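$!
$! A few very basic tests for the 'ts' time stamping authority command.
$!
$! Flow: build a throw-away CA and two end-entity certificates in a scratch
$! [.tsa] directory, create time stamp requests, generate responses, round
$! trip response <-> token, verify the good cases and confirm that a
$! response does NOT verify against a request it was not issued for.
$!
$! SET NOON is in effect for the main body, so every openssl step is
$! followed by an explicit $severity check; a missing check lets a broken
$! step pass silently.
$!
$ __arch = "VAX"
$ if f$getsyi("cpu") .ge. 128 then -
     __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
$ if __arch .eqs. "" then __arch = "UNK"
$!
$ if (p4 .eqs. "64") then __arch = __arch+ "_64"
$!
$ exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
$
$! The openssl image is run through MCR from the per-architecture build
$! directory, not from whatever "openssl" might resolve to on the system.
$ openssl = "mcr ''f$parse(exe_dir+"openssl.exe")'"
$! Config file lives in the test directory (one level above [.tsa]); its
$! sections (DNs, extensions, tsa_config1, policies) are not visible here.
$ OPENSSL_CONF = "[-]CAtsa.cnf"
$ ! Because that's what ../apps/CA.sh really looks at
$ ! (SSLEAY_CONFIG is not referenced anywhere below.)
$ SSLEAY_CONFIG = "-config " + OPENSSL_CONF
$
$! Report a failed step.
$! NOTE(review): EXIT inside a CALLed subroutine returns to the caller
$! rather than aborting the whole procedure, and status 3 carries
$! informational (not error) severity; with SET NOON in the main body the
$! remaining steps still run. Confirm that whatever drives this procedure
$! looks for the "TSA test failed!" text and not only at the final status.
$ error:
$ subroutine
$     write sys$error "TSA test failed!"
$     exit 3
$ endsubroutine
$
$! Create an empty [.tsa] scratch directory (removing any leftover one
$! first) and make it the default directory for the rest of the run.
$! NOTE(review): the operator below is written ".nes" without the closing
$! period of .NES. — confirm DCL accepts this form.
$ setup_dir:
$ subroutine
$
$     if f$search("tsa.dir") .nes ""
$     then
$         @[-.util]deltree [.tsa]*.*
$         ! Directory files are created without delete access; the
$         ! protection is widened only so that tsa.dir itself can be removed.
$         set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
$         delete tsa.dir;*
$     endif
$
$     create/dir [.tsa]
$     set default [.tsa]
$ endsubroutine
$
$! Step back out of [.tsa] and remove it together with everything it
$! holds, including the unencrypted test CA key.
$ clean_up_dir:
$ subroutine
$
$     set default [-]
$     @[-.util]deltree [.tsa]*.*
$     set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
$     delete tsa.dir;*
$ endsubroutine
$
$! Create the self-signed CA (tsaca.pem / tsacakey.pem) that issues the
$! test certificates. -nodes leaves the key unencrypted: acceptable for a
$! fixture that is deleted by clean_up_dir, never reuse it elsewhere.
$! TSDNSECT presumably selects the DN section of CAtsa.cnf — confirm there.
$ create_ca:
$ subroutine
$
$     write sys$output "Creating a new CA for the TSA tests..."
$     TSDNSECT = "ts_ca_dn"
$     openssl req -new -x509 -nodes -
        -out tsaca.pem -keyout tsacakey.pem
$     if $severity .ne. 1 then call error
$ endsubroutine
$
$! Issue a CA-signed end-entity certificate.
$!   p1 - index used in the tsa_req<n>/tsa_key<n>/tsa_cert<n>.pem names
$!   p2 - name of the extensions section of CAtsa.cnf to apply
$! The main body passes "tsa_cert" for the genuine TSA signer and
$! "non_tsa_cert" for a certificate that must not be usable as one; what
$! those sections actually contain (EKU etc.) is defined in CAtsa.cnf.
$! Case-sensitive options ("-CA", "-CAkey", ...) are quoted so DCL does
$! not fold them to upper case.
$ create_tsa_cert:
$ subroutine
$
$     INDEX=p1
$     EXT=p2
$     TSDNSECT = "ts_cert_dn"
$
$     openssl req -new -
        -out tsa_req'INDEX'.pem -keyout tsa_key'INDEX'.pem
$     if $severity .ne. 1 then call error
$
$     write sys$output "Using extension ''EXT'"
$     openssl x509 -req -
        -in tsa_req'INDEX'.pem -out tsa_cert'INDEX'.pem -
        "-CA" tsaca.pem "-CAkey" tsacakey.pem "-CAcreateserial" -
        -extfile 'OPENSSL_CONF' -extensions "''EXT'"
$     if $severity .ne. 1 then call error
$ endsubroutine
$
$! Dump time stamp request p1 in text form. A request that fails to parse
$! is a test failure, exactly as in print_response (the check was missing
$! here, so a corrupt .tsq went unnoticed).
$ print_request:
$ subroutine
$
$     openssl ts -query -in 'p1' -text
$     if $severity .ne. 1 then call error
$ endsubroutine
$
$! req1.tsq: imprint of [-]testtsa.com, policy tsa_policy1, with a nonce,
$! and -cert asking the TSA to include its signing certificate.
$ create_time_stamp_request1: subroutine
$
$     openssl ts -query -data [-]testtsa.com -policy tsa_policy1 -
        -cert -out req1.tsq
$     if $severity .ne. 1 then call error
$ endsubroutine
$
$! req2.tsq: same data, policy tsa_policy2, no nonce, no -cert.
$ create_time_stamp_request2: subroutine
$
$     openssl ts -query -data [-]testtsa.com -policy tsa_policy2 -
        -no_nonce -out req2.tsq
$     if $severity .ne. 1 then call error
$ endsubroutine
$
$! req3.tsq: imprint of a different file ([-]CAtsa.cnf), no policy, no
$! nonce. Only used as the "wrong request" in a negative verification.
$ create_time_stamp_request3: subroutine
$
$     openssl ts -query -data [-]CAtsa.cnf -no_nonce -out req3.tsq
$     if $severity .ne. 1 then call error
$ endsubroutine
$
$! Dump time stamp response p1 in text form; parse failure is an error.
$ print_response:
$ subroutine
$
$     openssl ts -reply -in 'p1' -text
$     if $severity .ne. 1 then call error
$ endsubroutine
$
$! Generate a response.
$!   p1 - request file,  p2 - response file to write,
$!   p3 - TSA config section of CAtsa.cnf (signer cert/key, policy ...)
$ create_time_stamp_response:
$ subroutine
$
$     openssl ts -reply -section 'p3' -queryfile 'p1' -out 'p2'
$     if $severity .ne. 1 then call error
$ endsubroutine
$
$! Exercise -token_in / -token_out with -reply.
$!   p1 - request file,  p2 - response file
$! Extracts the DER token from the response, wraps it back into a
$! response, and requires that result to be byte-identical to the original
$! (BACKUP/COMPARE fails with non-success severity on any difference).
$! The remaining calls only check that the -text renderings succeed.
$ time_stamp_response_token_test:
$ subroutine
$
$     RESPONSE2 = p2+ "-copy_tsr"
$     TOKEN_DER = p2+ "-token_der"
$     openssl ts -reply -in 'p2' -out 'TOKEN_DER' -token_out
$     if $severity .ne. 1 then call error
$     openssl ts -reply -in 'TOKEN_DER' -token_in -out 'RESPONSE2'
$     if $severity .ne. 1 then call error
$     backup/compare 'RESPONSE2' 'p2'
$     if $severity .ne. 1 then call error
$     openssl ts -reply -in 'p2' -text -token_out
$     if $severity .ne. 1 then call error
$     openssl ts -reply -in 'TOKEN_DER' -token_in -text -token_out
$     if $severity .ne. 1 then call error
$     openssl ts -reply -queryfile 'p1' -text -token_out
$     if $severity .ne. 1 then call error
$ endsubroutine
$
$! Positive verification of response p2, twice: once against request p1
$! and once against the original data file p3. The chain is anchored at
$! the test CA only (-CAfile tsaca.pem, no system store) with tsa_cert1.pem
$! supplied as an untrusted intermediate/signer candidate.
$ verify_time_stamp_response:
$ subroutine
$
$     openssl ts -verify -queryfile 'p1' -in 'p2' -
        "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
$     if $severity .ne. 1 then call error
$     openssl ts -verify -data 'p3' -in 'p2' -
        "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
$     if $severity .ne. 1 then call error
$ endsubroutine
$
$! Same as verify_time_stamp_response, but on the bare token extracted
$! from response p2 (-token_in) instead of the full response.
$ verify_time_stamp_token:
$ subroutine
$
$     ! create the token from the response first
$     openssl ts -reply -in "''p2'" -out "''p2'-token" -token_out
$     if $severity .ne. 1 then call error
$     openssl ts -verify -queryfile "''p1'" -in "''p2'-token" -
        -token_in "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
$     if $severity .ne. 1 then call error
$     openssl ts -verify -data "''p3'" -in "''p2'-token" -
        -token_in "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
$     if $severity .ne. 1 then call error
$ endsubroutine
$
$! Negative verification: response p2 must NOT verify against request p1.
$! Note the inverted check — success here is the test failure. This is
$! what stops a response for one request being replayed against another.
$ verify_time_stamp_response_fail:
$ subroutine
$
$     openssl ts -verify -queryfile 'p1' -in 'p2' -
        "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
$     ! Checks if the verification failed, as it should have.
$     if $severity .eq. 1 then call error
$     write sys$output "Ok"
$ endsubroutine
$
$ ! Main body ----------------------------------------------------------
$
$ set noon
$
$ write sys$output "Setting up TSA test directory..."
$ call setup_dir
$
$ write sys$output "Creating CA for TSA tests..."
$ call create_ca
$
$ write sys$output "Creating tsa_cert1.pem TSA server cert..."
$ call create_tsa_cert 1 "tsa_cert"
$
$ write sys$output "Creating tsa_cert2.pem non-TSA server cert..."
$ call create_tsa_cert 2 "non_tsa_cert"
$
$ write sys$output "Creating req1.req time stamp request for file testtsa..."
$ call create_time_stamp_request1
$
$ write sys$output "Printing req1.req..."
$ call print_request "req1.tsq"
$
$ write sys$output "Generating valid response for req1.req..."
$ call create_time_stamp_response "req1.tsq" "resp1.tsr" "tsa_config1"
$
$ write sys$output "Printing response..."
$ call print_response "resp1.tsr"
$
$ write sys$output "Verifying valid response..."
$ call verify_time_stamp_response "req1.tsq" "resp1.tsr" "[-]testtsa.com"
$
$ write sys$output "Verifying valid token..."
$ call verify_time_stamp_token "req1.tsq" "resp1.tsr" "[-]testtsa.com"
$
$ ! The tests below are commented out, because invalid signer certificates
$ ! can no longer be specified in the config file.
$ ! (tsa_cert2.pem, the non-TSA certificate, is therefore created above but
$ ! never exercised by a negative test in this procedure.)
$
$ ! write sys$output "Generating _invalid_ response for req1.req..."
$ ! call create_time_stamp_response "req1.tsq" "resp1_bad.tsr" "tsa_config2"
$
$ ! write sys$output "Printing response..."
$ ! call print_response "resp1_bad.tsr"
$
$ ! write sys$output "Verifying invalid response, it should fail..."
$ ! call verify_time_stamp_response_fail "req1.tsq" "resp1_bad.tsr"
$
$ write sys$output "Creating req2.req time stamp request for file testtsa..."
$ call create_time_stamp_request2
$
$ write sys$output "Printing req2.req..."
$ call print_request "req2.tsq"
$
$ write sys$output "Generating valid response for req2.req..."
$ call create_time_stamp_response "req2.tsq" "resp2.tsr" "tsa_config1"
$
$ write sys$output "Checking '-token_in' and '-token_out' options with '-reply'..."
$ call time_stamp_response_token_test "req2.tsq" "resp2.tsr"
$
$ write sys$output "Printing response..."
$ call print_response "resp2.tsr"
$
$ write sys$output "Verifying valid response..."
$ call verify_time_stamp_response "req2.tsq" "resp2.tsr" "[-]testtsa.com"
$
$ ! Cross-check: each response must be rejected for the other request.
$ write sys$output "Verifying response against wrong request, it should fail..."
$ call verify_time_stamp_response_fail "req1.tsq" "resp2.tsr"
$
$ write sys$output "Verifying response against wrong request, it should fail..."
$ call verify_time_stamp_response_fail "req2.tsq" "resp1.tsr"
$
$ write sys$output "Creating req3.req time stamp request for file CAtsa.cnf..."
$ call create_time_stamp_request3
$
$ write sys$output "Printing req3.req..."
$ call print_request "req3.tsq"
$
$ write sys$output "Verifying response against wrong request, it should fail..."
$ call verify_time_stamp_response_fail "req3.tsq" "resp1.tsr"
$
$ write sys$output "Cleaning up..."
$ call clean_up_dir
$
$ set on
$
$ exit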