authorinoguchi <>2019-06-27 09:34:06 +0000
committerinoguchi <>2019-06-27 09:34:06 +0000
commit2fcc42bbd981d41372ccd00c22185ea1559bcb97 (patch)
treeef94d00159ef160a386c23c4f8a3440dacf8827b
parent87695df387167f446663078bc72a06660561bb7c (diff)
Add more option tests to req, ts, x509 and verify in appstest.sh
-rwxr-xr-xsrc/regress/usr.bin/openssl/appstest.sh59
1 files changed, 42 insertions, 17 deletions
diff --git a/src/regress/usr.bin/openssl/appstest.sh b/src/regress/usr.bin/openssl/appstest.sh
index d1a81f7883..7c916958a0 100755
--- a/src/regress/usr.bin/openssl/appstest.sh
+++ b/src/regress/usr.bin/openssl/appstest.sh
@@ -1,6 +1,6 @@
1#!/bin/sh 1#!/bin/sh
2# 2#
3# $OpenBSD: appstest.sh,v 1.21 2019/06/24 15:17:36 inoguchi Exp $ 3# $OpenBSD: appstest.sh,v 1.22 2019/06/27 09:34:06 inoguchi Exp $
4# 4#
5# Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org> 5# Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org>
6# 6#
@@ -580,9 +580,13 @@ __EOF__
580 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testCA.test_dummy.com\' 580 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testCA.test_dummy.com\'
581 fi 581 fi
582 582
583 $openssl_bin req -new -x509 -newkey rsa:2048 -out $ca_cert \ 583 $openssl_bin req -new -x509 -batch -newkey rsa:2048 \
584 -keyout $ca_key -days 1 -passout pass:$ca_pass -batch \ 584 -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 \
585 -subj $subj 585 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \
586 -config $ssldir/openssl.cnf -verbose \
587 -subj $subj -days 1 -set_serial 1 -multivalue-rdn \
588 -keyout $ca_key -passout pass:$ca_pass \
589 -out $ca_cert -outform pem
586 check_exit_status $? 590 check_exit_status $?
587 591
588 #---------#---------#---------#---------#---------#---------#--------- 592 #---------#---------#---------#---------#---------#---------#---------
@@ -604,7 +608,7 @@ __EOF__
604 fi 608 fi
605 609
606 $openssl_bin req -new -keyout $tsa_key -out $tsa_csr \ 610 $openssl_bin req -new -keyout $tsa_key -out $tsa_csr \
607 -passout pass:$tsa_pass -subj $subj 611 -passout pass:$tsa_pass -subj $subj -asn1-kludge
608 check_exit_status $? 612 check_exit_status $?
609 613
610 start_message "ca ... sign by CA with TSA extensions" 614 start_message "ca ... sign by CA with TSA extensions"
@@ -637,7 +641,7 @@ __EOF__
637 fi 641 fi
638 642
639 $openssl_bin req -new -keyout $ocsp_key -nodes -out $ocsp_csr \ 643 $openssl_bin req -new -keyout $ocsp_key -nodes -out $ocsp_csr \
640 -subj $subj 644 -subj $subj -no-asn1-kludge
641 check_exit_status $? 645 check_exit_status $?
642 646
643 start_message "ca ... sign by CA with OCSP extensions" 647 start_message "ca ... sign by CA with OCSP extensions"
@@ -655,8 +659,6 @@ __EOF__
655 # --- server-admin operations (generate server key and csr) --- 659 # --- server-admin operations (generate server key and csr) ---
656 section_message "server-admin operations (generate server key and csr)" 660 section_message "server-admin operations (generate server key and csr)"
657 661
658 start_message "req ... generate server csr#1"
659
660 server_key=$server_dir/server_key.pem 662 server_key=$server_dir/server_key.pem
661 server_csr=$server_dir/server_csr.pem 663 server_csr=$server_dir/server_csr.pem
662 server_pass=test-server-pass 664 server_pass=test-server-pass
@@ -667,10 +669,26 @@ __EOF__
667 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=localhost.test_dummy.com\' 669 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=localhost.test_dummy.com\'
668 fi 670 fi
669 671
670 $openssl_bin req -new -keyout $server_key -out $server_csr \ 672 start_message "genrsa ... generate server key#1"
671 -passout pass:$server_pass -subj $subj 673
674 $openssl_bin genrsa -aes256 -passout pass:$server_pass -out $server_key
675 check_exit_status $?
676
677 start_message "req ... generate server csr#1"
678
679 $openssl_bin req -new -subj $subj -sha256 \
680 -key $server_key -keyform pem -passin pass:$server_pass \
681 -out $server_csr -outform pem
672 check_exit_status $? 682 check_exit_status $?
673 683
684 start_message "req ... verify server csr#1"
685
686 $openssl_bin req -verify -in $server_csr -inform pem \
687 -newhdr -noout -pubkey -subject -modulus -text \
688 -nameopt multiline -reqopt compatible \
689 -out $server_csr.verify.out
690 check_exit_status $?
691
674 start_message "req ... generate server csr#2 (interactive mode)" 692 start_message "req ... generate server csr#2 (interactive mode)"
675 693
676 revoke_key=$server_dir/revoke_key.pem 694 revoke_key=$server_dir/revoke_key.pem
@@ -701,7 +719,9 @@ __EOF__
701 start_message "x509 ... issue cert for server csr#2" 719 start_message "x509 ... issue cert for server csr#2"
702 720
703 revoke_cert=$server_dir/revoke_cert.pem 721 revoke_cert=$server_dir/revoke_cert.pem
704 $openssl_bin x509 -req -in $revoke_csr -CA $ca_cert -CAkey $ca_key \ 722 $openssl_bin x509 -req -in $revoke_csr -CA $ca_cert -CAform pem \
723 -CAkey $ca_key -CAkeyform pem \
724 -CAserial $ca_dir/serial -set_serial 10 \
705 -passin pass:$ca_pass -CAcreateserial -out $revoke_cert 725 -passin pass:$ca_pass -CAcreateserial -out $revoke_cert
706 check_exit_status $? 726 check_exit_status $?
707 727
@@ -744,14 +764,17 @@ __EOF__
744 check_exit_status $? 764 check_exit_status $?
745 765
746 start_message "verify ... server cert#1" 766 start_message "verify ... server cert#1"
747 $openssl_bin verify -verbose -CAfile $ca_cert $server_cert 767 $openssl_bin verify -verbose -CAfile $ca_cert -CRLfile $crl_file \
768 -crl_check -issuer_checks -purpose sslserver $server_cert
748 check_exit_status $? 769 check_exit_status $?
749 770
750 start_message "x509 ... get detail info about server cert#1" 771 start_message "x509 ... get detail info about server cert#1"
751 $openssl_bin x509 -in $server_cert -text -C -dates -startdate -enddate \ 772 $openssl_bin x509 -in $server_cert -text -C -dates -startdate -enddate \
752 -fingerprint -issuer -issuer_hash -issuer_hash_old \ 773 -fingerprint -issuer -issuer_hash -issuer_hash_old \
753 -subject -subject_hash -subject_hash_old -ocsp_uri \ 774 -subject -hash -subject_hash -subject_hash_old -ocsp_uri \
754 -ocspid -modulus -pubkey -serial -email > $server_cert.x509.out 775 -ocspid -modulus -pubkey -serial -email -noout -trustout \
776 -alias -clrtrust -clrreject -next_serial -checkend 3600 \
777 -nameopt multiline -certopt compatible > $server_cert.x509.out
755 check_exit_status $? 778 check_exit_status $?
756 779
757 if [ $mingw = 0 ] ; then 780 if [ $mingw = 0 ] ; then
@@ -763,8 +786,9 @@ __EOF__
763 # self signed 786 # self signed
764 start_message "x509 ... generate self signed server cert" 787 start_message "x509 ... generate self signed server cert"
765 server_self_cert=$server_dir/server_self_cert.pem 788 server_self_cert=$server_dir/server_self_cert.pem
766 $openssl_bin x509 -in $server_cert -signkey $server_key \ 789 $openssl_bin x509 -in $server_cert -signkey $server_key -keyform pem \
767 -passin pass:$server_pass -out $server_self_cert 790 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \
791 -passin pass:$server_pass -out $server_self_cert -days 1
768 check_exit_status $? 792 check_exit_status $?
769 793
770 #---------#---------#---------#---------#---------#---------#--------- 794 #---------#---------#---------#---------#---------#---------#---------
@@ -882,7 +906,8 @@ __EOF__
882 906
883 $openssl_bin ts -reply -queryfile $tsa_tsq -inkey $tsa_key \ 907 $openssl_bin ts -reply -queryfile $tsa_tsq -inkey $tsa_key \
884 -passin pass:$tsa_pass -signer $tsa_cert -chain $ca_cert \ 908 -passin pass:$tsa_pass -signer $tsa_cert -chain $ca_cert \
885 -out $tsa_tsr 909 -config $ssldir/openssl.cnf -section tsa_config1 -cert \
910 -policy 1.3.6.1.4.1.4146.2.3 -out $tsa_tsr
886 check_exit_status $? 911 check_exit_status $?
887 912
888 # Verify 913 # Verify
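Review bot: The `verify ... server cert#1` step now passes `-CRLfile $crl_file -crl_check`, but only the accepting path is asserted, so the test would still pass if the CRL were loaded and never consulted. A companion case that runs the same command against the revoked certificate and expects a non-zero exit would show that revocation is enforced, e.g. `$openssl_bin verify -CAfile $ca_cert -CRLfile $crl_file -crl_check $revoke_cert` followed by a check that `$?` is not 0. This assumes `$revoke_cert` is the certificate the script revokes and that `$crl_file` is generated before this point, neither of which is visible in the hunks shown. `check_exit_status` looks unsuitable for the negative case as written, since every visible call site follows a command that is expected to succeed.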