mirror of
https://github.com/openssl/openssl.git
synced 2025-01-06 13:26:43 +08:00
da1c088f59
Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes
303 lines
9.3 KiB
Perl
303 lines
9.3 KiB
Perl
#! /usr/bin/env perl
|
|
# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
# this file except in compliance with the License. You can obtain a copy
|
|
# in the file LICENSE in the source distribution or at
|
|
# https://www.openssl.org/source/license.html
|
|
|
|
|
|
use strict;
|
|
use warnings;
|
|
|
|
use POSIX;
|
|
use File::Path 2.00 qw/rmtree/;
|
|
use OpenSSL::Test qw/:DEFAULT cmdstr data_file srctop_file/;
|
|
use OpenSSL::Test::Utils;
|
|
use Time::Local qw/timegm/;
|
|
|
|
setup("test_ca");
|
|
|
|
$ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
|
|
|
|
my $cnf = srctop_file("test","ca-and-certs.cnf");
|
|
my $std_openssl_cnf = '"'
|
|
. srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf")
|
|
. '"';
|
|
|
|
sub src_file {
|
|
return srctop_file("test", "certs", shift);
|
|
}
|
|
|
|
rmtree("demoCA", { safe => 0 });
|
|
|
|
plan tests => 20;
|
|
|
|
require_ok(srctop_file("test", "recipes", "tconversion.pl"));
|
|
|
|
SKIP: {
|
|
my $cakey = src_file("ca-key.pem");
|
|
$ENV{OPENSSL_CONFIG} = qq(-config "$cnf");
|
|
skip "failed creating CA structure", 4
|
|
if !ok(run(perlapp(["CA.pl","-newca",
|
|
"-extra-req", "-key $cakey"], stdin => undef)),
|
|
'creating CA structure');
|
|
|
|
my $eekey = src_file("ee-key.pem");
|
|
$ENV{OPENSSL_CONFIG} = qq(-config "$cnf");
|
|
skip "failed creating new certificate request", 3
|
|
if !ok(run(perlapp(["CA.pl","-newreq",
|
|
'-extra-req', "-outform DER -section userreq -key $eekey"])),
|
|
'creating certificate request');
|
|
$ENV{OPENSSL_CONFIG} = qq(-rand_serial -inform DER -config "$std_openssl_cnf");
|
|
skip "failed to sign certificate request", 2
|
|
if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0,
|
|
'signing certificate request');
|
|
|
|
ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])),
|
|
'verifying new certificate');
|
|
|
|
skip "CT not configured, can't use -precert", 1
|
|
if disabled("ct");
|
|
|
|
my $eekey2 = src_file("ee-key-3072.pem");
|
|
$ENV{OPENSSL_CONFIG} = qq(-config "$cnf");
|
|
ok(run(perlapp(["CA.pl", "-precert", '-extra-req', "-section userreq -key $eekey2"], stderr => undef)),
|
|
'creating new pre-certificate');
|
|
}
|
|
|
|
SKIP: {
|
|
skip "SM2 is not supported by this OpenSSL build", 1
|
|
if disabled("sm2");
|
|
|
|
is(yes(cmdstr(app(["openssl", "ca", "-config",
|
|
$cnf,
|
|
"-in", src_file("sm2-csr.pem"),
|
|
"-out", "sm2-test.crt",
|
|
"-sigopt", "distid:1234567812345678",
|
|
"-vfyopt", "distid:1234567812345678",
|
|
"-md", "sm3",
|
|
"-cert", src_file("sm2-root.crt"),
|
|
"-keyfile", src_file("sm2-root.key")]))),
|
|
0,
|
|
"Signing SM2 certificate request");
|
|
}
|
|
|
|
my $v3_cert = "v3-test.crt";
|
|
ok(run(app(["openssl", "ca", "-batch", "-config", $cnf, "-extensions", "empty",
|
|
"-in", src_file("x509-check.csr"), "-out", $v3_cert])));
|
|
# although no explicit extensions given:
|
|
has_version($v3_cert, 3);
|
|
has_SKID($v3_cert, 1);
|
|
has_AKID($v3_cert, 1);
|
|
|
|
test_revoke('notimes', {
|
|
should_succeed => 1,
|
|
});
|
|
test_revoke('lastupdate_invalid', {
|
|
lastupdate => '1234567890',
|
|
should_succeed => 0,
|
|
});
|
|
test_revoke('lastupdate_utctime', {
|
|
lastupdate => '200901123456Z',
|
|
should_succeed => 1,
|
|
});
|
|
test_revoke('lastupdate_generalizedtime', {
|
|
lastupdate => '20990901123456Z',
|
|
should_succeed => 1,
|
|
});
|
|
test_revoke('nextupdate_invalid', {
|
|
nextupdate => '1234567890',
|
|
should_succeed => 0,
|
|
});
|
|
test_revoke('nextupdate_utctime', {
|
|
nextupdate => '200901123456Z',
|
|
should_succeed => 1,
|
|
});
|
|
test_revoke('nextupdate_generalizedtime', {
|
|
nextupdate => '20990901123456Z',
|
|
should_succeed => 1,
|
|
});
|
|
test_revoke('both_utctime', {
|
|
lastupdate => '200901123456Z',
|
|
nextupdate => '200908123456Z',
|
|
should_succeed => 1,
|
|
});
|
|
test_revoke('both_generalizedtime', {
|
|
lastupdate => '20990901123456Z',
|
|
nextupdate => '20990908123456Z',
|
|
should_succeed => 1,
|
|
});
|
|
|
|
sub test_revoke {
|
|
my ($filename, $opts) = @_;
|
|
|
|
subtest "Revoke certificate and generate CRL: $filename" => sub {
|
|
# Before Perl 5.12.0, the range of times Perl could represent was
|
|
# limited by the size of time_t, so Time::Local was hamstrung by the
|
|
# Y2038 problem
|
|
# Perl 5.12.0 onwards use an internal time implementation with a
|
|
# guaranteed >32-bit time range on all architectures, so the tests
|
|
# involving post-2038 times won't fail provided we're running under
|
|
# that version or newer
|
|
plan skip_all =>
|
|
'Perl >= 5.12.0 required to run certificate revocation tests'
|
|
if $] < 5.012000;
|
|
|
|
$ENV{CN2} = $filename;
|
|
ok(
|
|
run(app(['openssl',
|
|
'req',
|
|
'-config', $cnf,
|
|
'-new',
|
|
'-key', data_file('revoked.key'),
|
|
'-out', "$filename-req.pem",
|
|
'-section', 'userreq',
|
|
])),
|
|
'Generate CSR'
|
|
);
|
|
delete $ENV{CN2};
|
|
|
|
ok(
|
|
run(app(['openssl',
|
|
'ca',
|
|
'-batch',
|
|
'-config', $cnf,
|
|
'-in', "$filename-req.pem",
|
|
'-out', "$filename-cert.pem",
|
|
])),
|
|
'Sign CSR'
|
|
);
|
|
|
|
ok(
|
|
run(app(['openssl',
|
|
'ca',
|
|
'-config', $cnf,
|
|
'-revoke', "$filename-cert.pem",
|
|
])),
|
|
'Revoke certificate'
|
|
);
|
|
|
|
my @gencrl_opts;
|
|
|
|
if (exists $opts->{lastupdate}) {
|
|
push @gencrl_opts, '-crl_lastupdate', $opts->{lastupdate};
|
|
}
|
|
|
|
if (exists $opts->{nextupdate}) {
|
|
push @gencrl_opts, '-crl_nextupdate', $opts->{nextupdate};
|
|
}
|
|
|
|
is(
|
|
run(app(['openssl',
|
|
'ca',
|
|
'-config', $cnf,
|
|
'-gencrl',
|
|
'-out', "$filename-crl.pem",
|
|
'-crlsec', '60',
|
|
@gencrl_opts,
|
|
])),
|
|
$opts->{should_succeed},
|
|
'Generate CRL'
|
|
);
|
|
my $crl_gentime = time;
|
|
|
|
# The following tests only need to run if the CRL was supposed to be
|
|
# generated:
|
|
return unless $opts->{should_succeed};
|
|
|
|
my $crl_lastupdate = crl_field("$filename-crl.pem", 'lastUpdate');
|
|
if (exists $opts->{lastupdate}) {
|
|
is(
|
|
$crl_lastupdate,
|
|
rfc5280_time($opts->{lastupdate}),
|
|
'CRL lastUpdate field has expected value'
|
|
);
|
|
} else {
|
|
diag("CRL lastUpdate: $crl_lastupdate");
|
|
diag("openssl run time: $crl_gentime");
|
|
ok(
|
|
# Is the CRL's lastUpdate time within a second of the time that
|
|
# `openssl ca -gencrl` was executed?
|
|
$crl_gentime - 1 <= $crl_lastupdate && $crl_lastupdate <= $crl_gentime + 1,
|
|
'CRL lastUpdate field has (roughly) expected value'
|
|
);
|
|
}
|
|
|
|
my $crl_nextupdate = crl_field("$filename-crl.pem", 'nextUpdate');
|
|
if (exists $opts->{nextupdate}) {
|
|
is(
|
|
$crl_nextupdate,
|
|
rfc5280_time($opts->{nextupdate}),
|
|
'CRL nextUpdate field has expected value'
|
|
);
|
|
} else {
|
|
diag("CRL nextUpdate: $crl_nextupdate");
|
|
diag("openssl run time: $crl_gentime");
|
|
ok(
|
|
# Is the CRL's lastUpdate time within a second of the time that
|
|
# `openssl ca -gencrl` was executed, taking into account the use
|
|
# of '-crlsec 60'?
|
|
$crl_gentime + 59 <= $crl_nextupdate && $crl_nextupdate <= $crl_gentime + 61,
|
|
'CRL nextUpdate field has (roughly) expected value'
|
|
);
|
|
}
|
|
};
|
|
}
|
|
|
|
sub yes {
|
|
my $cntr = 10;
|
|
open(PIPE, "|-", join(" ",@_));
|
|
local $SIG{PIPE} = "IGNORE";
|
|
1 while $cntr-- > 0 && print PIPE "y\n";
|
|
close PIPE;
|
|
return 0;
|
|
}
|
|
|
|
# Get the value of the lastUpdate or nextUpdate field from a CRL
|
|
sub crl_field {
|
|
my ($crl_path, $field_name) = @_;
|
|
|
|
my @out = run(
|
|
app(['openssl',
|
|
'crl',
|
|
'-in', $crl_path,
|
|
'-noout',
|
|
'-' . lc($field_name),
|
|
]),
|
|
capture => 1,
|
|
statusvar => \my $exit,
|
|
);
|
|
ok($exit, "CRL $field_name field retrieved");
|
|
diag("CRL $field_name: $out[0]");
|
|
|
|
$out[0] =~ s/^\Q$field_name\E=//;
|
|
$out[0] =~ s/\n?//;
|
|
my $time = human_time($out[0]);
|
|
|
|
return $time;
|
|
}
|
|
|
|
# Converts human-readable ASN1_TIME_print() output to Unix time
|
|
sub human_time {
|
|
my ($human) = @_;
|
|
|
|
my ($mo, $d, $h, $m, $s, $y) = $human =~ /^([A-Za-z]{3})\s+(\d+) (\d{2}):(\d{2}):(\d{2}) (\d{4})/;
|
|
|
|
my %months = (
|
|
Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4, Jun => 5,
|
|
Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11,
|
|
);
|
|
|
|
return timegm($s, $m, $h, $d, $months{$mo}, $y);
|
|
}
|
|
|
|
# Converts an RFC 5280 timestamp to Unix time
|
|
sub rfc5280_time {
|
|
my ($asn1) = @_;
|
|
|
|
my ($y, $mo, $d, $h, $m, $s) = $asn1 =~ /^(\d{2,4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$/;
|
|
|
|
return timegm($s, $m, $h, $d, $mo - 1, $y);
|
|
}
|