1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
|
#!/usr/bin/tclsh
lappend auto_path [file dirname [info script]]
package require ossltest
cd $::test::dir
set env(LC_TIME) C
if [file exists tsa.serial] {
file delete tsa.serial
}
set testname [file rootname [file tail $::argv0]]
#
# Formats 64 hex digits into format
#
proc format_hash {hash} {
# Split hash into list of two-digit hexadecimal numbers
set list [regexp -all -inline {[[:xdigit:]]{2}} $hash]
for {set i 0} {$i<[llength $list]} {incr i 16} {
append out [format " %04x - " $i]
set hex [join [lrange $list $i [expr $i+15]] " "]
if {[string length $hex]>24} {
set hex [string replace $hex 23 23 "-"]
}
append out $hex [string repeat " " [expr 50-[string length $hex]]]
foreach char [lrange $list $i [expr $i+15]] {
set n [scan $char "%x"]
if {$n>=32 && $n <=126 } {
append out [format %c $n]
} else {
append out "."
}
}
append out "\n"
}
# Chop newline from last line
return [string trim $out "\n"]
}
#
# Replace Nonce with equvalent number of X-es because we cannot
# predict nonce for comparing output, and chop out STDERR
# If output contains timestamp, extract it, replace with word
# "extracted" and return two-element list where element 0 is modified
# output and element 1 is timestamp in unix time
#
proc cleanup_print {output} {
set data [regsub {STDERR CONTENTS:.*$} [regsub {Nonce: 0x[[:xdigit:]]+} $output {Nonce: 0xXXXXXXXXXXXXXXXX}] {}]
if {[regexp "\nTime stamp: (\[^\n\]+)\n" $data -> time]} {
return [list [regsub "\nTime stamp: (\[^\n\]+)\n" $data "\nTime stamp: extracted\n"] [clock scan $time]]
} else {
return $data
}
}
start_tests "Тесты на timestamping protocol"
test "Creating CA 2001" {
makeCA ${testname}CA gost2001:A
} 0 1
test "Creating CA 2012" {
makeCA
} 0 1
set serial_num 0
if {[info exists env(ALG_LIST)]} {
set alg_list $env(ALG_LIST)
} else {
switch -exact [engine_name] {
"ccore" {set alg_list {gost2001:A gost2012_256:A gost2012_512:A}}
"open" {set alg_list {gost2001:A gost2012_256:A gost2012_512:A}}
}
}
foreach alg $alg_list {
set alg_fn [string map {":" "_"} $alg]
set username U_tsa_$alg_fn
set hash_alg [alg_hash $alg]
switch -glob $alg {
gost2012* {set ::test::ca ${testname}CA-2012}
* {set ::test::ca ${testname}CA}
}
test "Creating Timestamping authority certificate" {
makeRegisteredUser $username $alg CN "Timestamping authority $alg" \
extensions "keyUsage=digitalSignature,nonRepudiation\nextendedKeyUsage=critical,timeStamping"
openssl "verify -CAfile $::test::ca/cacert.pem -purpose timestampsign $username/cert.pem"
} 0 "$username/cert.pem: OK\n"
test "creating TSA configuration file" {
makeFile tsa.cnf "\[ tsa \]
default_tsa = tsa_section
\[ tsa_section \]
serial = [pwd]/tsa.serial
digests=[hash_short_name $hash_alg]
default_policy = 1.2.3.4
other_policies = 1.2.3.4.5,1.2.3.4.6
signer_digest = md_gost94
"
} 0 ""
test "Creating request with [hash_short_name $hash_alg], no cert request, no policy" {
makeFile testdata [string repeat "Test data for timestamp\n" 100]
set hash1 [regsub {^[^=]+= } [openssl "dgst -[hash_short_name $hash_alg] testdata"] {}]
set sha1hash1 [regsub {^[^=]+= } [openssl "dgst -sha1 testdata"] {}]
openssl "ts -query -[hash_short_name $hash_alg] -data testdata -out req1.tsq"
file exists req1.tsq
} 0 1
test "Printing request 1" {
cleanup_print [openssl "ts -query -text -in req1.tsq"]
} 0 "Version: 1
Hash Algorithm: [hash_long_name $hash_alg]
Message data:
[format_hash $hash1]
Policy OID: unspecified
Nonce: 0xXXXXXXXXXXXXXXXX
Certificate required: no
Extensions:
"
test "Creating reply for request1" {
incr serial_num
openssl "ts -reply -config tsa.cnf -queryfile req1.tsq -signer $username/cert.pem -inkey $username/seckey.pem -out resp1.tsr -[hash_short_name $hash_alg]"
file exists resp1.tsr
} 0 1
set creation_time1 $::test::timestamp
test -time 1 "printing reply 1" {
cleanup_print [openssl "ts -reply -text -in resp1.tsr"]
} 0 [list "Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified
TST info:
Version: 1
Policy OID: 1.2.3.4
Hash Algorithm: [hash_long_name $hash_alg]
Message data:
[format_hash $hash1]
Serial number: 0x[format "%02X" $serial_num]
Time stamp: extracted
Accuracy: unspecified
Ordering: no
Nonce: 0xXXXXXXXXXXXXXXXX
TSA: unspecified
Extensions:
" $creation_time1]
test "Verifying reply against query file" {
grep "Verification" [openssl "ts -verify -in resp1.tsr -queryfile req1.tsq -untrusted $username/cert.pem -CAfile $::test::ca/cacert.pem"]
} 0 "Verification: OK\n"
test "Verifying reply against data file" {
grep "Verification" [openssl "ts -verify -in resp1.tsr -data testdata -untrusted $username/cert.pem -CAfile $::test::ca/cacert.pem"]
} 0 "Verification: OK\n"
test "Verifying reply against other data file" {
makeFile testdata2 [string repeat "Test data for timestamp 2\n" 100]
set hash2 [regsub {^[^=]+= } [openssl "dgst -[hash_short_name $hash_alg] testdata2"] {}]
openssl "ts -verify -in resp1.tsr -data testdata2 -untrusted $username/cert.pem -CAfile $::test::ca/cacert.pem"
} 1 "message imprint mismatch"
test "Verifying reply against explicit hash value" {
grep "Verification" [openssl "ts -verify -in resp1.tsr -digest $hash1 -untrusted $username/cert.pem -CAfile $::test::ca/cacert.pem"]
} 0 "Verification: OK\n"
test "Creating request 2 with [hash_short_name $hash_alg], cert requested, no policy" {
openssl "ts -query -[hash_short_name $hash_alg] -data testdata -cert -out req2.tsq"
file exists req2.tsq
} 0 1
test "Printing request 2" {
cleanup_print [openssl "ts -query -text -in req2.tsq"]
} 0 "Version: 1
Hash Algorithm: [hash_long_name $hash_alg]
Message data:
[format_hash $hash1]
Policy OID: unspecified
Nonce: 0xXXXXXXXXXXXXXXXX
Certificate required: yes
Extensions:
"
test "Replying to request 2" {
incr serial_num
openssl "ts -reply -config tsa.cnf -queryfile req2.tsq -signer $username/cert.pem -inkey $username/seckey.pem -out resp2.tsr -[hash_short_name $hash_alg]"
file exists resp2.tsr
} 0 1
set creation_time2 $::test::timestamp
test -time 1 "Printing reply 2" {
cleanup_print [openssl "ts -reply -text -in resp2.tsr"]
} 0 [list "Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified
TST info:
Version: 1
Policy OID: 1.2.3.4
Hash Algorithm: [hash_long_name $hash_alg]
Message data:
[format_hash $hash1]
Serial number: 0x[format "%02X" $serial_num]
Time stamp: extracted
Accuracy: unspecified
Ordering: no
Nonce: 0xXXXXXXXXXXXXXXXX
TSA: unspecified
Extensions:
" $creation_time2]
test "Verifying reply2 against request file" {
grep "Verification" [openssl "ts -verify -in resp2.tsr -queryfile req2.tsq -CAfile $::test::ca/cacert.pem"]
} 0 "Verification: OK\n"
test "Verifying reply2 against data file" {
grep "Verification" [openssl "ts -verify -in resp2.tsr -data testdata -CAfile $::test::ca/cacert.pem"]
} 0 "Verification: OK\n"
test "Verifying reply2 against explicit digest" {
grep "Verification" [openssl "ts -verify -in resp2.tsr -digest $hash1 -CAfile $::test::ca/cacert.pem"]
} 0 "Verification: OK\n"
test "Verifying reply2 against request 1" {
grep "Verification" [openssl "ts -verify -in resp2.tsr -queryfile req1.tsq -CAfile $::test::ca/cacert.pem"]
} 1 "nonce mismatch"
test "Creating request 3 with sha1 digest" {
openssl "ts -query -sha1 -data testdata -cert -out req3.tsq"
file exists req3.tsq
} 0 1
test "Printing request 3" {
cleanup_print [openssl "ts -query -text -in req3.tsq"]
} 0 "Version: 1
Hash Algorithm: sha1
Message data:
[format_hash $sha1hash1]
Policy OID: unspecified
Nonce: 0xXXXXXXXXXXXXXXXX
Certificate required: yes
Extensions:
"
test "Replying to request 3 (with badAlg status)" {
set creation_time3 [clock format [clock seconds] -gmt y -format "%B %d %H:%M:%S %Y GMT"]
openssl "ts -reply -config tsa.cnf -queryfile req3.tsq -signer $username/cert.pem -inkey $username/seckey.pem -out resp3.tsr -[hash_short_name $hash_alg]"
file exists resp3.tsr
} 0 1
test "Printing reply 3" {
cleanup_print [openssl "ts -reply -text -in resp3.tsr"]
} 0 "Status info:
Status: Rejected.
Status description: Message digest algorithm is not supported.
Failure info: unrecognized or unsupported algorithm identifier
TST info:
Not included.
"
test "Verifying response 3 against request file" {
openssl "ts -verify -in resp3.tsr -queryfile req3.tsq -CAfile $::test::ca/cacert.pem"
} 1 "status code: rejection, status text: Message digest algorithm is not supported., failure codes: badAlg"
test "Creating request 4 with specific (valid) policy" {
openssl "ts -query -[hash_short_name $hash_alg] -data testdata -tspolicy 1.2.3.4.5 -cert -out req4.tsq"
file exists req4.tsq
} 0 1
test "Replying to request 4" {
incr serial_num
openssl "ts -reply -config tsa.cnf -queryfile req4.tsq -signer $username/cert.pem -inkey $username/seckey.pem -out resp4.tsr -[hash_short_name $hash_alg]"
file exists resp4.tsr
} 0 1
test "Verifying reply 4 against request file" {
grep "Verification" [openssl "ts -verify -in resp4.tsr -queryfile req4.tsq -CAfile $::test::ca/cacert.pem"]
} 0 "Verification: OK\n"
test "Creating request 5 with specific (invalid) policy" {
openssl "ts -query -[hash_short_name $hash_alg] -data testdata -tspolicy 1.2.3.4.9 -cert -out req5.tsq"
file exists req5.tsq
} 0 1
test "Replying to request 5" {
openssl "ts -reply -config tsa.cnf -queryfile req5.tsq -signer $username/cert.pem -inkey $username/seckey.pem -out resp5.tsr -[hash_short_name $hash_alg]"
file exists resp5.tsr
} 0 1
test "Verifying reply 5" {
openssl "ts -verify -in resp5.tsr -queryfile req5.tsq -CAfile $::test::ca/cacert.pem"
} 1 "status code: rejection, status text: Requested policy is not supported., failure codes: unacceptedPolicy"
}
end_tests
|
