blob: fc68ff906cdf61cb96c98b8d104c388a03050659 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
|
#!/bin/sh
#
# A few very basic tests for the 'ts' time stamping authority command.
#
SH="/bin/sh"
if test "$OSTYPE" = msdosdjgpp; then
PATH="../apps\;$PATH"
else
PATH="../apps:$PATH"
fi
export SH PATH
OPENSSL_CONF="../CAtsa.cnf"
export OPENSSL_CONF
# Because that's what ../apps/CA.pl really looks at
SSLEAY_CONFIG="-config $OPENSSL_CONF"
export SSLEAY_CONFIG
OPENSSL="`pwd`/../util/opensslwrap.sh"
export OPENSSL
RUN () {
../../util/shlib_wrap.sh ../../apps/openssl ts $*
}
create_tsa_cert () {
INDEX=$1
export INDEX
EXT=$2
TSDNSECT=ts_cert_dn
export TSDNSECT
../../util/shlib_wrap.sh ../../apps/openssl req -new \
-out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem || exit 1
echo using extension $EXT
../../util/shlib_wrap.sh ../../apps/openssl x509 -req \
-in tsa_req${INDEX}.pem -out tsa_cert${INDEX}.pem \
-CA tsaca.pem -CAkey tsacakey.pem -CAcreateserial \
-extfile $OPENSSL_CONF -extensions $EXT || exit 1
}
create_time_stamp_response () {
RUN -reply -section $3 -queryfile $1 -out $2 || exit 1
}
verify_time_stamp_response () {
RUN -verify -queryfile $1 -in $2 -CAfile tsaca.pem \
-untrusted tsa_cert1.pem || exit 1
RUN -verify -data $3 -in $2 -CAfile tsaca.pem \
-untrusted tsa_cert1.pem || exit 1
}
verify_time_stamp_response_fail () {
RUN -verify -queryfile $1 -in $2 -CAfile tsaca.pem \
-untrusted tsa_cert1.pem && exit 1
echo ok
}
# main functions
echo setting up TSA test directory
rm -rf tsa 2>/dev/null
mkdir tsa
cd ./tsa
echo creating a new CA for the TSA tests
TSDNSECT=ts_ca_dn
export TSDNSECT
../../util/shlib_wrap.sh ../../apps/openssl req -new -x509 -nodes \
-out tsaca.pem -keyout tsacakey.pem || exit 1
echo creating tsa_cert1.pem TSA server cert
create_tsa_cert 1 tsa_cert
echo creating tsa_cert2.pem non-TSA server cert
create_tsa_cert 2 non_tsa_cert
echo creating req1.req time stamp request for file testtsa
RUN -query -data ../testtsa -policy tsa_policy1 -cert -out req1.tsq || exit 1
echo printing req1.req
RUN -query -in req1.tsq -text
echo generating valid response for req1.req
create_time_stamp_response req1.tsq resp1.tsr tsa_config1
echo printing response
RUN -reply -in resp1.tsr -text || exit 1
echo verifying valid response
verify_time_stamp_response req1.tsq resp1.tsr ../testtsa
echo verifying valid token
RUN -reply -in resp1.tsr -out resp1.tsr.token -token_out || exit 1
RUN -verify -queryfile req1.tsq -in resp1.tsr.token -token_in \
-CAfile tsaca.pem -untrusted tsa_cert1.pem || exit 1
RUN -verify -data ../testtsa -in resp1.tsr.token -token_in \
-CAfile tsaca.pem -untrusted tsa_cert1.pem || exit 1
echo creating req2.req time stamp request for file testtsa
RUN -query -data ../testtsa -policy tsa_policy2 -no_nonce \
-out req2.tsq || exit 1
echo printing req2.req
RUN -query -in req2.tsq -text
echo generating valid response for req2.req
create_time_stamp_response req2.tsq resp2.tsr tsa_config1
echo checking -token_in and -token_out options with -reply
RESPONSE2=resp2.tsr.copy.tsr
TOKEN_DER=resp2.tsr.token.der
RUN -reply -in resp2.tsr -out $TOKEN_DER -token_out || exit 1
RUN -reply -in $TOKEN_DER -token_in -out $RESPONSE2 || exit 1
cmp $RESPONSE2 resp2.tsr || exit 1
RUN -reply -in resp2.tsr -text -token_out || exit 1
RUN -reply -in $TOKEN_DER -token_in -text -token_out || exit 1
RUN -reply -queryfile req2.tsq -text -token_out || exit 1
echo printing response
RUN -reply -in resp2.tsr -text || exit 1
echo verifying valid response
verify_time_stamp_response req2.tsq resp2.tsr ../testtsa
echo verifying response against wrong request, it should fail
verify_time_stamp_response_fail req1.tsq resp2.tsr
echo verifying response against wrong request, it should fail
verify_time_stamp_response_fail req2.tsq resp1.tsr
echo creating req3.req time stamp request for file CAtsa.cnf
RUN -query -data ../CAtsa.cnf -no_nonce -out req3.tsq || exit 1
echo printing req3.req
RUN -query -in req3.tsq -text
echo verifying response against wrong request, it should fail
verify_time_stamp_response_fail req3.tsq resp1.tsr
echo cleaning up
cd ..
rm -rf tsa
exit 0
|