wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add recipes for the larger protocols

Browse source 
This covers the certificate authority commands, the cms and smime
commands, OCSP, SSL and TSA.

Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Richard Levitte 2015-04-19 22:24:17 +02:00
parent 4fb35f8fcb
commit 88b8a5279f
5 changed files with 1423 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

55
test/recipes/80-test_ca.t Normal file
View file

@ -0,0 +1,55 @@
#! /usr/bin/perl
use strict;
use warnings;
use POSIX;
use File::Spec::Functions qw/splitdir curdir catfile devnull/;
use File::Path qw/remove_tree/;
use Test::More;
use OpenSSL::Test qw/:DEFAULT cmdstr top_file quotify/;
setup("test_ca");
my $perl = $^X;
$ENV{OPENSSL} = cmdstr(app(["openssl"]));
my $CA_pl = top_file("apps", "CA.pl");
my $std_openssl_cnf = top_file("apps", "openssl.cnf");
($perl) = quotify($perl) unless $^O eq "VMS"; # never quotify a command on VMS. Ever!
remove_tree("demoCA", { safe => 0 });
plan tests => 4;
SKIP: {
$ENV{SSLEAY_CONFIG} = "-config CAss.cnf";
skip "failed creating CA structure", 3
if !is(system("$perl ".$CA_pl." -newca < ".devnull()." 2>&1"), 0,
'creating CA structure');
$ENV{SSLEAY_CONFIG} = "-config Uss.cnf";
skip "failed creating new certificate request", 2
if !is(system("$perl ".$CA_pl." -newreq 2>&1"), 0,
'creating new certificate request');
$ENV{SSLEAY_CONFIG} = "-config ".$std_openssl_cnf;
skip "failed to sign certificate request", 1
if !is(yes("$perl ".$CA_pl." -sign 2>&1"), 0,
'signing certificate request');
is(system("$perl ".$CA_pl." -verify newcert.pem 2>&1"), 0,
'verifying new certificate');
}
remove_tree("demoCA", { safe => 0 });
unlink "newcert.pem", "newreq.pem";
sub yes {
open(PIPE, "|-", join(" ",@_));
local $SIG{PIPE} = "IGNORE";
1 while print PIPE "y\n";
close PIPE;
return 0;
}

477
test/recipes/80-test_cms.t Normal file
View file

@ -0,0 +1,477 @@
#! /usr/bin/perl
use strict;
use warnings;
use POSIX;
use File::Spec::Functions qw/catfile/;
use File::Compare qw/compare_text/;
use Test::More;
use OpenSSL::Test qw/:DEFAULT top_dir top_file/;
setup("test_cms");
my $smdir = top_dir("test", "smime-certs");
my $smcont = top_file("test", "smcont.txt");
my $no_ec = run(app(["openssl", "no-ec"], stdout => undef));
my $no_ec2m = run(app(["openssl", "no-ec2m"], stdout => undef));
my $no_ecdh = run(app(["openssl", "no-ecdh"], stdout => undef));
plan tests => 4;
my @smime_pkcs7_tests = (
[ "signed content DER format, RSA key",
[ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
"-certfile", catfile($smdir, "smroot.pem"),
"-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed detached content DER format, RSA key",
[ "-sign", "-in", $smcont, "-outform", "DER",
"-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt",
"-content", $smcont ]
],
[ "signed content test streaming BER format, RSA",
[ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
"-stream",
"-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed content DER format, DSA key",
[ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed detached content DER format, DSA key",
[ "-sign", "-in", $smcont, "-outform", "DER",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt",
"-content", $smcont ]
],
[ "signed detached content DER format, add RSA signer",
[ "-resign", "-inform", "DER", "-in", "test.cms", "-outform", "DER",
"-signer", catfile($smdir, "smrsa1.pem"), "-out", "test2.cms" ],
[ "-verify", "-in", "test2.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt",
"-content", $smcont ]
],
[ "signed content test streaming BER format, DSA key",
[ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
"-stream",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
[ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
"-signer", catfile($smdir, "smrsa1.pem"),
"-signer", catfile($smdir, "smrsa2.pem"),
"-signer", catfile($smdir, "smdsa1.pem"),
"-signer", catfile($smdir, "smdsa2.pem"),
"-stream", "-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
[ "-sign", "-in", $smcont, "-outform", "DER", "-noattr", "-nodetach",
"-signer", catfile($smdir, "smrsa1.pem"),
"-signer", catfile($smdir, "smrsa2.pem"),
"-signer", catfile($smdir, "smdsa1.pem"),
"-signer", catfile($smdir, "smdsa2.pem"),
"-stream", "-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
[ "-sign", "-in", $smcont, "-nodetach",
"-signer", catfile($smdir, "smrsa1.pem"),
"-signer", catfile($smdir, "smrsa2.pem"),
"-signer", catfile($smdir, "smdsa1.pem"),
"-signer", catfile($smdir, "smdsa2.pem"),
"-stream", "-out", "test.cms" ],
[ "-verify", "-in", "test.cms",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
[ "-sign", "-in", $smcont,
"-signer", catfile($smdir, "smrsa1.pem"),
"-signer", catfile($smdir, "smrsa2.pem"),
"-signer", catfile($smdir, "smdsa1.pem"),
"-signer", catfile($smdir, "smdsa2.pem"),
"-stream", "-out", "test.cms" ],
[ "-verify", "-in", "test.cms",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "enveloped content test streaming S/MIME format, 3 recipients",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
catfile($smdir, "smrsa1.pem"),
catfile($smdir, "smrsa2.pem"),
catfile($smdir, "smrsa3.pem") ],
[ "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
[ "enveloped content test streaming S/MIME format, 3 recipients, 3rd used",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
catfile($smdir, "smrsa1.pem"),
catfile($smdir, "smrsa2.pem"),
catfile($smdir, "smrsa3.pem") ],
[ "-decrypt", "-recip", catfile($smdir, "smrsa3.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
[ "enveloped content test streaming S/MIME format, 3 recipients, key only used",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
catfile($smdir, "smrsa1.pem"),
catfile($smdir, "smrsa2.pem"),
catfile($smdir, "smrsa3.pem") ],
[ "-decrypt", "-inkey", catfile($smdir, "smrsa3.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
[ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
[ "-encrypt", "-in", $smcont,
"-aes256", "-stream", "-out", "test.cms",
catfile($smdir, "smrsa1.pem"),
catfile($smdir, "smrsa2.pem"),
catfile($smdir, "smrsa3.pem") ],
[ "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
);
my @smime_cms_tests = (
[ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
[ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", "-keyid",
"-signer", catfile($smdir, "smrsa1.pem"),
"-signer", catfile($smdir, "smrsa2.pem"),
"-signer", catfile($smdir, "smdsa1.pem"),
"-signer", catfile($smdir, "smdsa2.pem"),
"-stream", "-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
[ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
"-signer", catfile($smdir, "smrsa1.pem"),
"-signer", catfile($smdir, "smrsa2.pem"),
"-signer", catfile($smdir, "smdsa1.pem"),
"-signer", catfile($smdir, "smdsa2.pem"),
"-stream", "-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "PEM",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed content MIME format, RSA key, signed receipt request",
[ "-sign", "-in", $smcont, "-signer", catfile($smdir, "smrsa1.pem"), "-nodetach",
"-receipt_request_to", "test\@openssl.org", "-receipt_request_all",
"-out", "test.cms" ],
[ "-verify", "-in", "test.cms",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed receipt MIME format, RSA key",
[ "-sign_receipt", "-in", "test.cms",
"-signer", catfile($smdir, "smrsa2.pem"),
"-out", "test2.cms" ],
[ "-verify_receipt", "test2.cms", "-in", "test.cms",
"-CAfile", catfile($smdir, "smroot.pem") ]
],
[ "enveloped content test streaming S/MIME format, 3 recipients, keyid",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms", "-keyid",
catfile($smdir, "smrsa1.pem"),
catfile($smdir, "smrsa2.pem"),
catfile($smdir, "smrsa3.pem") ],
[ "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
[ "enveloped content test streaming PEM format, KEK",
[ "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128",
"-stream", "-out", "test.cms",
"-secretkey", "000102030405060708090A0B0C0D0E0F",
"-secretkeyid", "C0FEE0" ],
[ "-decrypt", "-in", "test.cms", "-out", "smtst.txt", "-inform", "PEM",
"-secretkey", "000102030405060708090A0B0C0D0E0F",
"-secretkeyid", "C0FEE0" ]
],
[ "enveloped content test streaming PEM format, KEK, key only",
[ "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128",
"-stream", "-out", "test.cms",
"-secretkey", "000102030405060708090A0B0C0D0E0F",
"-secretkeyid", "C0FEE0" ],
[ "-decrypt", "-in", "test.cms", "-out", "smtst.txt", "-inform", "PEM",
"-secretkey", "000102030405060708090A0B0C0D0E0F" ]
],
[ "data content test streaming PEM format",
[ "-data_create", "-in", $smcont, "-outform", "PEM", "-nodetach",
"-stream", "-out", "test.cms" ],
[ "-data_out", "-in", "test.cms", "-inform", "PEM", "-out", "smtst.txt" ]
],
[ "encrypted content test streaming PEM format, 128 bit RC2 key",
[ "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
"-rc2", "-secretkey", "000102030405060708090A0B0C0D0E0F",
"-stream", "-out", "test.cms" ],
[ "-EncryptedData_decrypt", "-in", "test.cms", "-inform", "PEM",
"-secretkey", "000102030405060708090A0B0C0D0E0F", "-out", "smtst.txt" ]
],
[ "encrypted content test streaming PEM format, 40 bit RC2 key",
[ "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
"-rc2", "-secretkey", "0001020304",
"-stream", "-out", "test.cms" ],
[ "-EncryptedData_decrypt", "-in", "test.cms", "-inform", "PEM",
"-secretkey", "0001020304", "-out", "smtst.txt" ]
],
[ "encrypted content test streaming PEM format, triple DES key",
[ "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
"-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
"-stream", "-out", "test.cms" ],
[ "-EncryptedData_decrypt", "-in", "test.cms", "-inform", "PEM",
"-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
"-out", "smtst.txt" ]
],
[ "encrypted content test streaming PEM format, 128 bit AES key",
[ "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
"-aes128", "-secretkey", "000102030405060708090A0B0C0D0E0F",
"-stream", "-out", "test.cms" ],
[ "-EncryptedData_decrypt", "-in", "test.cms", "-inform", "PEM",
"-secretkey", "000102030405060708090A0B0C0D0E0F", "-out", "smtst.txt" ]
],
);
my @smime_cms_comp_tests = (
[ "compressed content test streaming PEM format",
[ "-compress", "-in", $smcont, "-outform", "PEM", "-nodetach",
"-stream", "-out", "test.cms" ],
[ "-uncompress", "-in", "test.cms", "-inform", "PEM", "-out", "smtst.txt" ]
]
);
my @smime_cms_param_tests = (
[ "signed content test streaming PEM format, RSA keys, PSS signature",
[ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
"-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss",
"-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "PEM",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed content test streaming PEM format, RSA keys, PSS signature, no attributes",
[ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", "-noattr",
"-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss",
"-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "PEM",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed content test streaming PEM format, RSA keys, PSS signature, SHA384 MGF1",
[ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
"-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss",
"-keyopt", "rsa_mgf1_md:sha384", "-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "PEM",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "enveloped content test streaming S/MIME format, OAEP default parameters",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
"-recip", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:oaep" ],
[ "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
[ "enveloped content test streaming S/MIME format, OAEP SHA256",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
"-recip", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:oaep",
"-keyopt", "rsa_oaep_md:sha256" ],
[ "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
[ "enveloped content test streaming S/MIME format, ECDH",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
"-recip", catfile($smdir, "smec1.pem") ],
[ "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
[ "enveloped content test streaming S/MIME format, ECDH, key identifier",
[ "-encrypt", "-keyid", "-in", $smcont,
"-stream", "-out", "test.cms",
"-recip", catfile($smdir, "smec1.pem") ],
[ "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
[ "enveloped content test streaming S/MIME format, ECDH, AES128, SHA256 KDF",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
"-recip", catfile($smdir, "smec1.pem"), "-aes128", "-keyopt", "ecdh_kdf_md:sha256" ],
[ "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
[ "enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
"-recip", catfile($smdir, "smec2.pem"), "-aes128",
"-keyopt", "ecdh_kdf_md:sha256", "-keyopt", "ecdh_cofactor_mode:1" ],
[ "-decrypt", "-recip", catfile($smdir, "smec2.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
[ "enveloped content test streaming S/MIME format, X9.42 DH",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
"-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
[ "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
]
);
subtest "CMS => PKCS#7 compatibility tests\n" => sub {
plan tests => scalar @smime_pkcs7_tests;
foreach (@smime_pkcs7_tests) {
SKIP: {
my $skip_reason = check_availability($$_[0]);
skip $skip_reason, 1 if $skip_reason;
ok(run(app(["openssl", "cms", @{$$_[1]}]))
&& run(app(["openssl", "smime", @{$$_[2]}]))
&& compare_text($smcont, "smtst.txt") == 0,
$$_[0]);
}
}
};
subtest "CMS <= PKCS#7 compatibility tests\n" => sub {
plan tests => scalar @smime_pkcs7_tests;
foreach (@smime_pkcs7_tests) {
SKIP: {
my $skip_reason = check_availability($$_[0]);
skip $skip_reason, 1 if $skip_reason;
ok(run(app(["openssl", "smime", @{$$_[1]}]))
&& run(app(["openssl", "cms", @{$$_[2]}]))
&& compare_text($smcont, "smtst.txt") == 0,
$$_[0]);
}
}
};
subtest "CMS <=> CMS consistency tests\n" => sub {
plan tests => (scalar @smime_pkcs7_tests) + (scalar @smime_cms_tests);
foreach (@smime_pkcs7_tests) {
SKIP: {
my $skip_reason = check_availability($$_[0]);
skip $skip_reason, 1 if $skip_reason;
ok(run(app(["openssl", "cms", @{$$_[1]}]))
&& run(app(["openssl", "cms", @{$$_[2]}]))
&& compare_text($smcont, "smtst.txt") == 0,
$$_[0]);
}
}
foreach (@smime_cms_tests) {
SKIP: {
my $skip_reason = check_availability($$_[0]);
skip $skip_reason, 1 if $skip_reason;
ok(run(app(["openssl", "cms", @{$$_[1]}]))
&& run(app(["openssl", "cms", @{$$_[2]}]))
&& compare_text($smcont, "smtst.txt") == 0,
$$_[0]);
}
}
};
subtest "CMS <=> CMS consistency tests, modified key parameters\n" => sub {
plan tests =>
(scalar @smime_cms_param_tests) + (scalar @smime_cms_comp_tests);
foreach (@smime_cms_param_tests) {
SKIP: {
my $skip_reason = check_availability($$_[0]);
skip $skip_reason, 1 if $skip_reason;
ok(run(app(["openssl", "cms", @{$$_[1]}]))
&& run(app(["openssl", "cms", @{$$_[2]}]))
&& compare_text($smcont, "smtst.txt") == 0,
$$_[0]);
}
}
SKIP: {
skip("Zlib not supported: compression tests skipped",
scalar @smime_cms_comp_tests)
unless grep /ZLIB/, run(app(["openssl", "version", "-f"]),
capture => 1);
foreach (@smime_cms_param_tests) {
SKIP: {
my $skip_reason = check_availability($$_[0]);
skip $skip_reason, 1 if $skip_reason;
ok(run(app(["openssl", "cms", @{$$_[1]}]))
&& run(app(["openssl", "cms", @{$$_[2]}]))
&& compare_text($smcont, "smtst.txt") == 0,
$$_[0]);
}
}
}
};
unlink "test.cms";
unlink "test2.cms";
unlink "smtst.txt";
sub check_availability {
my $tnam = shift;
return "$tnam: skipped, EC disabled\n"
if ($no_ec && $tnam =~ /ECDH/);
return "$tnam: skipped, ECDH disabled\n"
if ($no_ecdh && $tnam =~ /ECDH/);
return "$tnam: skipped, EC2M disabled\n"
if ($no_ec2m && $tnam =~ /K-283/);
return "";
}

194
test/recipes/80-test_ocsp.t Normal file
View file

@ -0,0 +1,194 @@
#! /usr/bin/perl
use strict;
use warnings;
use POSIX;
use File::Spec::Functions qw/devnull catfile/;
use File::Copy;
use Test::More;
use OpenSSL::Test qw/:DEFAULT with pipe top_dir/;
setup("test_ocsp");
my $ocspdir=top_dir("test", "ocsp-tests");
# 17 December 2012 so we don't get certificate expiry errors.
my @check_time=("-attime", "1355875200");
sub test_ocsp {
my $title = shift;
my $inputfile = shift;
my $CAfile = shift;
my $expected_exit = shift;
with({ exit_checker => sub { return shift == $expected_exit; } },
sub { ok(run(pipe(app(["openssl", "base64", "-d",
"-in", catfile($ocspdir,$inputfile)]),
app(["openssl", "ocsp", "-respin", "-",
"-partial_chain", @check_time,
"-CAfile", catfile($ocspdir, $CAfile),
"-verify_other", catfile($ocspdir, $CAfile),
"-CApath", devnull()]))),
$title); });
}
plan tests => 10;
subtest "=== VALID OCSP RESPONSES ===" => sub {
plan tests => 6;
test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
"ND1.ors", "ND1_Issuer_ICA.pem", 0);
test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
"ND2.ors", "ND2_Issuer_Root.pem", 0);
test_ocsp("NON-DELEGATED; Root CA -> EE",
"ND3.ors", "ND3_Issuer_Root.pem", 0);
test_ocsp("DELEGATED; Intermediate CA -> EE",
"D1.ors", "D1_Issuer_ICA.pem", 0);
test_ocsp("DELEGATED; Root CA -> Intermediate CA",
"D2.ors", "D2_Issuer_Root.pem", 0);
test_ocsp("DELEGATED; Root CA -> EE",
"D3.ors", "D3_Issuer_Root.pem", 0);
};
subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
plan tests => 6;
test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
"ISOP_ND1.ors", "ND1_Issuer_ICA.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
"ISOP_ND2.ors", "ND2_Issuer_Root.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> EE",
"ISOP_ND3.ors", "ND3_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Intermediate CA -> EE",
"ISOP_D1.ors", "D1_Issuer_ICA.pem", 1);
test_ocsp("DELEGATED; Root CA -> Intermediate CA",
"ISOP_D2.ors", "D2_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Root CA -> EE",
"ISOP_D3.ors", "D3_Issuer_Root.pem", 1);
};
subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
plan tests => 6;
test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
"WRID_ND1.ors", "ND1_Issuer_ICA.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
"WRID_ND2.ors", "ND2_Issuer_Root.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> EE",
"WRID_ND3.ors", "ND3_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Intermediate CA -> EE",
"WRID_D1.ors", "D1_Issuer_ICA.pem", 1);
test_ocsp("DELEGATED; Root CA -> Intermediate CA",
"WRID_D2.ors", "D2_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Root CA -> EE",
"WRID_D3.ors", "D3_Issuer_Root.pem", 1);
};
subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
plan tests => 6;
test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
"WINH_ND1.ors", "ND1_Issuer_ICA.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
"WINH_ND2.ors", "ND2_Issuer_Root.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> EE",
"WINH_ND3.ors", "ND3_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Intermediate CA -> EE",
"WINH_D1.ors", "D1_Issuer_ICA.pem", 1);
test_ocsp("DELEGATED; Root CA -> Intermediate CA",
"WINH_D2.ors", "D2_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Root CA -> EE",
"WINH_D3.ors", "D3_Issuer_Root.pem", 1);
};
subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
plan tests => 6;
test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
"WIKH_ND1.ors", "ND1_Issuer_ICA.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
"WIKH_ND2.ors", "ND2_Issuer_Root.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> EE",
"WIKH_ND3.ors", "ND3_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Intermediate CA -> EE",
"WIKH_D1.ors", "D1_Issuer_ICA.pem", 1);
test_ocsp("DELEGATED; Root CA -> Intermediate CA",
"WIKH_D2.ors", "D2_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Root CA -> EE",
"WIKH_D3.ors", "D3_Issuer_Root.pem", 1);
};
subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
plan tests => 3;
test_ocsp("DELEGATED; Intermediate CA -> EE",
"WKDOSC_D1.ors", "D1_Issuer_ICA.pem", 1);
test_ocsp("DELEGATED; Root CA -> Intermediate CA",
"WKDOSC_D2.ors", "D2_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Root CA -> EE",
"WKDOSC_D3.ors", "D3_Issuer_Root.pem", 1);
};
subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
plan tests => 3;
test_ocsp("DELEGATED; Intermediate CA -> EE",
"ISDOSC_D1.ors", "D1_Issuer_ICA.pem", 1);
test_ocsp("DELEGATED; Root CA -> Intermediate CA",
"ISDOSC_D2.ors", "D2_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Root CA -> EE",
"ISDOSC_D3.ors", "D3_Issuer_Root.pem", 1);
};
subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
plan tests => 6;
test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
"ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
"ND2.ors", "WSNIC_ND2_Issuer_Root.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> EE",
"ND3.ors", "WSNIC_ND3_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Intermediate CA -> EE",
"D1.ors", "WSNIC_D1_Issuer_ICA.pem", 1);
test_ocsp("DELEGATED; Root CA -> Intermediate CA",
"D2.ors", "WSNIC_D2_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Root CA -> EE",
"D3.ors", "WSNIC_D3_Issuer_Root.pem", 1);
};
subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
plan tests => 6;
test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
"ND1.ors", "WKIC_ND1_Issuer_ICA.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
"ND2.ors", "WKIC_ND2_Issuer_Root.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> EE",
"ND3.ors", "WKIC_ND3_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Intermediate CA -> EE",
"D1.ors", "WKIC_D1_Issuer_ICA.pem", 1);
test_ocsp("DELEGATED; Root CA -> Intermediate CA",
"D2.ors", "WKIC_D2_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Root CA -> EE",
"D3.ors", "WKIC_D3_Issuer_Root.pem", 1);
};
subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
plan tests => 6;
# Expect success, because we're explicitly trusting the issuer certificate.
test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
"ND1.ors", "ISIC_ND1_Issuer_ICA.pem", 0);
test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
"ND2.ors", "ISIC_ND2_Issuer_Root.pem", 0);
test_ocsp("NON-DELEGATED; Root CA -> EE",
"ND3.ors", "ISIC_ND3_Issuer_Root.pem", 0);
test_ocsp("DELEGATED; Intermediate CA -> EE",
"D1.ors", "ISIC_D1_Issuer_ICA.pem", 0);
test_ocsp("DELEGATED; Root CA -> Intermediate CA",
"D2.ors", "ISIC_D2_Issuer_Root.pem", 0);
test_ocsp("DELEGATED; Root CA -> EE",
"D3.ors", "ISIC_D3_Issuer_Root.pem", 0);
};

476
test/recipes/80-test_ssl.t Normal file
View file

@ -0,0 +1,476 @@
#! /usr/bin/perl
use strict;
use warnings;
use POSIX;
use File::Spec;
use File::Copy;
use Test::More;
use OpenSSL::Test qw/:DEFAULT with top_file/;
setup("test_ssl");
my $digest = "-sha1";
my @reqcmd = ("openssl", "req");
my @x509cmd = ("openssl", "x509", $digest);
my @verifycmd = ("openssl", "verify");
my $dummycnf = top_file("apps", "openssl.cnf");
my $CAkey = "keyCA.ss";
my $CAcert="certCA.ss";
my $CAserial="certCA.srl";
my $CAreq="reqCA.ss";
my $CAconf=top_file("test","CAss.cnf");
my $CAreq2="req2CA.ss"; # temp
my $Uconf=top_file("test","Uss.cnf");
my $Ukey="keyU.ss";
my $Ureq="reqU.ss";
my $Ucert="certU.ss";
my $P1conf=top_file("test","P1ss.cnf");
my $P1key="keyP1.ss";
my $P1req="reqP1.ss";
my $P1cert="certP1.ss";
my $P1intermediate="tmp_intP1.ss";
my $P2conf=top_file("test","P2ss.cnf");
my $P2key="keyP2.ss";
my $P2req="reqP2.ss";
my $P2cert="certP2.ss";
my $P2intermediate="tmp_intP2.ss";
plan tests =>
1 # For testss
+ 1 # For ssltest -test_cipherlist
+ 8 # For the first testssl
+ 8 * 4 * 4 # For the first testsslproxy (16 times testssl)
+ 8 * 4 * 4 # For the second testsslproxy (16 times testssl)
;
subtest 'test_ss' => sub {
if (testss()) {
open OUT, ">", "intP1.ss";
copy($CAcert, \*OUT); copy($Ucert, \*OUT);
close OUT;
open OUT, ">", "intP2.ss";
copy($CAcert, \*OUT); copy($Ucert, \*OUT); copy($P1cert, \*OUT);
close OUT;
}
};
my $check = ok(run(test(["ssltest","-test_cipherlist"])), "running ssltest");
SKIP: {
skip "ssltest ended with error, skipping the rest", 3
if !$check;
note('test_ssl -- key U');
testssl("keyU.ss", $Ucert, $CAcert);
note('test_ssl -- key P1');
testsslproxy("keyP1.ss", "certP1.ss", "intP1.ss");
note('test_ssl -- key P2');
testsslproxy("keyP2.ss", "certP2.ss", "intP2.ss");
}
# -----------
# subtest functions
sub testss {
open RND, ">>", ".rnd";
print RND "string to make the random number generator think it has entropy";
close RND;
my @req_new;
if (run(app(["openssl", "no-rsa"], stdout => undef))) {
@req_new = ("-newkey",
"dsa:".File::Spec->catfile("..", "apps", "dsa512.pem"));
} else {
@req_new = ("-new");
}
plan tests => 15;
SKIP: {
skip 'failure', 14 unless
ok(run(app([@reqcmd, "-config", $CAconf,
"-out", $CAreq, "-keyout", $CAkey,
@req_new])),
'make cert request');
skip 'failure', 13 unless
ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30",
"-req", "-out", $CAcert, "-signkey", $CAkey,
"-extfile", $CAconf, "-extensions", "v3_ca"],
stdout => "err.ss")),
'convert request into self-signed cert');
skip 'failure', 12 unless
ok(run(app([@x509cmd, "-in", $CAcert,
"-x509toreq", "-signkey", $CAkey, "-out", $CAreq2],
stdout => "err.ss")),
'convert cert into a cert request');
skip 'failure', 11 unless
ok(run(app([@reqcmd, "-config", $dummycnf,
"-verify", "-in", $CAreq, "-noout"])),
'verify request 1');
skip 'failure', 10 unless
ok(run(app([@reqcmd, "-config", $dummycnf,
"-verify", "-in", $CAreq2, "-noout"])),
'verify request 2');
skip 'failure', 9 unless
ok(run(app([@verifycmd, "-CAfile", $CAcert, $CAcert])),
'verify signature');
skip 'failure', 8 unless
ok(run(app([@reqcmd, "-config", $Uconf,
"-out", $Ureq, "-keyout", $Ukey, @req_new],
stdout => "err.ss")),
'make a user cert request');
skip 'failure', 7 unless
ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30",
"-req", "-out", $Ucert,
"-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial,
"-extfile", $Uconf, "-extensions", "v3_ee"],
stdout => "err.ss"))
&& run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])),
'sign user cert request');
skip 'failure', 6 unless
ok(run(app([@x509cmd,
"-subject", "-issuer", "-startdate", "-enddate",
"-noout", "-in", $Ucert])),
'Certificate details');
skip 'failure', 5 unless
ok(run(app([@reqcmd, "-config", $P1conf,
"-out", $P1req, "-keyout", $P1key, @req_new],
stdout => "err.ss")),
'make a proxy cert request');
skip 'failure', 4 unless
ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30",
"-req", "-out", $P1cert,
"-CA", $Ucert, "-CAkey", $Ukey,
"-extfile", $P1conf, "-extensions", "v3_proxy"],
stdout => "err.ss")),
'sign proxy with user cert');
copy($Ucert, $P1intermediate);
run(app([@verifycmd, "-CAfile", $CAcert,
"-untrusted", $P1intermediate, $P1cert]));
ok(run(app([@x509cmd,
"-subject", "-issuer", "-startdate", "-enddate",
"-noout", "-in", $P1cert])),
'Certificate details');
skip 'failure', 2 unless
ok(run(app([@reqcmd, "-config", $P2conf,
"-out", $P2req, "-keyout", $P2key,
@req_new],
stdout => "err.ss")),
'make another proxy cert request');
skip 'failure', 1 unless
ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30",
"-req", "-out", $P2cert,
"-CA", $P1cert, "-CAkey", $P1key,
"-extfile", $P2conf, "-extensions", "v3_proxy"],
stdout => "err.ss")),
'sign second proxy cert request with the first proxy cert');
open OUT, ">", $P2intermediate;
copy($Ucert, \*OUT); copy($P1cert, \*OUT);
close OUT;
run(app([@verifycmd, "-CAfile", $CAcert,
"-untrusted", $P2intermediate, $P2cert]));
ok(run(app([@x509cmd,
"-subject", "-issuer", "-startdate", "-enddate",
"-noout", "-in", $P2cert])),
'Certificate details');
}
}
sub testssl {
my $key = shift || top_file("apps","server.pem");
my $cert = shift || top_file("apps","server.pem");
my $CAtmp = shift;
my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", top_dir("certs"));
my @extra = @_;
my @ssltest = ("ssltest",
"-key", $key, "-cert", $cert,
"-c_key", $key, "-c_cert", $cert);
my $serverinfo = top_file("test","serverinfo.pem");
my $dsa_cert = 0;
if (grep /DSA Public Key/, run(app(["openssl", "x509", "-in", $cert,
"-text", "-noout"]), capture => 1)) {
$dsa_cert = 1;
}
# plan tests => 7;
subtest 'standard SSL tests' => sub {
######################################################################
plan tests => 27;
ok(run(test([@ssltest, "-ssl3", @extra])),
'test sslv3');
ok(run(test([@ssltest, "-ssl3", "-server_auth", @CA, @extra])),
'test sslv3 with server authentication');
ok(run(test([@ssltest, "-ssl3", "-client_auth", @CA, @extra])),
'test sslv3 with client authentication');
ok(run(test([@ssltest, "-ssl3", "-server_auth", "-client_auth", @CA, @extra])),
'test sslv3 with both server and client authentication');
ok(run(test([@ssltest, @extra])),
'test sslv2/sslv3');
ok(run(test([@ssltest, "-server_auth", @CA, @extra])),
'test sslv2/sslv3 with server authentication');
ok(run(test([@ssltest, "-client_auth", @CA, @extra])),
'test sslv2/sslv3 with client authentication');
ok(run(test([@ssltest, "-server_auth", "-client_auth", @CA, @extra])),
'test sslv2/sslv3 with both server and client authentication');
ok(run(test([@ssltest, "-bio_pair", "-ssl3", @extra])),
'test sslv3 via BIO pair');
ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA, @extra])),
'test sslv3 with server authentication via BIO pair');
ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA, @extra])),
'test sslv3 with client authentication via BIO pair');
ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA, @extra])),
'test sslv3 with both server and client authentication via BIO pair');
ok(run(test([@ssltest, "-bio_pair", @extra])),
'test sslv2/sslv3 via BIO pair');
ok(run(test([@ssltest, "-dtls1", @extra])),
'test dtlsv1');
ok(run(test([@ssltest, "-dtls1", "-server_auth", @CA, @extra])),
'test dtlsv1 with server authentication');
ok(run(test([@ssltest, "-dtls1", "-client_auth", @CA, @extra])),
'test dtlsv1 with client authentication');
ok(run(test([@ssltest, "-dtls1", "-server_auth", "-client_auth", @CA, @extra])),
'test dtlsv1 with both server and client authentication');
ok(run(test([@ssltest, "-dtls12", @extra])),
'test dtlsv1.2');
ok(run(test([@ssltest, "-dtls12", "-server_auth", @CA, @extra])),
'test dtlsv1.2 with server authentication');
ok(run(test([@ssltest, "-dtls12", "-client_auth", @CA, @extra])),
'test dtlsv1.2 with client authentication');
ok(run(test([@ssltest, "-dtls12", "-server_auth", "-client_auth", @CA, @extra])),
'test dtlsv1.2 with both server and client authentication');
{
SKIP: {
skip "skipping test of sslv2/sslv3 w/o (EC)DHE test", 1 if $dsa_cert;
ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe", @extra])),
'test sslv2/sslv3 w/o (EC)DHE via BIO pair');
}
}
ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v", @extra])),
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA, @extra])),
'test sslv2/sslv3 with server authentication');
ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA, @extra])),
'test sslv2/sslv3 with client authentication via BIO pair');
ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA, @extra])),
'test sslv2/sslv3 with both client and server authentication via BIO pair');
ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA, @extra])),
'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
};
subtest "Testing ciphersuites" => sub {
my $no_dh = run(app(["openssl", "no-dhparam"], stdout => undef));
my $no_ec = run(app(["openssl", "no-ec"], stdout => undef));
my @protocols = ("TLSv1.2", "SSLv3");
my $protocolciphersuitcount = 0;
my %ciphersuites =
map { my @c =
map { split(/:/, $_) }
map { run(app(["openssl",
"ciphers", "$_"]),
capture => 1);
}
( "RSA+$_",
$no_dh ? () : "EDH+aRSA+$_:-EXP",
$no_ec ? () : "EECDH+aRSA+$_:-EXP" );
chomp @c;
$protocolciphersuitcount += scalar @c;
$_ => [ @c ] } @protocols;
plan tests => $protocolciphersuitcount + ($no_dh ? 0 : 2);
foreach my $protocol (@protocols) {
note "Testing ciphersuites for $protocol";
foreach my $cipher (@{$ciphersuites{$protocol}}) {
ok(run(test([@ssltest, "-cipher", $cipher,
$protocol eq "SSLv3" ? ("-ssl3") : ()])),
"Testing $cipher");
}
if (!$no_dh) {
is(run(test([@ssltest,
"-s_cipher", "EDH",
"-c_cipher", 'EDH:@SECLEVEL=1',
"-dhe512",
$protocol eq "SSLv3" ? ("-ssl3") : ()])), 0,
"testing connection with weak DH, expecting failure");
}
}
};
subtest 'RSA/(EC)DHE/PSK tests' => sub {
######################################################################
plan tests => 5;
{
SKIP: {
skip "skipping anonymous DH tests", 1
if (run(app(["openssl", "no-dhparam"], stdout => undef)));
ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])),
'test tlsv1 with 1024bit anonymous DH, multiple handshakes');
}
}
{
SKIP: {
skip "skipping RSA tests", 2
if (run(app(["openssl", "no-rsa"], stdout => undef)));
ok(run(test(["ssltest", "-v", "-bio_pair", "-tls1", "-cert", top_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time", @extra])),
'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes');
skip "skipping RSA+DHE tests", 1
if (run(app(["openssl", "no-dhparam"], stdout => undef)));
ok(run(test(["ssltest", "-v", "-bio_pair", "-tls1", "-cert", top_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])),
'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes');
}
}
ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])),
'test tls1 with PSK');
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])),
'test tls1 with PSK via BIO pair');
};
subtest 'Next Protocol Negotiation Tests' => sub {
######################################################################
plan tests => 7;
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client"])));
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_server"])));
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_server_reject"])));
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client", "-npn_server_reject"])));
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client", "-npn_server"])));
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client", "-npn_server", "-num", "2"])));
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client", "-npn_server", "-num", "2", "-reuse"])));
};
subtest 'Custom Extension tests' => sub {
######################################################################
plan tests => 1;
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext"])),
'test tls1 with custom extensions');
};
subtest 'Serverinfo tests' => sub {
######################################################################
plan tests => 5;
note('echo test tls1 with serverinfo');
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo])));
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct"])));
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_tack"])));
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"])));
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"])));
};
subtest 'ALPN tests' => sub {
######################################################################
plan tests => 12;
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "foo", "-alpn_server", "bar"])));
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "foo", "-alpn_server", "foo", "-alpn_expected", "foo"])));
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "foo,bar", "-alpn_server", "foo", "-alpn_expected", "foo"])));
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "bar,foo", "-alpn_server", "foo", "-alpn_expected", "foo"])));
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "bar,foo", "-alpn_server", "foo,bar", "-alpn_expected", "foo"])));
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "bar,foo", "-alpn_server", "bar,foo", "-alpn_expected", "bar"])));
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "foo,bar", "-alpn_server", "bar,foo", "-alpn_expected", "bar"])));
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "baz", "-alpn_server", "bar,foo"])));
{
SKIP: {
skip "skipping SRP tests", 4
if run(app(["openssl", "no-srp"], stdout => undef));
ok(run(test([@ssltest, "-tls1", "-cipher", "SRP", "-srpuser", "test", "-srppass", "abc123"])),
'test tls1 with SRP');
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "SRP", "-srpuser", "test", "-srppass", "abc123"])),
'test tls1 with SRP via BIO pair');
ok(run(test([@ssltest, "-tls1", "-cipher", "aSRP", "-srpuser", "test", "-srppass", "abc123"])),
'test tls1 with SRP auth');
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "aSRP", "-srpuser", "test", "-srppass", "abc123"])),
'test tls1 with SRP auth via BIO pair');
}
}
};
subtest 'Multi-buffer tests' => sub {
######################################################################
plan tests => 2;
{
SKIP: {
skip "skipping multi-buffer tests", 2
if @extra || (POSIX::uname())[4] ne "x86_64";
ok(run(test([@ssltest, "-cipher", "AES128-SHA", "-bytes", "8m"])));
ok(run(test([@ssltest, "-cipher", "AES128-SHA256", "-bytes", "8m"])));
}
}
};
}
sub testsslproxy {
my ($a1, $a2, $a3, @rest) = @_;
# plan tests => 16;
note('Testing a lot of proxy conditions.');
note('Some of them may turn out being invalid, which is fine.');
foreach my $auth (('A', 'B', 'C', 'BC')) {
foreach my $cond (('A', 'B', 'C', 'A|B&!C')) {
# Exit code 3 is when ssltest couldn't parse the condition
with({ exit_checker => sub { return shift == 3 ? 0 : 1; } },
sub {
testssl($a1, $a2, $a3,
"-proxy", "-proxy_auth", $auth,
"-proxy_cond", $cond);
});
}
}
}

221
test/recipes/80-test_tsa.t Normal file
View file

@ -0,0 +1,221 @@
#! /usr/bin/perl
use strict;
use warnings;
use POSIX;
use File::Spec::Functions qw/splitdir curdir catfile/;
use File::Compare;
use Test::More;
use OpenSSL::Test qw/:DEFAULT cmdstr top_file/;
setup("test_tsa");
# All these are modified inside indir further down. They need to exist
# here, however, to be available in all subroutines.
my $testtsa;
my $CAtsa;
sub create_ca {
$ENV{TSDNSECT} = "ts_ca_dn";
return
ok(run(app(["openssl", "req", "-new", "-x509", "-nodes",
"-out", "tsaca.pem", "-keyout", "tsacakey.pem"])),
'creating a new CA for the TSA tests');
}
sub create_tsa_cert {
my $INDEX = shift;
my $EXT = shift;
my $r = 1;
$ENV{TSDNSECT} = "ts_ca_dn";
$r *= ok(run(app(["openssl", "req", "-new",
"-out", "tsa_req${INDEX}.pem",
"-keyout", "tsa_key${INDEX}.pem"])));
note "using extension $EXT";
$r *= ok(run(app(["openssl", "x509", "-req",
"-in", "tsa_req${INDEX}.pem",
"-out", "tsa_cert${INDEX}.pem",
"-CA", "tsaca.pem", "-CAkey", "tsacakey.pem",
"-CAcreateserial",
"-extfile", $ENV{OPENSSL_CONF}, "-extensions", $EXT])));
return $r;
}
sub print_request {
my $input = shift;
return ok(run(app(["openssl", "ts", "-query", "-in", $input, "-text"])));
}
sub create_time_stamp_request1 {
return
ok(run(app(["openssl", "ts", "-query", "-data", $testtsa, "-policy", "tsa_policy1", "-cert", "-out", "req1.tsq"])));
}
sub create_time_stamp_request2 {
return
ok(run(app(["openssl", "ts", "-query", "-data", $testtsa, "-policy", "tsa_policy2", "-no_nonce", "-out", "req2.tsq"])));
}
sub create_time_stamp_request3 {
return
ok(run(app(["openssl", "ts", "-query", "-data", $CAtsa, "-no_nonce", "-out", "req3.tsq"])))
}
sub print_response {
my $inputfile = shift;
return
ok(run(app(["openssl", "ts", "-reply", "-in", "$inputfile", "-text"])));
}
sub create_time_stamp_response {
my $queryfile = shift;
my $outputfile = shift;
my $datafile = shift;
return
ok(run(app(["openssl", "ts", "-reply", "-section", "$datafile", "-queryfile", "$queryfile", "-out", "$outputfile"])));
}
sub time_stamp_response_token_test {
my $queryfile = shift;
my $inputfile = shift;
my $RESPONSE2="$inputfile.copy.tsr";
my $TOKEN_DER="$inputfile.token.der";
ok(run(app(["openssl", "ts", "-reply", "-in", "$inputfile", "-out", "$TOKEN_DER", "-token_out"])));
ok(run(app(["openssl", "ts", "-reply", "-in", "$TOKEN_DER", "-token_in", "-out", "$RESPONSE2"])));
is(compare($RESPONSE2, $inputfile), 0);
ok(run(app(["openssl", "ts", "-reply", "-in", "$inputfile", "-text", "-token_out"])));
ok(run(app(["openssl", "ts", "-reply", "-in", "$TOKEN_DER", "-token_in", "-text", "-token_out"])));
ok(run(app(["openssl", "ts", "-reply", "-queryfile", "$queryfile", "-text", "-token_out"])));
}
sub verify_time_stamp_response {
my $queryfile = shift;
my $inputfile = shift;
my $datafile = shift;
ok(run(app(["openssl", "ts", "-verify", "-queryfile", "$queryfile", "-in", "$inputfile", "-CAfile", "tsaca.pem", "-untrusted", "tsa_cert1.pem"])));
ok(run(app(["openssl", "ts", "-verify", "-data", "$datafile", "-in", "$inputfile", "-CAfile", "tsaca.pem", "-untrusted", "tsa_cert1.pem"])));
}
sub verify_time_stamp_token {
my $queryfile = shift;
my $inputfile = shift;
my $datafile = shift;
# create the token from the response first
ok(run(app(["openssl", "ts", "-reply", "-in", "$inputfile", "-out", "$inputfile.token", "-token_out"])));
ok(run(app(["openssl", "ts", "-verify", "-queryfile", "$queryfile", "-in", "$inputfile.token", "-token_in", "-CAfile", "tsaca.pem", "-untrusted", "tsa_cert1.pem"])));
ok(run(app(["openssl", "ts", "-verify", "-data", "$datafile", "-in", "$inputfile.token", "-token_in", "-CAfile", "tsaca.pem", "-untrusted", "tsa_cert1.pem"])));
}
sub verify_time_stamp_response_fail {
my $queryfile = shift;
my $inputfile = shift;
ok(!run(app(["openssl", "ts", "-verify", "-queryfile", "$queryfile", "-in", "$inputfile", "-CAfile", "tsaca.pem", "-untrusted", "tsa_cert1.pem"])));
}
# main functions
indir "tsa" => sub {
$ENV{OPENSSL_CONF} = top_file("test", "CAtsa.cnf");
# Because that's what ../apps/CA.pl really looks at
$ENV{SSLEAY_CONFIG} = "-config ".$ENV{OPENSSL_CONF};
$ENV{OPENSSL} = cmdstr(app(["openssl"]));
$testtsa = top_file("test", "recipes", "80-test_tsa.t");
$CAtsa = top_file("test", "CAtsa.cnf");
plan tests => 20;
SKIP: {
skip "failed", 19
if !subtest 'creating CA for TSA tests' => sub { create_ca };
skip "failed", 18
if !subtest 'creating tsa_cert1.pem TSA server cert' => sub {
create_tsa_cert("1", "tsa_cert")
};
skip "failed", 17
if !subtest 'creating tsa_cert2.pem non-TSA server cert' => sub {
create_tsa_cert("2", "non_tsa_cert")
};
skip "failed", 16
if !subtest 'creating req1.req time stamp request for file testtsa' => sub {
create_time_stamp_request1()
};
subtest 'printing req1.req' => sub {
print_request("req1.tsq")
};
subtest 'generating valid response for req1.req' => sub {
create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1")
};
subtest 'printing response' => sub {
print_response("resp1.tsr")
};
subtest 'verifying valid response' => sub {
verify_time_stamp_response("req1.tsq", "resp1.tsr", $testtsa)
};
subtest 'verifying valid token' => sub {
verify_time_stamp_token("req1.tsq", "resp1.tsr", $testtsa)
};
subtest 'creating req2.req time stamp request for file testtsa' => sub {
create_time_stamp_request2()
};
subtest 'printing req2.req' => sub {
print_request("req2.tsq")
};
subtest 'generating valid response for req2.req' => sub {
create_time_stamp_response("req2.tsq", "resp2.tsr", "tsa_config1")
};
subtest 'checking -token_in and -token_out options with -reply' => sub {
time_stamp_response_token_test("req2.tsq", "resp2.tsr")
};
subtest 'printing response' => sub {
print_response("resp2.tsr")
};
subtest 'verifying valid response' => sub {
verify_time_stamp_response("req2.tsq", "resp2.tsr", $testtsa)
};
subtest 'verifying response against wrong request, it should fail' => sub {
verify_time_stamp_response_fail("req1.tsq", "resp2.tsr")
};
subtest 'verifying response against wrong request, it should fail' => sub {
verify_time_stamp_response_fail("req2.tsq", "resp1.tsr")
};
subtest 'creating req3.req time stamp request for file CAtsa.cnf' => sub {
create_time_stamp_request3()
};
subtest 'printing req3.req' => sub {
print_request("req3.tsq")
};
subtest 'verifying response against wrong request, it should fail' => sub {
verify_time_stamp_response_fail("req3.tsq", "resp1.tsr")
};
}
}, cleanup => 1, create => 1;