#!/usr/bin/tclsh
# Add this script's own directory to the package search path so that the
# ossltest package can be found next to it.
lappend auto_path [file dirname [info script]]
# NOTE(review): ossltest presumably supplies the helpers used throughout this
# file (test, openssl, makeCA, makeRegisteredUser, makeFile, getFile, grep) --
# none of them is defined here; confirm against the package.
package require ossltest
# All relative file names below are resolved against the suite's work directory.
cd $::test::dir
# Suite title is Russian for "Tests for the cms command - second signature".
start_tests "Тесты на команду cms - вторая подпись" 

# Every invocation in this file has the shape
#   test ?-createsfiles files? name body code result
# NOTE(review): the trailing "0 1" is presumably the expected return code and
# the expected body result -- confirm against the ossltest harness.
test "Creating CA" {
	makeCA
} 0 1

# Payload that both signers sign; every "extracted correctly" check below
# compares the recovered content against this file.
makeFile cms_signed2.dat "Test data for 2 signatures"


foreach length {256 512} {

# Create the two signers for this key length. Both use the key parameter
# string gost2012_$length:A and the same e-mail address; they differ only in
# CN (USER1_$length / USER2_$length), which is what the certificate-extraction
# checks further down use to tell the two signers apart.
# NOTE(review): makeRegisteredUser is assumed to leave seckey.pem and cert.pem
# under U_cms_N_$length/, since the -inkey/-signer paths below expect them
# there -- confirm against ossltest.
test "Creating users $length" {
	makeRegisteredUser U_cms_1_$length gost2012_$length:A CN USER1_$length emailAddress test@cryptocom.ru
	makeRegisteredUser U_cms_2_$length gost2012_$length:A CN USER2_$length emailAddress test@cryptocom.ru
} 0 1

# Scenario 1: attached (-nodetach) signature, DER in and out.
# First signer wraps cms_signed2.dat into a DER SignedData; the body result is
# only "the output file exists".
test -createsfiles cms_signed2_1_$length.asn "Signing in DER format with 1st signature" {
	openssl "cms -sign -binary -outform der -inform der -nodetach -inkey U_cms_1_$length/seckey.pem -signer U_cms_1_$length/cert.pem -in cms_signed2.dat -out cms_signed2_1_$length.asn"
	file isfile cms_signed2_1_$length.asn
} 0 1

# Second signer: -resign adds a signer to the already signed message produced
# above instead of signing fresh content.
test -createsfiles cms_signed2_2_$length.asn "Signing in DER format with 2nd signature" {
	openssl "cms -resign -binary -outform der -inform der -nodetach -inkey U_cms_2_$length/seckey.pem -signer U_cms_2_$length/cert.pem -in cms_signed2_1_$length.asn -out cms_signed2_2_$length.asn"
	file isfile cms_signed2_2_$length.asn
} 0 1

# Verify the two-signer message, writing the recovered content to
# was_signed.dat and the signers' certificates to signer.certs.
# -noverify turns off validation of the signers' certificate chain, and no CA
# file is passed, so a pass here shows only that the signatures match the
# content -- it says nothing about whether the signers chain to the test CA.
test -createsfiles {was_signed.dat signer.certs} "Verifying signature in DER format" {
	grep "Verif" [openssl "cms -verify -inform der -in cms_signed2_2_$length.asn -noverify -signer signer.certs -out was_signed.dat"]
} 0 {CMS Verification successful
}

# Content written by the verify step must equal the payload that was signed.
# "string eq" is Tcl's unambiguous abbreviation of "string equal".
test "Signed data is extracted correctly" {
	string eq [getFile cms_signed2.dat] [getFile was_signed.dat]
} 0 1

### Test extracted certificates

# Split signer.certs into individual PEM certificates, read each subject with
# "openssl x509", and compare the sorted list against both expected signers.
# regsub turns " = " into "=" so that spacing around '=' in the subject line
# does not matter; lsort makes the comparison independent of signer order.
# Each expected list element ends in a newline (the closing brace sits on the
# next line), matching what grep returns for a line of output.
test "Extracting signer certificates" {
	set i 0
	set subjs {}
	set certs [regexp -all -inline -- {-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----} [getFile signer.certs]]
	foreach cert $certs {
		makeFile cert[incr i].pem $cert
		lappend subjs [regsub -all " = " [grep subject [openssl "x509 -in cert$i.pem -subject -noout"]] "=" ]
	}
	lsort $subjs
} 0  "{subject=C=RU, O=Cryptocom, OU=OpenSSL Team, CN=USER1_$length, emailAddress=test@cryptocom.ru
} {subject=C=RU, O=Cryptocom, OU=OpenSSL Team, CN=USER2_$length, emailAddress=test@cryptocom.ru
}"

# Scenario 2: opaque (-nodetach) signature in S/MIME format. No -outform is
# given, so openssl's default S/MIME output is written to the .msg file.
# The backslash in "$length\_op" ends the variable name before the underscore.
test -createsfiles cms_signed2_1_$length\_op.msg "Signing opaque in S/MIME format with 1st signature" {
	openssl "cms -sign -binary -inform der -nodetach -inkey U_cms_1_$length/seckey.pem -signer U_cms_1_$length/cert.pem -in cms_signed2.dat -out cms_signed2_1_$length\_op.msg"
	file isfile cms_signed2_1_$length\_op.msg
} 0 1

# Second signer added with -resign to the S/MIME message from the step above.
test -createsfiles cms_signed2_2_$length\_op.msg "Signing opaque in S/MIME format with 2nd signature" {
	openssl "cms -resign -binary -nodetach -inkey U_cms_2_$length/seckey.pem -signer U_cms_2_$length/cert.pem -in cms_signed2_1_$length\_op.msg -out cms_signed2_2_$length\_op.msg"
	file isfile cms_signed2_2_$length\_op.msg
} 0 1

# Verify the two-signer opaque message. As in the DER scenario, -noverify
# disables signer certificate chain validation, so only the signatures over
# the content are checked here, not trust in the signers.
test -createsfiles {was_signed.dat signer.certs} "Verifying opaque signature in S/MIME format" {
	grep "Verif" [openssl "cms -verify -in cms_signed2_2_$length\_op.msg -noverify -signer signer.certs -out was_signed.dat"]
} 0 {CMS Verification successful
}

# Recovered content must be identical to the signed payload.
test "Signed data is extracted correctly" {
	string eq [getFile cms_signed2.dat] [getFile was_signed.dat]
} 0 1

### Test extracted certificates

# Same check as in the DER scenario: both signers' subjects must be present in
# signer.certs. The certificates are written to cert1.pem, cert2.pem, ... and
# read back from those same files.
test "Extracting signer certificates" {
	set i 0
	set subjs {}
	set certs [regexp -all -inline -- {-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----} [getFile signer.certs]]
	foreach cert $certs {
		makeFile cert[incr i].pem $cert
		lappend subjs [regsub -all " = " [grep subject [openssl "x509 -in cert$i.pem -subject -noout"]] "=" ]
	}
	lsort $subjs
} 0 "{subject=C=RU, O=Cryptocom, OU=OpenSSL Team, CN=USER1_$length, emailAddress=test@cryptocom.ru
} {subject=C=RU, O=Cryptocom, OU=OpenSSL Team, CN=USER2_$length, emailAddress=test@cryptocom.ru
}"

# Scenario 3: detached signature in DER format. -nodetach is absent, so the
# signed content is not embedded in the .asn output.
test -createsfiles cms_signed2_1_$length\_det.asn "Signing detached in DER format with 1st signature" {
	openssl "cms -sign -binary -outform der -inkey U_cms_1_$length/seckey.pem -signer U_cms_1_$length/cert.pem -in cms_signed2.dat -out cms_signed2_1_$length\_det.asn"
	file isfile cms_signed2_1_$length\_det.asn
} 0 1

# Second signer: because the first signature is detached, the original payload
# is supplied separately with -content.
test -createsfiles cms_signed2_2_$length\_det.asn "Signing detached in DER format with 2nd signature" {
	openssl "cms -resign -binary -inkey U_cms_2_$length/seckey.pem -signer U_cms_2_$length/cert.pem -in cms_signed2_1_$length\_det.asn -content cms_signed2.dat -inform der -outform der -out cms_signed2_2_$length\_det.asn"
	file isfile cms_signed2_2_$length\_det.asn
} 0 1

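# Verify the detached two-signer DER signature against the payload.
# The -content argument must name the file this script actually signed
# (cms_signed2.dat). Pointing it at a file this script never creates would
# make the outcome depend on whatever another test left in the work directory,
# so a detached-signature regression could go unnoticed.
# -noverify disables signer certificate chain validation: this step checks the
# signatures over the content only, not trust in the signers.
test -createsfiles {was_signed.dat signer.certs} "Verifying detached signature in DER format" {
	grep "Verif" [openssl "cms -verify -in cms_signed2_2_$length\_det.asn -noverify -signer signer.certs -out was_signed.dat -content cms_signed2.dat -inform der"]
} 0 {CMS Verification successful
}

# Recovered content must be identical to the signed payload.
# NOTE(review): was_signed.dat is also written by the earlier scenarios; unless
# the harness removes -createsfiles entries between tests, a stale copy could
# satisfy this comparison -- confirm against ossltest.
test "Signed data is extracted correctly" {
	string eq [getFile cms_signed2.dat] [getFile was_signed.dat]
} 0 1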

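### Test extracted certificates

# Split signer.certs from the detached-DER verification into individual PEM
# files and check that both signers' subjects are present.
# The x509 call must read the cert_asn$i.pem file written on the line above.
# Reading cert$i.pem instead would inspect files left over from an earlier
# scenario, and the check would pass without ever looking at the certificates
# extracted from this message.
# regsub removes the spaces around '=' in the subject line; lsort makes the
# comparison independent of signer order.
test "Extracting signer certificates" {
	set i 0
	set subjs {}
	set certs [regexp -all -inline -- {-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----} [getFile signer.certs]]
	foreach cert $certs {
		makeFile cert_asn[incr i].pem $cert
		lappend subjs [regsub -all " = " [grep subject [openssl "x509 -in cert_asn$i.pem -subject -noout"]] "=" ]
	}
	lsort  $subjs
} 0  "{subject=C=RU, O=Cryptocom, OU=OpenSSL Team, CN=USER1_$length, emailAddress=test@cryptocom.ru
} {subject=C=RU, O=Cryptocom, OU=OpenSSL Team, CN=USER2_$length, emailAddress=test@cryptocom.ru
}"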

# Scenario 4: S/MIME output without -nodetach, i.e. the content is not wrapped
# inside the signature structure.
test -createsfiles cms_signed2_1_$length.msg "Signing in S/MIME format with 1st signature" {
	openssl "cms -sign -binary -inform der -inkey U_cms_1_$length/seckey.pem -signer U_cms_1_$length/cert.pem -in cms_signed2.dat -out cms_signed2_1_$length.msg"
	file isfile cms_signed2_1_$length.msg
} 0 1

# Second signer. The expected result is the empty string, i.e. no line of
# openssl's output contains "SMIME".
# NOTE(review): unlike the other signing steps this one does not assert
# "file isfile" on the output; the file's existence is only covered by the
# -createsfiles declaration and by the verify step that follows -- confirm
# that this is intended.
test -createsfiles cms_signed2_2_$length.msg "Signing in S/MIME format with 2nd signature" {
	grep "SMIME" [openssl "cms -resign -binary -inkey U_cms_2_$length/seckey.pem -signer U_cms_2_$length/cert.pem -in cms_signed2_1_$length.msg -inform smime -out cms_signed2_2_$length.msg"]
} 0 ""

# Verify the two-signer S/MIME message. -noverify disables signer certificate
# chain validation, so only the signatures over the content are checked.
test -createsfiles {was_signed.dat  signer.certs} "Verifying signature in S/MIME format" {
	grep "Verif" [openssl "cms -verify -in cms_signed2_2_$length.msg -noverify -signer signer.certs -out was_signed.dat -inform smime"]
} 0 {CMS Verification successful
}

# Recovered content must be identical to the signed payload.
test "Signed data is extracted correctly" {
	string eq [getFile cms_signed2.dat] [getFile was_signed.dat]
} 0 1

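### Test extracted certificates

# Split signer.certs from the S/MIME verification into individual PEM files
# and check that both signers' subjects are present.
# The x509 call must read the cert_cms$i.pem file written on the line above.
# Reading cert$i.pem instead would inspect files left over from an earlier
# scenario rather than the certificates extracted from this message.
# regsub removes the spaces around '=' in the subject line; lsort makes the
# comparison independent of signer order.
test "Extracting signer certificates" {
	set i 0
	set subjs {}
	set certs [regexp -all -inline -- {-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----} [getFile signer.certs]]
	foreach cert $certs {
		makeFile cert_cms[incr i].pem $cert
		lappend subjs [regsub -all " = " [grep subject [openssl "x509 -in cert_cms$i.pem -subject -noout"]] "=" ]
	}
	lsort $subjs
} 0  "{subject=C=RU, O=Cryptocom, OU=OpenSSL Team, CN=USER1_$length, emailAddress=test@cryptocom.ru
} {subject=C=RU, O=Cryptocom, OU=OpenSSL Team, CN=USER2_$length, emailAddress=test@cryptocom.ru
}"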

}


# Negative cases: add a second signer whose key length differs from that of
# the first signer (512-bit key onto a 256-bit message and vice versa), in each
# of the four formats exercised above. Every case expects code 1 and the text
# "no matching digest".
# NOTE(review): presumably -resign reuses a digest already present in the
# message and fails when the new key needs a different one -- confirm against
# the openssl cms documentation.
# These tests read the cms_signed2_1_<length>* files produced inside the
# foreach loop above, so they only mean something if that loop ran first.
# No -out is given, so a resign that unexpectedly succeeded would write the
# message to standard output.
test "Resigning in DER format with a unsuitable key length 512" {
	openssl "cms -resign -binary -inform der -nodetach -inkey U_cms_2_512/seckey.pem -signer U_cms_2_512/cert.pem -in cms_signed2_1_256.asn"
} 1 "no matching digest"

test "Resigning in DER format with a unsuitable key length 256" {
	openssl "cms -resign -binary -inform der -nodetach -inkey U_cms_2_256/seckey.pem -signer U_cms_2_256/cert.pem -in cms_signed2_1_512.asn"
} 1 "no matching digest"

# Opaque S/MIME input.
test "Resigning opaque in S/MIME format with a unsuitable key length 512" {
	openssl "cms -resign -binary -nodetach -inkey U_cms_2_512/seckey.pem -signer U_cms_2_512/cert.pem -in cms_signed2_1_256_op.msg"
} 1 "no matching digest"

test "Resigning opaque in S/MIME format with a unsuitable key length 256" {
	openssl "cms -resign -binary -nodetach -inkey U_cms_2_256/seckey.pem -signer U_cms_2_256/cert.pem -in cms_signed2_1_512_op.msg"
} 1 "no matching digest"

# Detached DER input; the payload is supplied with -content.
test "Resigning detached in DER format with a unsuitable key length 512" {
	openssl "cms -resign -binary -inform der -inkey U_cms_2_512/seckey.pem -signer U_cms_2_512/cert.pem -in cms_signed2_1_256_det.asn -content cms_signed2.dat"
} 1 "no matching digest"

test "Resigning detached in DER format with a unsuitable key length 256" {
	openssl "cms -resign -binary -inform der -inkey U_cms_2_256/seckey.pem -signer U_cms_2_256/cert.pem -in cms_signed2_1_512_det.asn -content cms_signed2.dat"
} 1 "no matching digest"

# S/MIME input produced without -nodetach.
test "Resigning in S/MIME format with a unsuitable key length 512" {
	openssl "cms -resign -binary -inkey U_cms_2_512/seckey.pem -signer U_cms_2_512/cert.pem -in cms_signed2_1_256.msg"
} 1 "no matching digest"

test "Resigning in S/MIME format with a unsuitable key length 256" {
	openssl "cms -resign -binary -inkey U_cms_2_256/seckey.pem -signer U_cms_2_256/cert.pem -in cms_signed2_1_512.msg"
} 1 "no matching digest"


# Close the suite opened by start_tests.
end_tests



#./load_engine cms -sign -binary -outform der -inform der -nodetach -inkey certs/fstek.key -signer certs/fstek.crt -out cms_signed2 -in cms_signed1
#./load_engine cms -verify -inform der -in cms_signed2 -noverify
#./load_engine cms -verify -inform der -in cms_signed2 -noverify -signer sss
#cat sss
#history 
#vim sss
#./load_engine x509 -in sss sss2
#./load_engine x509 -in sss 
#./load_engine x509 -in sss -subject -noout
#./load_engine x509 -in sss2 -subject -noout
#./load_engine cms -verify -inform der -in cms_signed2 -noverify -signer sss -out qqq