Loading crypto/ts/Makefile 0 → 100644 +120 −0 Original line number Diff line number Diff line # # SSLeay/crypto/ts/Makefile # DIR= ts TOP= ../.. CC= cc INCLUDES= -I.. -I../../include CFLAG = -g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile AR= ar r PEX_LIBS= EX_LIBS= CFLAGS= $(INCLUDES) $(CFLAG) GENERAL= Makefile TEST= APPS= LIB=$(TOP)/libcrypto.a LIBSRC= ts_err.c ts_req_utils.c ts_req_print.c ts_resp_utils.c ts_resp_print.c \ ts_resp_sign.c ts_resp_verify.c ts_verify_ctx.c ts_lib.c ts_conf.c \ ts_asn1.c LIBOBJ= ts_err.o ts_req_utils.o ts_req_print.o ts_resp_utils.o ts_resp_print.o \ ts_resp_sign.o ts_resp_verify.o ts_verify_ctx.o ts_lib.o ts_conf.o \ ts_asn1.o SRC= $(LIBSRC) EXHEADER= ts.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) test: all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO links: @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff enc dec sign verify # DO NOT DELETE THIS LINE -- make depend depends on it. 
ts_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h ts_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h ts_lib.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h ts_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h ts_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h ts_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h ts_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h ts_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h ts_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h ts_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h ts_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h ts_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h ts_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ts_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ts_lib.o: ../../include/openssl/x509v3.h ../cryptlib.h ts.h ts_lib.c ts_resp_print.o: ../../e_os.h ../../include/openssl/asn1.h ts_resp_print.o: ../../include/openssl/bio.h ../../include/openssl/bn.h ts_resp_print.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h ts_resp_print.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h ts_resp_print.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h ts_resp_print.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h ts_resp_print.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h ts_resp_print.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h ts_resp_print.o: ../../include/openssl/obj_mac.h ts_resp_print.o: ../../include/openssl/objects.h ts_resp_print.o: ../../include/openssl/opensslconf.h ts_resp_print.o: ../../include/openssl/opensslv.h ts_resp_print.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h ts_resp_print.o: ../../include/openssl/rsa.h 
../../include/openssl/safestack.h ts_resp_print.o: ../../include/openssl/sha.h ../../include/openssl/stack.h ts_resp_print.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h ts_resp_print.o: ../../include/openssl/x509_vfy.h ts_resp_print.o: ../../include/openssl/x509v3.h ../cryptlib.h ts.h ts_resp_print.o: ts_resp_print.c test/CAtsa.cnf 0 → 100644 +172 −0 Original line number Diff line number Diff line # # This config is used by the Time Stamp Authority tests. # # This definition stops the following lines choking if HOME isn't # defined. HOME = . RANDFILE = $ENV::HOME/.rnd # Extra OBJECT IDENTIFIER info: oid_section = new_oids [ new_oids ] # Policies used by the TSA tests. tsa_policy1 = 1.2.3.4.1 tsa_policy2 = 1.2.3.4.5.6 tsa_policy3 = 1.2.3.4.5.7 #---------------------------------------------------------------------- [ ca ] default_ca = CA_default # The default ca section [ CA_default ] dir = ./demoCA certs = $dir/certs # Where the issued certs are kept database = $dir/index.txt # database index file. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file default_days = 365 # how long to certify for default_md = sha1 # which md to use. 
preserve = no # keep passed DN ordering policy = policy_match # For the CA policy [ policy_match ] countryName = supplied stateOrProvinceName = supplied organizationName = supplied organizationalUnitName = optional commonName = supplied emailAddress = optional #---------------------------------------------------------------------- [ req ] default_bits = 1024 default_md = sha1 distinguished_name = req_distinguished_name encrypt_rsa_key = no # attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert string_mask = nombstr [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = HU countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = localityName = Locality Name (eg, city) 0.organizationName = Organization Name (eg, company) 0.organizationName_default = commonName = Common Name (eg, YOUR name) commonName_max = 64 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name [ tsa_cert ] # TSA server cert is not a CA cert. basicConstraints=CA:FALSE # The following key usage flags are needed for TSA server certificates. keyUsage = nonRepudiation, digitalSignature extendedKeyUsage = critical,timeStamping # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always [ non_tsa_cert ] # This is not a CA cert and not a TSA cert, either (timeStamping usage missing) basicConstraints=CA:FALSE # The following key usage flags are needed for TSA server certificates. keyUsage = nonRepudiation, digitalSignature # timeStamping is not supported by this certificate # extendedKeyUsage = critical,timeStamping # PKIX recommendations harmless if included in all certificates. 
subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature [ v3_ca ] # Extensions for a typical CA subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always basicConstraints = critical,CA:true keyUsage = cRLSign, keyCertSign #---------------------------------------------------------------------- [ tsa ] default_tsa = tsa_config1 # the default TSA section [ tsa_config1 ] # These are used by the TSA reply generation only. dir = . # TSA root directory serial = $dir/tsa_serial # The current serial number (mandatory) signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate # (optional) certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply # (optional) signer_key = $dir/tsa_key1.pem # The TSA private key (optional) default_policy = tsa_policy1 # Policy if request did not specify it # (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) digests = md5, sha1 # Acceptable message digests (mandatory) accuracy = secs:1, millisecs:500, microsecs:100 # (optional) ordering = yes # Is ordering defined for timestamps? # (optional, default: no) tsa_name = yes # Must the TSA name be included in the reply? # (optional, default: no) ess_cert_id_chain = yes # Must the ESS cert id chain be included? # (optional, default: no) [ tsa_config2 ] # This configuration uses a certificate which doesn't have timeStamping usage. # These are used by the TSA reply generation only. dir = . 
# TSA root directory serial = $dir/tsa_serial # The current serial number (mandatory) signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate # (optional) certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply # (optional) signer_key = $dir/tsa_key2.pem # The TSA private key (optional) default_policy = tsa_policy1 # Policy if request did not specify it # (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) digests = md5, sha1 # Acceptable message digests (mandatory) test/testtsa 0 → 100644 +234 −0 Original line number Diff line number Diff line #!/bin/sh # # A few very basic tests for the 'ts' time stamping authority command. # SH="/bin/sh" PATH=../../apps:$PATH export SH PATH OPENSSL_CONF="../CAtsa.cnf" export OPENSSL_CONF error () { echo "ERROR DURING TSA TESTS!!!!!!!!!!!!!!!!" >&2 exit 1 } setup_dir () { rm -rf tsa 2>/dev/null mkdir tsa cd ./tsa } clean_up_dir () { cd .. rm -rf tsa } create_ca () { echo "Creating a new CA for the TSA tests..." /bin/rm -fr demoCA $SH ../../apps/CA.sh -newca <<EOF HU Budapest Budapest Gov-CA Ltd. ca1 EOF test $? != 0 && error } create_tsa_cert () { INDEX=$1 EXT=$2 openssl req -new -out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem <<EOF HU Budapest Buda Hun-TSA Ltd. tsa${INDEX} EOF test $? != 0 && error openssl ca -in tsa_req${INDEX}.pem -out tsa_cert${INDEX}.pem \ -extensions $EXT <<EOF y y EOF test $? != 0 && error } print_request () { openssl ts -query -in $1 -text } create_time_stamp_request1 () { openssl ts -query -data ../testtsa -policy tsa_policy1 -cert -out req1.tsq test $? != 0 && error } create_time_stamp_request2 () { openssl ts -query -data ../testtsa -policy tsa_policy2 -no_nonce \ -out req2.tsq test $? != 0 && error } create_time_stamp_request3 () { openssl ts -query -data ../CAtsa.cnf -no_nonce -out req3.tsq test $? != 0 && error } print_response () { openssl ts -reply -in $1 -text test $? 
!= 0 && error } create_time_stamp_response () { openssl ts -reply -section $3 -queryfile $1 -out $2 test $? != 0 && error } time_stamp_response_token_test () { RESPONSE2=$2.copy.tsr TOKEN_DER=$2.token.der openssl ts -reply -in $2 -out $TOKEN_DER -token_out test $? != 0 && error openssl ts -reply -in $TOKEN_DER -token_in -out $RESPONSE2 test $? != 0 && error cmp $RESPONSE2 $2 test $? != 0 && error openssl ts -reply -in $2 -text -token_out test $? != 0 && error openssl ts -reply -in $TOKEN_DER -token_in -text -token_out test $? != 0 && error openssl ts -reply -queryfile $1 -text -token_out test $? != 0 && error } verify_time_stamp_response () { openssl ts -verify -queryfile $1 -in $2 -CAfile demoCA/cacert.pem \ -untrusted tsa_cert1.pem test $? != 0 && error openssl ts -verify -data $3 -in $2 -CAfile demoCA/cacert.pem \ -untrusted tsa_cert1.pem test $? != 0 && error } verify_time_stamp_token () { # create the token from the response first openssl ts -reply -in $2 -out $2.token -token_out test $? != 0 && error openssl ts -verify -queryfile $1 -in $2.token -token_in \ -CAfile demoCA/cacert.pem -untrusted tsa_cert1.pem test $? != 0 && error openssl ts -verify -data $3 -in $2.token -token_in \ -CAfile demoCA/cacert.pem -untrusted tsa_cert1.pem test $? != 0 && error } verify_time_stamp_response_fail () { openssl ts -verify -queryfile $1 -in $2 -CAfile demoCA/cacert.pem \ -untrusted tsa_cert1.pem # Checks if the verification failed, as it should have. test $? == 0 && error } # main functions echo "Setting up TSA test directory..." setup_dir echo "Creating CA for TSA tests..." create_ca echo "Creating tsa_cert1.pem TSA server cert..." create_tsa_cert 1 tsa_cert echo "Creating tsa_cert2.pem non-TSA server cert..." create_tsa_cert 2 non_tsa_cert echo "Creating req1.req time stamp request for file testtsa..." create_time_stamp_request1 echo "Printing req1.req..." print_request req1.tsq echo "Generating valid response for req1.req..." 
create_time_stamp_response req1.tsq resp1.tsr tsa_config1 echo "Printing response..." print_response resp1.tsr echo "Verifying valid response..." verify_time_stamp_response req1.tsq resp1.tsr ../testtsa echo "Verifying valid token..." verify_time_stamp_token req1.tsq resp1.tsr ../testtsa # The tests below are commented out, because invalid signer certificates # can no longer be specified in the config file. # echo "Generating _invalid_ response for req1.req..." # create_time_stamp_response req1.tsq resp1_bad.tsr tsa_config2 # echo "Printing response..." # print_response resp1_bad.tsr # echo "Verifying invalid response, it should fail..." # verify_time_stamp_response_fail req1.tsq resp1_bad.tsr echo "Creating req2.req time stamp request for file testtsa..." create_time_stamp_request2 echo "Printing req2.req..." print_request req2.tsq echo "Generating valid response for req2.req..." create_time_stamp_response req2.tsq resp2.tsr tsa_config1 echo "Checking '-token_in' and '-token_out' options with '-reply'..." time_stamp_response_token_test req2.tsq resp2.tsr echo "Printing response..." print_response resp2.tsr echo "Verifying valid response..." verify_time_stamp_response req2.tsq resp2.tsr ../testtsa echo "Verifying response against wrong request, it should fail..." verify_time_stamp_response_fail req1.tsq resp2.tsr echo "Verifying response against wrong request, it should fail..." verify_time_stamp_response_fail req2.tsq resp1.tsr echo "Creating req3.req time stamp request for file CAtsa.cnf..." create_time_stamp_request3 echo "Printing req3.req..." print_request req3.tsq echo "Verifying response against wrong request, it should fail..." verify_time_stamp_response_fail req3.tsq resp1.tsr echo "Cleaning up..." clean_up_dir exit 0 Loading
crypto/ts/Makefile 0 → 100644 +120 −0 Original line number Diff line number Diff line # # SSLeay/crypto/ts/Makefile # DIR= ts TOP= ../.. CC= cc INCLUDES= -I.. -I../../include CFLAG = -g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile AR= ar r PEX_LIBS= EX_LIBS= CFLAGS= $(INCLUDES) $(CFLAG) GENERAL= Makefile TEST= APPS= LIB=$(TOP)/libcrypto.a LIBSRC= ts_err.c ts_req_utils.c ts_req_print.c ts_resp_utils.c ts_resp_print.c \ ts_resp_sign.c ts_resp_verify.c ts_verify_ctx.c ts_lib.c ts_conf.c \ ts_asn1.c LIBOBJ= ts_err.o ts_req_utils.o ts_req_print.o ts_resp_utils.o ts_resp_print.o \ ts_resp_sign.o ts_resp_verify.o ts_verify_ctx.o ts_lib.o ts_conf.o \ ts_asn1.o SRC= $(LIBSRC) EXHEADER= ts.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) test: all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO links: @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff enc dec sign verify # DO NOT DELETE THIS LINE -- make depend depends on it. 
ts_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h ts_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h ts_lib.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h ts_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h ts_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h ts_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h ts_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h ts_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h ts_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h ts_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h ts_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h ts_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h ts_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ts_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ts_lib.o: ../../include/openssl/x509v3.h ../cryptlib.h ts.h ts_lib.c ts_resp_print.o: ../../e_os.h ../../include/openssl/asn1.h ts_resp_print.o: ../../include/openssl/bio.h ../../include/openssl/bn.h ts_resp_print.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h ts_resp_print.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h ts_resp_print.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h ts_resp_print.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h ts_resp_print.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h ts_resp_print.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h ts_resp_print.o: ../../include/openssl/obj_mac.h ts_resp_print.o: ../../include/openssl/objects.h ts_resp_print.o: ../../include/openssl/opensslconf.h ts_resp_print.o: ../../include/openssl/opensslv.h ts_resp_print.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h ts_resp_print.o: ../../include/openssl/rsa.h 
../../include/openssl/safestack.h ts_resp_print.o: ../../include/openssl/sha.h ../../include/openssl/stack.h ts_resp_print.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h ts_resp_print.o: ../../include/openssl/x509_vfy.h ts_resp_print.o: ../../include/openssl/x509v3.h ../cryptlib.h ts.h ts_resp_print.o: ts_resp_print.c
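Review bot: Below the `# DO NOT DELETE THIS LINE` marker only `ts_lib.o` and `ts_resp_print.o` have dependency entries, while `LIBOBJ` names eleven objects. As shown, a change to `ts.h` or to any OpenSSL header will not rebuild `ts_resp_verify.o`, `ts_resp_sign.o`, `ts_asn1.o` and the rest, so stale objects can be archived into `$(LIB)`. Regenerate the tail with the file's own `depend` target before committing, so that every object in `LIBOBJ` gets its header list. Separately, the `clean` recipe removes `enc dec sign verify`, which nothing in this directory appears to build. Those names look carried over from another Makefile and could be dropped.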
test/CAtsa.cnf 0 → 100644 +172 −0 Original line number Diff line number Diff line # # This config is used by the Time Stamp Authority tests. # # This definition stops the following lines choking if HOME isn't # defined. HOME = . RANDFILE = $ENV::HOME/.rnd # Extra OBJECT IDENTIFIER info: oid_section = new_oids [ new_oids ] # Policies used by the TSA tests. tsa_policy1 = 1.2.3.4.1 tsa_policy2 = 1.2.3.4.5.6 tsa_policy3 = 1.2.3.4.5.7 #---------------------------------------------------------------------- [ ca ] default_ca = CA_default # The default ca section [ CA_default ] dir = ./demoCA certs = $dir/certs # Where the issued certs are kept database = $dir/index.txt # database index file. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file default_days = 365 # how long to certify for default_md = sha1 # which md to use. 
preserve = no # keep passed DN ordering policy = policy_match # For the CA policy [ policy_match ] countryName = supplied stateOrProvinceName = supplied organizationName = supplied organizationalUnitName = optional commonName = supplied emailAddress = optional #---------------------------------------------------------------------- [ req ] default_bits = 1024 default_md = sha1 distinguished_name = req_distinguished_name encrypt_rsa_key = no # attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert string_mask = nombstr [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = HU countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = localityName = Locality Name (eg, city) 0.organizationName = Organization Name (eg, company) 0.organizationName_default = commonName = Common Name (eg, YOUR name) commonName_max = 64 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name [ tsa_cert ] # TSA server cert is not a CA cert. basicConstraints=CA:FALSE # The following key usage flags are needed for TSA server certificates. keyUsage = nonRepudiation, digitalSignature extendedKeyUsage = critical,timeStamping # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always [ non_tsa_cert ] # This is not a CA cert and not a TSA cert, either (timeStamping usage missing) basicConstraints=CA:FALSE # The following key usage flags are needed for TSA server certificates. keyUsage = nonRepudiation, digitalSignature # timeStamping is not supported by this certificate # extendedKeyUsage = critical,timeStamping # PKIX recommendations harmless if included in all certificates. 
subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature [ v3_ca ] # Extensions for a typical CA subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always basicConstraints = critical,CA:true keyUsage = cRLSign, keyCertSign #---------------------------------------------------------------------- [ tsa ] default_tsa = tsa_config1 # the default TSA section [ tsa_config1 ] # These are used by the TSA reply generation only. dir = . # TSA root directory serial = $dir/tsa_serial # The current serial number (mandatory) signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate # (optional) certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply # (optional) signer_key = $dir/tsa_key1.pem # The TSA private key (optional) default_policy = tsa_policy1 # Policy if request did not specify it # (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) digests = md5, sha1 # Acceptable message digests (mandatory) accuracy = secs:1, millisecs:500, microsecs:100 # (optional) ordering = yes # Is ordering defined for timestamps? # (optional, default: no) tsa_name = yes # Must the TSA name be included in the reply? # (optional, default: no) ess_cert_id_chain = yes # Must the ESS cert id chain be included? # (optional, default: no) [ tsa_config2 ] # This configuration uses a certificate which doesn't have timeStamping usage. # These are used by the TSA reply generation only. dir = . 
# TSA root directory serial = $dir/tsa_serial # The current serial number (mandatory) signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate # (optional) certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply # (optional) signer_key = $dir/tsa_key2.pem # The TSA private key (optional) default_policy = tsa_policy1 # Policy if request did not specify it # (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) digests = md5, sha1 # Acceptable message digests (mandatory)
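Review bot: The `digests = md5, sha1` line in `[ tsa_config1 ]` and `[ tsa_config2 ]` makes the test TSA accept MD5 message imprints, and `[ req ]` sets `default_bits = 1024`, `default_md = sha1` and `encrypt_rsa_key = no`. The file header says the config is for the TSA tests, but the weak values are not marked where they appear, and sample configs like this tend to be copied as templates. I would add a comment next to them, for example `# Test-only: weak digests, short keys and unencrypted private keys; do not reuse for a real TSA.` Also, in `[ non_tsa_cert ]` the comment `# The following key usage flags are needed for TSA server certificates.` is copied from `[ tsa_cert ]` and contradicts the section's purpose, so it should be reworded.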
test/testtsa 0 → 100644 +234 −0 Original line number Diff line number Diff line #!/bin/sh # # A few very basic tests for the 'ts' time stamping authority command. # SH="/bin/sh" PATH=../../apps:$PATH export SH PATH OPENSSL_CONF="../CAtsa.cnf" export OPENSSL_CONF error () { echo "ERROR DURING TSA TESTS!!!!!!!!!!!!!!!!" >&2 exit 1 } setup_dir () { rm -rf tsa 2>/dev/null mkdir tsa cd ./tsa } clean_up_dir () { cd .. rm -rf tsa } create_ca () { echo "Creating a new CA for the TSA tests..." /bin/rm -fr demoCA $SH ../../apps/CA.sh -newca <<EOF HU Budapest Budapest Gov-CA Ltd. ca1 EOF test $? != 0 && error } create_tsa_cert () { INDEX=$1 EXT=$2 openssl req -new -out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem <<EOF HU Budapest Buda Hun-TSA Ltd. tsa${INDEX} EOF test $? != 0 && error openssl ca -in tsa_req${INDEX}.pem -out tsa_cert${INDEX}.pem \ -extensions $EXT <<EOF y y EOF test $? != 0 && error } print_request () { openssl ts -query -in $1 -text } create_time_stamp_request1 () { openssl ts -query -data ../testtsa -policy tsa_policy1 -cert -out req1.tsq test $? != 0 && error } create_time_stamp_request2 () { openssl ts -query -data ../testtsa -policy tsa_policy2 -no_nonce \ -out req2.tsq test $? != 0 && error } create_time_stamp_request3 () { openssl ts -query -data ../CAtsa.cnf -no_nonce -out req3.tsq test $? != 0 && error } print_response () { openssl ts -reply -in $1 -text test $? != 0 && error } create_time_stamp_response () { openssl ts -reply -section $3 -queryfile $1 -out $2 test $? != 0 && error } time_stamp_response_token_test () { RESPONSE2=$2.copy.tsr TOKEN_DER=$2.token.der openssl ts -reply -in $2 -out $TOKEN_DER -token_out test $? != 0 && error openssl ts -reply -in $TOKEN_DER -token_in -out $RESPONSE2 test $? != 0 && error cmp $RESPONSE2 $2 test $? != 0 && error openssl ts -reply -in $2 -text -token_out test $? != 0 && error openssl ts -reply -in $TOKEN_DER -token_in -text -token_out test $? 
!= 0 && error openssl ts -reply -queryfile $1 -text -token_out test $? != 0 && error } verify_time_stamp_response () { openssl ts -verify -queryfile $1 -in $2 -CAfile demoCA/cacert.pem \ -untrusted tsa_cert1.pem test $? != 0 && error openssl ts -verify -data $3 -in $2 -CAfile demoCA/cacert.pem \ -untrusted tsa_cert1.pem test $? != 0 && error } verify_time_stamp_token () { # create the token from the response first openssl ts -reply -in $2 -out $2.token -token_out test $? != 0 && error openssl ts -verify -queryfile $1 -in $2.token -token_in \ -CAfile demoCA/cacert.pem -untrusted tsa_cert1.pem test $? != 0 && error openssl ts -verify -data $3 -in $2.token -token_in \ -CAfile demoCA/cacert.pem -untrusted tsa_cert1.pem test $? != 0 && error } verify_time_stamp_response_fail () { openssl ts -verify -queryfile $1 -in $2 -CAfile demoCA/cacert.pem \ -untrusted tsa_cert1.pem # Checks if the verification failed, as it should have. test $? == 0 && error } # main functions echo "Setting up TSA test directory..." setup_dir echo "Creating CA for TSA tests..." create_ca echo "Creating tsa_cert1.pem TSA server cert..." create_tsa_cert 1 tsa_cert echo "Creating tsa_cert2.pem non-TSA server cert..." create_tsa_cert 2 non_tsa_cert echo "Creating req1.req time stamp request for file testtsa..." create_time_stamp_request1 echo "Printing req1.req..." print_request req1.tsq echo "Generating valid response for req1.req..." create_time_stamp_response req1.tsq resp1.tsr tsa_config1 echo "Printing response..." print_response resp1.tsr echo "Verifying valid response..." verify_time_stamp_response req1.tsq resp1.tsr ../testtsa echo "Verifying valid token..." verify_time_stamp_token req1.tsq resp1.tsr ../testtsa # The tests below are commented out, because invalid signer certificates # can no longer be specified in the config file. # echo "Generating _invalid_ response for req1.req..." # create_time_stamp_response req1.tsq resp1_bad.tsr tsa_config2 # echo "Printing response..." 
# print_response resp1_bad.tsr # echo "Verifying invalid response, it should fail..." # verify_time_stamp_response_fail req1.tsq resp1_bad.tsr echo "Creating req2.req time stamp request for file testtsa..." create_time_stamp_request2 echo "Printing req2.req..." print_request req2.tsq echo "Generating valid response for req2.req..." create_time_stamp_response req2.tsq resp2.tsr tsa_config1 echo "Checking '-token_in' and '-token_out' options with '-reply'..." time_stamp_response_token_test req2.tsq resp2.tsr echo "Printing response..." print_response resp2.tsr echo "Verifying valid response..." verify_time_stamp_response req2.tsq resp2.tsr ../testtsa echo "Verifying response against wrong request, it should fail..." verify_time_stamp_response_fail req1.tsq resp2.tsr echo "Verifying response against wrong request, it should fail..." verify_time_stamp_response_fail req2.tsq resp1.tsr echo "Creating req3.req time stamp request for file CAtsa.cnf..." create_time_stamp_request3 echo "Printing req3.req..." print_request req3.tsq echo "Verifying response against wrong request, it should fail..." verify_time_stamp_response_fail req3.tsq resp1.tsr echo "Cleaning up..." clean_up_dir exit 0
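Review bot: In `verify_time_stamp_response_fail` the check `test $? == 0 && error` uses `==`, which POSIX `test` does not define, and the script runs under `#!/bin/sh`. On a shell whose `test` rejects `==`, the `test` command itself exits non-zero, so `error` is never called and the three "should fail" verifications pass even if `openssl ts -verify` wrongly accepted the response. Use `test $? = 0 && error` (or `-eq`) so the negative cases fail closed. Separately, `setup_dir` does not check `mkdir tsa` or `cd ./tsa`, so a failure there lets `create_ca` run `/bin/rm -fr demoCA` in the caller's directory. `mkdir tsa && cd ./tsa || error` would stop that, provided `error ()` is defined before the call, as it is here.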