VirtualBox

source: vbox/trunk/src/libs/openssl-3.1.5/test/recipes/80-test_ca.t@ 105770

Last change on this file since 105770 was 104078, checked in by vboxsync, 8 months ago

openssl-3.1.5: Applied and adjusted our OpenSSL changes to 3.1.4. bugref:10638
File size: 9.0 KB
Line 
1#! /usr/bin/env perl
2# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
3#
4# Licensed under the Apache License 2.0 (the "License"). You may not use
5# this file except in compliance with the License. You can obtain a copy
6# in the file LICENSE in the source distribution or at
7# https://www.openssl.org/source/license.html
8
9
10use strict;
11use warnings;
12
13use POSIX;
14use File::Path 2.00 qw/rmtree/;
15use OpenSSL::Test qw/:DEFAULT cmdstr data_file srctop_file/;
16use OpenSSL::Test::Utils;
17use Time::Local qw/timegm/;
18
19setup("test_ca");
20
21$ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
22
23my $cnf = srctop_file("test","ca-and-certs.cnf");
24my $std_openssl_cnf = '"'
25 . srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf")
26 . '"';
27
28rmtree("demoCA", { safe => 0 });
29
30plan tests => 15;
31 SKIP: {
32 my $cakey = srctop_file("test", "certs", "ca-key.pem");
33 $ENV{OPENSSL_CONFIG} = qq(-config "$cnf");
34 skip "failed creating CA structure", 4
35 if !ok(run(perlapp(["CA.pl","-newca",
36 "-extra-req", "-key $cakey"], stdin => undef)),
37 'creating CA structure');
38
39 my $eekey = srctop_file("test", "certs", "ee-key.pem");
40 $ENV{OPENSSL_CONFIG} = qq(-config "$cnf");
41 skip "failed creating new certificate request", 3
42 if !ok(run(perlapp(["CA.pl","-newreq",
43 '-extra-req', "-outform DER -section userreq -key $eekey"])),
44 'creating certificate request');
45 $ENV{OPENSSL_CONFIG} = qq(-rand_serial -inform DER -config "$std_openssl_cnf");
46 skip "failed to sign certificate request", 2
47 if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0,
48 'signing certificate request');
49
50 ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])),
51 'verifying new certificate');
52
53 skip "CT not configured, can't use -precert", 1
54 if disabled("ct");
55
56 my $eekey2 = srctop_file("test", "certs", "ee-key-3072.pem");
57 $ENV{OPENSSL_CONFIG} = qq(-config "$cnf");
58 ok(run(perlapp(["CA.pl", "-precert", '-extra-req', "-section userreq -key $eekey2"], stderr => undef)),
59 'creating new pre-certificate');
60}
61
62SKIP: {
63 skip "SM2 is not supported by this OpenSSL build", 1
64 if disabled("sm2");
65
66 is(yes(cmdstr(app(["openssl", "ca", "-config",
67 $cnf,
68 "-in", srctop_file("test", "certs", "sm2-csr.pem"),
69 "-out", "sm2-test.crt",
70 "-sigopt", "distid:1234567812345678",
71 "-vfyopt", "distid:1234567812345678",
72 "-md", "sm3",
73 "-cert", srctop_file("test", "certs", "sm2-root.crt"),
74 "-keyfile", srctop_file("test", "certs", "sm2-root.key")]))),
75 0,
76 "Signing SM2 certificate request");
77}
78
79test_revoke('notimes', {
80 should_succeed => 1,
81});
82test_revoke('lastupdate_invalid', {
83 lastupdate => '1234567890',
84 should_succeed => 0,
85});
86test_revoke('lastupdate_utctime', {
87 lastupdate => '200901123456Z',
88 should_succeed => 1,
89});
90test_revoke('lastupdate_generalizedtime', {
91 lastupdate => '20990901123456Z',
92 should_succeed => 1,
93});
94test_revoke('nextupdate_invalid', {
95 nextupdate => '1234567890',
96 should_succeed => 0,
97});
98test_revoke('nextupdate_utctime', {
99 nextupdate => '200901123456Z',
100 should_succeed => 1,
101});
102test_revoke('nextupdate_generalizedtime', {
103 nextupdate => '20990901123456Z',
104 should_succeed => 1,
105});
106test_revoke('both_utctime', {
107 lastupdate => '200901123456Z',
108 nextupdate => '200908123456Z',
109 should_succeed => 1,
110});
111test_revoke('both_generalizedtime', {
112 lastupdate => '20990901123456Z',
113 nextupdate => '20990908123456Z',
114 should_succeed => 1,
115});
116
117sub test_revoke {
118 my ($filename, $opts) = @_;
119
120 subtest "Revoke certificate and generate CRL: $filename" => sub {
121 # Before Perl 5.12.0, the range of times Perl could represent was
122 # limited by the size of time_t, so Time::Local was hamstrung by the
123 # Y2038 problem
124 # Perl 5.12.0 onwards use an internal time implementation with a
125 # guaranteed >32-bit time range on all architectures, so the tests
126 # involving post-2038 times won't fail provided we're running under
127 # that version or newer
128 plan skip_all =>
129 'Perl >= 5.12.0 required to run certificate revocation tests'
130 if $] < 5.012000;
131
132 $ENV{CN2} = $filename;
133 ok(
134 run(app(['openssl',
135 'req',
136 '-config', $cnf,
137 '-new',
138 '-key', data_file('revoked.key'),
139 '-out', "$filename-req.pem",
140 '-section', 'userreq',
141 ])),
142 'Generate CSR'
143 );
144 delete $ENV{CN2};
145
146 ok(
147 run(app(['openssl',
148 'ca',
149 '-batch',
150 '-config', $cnf,
151 '-in', "$filename-req.pem",
152 '-out', "$filename-cert.pem",
153 ])),
154 'Sign CSR'
155 );
156
157 ok(
158 run(app(['openssl',
159 'ca',
160 '-config', $cnf,
161 '-revoke', "$filename-cert.pem",
162 ])),
163 'Revoke certificate'
164 );
165
166 my @gencrl_opts;
167
168 if (exists $opts->{lastupdate}) {
169 push @gencrl_opts, '-crl_lastupdate', $opts->{lastupdate};
170 }
171
172 if (exists $opts->{nextupdate}) {
173 push @gencrl_opts, '-crl_nextupdate', $opts->{nextupdate};
174 }
175
176 is(
177 run(app(['openssl',
178 'ca',
179 '-config', $cnf,
180 '-gencrl',
181 '-out', "$filename-crl.pem",
182 '-crlsec', '60',
183 @gencrl_opts,
184 ])),
185 $opts->{should_succeed},
186 'Generate CRL'
187 );
188 my $crl_gentime = time;
189
190 # The following tests only need to run if the CRL was supposed to be
191 # generated:
192 return unless $opts->{should_succeed};
193
194 my $crl_lastupdate = crl_field("$filename-crl.pem", 'lastUpdate');
195 if (exists $opts->{lastupdate}) {
196 is(
197 $crl_lastupdate,
198 rfc5280_time($opts->{lastupdate}),
199 'CRL lastUpdate field has expected value'
200 );
201 } else {
202 diag("CRL lastUpdate: $crl_lastupdate");
203 diag("openssl run time: $crl_gentime");
204 ok(
205 # Is the CRL's lastUpdate time within a second of the time that
206 # `openssl ca -gencrl` was executed?
207 $crl_gentime - 1 <= $crl_lastupdate && $crl_lastupdate <= $crl_gentime + 1,
208 'CRL lastUpdate field has (roughly) expected value'
209 );
210 }
211
212 my $crl_nextupdate = crl_field("$filename-crl.pem", 'nextUpdate');
213 if (exists $opts->{nextupdate}) {
214 is(
215 $crl_nextupdate,
216 rfc5280_time($opts->{nextupdate}),
217 'CRL nextUpdate field has expected value'
218 );
219 } else {
220 diag("CRL nextUpdate: $crl_nextupdate");
221 diag("openssl run time: $crl_gentime");
222 ok(
223 # Is the CRL's lastUpdate time within a second of the time that
224 # `openssl ca -gencrl` was executed, taking into account the use
225 # of '-crlsec 60'?
226 $crl_gentime + 59 <= $crl_nextupdate && $crl_nextupdate <= $crl_gentime + 61,
227 'CRL nextUpdate field has (roughly) expected value'
228 );
229 }
230 };
231}
232
233sub yes {
234 my $cntr = 10;
235 open(PIPE, "|-", join(" ",@_));
236 local $SIG{PIPE} = "IGNORE";
237 1 while $cntr-- > 0 && print PIPE "y\n";
238 close PIPE;
239 return 0;
240}
241
242# Get the value of the lastUpdate or nextUpdate field from a CRL
243sub crl_field {
244 my ($crl_path, $field_name) = @_;
245
246 my @out = run(
247 app(['openssl',
248 'crl',
249 '-in', $crl_path,
250 '-noout',
251 '-' . lc($field_name),
252 ]),
253 capture => 1,
254 statusvar => \my $exit,
255 );
256 ok($exit, "CRL $field_name field retrieved");
257 diag("CRL $field_name: $out[0]");
258
259 $out[0] =~ s/^\Q$field_name\E=//;
260 $out[0] =~ s/\n?//;
261 my $time = human_time($out[0]);
262
263 return $time;
264}
265
266# Converts human-readable ASN1_TIME_print() output to Unix time
267sub human_time {
268 my ($human) = @_;
269
270 my ($mo, $d, $h, $m, $s, $y) = $human =~ /^([A-Za-z]{3})\s+(\d+) (\d{2}):(\d{2}):(\d{2}) (\d{4})/;
271
272 my %months = (
273 Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4, Jun => 5,
274 Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11,
275 );
276
277 return timegm($s, $m, $h, $d, $months{$mo}, $y);
278}
279
280# Converts an RFC 5280 timestamp to Unix time
281sub rfc5280_time {
282 my ($asn1) = @_;
283
284 my ($y, $mo, $d, $h, $m, $s) = $asn1 =~ /^(\d{2,4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$/;
285
286 return timegm($s, $m, $h, $d, $mo - 1, $y);
287}
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette