authorcvs2svn <admin@example.com>2018-11-07 01:08:50 +0000
committercvs2svn <admin@example.com>2018-11-07 01:08:50 +0000
commit2035faf3f8aa95b888d9416c3cc7328c0ea18beb (patch)
treef08a08d357c5d30455c569890f747c1d9b241316 /src/regress/usr.bin/openssl/appstest.sh
parentbe03b61c1b8f59ccdd34dbe5f6c6b30de697d28b (diff)
This commit was manufactured by cvs2git to create tag 'bluhm_20181106'.bluhm_20181106
Diffstat (limited to 'src/regress/usr.bin/openssl/appstest.sh')
-rwxr-xr-xsrc/regress/usr.bin/openssl/appstest.sh1237
1 files changed, 0 insertions, 1237 deletions
diff --git a/src/regress/usr.bin/openssl/appstest.sh b/src/regress/usr.bin/openssl/appstest.sh
deleted file mode 100755
index 788870fab1..0000000000
--- a/src/regress/usr.bin/openssl/appstest.sh
+++ /dev/null
@@ -1,1237 +0,0 @@
1#!/bin/sh
2#
3# $OpenBSD: appstest.sh,v 1.15 2018/09/15 13:26:13 inoguchi Exp $
4#
5# Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org>
6#
7# Permission to use, copy, modify, and distribute this software for any
8# purpose with or without fee is hereby granted, provided that the above
9# copyright notice and this permission notice appear in all copies.
10#
11# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19#
20# appstest.sh - test script for openssl command according to man OPENSSL(1)
21#
22# input : none
23# output : all files generated by this script go under $ssldir
24#
25
26function section_message {
27 echo ""
28 echo "#---------#---------#---------#---------#---------#---------#---------#--------"
29 echo "==="
30 echo "=== (Section) $1 `date +'%Y/%m/%d %H:%M:%S'`"
31 echo "==="
32}
33
34function start_message {
35 echo ""
36 echo "[TEST] $1"
37}
38
39function stop_s_server {
40 if [ ! -z "$s_server_pid" ] ; then
41 echo ":-| stop s_server [ $s_server_pid ]"
42 sleep 1
43 kill -TERM $s_server_pid
44 wait $s_server_pid
45 s_server_pid=
46 fi
47}
48
49function check_exit_status {
50 status=$1
51 if [ $status -ne 0 ] ; then
52 stop_s_server
53 echo ":-< error occurs, exit status = [ $status ]"
54 exit $status
55 else
56 echo ":-) success. "
57 fi
58}
59
60function usage {
61 echo "usage: appstest.sh [-iq]"
62}
63
64function test_usage_lists_others {
65 # === COMMAND USAGE ===
66 section_message "COMMAND USAGE"
67
68 start_message "output usages of all commands."
69
70 cmds=`$openssl_bin list-standard-commands`
71 $openssl_bin -help 2>> $user1_dir/usages.out
72 for c in $cmds ; do
73 $openssl_bin $c -help 2>> $user1_dir/usages.out
74 done
75
76 start_message "check all list-* commands."
77
78 lists=""
79 lists="$lists list-standard-commands"
80 lists="$lists list-message-digest-commands list-message-digest-algorithms"
81 lists="$lists list-cipher-commands list-cipher-algorithms"
82 lists="$lists list-public-key-algorithms"
83
84 listsfile=$user1_dir/lists.out
85
86 for l in $lists ; do
87 echo "" >> $listsfile
88 echo "$l" >> $listsfile
89 $openssl_bin $l >> $listsfile
90 done
91
92 start_message "check interactive mode"
93 $openssl_bin <<__EOF__
94help
95quit
96__EOF__
97 check_exit_status $?
98
99 #---------#---------#---------#---------#---------#---------#---------
100
101 # --- listing operations ---
102 section_message "listing operations"
103
104 start_message "ciphers"
105 $openssl_bin ciphers -V
106 check_exit_status $?
107
108 start_message "errstr"
109 $openssl_bin errstr 2606A074
110 check_exit_status $?
111 $openssl_bin errstr -stats 2606A074 > $user1_dir/errstr-stats.out
112 check_exit_status $?
113
114 #---------#---------#---------#---------#---------#---------#---------
115
116 # --- random number etc. operations ---
117 section_message "random number etc. operations"
118
119 start_message "passwd"
120
121 pass="test-pass-1234"
122
123 echo $pass | $openssl_bin passwd -stdin -1
124 check_exit_status $?
125
126 echo $pass | $openssl_bin passwd -stdin -apr1
127 check_exit_status $?
128
129 echo $pass | $openssl_bin passwd -stdin -crypt
130 check_exit_status $?
131
132 start_message "prime"
133
134 $openssl_bin prime 1
135 check_exit_status $?
136
137 $openssl_bin prime 2
138 check_exit_status $?
139
140 $openssl_bin prime -bits 64 -checks 3 -generate -hex -safe 5
141 check_exit_status $?
142
143 start_message "rand"
144
145 $openssl_bin rand -base64 100
146 check_exit_status $?
147
148 $openssl_bin rand -hex 100
149 check_exit_status $?
150}
151
152function test_md {
153 # === MESSAGE DIGEST COMMANDS ===
154 section_message "MESSAGE DIGEST COMMANDS"
155
156 start_message "dgst - See [MESSAGE DIGEST COMMANDS] section."
157
158 text="1234567890abcdefghijklmnopqrstuvwxyz"
159 dgstdat=$user1_dir/dgst.dat
160 echo $text > $dgstdat
161 hmac_key="test-hmac-key"
162 cmac_key="1234567890abcde1234567890abcde12"
163
164 digests=`$openssl_bin list-message-digest-commands`
165
166 for d in $digests ; do
167
168 echo -n "$d ... "
169 $openssl_bin dgst -$d -out $dgstdat.$d $dgstdat
170 check_exit_status $?
171
172 echo -n "$d HMAC ... "
173 $openssl_bin dgst -$d -hmac $hmac_key -out $dgstdat.$d.hmac \
174 $dgstdat
175 check_exit_status $?
176
177 echo -n "$d CMAC ... "
178 $openssl_bin dgst -$d -mac cmac -macopt cipher:aes-128-cbc \
179 -macopt hexkey:$cmac_key -out $dgstdat.$d.cmac $dgstdat
180 check_exit_status $?
181 done
182}
183
184function test_encoding_cipher {
185 # === ENCODING AND CIPHER COMMANDS ===
186 section_message "ENCODING AND CIPHER COMMANDS"
187
188 start_message "enc - See [ENCODING AND CIPHER COMMANDS] section."
189
190 text="1234567890abcdefghijklmnopqrstuvwxyz"
191 encfile=$user1_dir/encfile.dat
192 echo $text > $encfile
193 pass="test-pass-1234"
194
195 ciphers=`$openssl_bin list-cipher-commands`
196
197 for c in $ciphers ; do
198 echo -n "$c ... encoding ... "
199 $openssl_bin enc -$c -e -base64 -pass pass:$pass \
200 -in $encfile -out $encfile-$c.enc
201 check_exit_status $?
202
203 echo -n "decoding ... "
204 $openssl_bin enc -$c -d -base64 -pass pass:$pass \
205 -in $encfile-$c.enc -out $encfile-$c.dec
206 check_exit_status $?
207
208 echo -n "cmp ... "
209 cmp $encfile $encfile-$c.dec
210 check_exit_status $?
211 done
212}
213
214function test_key {
215 # === various KEY operations ===
216 section_message "various KEY operations"
217
218 key_pass=test-key-pass
219
220 # DH
221
222 start_message "gendh - Obsoleted by dhparam."
223 gendh2=$key_dir/gendh2.pem
224 $openssl_bin gendh -2 -out $gendh2
225 check_exit_status $?
226
227 start_message "dh - Obsoleted by dhparam."
228 $openssl_bin dh -in $gendh2 -check -text -out $gendh2.out
229 check_exit_status $?
230
231 if [ $no_long_tests = 0 ] ; then
232 start_message "dhparam - Superseded by genpkey and pkeyparam."
233 dhparam2=$key_dir/dhparam2.pem
234 $openssl_bin dhparam -2 -out $dhparam2
235 check_exit_status $?
236 $openssl_bin dhparam -in $dhparam2 -check -text \
237 -out $dhparam2.out
238 check_exit_status $?
239 else
240 start_message "SKIPPING dhparam - Superseded by genpkey and pkeyparam. (quick mode)"
241 fi
242
243 # DSA
244
245 start_message "dsaparam - Superseded by genpkey and pkeyparam."
246 dsaparam512=$key_dir/dsaparam512.pem
247 $openssl_bin dsaparam -genkey -out $dsaparam512 512
248 check_exit_status $?
249
250 start_message "dsa"
251 $openssl_bin dsa -in $dsaparam512 -text -out $dsaparam512.out
252 check_exit_status $?
253
254 start_message "gendsa - Superseded by genpkey and pkey."
255 gendsa_des3=$key_dir/gendsa_des3.pem
256 $openssl_bin gendsa -des3 -out $gendsa_des3 \
257 -passout pass:$key_pass $dsaparam512
258 check_exit_status $?
259
260 # RSA
261
262 start_message "genrsa - Superseded by genpkey."
263 genrsa_aes256=$key_dir/genrsa_aes256.pem
264 $openssl_bin genrsa -f4 -aes256 -out $genrsa_aes256 \
265 -passout pass:$key_pass 2048
266 check_exit_status $?
267
268 start_message "rsa"
269 $openssl_bin rsa -in $genrsa_aes256 -passin pass:$key_pass \
270 -check -text -out $genrsa_aes256.out
271 check_exit_status $?
272
273 start_message "rsautl - Superseded by pkeyutl."
274 rsautldat=$key_dir/rsautl.dat
275 rsautlsig=$key_dir/rsautl.sig
276 echo "abcdefghijklmnopqrstuvwxyz1234567890" > $rsautldat
277
278 $openssl_bin rsautl -sign -in $rsautldat -inkey $genrsa_aes256 \
279 -passin pass:$key_pass -out $rsautlsig
280 check_exit_status $?
281
282 $openssl_bin rsautl -verify -in $rsautlsig -inkey $genrsa_aes256 \
283 -passin pass:$key_pass
284 check_exit_status $?
285
286 # EC
287
288 start_message "ecparam -list-curves"
289 $openssl_bin ecparam -list_curves
290 check_exit_status $?
291
292 # get all EC curves
293 ec_curves=`$openssl_bin ecparam -list_curves | grep ':' | cut -d ':' -f 1`
294
295 start_message "ecparam and ec"
296
297 for curve in $ec_curves ;
298 do
299 ecparam=$key_dir/ecparam_$curve.pem
300
301 echo -n "ec - $curve ... ecparam ... "
302 $openssl_bin ecparam -out $ecparam -name $curve -genkey \
303 -param_enc explicit -conv_form compressed -C
304 check_exit_status $?
305
306 echo -n "ec ... "
307 $openssl_bin ec -in $ecparam -text \
308 -out $ecparam.out 2> /dev/null
309 check_exit_status $?
310 done
311
312 # PKEY
313
314 start_message "genpkey"
315
316 # DH by GENPKEY
317
318 genpkey_dh_param=$key_dir/genpkey_dh_param.pem
319 $openssl_bin genpkey -genparam -algorithm DH -out $genpkey_dh_param \
320 -pkeyopt dh_paramgen_prime_len:1024
321 check_exit_status $?
322
323 genpkey_dh=$key_dir/genpkey_dh.pem
324 $openssl_bin genpkey -paramfile $genpkey_dh_param -out $genpkey_dh
325 check_exit_status $?
326
327 # DSA by GENPKEY
328
329 genpkey_dsa_param=$key_dir/genpkey_dsa_param.pem
330 $openssl_bin genpkey -genparam -algorithm DSA -out $genpkey_dsa_param \
331 -pkeyopt dsa_paramgen_bits:1024
332 check_exit_status $?
333
334 genpkey_dsa=$key_dir/genpkey_dsa.pem
335 $openssl_bin genpkey -paramfile $genpkey_dsa_param -out $genpkey_dsa
336 check_exit_status $?
337
338 # RSA by GENPKEY
339
340 genpkey_rsa=$key_dir/genpkey_rsa.pem
341 $openssl_bin genpkey -algorithm RSA -out $genpkey_rsa \
342 -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3
343 check_exit_status $?
344
345 # EC by GENPKEY
346
347 genpkey_ec_param=$key_dir/genpkey_ec_param.pem
348 $openssl_bin genpkey -genparam -algorithm EC -out $genpkey_ec_param \
349 -pkeyopt ec_paramgen_curve:secp384r1
350 check_exit_status $?
351
352 genpkey_ec=$key_dir/genpkey_ec.pem
353 $openssl_bin genpkey -paramfile $genpkey_ec_param -out $genpkey_ec
354 check_exit_status $?
355
356 start_message "pkeyparam"
357
358 $openssl_bin pkeyparam -in $genpkey_dh_param -text \
359 -out $genpkey_dh_param.out
360 check_exit_status $?
361
362 $openssl_bin pkeyparam -in $genpkey_dsa_param -text \
363 -out $genpkey_dsa_param.out
364 check_exit_status $?
365
366 $openssl_bin pkeyparam -in $genpkey_ec_param -text \
367 -out $genpkey_ec_param.out
368 check_exit_status $?
369
370 start_message "pkey"
371
372 $openssl_bin pkey -in $genpkey_dh -text -out $genpkey_dh.out
373 check_exit_status $?
374
375 $openssl_bin pkey -in $genpkey_dsa -text -out $genpkey_dsa.out
376 check_exit_status $?
377
378 $openssl_bin pkey -in $genpkey_rsa -text -out $genpkey_rsa.out
379 check_exit_status $?
380
381 $openssl_bin pkey -in $genpkey_ec -text -out $genpkey_ec.out
382 check_exit_status $?
383
384 start_message "pkeyutl"
385
386 pkeyutldat=$key_dir/pkeyutl.dat
387 pkeyutlsig=$key_dir/pkeyutl.sig
388 echo "abcdefghijklmnopqrstuvwxyz1234567890" > $pkeyutldat
389
390 $openssl_bin pkeyutl -sign -in $pkeyutldat -inkey $genpkey_rsa \
391 -out $pkeyutlsig
392 check_exit_status $?
393
394 $openssl_bin pkeyutl -verify -in $pkeyutldat -sigfile $pkeyutlsig \
395 -inkey $genpkey_rsa
396 check_exit_status $?
397
398 $openssl_bin pkeyutl -verifyrecover -in $pkeyutlsig -inkey $genpkey_rsa
399 check_exit_status $?
400}
401
402function test_pki {
403 section_message "setup local CA"
404
405 #
406 # prepare test openssl.cnf
407 #
408
409 cat << __EOF__ > $ssldir/openssl.cnf
410oid_section = new_oids
411[ new_oids ]
412tsa_policy1 = 1.2.3.4.1
413tsa_policy2 = 1.2.3.4.5.6
414tsa_policy3 = 1.2.3.4.5.7
415[ ca ]
416default_ca = CA_default
417[ CA_default ]
418dir = ./$ca_dir
419crl_dir = \$dir/crl
420database = \$dir/index.txt
421new_certs_dir = \$dir/newcerts
422serial = \$dir/serial
423crlnumber = \$dir/crlnumber
424default_days = 1
425default_md = default
426policy = policy_match
427[ policy_match ]
428countryName = match
429stateOrProvinceName = match
430organizationName = match
431organizationalUnitName = optional
432commonName = supplied
433emailAddress = optional
434[ req ]
435distinguished_name = req_distinguished_name
436[ req_distinguished_name ]
437countryName = Country Name
438countryName_default = JP
439countryName_min = 2
440countryName_max = 2
441stateOrProvinceName = State or Province Name
442stateOrProvinceName_default = Tokyo
443organizationName = Organization Name
444organizationName_default = TEST_DUMMY_COMPANY
445commonName = Common Name
446[ tsa ]
447default_tsa = tsa_config1
448[ tsa_config1 ]
449dir = ./$tsa_dir
450serial = \$dir/serial
451crypto_device = builtin
452digests = sha1, sha256, sha384, sha512
453default_policy = tsa_policy1
454other_policies = tsa_policy2, tsa_policy3
455[ tsa_ext ]
456keyUsage = critical,nonRepudiation
457extendedKeyUsage = critical,timeStamping
458[ ocsp_ext ]
459basicConstraints = CA:FALSE
460keyUsage = nonRepudiation,digitalSignature,keyEncipherment
461extendedKeyUsage = OCSPSigning
462__EOF__
463
464 #---------#---------#---------#---------#---------#---------#---------
465
466 #
467 # setup test CA
468 #
469
470 mkdir -p $ca_dir
471 mkdir -p $tsa_dir
472 mkdir -p $ocsp_dir
473 mkdir -p $server_dir
474
475 mkdir -p $ca_dir/certs
476 mkdir -p $ca_dir/private
477 mkdir -p $ca_dir/crl
478 mkdir -p $ca_dir/newcerts
479 chmod 700 $ca_dir/private
480 echo "01" > $ca_dir/serial
481 touch $ca_dir/index.txt
482 touch $ca_dir/crlnumber
483 echo "01" > $ca_dir/crlnumber
484
485 #
486 # setup test TSA
487 #
488 mkdir -p $tsa_dir/private
489 chmod 700 $tsa_dir/private
490 echo "01" > $tsa_dir/serial
491 touch $tsa_dir/index.txt
492
493 #
494 # setup test OCSP
495 #
496 mkdir -p $ocsp_dir/private
497 chmod 700 $ocsp_dir/private
498
499 #---------#---------#---------#---------#---------#---------#---------
500
501 # --- CA initiate (generate CA key and cert) ---
502
503 start_message "req ... generate CA key and self signed cert"
504
505 ca_cert=$ca_dir/ca_cert.pem
506 ca_key=$ca_dir/private/ca_key.pem ca_pass=test-ca-pass
507
508 if [ $mingw = 0 ] ; then
509 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testCA.test_dummy.com/'
510 else
511 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testTSA.test_dummy.com\'
512 fi
513
514 $openssl_bin req -new -x509 -newkey rsa:2048 -out $ca_cert \
515 -keyout $ca_key -days 1 -passout pass:$ca_pass -batch \
516 -subj $subj
517 check_exit_status $?
518
519 #---------#---------#---------#---------#---------#---------#---------
520
521 # --- TSA initiate (generate TSA key and cert) ---
522
523 start_message "req ... generate TSA key and cert"
524
525 # generate CSR for TSA
526
527 tsa_csr=$tsa_dir/tsa_csr.pem
528 tsa_key=$tsa_dir/private/tsa_key.pem
529 tsa_pass=test-tsa-pass
530
531 if [ $mingw = 0 ] ; then
532 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testTSA.test_dummy.com/'
533 else
534 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testTSA.test_dummy.com\'
535 fi
536
537 $openssl_bin req -new -keyout $tsa_key -out $tsa_csr \
538 -passout pass:$tsa_pass -subj $subj
539 check_exit_status $?
540
541 start_message "ca ... sign by CA with TSA extensions"
542
543 tsa_cert=$tsa_dir/tsa_cert.pem
544
545 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
546 -in $tsa_csr -out $tsa_cert -extensions tsa_ext
547 check_exit_status $?
548
549 #---------#---------#---------#---------#---------#---------#---------
550
551 # --- OCSP initiate (generate OCSP key and cert) ---
552
553 start_message "req ... generate OCSP key and cert"
554
555 # generate CSR for OCSP
556
557 ocsp_csr=$ocsp_dir/ocsp_csr.pem
558 ocsp_key=$ocsp_dir/private/ocsp_key.pem
559
560 if [ $mingw = 0 ] ; then
561 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testOCSP.test_dummy.com/'
562 else
563 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testOCSP.test_dummy.com\'
564 fi
565
566 $openssl_bin req -new -keyout $ocsp_key -nodes -out $ocsp_csr \
567 -subj $subj
568 check_exit_status $?
569
570 start_message "ca ... sign by CA with OCSP extensions"
571
572 ocsp_cert=$ocsp_dir/ocsp_cert.pem
573
574 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
575 -in $ocsp_csr -out $ocsp_cert -extensions ocsp_ext
576 check_exit_status $?
577
578 #---------#---------#---------#---------#---------#---------#---------
579
580 # --- server-admin operations (generate server key and csr) ---
581 section_message "server-admin operations (generate server key and csr)"
582
583 start_message "req ... generate server csr#1"
584
585 server_key=$server_dir/server_key.pem
586 server_csr=$server_dir/server_csr.pem
587 server_pass=test-server-pass
588
589 if [ $mingw = 0 ] ; then
590 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=localhost.test_dummy.com/'
591 else
592 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=localhost.test_dummy.com\'
593 fi
594
595 $openssl_bin req -new -keyout $server_key -out $server_csr \
596 -passout pass:$server_pass -subj $subj
597 check_exit_status $?
598
599 start_message "req ... generate server csr#2 (interactive mode)"
600
601 revoke_key=$server_dir/revoke_key.pem
602 revoke_csr=$server_dir/revoke_csr.pem
603 revoke_pass=test-revoke-pass
604
605 $openssl_bin req -new -keyout $revoke_key -out $revoke_csr \
606 -passout pass:$revoke_pass <<__EOF__
607JP
608Tokyo
609TEST_DUMMY_COMPANY
610revoke.test_dummy.com
611__EOF__
612 check_exit_status $?
613
614 #---------#---------#---------#---------#---------#---------#---------
615
616 # --- CA operations (issue cert for server) ---
617 section_message "CA operations (issue cert for server)"
618
619 start_message "ca ... issue cert for server csr#1"
620
621 server_cert=$server_dir/server_cert.pem
622 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
623 -in $server_csr -out $server_cert
624 check_exit_status $?
625
626 start_message "x509 ... issue cert for server csr#2"
627
628 revoke_cert=$server_dir/revoke_cert.pem
629 $openssl_bin x509 -req -in $revoke_csr -CA $ca_cert -CAkey $ca_key \
630 -passin pass:$ca_pass -CAcreateserial -out $revoke_cert
631 check_exit_status $?
632
633 #---------#---------#---------#---------#---------#---------#---------
634
635 # --- CA operations (revoke cert and generate crl) ---
636 section_message "CA operations (revoke cert and generate crl)"
637
638 start_message "ca ... revoke server cert#2"
639 crl_file=$ca_dir/crl.pem
640 $openssl_bin ca -gencrl -out $crl_file -crldays 30 \
641 -revoke $revoke_cert \
642 -keyfile $ca_key -passin pass:$ca_pass -cert $ca_cert
643 check_exit_status $?
644
645 start_message "crl ... CA generates CRL"
646 $openssl_bin crl -in $crl_file -fingerprint
647 check_exit_status $?
648
649 crl_p7=$ca_dir/crl.p7
650 start_message "crl2pkcs7 ... convert CRL to pkcs7"
651 $openssl_bin crl2pkcs7 -in $crl_file -certfile $ca_cert -out $crl_p7
652 check_exit_status $?
653
654 #---------#---------#---------#---------#---------#---------#---------
655
656 # --- server-admin operations (check csr, verify cert, certhash) ---
657 section_message "server-admin operations (check csr, verify cert, certhash)"
658
659 start_message "asn1parse ... parse server csr#1"
660 $openssl_bin asn1parse -in $server_csr -i -dlimit 100 -length 1000 \
661 -strparse 01 > $server_csr.asn1parse.out
662 check_exit_status $?
663
664 start_message "verify ... server cert#1"
665 $openssl_bin verify -verbose -CAfile $ca_cert $server_cert
666 check_exit_status $?
667
668 start_message "x509 ... get detail info about server cert#1"
669 $openssl_bin x509 -in $server_cert -text -C -dates -startdate -enddate \
670 -fingerprint -issuer -issuer_hash -issuer_hash_old \
671 -subject -subject_hash -subject_hash_old -ocsp_uri \
672 -ocspid -modulus -pubkey -serial -email > $server_cert.x509.out
673 check_exit_status $?
674
675 if [ $mingw = 0 ] ; then
676 start_message "certhash"
677 $openssl_bin certhash -v $server_dir
678 check_exit_status $?
679 fi
680
681 # self signed
682 start_message "x509 ... generate self signed server cert"
683 server_self_cert=$server_dir/server_self_cert.pem
684 $openssl_bin x509 -in $server_cert -signkey $server_key \
685 -passin pass:$server_pass -out $server_self_cert
686 check_exit_status $?
687
688 #---------#---------#---------#---------#---------#---------#---------
689
690 # --- Netscape SPKAC operations ---
691 section_message "Netscape SPKAC operations"
692
693 # server-admin generates SPKAC
694
695 start_message "spkac"
696 spkacfile=$server_dir/spkac.file
697
698 $openssl_bin spkac -key $genpkey_rsa -challenge hello -out $spkacfile
699 check_exit_status $?
700
701 $openssl_bin spkac -in $spkacfile -verify -out $spkacfile.out
702 check_exit_status $?
703
704 spkacreq=$server_dir/spkac.req
705 cat << __EOF__ > $spkacreq
706countryName = JP
707stateOrProvinceName = Tokyo
708organizationName = TEST_DUMMY_COMPANY
709commonName = spkac.test_dummy.com
710__EOF__
711 cat $spkacfile >> $spkacreq
712
713 # CA signs SPKAC
714 start_message "ca ... CA signs SPKAC csr"
715 spkaccert=$server_dir/spkac.cert
716 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
717 -spkac $spkacreq -out $spkaccert
718 check_exit_status $?
719
720 start_message "x509 ... convert DER format SPKAC cert to PEM"
721 spkacpem=$server_dir/spkac.pem
722 $openssl_bin x509 -in $spkaccert -inform DER -out $spkacpem -outform PEM
723 check_exit_status $?
724
725 # server-admin cert verify
726
727 start_message "nseq"
728 $openssl_bin nseq -in $spkacpem -toseq -out $spkacpem.nseq
729 check_exit_status $?
730
731 #---------#---------#---------#---------#---------#---------#---------
732
733 # --- user1 operations (generate user1 key and csr) ---
734 section_message "user1 operations (generate user1 key and csr)"
735
736 # trust
737 start_message "x509 ... trust testCA cert"
738 user1_trust=$user1_dir/user1_trust_ca.pem
739 $openssl_bin x509 -in $ca_cert -addtrust clientAuth \
740 -setalias "trusted testCA" -purpose -out $user1_trust
741 check_exit_status $?
742
743 start_message "req ... generate private key and csr for user1"
744
745 user1_key=$user1_dir/user1_key.pem
746 user1_csr=$user1_dir/user1_csr.pem
747 user1_pass=test-user1-pass
748
749 if [ $mingw = 0 ] ; then
750 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user1.test_dummy.com/'
751 else
752 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user1.test_dummy.com\'
753 fi
754
755 $openssl_bin req -new -keyout $user1_key -out $user1_csr \
756 -passout pass:$user1_pass -subj $subj
757 check_exit_status $?
758
759 #---------#---------#---------#---------#---------#---------#---------
760
761 # --- CA operations (issue cert for user1) ---
762 section_message "CA operations (issue cert for user1)"
763
764 start_message "ca ... issue cert for user1"
765
766 user1_cert=$user1_dir/user1_cert.pem
767 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
768 -in $user1_csr -out $user1_cert
769 check_exit_status $?
770}
771
772function test_tsa {
773 # --- TSA operations ---
774 section_message "TSA operations"
775
776 tsa_dat=$user1_dir/tsa.dat
777 cat << __EOF__ > $tsa_dat
778Hello Bob,
779Sincerely yours
780Alice
781__EOF__
782
783 # Query
784 start_message "ts ... create time stamp request"
785
786 tsa_tsq=$user1_dir/tsa.tsq
787
788 $openssl_bin ts -query -sha1 -data $tsa_dat -no_nonce -out $tsa_tsq
789 check_exit_status $?
790
791 start_message "ts ... print time stamp request"
792
793 $openssl_bin ts -query -in $tsa_tsq -text
794 check_exit_status $?
795
796 # Reply
797 start_message "ts ... create time stamp response for a request"
798
799 tsa_tsr=$user1_dir/tsa.tsr
800
801 $openssl_bin ts -reply -queryfile $tsa_tsq -inkey $tsa_key \
802 -passin pass:$tsa_pass -signer $tsa_cert -chain $ca_cert \
803 -out $tsa_tsr
804 check_exit_status $?
805
806 # Verify
807 start_message "ts ... verify time stamp response"
808
809 $openssl_bin ts -verify -queryfile $tsa_tsq -in $tsa_tsr \
810 -CAfile $ca_cert -untrusted $tsa_cert
811 check_exit_status $?
812}
813
814function test_smime {
815 # --- S/MIME operations ---
816 section_message "S/MIME operations"
817
818 smime_txt=$user1_dir/smime.txt
819 smime_msg=$user1_dir/smime.msg
820 smime_ver=$user1_dir/smime.ver
821
822 cat << __EOF__ > $smime_txt
823Hello Bob,
824Sincerely yours
825Alice
826__EOF__
827
828 # sign
829 start_message "smime ... sign to message"
830
831 $openssl_bin smime -sign -in $smime_txt -text -out $smime_msg \
832 -signer $user1_cert -inkey $user1_key -passin pass:$user1_pass
833 check_exit_status $?
834
835 # verify
836 start_message "smime ... verify message"
837
838 $openssl_bin smime -verify -in $smime_msg -signer $user1_cert \
839 -CAfile $ca_cert -out $smime_ver
840 check_exit_status $?
841}
842
843function test_ocsp {
844 # --- OCSP operations ---
845 section_message "OCSP operations"
846
847 # request
848 start_message "ocsp ... create OCSP request"
849
850 ocsp_req=$user1_dir/ocsp_req.der
851 $openssl_bin ocsp -issuer $ca_cert -cert $server_cert \
852 -cert $revoke_cert -CAfile $ca_cert -reqout $ocsp_req
853 check_exit_status $?
854
855 # response
856 start_message "ocsp ... create OCPS response for a request"
857
858 ocsp_res=$user1_dir/ocsp_res.der
859 $openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert \
860 -CAfile $ca_cert -rsigner $ocsp_cert -rkey $ocsp_key \
861 -reqin $ocsp_req -respout $ocsp_res -text > $ocsp_res.out 2>&1
862 check_exit_status $?
863
864 # ocsp server
865 start_message "ocsp ... start OCSP server in background"
866
867 ocsp_port=8888
868
869 $openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert \
870 -CAfile $ca_cert -rsigner $ocsp_cert -rkey $ocsp_key \
871 -port '*:'$ocsp_port -nrequest 1 &
872 check_exit_status $?
873 ocsp_svr_pid=$!
874 echo "ocsp server pid = [ $ocsp_svr_pid ]"
875 sleep 1
876
877 # send query to ocsp server
878 start_message "ocsp ... send OCSP request to server"
879
880 ocsp_qry=$user1_dir/ocsp_qry.der
881 $openssl_bin ocsp -issuer $ca_cert -cert $server_cert \
882 -cert $revoke_cert -CAfile $ca_cert \
883 -url http://localhost:$ocsp_port -resp_text \
884 -respout $ocsp_qry > $ocsp_qry.out 2>&1
885 check_exit_status $?
886}
887
888function test_pkcs {
889 # --- PKCS operations ---
890 section_message "PKCS operations"
891
892 pkcs_pass=test-pkcs-pass
893
894 start_message "pkcs7 ... output certs in crl(pkcs7)"
895 $openssl_bin pkcs7 -in $crl_p7 -print_certs -text -out $crl_p7.out
896 check_exit_status $?
897
898 start_message "pkcs8 ... convert key to pkcs8"
899 $openssl_bin pkcs8 -in $user1_key -topk8 -out $user1_key.p8 \
900 -passin pass:$user1_pass -passout pass:$user1_pass \
901 -v1 pbeWithSHA1AndDES-CBC -v2 des3
902 check_exit_status $?
903
904 start_message "pkcs8 ... convert pkcs8 to key in DER format"
905 $openssl_bin pkcs8 -in $user1_key.p8 -passin pass:$user1_pass \
906 -outform DER -out $user1_key.p8.der
907 check_exit_status $?
908
909 start_message "pkcs12 ... create"
910 $openssl_bin pkcs12 -export -in $server_cert -inkey $server_key \
911 -passin pass:$server_pass -certfile $ca_cert -CAfile $ca_cert \
912 -caname "server_p12" -passout pass:$pkcs_pass \
913 -certpbe AES-256-CBC -keypbe AES-256-CBC -chain \
914 -out $server_cert.p12
915 check_exit_status $?
916
917 start_message "pkcs12 ... verify"
918 $openssl_bin pkcs12 -in $server_cert.p12 -passin pass:$pkcs_pass -info \
919 -noout
920 check_exit_status $?
921
922 start_message "pkcs12 ... to PEM"
923 $openssl_bin pkcs12 -in $server_cert.p12 -passin pass:$pkcs_pass \
924 -passout pass:$pkcs_pass -out $server_cert.p12.pem
925 check_exit_status $?
926}
927
928function test_server_client {
929 # --- client/server operations (TLS) ---
930 section_message "client/server operations (TLS)"
931
932 s_id="$1"
933 c_id="$2"
934 sc="$1$2"
935
936 test_pause_sec=0.2
937
938 if [ $s_id = "0" ] ; then
939 s_bin=$openssl_bin
940 else
941 s_bin=$other_openssl_bin
942 fi
943
944 if [ $c_id = "0" ] ; then
945 c_bin=$openssl_bin
946 else
947 c_bin=$other_openssl_bin
948 fi
949
950 echo "s_server is [`$s_bin version`]"
951 echo "s_client is [`$c_bin version`]"
952
953 host="localhost"
954 port=4433
955 sess_dat=$user1_dir/s_client_${sc}_sess.dat
956 s_server_out=$server_dir/s_server_${sc}_tls.out
957
958 $s_bin version | grep 'OpenSSL 1.1.1' > /dev/null
959 if [ $? -eq 0 ] ; then
960 extra_opts="-4"
961 else
962 extra_opts=""
963 fi
964
965 start_message "s_server ... start TLS/SSL test server"
966 $s_bin s_server -accept $port -CAfile $ca_cert \
967 -cert $server_cert -key $server_key -pass pass:$server_pass \
968 -context "appstest.sh" -id_prefix "APPSTEST.SH" -crl_check \
969 -nextprotoneg "http/1.1,spdy/3" -alpn "http/1.1,spdy/3" -www \
970 -cipher ALL $extra_opts \
971 -msg -tlsextdebug > $s_server_out 2>&1 &
972 check_exit_status $?
973 s_server_pid=$!
974 echo "s_server pid = [ $s_server_pid ]"
975 sleep 1
976
977 # protocol = TLSv1
978
979 s_client_out=$user1_dir/s_client_${sc}_tls_1_0.out
980
981 start_message "s_client ... connect to TLS/SSL test server by TLSv1"
982 sleep $test_pause_sec
983 $c_bin s_client -connect $host:$port -CAfile $ca_cert \
984 -tls1 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
985 check_exit_status $?
986
987 grep 'Protocol : TLSv1$' $s_client_out > /dev/null
988 check_exit_status $?
989
990 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
991 check_exit_status $?
992
993 # protocol = TLSv1.1
994
995 s_client_out=$user1_dir/s_client_${sc}_tls_1_1.out
996
997 start_message "s_client ... connect to TLS/SSL test server by TLSv1.1"
998 sleep $test_pause_sec
999 $c_bin s_client -connect $host:$port -CAfile $ca_cert \
1000 -tls1_1 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
1001 check_exit_status $?
1002
1003 grep 'Protocol : TLSv1\.1$' $s_client_out > /dev/null
1004 check_exit_status $?
1005
1006 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
1007 check_exit_status $?
1008
1009 # protocol = TLSv1.2
1010
1011 s_client_out=$user1_dir/s_client_${sc}_tls_1_2.out
1012
1013 start_message "s_client ... connect to TLS/SSL test server by TLSv1.2"
1014 sleep $test_pause_sec
1015 $c_bin s_client -connect $host:$port -CAfile $ca_cert \
1016 -tls1_2 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
1017 check_exit_status $?
1018
1019 grep 'Protocol : TLSv1\.2$' $s_client_out > /dev/null
1020 check_exit_status $?
1021
1022 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
1023 check_exit_status $?
1024
1025 # all available ciphers with random order
1026
1027 s_ciph=$server_dir/s_ciph_${sc}
1028 if [ $s_id = "0" ] ; then
1029 $s_bin ciphers -v ALL:!ECDSA:!kGOST | awk '{print $1}' > $s_ciph
1030 else
1031 $s_bin ciphers -v | awk '{print $1}' > $s_ciph
1032 fi
1033
1034 c_ciph=$user1_dir/c_ciph_${sc}
1035 if [ $c_id = "0" ] ; then
1036 $c_bin ciphers -v ALL:!ECDSA:!kGOST | awk '{print $1}' > $c_ciph
1037 else
1038 $c_bin ciphers -v | awk '{print $1}' > $c_ciph
1039 fi
1040
1041 ciphers=$user1_dir/ciphers_${sc}
1042 grep -x -f $s_ciph $c_ciph | sort -R > $ciphers
1043
1044 cnum=0
1045 for c in `cat $ciphers` ; do
1046 cnum=`expr $cnum + 1`
1047 cnstr=`printf %03d $cnum`
1048 s_client_out=$user1_dir/s_client_${sc}_tls_${cnstr}_${c}.out
1049
1050 start_message "s_client ... connect to TLS/SSL test server with [ $cnstr ] $c"
1051 sleep $test_pause_sec
1052 $c_bin s_client -connect $host:$port -CAfile $ca_cert \
1053 -cipher $c \
1054 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
1055 check_exit_status $?
1056
1057 grep "Cipher : $c" $s_client_out > /dev/null
1058 check_exit_status $?
1059
1060 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
1061 check_exit_status $?
1062 done
1063
1064 # Get session ticket to reuse
1065
1066 s_client_out=$user1_dir/s_client_${sc}_tls_reuse_1.out
1067
1068 start_message "s_client ... connect to TLS/SSL test server to get session id"
1069 sleep $test_pause_sec
1070 $c_bin s_client -connect $host:$port -CAfile $ca_cert \
1071 -nextprotoneg "spdy/3,http/1.1" -alpn "spdy/3,http/1.1" \
1072 -sess_out $sess_dat \
1073 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
1074 check_exit_status $?
1075
1076 grep '^New, TLS.*$' $s_client_out > /dev/null
1077 check_exit_status $?
1078
1079 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
1080 check_exit_status $?
1081
1082 # Reuse session ticket
1083
1084 s_client_out=$user1_dir/s_client_${sc}_tls_reuse_2.out
1085
1086 start_message "s_client ... connect to TLS/SSL test server reusing session id"
1087 sleep $test_pause_sec
1088 $c_bin s_client -connect $host:$port -CAfile $ca_cert \
1089 -sess_in $sess_dat \
1090 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
1091 check_exit_status $?
1092
1093 grep '^Reused, TLS.*$' $s_client_out > /dev/null
1094 check_exit_status $?
1095
1096 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
1097 check_exit_status $?
1098
1099 # invalid verification pattern
1100
1101 s_client_out=$user1_dir/s_client_${sc}_tls_invalid.out
1102
1103 start_message "s_client ... connect to TLS/SSL test server but verify error"
1104 sleep $test_pause_sec
1105 $c_bin s_client -connect $host:$port -CAfile $ca_cert \
1106 -showcerts -crl_check -issuer_checks -policy_check \
1107 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
1108 check_exit_status $?
1109
1110 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
1111 if [ $? -eq 0 ] ; then
1112 check_exit_status 1
1113 else
1114 check_exit_status 0
1115 fi
1116
1117 # s_time
1118 start_message "s_time ... connect to TLS/SSL test server"
1119 $c_bin s_time -connect $host:$port -CApath $ca_dir -time 2
1120 check_exit_status $?
1121
1122 # sess_id
1123 start_message "sess_id"
1124 $c_bin sess_id -in $sess_dat -text -out $sess_dat.out
1125 check_exit_status $?
1126
1127 stop_s_server
1128}
1129
1130function test_speed {
1131 # === PERFORMANCE ===
1132 section_message "PERFORMANCE"
1133
1134 if [ $no_long_tests = 0 ] ; then
1135 start_message "speed"
1136 $openssl_bin speed sha512 rsa2048 -multi 2 -elapsed
1137 check_exit_status $?
1138 else
1139 start_message "SKIPPING speed (quick mode)"
1140 fi
1141}
1142
1143function test_version {
1144 # --- VERSION INFORMATION ---
1145 section_message "VERSION INFORMATION"
1146
1147 start_message "version"
1148 $openssl_bin version -a
1149 check_exit_status $?
1150}
1151
1152#---------#---------#---------#---------#---------#---------#---------#---------
1153
1154openssl_bin=${OPENSSL:-/usr/bin/openssl}
1155other_openssl_bin=${OTHER_OPENSSL:-/usr/local/bin/eopenssl}
1156
1157interop_tests=0
1158no_long_tests=0
1159
1160while [ "$1" != "" ]; do
1161 case $1 in
1162 -i | --interop) shift
1163 interop_tests=1
1164 ;;
1165 -q | --quick ) shift
1166 no_long_tests=1
1167 ;;
1168 * ) usage
1169 exit 1
1170 esac
1171done
1172
1173if [ ! -x $openssl_bin ] ; then
1174 echo ":-< \$OPENSSL [$openssl_bin] is not executable."
1175 exit 1
1176fi
1177
1178if [ $interop_tests = 1 -a ! -x $other_openssl_bin ] ; then
1179 echo ":-< \$OTHER_OPENSSL [$other_openssl_bin] is not executable."
1180 exit 1
1181fi
1182
1183#
1184# create ssldir, and all files generated by this script goes under this dir.
1185#
1186ssldir="appstest_dir"
1187
1188if [ -d $ssldir ] ; then
1189 echo "directory [ $ssldir ] exists, this script deletes this directory ..."
1190 /bin/rm -rf $ssldir
1191fi
1192
1193mkdir -p $ssldir
1194
1195ca_dir=$ssldir/testCA
1196tsa_dir=$ssldir/testTSA
1197ocsp_dir=$ssldir/testOCSP
1198server_dir=$ssldir/server
1199user1_dir=$ssldir/user1
1200mkdir -p $user1_dir
1201key_dir=$ssldir/key
1202mkdir -p $key_dir
1203
1204export OPENSSL_CONF=$ssldir/openssl.cnf
1205touch $OPENSSL_CONF
1206
1207uname_s=`uname -s | grep 'MINGW'`
1208if [ "$uname_s" = "" ] ; then
1209 mingw=0
1210else
1211 mingw=1
1212fi
1213
1214#
1215# process tests
1216#
1217test_usage_lists_others
1218test_md
1219test_encoding_cipher
1220test_key
1221test_pki
1222test_tsa
1223test_smime
1224test_ocsp
1225test_pkcs
1226test_server_client 0 0
1227if [ $interop_tests = 1 ] ; then
1228 test_server_client 0 1
1229 test_server_client 1 0
1230fi
1231test_speed
1232test_version
1233
1234section_message "END"
1235
1236exit 0
1237