Diffstat (limited to 'regress/usr.bin/openssl/appstest.sh')
-rwxr-xr-x | regress/usr.bin/openssl/appstest.sh | 1891 |
1 files changed, 961 insertions, 930 deletions
diff --git a/regress/usr.bin/openssl/appstest.sh b/regress/usr.bin/openssl/appstest.sh
index f2666011c39..3d54da95097 100755
--- a/regress/usr.bin/openssl/appstest.sh
+++ b/regress/usr.bin/openssl/appstest.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $OpenBSD: appstest.sh,v 1.12 2018/09/08 09:34:12 inoguchi Exp $
+# $OpenBSD: appstest.sh,v 1.13 2018/09/08 11:12:27 inoguchi Exp $
 #
 # Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org>
 #
@@ -24,380 +24,390 @@ # function section_message { - echo "" - echo "#---------#---------#---------#---------#---------#---------#---------#--------" - echo "===" - echo "=== (Section) $1 `date +'%Y/%m/%d %H:%M:%S'`" - echo "===" + echo "" + echo "#---------#---------#---------#---------#---------#---------#---------#--------" + echo "===" + echo "=== (Section) $1 `date +'%Y/%m/%d %H:%M:%S'`" + echo "===" } function start_message { - echo "" - echo "[TEST] $1" + echo "" + echo "[TEST] $1" } function stop_s_server { - if [ ! -z "$s_server_pid" ] ; then - echo ":-| stop s_server [ $s_server_pid ]" - sleep 1 - kill -TERM $s_server_pid - wait $s_server_pid - s_server_pid= - fi + if [ ! -z "$s_server_pid" ] ; then + echo ":-| stop s_server [ $s_server_pid ]" + sleep 1 + kill -TERM $s_server_pid + wait $s_server_pid + s_server_pid= + fi } function check_exit_status { - status=$1 - if [ $status -ne 0 ] ; then - stop_s_server - echo ":-< error occurs, exit status = [ $status ]" - exit $status - else - echo ":-) success. " - fi + status=$1 + if [ $status -ne 0 ] ; then + stop_s_server + echo ":-< error occurs, exit status = [ $status ]" + exit $status + else + echo ":-) success. " + fi } function usage { - echo "usage: appstest.sh [-q]" + echo "usage: appstest.sh [-q]" } -#---------#---------#---------#---------#---------#---------#---------#--------- function test_usage_lists_others { -# === COMMAND USAGE === -section_message "COMMAND USAGE" - -start_message "output usages of all commands." - -cmds=`$openssl_bin list-standard-commands` -$openssl_bin -help 2>> $user1_dir/usages.out -for c in $cmds ; do - $openssl_bin $c -help 2>> $user1_dir/usages.out -done - -start_message "check all list-* commands." 
- -lists="" -lists="$lists list-standard-commands" -lists="$lists list-message-digest-commands list-message-digest-algorithms" -lists="$lists list-cipher-commands list-cipher-algorithms" -lists="$lists list-public-key-algorithms" - -listsfile=$user1_dir/lists.out - -for l in $lists ; do - echo "" >> $listsfile - echo "$l" >> $listsfile - $openssl_bin $l >> $listsfile -done - -start_message "check interactive mode" -$openssl_bin <<__EOF__ + # === COMMAND USAGE === + section_message "COMMAND USAGE" + + start_message "output usages of all commands." + + cmds=`$openssl_bin list-standard-commands` + $openssl_bin -help 2>> $user1_dir/usages.out + for c in $cmds ; do + $openssl_bin $c -help 2>> $user1_dir/usages.out + done + + start_message "check all list-* commands." + + lists="" + lists="$lists list-standard-commands" + lists="$lists list-message-digest-commands list-message-digest-algorithms" + lists="$lists list-cipher-commands list-cipher-algorithms" + lists="$lists list-public-key-algorithms" + + listsfile=$user1_dir/lists.out + + for l in $lists ; do + echo "" >> $listsfile + echo "$l" >> $listsfile + $openssl_bin $l >> $listsfile + done + + start_message "check interactive mode" + $openssl_bin <<__EOF__ help quit __EOF__ -check_exit_status $? - -#---------#---------#---------#---------#---------#---------#---------#--------- - -# --- listing operations --- -section_message "listing operations" - -start_message "ciphers" -$openssl_bin ciphers -V -check_exit_status $? - -start_message "errstr" -$openssl_bin errstr 2606A074 -check_exit_status $? -$openssl_bin errstr -stats 2606A074 > $user1_dir/errstr-stats.out -check_exit_status $? - -#---------#---------#---------#---------#---------#---------#---------#--------- - -# --- random number etc. operations --- -section_message "random number etc. operations" - -start_message "passwd" - -pass="test-pass-1234" - -echo $pass | $openssl_bin passwd -stdin -1 -check_exit_status $? 
- -echo $pass | $openssl_bin passwd -stdin -apr1 -check_exit_status $? - -echo $pass | $openssl_bin passwd -stdin -crypt -check_exit_status $? - -start_message "prime" - -$openssl_bin prime 1 -check_exit_status $? - -$openssl_bin prime 2 -check_exit_status $? - -$openssl_bin prime -bits 64 -checks 3 -generate -hex -safe 5 -check_exit_status $? - -start_message "rand" - -$openssl_bin rand -base64 100 -check_exit_status $? - -$openssl_bin rand -hex 100 -check_exit_status $? + check_exit_status $? + + #---------#---------#---------#---------#---------#---------#--------- + + # --- listing operations --- + section_message "listing operations" + + start_message "ciphers" + $openssl_bin ciphers -V + check_exit_status $? + + start_message "errstr" + $openssl_bin errstr 2606A074 + check_exit_status $? + $openssl_bin errstr -stats 2606A074 > $user1_dir/errstr-stats.out + check_exit_status $? + + #---------#---------#---------#---------#---------#---------#--------- + + # --- random number etc. operations --- + section_message "random number etc. operations" + + start_message "passwd" + + pass="test-pass-1234" + + echo $pass | $openssl_bin passwd -stdin -1 + check_exit_status $? + + echo $pass | $openssl_bin passwd -stdin -apr1 + check_exit_status $? + + echo $pass | $openssl_bin passwd -stdin -crypt + check_exit_status $? + + start_message "prime" + + $openssl_bin prime 1 + check_exit_status $? + + $openssl_bin prime 2 + check_exit_status $? + + $openssl_bin prime -bits 64 -checks 3 -generate -hex -safe 5 + check_exit_status $? + + start_message "rand" + + $openssl_bin rand -base64 100 + check_exit_status $? + + $openssl_bin rand -hex 100 + check_exit_status $? } -#---------#---------#---------#---------#---------#---------#---------#--------- function test_md { -# === MESSAGE DIGEST COMMANDS === -section_message "MESSAGE DIGEST COMMANDS" - -start_message "dgst - See [MESSAGE DIGEST COMMANDS] section." 
- -text="1234567890abcdefghijklmnopqrstuvwxyz" -dgstdat=$user1_dir/dgst.dat -echo $text > $dgstdat -hmac_key="test-hmac-key" -cmac_key="1234567890abcde1234567890abcde12" - -digests=`$openssl_bin list-message-digest-commands` - -for d in $digests ; do - - echo -n "$d ... " - $openssl_bin dgst -$d -out $dgstdat.$d $dgstdat - check_exit_status $? - - echo -n "$d HMAC ... " - $openssl_bin dgst -$d -hmac $hmac_key -out $dgstdat.$d.hmac $dgstdat - check_exit_status $? - - echo -n "$d CMAC ... " - $openssl_bin dgst -$d -mac cmac -macopt cipher:aes-128-cbc -macopt hexkey:$cmac_key \ - -out $dgstdat.$d.cmac $dgstdat - check_exit_status $? -done + # === MESSAGE DIGEST COMMANDS === + section_message "MESSAGE DIGEST COMMANDS" + + start_message "dgst - See [MESSAGE DIGEST COMMANDS] section." + + text="1234567890abcdefghijklmnopqrstuvwxyz" + dgstdat=$user1_dir/dgst.dat + echo $text > $dgstdat + hmac_key="test-hmac-key" + cmac_key="1234567890abcde1234567890abcde12" + + digests=`$openssl_bin list-message-digest-commands` + + for d in $digests ; do + + echo -n "$d ... " + $openssl_bin dgst -$d -out $dgstdat.$d $dgstdat + check_exit_status $? + + echo -n "$d HMAC ... " + $openssl_bin dgst -$d -hmac $hmac_key -out $dgstdat.$d.hmac \ + $dgstdat + check_exit_status $? + + echo -n "$d CMAC ... " + $openssl_bin dgst -$d -mac cmac -macopt cipher:aes-128-cbc \ + -macopt hexkey:$cmac_key -out $dgstdat.$d.cmac $dgstdat + check_exit_status $? + done } -#---------#---------#---------#---------#---------#---------#---------#--------- function test_encoding_cipher { -# === ENCODING AND CIPHER COMMANDS === -section_message "ENCODING AND CIPHER COMMANDS" - -start_message "enc - See [ENCODING AND CIPHER COMMANDS] section." - -text="1234567890abcdefghijklmnopqrstuvwxyz" -encfile=$user1_dir/encfile.dat -echo $text > $encfile -pass="test-pass-1234" - -ciphers=`$openssl_bin list-cipher-commands` - -for c in $ciphers ; do - echo -n "$c ... encoding ... 
" - $openssl_bin enc -$c -e -base64 -pass pass:$pass -in $encfile -out $encfile-$c.enc - check_exit_status $? - - echo -n "decoding ... " - $openssl_bin enc -$c -d -base64 -pass pass:$pass -in $encfile-$c.enc -out $encfile-$c.dec - check_exit_status $? - - echo -n "cmp ... " - cmp $encfile $encfile-$c.dec - check_exit_status $? -done + # === ENCODING AND CIPHER COMMANDS === + section_message "ENCODING AND CIPHER COMMANDS" + + start_message "enc - See [ENCODING AND CIPHER COMMANDS] section." + + text="1234567890abcdefghijklmnopqrstuvwxyz" + encfile=$user1_dir/encfile.dat + echo $text > $encfile + pass="test-pass-1234" + + ciphers=`$openssl_bin list-cipher-commands` + + for c in $ciphers ; do + echo -n "$c ... encoding ... " + $openssl_bin enc -$c -e -base64 -pass pass:$pass \ + -in $encfile -out $encfile-$c.enc + check_exit_status $? + + echo -n "decoding ... " + $openssl_bin enc -$c -d -base64 -pass pass:$pass \ + -in $encfile-$c.enc -out $encfile-$c.dec + check_exit_status $? + + echo -n "cmp ... " + cmp $encfile $encfile-$c.dec + check_exit_status $? + done } -#---------#---------#---------#---------#---------#---------#---------#--------- function test_key { -# === various KEY operations === -section_message "various KEY operations" - -key_pass=test-key-pass - -# DH - -start_message "gendh - Obsoleted by dhparam." -gendh2=$key_dir/gendh2.pem -$openssl_bin gendh -2 -out $gendh2 -check_exit_status $? - -start_message "dh - Obsoleted by dhparam." -$openssl_bin dh -in $gendh2 -check -text -out $gendh2.out -check_exit_status $? - -if [ $no_long_tests = 0 ] ; then - start_message "dhparam - Superseded by genpkey and pkeyparam." - dhparam2=$key_dir/dhparam2.pem - $openssl_bin dhparam -2 -out $dhparam2 - check_exit_status $? - $openssl_bin dhparam -in $dhparam2 -check -text -out $dhparam2.out - check_exit_status $? -else - start_message "SKIPPNG dhparam - Superseded by genpkey and pkeyparam. 
(quick mode)" -fi - -# DSA - -start_message "dsaparam - Superseded by genpkey and pkeyparam." -dsaparam512=$key_dir/dsaparam512.pem -$openssl_bin dsaparam -genkey -out $dsaparam512 512 -check_exit_status $? - -start_message "dsa" -$openssl_bin dsa -in $dsaparam512 -text -out $dsaparam512.out -check_exit_status $? - -start_message "gendsa - Superseded by genpkey and pkey." -gendsa_des3=$key_dir/gendsa_des3.pem -$openssl_bin gendsa -des3 -out $gendsa_des3 -passout pass:$key_pass $dsaparam512 -check_exit_status $? - -# RSA - -start_message "genrsa - Superseded by genpkey." -genrsa_aes256=$key_dir/genrsa_aes256.pem -$openssl_bin genrsa -f4 -aes256 -out $genrsa_aes256 -passout pass:$key_pass 2048 -check_exit_status $? - -start_message "rsa" -$openssl_bin rsa -in $genrsa_aes256 -passin pass:$key_pass -check -text -out $genrsa_aes256.out -check_exit_status $? - -start_message "rsautl - Superseded by pkeyutl." -rsautldat=$key_dir/rsautl.dat -rsautlsig=$key_dir/rsautl.sig -echo "abcdefghijklmnopqrstuvwxyz1234567890" > $rsautldat - -$openssl_bin rsautl -sign -in $rsautldat -inkey $genrsa_aes256 -passin pass:$key_pass -out $rsautlsig -check_exit_status $? - -$openssl_bin rsautl -verify -in $rsautlsig -inkey $genrsa_aes256 -passin pass:$key_pass -check_exit_status $? - -# EC - -start_message "ecparam -list-curves" -$openssl_bin ecparam -list_curves -check_exit_status $? - -# get all EC curves -ec_curves=`$openssl_bin ecparam -list_curves | grep ':' | cut -d ':' -f 1` - -start_message "ecparam and ec" - -for curve in $ec_curves ; -do - ecparam=$key_dir/ecparam_$curve.pem - - echo -n "ec - $curve ... ecparam ... " - $openssl_bin ecparam -out $ecparam -name $curve -genkey -param_enc explicit \ - -conv_form compressed -C - check_exit_status $? - - echo -n "ec ... " - $openssl_bin ec -in $ecparam -text -out $ecparam.out 2> /dev/null - check_exit_status $? 
-done - -# PKEY - -start_message "genpkey" - -# DH by GENPKEY - -genpkey_dh_param=$key_dir/genpkey_dh_param.pem -$openssl_bin genpkey -genparam -algorithm DH -out $genpkey_dh_param \ - -pkeyopt dh_paramgen_prime_len:1024 -check_exit_status $? - -genpkey_dh=$key_dir/genpkey_dh.pem -$openssl_bin genpkey -paramfile $genpkey_dh_param -out $genpkey_dh -check_exit_status $? - -# DSA by GENPKEY - -genpkey_dsa_param=$key_dir/genpkey_dsa_param.pem -$openssl_bin genpkey -genparam -algorithm DSA -out $genpkey_dsa_param \ - -pkeyopt dsa_paramgen_bits:1024 -check_exit_status $? - -genpkey_dsa=$key_dir/genpkey_dsa.pem -$openssl_bin genpkey -paramfile $genpkey_dsa_param -out $genpkey_dsa -check_exit_status $? - -# RSA by GENPKEY - -genpkey_rsa=$key_dir/genpkey_rsa.pem -$openssl_bin genpkey -algorithm RSA -out $genpkey_rsa \ - -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 -check_exit_status $? - -# EC by GENPKEY - -genpkey_ec_param=$key_dir/genpkey_ec_param.pem -$openssl_bin genpkey -genparam -algorithm EC -out $genpkey_ec_param \ - -pkeyopt ec_paramgen_curve:secp384r1 -check_exit_status $? - -genpkey_ec=$key_dir/genpkey_ec.pem -$openssl_bin genpkey -paramfile $genpkey_ec_param -out $genpkey_ec -check_exit_status $? - -start_message "pkeyparam" - -$openssl_bin pkeyparam -in $genpkey_dh_param -text -out $genpkey_dh_param.out -check_exit_status $? - -$openssl_bin pkeyparam -in $genpkey_dsa_param -text -out $genpkey_dsa_param.out -check_exit_status $? - -$openssl_bin pkeyparam -in $genpkey_ec_param -text -out $genpkey_ec_param.out -check_exit_status $? - -start_message "pkey" - -$openssl_bin pkey -in $genpkey_dh -text -out $genpkey_dh.out -check_exit_status $? - -$openssl_bin pkey -in $genpkey_dsa -text -out $genpkey_dsa.out -check_exit_status $? - -$openssl_bin pkey -in $genpkey_rsa -text -out $genpkey_rsa.out -check_exit_status $? - -$openssl_bin pkey -in $genpkey_ec -text -out $genpkey_ec.out -check_exit_status $? 
- -start_message "pkeyutl" - -pkeyutldat=$key_dir/pkeyutl.dat -pkeyutlsig=$key_dir/pkeyutl.sig -echo "abcdefghijklmnopqrstuvwxyz1234567890" > $pkeyutldat - -$openssl_bin pkeyutl -sign -in $pkeyutldat -inkey $genpkey_rsa -out $pkeyutlsig -check_exit_status $? - -$openssl_bin pkeyutl -verify -in $pkeyutldat -sigfile $pkeyutlsig -inkey $genpkey_rsa -check_exit_status $? - -$openssl_bin pkeyutl -verifyrecover -in $pkeyutlsig -inkey $genpkey_rsa -check_exit_status $? + # === various KEY operations === + section_message "various KEY operations" + + key_pass=test-key-pass + + # DH + + start_message "gendh - Obsoleted by dhparam." + gendh2=$key_dir/gendh2.pem + $openssl_bin gendh -2 -out $gendh2 + check_exit_status $? + + start_message "dh - Obsoleted by dhparam." + $openssl_bin dh -in $gendh2 -check -text -out $gendh2.out + check_exit_status $? + + if [ $no_long_tests = 0 ] ; then + start_message "dhparam - Superseded by genpkey and pkeyparam." + dhparam2=$key_dir/dhparam2.pem + $openssl_bin dhparam -2 -out $dhparam2 + check_exit_status $? + $openssl_bin dhparam -in $dhparam2 -check -text \ + -out $dhparam2.out + check_exit_status $? + else + start_message "SKIPPNG dhparam - Superseded by genpkey and pkeyparam. (quick mode)" + fi + + # DSA + + start_message "dsaparam - Superseded by genpkey and pkeyparam." + dsaparam512=$key_dir/dsaparam512.pem + $openssl_bin dsaparam -genkey -out $dsaparam512 512 + check_exit_status $? + + start_message "dsa" + $openssl_bin dsa -in $dsaparam512 -text -out $dsaparam512.out + check_exit_status $? + + start_message "gendsa - Superseded by genpkey and pkey." + gendsa_des3=$key_dir/gendsa_des3.pem + $openssl_bin gendsa -des3 -out $gendsa_des3 \ + -passout pass:$key_pass $dsaparam512 + check_exit_status $? + + # RSA + + start_message "genrsa - Superseded by genpkey." + genrsa_aes256=$key_dir/genrsa_aes256.pem + $openssl_bin genrsa -f4 -aes256 -out $genrsa_aes256 \ + -passout pass:$key_pass 2048 + check_exit_status $? 
+ + start_message "rsa" + $openssl_bin rsa -in $genrsa_aes256 -passin pass:$key_pass \ + -check -text -out $genrsa_aes256.out + check_exit_status $? + + start_message "rsautl - Superseded by pkeyutl." + rsautldat=$key_dir/rsautl.dat + rsautlsig=$key_dir/rsautl.sig + echo "abcdefghijklmnopqrstuvwxyz1234567890" > $rsautldat + + $openssl_bin rsautl -sign -in $rsautldat -inkey $genrsa_aes256 \ + -passin pass:$key_pass -out $rsautlsig + check_exit_status $? + + $openssl_bin rsautl -verify -in $rsautlsig -inkey $genrsa_aes256 \ + -passin pass:$key_pass + check_exit_status $? + + # EC + + start_message "ecparam -list-curves" + $openssl_bin ecparam -list_curves + check_exit_status $? + + # get all EC curves + ec_curves=`$openssl_bin ecparam -list_curves | grep ':' | cut -d ':' -f 1` + + start_message "ecparam and ec" + + for curve in $ec_curves ; + do + ecparam=$key_dir/ecparam_$curve.pem + + echo -n "ec - $curve ... ecparam ... " + $openssl_bin ecparam -out $ecparam -name $curve -genkey \ + -param_enc explicit -conv_form compressed -C + check_exit_status $? + + echo -n "ec ... " + $openssl_bin ec -in $ecparam -text \ + -out $ecparam.out 2> /dev/null + check_exit_status $? + done + + # PKEY + + start_message "genpkey" + + # DH by GENPKEY + + genpkey_dh_param=$key_dir/genpkey_dh_param.pem + $openssl_bin genpkey -genparam -algorithm DH -out $genpkey_dh_param \ + -pkeyopt dh_paramgen_prime_len:1024 + check_exit_status $? + + genpkey_dh=$key_dir/genpkey_dh.pem + $openssl_bin genpkey -paramfile $genpkey_dh_param -out $genpkey_dh + check_exit_status $? + + # DSA by GENPKEY + + genpkey_dsa_param=$key_dir/genpkey_dsa_param.pem + $openssl_bin genpkey -genparam -algorithm DSA -out $genpkey_dsa_param \ + -pkeyopt dsa_paramgen_bits:1024 + check_exit_status $? + + genpkey_dsa=$key_dir/genpkey_dsa.pem + $openssl_bin genpkey -paramfile $genpkey_dsa_param -out $genpkey_dsa + check_exit_status $? 
+ + # RSA by GENPKEY + + genpkey_rsa=$key_dir/genpkey_rsa.pem + $openssl_bin genpkey -algorithm RSA -out $genpkey_rsa \ + -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 + check_exit_status $? + + # EC by GENPKEY + + genpkey_ec_param=$key_dir/genpkey_ec_param.pem + $openssl_bin genpkey -genparam -algorithm EC -out $genpkey_ec_param \ + -pkeyopt ec_paramgen_curve:secp384r1 + check_exit_status $? + + genpkey_ec=$key_dir/genpkey_ec.pem + $openssl_bin genpkey -paramfile $genpkey_ec_param -out $genpkey_ec + check_exit_status $? + + start_message "pkeyparam" + + $openssl_bin pkeyparam -in $genpkey_dh_param -text \ + -out $genpkey_dh_param.out + check_exit_status $? + + $openssl_bin pkeyparam -in $genpkey_dsa_param -text \ + -out $genpkey_dsa_param.out + check_exit_status $? + + $openssl_bin pkeyparam -in $genpkey_ec_param -text \ + -out $genpkey_ec_param.out + check_exit_status $? + + start_message "pkey" + + $openssl_bin pkey -in $genpkey_dh -text -out $genpkey_dh.out + check_exit_status $? + + $openssl_bin pkey -in $genpkey_dsa -text -out $genpkey_dsa.out + check_exit_status $? + + $openssl_bin pkey -in $genpkey_rsa -text -out $genpkey_rsa.out + check_exit_status $? + + $openssl_bin pkey -in $genpkey_ec -text -out $genpkey_ec.out + check_exit_status $? + + start_message "pkeyutl" + + pkeyutldat=$key_dir/pkeyutl.dat + pkeyutlsig=$key_dir/pkeyutl.sig + echo "abcdefghijklmnopqrstuvwxyz1234567890" > $pkeyutldat + + $openssl_bin pkeyutl -sign -in $pkeyutldat -inkey $genpkey_rsa \ + -out $pkeyutlsig + check_exit_status $? + + $openssl_bin pkeyutl -verify -in $pkeyutldat -sigfile $pkeyutlsig \ + -inkey $genpkey_rsa + check_exit_status $? + + $openssl_bin pkeyutl -verifyrecover -in $pkeyutlsig -inkey $genpkey_rsa + check_exit_status $? 
} -#---------#---------#---------#---------#---------#---------#---------#--------- function test_pki { -section_message "setup local CA" + section_message "setup local CA" -# -# prepare test openssl.cnf -# + # + # prepare test openssl.cnf + # -cat << __EOF__ > $ssldir/openssl.cnf -oid_section = new_oids + cat << __EOF__ > $ssldir/openssl.cnf +oid_section = new_oids [ new_oids ] tsa_policy1 = 1.2.3.4.1 tsa_policy2 = 1.2.3.4.5.6 
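Review bot: The quick-mode branch of test_key still prints the misspelled `SKIPPNG` and is the one new line in this hunk left unwrapped after the commit's line-length pass; `start_message "SKIPPING dhparam - Superseded by genpkey and pkeyparam. (quick mode)"` fixes the typo, and the argument can go on a continuation line after `start_message \` to stay within the width used elsewhere. The test just above it, `if [ $no_long_tests = 0 ] ; then`, leaves the variable unquoted, so an empty value becomes a `[` syntax error rather than a clean skip; `if [ "$no_long_tests" = 0 ] ; then` is the safe form. The same unquoted-test pattern appears in the reindented `check_exit_status` (`if [ $status -ne 0 ]`), which this commit also touches only for whitespace.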
@@ -451,622 +461,643 @@ keyUsage = nonRepudiation,digitalSignature,keyEncipherment extendedKeyUsage = OCSPSigning __EOF__ -#---------#---------#---------#---------#---------#---------#---------#--------- - -# -# setup test CA -# - -mkdir -p $ca_dir -mkdir -p $tsa_dir -mkdir -p $ocsp_dir -mkdir -p $server_dir - -mkdir -p $ca_dir/certs -mkdir -p $ca_dir/private -mkdir -p $ca_dir/crl -mkdir -p $ca_dir/newcerts -chmod 700 $ca_dir/private -echo "01" > $ca_dir/serial -touch $ca_dir/index.txt -touch $ca_dir/crlnumber -echo "01" > $ca_dir/crlnumber - -# -# setup test TSA -# -mkdir -p $tsa_dir/private -chmod 700 $tsa_dir/private -echo "01" > $tsa_dir/serial -touch $tsa_dir/index.txt - -# -# setup test OCSP -# -mkdir -p $ocsp_dir/private -chmod 700 $ocsp_dir/private - -#---------#---------#---------#---------#---------#---------#---------#--------- - -# --- CA initiate (generate CA key and cert) --- - -start_message "req ... generate CA key and self signed cert" - -ca_cert=$ca_dir/ca_cert.pem -ca_key=$ca_dir/private/ca_key.pem ca_pass=test-ca-pass - -if [ $mingw = 0 ] ; then - subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testCA.test_dummy.com/' -else - subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testTSA.test_dummy.com\' -fi - -$openssl_bin req -new -x509 -newkey rsa:2048 -out $ca_cert -keyout $ca_key \ - -days 1 -passout pass:$ca_pass -batch -subj $subj -check_exit_status $? - -#---------#---------#---------#---------#---------#---------#---------#--------- - -# --- TSA initiate (generate TSA key and cert) --- - -start_message "req ... generate TSA key and cert" - -# generate CSR for TSA - -tsa_csr=$tsa_dir/tsa_csr.pem -tsa_key=$tsa_dir/private/tsa_key.pem -tsa_pass=test-tsa-pass - -if [ $mingw = 0 ] ; then - subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testTSA.test_dummy.com/' -else - subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testTSA.test_dummy.com\' -fi - -$openssl_bin req -new -keyout $tsa_key -out $tsa_csr -passout pass:$tsa_pass -subj $subj -check_exit_status $? 
- -start_message "ca ... sign by CA with TSA extensions" - -tsa_cert=$tsa_dir/tsa_cert.pem - -$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ --in $tsa_csr -out $tsa_cert -extensions tsa_ext -check_exit_status $? - -#---------#---------#---------#---------#---------#---------#---------#--------- - -# --- OCSP initiate (generate OCSP key and cert) --- - -start_message "req ... generate OCSP key and cert" - -# generate CSR for OCSP - -ocsp_csr=$ocsp_dir/ocsp_csr.pem -ocsp_key=$ocsp_dir/private/ocsp_key.pem - -if [ $mingw = 0 ] ; then - subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testOCSP.test_dummy.com/' -else - subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testOCSP.test_dummy.com\' -fi - -$openssl_bin req -new -keyout $ocsp_key -nodes -out $ocsp_csr -subj $subj -check_exit_status $? - -start_message "ca ... sign by CA with OCSP extensions" - -ocsp_cert=$ocsp_dir/ocsp_cert.pem - -$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ --in $ocsp_csr -out $ocsp_cert -extensions ocsp_ext -check_exit_status $? - -#---------#---------#---------#---------#---------#---------#---------#--------- - -# --- server-admin operations (generate server key and csr) --- -section_message "server-admin operations (generate server key and csr)" - -start_message "req ... generate server csr#1" - -server_key=$server_dir/server_key.pem -server_csr=$server_dir/server_csr.pem -server_pass=test-server-pass - -if [ $mingw = 0 ] ; then - subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=localhost.test_dummy.com/' -else - subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=localhost.test_dummy.com\' -fi - -$openssl_bin req -new -keyout $server_key -out $server_csr -passout pass:$server_pass -subj $subj -check_exit_status $? - -start_message "req ... 
generate server csr#2 (interactive mode)" - -revoke_key=$server_dir/revoke_key.pem -revoke_csr=$server_dir/revoke_csr.pem -revoke_pass=test-revoke-pass - -$openssl_bin req -new -keyout $revoke_key -out $revoke_csr -passout pass:$revoke_pass <<__EOF__ + #---------#---------#---------#---------#---------#---------#--------- + + # + # setup test CA + # + + mkdir -p $ca_dir + mkdir -p $tsa_dir + mkdir -p $ocsp_dir + mkdir -p $server_dir + + mkdir -p $ca_dir/certs + mkdir -p $ca_dir/private + mkdir -p $ca_dir/crl + mkdir -p $ca_dir/newcerts + chmod 700 $ca_dir/private + echo "01" > $ca_dir/serial + touch $ca_dir/index.txt + touch $ca_dir/crlnumber + echo "01" > $ca_dir/crlnumber + + # + # setup test TSA + # + mkdir -p $tsa_dir/private + chmod 700 $tsa_dir/private + echo "01" > $tsa_dir/serial + touch $tsa_dir/index.txt + + # + # setup test OCSP + # + mkdir -p $ocsp_dir/private + chmod 700 $ocsp_dir/private + + #---------#---------#---------#---------#---------#---------#--------- + + # --- CA initiate (generate CA key and cert) --- + + start_message "req ... generate CA key and self signed cert" + + ca_cert=$ca_dir/ca_cert.pem + ca_key=$ca_dir/private/ca_key.pem ca_pass=test-ca-pass + + if [ $mingw = 0 ] ; then + subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testCA.test_dummy.com/' + else + subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testTSA.test_dummy.com\' + fi + + $openssl_bin req -new -x509 -newkey rsa:2048 -out $ca_cert \ + -keyout $ca_key -days 1 -passout pass:$ca_pass -batch \ + -subj $subj + check_exit_status $? + + #---------#---------#---------#---------#---------#---------#--------- + + # --- TSA initiate (generate TSA key and cert) --- + + start_message "req ... 
generate TSA key and cert" + + # generate CSR for TSA + + tsa_csr=$tsa_dir/tsa_csr.pem + tsa_key=$tsa_dir/private/tsa_key.pem + tsa_pass=test-tsa-pass + + if [ $mingw = 0 ] ; then + subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testTSA.test_dummy.com/' + else + subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testTSA.test_dummy.com\' + fi + + $openssl_bin req -new -keyout $tsa_key -out $tsa_csr \ + -passout pass:$tsa_pass -subj $subj + check_exit_status $? + + start_message "ca ... sign by CA with TSA extensions" + + tsa_cert=$tsa_dir/tsa_cert.pem + + $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ + -in $tsa_csr -out $tsa_cert -extensions tsa_ext + check_exit_status $? + + #---------#---------#---------#---------#---------#---------#--------- + + # --- OCSP initiate (generate OCSP key and cert) --- + + start_message "req ... generate OCSP key and cert" + + # generate CSR for OCSP + + ocsp_csr=$ocsp_dir/ocsp_csr.pem + ocsp_key=$ocsp_dir/private/ocsp_key.pem + + if [ $mingw = 0 ] ; then + subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testOCSP.test_dummy.com/' + else + subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testOCSP.test_dummy.com\' + fi + + $openssl_bin req -new -keyout $ocsp_key -nodes -out $ocsp_csr \ + -subj $subj + check_exit_status $? + + start_message "ca ... sign by CA with OCSP extensions" + + ocsp_cert=$ocsp_dir/ocsp_cert.pem + + $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ + -in $ocsp_csr -out $ocsp_cert -extensions ocsp_ext + check_exit_status $? + + #---------#---------#---------#---------#---------#---------#--------- + + # --- server-admin operations (generate server key and csr) --- + section_message "server-admin operations (generate server key and csr)" + + start_message "req ... 
generate server csr#1" + + server_key=$server_dir/server_key.pem + server_csr=$server_dir/server_csr.pem + server_pass=test-server-pass + + if [ $mingw = 0 ] ; then + subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=localhost.test_dummy.com/' + else + subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=localhost.test_dummy.com\' + fi + + $openssl_bin req -new -keyout $server_key -out $server_csr \ + -passout pass:$server_pass -subj $subj + check_exit_status $? + + start_message "req ... generate server csr#2 (interactive mode)" + + revoke_key=$server_dir/revoke_key.pem + revoke_csr=$server_dir/revoke_csr.pem + revoke_pass=test-revoke-pass + + $openssl_bin req -new -keyout $revoke_key -out $revoke_csr \ + -passout pass:$revoke_pass <<__EOF__ JP Tokyo TEST_DUMMY_COMPANY revoke.test_dummy.com __EOF__ -check_exit_status $? - -#---------#---------#---------#---------#---------#---------#---------#--------- - -# --- CA operations (issue cert for server) --- -section_message "CA operations (issue cert for server)" - -start_message "ca ... issue cert for server csr#1" - -server_cert=$server_dir/server_cert.pem -$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ - -in $server_csr -out $server_cert -check_exit_status $? - -start_message "x509 ... issue cert for server csr#2" - -revoke_cert=$server_dir/revoke_cert.pem -$openssl_bin x509 -req -in $revoke_csr -CA $ca_cert -CAkey $ca_key -passin pass:$ca_pass \ - -CAcreateserial -out $revoke_cert -check_exit_status $? - -#---------#---------#---------#---------#---------#---------#---------#--------- - -# --- CA operations (revoke cert and generate crl) --- -section_message "CA operations (revoke cert and generate crl)" - -start_message "ca ... revoke server cert#2" -crl_file=$ca_dir/crl.pem -$openssl_bin ca -gencrl -out $crl_file -crldays 30 -revoke $revoke_cert \ - -keyfile $ca_key -passin pass:$ca_pass -cert $ca_cert -check_exit_status $? - -start_message "crl ... 
CA generates CRL" -$openssl_bin crl -in $crl_file -fingerprint -check_exit_status $? - -crl_p7=$ca_dir/crl.p7 -start_message "crl2pkcs7 ... convert CRL to pkcs7" -$openssl_bin crl2pkcs7 -in $crl_file -certfile $ca_cert -out $crl_p7 -check_exit_status $? - -#---------#---------#---------#---------#---------#---------#---------#--------- - -# --- server-admin operations (check csr, verify cert, certhash) --- -section_message "server-admin operations (check csr, verify cert, certhash)" - -start_message "asn1parse ... parse server csr#1" -$openssl_bin asn1parse -in $server_csr -i \ - -dlimit 100 -length 1000 -strparse 01 > $server_csr.asn1parse.out -check_exit_status $? - -start_message "verify ... server cert#1" -$openssl_bin verify -verbose -CAfile $ca_cert $server_cert -check_exit_status $? - -start_message "x509 ... get detail info about server cert#1" -$openssl_bin x509 -in $server_cert -text -C -dates -startdate -enddate \ - -fingerprint -issuer -issuer_hash -issuer_hash_old \ - -subject -subject_hash -subject_hash_old -ocsp_uri -ocspid -modulus \ - -pubkey -serial -email > $server_cert.x509.out -check_exit_status $? - -if [ $mingw = 0 ] ; then - start_message "certhash" - $openssl_bin certhash -v $server_dir - check_exit_status $? -fi - -# self signed -start_message "x509 ... generate self signed server cert" -server_self_cert=$server_dir/server_self_cert.pem -$openssl_bin x509 -in $server_cert -signkey $server_key -passin pass:$server_pass -out $server_self_cert -check_exit_status $? - -#---------#---------#---------#---------#---------#---------#---------#--------- - -# --- Netscape SPKAC operations --- -section_message "Netscape SPKAC operations" - -# server-admin generates SPKAC - -start_message "spkac" -spkacfile=$server_dir/spkac.file - -$openssl_bin spkac -key $genpkey_rsa -challenge hello -out $spkacfile -check_exit_status $? - -$openssl_bin spkac -in $spkacfile -verify -out $spkacfile.out -check_exit_status $? 
- -spkacreq=$server_dir/spkac.req -cat << __EOF__ > $spkacreq + check_exit_status $? + + #---------#---------#---------#---------#---------#---------#--------- + + # --- CA operations (issue cert for server) --- + section_message "CA operations (issue cert for server)" + + start_message "ca ... issue cert for server csr#1" + + server_cert=$server_dir/server_cert.pem + $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ + -in $server_csr -out $server_cert + check_exit_status $? + + start_message "x509 ... issue cert for server csr#2" + + revoke_cert=$server_dir/revoke_cert.pem + $openssl_bin x509 -req -in $revoke_csr -CA $ca_cert -CAkey $ca_key \ + -passin pass:$ca_pass -CAcreateserial -out $revoke_cert + check_exit_status $? + + #---------#---------#---------#---------#---------#---------#--------- + + # --- CA operations (revoke cert and generate crl) --- + section_message "CA operations (revoke cert and generate crl)" + + start_message "ca ... revoke server cert#2" + crl_file=$ca_dir/crl.pem + $openssl_bin ca -gencrl -out $crl_file -crldays 30 \ + -revoke $revoke_cert \ + -keyfile $ca_key -passin pass:$ca_pass -cert $ca_cert + check_exit_status $? + + start_message "crl ... CA generates CRL" + $openssl_bin crl -in $crl_file -fingerprint + check_exit_status $? + + crl_p7=$ca_dir/crl.p7 + start_message "crl2pkcs7 ... convert CRL to pkcs7" + $openssl_bin crl2pkcs7 -in $crl_file -certfile $ca_cert -out $crl_p7 + check_exit_status $? + + #---------#---------#---------#---------#---------#---------#--------- + + # --- server-admin operations (check csr, verify cert, certhash) --- + section_message "server-admin operations (check csr, verify cert, certhash)" + + start_message "asn1parse ... parse server csr#1" + $openssl_bin asn1parse -in $server_csr -i -dlimit 100 -length 1000 \ + -strparse 01 > $server_csr.asn1parse.out + check_exit_status $? + + start_message "verify ... 
server cert#1" + $openssl_bin verify -verbose -CAfile $ca_cert $server_cert + check_exit_status $? + + start_message "x509 ... get detail info about server cert#1" + $openssl_bin x509 -in $server_cert -text -C -dates -startdate -enddate \ + -fingerprint -issuer -issuer_hash -issuer_hash_old \ + -subject -subject_hash -subject_hash_old -ocsp_uri \ + -ocspid -modulus -pubkey -serial -email > $server_cert.x509.out + check_exit_status $? + + if [ $mingw = 0 ] ; then + start_message "certhash" + $openssl_bin certhash -v $server_dir + check_exit_status $? + fi + + # self signed + start_message "x509 ... generate self signed server cert" + server_self_cert=$server_dir/server_self_cert.pem + $openssl_bin x509 -in $server_cert -signkey $server_key \ + -passin pass:$server_pass -out $server_self_cert + check_exit_status $? + + #---------#---------#---------#---------#---------#---------#--------- + + # --- Netscape SPKAC operations --- + section_message "Netscape SPKAC operations" + + # server-admin generates SPKAC + + start_message "spkac" + spkacfile=$server_dir/spkac.file + + $openssl_bin spkac -key $genpkey_rsa -challenge hello -out $spkacfile + check_exit_status $? + + $openssl_bin spkac -in $spkacfile -verify -out $spkacfile.out + check_exit_status $? + + spkacreq=$server_dir/spkac.req + cat << __EOF__ > $spkacreq countryName = JP stateOrProvinceName = Tokyo organizationName = TEST_DUMMY_COMPANY commonName = spkac.test_dummy.com __EOF__ -cat $spkacfile >> $spkacreq - -# CA signs SPKAC -start_message "ca ... CA signs SPKAC csr" -spkaccert=$server_dir/spkac.cert -$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ - -spkac $spkacreq -out $spkaccert -check_exit_status $? - -start_message "x509 ... convert DER format SPKAC cert to PEM" -spkacpem=$server_dir/spkac.pem -$openssl_bin x509 -in $spkaccert -inform DER -out $spkacpem -outform PEM -check_exit_status $? 
- -# server-admin cert verify - -start_message "nseq" -$openssl_bin nseq -in $spkacpem -toseq -out $spkacpem.nseq -check_exit_status $? - -#---------#---------#---------#---------#---------#---------#---------#--------- - -# --- user1 operations (generate user1 key and csr) --- -section_message "user1 operations (generate user1 key and csr)" - -# trust -start_message "x509 ... trust testCA cert" -user1_trust=$user1_dir/user1_trust_ca.pem -$openssl_bin x509 -in $ca_cert -addtrust clientAuth -setalias "trusted testCA" -purpose -out $user1_trust -check_exit_status $? - -start_message "req ... generate private key and csr for user1" - -user1_key=$user1_dir/user1_key.pem -user1_csr=$user1_dir/user1_csr.pem -user1_pass=test-user1-pass - -if [ $mingw = 0 ] ; then - subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user1.test_dummy.com/' -else - subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user1.test_dummy.com\' -fi - -$openssl_bin req -new -keyout $user1_key -out $user1_csr -passout pass:$user1_pass -subj $subj -check_exit_status $? - -#---------#---------#---------#---------#---------#---------#---------#--------- - -# --- CA operations (issue cert for user1) --- -section_message "CA operations (issue cert for user1)" - -start_message "ca ... issue cert for user1" - -user1_cert=$user1_dir/user1_cert.pem -$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ - -in $user1_csr -out $user1_cert -check_exit_status $? + cat $spkacfile >> $spkacreq + + # CA signs SPKAC + start_message "ca ... CA signs SPKAC csr" + spkaccert=$server_dir/spkac.cert + $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ + -spkac $spkacreq -out $spkaccert + check_exit_status $? + + start_message "x509 ... convert DER format SPKAC cert to PEM" + spkacpem=$server_dir/spkac.pem + $openssl_bin x509 -in $spkaccert -inform DER -out $spkacpem -outform PEM + check_exit_status $? 
+ + # server-admin cert verify + + start_message "nseq" + $openssl_bin nseq -in $spkacpem -toseq -out $spkacpem.nseq + check_exit_status $? + + #---------#---------#---------#---------#---------#---------#--------- + + # --- user1 operations (generate user1 key and csr) --- + section_message "user1 operations (generate user1 key and csr)" + + # trust + start_message "x509 ... trust testCA cert" + user1_trust=$user1_dir/user1_trust_ca.pem + $openssl_bin x509 -in $ca_cert -addtrust clientAuth \ + -setalias "trusted testCA" -purpose -out $user1_trust + check_exit_status $? + + start_message "req ... generate private key and csr for user1" + + user1_key=$user1_dir/user1_key.pem + user1_csr=$user1_dir/user1_csr.pem + user1_pass=test-user1-pass + + if [ $mingw = 0 ] ; then + subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user1.test_dummy.com/' + else + subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user1.test_dummy.com\' + fi + + $openssl_bin req -new -keyout $user1_key -out $user1_csr \ + -passout pass:$user1_pass -subj $subj + check_exit_status $? + + #---------#---------#---------#---------#---------#---------#--------- + + # --- CA operations (issue cert for user1) --- + section_message "CA operations (issue cert for user1)" + + start_message "ca ... issue cert for user1" + + user1_cert=$user1_dir/user1_cert.pem + $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ + -in $user1_csr -out $user1_cert + check_exit_status $? } -#---------#---------#---------#---------#---------#---------#---------#--------- function test_tsa { -# --- TSA operations --- -section_message "TSA operations" - -tsa_dat=$user1_dir/tsa.dat -cat << __EOF__ > $tsa_dat + # --- TSA operations --- + section_message "TSA operations" + + tsa_dat=$user1_dir/tsa.dat + cat << __EOF__ > $tsa_dat Hello Bob, Sincerely yours Alice __EOF__ -# Query -start_message "ts ... 
create time stamp request"
-
-tsa_tsq=$user1_dir/tsa.tsq
-
-$openssl_bin ts -query -sha1 -data $tsa_dat -no_nonce -out $tsa_tsq
-check_exit_status $?
-
-start_message "ts ... print time stamp request"
-
-$openssl_bin ts -query -in $tsa_tsq -text
-check_exit_status $?
-
-# Reply
-start_message "ts ... create time stamp response for a request"
-
-tsa_tsr=$user1_dir/tsa.tsr
-
-$openssl_bin ts -reply -queryfile $tsa_tsq -inkey $tsa_key -passin pass:$tsa_pass \
- -signer $tsa_cert -chain $ca_cert -out $tsa_tsr
-check_exit_status $?
-
-# Verify
-start_message "ts ... verify time stamp response"
-
-$openssl_bin ts -verify -queryfile $tsa_tsq -in $tsa_tsr -CAfile $ca_cert -untrusted $tsa_cert
-check_exit_status $?
+ # Query
+ start_message "ts ... create time stamp request"
+
+ tsa_tsq=$user1_dir/tsa.tsq
+
+ $openssl_bin ts -query -sha1 -data $tsa_dat -no_nonce -out $tsa_tsq
+ check_exit_status $?
+
+ start_message "ts ... print time stamp request"
+
+ $openssl_bin ts -query -in $tsa_tsq -text
+ check_exit_status $?
+
+ # Reply
+ start_message "ts ... create time stamp response for a request"
+
+ tsa_tsr=$user1_dir/tsa.tsr
+
+ $openssl_bin ts -reply -queryfile $tsa_tsq -inkey $tsa_key \
+ -passin pass:$tsa_pass -signer $tsa_cert -chain $ca_cert \
+ -out $tsa_tsr
+ check_exit_status $?
+
+ # Verify
+ start_message "ts ... verify time stamp response"
+
+ $openssl_bin ts -verify -queryfile $tsa_tsq -in $tsa_tsr \
+ -CAfile $ca_cert -untrusted $tsa_cert
+ check_exit_status $?
}
-#---------#---------#---------#---------#---------#---------#---------#---------
 function test_smime {
-# --- S/MIME operations ---
-section_message "S/MIME operations"
-
-smime_txt=$user1_dir/smime.txt
-smime_msg=$user1_dir/smime.msg
-smime_ver=$user1_dir/smime.ver
-
-cat << __EOF__ > $smime_txt
+ # --- S/MIME operations ---
+ section_message "S/MIME operations"
+
+ smime_txt=$user1_dir/smime.txt
+ smime_msg=$user1_dir/smime.msg
+ smime_ver=$user1_dir/smime.ver
+
+ cat << __EOF__ > $smime_txt
 Hello Bob,
 Sincerely yours
 Alice
 __EOF__
-
-# sign
-start_message "smime ... sign to message"
-
-$openssl_bin smime -sign -in $smime_txt -text -out $smime_msg \
- -signer $user1_cert -inkey $user1_key -passin pass:$user1_pass
-check_exit_status $?
-
-# verify
-start_message "smime ... verify message"
-
-$openssl_bin smime -verify -in $smime_msg -signer $user1_cert -CAfile $ca_cert -out $smime_ver
-check_exit_status $?
+
+ # sign
+ start_message "smime ... sign to message"
+
+ $openssl_bin smime -sign -in $smime_txt -text -out $smime_msg \
+ -signer $user1_cert -inkey $user1_key -passin pass:$user1_pass
+ check_exit_status $?
+
+ # verify
+ start_message "smime ... verify message"
+
+ $openssl_bin smime -verify -in $smime_msg -signer $user1_cert \
+ -CAfile $ca_cert -out $smime_ver
+ check_exit_status $?
 }
-#---------#---------#---------#---------#---------#---------#---------#---------
 function test_ocsp {
-# --- OCSP operations ---
-section_message "OCSP operations"
-
-# request
-start_message "ocsp ... create OCSP request"
-
-ocsp_req=$user1_dir/ocsp_req.der
-$openssl_bin ocsp -issuer $ca_cert -cert $server_cert -cert $revoke_cert \
- -CAfile $ca_cert -reqout $ocsp_req
-check_exit_status $?
-
-# response
-start_message "ocsp ... 
create OCPS response for a request" - -ocsp_res=$user1_dir/ocsp_res.der -$openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert -CAfile $ca_cert \ - -rsigner $ocsp_cert -rkey $ocsp_key -reqin $ocsp_req -respout $ocsp_res -text > $ocsp_res.out 2>&1 -check_exit_status $? - -# ocsp server -start_message "ocsp ... start OCSP server in background" - -ocsp_port=8888 - -$openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert -CAfile $ca_cert \ - -rsigner $ocsp_cert -rkey $ocsp_key -port '*:'$ocsp_port -nrequest 1 & -check_exit_status $? -ocsp_svr_pid=$! -echo "ocsp server pid = [ $ocsp_svr_pid ]" -sleep 1 - -# send query to ocsp server -start_message "ocsp ... send OCSP request to server" - -ocsp_qry=$user1_dir/ocsp_qry.der -$openssl_bin ocsp -issuer $ca_cert -cert $server_cert -cert $revoke_cert \ - -CAfile $ca_cert -url http://localhost:$ocsp_port -resp_text -respout $ocsp_qry > $ocsp_qry.out 2>&1 -check_exit_status $? + # --- OCSP operations --- + section_message "OCSP operations" + + # request + start_message "ocsp ... create OCSP request" + + ocsp_req=$user1_dir/ocsp_req.der + $openssl_bin ocsp -issuer $ca_cert -cert $server_cert \ + -cert $revoke_cert -CAfile $ca_cert -reqout $ocsp_req + check_exit_status $? + + # response + start_message "ocsp ... create OCPS response for a request" + + ocsp_res=$user1_dir/ocsp_res.der + $openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert \ + -CAfile $ca_cert -rsigner $ocsp_cert -rkey $ocsp_key \ + -reqin $ocsp_req -respout $ocsp_res -text > $ocsp_res.out 2>&1 + check_exit_status $? + + # ocsp server + start_message "ocsp ... start OCSP server in background" + + ocsp_port=8888 + + $openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert \ + -CAfile $ca_cert -rsigner $ocsp_cert -rkey $ocsp_key \ + -port '*:'$ocsp_port -nrequest 1 & + check_exit_status $? + ocsp_svr_pid=$! + echo "ocsp server pid = [ $ocsp_svr_pid ]" + sleep 1 + + # send query to ocsp server + start_message "ocsp ... 
send OCSP request to server" + + ocsp_qry=$user1_dir/ocsp_qry.der + $openssl_bin ocsp -issuer $ca_cert -cert $server_cert \ + -cert $revoke_cert -CAfile $ca_cert \ + -url http://localhost:$ocsp_port -resp_text \ + -respout $ocsp_qry > $ocsp_qry.out 2>&1 + check_exit_status $? } -#---------#---------#---------#---------#---------#---------#---------#--------- function test_pkcs { -# --- PKCS operations --- -section_message "PKCS operations" - -pkcs_pass=test-pkcs-pass - -start_message "pkcs7 ... output certs in crl(pkcs7)" -$openssl_bin pkcs7 -in $crl_p7 -print_certs -text -out $crl_p7.out -check_exit_status $? - -start_message "pkcs8 ... convert key to pkcs8" -$openssl_bin pkcs8 -in $user1_key -topk8 -out $user1_key.p8 \ - -passin pass:$user1_pass -passout pass:$user1_pass -v1 pbeWithSHA1AndDES-CBC -v2 des3 -check_exit_status $? - -start_message "pkcs8 ... convert pkcs8 to key in DER format" -$openssl_bin pkcs8 -in $user1_key.p8 -passin pass:$user1_pass -outform DER -out $user1_key.p8.der -check_exit_status $? - -start_message "pkcs12 ... create" -$openssl_bin pkcs12 -export -in $server_cert -inkey $server_key -passin pass:$server_pass \ - -certfile $ca_cert -CAfile $ca_cert -caname "server_p12" -passout pass:$pkcs_pass \ - -certpbe AES-256-CBC -keypbe AES-256-CBC -chain -out $server_cert.p12 -check_exit_status $? - -start_message "pkcs12 ... verify" -$openssl_bin pkcs12 -in $server_cert.p12 -passin pass:$pkcs_pass -info -noout -check_exit_status $? - -start_message "pkcs12 ... to PEM" -$openssl_bin pkcs12 -in $server_cert.p12 -passin pass:$pkcs_pass \ - -passout pass:$pkcs_pass -out $server_cert.p12.pem -check_exit_status $? + # --- PKCS operations --- + section_message "PKCS operations" + + pkcs_pass=test-pkcs-pass + + start_message "pkcs7 ... output certs in crl(pkcs7)" + $openssl_bin pkcs7 -in $crl_p7 -print_certs -text -out $crl_p7.out + check_exit_status $? + + start_message "pkcs8 ... 
convert key to pkcs8" + $openssl_bin pkcs8 -in $user1_key -topk8 -out $user1_key.p8 \ + -passin pass:$user1_pass -passout pass:$user1_pass \ + -v1 pbeWithSHA1AndDES-CBC -v2 des3 + check_exit_status $? + + start_message "pkcs8 ... convert pkcs8 to key in DER format" + $openssl_bin pkcs8 -in $user1_key.p8 -passin pass:$user1_pass \ + -outform DER -out $user1_key.p8.der + check_exit_status $? + + start_message "pkcs12 ... create" + $openssl_bin pkcs12 -export -in $server_cert -inkey $server_key \ + -passin pass:$server_pass -certfile $ca_cert -CAfile $ca_cert \ + -caname "server_p12" -passout pass:$pkcs_pass \ + -certpbe AES-256-CBC -keypbe AES-256-CBC -chain \ + -out $server_cert.p12 + check_exit_status $? + + start_message "pkcs12 ... verify" + $openssl_bin pkcs12 -in $server_cert.p12 -passin pass:$pkcs_pass -info \ + -noout + check_exit_status $? + + start_message "pkcs12 ... to PEM" + $openssl_bin pkcs12 -in $server_cert.p12 -passin pass:$pkcs_pass \ + -passout pass:$pkcs_pass -out $server_cert.p12.pem + check_exit_status $? } -#---------#---------#---------#---------#---------#---------#---------#--------- function test_server_client { -# --- client/server operations (TLS) --- -section_message "client/server operations (TLS)" - -host="localhost" -port=4433 -sess_dat=$user1_dir/s_client_sess.dat -s_server_out=$server_dir/s_server_tls.out - -start_message "s_server ... start SSL/TLS test server" -$openssl_bin s_server -accept $port -CAfile $ca_cert \ - -cert $server_cert -key $server_key -pass pass:$server_pass \ - -context "appstest.sh" -id_prefix "APPSTEST.SH" -crl_check \ - -nextprotoneg "http/1.1,spdy/3" -alpn "http/1.1,spdy/3" -www \ - -cipher ALL \ - -msg -tlsextdebug > $s_server_out 2>&1 & -check_exit_status $? -s_server_pid=$! -echo "s_server pid = [ $s_server_pid ]" -sleep 1 - -# protocol = TLSv1 - -s_client_out=$user1_dir/s_client_tls_1_0.out - -start_message "s_client ... 
connect to SSL/TLS test server by TLSv1" -$openssl_bin s_client -connect $host:$port -CAfile $ca_cert -pause -prexit \ - -tls1 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 -check_exit_status $? - -grep 'Protocol : TLSv1$' $s_client_out > /dev/null -check_exit_status $? - -grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null -check_exit_status $? - -# protocol = TLSv1.1 - -s_client_out=$user1_dir/s_client_tls_1_1.out - -start_message "s_client ... connect to SSL/TLS test server by TLSv1.1" -$openssl_bin s_client -connect $host:$port -CAfile $ca_cert -pause -prexit \ - -tls1_1 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 -check_exit_status $? - -grep 'Protocol : TLSv1\.1$' $s_client_out > /dev/null -check_exit_status $? - -grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null -check_exit_status $? - -# protocol = TLSv1.2 - -s_client_out=$user1_dir/s_client_tls_1_2.out - -start_message "s_client ... connect to SSL/TLS test server by TLSv1.2" -$openssl_bin s_client -connect $host:$port -CAfile $ca_cert -pause -prexit \ - -tls1_2 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 -check_exit_status $? - -grep 'Protocol : TLSv1\.2$' $s_client_out > /dev/null -check_exit_status $? - -grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null -check_exit_status $? - -# all available ciphers with random order - -ciphers=`$openssl_bin ciphers -v ALL:!ECDSA:!kGOST | awk '{print $1}' | sort -R` -cnum=0 -for c in $ciphers ; do - cnum=`expr $cnum + 1` - cnstr=`printf %03d $cnum` - s_client_out=$user1_dir/s_client_tls_${cnstr}_${c}.out - - start_message "s_client ... connect to SSL/TLS test server with [ $cnstr ] $c" - $openssl_bin s_client -connect $host:$port -CAfile $ca_cert -pause -prexit \ - -cipher $c -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 - check_exit_status $? - - grep "Cipher : $c" $s_client_out > /dev/null - check_exit_status $? - - grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null - check_exit_status $? 
-done - -# Get session ticket to reuse - -s_client_out=$user1_dir/s_client_tls_reuse_1.out - -start_message "s_client ... connect to SSL/TLS test server to get session id" -$openssl_bin s_client -connect $host:$port -CAfile $ca_cert -pause -prexit \ - -nextprotoneg "spdy/3,http/1.1" -alpn "spdy/3,http/1.1" \ - -sess_out $sess_dat \ - -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 -check_exit_status $? - -grep 'New, TLSv1/SSLv3' $s_client_out > /dev/null -check_exit_status $? - -grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null -check_exit_status $? - -# Reuse session ticket - -s_client_out=$user1_dir/s_client_tls_reuse_2.out - -start_message "s_client ... connect to SSL/TLS test server reusing session id" -$openssl_bin s_client -connect $host:$port -CAfile $ca_cert -pause -prexit \ - -sess_in $sess_dat \ - -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 -check_exit_status $? - -grep 'Reused, TLSv1/SSLv3' $s_client_out > /dev/null -check_exit_status $? - -grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null -check_exit_status $? - -# invalid verification pattern - -s_client_out=$user1_dir/s_client_tls_invalid.out - -start_message "s_client ... connect to SSL/TLS test server but verify error" -$openssl_bin s_client -connect $host:$port -CAfile $ca_cert -pause -prexit \ - -showcerts -crl_check -issuer_checks -policy_check \ - -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 -check_exit_status $? - -grep 'Verify return code: 24 (invalid CA certificate)' $s_client_out > /dev/null -check_exit_status $? - -# s_time -start_message "s_time ... connect to SSL/TLS test server" -$openssl_bin s_time -connect $host:$port -CAfile $ca_cert -time 2 -check_exit_status $? - -# sess_id -start_message "sess_id" -$openssl_bin sess_id -in $sess_dat -text -out $sess_dat.out -check_exit_status $? 
- -stop_s_server + # --- client/server operations (TLS) --- + section_message "client/server operations (TLS)" + + host="localhost" + port=4433 + sess_dat=$user1_dir/s_client_sess.dat + s_server_out=$server_dir/s_server_tls.out + + start_message "s_server ... start SSL/TLS test server" + $openssl_bin s_server -accept $port -CAfile $ca_cert \ + -cert $server_cert -key $server_key -pass pass:$server_pass \ + -context "appstest.sh" -id_prefix "APPSTEST.SH" -crl_check \ + -nextprotoneg "http/1.1,spdy/3" -alpn "http/1.1,spdy/3" -www \ + -cipher ALL \ + -msg -tlsextdebug > $s_server_out 2>&1 & + check_exit_status $? + s_server_pid=$! + echo "s_server pid = [ $s_server_pid ]" + sleep 1 + + # protocol = TLSv1 + + s_client_out=$user1_dir/s_client_tls_1_0.out + + start_message "s_client ... connect to SSL/TLS test server by TLSv1" + $openssl_bin s_client -connect $host:$port -CAfile $ca_cert \ + -pause -prexit \ + -tls1 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 + check_exit_status $? + + grep 'Protocol : TLSv1$' $s_client_out > /dev/null + check_exit_status $? + + grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null + check_exit_status $? + + # protocol = TLSv1.1 + + s_client_out=$user1_dir/s_client_tls_1_1.out + + start_message "s_client ... connect to SSL/TLS test server by TLSv1.1" + $openssl_bin s_client -connect $host:$port -CAfile $ca_cert \ + -pause -prexit \ + -tls1_1 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 + check_exit_status $? + + grep 'Protocol : TLSv1\.1$' $s_client_out > /dev/null + check_exit_status $? + + grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null + check_exit_status $? + + # protocol = TLSv1.2 + + s_client_out=$user1_dir/s_client_tls_1_2.out + + start_message "s_client ... connect to SSL/TLS test server by TLSv1.2" + $openssl_bin s_client -connect $host:$port -CAfile $ca_cert \ + -pause -prexit \ + -tls1_2 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 + check_exit_status $? 
+ + grep 'Protocol : TLSv1\.2$' $s_client_out > /dev/null + check_exit_status $? + + grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null + check_exit_status $? + + # all available ciphers with random order + + ciphers=`$openssl_bin ciphers -v ALL:!ECDSA:!kGOST | awk '{print $1}' | sort -R` + cnum=0 + for c in $ciphers ; do + cnum=`expr $cnum + 1` + cnstr=`printf %03d $cnum` + s_client_out=$user1_dir/s_client_tls_${cnstr}_${c}.out + + start_message "s_client ... connect to SSL/TLS test server with [ $cnstr ] $c" + $openssl_bin s_client -connect $host:$port -CAfile $ca_cert \ + -pause -prexit -cipher $c \ + -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 + check_exit_status $? + + grep "Cipher : $c" $s_client_out > /dev/null + check_exit_status $? + + grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null + check_exit_status $? + done + + # Get session ticket to reuse + + s_client_out=$user1_dir/s_client_tls_reuse_1.out + + start_message "s_client ... connect to SSL/TLS test server to get session id" + $openssl_bin s_client -connect $host:$port -CAfile $ca_cert \ + -pause -prexit \ + -nextprotoneg "spdy/3,http/1.1" -alpn "spdy/3,http/1.1" \ + -sess_out $sess_dat \ + -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 + check_exit_status $? + + grep 'New, TLSv1/SSLv3' $s_client_out > /dev/null + check_exit_status $? + + grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null + check_exit_status $? + + # Reuse session ticket + + s_client_out=$user1_dir/s_client_tls_reuse_2.out + + start_message "s_client ... connect to SSL/TLS test server reusing session id" + $openssl_bin s_client -connect $host:$port -CAfile $ca_cert \ + -pause -prexit -sess_in $sess_dat \ + -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 + check_exit_status $? + + grep 'Reused, TLSv1/SSLv3' $s_client_out > /dev/null + check_exit_status $? + + grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null + check_exit_status $? 
+
+ # invalid verification pattern
+
+ s_client_out=$user1_dir/s_client_tls_invalid.out
+
+ start_message "s_client ... connect to SSL/TLS test server but verify error"
+ $openssl_bin s_client -connect $host:$port -CAfile $ca_cert \
+ -pause -prexit \
+ -showcerts -crl_check -issuer_checks -policy_check \
+ -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
+ check_exit_status $?
+
+ grep 'Verify return code: 24 (invalid CA certificate)' $s_client_out \
+ > /dev/null
+ check_exit_status $?
+
+ # s_time
+ start_message "s_time ... connect to SSL/TLS test server"
+ $openssl_bin s_time -connect $host:$port -CAfile $ca_cert -time 2
+ check_exit_status $?
+
+ # sess_id
+ start_message "sess_id"
+ $openssl_bin sess_id -in $sess_dat -text -out $sess_dat.out
+ check_exit_status $?
+
+ stop_s_server
 }
-#---------#---------#---------#---------#---------#---------#---------#---------
 function test_speed {
-# === PERFORMANCE ===
-section_message "PERFORMANCE"
-
-if [ $no_long_tests = 0 ] ; then
- start_message "speed"
- $openssl_bin speed sha512 rsa2048 -multi 2 -elapsed
- check_exit_status $?
-else
- start_message "SKIPPNG speed (quick mode)"
-fi
+ # === PERFORMANCE ===
+ section_message "PERFORMANCE"
+
+ if [ $no_long_tests = 0 ] ; then
+ start_message "speed"
+ $openssl_bin speed sha512 rsa2048 -multi 2 -elapsed
+ check_exit_status $?
+ else
+ start_message "SKIPPNG speed (quick mode)"
+ fi
 }
-#---------#---------#---------#---------#---------#---------#---------#---------
 function test_version {
-# --- VERSION INFORMATION ---
-section_message "VERSION INFORMATION"
-
-start_message "version"
-$openssl_bin version -a
-check_exit_status $?
+ # --- VERSION INFORMATION ---
+ section_message "VERSION INFORMATION"
+
+ start_message "version"
+ $openssl_bin version -a
+ check_exit_status $?
 }
 #---------#---------#---------#---------#---------#---------#---------#---------
@@ -1076,13 +1107,13 @@ openssl_bin=${OPENSSL:-/usr/bin/openssl}
 no_long_tests=0
 while [ "$1" != "" ]; do
- case $1 in
- -q | --quick ) shift
- no_long_tests=1
- ;;
- * ) usage
- exit 1
- esac
+ case $1 in
+ -q | --quick ) shift
+ no_long_tests=1
+ ;;
+ * ) usage
+ exit 1
+ esac
 done
 #
@@ -1091,8 +1122,8 @@ done
 ssldir="appstest_dir"
 if [ -d $ssldir ] ; then
- echo "directory [ $ssldir ] exists, this script deletes this directory ..."
- /bin/rm -rf $ssldir
+ echo "directory [ $ssldir ] exists, this script deletes this directory ..."
+ /bin/rm -rf $ssldir
 fi
 mkdir -p $ssldir
@@ -1111,9 +1142,9 @@ touch $OPENSSL_CONF
 uname_s=`uname -s | grep 'MINGW'`
 if [ "$uname_s" = "" ] ; then
- mingw=0
+ mingw=0
 else
- mingw=1
+ mingw=1
 fi
 # |