1 files changed, 207 insertions, 0 deletions
diff --git a/openssl-1.1.0h/test/recipes/80-test_tsa.t b/openssl-1.1.0h/test/recipes/80-test_tsa.t
new file mode 100644
index 0000000..3ba14d4
--- /dev/null
+++ b/openssl-1.1.0h/test/recipes/80-test_tsa.t
@@ -0,0 +1,207 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use POSIX;
+use File::Spec::Functions qw/splitdir curdir catfile/;
+use File::Compare;
+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
+use OpenSSL::Test::Utils;
+
+setup("test_tsa");
+
+plan skip_all => "TS is not supported by this OpenSSL build"
+    if disabled("ts");
+
+# All these are modified inside indir further down. They need to exist
+# here, however, to be available in all subroutines.
+my $openssl_conf;
+my $testtsa;
+my $CAtsa;
+my @RUN;
+
+sub create_tsa_cert {
+    my $INDEX = shift;
+    my $EXT = shift;
+    my $r = 1;
+    $ENV{TSDNSECT} = "ts_cert_dn";
+
+    ok(run(app(["openssl", "req", "-config", $openssl_conf, "-new",
+                "-out", "tsa_req${INDEX}.pem",
+                "-keyout", "tsa_key${INDEX}.pem"])));
+    note "using extension $EXT";
+    ok(run(app(["openssl", "x509", "-req",
+                "-in", "tsa_req${INDEX}.pem",
+                "-out", "tsa_cert${INDEX}.pem",
+                "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem",
+                "-CAcreateserial",
+                "-extfile", $openssl_conf, "-extensions", $EXT])));
+}
+
+sub create_time_stamp_response {
+    my $queryfile = shift;
+    my $outputfile = shift;
+    my $datafile = shift;
+
+    ok(run(app([@RUN, "-reply", "-section", "$datafile",
+                "-queryfile", "$queryfile", "-out", "$outputfile"])));
+}
+
+sub verify_time_stamp_response {
+    my $queryfile = shift;
+    my $inputfile = shift;
+    my $datafile = shift;
+
+    ok(run(app([@RUN, "-verify", "-queryfile", "$queryfile",
+                "-in", "$inputfile", "-CAfile", "tsaca.pem",
+                "-untrusted", "tsa_cert1.pem"])));
+    ok(run(app([@RUN, "-verify", "-data", "$datafile",
+                "-in", "$inputfile", "-CAfile", "tsaca.pem",
+                "-untrusted", "tsa_cert1.pem"])));
+}
+
+sub verify_time_stamp_response_fail {
+    my $queryfile = shift;
+    my $inputfile = shift;
+
+    ok(!run(app([@RUN, "-verify", "-queryfile", "$queryfile",
+                 "-in", "$inputfile", "-CAfile", "tsaca.pem",
+                 "-untrusted", "tsa_cert1.pem"])));
+}
+
+# main functions
+
+plan tests => 20;
+
+note "setting up TSA test directory";
+indir "tsa" => sub
+{
+    $openssl_conf = srctop_file("test", "CAtsa.cnf");
+    $testtsa = srctop_file("test", "recipes", "80-test_tsa.t");
+    $CAtsa = srctop_file("test", "CAtsa.cnf");
+    @RUN = ("openssl", "ts", "-config", $openssl_conf);
+
+    # ../apps/CA.pl needs these
+    $ENV{OPENSSL_CONFIG} = "-config $openssl_conf";
+    $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
+
+ SKIP: {
+     $ENV{TSDNSECT} = "ts_ca_dn";
+     skip "failed", 19
+         unless ok(run(app(["openssl", "req", "-config", $openssl_conf,
+                            "-new", "-x509", "-nodes",
+                            "-out", "tsaca.pem", "-keyout", "tsacakey.pem"])),
+                   'creating a new CA for the TSA tests');
+
+     skip "failed", 18
+         unless subtest 'creating tsa_cert1.pem TSA server cert' => sub {
+             create_tsa_cert("1", "tsa_cert")
+     };
+
+     skip "failed", 17
+         unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub {
+             create_tsa_cert("2", "non_tsa_cert")
+     };
+
+     skip "failed", 16
+         unless ok(run(app([@RUN, "-query", "-data", $testtsa,
+                            "-tspolicy", "tsa_policy1", "-cert",
+                            "-out", "req1.tsq"])),
+                   'creating req1.req time stamp request for file testtsa');
+
+     ok(run(app([@RUN, "-query", "-in", "req1.tsq", "-text"])),
+        'printing req1.req');
+
+     subtest 'generating valid response for req1.req' => sub {
+         create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1")
+     };
+
+     ok(run(app([@RUN, "-reply", "-in", "resp1.tsr", "-text"])),
+        'printing response');
+
+     subtest 'verifying valid response' => sub {
+         verify_time_stamp_response("req1.tsq", "resp1.tsr", $testtsa)
+     };
+
+     skip "failed", 11
+         unless subtest 'verifying valid token' => sub {
+             ok(run(app([@RUN, "-reply", "-in", "resp1.tsr",
+                         "-out", "resp1.tsr.token", "-token_out"])));
+             ok(run(app([@RUN, "-verify", "-queryfile", "req1.tsq",
+                         "-in", "resp1.tsr.token", "-token_in",
+                         "-CAfile", "tsaca.pem",
+                         "-untrusted", "tsa_cert1.pem"])));
+             ok(run(app([@RUN, "-verify", "-data", $testtsa,
+                         "-in", "resp1.tsr.token", "-token_in",
+                         "-CAfile", "tsaca.pem",
+                         "-untrusted", "tsa_cert1.pem"])));
+     };
+
+     skip "failed", 10
+         unless ok(run(app([@RUN, "-query", "-data", $testtsa,
+                            "-tspolicy", "tsa_policy2", "-no_nonce",
+                            "-out", "req2.tsq"])),
+                   'creating req2.req time stamp request for file testtsa');
+
+     ok(run(app([@RUN, "-query", "-in", "req2.tsq", "-text"])),
+        'printing req2.req');
+
+     skip "failed", 8
+         unless subtest 'generating valid response for req2.req' => sub {
+             create_time_stamp_response("req2.tsq", "resp2.tsr", "tsa_config1")
+     };
+
+     skip "failed", 7
+         unless subtest 'checking -token_in and -token_out options with -reply' => sub {
+             my $RESPONSE2="resp2.tsr.copy.tsr";
+             my $TOKEN_DER="resp2.tsr.token.der";
+
+             ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
+                         "-out", "$TOKEN_DER", "-token_out"])));
+             ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
+                         "-token_in", "-out", "$RESPONSE2"])));
+             is(compare($RESPONSE2, "resp2.tsr"), 0);
+             ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
+                         "-text", "-token_out"])));
+             ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
+                         "-token_in", "-text", "-token_out"])));
+             ok(run(app([@RUN, "-reply", "-queryfile", "req2.tsq",
+                         "-text", "-token_out"])));
+     };
+
+     ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", "-text"])),
+        'printing response');
+
+     subtest 'verifying valid response' => sub {
+         verify_time_stamp_response("req2.tsq", "resp2.tsr", $testtsa)
+     };
+
+     subtest 'verifying response against wrong request, it should fail' => sub {
+         verify_time_stamp_response_fail("req1.tsq", "resp2.tsr")
+     };
+
+     subtest 'verifying response against wrong request, it should fail' => sub {
+         verify_time_stamp_response_fail("req2.tsq", "resp1.tsr")
+     };
+
+     skip "failure", 2
+         unless ok(run(app([@RUN, "-query", "-data", $CAtsa,
+                            "-no_nonce", "-out", "req3.tsq"])),
+                   "creating req3.req time stamp request for file CAtsa.cnf");
+
+     ok(run(app([@RUN, "-query", "-in", "req3.tsq", "-text"])),
+        'printing req3.req');
+
+     subtest 'verifying response against wrong request, it should fail' => sub {
+         verify_time_stamp_response_fail("req3.tsq", "resp1.tsr")
+     };
+    }
+}, create => 1, cleanup => 1