +tsa_policy1 = 1.2.3.4.1 +tsa_policy2 = 1.2.3.4.5.6 +tsa_policy3 = 1.2.3.4.5.7 + +#---------------------------------------------------------------------- +[ ca ] +default_ca = CA_default # The default ca section + +[ CA_default ] + +dir = ./demoCA +certs = $dir/certs # Where the issued certs are kept +database = $dir/index.txt # database index file. +new_certs_dir = $dir/newcerts # default place for new certs. + +certificate = $dir/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +private_key = $dir/private/cakey.pem# The private key +RANDFILE = $dir/private/.rand # private random number file + +default_days = 365 # how long to certify for +default_md = sha1 # which md to use. +preserve = no # keep passed DN ordering + +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = supplied +stateOrProvinceName = supplied +organizationName = supplied +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#---------------------------------------------------------------------- +[ req ] +default_bits = 1024 +default_md = sha1 +distinguished_name = req_distinguished_name +encrypt_rsa_key = no +# attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the self signed cert + +string_mask = nombstr + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = HU +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = + +localityName = Locality Name (eg, city) + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = + +commonName = Common Name (eg, YOUR name) +commonName_max = 64 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ tsa_cert ] + +# TSA server cert is not a CA cert. +basicConstraints=CA:FALSE + +# The following key usage flags are needed for TSA server certificates. +keyUsage = nonRepudiation, digitalSignature +extendedKeyUsage = critical,timeStamping + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +[ non_tsa_cert ] + +# This is not a CA cert and not a TSA cert, either (timeStamping usage missing) +basicConstraints=CA:FALSE + +# The following key usage flags are needed for TSA server certificates. +keyUsage = nonRepudiation, digitalSignature +# timeStamping is not supported by this certificate +# extendedKeyUsage = critical,timeStamping + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +[ v3_req ] + +# Extensions to add to a certificate request +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature + +[ v3_ca ] + +# Extensions for a typical CA + +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +basicConstraints = critical,CA:true +keyUsage = cRLSign, keyCertSign + +#---------------------------------------------------------------------- +[ tsa ] + +default_tsa = tsa_config1 # the default TSA section + +[ tsa_config1 ] + +# These are used by the TSA reply generation only. +dir = . # TSA root directory +serial = $dir/tsa_serial # The current serial number (mandatory) +signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate + # (optional) +certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply + # (optional) +signer_key = $dir/tsa_key1.pem # The TSA private key (optional) + +default_policy = tsa_policy1 # Policy if request did not specify it + # (optional) +other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) +digests = md5, sha1 # Acceptable message digests (mandatory) +accuracy = secs:1, millisecs:500, microsecs:100 # (optional) +ordering = yes # Is ordering defined for timestamps? + # (optional, default: no) +tsa_name = yes # Must the TSA name be included in the reply? + # (optional, default: no) +ess_cert_id_chain = yes # Must the ESS cert id chain be included? + # (optional, default: no) + +[ tsa_config2 ] + +# This configuration uses a certificate which doesn't have timeStamping usage. +# These are used by the TSA reply generation only. +dir = . # TSA root directory +serial = $dir/tsa_serial # The current serial number (mandatory) +signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate + # (optional) +certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply + # (optional) +signer_key = $dir/tsa_key2.pem # The TSA private key (optional) + +default_policy = tsa_policy1 # Policy if request did not specify it + # (optional) +other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) +digests = md5, sha1 # Acceptable message digests (mandatory) diff --git a/test/testtsa b/test/testtsa new file mode 100644 index 0000000000..b135438b7d --- /dev/null +++ b/test/testtsa @@ -0,0 +1,234 @@ +#!/bin/sh + +# +# A few very basic tests for the 'ts' time stamping authority command. +# + +SH="/bin/sh" +PATH=../../apps:$PATH +export SH PATH + +OPENSSL_CONF="../CAtsa.cnf" +export OPENSSL_CONF + +error () { + + echo "ERROR DURING TSA TESTS!!!!!!!!!!!!!!!!" >&2 + exit 1 +} + +setup_dir () { + + rm -rf tsa 2>/dev/null + mkdir tsa + cd ./tsa +} + +clean_up_dir () { + + cd .. + rm -rf tsa +} + +create_ca () { + + echo "Creating a new CA for the TSA tests..." + /bin/rm -fr demoCA + $SH ../../apps/CA.sh -newca <<EOF + +HU +Budapest +Budapest +Gov-CA Ltd. +ca1 +EOF + test $? != 0 && error +} + +create_tsa_cert () { + + INDEX=$1 + EXT=$2 + openssl req -new -out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem <<EOF +HU +Budapest +Buda +Hun-TSA Ltd. +tsa${INDEX} +EOF + test $? != 0 && error + + openssl ca -in tsa_req${INDEX}.pem -out tsa_cert${INDEX}.pem \ + -extensions $EXT <<EOF +y +y +EOF + test $? != 0 && error +} + +print_request () { + + openssl ts -query -in $1 -text +} + +create_time_stamp_request1 () { + + openssl ts -query -data ../testtsa -policy tsa_policy1 -cert -out req1.tsq + test $? != 0 && error +} + +create_time_stamp_request2 () { + + openssl ts -query -data ../testtsa -policy tsa_policy2 -no_nonce \ + -out req2.tsq + test $? != 0 && error +} + +create_time_stamp_request3 () { + + openssl ts -query -data ../CAtsa.cnf -no_nonce -out req3.tsq + test $? != 0 && error +} + +print_response () { + + openssl ts -reply -in $1 -text + test $? != 0 && error +} + +create_time_stamp_response () { + + openssl ts -reply -section $3 -queryfile $1 -out $2 + test $? != 0 && error +} + +time_stamp_response_token_test () { + + RESPONSE2=$2.copy.tsr + TOKEN_DER=$2.token.der + openssl ts -reply -in $2 -out $TOKEN_DER -token_out + test $? != 0 && error + openssl ts -reply -in $TOKEN_DER -token_in -out $RESPONSE2 + test $? != 0 && error + cmp $RESPONSE2 $2 + test $? != 0 && error + openssl ts -reply -in $2 -text -token_out + test $? != 0 && error + openssl ts -reply -in $TOKEN_DER -token_in -text -token_out + test $? != 0 && error + openssl ts -reply -queryfile $1 -text -token_out + test $? != 0 && error +} + +verify_time_stamp_response () { + + openssl ts -verify -queryfile $1 -in $2 -CAfile demoCA/cacert.pem \ + -untrusted tsa_cert1.pem + test $? != 0 && error + openssl ts -verify -data $3 -in $2 -CAfile demoCA/cacert.pem \ + -untrusted tsa_cert1.pem + test $? != 0 && error +} + +verify_time_stamp_token () { + + # create the token from the response first + openssl ts -reply -in $2 -out $2.token -token_out + test $? != 0 && error + openssl ts -verify -queryfile $1 -in $2.token -token_in \ + -CAfile demoCA/cacert.pem -untrusted tsa_cert1.pem + test $? != 0 && error + openssl ts -verify -data $3 -in $2.token -token_in \ + -CAfile demoCA/cacert.pem -untrusted tsa_cert1.pem + test $? != 0 && error +} + +verify_time_stamp_response_fail () { + + openssl ts -verify -queryfile $1 -in $2 -CAfile demoCA/cacert.pem \ + -untrusted tsa_cert1.pem + # Checks if the verification failed, as it should have. + test $? == 0 && error +} + +# main functions + +echo "Setting up TSA test directory..." +setup_dir + +echo "Creating CA for TSA tests..." +create_ca + +echo "Creating tsa_cert1.pem TSA server cert..." +create_tsa_cert 1 tsa_cert + +echo "Creating tsa_cert2.pem non-TSA server cert..." +create_tsa_cert 2 non_tsa_cert + +echo "Creating req1.req time stamp request for file testtsa..." +create_time_stamp_request1 + +echo "Printing req1.req..." +print_request req1.tsq + +echo "Generating valid response for req1.req..." +create_time_stamp_response req1.tsq resp1.tsr tsa_config1 + +echo "Printing response..." +print_response resp1.tsr + +echo "Verifying valid response..." +verify_time_stamp_response req1.tsq resp1.tsr ../testtsa + +echo "Verifying valid token..." +verify_time_stamp_token req1.tsq resp1.tsr ../testtsa + +# The tests below are commented out, because invalid signer certificates +# can no longer be specified in the config file. + +# echo "Generating _invalid_ response for req1.req..." +# create_time_stamp_response req1.tsq resp1_bad.tsr tsa_config2 + +# echo "Printing response..." +# print_response resp1_bad.tsr + +# echo "Verifying invalid response, it should fail..." +# verify_time_stamp_response_fail req1.tsq resp1_bad.tsr + +echo "Creating req2.req time stamp request for file testtsa..." +create_time_stamp_request2 + +echo "Printing req2.req..." +print_request req2.tsq + +echo "Generating valid response for req2.req..." +create_time_stamp_response req2.tsq resp2.tsr tsa_config1 + +echo "Checking '-token_in' and '-token_out' options with '-reply'..." +time_stamp_response_token_test req2.tsq resp2.tsr + +echo "Printing response..." +print_response resp2.tsr + +echo "Verifying valid response..." +verify_time_stamp_response req2.tsq resp2.tsr ../testtsa + +echo "Verifying response against wrong request, it should fail..." +verify_time_stamp_response_fail req1.tsq resp2.tsr + +echo "Verifying response against wrong request, it should fail..." +verify_time_stamp_response_fail req2.tsq resp1.tsr + +echo "Creating req3.req time stamp request for file CAtsa.cnf..." +create_time_stamp_request3 + +echo "Printing req3.req..." +print_request req3.tsq + +echo "Verifying response against wrong request, it should fail..." +verify_time_stamp_response_fail req3.tsq resp1.tsr + +echo "Cleaning up..." +clean_up_dir + +exit 0 |