Diffstat (limited to 'src/regress/usr.bin/openssl/appstest.sh')
-rwxr-xr-xsrc/regress/usr.bin/openssl/appstest.sh1485
1 files changed, 0 insertions, 1485 deletions
diff --git a/src/regress/usr.bin/openssl/appstest.sh b/src/regress/usr.bin/openssl/appstest.sh
deleted file mode 100755
index 97c4a6e4a5..0000000000
--- a/src/regress/usr.bin/openssl/appstest.sh
+++ /dev/null
@@ -1,1485 +0,0 @@
1#!/bin/sh
2#
3# $OpenBSD: appstest.sh,v 1.28 2019/11/09 14:49:31 inoguchi Exp $
4#
5# Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org>
6#
7# Permission to use, copy, modify, and distribute this software for any
8# purpose with or without fee is hereby granted, provided that the above
9# copyright notice and this permission notice appear in all copies.
10#
11# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19#
20# appstest.sh - test script for openssl command according to man OPENSSL(1)
21#
22# input : none
23# output : all files generated by this script go under $ssldir
24#
25
26function section_message {
27 echo ""
28 echo "#---------#---------#---------#---------#---------#---------#---------#--------"
29 echo "==="
30 echo "=== (Section) $1 `date +'%Y/%m/%d %H:%M:%S'`"
31 echo "==="
32}
33
34function start_message {
35 echo ""
36 echo "[TEST] $1"
37}
38
39function stop_s_server {
40 if [ ! -z "$s_server_pid" ] ; then
41 echo ":-| stop s_server [ $s_server_pid ]"
42 sleep 1
43 kill -TERM $s_server_pid
44 wait $s_server_pid
45 s_server_pid=
46 fi
47}
48
49function check_exit_status {
50 status=$1
51 if [ $status -ne 0 ] ; then
52 stop_s_server
53 echo ":-< error occurs, exit status = [ $status ]"
54 exit $status
55 else
56 echo ":-) success. "
57 fi
58}
59
60function usage {
61 echo "usage: appstest.sh [-iq]"
62}
63
64function test_usage_lists_others {
65 # === COMMAND USAGE ===
66 section_message "COMMAND USAGE"
67
68 start_message "output usages of all commands."
69
70 cmds=`$openssl_bin list-standard-commands`
71 $openssl_bin -help 2>> $user1_dir/usages.out
72 for c in $cmds ; do
73 $openssl_bin $c -help 2>> $user1_dir/usages.out
74 done
75
76 start_message "check all list-* commands."
77
78 lists=""
79 lists="$lists list-standard-commands"
80 lists="$lists list-message-digest-commands list-message-digest-algorithms"
81 lists="$lists list-cipher-commands list-cipher-algorithms"
82 lists="$lists list-public-key-algorithms"
83
84 listsfile=$user1_dir/lists.out
85
86 for l in $lists ; do
87 echo "" >> $listsfile
88 echo "$l" >> $listsfile
89 $openssl_bin $l >> $listsfile
90 done
91
92 start_message "check interactive mode"
93 $openssl_bin <<__EOF__
94help
95quit
96__EOF__
97 check_exit_status $?
98
99 #---------#---------#---------#---------#---------#---------#---------
100
101 # --- listing operations ---
102 section_message "listing operations"
103
104 start_message "ciphers"
105 $openssl_bin ciphers -V
106 check_exit_status $?
107
108 start_message "errstr"
109 $openssl_bin errstr 2606A074
110 check_exit_status $?
111 $openssl_bin errstr -stats 2606A074 > $user1_dir/errstr-stats.out
112 check_exit_status $?
113
114 #---------#---------#---------#---------#---------#---------#---------
115
116 # --- random number etc. operations ---
117 section_message "random number etc. operations"
118
119 start_message "passwd"
120
121 pass="test-pass-1234"
122
123 echo $pass | $openssl_bin passwd -stdin -1
124 check_exit_status $?
125
126 echo $pass | $openssl_bin passwd -stdin -apr1
127 check_exit_status $?
128
129 echo $pass | $openssl_bin passwd -stdin -crypt
130 check_exit_status $?
131
132 start_message "prime"
133
134 $openssl_bin prime 1
135 check_exit_status $?
136
137 $openssl_bin prime 2
138 check_exit_status $?
139
140 $openssl_bin prime -bits 64 -checks 3 -generate -hex -safe 5
141 check_exit_status $?
142
143 start_message "rand"
144
145 $openssl_bin rand -base64 100
146 check_exit_status $?
147
148 $openssl_bin rand -hex 100
149 check_exit_status $?
150}
151
152function test_md {
153 # === MESSAGE DIGEST COMMANDS ===
154 section_message "MESSAGE DIGEST COMMANDS"
155
156 start_message "dgst - See [MESSAGE DIGEST COMMANDS] section."
157
158 text="1234567890abcdefghijklmnopqrstuvwxyz"
159 dgstdat=$user1_dir/dgst.dat
160 echo $text > $dgstdat
161 hmac_key="test-hmac-key"
162 cmac_key="1234567890abcde1234567890abcde12"
163 dgstkey=$user1_dir/dgstkey.pem
164 dgstpass=test-dgst-pass
165 dgstpub=$user1_dir/dgstpub.pem
166 dgstsig=$user1_dir/dgst.sig
167
168 $openssl_bin genrsa -aes256 -passout pass:$dgstpass -out $dgstkey
169 check_exit_status $?
170
171 $openssl_bin pkey -in $dgstkey -passin pass:$dgstpass -pubout \
172 -out $dgstpub
173 check_exit_status $?
174
175 digests=`$openssl_bin list-message-digest-commands`
176
177 for d in $digests ; do
178
179 echo -n "$d ... "
180 $openssl_bin dgst -$d -hex -out $dgstdat.$d $dgstdat
181 check_exit_status $?
182
183 echo -n "$d HMAC ... "
184 $openssl_bin dgst -$d -c -hmac $hmac_key -out $dgstdat.$d.hmac \
185 $dgstdat
186 check_exit_status $?
187
188 echo -n "$d CMAC ... "
189 $openssl_bin dgst -$d -r -mac cmac -macopt cipher:aes-128-cbc \
190 -macopt hexkey:$cmac_key -out $dgstdat.$d.cmac $dgstdat
191 check_exit_status $?
192
193 echo -n "$d sign ... "
194 $openssl_bin dgst -sign $dgstkey -keyform pem \
195 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \
196 -passin pass:$dgstpass -binary -out $dgstsig.$d $dgstdat
197 check_exit_status $?
198
199 echo -n "$d verify ... "
200 $openssl_bin dgst -verify $dgstpub \
201 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \
202 -signature $dgstsig.$d $dgstdat
203 check_exit_status $?
204
205 echo -n "$d prverify ... "
206 $openssl_bin dgst -prverify $dgstkey -passin pass:$dgstpass \
207 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \
208 -signature $dgstsig.$d $dgstdat
209 check_exit_status $?
210 done
211}
212
213function test_encoding_cipher {
214 # === ENCODING AND CIPHER COMMANDS ===
215 section_message "ENCODING AND CIPHER COMMANDS"
216
217 start_message "enc - See [ENCODING AND CIPHER COMMANDS] section."
218
219 text="1234567890abcdefghijklmnopqrstuvwxyz"
220 encfile=$user1_dir/encfile.dat
221 echo $text > $encfile
222 pass="test-pass-1234"
223
224 ciphers=`$openssl_bin list-cipher-commands`
225
226 for c in $ciphers ; do
227 echo -n "$c ... encoding ... "
228 $openssl_bin enc -$c -e -base64 -pass pass:$pass \
229 -in $encfile -out $encfile-$c.enc
230 check_exit_status $?
231
232 echo -n "decoding ... "
233 $openssl_bin enc -$c -d -base64 -pass pass:$pass \
234 -in $encfile-$c.enc -out $encfile-$c.dec
235 check_exit_status $?
236
237 echo -n "cmp ... "
238 cmp $encfile $encfile-$c.dec
239 check_exit_status $?
240 done
241}
242
243function test_key {
244 # === various KEY operations ===
245 section_message "various KEY operations"
246
247 key_pass=test-key-pass
248
249 # DH
250
251 start_message "gendh - Obsoleted by dhparam."
252 gendh2=$key_dir/gendh2.pem
253 $openssl_bin gendh -2 -out $gendh2
254 check_exit_status $?
255
256 start_message "dh - Obsoleted by dhparam."
257 $openssl_bin dh -in $gendh2 -check -text -out $gendh2.out
258 check_exit_status $?
259
260 if [ $no_long_tests = 0 ] ; then
261 start_message "dhparam - Superseded by genpkey and pkeyparam."
262 dhparam2=$key_dir/dhparam2.pem
263 $openssl_bin dhparam -2 -out $dhparam2
264 check_exit_status $?
265 $openssl_bin dhparam -in $dhparam2 -check -text \
266 -out $dhparam2.out
267 check_exit_status $?
268 else
269 start_message "SKIPPING dhparam - Superseded by genpkey and pkeyparam. (quick mode)"
270 fi
271
272 # DSA
273
274 start_message "dsaparam - Superseded by genpkey and pkeyparam."
275 dsaparam512=$key_dir/dsaparam512.pem
276 $openssl_bin dsaparam -genkey -out $dsaparam512 512
277 check_exit_status $?
278
279 start_message "dsa"
280 $openssl_bin dsa -in $dsaparam512 -text -modulus -out $dsaparam512.out
281 check_exit_status $?
282
283 start_message "gendsa - Superseded by genpkey and pkey."
284 gendsa_des3=$key_dir/gendsa_des3.pem
285 $openssl_bin gendsa -des3 -out $gendsa_des3 \
286 -passout pass:$key_pass $dsaparam512
287 check_exit_status $?
288
289 # RSA
290
291 start_message "genrsa - Superseded by genpkey."
292 genrsa_aes256=$key_dir/genrsa_aes256.pem
293 $openssl_bin genrsa -f4 -aes256 -out $genrsa_aes256 \
294 -passout pass:$key_pass 2048
295 check_exit_status $?
296
297 start_message "rsa"
298 $openssl_bin rsa -in $genrsa_aes256 -passin pass:$key_pass \
299 -check -text -out $genrsa_aes256.out
300 check_exit_status $?
301
302 start_message "rsautl - Superseded by pkeyutl."
303 rsautldat=$key_dir/rsautl.dat
304 rsautlsig=$key_dir/rsautl.sig
305 echo "abcdefghijklmnopqrstuvwxyz1234567890" > $rsautldat
306
307 $openssl_bin rsautl -sign -in $rsautldat -inkey $genrsa_aes256 \
308 -passin pass:$key_pass -out $rsautlsig
309 check_exit_status $?
310
311 $openssl_bin rsautl -verify -in $rsautlsig -inkey $genrsa_aes256 \
312 -passin pass:$key_pass
313 check_exit_status $?
314
315 # EC
316
317 start_message "ecparam -list-curves"
318 $openssl_bin ecparam -list_curves
319 check_exit_status $?
320
321 # get all EC curves
322 ec_curves=`$openssl_bin ecparam -list_curves | grep ':' | cut -d ':' -f 1`
323
324 start_message "ecparam and ec"
325
326 for curve in $ec_curves ;
327 do
328 ecparam=$key_dir/ecparam_$curve.pem
329
330 echo -n "ec - $curve ... ecparam ... "
331 $openssl_bin ecparam -out $ecparam -name $curve -genkey \
332 -param_enc explicit -conv_form compressed -C
333 check_exit_status $?
334
335 echo -n "ec ... "
336 $openssl_bin ec -in $ecparam -text \
337 -out $ecparam.out 2> /dev/null
338 check_exit_status $?
339 done
340
341 # PKEY
342
343 start_message "genpkey"
344
345 # DH by GENPKEY
346
347 genpkey_dh_param=$key_dir/genpkey_dh_param.pem
348 $openssl_bin genpkey -genparam -algorithm DH -out $genpkey_dh_param \
349 -pkeyopt dh_paramgen_prime_len:1024
350 check_exit_status $?
351
352 genpkey_dh=$key_dir/genpkey_dh.pem
353 $openssl_bin genpkey -paramfile $genpkey_dh_param -out $genpkey_dh
354 check_exit_status $?
355
356 # DSA by GENPKEY
357
358 genpkey_dsa_param=$key_dir/genpkey_dsa_param.pem
359 $openssl_bin genpkey -genparam -algorithm DSA -out $genpkey_dsa_param \
360 -pkeyopt dsa_paramgen_bits:1024
361 check_exit_status $?
362
363 genpkey_dsa=$key_dir/genpkey_dsa.pem
364 $openssl_bin genpkey -paramfile $genpkey_dsa_param -out $genpkey_dsa
365 check_exit_status $?
366
367 # RSA by GENPKEY
368
369 genpkey_rsa=$key_dir/genpkey_rsa.pem
370 $openssl_bin genpkey -algorithm RSA -out $genpkey_rsa \
371 -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3
372 check_exit_status $?
373
374 genpkey_rsa_pss=$key_dir/genpkey_rsa_pss.pem
375 $openssl_bin genpkey -algorithm RSA-PSS -out $genpkey_rsa_pss \
376 -pkeyopt rsa_keygen_bits:2048 \
377 -pkeyopt rsa_pss_keygen_mgf1_md:sha256 \
378 -pkeyopt rsa_pss_keygen_md:sha256 \
379 -pkeyopt rsa_pss_keygen_saltlen:32
380 check_exit_status $?
381
382 # EC by GENPKEY
383
384 genpkey_ec_param=$key_dir/genpkey_ec_param.pem
385 $openssl_bin genpkey -genparam -algorithm EC -out $genpkey_ec_param \
386 -pkeyopt ec_paramgen_curve:secp384r1
387 check_exit_status $?
388
389 genpkey_ec=$key_dir/genpkey_ec.pem
390 $openssl_bin genpkey -paramfile $genpkey_ec_param -out $genpkey_ec
391 check_exit_status $?
392
393 genpkey_ec_2=$key_dir/genpkey_ec_2.pem
394 $openssl_bin genpkey -paramfile $genpkey_ec_param -out $genpkey_ec_2
395 check_exit_status $?
396
397 start_message "pkeyparam"
398
399 $openssl_bin pkeyparam -in $genpkey_dh_param -text \
400 -out $genpkey_dh_param.out
401 check_exit_status $?
402
403 $openssl_bin pkeyparam -in $genpkey_dsa_param -text \
404 -out $genpkey_dsa_param.out
405 check_exit_status $?
406
407 $openssl_bin pkeyparam -in $genpkey_ec_param -text \
408 -out $genpkey_ec_param.out
409 check_exit_status $?
410
411 start_message "pkey"
412
413 $openssl_bin pkey -in $genpkey_dh -pubout -out $genpkey_dh.pub \
414 -text_pub
415 check_exit_status $?
416
417 $openssl_bin pkey -in $genpkey_dsa -pubout -out $genpkey_dsa.pub \
418 -text_pub
419 check_exit_status $?
420
421 $openssl_bin pkey -in $genpkey_rsa -pubout -out $genpkey_rsa.pub \
422 -text_pub
423 check_exit_status $?
424
425 $openssl_bin pkey -in $genpkey_ec -pubout -out $genpkey_ec.pub \
426 -text_pub
427 check_exit_status $?
428
429 $openssl_bin pkey -in $genpkey_ec_2 -pubout -out $genpkey_ec_2.pub \
430 -text_pub
431 check_exit_status $?
432
433 start_message "pkeyutl"
434
435 pkeyutldat=$key_dir/pkeyutl.dat
436 pkeyutlsig=$key_dir/pkeyutl.sig
437 echo "abcdefghijklmnopqrstuvwxyz1234567890" > $pkeyutldat
438
439 $openssl_bin pkeyutl -sign -in $pkeyutldat -inkey $genpkey_rsa \
440 -out $pkeyutlsig
441 check_exit_status $?
442
443 $openssl_bin pkeyutl -verify -in $pkeyutldat -sigfile $pkeyutlsig \
444 -inkey $genpkey_rsa
445 check_exit_status $?
446
447 $openssl_bin pkeyutl -verifyrecover -in $pkeyutlsig -inkey $genpkey_rsa
448 check_exit_status $?
449
450 pkeyutlenc=$key_dir/pkeyutl.enc
451 pkeyutldec=$key_dir/pkeyutl.dec
452
453 $openssl_bin pkeyutl -encrypt -in $pkeyutldat \
454 -pubin -inkey $genpkey_rsa.pub -out $pkeyutlenc
455 check_exit_status $?
456
457 $openssl_bin pkeyutl -decrypt -in $pkeyutlenc \
458 -inkey $genpkey_rsa -out $pkeyutldec
459 check_exit_status $?
460
461 diff $pkeyutldat $pkeyutldec
462 check_exit_status $?
463
464 pkeyutl_rsa_oaep_enc=$key_dir/pkeyutl_rsa_oaep.enc
465 pkeyutl_rsa_oaep_dec=$key_dir/pkeyutl_rsa_oaep.dec
466
467 $openssl_bin pkeyutl -encrypt -in $pkeyutldat \
468 -inkey $genpkey_rsa \
469 -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
470 -pkeyopt rsa_oaep_label:0011223344556677 \
471 -out $pkeyutl_rsa_oaep_enc
472 check_exit_status $?
473
474 $openssl_bin pkeyutl -decrypt -in $pkeyutl_rsa_oaep_enc \
475 -inkey $genpkey_rsa \
476 -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
477 -pkeyopt rsa_oaep_label:0011223344556677 \
478 -out $pkeyutl_rsa_oaep_dec
479 check_exit_status $?
480
481 diff $pkeyutldat $pkeyutl_rsa_oaep_dec
482 check_exit_status $?
483
484 pkeyutlsc1=$key_dir/pkeyutl.sc1
485 pkeyutlsc2=$key_dir/pkeyutl.sc2
486
487 $openssl_bin pkeyutl -derive -inkey $genpkey_ec \
488 -peerkey $genpkey_ec_2.pub -out $pkeyutlsc1 -hexdump
489 check_exit_status $?
490
491 $openssl_bin pkeyutl -derive -inkey $genpkey_ec_2 \
492 -peerkey $genpkey_ec.pub -out $pkeyutlsc2 -hexdump
493 check_exit_status $?
494
495 diff $pkeyutlsc1 $pkeyutlsc2
496 check_exit_status $?
497}
498
499function test_pki {
500 section_message "setup local CA"
501
502 #
503 # prepare test openssl.cnf
504 #
505
506 cat << __EOF__ > $ssldir/openssl.cnf
507oid_section = new_oids
508[ new_oids ]
509tsa_policy1 = 1.2.3.4.1
510tsa_policy2 = 1.2.3.4.5.6
511tsa_policy3 = 1.2.3.4.5.7
512[ ca ]
513default_ca = CA_default
514[ CA_default ]
515dir = ./$ca_dir
516crl_dir = \$dir/crl
517database = \$dir/index.txt
518new_certs_dir = \$dir/newcerts
519serial = \$dir/serial
520crlnumber = \$dir/crlnumber
521default_days = 1
522default_md = default
523policy = policy_match
524[ policy_match ]
525countryName = match
526stateOrProvinceName = match
527organizationName = match
528organizationalUnitName = optional
529commonName = supplied
530emailAddress = optional
531[ req ]
532distinguished_name = req_distinguished_name
533[ req_distinguished_name ]
534countryName = Country Name
535countryName_default = JP
536countryName_min = 2
537countryName_max = 2
538stateOrProvinceName = State or Province Name
539stateOrProvinceName_default = Tokyo
540organizationName = Organization Name
541organizationName_default = TEST_DUMMY_COMPANY
542commonName = Common Name
543[ tsa ]
544default_tsa = tsa_config1
545[ tsa_config1 ]
546dir = ./$tsa_dir
547serial = \$dir/serial
548crypto_device = builtin
549digests = sha1, sha256, sha384, sha512
550default_policy = tsa_policy1
551other_policies = tsa_policy2, tsa_policy3
552[ tsa_ext ]
553keyUsage = critical,nonRepudiation
554extendedKeyUsage = critical,timeStamping
555[ ocsp_ext ]
556basicConstraints = CA:FALSE
557keyUsage = nonRepudiation,digitalSignature,keyEncipherment
558extendedKeyUsage = OCSPSigning
559__EOF__
560
561 #---------#---------#---------#---------#---------#---------#---------
562
563 #
564 # setup test CA
565 #
566
567 mkdir -p $ca_dir
568 mkdir -p $tsa_dir
569 mkdir -p $ocsp_dir
570 mkdir -p $server_dir
571
572 mkdir -p $ca_dir/certs
573 mkdir -p $ca_dir/private
574 mkdir -p $ca_dir/crl
575 mkdir -p $ca_dir/newcerts
576 chmod 700 $ca_dir/private
577 echo "01" > $ca_dir/serial
578 touch $ca_dir/index.txt
579 touch $ca_dir/crlnumber
580 echo "01" > $ca_dir/crlnumber
581
582 #
583 # setup test TSA
584 #
585 mkdir -p $tsa_dir/private
586 chmod 700 $tsa_dir/private
587 echo "01" > $tsa_dir/serial
588 touch $tsa_dir/index.txt
589
590 #
591 # setup test OCSP
592 #
593 mkdir -p $ocsp_dir/private
594 chmod 700 $ocsp_dir/private
595
596 #---------#---------#---------#---------#---------#---------#---------
597
598 # --- CA initiate (generate CA key and cert) ---
599
600 start_message "req ... generate CA key and self signed cert"
601
602 ca_cert=$ca_dir/ca_cert.pem
603 ca_key=$ca_dir/private/ca_key.pem ca_pass=test-ca-pass
604
605 if [ $mingw = 0 ] ; then
606 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testCA.test_dummy.com/'
607 else
608 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testCA.test_dummy.com\'
609 fi
610
611 $openssl_bin req -new -x509 -batch -newkey rsa:2048 \
612 -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 \
613 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \
614 -config $ssldir/openssl.cnf -verbose \
615 -subj $subj -days 1 -set_serial 1 -multivalue-rdn \
616 -keyout $ca_key -passout pass:$ca_pass \
617 -out $ca_cert -outform pem
618 check_exit_status $?
619
620 #---------#---------#---------#---------#---------#---------#---------
621
622 # --- TSA initiate (generate TSA key and cert) ---
623
624 start_message "req ... generate TSA key and cert"
625
626 # generate CSR for TSA
627
628 tsa_csr=$tsa_dir/tsa_csr.pem
629 tsa_key=$tsa_dir/private/tsa_key.pem
630 tsa_pass=test-tsa-pass
631
632 if [ $mingw = 0 ] ; then
633 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testTSA.test_dummy.com/'
634 else
635 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testTSA.test_dummy.com\'
636 fi
637
638 $openssl_bin req -new -keyout $tsa_key -out $tsa_csr \
639 -passout pass:$tsa_pass -subj $subj -asn1-kludge
640 check_exit_status $?
641
642 start_message "ca ... sign by CA with TSA extensions"
643
644 tsa_cert=$tsa_dir/tsa_cert.pem
645
646 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -keyform pem \
647 -key $ca_pass -config $ssldir/openssl.cnf -create_serial \
648 -policy policy_match -days 1 -md sha256 -extensions tsa_ext \
649 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 \
650 -multivalue-rdn -preserveDN -noemailDN \
651 -in $tsa_csr -outdir $tsa_dir -out $tsa_cert -verbose -notext
652 check_exit_status $?
653
654 #---------#---------#---------#---------#---------#---------#---------
655
656 # --- OCSP initiate (generate OCSP key and cert) ---
657
658 start_message "req ... generate OCSP key and cert"
659
660 # generate CSR for OCSP
661
662 ocsp_csr=$ocsp_dir/ocsp_csr.pem
663 ocsp_key=$ocsp_dir/private/ocsp_key.pem
664
665 if [ $mingw = 0 ] ; then
666 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testOCSP.test_dummy.com/'
667 else
668 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testOCSP.test_dummy.com\'
669 fi
670
671 $openssl_bin req -new -keyout $ocsp_key -nodes -out $ocsp_csr \
672 -subj $subj -no-asn1-kludge
673 check_exit_status $?
674
675 start_message "ca ... sign by CA with OCSP extensions"
676
677 ocsp_cert=$ocsp_dir/ocsp_cert.pem
678
679 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -keyform pem \
680 -key $ca_pass -out $ocsp_cert -extensions ocsp_ext \
681 -startdate `date -u '+%y%m%d%H%M%SZ'` -enddate 491223235959Z \
682 -subj $subj -infiles $ocsp_csr
683 check_exit_status $?
684
685 #---------#---------#---------#---------#---------#---------#---------
686
687 # --- server-admin operations (generate server key and csr) ---
688 section_message "server-admin operations (generate server key and csr)"
689
690 server_key=$server_dir/server_key.pem
691 server_csr=$server_dir/server_csr.pem
692 server_pass=test-server-pass
693
694 if [ $mingw = 0 ] ; then
695 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=localhost.test_dummy.com/'
696 else
697 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=localhost.test_dummy.com\'
698 fi
699
700 start_message "genrsa ... generate server key#1"
701
702 $openssl_bin genrsa -aes256 -passout pass:$server_pass -out $server_key
703 check_exit_status $?
704
705 start_message "req ... generate server csr#1"
706
707 $openssl_bin req -new -subj $subj -sha256 \
708 -key $server_key -keyform pem -passin pass:$server_pass \
709 -addext 'subjectAltName = DNS:localhost.test_dummy.com' \
710 -out $server_csr -outform pem
711 check_exit_status $?
712
713 start_message "req ... verify server csr#1"
714
715 $openssl_bin req -verify -in $server_csr -inform pem \
716 -newhdr -noout -pubkey -subject -modulus -text \
717 -nameopt multiline -reqopt compatible \
718 -out $server_csr.verify.out
719 check_exit_status $?
720
721 start_message "req ... generate server csr#2 (interactive mode)"
722
723 revoke_key=$server_dir/revoke_key.pem
724 revoke_csr=$server_dir/revoke_csr.pem
725 revoke_pass=test-revoke-pass
726
727 $openssl_bin req -new -keyout $revoke_key -out $revoke_csr \
728 -passout pass:$revoke_pass <<__EOF__
729JP
730Tokyo
731TEST_DUMMY_COMPANY
732revoke.test_dummy.com
733__EOF__
734 check_exit_status $?
735
736 #---------#---------#---------#---------#---------#---------#---------
737
738 # --- CA operations (issue cert for server) ---
739 section_message "CA operations (issue cert for server)"
740
741 start_message "ca ... issue cert for server csr#1"
742
743 server_cert=$server_dir/server_cert.pem
744 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
745 -in $server_csr -out $server_cert
746 check_exit_status $?
747
748 start_message "x509 ... issue cert for server csr#2"
749
750 revoke_cert=$server_dir/revoke_cert.pem
751 $openssl_bin x509 -req -in $revoke_csr -CA $ca_cert -CAform pem \
752 -CAkey $ca_key -CAkeyform pem \
753 -CAserial $ca_dir/serial -set_serial 10 \
754 -passin pass:$ca_pass -CAcreateserial -out $revoke_cert
755 check_exit_status $?
756
757 #---------#---------#---------#---------#---------#---------#---------
758
759 # --- CA operations (revoke cert and generate crl) ---
760 section_message "CA operations (revoke cert and generate crl)"
761
762 start_message "ca ... revoke server cert#2"
763 crl_file=$ca_dir/crl.pem
764 $openssl_bin ca -gencrl -out $crl_file -revoke $revoke_cert \
765 -config $ssldir/openssl.cnf -name CA_default \
766 -crldays 30 -crlhours 12 -crlsec 30 -updatedb \
767 -crl_reason unspecified -crl_hold 1.2.840.10040.2.2 \
768 -crl_compromise `date -u '+%Y%m%d%H%M%SZ'` \
769 -crl_CA_compromise `date -u '+%Y%m%d%H%M%SZ'` \
770 -keyfile $ca_key -passin pass:$ca_pass -cert $ca_cert
771 check_exit_status $?
772
773 start_message "ca ... show certificate status by serial number"
774 $openssl_bin ca -config $ssldir/openssl.cnf -status 1
775
776 start_message "crl ... CA generates CRL"
777 $openssl_bin crl -in $crl_file -fingerprint
778 check_exit_status $?
779
780 crl_p7=$ca_dir/crl.p7
781 start_message "crl2pkcs7 ... convert CRL to pkcs7"
782 $openssl_bin crl2pkcs7 -in $crl_file -certfile $ca_cert -out $crl_p7
783 check_exit_status $?
784
785 #---------#---------#---------#---------#---------#---------#---------
786
787 # --- server-admin operations (check csr, verify cert, certhash) ---
788 section_message "server-admin operations (check csr, verify cert, certhash)"
789
790 start_message "asn1parse ... parse server csr#1"
791 $openssl_bin asn1parse -in $server_csr -i -dlimit 100 -length 1000 \
792 -strparse 01 > $server_csr.asn1parse.out
793 check_exit_status $?
794
795 start_message "verify ... server cert#1"
796 $openssl_bin verify -verbose -CAfile $ca_cert -CRLfile $crl_file \
797 -crl_check -issuer_checks -purpose sslserver $server_cert
798 check_exit_status $?
799
800 start_message "x509 ... get detail info about server cert#1"
801 $openssl_bin x509 -in $server_cert -text -C -dates -startdate -enddate \
802 -fingerprint -issuer -issuer_hash -issuer_hash_old \
803 -subject -hash -subject_hash -subject_hash_old -ocsp_uri \
804 -ocspid -modulus -pubkey -serial -email -noout -trustout \
805 -alias -clrtrust -clrreject -next_serial -checkend 3600 \
806 -nameopt multiline -certopt compatible > $server_cert.x509.out
807 check_exit_status $?
808
809 if [ $mingw = 0 ] ; then
810 start_message "certhash"
811 $openssl_bin certhash -v $server_dir
812 check_exit_status $?
813 fi
814
815 # self signed
816 start_message "x509 ... generate self signed server cert"
817 server_self_cert=$server_dir/server_self_cert.pem
818 $openssl_bin x509 -in $server_cert -signkey $server_key -keyform pem \
819 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \
820 -passin pass:$server_pass -out $server_self_cert -days 1
821 check_exit_status $?
822
823 #---------#---------#---------#---------#---------#---------#---------
824
825 # --- Netscape SPKAC operations ---
826 section_message "Netscape SPKAC operations"
827
828 # server-admin generates SPKAC
829
830 start_message "spkac"
831 spkacfile=$server_dir/spkac.file
832
833 $openssl_bin spkac -key $genpkey_rsa -challenge hello -out $spkacfile
834 check_exit_status $?
835
836 $openssl_bin spkac -in $spkacfile -verify -out $spkacfile.out
837 check_exit_status $?
838
839 spkacreq=$server_dir/spkac.req
840 cat << __EOF__ > $spkacreq
841countryName = JP
842stateOrProvinceName = Tokyo
843organizationName = TEST_DUMMY_COMPANY
844commonName = spkac.test_dummy.com
845__EOF__
846 cat $spkacfile >> $spkacreq
847
848 # CA signs SPKAC
849 start_message "ca ... CA signs SPKAC csr"
850 spkaccert=$server_dir/spkac.cert
851 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
852 -spkac $spkacreq -out $spkaccert
853 check_exit_status $?
854
855 start_message "x509 ... convert DER format SPKAC cert to PEM"
856 spkacpem=$server_dir/spkac.pem
857 $openssl_bin x509 -in $spkaccert -inform DER -out $spkacpem -outform PEM
858 check_exit_status $?
859
860 # server-admin cert verify
861
862 start_message "nseq"
863 $openssl_bin nseq -in $spkacpem -toseq -out $spkacpem.nseq
864 check_exit_status $?
865
866 #---------#---------#---------#---------#---------#---------#---------
867
868 # --- user1 operations (generate user1 key and csr) ---
869 section_message "user1 operations (generate user1 key and csr)"
870
871 # trust
872 start_message "x509 ... trust testCA cert"
873 user1_trust=$user1_dir/user1_trust_ca.pem
874 $openssl_bin x509 -in $ca_cert -addtrust clientAuth \
875 -setalias "trusted testCA" -purpose -out $user1_trust
876 check_exit_status $?
877
878 start_message "req ... generate private key and csr for user1"
879
880 user1_key=$user1_dir/user1_key.pem
881 user1_csr=$user1_dir/user1_csr.pem
882 user1_pass=test-user1-pass
883
884 if [ $mingw = 0 ] ; then
885 subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user1.test_dummy.com/'
886 else
887 subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user1.test_dummy.com\'
888 fi
889
890 $openssl_bin req -new -keyout $user1_key -out $user1_csr \
891 -passout pass:$user1_pass -subj $subj
892 check_exit_status $?
893
894 #---------#---------#---------#---------#---------#---------#---------
895
896 # --- CA operations (issue cert for user1) ---
897 section_message "CA operations (issue cert for user1)"
898
899 start_message "ca ... issue cert for user1"
900
901 user1_cert=$user1_dir/user1_cert.pem
902 $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
903 -in $user1_csr -out $user1_cert
904 check_exit_status $?
905}
906
907function test_tsa {
908 # --- TSA operations ---
909 section_message "TSA operations"
910
911 tsa_dat=$user1_dir/tsa.dat
912 cat << __EOF__ > $tsa_dat
913Hello Bob,
914Sincerely yours
915Alice
916__EOF__
917
918 # Query
919 start_message "ts ... create time stamp request"
920
921 tsa_tsq=$user1_dir/tsa.tsq
922
923 $openssl_bin ts -query -sha1 -data $tsa_dat -no_nonce -out $tsa_tsq
924 check_exit_status $?
925
926 start_message "ts ... print time stamp request"
927
928 $openssl_bin ts -query -in $tsa_tsq -text
929 check_exit_status $?
930
931 # Reply
932 start_message "ts ... create time stamp response for a request"
933
934 tsa_tsr=$user1_dir/tsa.tsr
935
936 $openssl_bin ts -reply -queryfile $tsa_tsq -inkey $tsa_key \
937 -passin pass:$tsa_pass -signer $tsa_cert -chain $ca_cert \
938 -config $ssldir/openssl.cnf -section tsa_config1 -cert \
939 -policy 1.3.6.1.4.1.4146.2.3 -out $tsa_tsr
940 check_exit_status $?
941
942 # Verify
943 start_message "ts ... verify time stamp response"
944
945 $openssl_bin ts -verify -queryfile $tsa_tsq -in $tsa_tsr \
946 -CAfile $ca_cert -untrusted $tsa_cert
947 check_exit_status $?
948}
949
950function test_cms {
951 # --- CMS operations ---
952 section_message "CMS operations"
953
954 cms_txt=$user1_dir/cms.txt
955 cms_sig=$user1_dir/cms.sig
956 cms_enc=$user1_dir/cms.enc
957 cms_dec=$user1_dir/cms.dec
958 cms_sgr=$user1_dir/cms.sgr
959 cms_ver=$user1_dir/cms.ver
960
961 cat << __EOF__ > $cms_txt
962Hello Bob,
963Sincerely yours
964Alice
965__EOF__
966
967 # sign
968 start_message "cms ... sign to message"
969
970 $openssl_bin cms -sign -in $cms_txt -text \
971 -out $cms_sig -outform smime \
972 -signer $user1_cert -inkey $user1_key -keyform pem \
973 -passin pass:$user1_pass -md sha256 \
974 -from user1@test_dummy.com -to server@test_dummy.com \
975 -subject "test openssl cms"
976 check_exit_status $?
977
978 # encrypt
979 start_message "cms ... encrypt message"
980
981 $openssl_bin cms -encrypt -aes256 -binary -in $cms_sig -inform smime \
982 -out $cms_enc $server_cert
983 check_exit_status $?
984
985 # decrypt
986 start_message "cms ... decrypt message"
987
988 $openssl_bin cms -decrypt -in $cms_enc -out $cms_dec \
989 -recip $server_cert -inkey $server_key -passin pass:$server_pass
990 check_exit_status $?
991
992 # verify
993 start_message "cms ... verify message"
994
995 $openssl_bin cms -verify -in $cms_dec \
996 -CAfile $ca_cert -certfile $user1_cert -nointern \
997 -check_ss_sig -issuer_checks -policy_check -x509_strict \
998 -signer $cms_sgr -text -out $cms_ver
999 check_exit_status $?
1000
1001 diff -b $cms_ver $cms_txt
1002 check_exit_status $?
1003}
1004
1005function test_smime {
1006 # --- S/MIME operations ---
1007 section_message "S/MIME operations"
1008
1009 smime_txt=$user1_dir/smime.txt
1010 smime_enc=$user1_dir/smime.enc
1011 smime_sig=$user1_dir/smime.sig
1012 smime_p7o=$user1_dir/smime.p7o
1013 smime_sgr=$user1_dir/smime.sgr
1014 smime_ver=$user1_dir/smime.ver
1015 smime_dec=$user1_dir/smime.dec
1016
1017 cat << __EOF__ > $smime_txt
1018Hello Bob,
1019Sincerely yours
1020Alice
1021__EOF__
1022
1023 # encrypt
1024 start_message "smime ... encrypt message"
1025
1026 $openssl_bin smime -encrypt -aes256 -binary -in $smime_txt \
1027 -out $smime_enc $server_cert
1028 check_exit_status $?
1029
1030 # sign
1031 start_message "smime ... sign to message"
1032
1033 $openssl_bin smime -sign -in $smime_enc -text -inform smime \
1034 -out $smime_sig -outform smime \
1035 -signer $user1_cert -inkey $user1_key -keyform pem \
1036 -passin pass:$user1_pass -md sha256 \
1037 -from user1@test_dummy.com -to server@test_dummy.com \
1038 -subject "test openssl smime"
1039 check_exit_status $?
1040
1041 # pk7out
1042 start_message "smime ... pk7out from message"
1043
1044 $openssl_bin smime -pk7out -in $smime_sig -out $smime_p7o
1045 check_exit_status $?
1046
1047 # verify
1048 start_message "smime ... verify message"
1049
1050 $openssl_bin smime -verify -in $smime_sig \
1051 -CAfile $ca_cert -certfile $user1_cert -nointern \
1052 -check_ss_sig -issuer_checks -policy_check -x509_strict \
1053 -signer $smime_sgr -text -out $smime_ver
1054 check_exit_status $?
1055
1056 # decrypt
1057 start_message "smime ... decrypt message"
1058
1059 $openssl_bin smime -decrypt -in $smime_ver -out $smime_dec \
1060 -recip $server_cert -inkey $server_key -passin pass:$server_pass
1061 check_exit_status $?
1062
1063 diff $smime_dec $smime_txt
1064 check_exit_status $?
1065}
1066
1067function test_ocsp {
1068 # --- OCSP operations ---
1069 section_message "OCSP operations"
1070
1071 # get key without pass
1072 user1_key_nopass=$user1_dir/user1_key_nopass.pem
1073 $openssl_bin pkey -in $user1_key -passin pass:$user1_pass \
1074 -out $user1_key_nopass
1075 check_exit_status $?
1076
1077 # request
1078 start_message "ocsp ... create OCSP request"
1079
1080 ocsp_req=$user1_dir/ocsp_req.der
1081 $openssl_bin ocsp -issuer $ca_cert -cert $server_cert \
1082 -cert $revoke_cert -serial 1 -nonce -no_certs -CAfile $ca_cert \
1083 -signer $user1_cert -signkey $user1_key_nopass \
1084 -sign_other $user1_cert -sha256 \
1085 -reqout $ocsp_req -req_text -out $ocsp_req.out
1086 check_exit_status $?
1087
1088 # response
1089 start_message "ocsp ... create OCPS response for a request"
1090
1091 ocsp_res=$user1_dir/ocsp_res.der
1092 $openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert \
1093 -CAfile $ca_cert -rsigner $ocsp_cert -rkey $ocsp_key \
1094 -reqin $ocsp_req -rother $ocsp_cert -resp_no_certs -noverify \
1095 -nmin 60 -validity_period 300 -status_age 300 \
1096 -respout $ocsp_res -resp_text -out $ocsp_res.out
1097 check_exit_status $?
1098
1099 # ocsp server
1100 start_message "ocsp ... start OCSP server in background"
1101
1102 ocsp_port=8888
1103
1104 ocsp_svr_log=$user1_dir/ocsp_svr.log
1105 $openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert \
1106 -CAfile $ca_cert -rsigner $ocsp_cert -rkey $ocsp_key \
1107 -host localhost -port $ocsp_port -path / -ndays 1 -nrequest 1 \
1108 -resp_key_id -text -out $ocsp_svr_log &
1109 check_exit_status $?
1110 ocsp_svr_pid=$!
1111 echo "ocsp server pid = [ $ocsp_svr_pid ]"
1112 sleep 1
1113
1114 # send query to ocsp server
1115 start_message "ocsp ... send OCSP request to server"
1116
1117 ocsp_qry=$user1_dir/ocsp_qry.der
1118 $openssl_bin ocsp -issuer $ca_cert -cert $server_cert \
1119 -cert $revoke_cert -CAfile $ca_cert -no_nonce \
1120 -url http://localhost:$ocsp_port -timeout 10 -text \
1121 -header Host localhost \
1122 -respout $ocsp_qry -out $ocsp_qry.out
1123 check_exit_status $?
1124
1125 # verify response from server
1126 start_message "ocsp ... verify OCSP response from server"
1127
1128 $openssl_bin ocsp -respin $ocsp_qry -CAfile $ca_cert \
1129 -ignore_err -no_signature_verify -no_cert_verify -no_chain \
1130 -no_cert_checks -no_explicit -trust_other -no_intern \
1131 -verify_other $ocsp_cert -VAfile $ocsp_cert
1132 check_exit_status $?
1133}
1134
1135function test_pkcs {
1136 # --- PKCS operations ---
1137 section_message "PKCS operations"
1138
1139 pkcs_pass=test-pkcs-pass
1140
1141 start_message "pkcs7 ... output certs in crl(pkcs7)"
1142 $openssl_bin pkcs7 -in $crl_p7 -print_certs -text -out $crl_p7.out
1143 check_exit_status $?
1144
1145 start_message "pkcs8 ... convert key to pkcs8"
1146 $openssl_bin pkcs8 -in $user1_key -topk8 -out $user1_key.p8 \
1147 -passin pass:$user1_pass -passout pass:$user1_pass \
1148 -v1 pbeWithSHA1AndDES-CBC -v2 des3
1149 check_exit_status $?
1150
1151 start_message "pkcs8 ... convert pkcs8 to key in DER format"
1152 $openssl_bin pkcs8 -in $user1_key.p8 -passin pass:$user1_pass \
1153 -outform DER -out $user1_key.p8.der
1154 check_exit_status $?
1155
1156 start_message "pkcs12 ... create"
1157 $openssl_bin pkcs12 -export -in $server_cert -inkey $server_key \
1158 -passin pass:$server_pass -certfile $ca_cert -CAfile $ca_cert \
1159 -caname "caname_server_p12" \
1160 -certpbe AES-256-CBC -keypbe AES-256-CBC -chain \
1161 -name "name_server_p12" -des3 -maciter -macalg sha256 \
1162 -CSP "csp_server_p12" -LMK -keyex \
1163 -passout pass:$pkcs_pass -out $server_cert.p12
1164 check_exit_status $?
1165
1166 start_message "pkcs12 ... verify"
1167 $openssl_bin pkcs12 -in $server_cert.p12 -passin pass:$pkcs_pass -info \
1168 -noout
1169 check_exit_status $?
1170
1171 start_message "pkcs12 ... private key to PEM without encryption"
1172 $openssl_bin pkcs12 -in $server_cert.p12 -password pass:$pkcs_pass \
1173 -nocerts -nomacver -nodes -out $server_cert.p12.pem
1174 check_exit_status $?
1175}
1176
1177function test_server_client {
1178 # --- client/server operations (TLS) ---
1179 section_message "client/server operations (TLS)"
1180
1181 s_id="$1"
1182 c_id="$2"
1183 sc="$1$2"
1184
1185 test_pause_sec=0.2
1186
1187 if [ $s_id = "0" ] ; then
1188 s_bin=$openssl_bin
1189 else
1190 s_bin=$other_openssl_bin
1191 fi
1192
1193 if [ $c_id = "0" ] ; then
1194 c_bin=$openssl_bin
1195 else
1196 c_bin=$other_openssl_bin
1197 fi
1198
1199 echo "s_server is [`$s_bin version`]"
1200 echo "s_client is [`$c_bin version`]"
1201
1202 host="localhost"
1203 port=4433
1204 sess_dat=$user1_dir/s_client_${sc}_sess.dat
1205 s_server_out=$server_dir/s_server_${sc}_tls.out
1206
1207 $s_bin version | grep 'OpenSSL 1.1.1' > /dev/null
1208 if [ $? -eq 0 ] ; then
1209 extra_opts="-4"
1210 else
1211 extra_opts=""
1212 fi
1213
1214 start_message "s_server ... start TLS/SSL test server"
1215 $s_bin s_server -accept $port -CAfile $ca_cert \
1216 -cert $server_cert -key $server_key -pass pass:$server_pass \
1217 -context "appstest.sh" -id_prefix "APPSTEST.SH" -crl_check \
1218 -alpn "http/1.1,spdy/3" -www -cipher ALL $extra_opts \
1219 -msg -tlsextdebug > $s_server_out 2>&1 &
1220 check_exit_status $?
1221 s_server_pid=$!
1222 echo "s_server pid = [ $s_server_pid ]"
1223 sleep 1
1224
1225 # protocol = TLSv1
1226
1227 s_client_out=$user1_dir/s_client_${sc}_tls_1_0.out
1228
1229 start_message "s_client ... connect to TLS/SSL test server by TLSv1"
1230 sleep $test_pause_sec
1231 $c_bin s_client -connect $host:$port -CAfile $ca_cert \
1232 -tls1 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
1233 check_exit_status $?
1234
1235 grep 'Protocol : TLSv1$' $s_client_out > /dev/null
1236 check_exit_status $?
1237
1238 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
1239 check_exit_status $?
1240
1241 # protocol = TLSv1.1
1242
1243 s_client_out=$user1_dir/s_client_${sc}_tls_1_1.out
1244
1245 start_message "s_client ... connect to TLS/SSL test server by TLSv1.1"
1246 sleep $test_pause_sec
1247 $c_bin s_client -connect $host:$port -CAfile $ca_cert \
1248 -tls1_1 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
1249 check_exit_status $?
1250
1251 grep 'Protocol : TLSv1\.1$' $s_client_out > /dev/null
1252 check_exit_status $?
1253
1254 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
1255 check_exit_status $?
1256
1257 # protocol = TLSv1.2
1258
1259 s_client_out=$user1_dir/s_client_${sc}_tls_1_2.out
1260
1261 start_message "s_client ... connect to TLS/SSL test server by TLSv1.2"
1262 sleep $test_pause_sec
1263 $c_bin s_client -connect $host:$port -CAfile $ca_cert \
1264 -tls1_2 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
1265 check_exit_status $?
1266
1267 grep 'Protocol : TLSv1\.2$' $s_client_out > /dev/null
1268 check_exit_status $?
1269
1270 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
1271 check_exit_status $?
1272
1273 # all available ciphers with random order
1274
1275 s_ciph=$server_dir/s_ciph_${sc}
1276 if [ $s_id = "0" ] ; then
1277 $s_bin ciphers -v ALL:!ECDSA:!kGOST | awk '{print $1}' > $s_ciph
1278 else
1279 $s_bin ciphers -v | awk '{print $1}' > $s_ciph
1280 fi
1281
1282 c_ciph=$user1_dir/c_ciph_${sc}
1283 if [ $c_id = "0" ] ; then
1284 $c_bin ciphers -v ALL:!ECDSA:!kGOST | awk '{print $1}' > $c_ciph
1285 else
1286 $c_bin ciphers -v | awk '{print $1}' > $c_ciph
1287 fi
1288
1289 ciphers=$user1_dir/ciphers_${sc}
1290 grep -x -f $s_ciph $c_ciph | sort -R > $ciphers
1291
1292 cnum=0
1293 for c in `cat $ciphers` ; do
1294 cnum=`expr $cnum + 1`
1295 cnstr=`printf %03d $cnum`
1296 s_client_out=$user1_dir/s_client_${sc}_tls_${cnstr}_${c}.out
1297
1298 start_message "s_client ... connect to TLS/SSL test server with [ $cnstr ] $c"
1299 sleep $test_pause_sec
1300 $c_bin s_client -connect $host:$port -CAfile $ca_cert \
1301 -cipher $c \
1302 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
1303 check_exit_status $?
1304
1305 grep "Cipher : $c" $s_client_out > /dev/null
1306 check_exit_status $?
1307
1308 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
1309 check_exit_status $?
1310 done
1311
1312 # Get session ticket to reuse
1313
1314 s_client_out=$user1_dir/s_client_${sc}_tls_reuse_1.out
1315
1316 start_message "s_client ... connect to TLS/SSL test server to get session id"
1317 sleep $test_pause_sec
1318 $c_bin s_client -connect $host:$port -CAfile $ca_cert \
1319 -alpn "spdy/3,http/1.1" -sess_out $sess_dat \
1320 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
1321 check_exit_status $?
1322
1323 grep '^New, TLS.*$' $s_client_out > /dev/null
1324 check_exit_status $?
1325
1326 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
1327 check_exit_status $?
1328
1329 # Reuse session ticket
1330
1331 s_client_out=$user1_dir/s_client_${sc}_tls_reuse_2.out
1332
1333 start_message "s_client ... connect to TLS/SSL test server reusing session id"
1334 sleep $test_pause_sec
1335 $c_bin s_client -connect $host:$port -CAfile $ca_cert \
1336 -sess_in $sess_dat \
1337 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
1338 check_exit_status $?
1339
1340 grep '^Reused, TLS.*$' $s_client_out > /dev/null
1341 check_exit_status $?
1342
1343 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
1344 check_exit_status $?
1345
1346 # invalid verification pattern
1347
1348 s_client_out=$user1_dir/s_client_${sc}_tls_invalid.out
1349
1350 start_message "s_client ... connect to TLS/SSL test server but verify error"
1351 sleep $test_pause_sec
1352 $c_bin s_client -connect $host:$port -CAfile $ca_cert \
1353 -showcerts -crl_check -issuer_checks -policy_check \
1354 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
1355 check_exit_status $?
1356
1357 grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null
1358 if [ $? -eq 0 ] ; then
1359 check_exit_status 1
1360 else
1361 check_exit_status 0
1362 fi
1363
1364 # s_time
1365 start_message "s_time ... connect to TLS/SSL test server"
1366 $c_bin s_time -connect $host:$port -CApath $ca_dir -time 2
1367 check_exit_status $?
1368
1369 # sess_id
1370 start_message "sess_id"
1371 $c_bin sess_id -in $sess_dat -text -out $sess_dat.out
1372 check_exit_status $?
1373
1374 stop_s_server
1375}
1376
1377function test_speed {
1378 # === PERFORMANCE ===
1379 section_message "PERFORMANCE"
1380
1381 if [ $no_long_tests = 0 ] ; then
1382 start_message "speed"
1383 $openssl_bin speed sha512 rsa2048 -multi 2 -elapsed
1384 check_exit_status $?
1385 else
1386 start_message "SKIPPING speed (quick mode)"
1387 fi
1388}
1389
1390function test_version {
1391 # --- VERSION INFORMATION ---
1392 section_message "VERSION INFORMATION"
1393
1394 start_message "version"
1395 $openssl_bin version -a
1396 check_exit_status $?
1397}
1398
1399#---------#---------#---------#---------#---------#---------#---------#---------
1400
1401openssl_bin=${OPENSSL:-/usr/bin/openssl}
1402other_openssl_bin=${OTHER_OPENSSL:-/usr/local/bin/eopenssl}
1403
1404interop_tests=0
1405no_long_tests=0
1406
1407while [ "$1" != "" ]; do
1408 case $1 in
1409 -i | --interop) shift
1410 interop_tests=1
1411 ;;
1412 -q | --quick ) shift
1413 no_long_tests=1
1414 ;;
1415 * ) usage
1416 exit 1
1417 esac
1418done
1419
1420if [ ! -x $openssl_bin ] ; then
1421 echo ":-< \$OPENSSL [$openssl_bin] is not executable."
1422 exit 1
1423fi
1424
1425if [ $interop_tests = 1 -a ! -x $other_openssl_bin ] ; then
1426 echo ":-< \$OTHER_OPENSSL [$other_openssl_bin] is not executable."
1427 exit 1
1428fi
1429
1430#
1431# create ssldir, and all files generated by this script goes under this dir.
1432#
1433ssldir="appstest_dir"
1434
1435if [ -d $ssldir ] ; then
1436 echo "directory [ $ssldir ] exists, this script deletes this directory ..."
1437 /bin/rm -rf $ssldir
1438fi
1439
1440mkdir -p $ssldir
1441
1442ca_dir=$ssldir/testCA
1443tsa_dir=$ssldir/testTSA
1444ocsp_dir=$ssldir/testOCSP
1445server_dir=$ssldir/server
1446user1_dir=$ssldir/user1
1447mkdir -p $user1_dir
1448key_dir=$ssldir/key
1449mkdir -p $key_dir
1450
1451export OPENSSL_CONF=$ssldir/openssl.cnf
1452touch $OPENSSL_CONF
1453
1454uname_s=`uname -s | grep 'MINGW'`
1455if [ "$uname_s" = "" ] ; then
1456 mingw=0
1457else
1458 mingw=1
1459fi
1460
1461#
1462# process tests
1463#
1464test_usage_lists_others
1465test_md
1466test_encoding_cipher
1467test_key
1468test_pki
1469test_tsa
1470test_cms
1471test_smime
1472test_ocsp
1473test_pkcs
1474test_server_client 0 0
1475if [ $interop_tests = 1 ] ; then
1476 test_server_client 0 1
1477 test_server_client 1 0
1478fi
1479test_speed
1480test_version
1481
1482section_message "END"
1483
1484exit 0
1485