1 files changed, 255 insertions, 0 deletions
diff --git a/src/lib/libssl/test/testtsa.com b/src/lib/libssl/test/testtsa.com
new file mode 100644
index 0000000000..29fb1d0e63
--- /dev/null
+++ b/src/lib/libssl/test/testtsa.com
@@ -0,0 +1,255 @@
+$!
+$! A few very basic tests for the 'ts' time stamping authority command.
+$!
+$
+$       __arch = "VAX"
+$       if f$getsyi("cpu") .ge. 128 then -
+           __arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
+$       if __arch .eqs. "" then __arch = "UNK"
+$!
+$       if (p4 .eqs. "64") then __arch = __arch+ "_64"
+$!
+$       exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
+$
+$       openssl = "mcr ''f$parse(exe_dir+"openssl.exe")'"
+$       OPENSSL_CONF = "[-]CAtsa.cnf"
+$       ! Because that's what ../apps/CA.sh really looks at
+$       SSLEAY_CONFIG = "-config " + OPENSSL_CONF
+$
+$ error:
+$       subroutine
+$               write sys$error "TSA test failed!"
+$               exit 3
+$       endsubroutine
+$
+$ setup_dir:
+$       subroutine
+$
+$               if f$search("tsa.dir") .nes ""
+$               then
+$                       @[-.util]deltree [.tsa]*.*
+$                       set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
+$                       delete tsa.dir;*
+$               endif
+$
+$               create/dir [.tsa]
+$               set default [.tsa]
+$       endsubroutine
+$
+$ clean_up_dir:
+$       subroutine
+$
+$               set default [-]
+$               @[-.util]deltree [.tsa]*.*
+$               set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
+$               delete tsa.dir;*
+$       endsubroutine
+$
+$ create_ca:
+$       subroutine
+$
+$               write sys$output "Creating a new CA for the TSA tests..."
+$               TSDNSECT = "ts_ca_dn"
+$               openssl req -new -x509 -nodes -
+                        -out tsaca.pem -keyout tsacakey.pem
+$               if $severity .ne. 1 then call error
+$       endsubroutine
+$
+$ create_tsa_cert:
+$       subroutine
+$
+$               INDEX=p1
+$               EXT=p2
+$               TSDNSECT = "ts_cert_dn"
+$
+$               openssl req -new -
+                        -out tsa_req'INDEX'.pem -keyout tsa_key'INDEX'.pem
+$               if $severity .ne. 1 then call error
+$
+$               write sys$output "Using extension ''EXT'"
+$               openssl x509 -req -
+                        -in tsa_req'INDEX'.pem -out tsa_cert'INDEX'.pem -
+                        "-CA" tsaca.pem "-CAkey" tsacakey.pem "-CAcreateserial" -
+                        -extfile 'OPENSSL_CONF' -extensions "''EXT'"
+$               if $severity .ne. 1 then call error
+$       endsubroutine
+$
+$ print_request:
+$       subroutine
+$
+$               openssl ts -query -in 'p1' -text
+$       endsubroutine
+$
+$ create_time_stamp_request1: subroutine
+$
+$               openssl ts -query -data [-]testtsa.com -policy tsa_policy1 -
+                        -cert -out req1.tsq
+$               if $severity .ne. 1 then call error
+$       endsubroutine
+$
+$ create_time_stamp_request2: subroutine
+$
+$               openssl ts -query -data [-]testtsa.com -policy tsa_policy2 -
+                        -no_nonce -out req2.tsq
+$               if $severity .ne. 1 then call error
+$       endsubroutine
+$
+$ create_time_stamp_request3: subroutine
+$
+$               openssl ts -query -data [-]CAtsa.cnf -no_nonce -out req3.tsq
+$               if $severity .ne. 1 then call error
+$       endsubroutine
+$
+$ print_response:
+$       subroutine
+$
+$               openssl ts -reply -in 'p1' -text
+$               if $severity .ne. 1 then call error
+$       endsubroutine
+$
+$ create_time_stamp_response:
+$       subroutine
+$
+$               openssl ts -reply -section 'p3' -queryfile 'p1' -out 'p2'
+$               if $severity .ne. 1 then call error
+$       endsubroutine
+$
+$ time_stamp_response_token_test:
+$       subroutine
+$
+$               RESPONSE2 = p2+ "-copy_tsr"
+$               TOKEN_DER = p2+ "-token_der"
+$               openssl ts -reply -in 'p2' -out 'TOKEN_DER' -token_out
+$               if $severity .ne. 1 then call error
+$               openssl ts -reply -in 'TOKEN_DER' -token_in -out 'RESPONSE2'
+$               if $severity .ne. 1 then call error
+$               backup/compare 'RESPONSE2' 'p2'
+$               if $severity .ne. 1 then call error
+$               openssl ts -reply -in 'p2' -text -token_out
+$               if $severity .ne. 1 then call error
+$               openssl ts -reply -in 'TOKEN_DER' -token_in -text -token_out
+$               if $severity .ne. 1 then call error
+$               openssl ts -reply -queryfile 'p1' -text -token_out
+$               if $severity .ne. 1 then call error
+$       endsubroutine
+$
+$ verify_time_stamp_response:
+$       subroutine
+$
+$               openssl ts -verify -queryfile 'p1' -in 'p2' -
+                        "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
+$               if $severity .ne. 1 then call error
+$               openssl ts -verify -data 'p3' -in 'p2' -
+                        "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
+$               if $severity .ne. 1 then call error
+$       endsubroutine
+$
+$ verify_time_stamp_token:
+$       subroutine
+$
+$               ! create the token from the response first
+$               openssl ts -reply -in "''p2'" -out "''p2'-token" -token_out
+$               if $severity .ne. 1 then call error
+$               openssl ts -verify -queryfile "''p1'" -in "''p2'-token" -
+                 -token_in "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
+$               if $severity .ne. 1 then call error
+$               openssl ts -verify -data "''p3'" -in "''p2'-token" -
+                 -token_in "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
+$               if $severity .ne. 1 then call error
+$       endsubroutine
+$
+$ verify_time_stamp_response_fail:
+$       subroutine
+$
+$               openssl ts -verify -queryfile 'p1' -in 'p2' -
+                        "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
+$               ! Checks if the verification failed, as it should have.
+$               if $severity .eq. 1 then call error
+$               write sys$output "Ok"
+$       endsubroutine
+$
+$       ! Main body ----------------------------------------------------------
+$
+$       set noon
+$
+$       write sys$output "Setting up TSA test directory..."
+$       call setup_dir
+$
+$       write sys$output "Creating CA for TSA tests..."
+$       call create_ca
+$
+$       write sys$output "Creating tsa_cert1.pem TSA server cert..."
+$       call create_tsa_cert 1 "tsa_cert"
+$
+$       write sys$output "Creating tsa_cert2.pem non-TSA server cert..."
+$       call create_tsa_cert 2 "non_tsa_cert"
+$
+$       write sys$output "Creating req1.req time stamp request for file testtsa..."
+$       call create_time_stamp_request1
+$
+$       write sys$output "Printing req1.req..."
+$       call print_request "req1.tsq"
+$
+$       write sys$output "Generating valid response for req1.req..."
+$       call create_time_stamp_response "req1.tsq" "resp1.tsr" "tsa_config1"
+$
+$       write sys$output "Printing response..."
+$       call print_response "resp1.tsr"
+$
+$       write sys$output "Verifying valid response..."
+$       call verify_time_stamp_response "req1.tsq" "resp1.tsr" "[-]testtsa.com"
+$
+$       write sys$output "Verifying valid token..."
+$       call verify_time_stamp_token "req1.tsq" "resp1.tsr" "[-]testtsa.com"
+$
+$       ! The tests below are commented out, because invalid signer certificates
+$       ! can no longer be specified in the config file.
+$
+$       ! write sys$output "Generating _invalid_ response for req1.req..."
+$       ! call create_time_stamp_response "req1.tsq" "resp1_bad.tsr" "tsa_config2"
+$
+$       ! write sys$output "Printing response..."
+$       ! call print_response "resp1_bad.tsr"
+$
+$       ! write sys$output "Verifying invalid response, it should fail..."
+$       ! call verify_time_stamp_response_fail "req1.tsq" "resp1_bad.tsr"
+$
+$       write sys$output "Creating req2.req time stamp request for file testtsa..."
+$       call create_time_stamp_request2
+$
+$       write sys$output "Printing req2.req..."
+$       call print_request "req2.tsq"
+$
+$       write sys$output "Generating valid response for req2.req..."
+$       call create_time_stamp_response "req2.tsq" "resp2.tsr" "tsa_config1"
+$
+$       write sys$output "Checking '-token_in' and '-token_out' options with '-reply'..."
+$       call time_stamp_response_token_test "req2.tsq" "resp2.tsr"
+$
+$       write sys$output "Printing response..."
+$       call print_response "resp2.tsr"
+$
+$       write sys$output "Verifying valid response..."
+$       call verify_time_stamp_response "req2.tsq" "resp2.tsr" "[-]testtsa.com"
+$
+$       write sys$output "Verifying response against wrong request, it should fail..."
+$       call verify_time_stamp_response_fail "req1.tsq" "resp2.tsr"
+$
+$       write sys$output "Verifying response against wrong request, it should fail..."
+$       call verify_time_stamp_response_fail "req2.tsq" "resp1.tsr"
+$
+$       write sys$output "Creating req3.req time stamp request for file CAtsa.cnf..."
+$       call create_time_stamp_request3
+$
+$       write sys$output "Printing req3.req..."
+$       call print_request "req3.tsq"
+$
+$       write sys$output "Verifying response against wrong request, it should fail..."
+$       call verify_time_stamp_response_fail "req3.tsq" "resp1.tsr"
+$
+$       write sys$output "Cleaning up..."
+$       call clean_up_dir
+$
+$       set on
+$
+$       exit

diff --git a/src/lib/libssl/test/testtsa.com b/src/lib/libssl/test/testtsa.com new file mode 100644 index 0000000000..29fb1d0e63 --- /dev/null +++ b/src/lib/libssl/test/testtsa.com
@@ -0,0 +1,255 @@
	1	$!
	2	$! A few very basic tests for the 'ts' time stamping authority command.
	3	$!
	4	$
	5	$ __arch = "VAX"
	6	$ if f$getsyi("cpu") .ge. 128 then -
	7	__arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
	8	$ if __arch .eqs. "" then __arch = "UNK"
	9	$!
	10	$ if (p4 .eqs. "64") then __arch = __arch+ "_64"
	11	$!
	12	$ exe_dir = "sys$disk:[-.''__arch'.exe.apps]"
	13	$
	14	$ openssl = "mcr ''f$parse(exe_dir+"openssl.exe")'"
	15	$ OPENSSL_CONF = "[-]CAtsa.cnf"
	16	$ ! Because that's what ../apps/CA.sh really looks at
	17	$ SSLEAY_CONFIG = "-config " + OPENSSL_CONF
	18	$
	19	$ error:
	20	$ subroutine
	21	$ write sys$error "TSA test failed!"
	22	$ exit 3
	23	$ endsubroutine
	24	$
	25	$ setup_dir:
	26	$ subroutine
	27	$
	28	$ if f$search("tsa.dir") .nes ""
	29	$ then
	30	$ @[-.util]deltree [.tsa].
	31	$ set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
	32	$ delete tsa.dir;*
	33	$ endif
	34	$
	35	$ create/dir [.tsa]
	36	$ set default [.tsa]
	37	$ endsubroutine
	38	$
	39	$ clean_up_dir:
	40	$ subroutine
	41	$
	42	$ set default [-]
	43	$ @[-.util]deltree [.tsa].
	44	$ set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) tsa.dir;*
	45	$ delete tsa.dir;*
	46	$ endsubroutine
	47	$
	48	$ create_ca:
	49	$ subroutine
	50	$
	51	$ write sys$output "Creating a new CA for the TSA tests..."
	52	$ TSDNSECT = "ts_ca_dn"
	53	$ openssl req -new -x509 -nodes -
	54	-out tsaca.pem -keyout tsacakey.pem
	55	$ if $severity .ne. 1 then call error
	56	$ endsubroutine
	57	$
	58	$ create_tsa_cert:
	59	$ subroutine
	60	$
	61	$ INDEX=p1
	62	$ EXT=p2
	63	$ TSDNSECT = "ts_cert_dn"
	64	$
	65	$ openssl req -new -
	66	-out tsa_req'INDEX'.pem -keyout tsa_key'INDEX'.pem
	67	$ if $severity .ne. 1 then call error
	68	$
	69	$ write sys$output "Using extension ''EXT'"
	70	$ openssl x509 -req -
	71	-in tsa_req'INDEX'.pem -out tsa_cert'INDEX'.pem -
	72	"-CA" tsaca.pem "-CAkey" tsacakey.pem "-CAcreateserial" -
	73	-extfile 'OPENSSL_CONF' -extensions "''EXT'"
	74	$ if $severity .ne. 1 then call error
	75	$ endsubroutine
	76	$
	77	$ print_request:
	78	$ subroutine
	79	$
	80	$ openssl ts -query -in 'p1' -text
	81	$ endsubroutine
	82	$
	83	$ create_time_stamp_request1: subroutine
	84	$
	85	$ openssl ts -query -data [-]testtsa.com -policy tsa_policy1 -
	86	-cert -out req1.tsq
	87	$ if $severity .ne. 1 then call error
	88	$ endsubroutine
	89	$
	90	$ create_time_stamp_request2: subroutine
	91	$
	92	$ openssl ts -query -data [-]testtsa.com -policy tsa_policy2 -
	93	-no_nonce -out req2.tsq
	94	$ if $severity .ne. 1 then call error
	95	$ endsubroutine
	96	$
	97	$ create_time_stamp_request3: subroutine
	98	$
	99	$ openssl ts -query -data [-]CAtsa.cnf -no_nonce -out req3.tsq
	100	$ if $severity .ne. 1 then call error
	101	$ endsubroutine
	102	$
	103	$ print_response:
	104	$ subroutine
	105	$
	106	$ openssl ts -reply -in 'p1' -text
	107	$ if $severity .ne. 1 then call error
	108	$ endsubroutine
	109	$
	110	$ create_time_stamp_response:
	111	$ subroutine
	112	$
	113	$ openssl ts -reply -section 'p3' -queryfile 'p1' -out 'p2'
	114	$ if $severity .ne. 1 then call error
	115	$ endsubroutine
	116	$
	117	$ time_stamp_response_token_test:
	118	$ subroutine
	119	$
	120	$ RESPONSE2 = p2+ "-copy_tsr"
	121	$ TOKEN_DER = p2+ "-token_der"
	122	$ openssl ts -reply -in 'p2' -out 'TOKEN_DER' -token_out
	123	$ if $severity .ne. 1 then call error
	124	$ openssl ts -reply -in 'TOKEN_DER' -token_in -out 'RESPONSE2'
	125	$ if $severity .ne. 1 then call error
	126	$ backup/compare 'RESPONSE2' 'p2'
	127	$ if $severity .ne. 1 then call error
	128	$ openssl ts -reply -in 'p2' -text -token_out
	129	$ if $severity .ne. 1 then call error
	130	$ openssl ts -reply -in 'TOKEN_DER' -token_in -text -token_out
	131	$ if $severity .ne. 1 then call error
	132	$ openssl ts -reply -queryfile 'p1' -text -token_out
	133	$ if $severity .ne. 1 then call error
	134	$ endsubroutine
	135	$
	136	$ verify_time_stamp_response:
	137	$ subroutine
	138	$
	139	$ openssl ts -verify -queryfile 'p1' -in 'p2' -
	140	"-CAfile" tsaca.pem -untrusted tsa_cert1.pem
	141	$ if $severity .ne. 1 then call error
	142	$ openssl ts -verify -data 'p3' -in 'p2' -
	143	"-CAfile" tsaca.pem -untrusted tsa_cert1.pem
	144	$ if $severity .ne. 1 then call error
	145	$ endsubroutine
	146	$
	147	$ verify_time_stamp_token:
	148	$ subroutine
	149	$
	150	$ ! create the token from the response first
	151	$ openssl ts -reply -in "''p2'" -out "''p2'-token" -token_out
	152	$ if $severity .ne. 1 then call error
	153	$ openssl ts -verify -queryfile "''p1'" -in "''p2'-token" -
	154	-token_in "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
	155	$ if $severity .ne. 1 then call error
	156	$ openssl ts -verify -data "''p3'" -in "''p2'-token" -
	157	-token_in "-CAfile" tsaca.pem -untrusted tsa_cert1.pem
	158	$ if $severity .ne. 1 then call error
	159	$ endsubroutine
	160	$
	161	$ verify_time_stamp_response_fail:
	162	$ subroutine
	163	$
	164	$ openssl ts -verify -queryfile 'p1' -in 'p2' -
	165	"-CAfile" tsaca.pem -untrusted tsa_cert1.pem
	166	$ ! Checks if the verification failed, as it should have.
	167	$ if $severity .eq. 1 then call error
	168	$ write sys$output "Ok"
	169	$ endsubroutine
	170	$
	171	$ ! Main body ----------------------------------------------------------
	172	$
	173	$ set noon
	174	$
	175	$ write sys$output "Setting up TSA test directory..."
	176	$ call setup_dir
	177	$
	178	$ write sys$output "Creating CA for TSA tests..."
	179	$ call create_ca
	180	$
	181	$ write sys$output "Creating tsa_cert1.pem TSA server cert..."
	182	$ call create_tsa_cert 1 "tsa_cert"
	183	$
	184	$ write sys$output "Creating tsa_cert2.pem non-TSA server cert..."
	185	$ call create_tsa_cert 2 "non_tsa_cert"
	186	$
	187	$ write sys$output "Creating req1.req time stamp request for file testtsa..."
	188	$ call create_time_stamp_request1
	189	$
	190	$ write sys$output "Printing req1.req..."
	191	$ call print_request "req1.tsq"
	192	$
	193	$ write sys$output "Generating valid response for req1.req..."
	194	$ call create_time_stamp_response "req1.tsq" "resp1.tsr" "tsa_config1"
	195	$
	196	$ write sys$output "Printing response..."
	197	$ call print_response "resp1.tsr"
	198	$
	199	$ write sys$output "Verifying valid response..."
	200	$ call verify_time_stamp_response "req1.tsq" "resp1.tsr" "[-]testtsa.com"
	201	$
	202	$ write sys$output "Verifying valid token..."
	203	$ call verify_time_stamp_token "req1.tsq" "resp1.tsr" "[-]testtsa.com"
	204	$
	205	$ ! The tests below are commented out, because invalid signer certificates
	206	$ ! can no longer be specified in the config file.
	207	$
	208	$ ! write sys$output "Generating _invalid_ response for req1.req..."
	209	$ ! call create_time_stamp_response "req1.tsq" "resp1_bad.tsr" "tsa_config2"
	210	$
	211	$ ! write sys$output "Printing response..."
	212	$ ! call print_response "resp1_bad.tsr"
	213	$
	214	$ ! write sys$output "Verifying invalid response, it should fail..."
	215	$ ! call verify_time_stamp_response_fail "req1.tsq" "resp1_bad.tsr"
	216	$
	217	$ write sys$output "Creating req2.req time stamp request for file testtsa..."
	218	$ call create_time_stamp_request2
	219	$
	220	$ write sys$output "Printing req2.req..."
	221	$ call print_request "req2.tsq"
	222	$
	223	$ write sys$output "Generating valid response for req2.req..."
	224	$ call create_time_stamp_response "req2.tsq" "resp2.tsr" "tsa_config1"
	225	$
	226	$ write sys$output "Checking '-token_in' and '-token_out' options with '-reply'..."
	227	$ call time_stamp_response_token_test "req2.tsq" "resp2.tsr"
	228	$
	229	$ write sys$output "Printing response..."
	230	$ call print_response "resp2.tsr"
	231	$
	232	$ write sys$output "Verifying valid response..."
	233	$ call verify_time_stamp_response "req2.tsq" "resp2.tsr" "[-]testtsa.com"
	234	$
	235	$ write sys$output "Verifying response against wrong request, it should fail..."
	236	$ call verify_time_stamp_response_fail "req1.tsq" "resp2.tsr"
	237	$
	238	$ write sys$output "Verifying response against wrong request, it should fail..."
	239	$ call verify_time_stamp_response_fail "req2.tsq" "resp1.tsr"
	240	$
	241	$ write sys$output "Creating req3.req time stamp request for file CAtsa.cnf..."
	242	$ call create_time_stamp_request3
	243	$
	244	$ write sys$output "Printing req3.req..."
	245	$ call print_request "req3.tsq"
	246	$
	247	$ write sys$output "Verifying response against wrong request, it should fail..."
	248	$ call verify_time_stamp_response_fail "req3.tsq" "resp1.tsr"
	249	$
	250	$ write sys$output "Cleaning up..."
	251	$ call clean_up_dir
	252	$
	253	$ set on
	254	$
	255	$ exit