From: tb Date: Fri, 26 Feb 2021 15:15:40 +0000 (+0000) Subject: zap spades of trailing whitespace X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=0306fa890349457b28d9e2165861fecc320bf09c;p=openbsd zap spades of trailing whitespace --- diff --git a/regress/usr.bin/openssl/appstest.sh b/regress/usr.bin/openssl/appstest.sh index e90dc989f58..1cc8bacfb1d 100755 --- a/regress/usr.bin/openssl/appstest.sh +++ b/regress/usr.bin/openssl/appstest.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# $OpenBSD: appstest.sh,v 1.46 2020/08/01 14:31:23 inoguchi Exp $ +# $OpenBSD: appstest.sh,v 1.47 2021/02/26 15:15:40 tb Exp $ # # Copyright (c) 2016 Kinichiro Inoguchi # @@ -64,87 +64,87 @@ function usage { function test_usage_lists_others { # === COMMAND USAGE === section_message "COMMAND USAGE" - + start_message "output usages of all commands." - + cmds=`$openssl_bin list-standard-commands` $openssl_bin -help 2>> $user1_dir/usages.out for c in $cmds ; do $openssl_bin $c -help 2>> $user1_dir/usages.out done - + start_message "check all list-* commands." - + lists="" lists="$lists list-standard-commands" lists="$lists list-message-digest-commands list-message-digest-algorithms" lists="$lists list-cipher-commands list-cipher-algorithms" lists="$lists list-public-key-algorithms" - + listsfile=$user1_dir/lists.out - + for l in $lists ; do echo "" >> $listsfile echo "$l" >> $listsfile $openssl_bin $l >> $listsfile done - + start_message "check interactive mode" $openssl_bin <<__EOF__ help quit __EOF__ check_exit_status $? - + #---------#---------#---------#---------#---------#---------#--------- - + # --- listing operations --- section_message "listing operations" - + start_message "ciphers" $openssl_bin ciphers -V > $user1_dir/ciphers-V.out check_exit_status $? - + start_message "errstr" $openssl_bin errstr 2606A074 check_exit_status $? $openssl_bin errstr -stats 2606A074 > $user1_dir/errstr-stats.out check_exit_status $? - + #---------#---------#---------#---------#---------#---------#--------- - + # --- random number etc. operations --- section_message "random number etc. operations" - + start_message "passwd" - + pass="test-pass-1234" - + echo $pass | $openssl_bin passwd -stdin -1 check_exit_status $? - + echo $pass | $openssl_bin passwd -stdin -apr1 check_exit_status $? - + echo $pass | $openssl_bin passwd -stdin -crypt check_exit_status $? - + start_message "prime" - + $openssl_bin prime 1 check_exit_status $? - + $openssl_bin prime 2 check_exit_status $? - + $openssl_bin prime -bits 64 -checks 3 -generate -hex -safe 5 check_exit_status $? - + start_message "rand" - + $openssl_bin rand -base64 100 check_exit_status $? - + $openssl_bin rand -hex 100 check_exit_status $? } @@ -152,9 +152,9 @@ __EOF__ function test_md { # === MESSAGE DIGEST COMMANDS === section_message "MESSAGE DIGEST COMMANDS" - + start_message "dgst - See [MESSAGE DIGEST COMMANDS] section." - + text="1234567890abcdefghijklmnopqrstuvwxyz" dgstdat=$user1_dir/dgst.dat echo $text > $dgstdat @@ -167,24 +167,24 @@ function test_md { $openssl_bin genrsa -aes256 -passout pass:$dgstpass -out $dgstkey check_exit_status $? - + $openssl_bin pkey -in $dgstkey -passin pass:$dgstpass -pubout \ -out $dgstpub check_exit_status $? - + digests=`$openssl_bin list-message-digest-commands` - + for d in $digests ; do - + echo -n "$d ... " $openssl_bin dgst -$d -hex -out $dgstdat.$d $dgstdat check_exit_status $? - + echo -n "$d HMAC ... " $openssl_bin dgst -$d -c -hmac $hmac_key -out $dgstdat.$d.hmac \ $dgstdat check_exit_status $? - + echo -n "$d CMAC ... " $openssl_bin dgst -$d -r -mac cmac -macopt cipher:aes-128-cbc \ -macopt hexkey:$cmac_key -out $dgstdat.$d.cmac $dgstdat @@ -213,27 +213,27 @@ function test_md { function test_encoding_cipher { # === ENCODING AND CIPHER COMMANDS === section_message "ENCODING AND CIPHER COMMANDS" - + start_message "enc - See [ENCODING AND CIPHER COMMANDS] section." - + text="1234567890abcdefghijklmnopqrstuvwxyz" encfile=$user1_dir/encfile.dat echo $text > $encfile pass="test-pass-1234" - + ciphers=`$openssl_bin list-cipher-commands` - + for c in $ciphers ; do echo -n "$c ... encoding ... " $openssl_bin enc -$c -e -base64 -pass pass:$pass \ -in $encfile -out $encfile-$c.enc check_exit_status $? - + echo -n "decoding ... " $openssl_bin enc -$c -d -base64 -pass pass:$pass \ -in $encfile-$c.enc -out $encfile-$c.dec check_exit_status $? - + echo -n "cmp ... " cmp $encfile $encfile-$c.dec check_exit_status $? @@ -243,20 +243,20 @@ function test_encoding_cipher { function test_key { # === various KEY operations === section_message "various KEY operations" - + key_pass=test-key-pass - + # DH - + start_message "gendh - Obsoleted by dhparam." gendh2=$key_dir/gendh2.pem $openssl_bin gendh -2 -out $gendh2 > $gendh2.log 2>&1 check_exit_status $? - + start_message "dh - Obsoleted by dhparam." $openssl_bin dh -in $gendh2 -check -text -out $gendh2.out check_exit_status $? - + if [ $no_long_tests = 0 ] ; then start_message "dhparam - Superseded by genpkey and pkeyparam." dhparam2=$key_dir/dhparam2.pem @@ -268,111 +268,111 @@ function test_key { else start_message "SKIPPING dhparam - Superseded by genpkey and pkeyparam. (quick mode)" fi - + # DSA - + start_message "dsaparam - Superseded by genpkey and pkeyparam." dsaparam512=$key_dir/dsaparam512.pem $openssl_bin dsaparam -genkey -out $dsaparam512 512 \ > $dsaparam512.log 2>&1 check_exit_status $? - + start_message "dsa" $openssl_bin dsa -in $dsaparam512 -text -modulus -out $dsaparam512.out check_exit_status $? - + start_message "gendsa - Superseded by genpkey and pkey." gendsa_des3=$key_dir/gendsa_des3.pem $openssl_bin gendsa -des3 -out $gendsa_des3 \ -passout pass:$key_pass $dsaparam512 check_exit_status $? - + # RSA - + start_message "genrsa - Superseded by genpkey." genrsa_aes256=$key_dir/genrsa_aes256.pem $openssl_bin genrsa -f4 -aes256 -out $genrsa_aes256 \ -passout pass:$key_pass 2048 > $genrsa_aes256.log 2>&1 check_exit_status $? - + start_message "rsa" $openssl_bin rsa -in $genrsa_aes256 -passin pass:$key_pass \ -check -text -out $genrsa_aes256.out check_exit_status $? - + start_message "rsautl - Superseded by pkeyutl." rsautldat=$key_dir/rsautl.dat rsautlsig=$key_dir/rsautl.sig echo "abcdefghijklmnopqrstuvwxyz1234567890" > $rsautldat - + $openssl_bin rsautl -sign -in $rsautldat -inkey $genrsa_aes256 \ -passin pass:$key_pass -out $rsautlsig check_exit_status $? - + $openssl_bin rsautl -verify -in $rsautlsig -inkey $genrsa_aes256 \ -passin pass:$key_pass check_exit_status $? - + # EC - + start_message "ecparam -list-curves" $openssl_bin ecparam -list_curves -out $key_dir/ecparam-list_curves.out check_exit_status $? - + # get all EC curves ec_curves=`$openssl_bin ecparam -list_curves | grep ':' | cut -d ':' -f 1` - + start_message "ecparam and ec" - + for curve in $ec_curves ; do ecparam=$key_dir/ecparam_$curve.pem - + echo -n "ec - $curve ... ecparam ... " $openssl_bin ecparam -out $ecparam -name $curve -genkey \ -param_enc explicit -conv_form compressed -C check_exit_status $? - + echo -n "ec ... " $openssl_bin ec -in $ecparam -text \ -out $ecparam.out 2> /dev/null check_exit_status $? done - + # PKEY - + start_message "genpkey" - + # DH by GENPKEY - + genpkey_dh_param=$key_dir/genpkey_dh_param.pem $openssl_bin genpkey -genparam -algorithm DH -out $genpkey_dh_param \ -pkeyopt dh_paramgen_prime_len:1024 > $genpkey_dh_param.log 2>&1 check_exit_status $? - + genpkey_dh=$key_dir/genpkey_dh.pem $openssl_bin genpkey -paramfile $genpkey_dh_param -out $genpkey_dh check_exit_status $? - + # DSA by GENPKEY - + genpkey_dsa_param=$key_dir/genpkey_dsa_param.pem $openssl_bin genpkey -genparam -algorithm DSA -out $genpkey_dsa_param \ -pkeyopt dsa_paramgen_bits:1024 > $genpkey_dsa_param.log 2>&1 check_exit_status $? - + genpkey_dsa=$key_dir/genpkey_dsa.pem $openssl_bin genpkey -paramfile $genpkey_dsa_param -out $genpkey_dsa check_exit_status $? - + # RSA by GENPKEY - + genpkey_rsa=$key_dir/genpkey_rsa.pem $openssl_bin genpkey -algorithm RSA -out $genpkey_rsa \ -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 \ > $genpkey_rsa.log 2>&1 check_exit_status $? - + genpkey_rsa_pss=$key_dir/genpkey_rsa_pss.pem $openssl_bin genpkey -algorithm RSA-PSS -out $genpkey_rsa_pss \ -pkeyopt rsa_keygen_bits:2048 \ @@ -381,72 +381,72 @@ function test_key { -pkeyopt rsa_pss_keygen_saltlen:32 \ > $genpkey_rsa_pss.log 2>&1 check_exit_status $? - + # EC by GENPKEY - + genpkey_ec_param=$key_dir/genpkey_ec_param.pem $openssl_bin genpkey -genparam -algorithm EC -out $genpkey_ec_param \ -pkeyopt ec_paramgen_curve:secp384r1 check_exit_status $? - + genpkey_ec=$key_dir/genpkey_ec.pem $openssl_bin genpkey -paramfile $genpkey_ec_param -out $genpkey_ec check_exit_status $? - + genpkey_ec_2=$key_dir/genpkey_ec_2.pem $openssl_bin genpkey -paramfile $genpkey_ec_param -out $genpkey_ec_2 check_exit_status $? - + start_message "pkeyparam" - + $openssl_bin pkeyparam -in $genpkey_dh_param -text \ -out $genpkey_dh_param.out check_exit_status $? - + $openssl_bin pkeyparam -in $genpkey_dsa_param -text \ -out $genpkey_dsa_param.out check_exit_status $? - + $openssl_bin pkeyparam -in $genpkey_ec_param -text \ -out $genpkey_ec_param.out check_exit_status $? - + start_message "pkey" - + $openssl_bin pkey -in $genpkey_dh -pubout -out $genpkey_dh.pub \ -text_pub check_exit_status $? - + $openssl_bin pkey -in $genpkey_dsa -pubout -out $genpkey_dsa.pub \ -text_pub check_exit_status $? - + $openssl_bin pkey -in $genpkey_rsa -pubout -out $genpkey_rsa.pub \ -text_pub check_exit_status $? - + $openssl_bin pkey -in $genpkey_ec -pubout -out $genpkey_ec.pub \ -text_pub check_exit_status $? - + $openssl_bin pkey -in $genpkey_ec_2 -pubout -out $genpkey_ec_2.pub \ -text_pub check_exit_status $? - + start_message "pkeyutl" - + pkeyutldat=$key_dir/pkeyutl.dat pkeyutlsig=$key_dir/pkeyutl.sig echo "abcdefghijklmnopqrstuvwxyz1234567890" > $pkeyutldat - + $openssl_bin pkeyutl -sign -in $pkeyutldat -inkey $genpkey_rsa \ -out $pkeyutlsig check_exit_status $? - + $openssl_bin pkeyutl -verify -in $pkeyutldat -sigfile $pkeyutlsig \ -inkey $genpkey_rsa check_exit_status $? - + $openssl_bin pkeyutl -verifyrecover -in $pkeyutlsig -inkey $genpkey_rsa check_exit_status $? @@ -562,16 +562,16 @@ extendedKeyUsage = OCSPSigning __EOF__ #---------#---------#---------#---------#---------#---------#--------- - + # # setup test CA # - + mkdir -p $ca_dir mkdir -p $tsa_dir mkdir -p $ocsp_dir mkdir -p $server_dir - + mkdir -p $ca_dir/certs mkdir -p $ca_dir/private mkdir -p $ca_dir/crl @@ -581,7 +581,7 @@ __EOF__ touch $ca_dir/index.txt touch $ca_dir/crlnumber echo "01" > $ca_dir/crlnumber - + # # setup test TSA # @@ -589,28 +589,28 @@ __EOF__ chmod 700 $tsa_dir/private echo "01" > $tsa_dir/serial touch $tsa_dir/index.txt - + # # setup test OCSP # mkdir -p $ocsp_dir/private chmod 700 $ocsp_dir/private - + #---------#---------#---------#---------#---------#---------#--------- - + # --- CA initiate (generate CA key and cert) --- - + start_message "req ... generate CA key and self signed cert" - + ca_cert=$ca_dir/ca_cert.pem ca_key=$ca_dir/private/ca_key.pem ca_pass=test-ca-pass - + if [ $mingw = 0 ] ; then subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testCA.test-dummy.com/' else subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testCA.test-dummy.com\' fi - + $openssl_bin req -new -x509 -batch -newkey rsa:2048 \ -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 \ -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \ @@ -619,33 +619,33 @@ __EOF__ -keyout $ca_key -passout pass:$ca_pass \ -out $ca_cert -outform pem check_exit_status $? - + #---------#---------#---------#---------#---------#---------#--------- - + # --- TSA initiate (generate TSA key and cert) --- - + start_message "req ... generate TSA key and cert" - + # generate CSR for TSA - + tsa_csr=$tsa_dir/tsa_csr.pem tsa_key=$tsa_dir/private/tsa_key.pem tsa_pass=test-tsa-pass - + if [ $mingw = 0 ] ; then subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testTSA.test-dummy.com/' else subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testTSA.test-dummy.com\' fi - + $openssl_bin req -new -keyout $tsa_key -out $tsa_csr \ -passout pass:$tsa_pass -subj $subj -asn1-kludge check_exit_status $? - + start_message "ca ... sign by CA with TSA extensions" - + tsa_cert=$tsa_dir/tsa_cert.pem - + $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -keyform pem \ -key $ca_pass -config $ssldir/openssl.cnf -create_serial \ -policy policy_match -days 1 -md sha256 -extensions tsa_ext \ @@ -654,55 +654,55 @@ __EOF__ -in $tsa_csr -outdir $tsa_dir -out $tsa_cert -verbose -notext \ > $tsa_cert.log 2>&1 check_exit_status $? - + #---------#---------#---------#---------#---------#---------#--------- - + # --- OCSP initiate (generate OCSP key and cert) --- - + start_message "req ... generate OCSP key and cert" - + # generate CSR for OCSP - + ocsp_csr=$ocsp_dir/ocsp_csr.pem ocsp_key=$ocsp_dir/private/ocsp_key.pem - + if [ $mingw = 0 ] ; then subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testOCSP.test-dummy.com/' else subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testOCSP.test-dummy.com\' fi - + $openssl_bin req -new -keyout $ocsp_key -nodes -out $ocsp_csr \ -subj $subj -no-asn1-kludge check_exit_status $? - + start_message "ca ... sign by CA with OCSP extensions" - + ocsp_cert=$ocsp_dir/ocsp_cert.pem - + $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -keyform pem \ -key $ca_pass -out $ocsp_cert -extensions ocsp_ext \ -startdate `date -u '+%y%m%d%H%M%SZ'` -enddate 491223235959Z \ -subj $subj -infiles $ocsp_csr > $ocsp_cert.log 2>&1 check_exit_status $? - + #---------#---------#---------#---------#---------#---------#--------- - + # --- server-admin operations (generate server key and csr) --- section_message "server-admin operations (generate server key and csr)" - + # RSA certificate sv_rsa_key=$server_dir/sv_rsa_key.pem sv_rsa_csr=$server_dir/sv_rsa_csr.pem sv_rsa_pass=test-server-pass - + if [ $mingw = 0 ] ; then subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=localhost.test-dummy.com/' else subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=localhost.test-dummy.com\' fi - + start_message "genrsa ... generate server key#1" $openssl_bin genrsa -aes256 -passout pass:$sv_rsa_pass -out $sv_rsa_key @@ -715,7 +715,7 @@ __EOF__ -addext 'subjectAltName = DNS:localhost.test-dummy.com' \ -out $sv_rsa_csr -outform pem check_exit_status $? - + start_message "req ... verify server csr#1" $openssl_bin req -verify -in $sv_rsa_csr -inform pem \ @@ -725,7 +725,7 @@ __EOF__ check_exit_status $? start_message "req ... generate server csr#2 (interactive mode)" - + # RSA certificate (for revoke test) revoke_key=$server_dir/revoke_key.pem @@ -752,7 +752,7 @@ __EOF__ else subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=ecdsa.test-dummy.com\' fi - + start_message "ecparam ... generate server key#3" $openssl_bin ecparam -name prime256v1 -genkey -out $sv_ecdsa_key @@ -765,7 +765,7 @@ __EOF__ -addext 'subjectAltName = DNS:ecdsa.test-dummy.com' \ -out $sv_ecdsa_csr -outform pem check_exit_status $? - + start_message "req ... verify server csr#3" $openssl_bin req -verify -in $sv_ecdsa_csr -inform pem \ @@ -785,7 +785,7 @@ __EOF__ else subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=gost.test-dummy.com\' fi - + start_message "genpkey ... generate server key#4" $openssl_bin genpkey -algorithm GOST2001 -pkeyopt paramset:A \ @@ -799,7 +799,7 @@ __EOF__ -addext 'subjectAltName = DNS:gost.test-dummy.com' \ -out $sv_gost_csr -outform pem check_exit_status $? - + start_message "req ... verify server csr#4" $openssl_bin req -verify -in $sv_gost_csr -inform pem \ @@ -809,19 +809,19 @@ __EOF__ check_exit_status $? #---------#---------#---------#---------#---------#---------#--------- - + # --- CA operations (issue cert for server) --- section_message "CA operations (issue cert for server)" - + start_message "ca ... issue cert for server csr#1" - + sv_rsa_cert=$server_dir/sv_rsa_cert.pem $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ -in $sv_rsa_csr -out $sv_rsa_cert > $sv_rsa_cert.log 2>&1 check_exit_status $? - + start_message "x509 ... issue cert for server csr#2" - + revoke_cert=$server_dir/revoke_cert.pem $openssl_bin x509 -req -in $revoke_csr -CA $ca_cert -CAform pem \ -CAkey $ca_key -CAkeyform pem \ @@ -829,26 +829,26 @@ __EOF__ -passin pass:$ca_pass -CAcreateserial -out $revoke_cert \ > $revoke_cert.log 2>&1 check_exit_status $? - + start_message "ca ... issue cert for server csr#3" - + sv_ecdsa_cert=$server_dir/sv_ecdsa_cert.pem $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ -in $sv_ecdsa_csr -out $sv_ecdsa_cert > $sv_ecdsa_cert.log 2>&1 check_exit_status $? - + start_message "ca ... issue cert for server csr#4" - + sv_gost_cert=$server_dir/sv_gost_cert.pem $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ -in $sv_gost_csr -out $sv_gost_cert > $sv_gost_cert.log 2>&1 check_exit_status $? - + #---------#---------#---------#---------#---------#---------#--------- - + # --- CA operations (revoke cert and generate crl) --- section_message "CA operations (revoke cert and generate crl)" - + start_message "ca ... revoke server cert#2" crl_file=$ca_dir/crl.pem $openssl_bin ca -gencrl -out $crl_file -revoke $revoke_cert \ @@ -860,34 +860,34 @@ __EOF__ -keyfile $ca_key -passin pass:$ca_pass -cert $ca_cert \ > $crl_file.log 2>&1 check_exit_status $? - + start_message "ca ... show certificate status by serial number" $openssl_bin ca -config $ssldir/openssl.cnf -status 1 start_message "crl ... CA generates CRL" $openssl_bin crl -in $crl_file -fingerprint >> $crl_file.log 2>&1 check_exit_status $? - + crl_p7=$ca_dir/crl.p7 start_message "crl2pkcs7 ... convert CRL to pkcs7" $openssl_bin crl2pkcs7 -in $crl_file -certfile $ca_cert -out $crl_p7 check_exit_status $? - + #---------#---------#---------#---------#---------#---------#--------- - + # --- server-admin operations (check csr, verify cert, certhash) --- section_message "server-admin operations (check csr, verify cert, certhash)" - + start_message "asn1parse ... parse server csr#1" $openssl_bin asn1parse -in $sv_rsa_csr -i -dlimit 100 -length 1000 \ -strparse 01 > $sv_rsa_csr.asn1parse.out check_exit_status $? - + start_message "verify ... server cert#1" $openssl_bin verify -verbose -CAfile $ca_cert -CRLfile $crl_file \ -crl_check -issuer_checks -purpose sslserver $sv_rsa_cert check_exit_status $? - + start_message "x509 ... get detail info about server cert#1" $openssl_bin x509 -in $sv_rsa_cert -text -C -dates -startdate -enddate \ -fingerprint -issuer -issuer_hash -issuer_hash_old \ @@ -896,14 +896,14 @@ __EOF__ -alias -clrtrust -clrreject -next_serial -checkend 3600 \ -nameopt multiline -certopt compatible > $sv_rsa_cert.x509.out check_exit_status $? - + if [ $mingw = 0 ] ; then start_message "certhash" $openssl_bin certhash -v $server_dir \ > $server_dir/certhash.log 2>&1 check_exit_status $? fi - + # self signed start_message "x509 ... generate self signed server cert" server_self_cert=$server_dir/server_self_cert.pem @@ -911,23 +911,23 @@ __EOF__ -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:8 \ -passin pass:$sv_rsa_pass -out $server_self_cert -days 1 check_exit_status $? - + #---------#---------#---------#---------#---------#---------#--------- - + # --- Netscape SPKAC operations --- section_message "Netscape SPKAC operations" - + # server-admin generates SPKAC - + start_message "spkac" spkacfile=$server_dir/spkac.file - + $openssl_bin spkac -key $genpkey_rsa -challenge hello -out $spkacfile check_exit_status $? - + $openssl_bin spkac -in $spkacfile -verify -out $spkacfile.out check_exit_status $? - + spkacreq=$server_dir/spkac.req cat << __EOF__ > $spkacreq countryName = JP @@ -936,30 +936,30 @@ organizationName = TEST_DUMMY_COMPANY commonName = spkac.test-dummy.com __EOF__ cat $spkacfile >> $spkacreq - + # CA signs SPKAC start_message "ca ... CA signs SPKAC csr" spkaccert=$server_dir/spkac.cert $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ -spkac $spkacreq -out $spkaccert > $spkaccert.log 2>&1 check_exit_status $? - + start_message "x509 ... convert DER format SPKAC cert to PEM" spkacpem=$server_dir/spkac.pem $openssl_bin x509 -in $spkaccert -inform DER -out $spkacpem -outform PEM check_exit_status $? - + # server-admin cert verify - + start_message "nseq" $openssl_bin nseq -in $spkacpem -toseq -out $spkacpem.nseq check_exit_status $? - + #---------#---------#---------#---------#---------#---------#--------- - + # --- user1 operations (generate user1 key and csr) --- section_message "user1 operations (generate user1 key and csr)" - + # trust start_message "x509 ... trust testCA cert" user1_trust=$user1_dir/user1_trust_ca.pem @@ -967,35 +967,35 @@ __EOF__ -setalias "trusted testCA" -purpose -out $user1_trust \ > $user1_trust.log 2>&1 check_exit_status $? - + start_message "req ... generate private key and csr for user1" - + cl_rsa_key=$user1_dir/cl_rsa_key.pem cl_rsa_csr=$user1_dir/cl_rsa_csr.pem cl_rsa_pass=test-user1-pass - + if [ $mingw = 0 ] ; then subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user1.test-dummy.com/' else subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user1.test-dummy.com\' fi - + $openssl_bin req -new -keyout $cl_rsa_key -out $cl_rsa_csr \ -passout pass:$cl_rsa_pass -subj $subj > $cl_rsa_csr.log 2>&1 check_exit_status $? - + start_message "req ... generate private key and csr for user2" - + cl_ecdsa_key=$user1_dir/cl_ecdsa_key.pem cl_ecdsa_csr=$user1_dir/cl_ecdsa_csr.pem cl_ecdsa_pass=test-user1-pass - + if [ $mingw = 0 ] ; then subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user2.test-dummy.com/' else subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user2.test-dummy.com\' fi - + $openssl_bin ecparam -name prime256v1 -genkey -out $cl_ecdsa_key check_exit_status $? @@ -1003,19 +1003,19 @@ __EOF__ -key $cl_ecdsa_key -keyform pem -passin pass:$cl_ecdsa_pass \ -out $cl_ecdsa_csr -outform pem check_exit_status $? - + start_message "req ... generate private key and csr for user3" - + cl_gost_key=$user1_dir/cl_gost_key.pem cl_gost_csr=$user1_dir/cl_gost_csr.pem cl_gost_pass=test-user1-pass - + if [ $mingw = 0 ] ; then subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user3.test-dummy.com/' else subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user3.test-dummy.com\' fi - + $openssl_bin genpkey -algorithm GOST2001 -pkeyopt paramset:A \ -pkeyopt dgst:streebog512 -out $cl_gost_key check_exit_status $? @@ -1024,28 +1024,28 @@ __EOF__ -key $cl_gost_key -keyform pem -passin pass:$cl_gost_pass \ -out $cl_gost_csr -outform pem check_exit_status $? - + #---------#---------#---------#---------#---------#---------#--------- - + # --- CA operations (issue cert for user1) --- section_message "CA operations (issue cert for user1)" - + start_message "ca ... issue cert for user1" - + cl_rsa_cert=$user1_dir/cl_rsa_cert.pem $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ -in $cl_rsa_csr -out $cl_rsa_cert > $cl_rsa_cert.log 2>&1 check_exit_status $? start_message "ca ... issue cert for user2" - + cl_ecdsa_cert=$user1_dir/cl_ecdsa_cert.pem $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ -in $cl_ecdsa_csr -out $cl_ecdsa_cert > $cl_ecdsa_cert.log 2>&1 check_exit_status $? - + start_message "ca ... issue cert for user3" - + cl_gost_cert=$user1_dir/cl_gost_cert.pem $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ -in $cl_gost_csr -out $cl_gost_cert > $cl_gost_cert.log 2>&1 @@ -1055,7 +1055,7 @@ __EOF__ function test_tsa { # --- TSA operations --- section_message "TSA operations" - + tsa_dat=$user1_dir/tsa.dat cat << __EOF__ > $tsa_dat Hello Bob, @@ -1065,31 +1065,31 @@ __EOF__ # Query start_message "ts ... create time stamp request" - + tsa_tsq=$user1_dir/tsa.tsq - + $openssl_bin ts -query -sha1 -data $tsa_dat -no_nonce -out $tsa_tsq check_exit_status $? - + start_message "ts ... print time stamp request" - + $openssl_bin ts -query -in $tsa_tsq -text -out $tsa_tsq.log check_exit_status $? - + # Reply start_message "ts ... create time stamp response for a request" - + tsa_tsr=$user1_dir/tsa.tsr - + $openssl_bin ts -reply -queryfile $tsa_tsq -inkey $tsa_key \ -passin pass:$tsa_pass -signer $tsa_cert -chain $ca_cert \ -config $ssldir/openssl.cnf -section tsa_config1 -cert \ -policy 1.3.6.1.4.1.4146.2.3 -out $tsa_tsr check_exit_status $? - + # Verify start_message "ts ... verify time stamp response" - + $openssl_bin ts -verify -queryfile $tsa_tsq -in $tsa_tsr \ -CAfile $ca_cert -untrusted $tsa_cert check_exit_status $? @@ -1098,7 +1098,7 @@ __EOF__ function test_cms { # --- CMS operations --- section_message "CMS operations" - + cms_txt=$user1_dir/cms.txt cms_sig=$user1_dir/cms.sig cms_enc=$user1_dir/cms.enc @@ -1115,16 +1115,16 @@ function test_cms { cms_srp=$user1_dir/cms.srp cms_pwe=$user1_dir/cms.pwe cms_pwd=$user1_dir/cms.pwd - + cat << __EOF__ > $cms_txt Hello Bob, Sincerely yours Alice __EOF__ - + # sign start_message "cms ... sign to message" - + $openssl_bin cms -sign -in $cms_txt -text \ -out $cms_sig -outform smime \ -signer $cl_rsa_cert -inkey $cl_rsa_key -keyform pem \ @@ -1135,7 +1135,7 @@ __EOF__ -receipt_request_from server@test-dummy.com \ -receipt_request_to user1@test-dummy.com check_exit_status $? - + # encrypt start_message "cms ... encrypt message" @@ -1153,7 +1153,7 @@ __EOF__ # verify start_message "cms ... verify message" - + $openssl_bin cms -verify -in $cms_dec \ -CAfile $ca_cert -certfile $cl_rsa_cert -nointern \ -check_ss_sig -issuer_checks -policy_check -x509_strict \ @@ -1166,31 +1166,31 @@ __EOF__ # cmsout start_message "cms ... cmsout" - + $openssl_bin cms -cmsout -in $cms_enc -print -out $cms_out check_exit_status $? # data_create start_message "cms ... data_create" - + $openssl_bin cms -data_create -in $cms_enc -out $cms_dct check_exit_status $? # data_out start_message "cms ... data_out" - + $openssl_bin cms -data_out -in $cms_dct -out $cms_dot check_exit_status $? # digest_create start_message "cms ... digest_create" - + $openssl_bin cms -digest_create -in $cms_txt -md sha256 -out $cms_dgc check_exit_status $? # digest_verify start_message "cms ... digest_verify" - + $openssl_bin cms -digest_verify -in $cms_dgc -md sha256 -out $cms_dgv check_exit_status $? @@ -1203,14 +1203,14 @@ __EOF__ # EncryptedData_encrypt start_message "cms ... EncryptedData_encrypt" - + $openssl_bin cms -EncryptedData_encrypt -in $cms_sig -out $cms_ede \ -aes128 -secretkey 00112233445566778899aabbccddeeff check_exit_status $? # EncryptedData_decrypt start_message "cms ... EncryptedData_decrypt" - + $openssl_bin cms -EncryptedData_decrypt -in $cms_ede -out $cms_edd \ -aes128 -secretkey 00112233445566778899aabbccddeeff check_exit_status $? @@ -1220,7 +1220,7 @@ __EOF__ # sign_receipt start_message "cms ... sign to receipt" - + $openssl_bin cms -sign_receipt -in $cms_sig -out $cms_srp \ -signer $sv_rsa_cert -inkey $sv_rsa_key \ -passin pass:$sv_rsa_pass -md sha256 @@ -1228,11 +1228,11 @@ __EOF__ # verify_receipt start_message "cms ... verify receipt" - + $openssl_bin cms -verify_receipt $cms_srp -rctform smime -in $cms_sig \ -CAfile $ca_cert -certfile $sv_rsa_cert check_exit_status $? - + # encrypt with pwri start_message "cms ... encrypt with pwri" @@ -1254,7 +1254,7 @@ __EOF__ function test_smime { # --- S/MIME operations --- section_message "S/MIME operations" - + smime_txt=$user1_dir/smime.txt smime_enc=$user1_dir/smime.enc smime_sig=$user1_dir/smime.sig @@ -1262,13 +1262,13 @@ function test_smime { smime_sgr=$user1_dir/smime.sgr smime_ver=$user1_dir/smime.ver smime_dec=$user1_dir/smime.dec - + cat << __EOF__ > $smime_txt Hello Bob, Sincerely yours Alice __EOF__ - + # encrypt start_message "smime ... encrypt message" @@ -1278,7 +1278,7 @@ __EOF__ # sign start_message "smime ... sign to message" - + $openssl_bin smime -sign -in $smime_enc -text -inform smime \ -out $smime_sig -outform smime \ -signer $cl_rsa_cert -inkey $cl_rsa_key -keyform pem \ @@ -1286,7 +1286,7 @@ __EOF__ -from user1@test-dummy.com -to server@test-dummy.com \ -subject "test openssl smime" check_exit_status $? - + # pk7out start_message "smime ... pk7out from message" @@ -1295,7 +1295,7 @@ __EOF__ # verify start_message "smime ... verify message" - + $openssl_bin smime -verify -in $smime_sig \ -CAfile $ca_cert -certfile $cl_rsa_cert -nointern \ -check_ss_sig -issuer_checks -policy_check -x509_strict \ @@ -1316,7 +1316,7 @@ __EOF__ function test_ocsp { # --- OCSP operations --- section_message "OCSP operations" - + # get key without pass cl_rsa_key_nopass=$user1_dir/cl_rsa_key_nopass.pem $openssl_bin pkey -in $cl_rsa_key -passin pass:$cl_rsa_pass \ @@ -1325,7 +1325,7 @@ function test_ocsp { # request start_message "ocsp ... create OCSP request" - + ocsp_req=$user1_dir/ocsp_req.der $openssl_bin ocsp -issuer $ca_cert -cert $sv_rsa_cert \ -cert $revoke_cert -serial 1 -nonce -no_certs -CAfile $ca_cert \ @@ -1333,10 +1333,10 @@ function test_ocsp { -sign_other $cl_rsa_cert -sha256 \ -reqout $ocsp_req -req_text -out $ocsp_req.out check_exit_status $? - + # response start_message "ocsp ... create OCPS response for a request" - + ocsp_res=$user1_dir/ocsp_res.der $openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert \ -CAfile $ca_cert -rsigner $ocsp_cert -rkey $ocsp_key \ @@ -1344,12 +1344,12 @@ function test_ocsp { -nmin 60 -validity_period 300 -status_age 300 \ -respout $ocsp_res -resp_text -out $ocsp_res.out check_exit_status $? - + # ocsp server start_message "ocsp ... start OCSP server in background" - + ocsp_port=8888 - + ocsp_svr_log=$user1_dir/ocsp_svr.log $openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert \ -CAfile $ca_cert -rsigner $ocsp_cert -rkey $ocsp_key \ @@ -1359,10 +1359,10 @@ function test_ocsp { ocsp_svr_pid=$! echo "ocsp server pid = [ $ocsp_svr_pid ]" sleep 1 - + # send query to ocsp server start_message "ocsp ... send OCSP request to server" - + ocsp_qry=$user1_dir/ocsp_qry.der $openssl_bin ocsp -issuer $ca_cert -cert $sv_rsa_cert \ -cert $revoke_cert -CAfile $ca_cert -no_nonce \ @@ -1384,24 +1384,24 @@ function test_ocsp { function test_pkcs { # --- PKCS operations --- section_message "PKCS operations" - + pkcs_pass=test-pkcs-pass - + start_message "pkcs7 ... output certs in crl(pkcs7)" $openssl_bin pkcs7 -in $crl_p7 -print_certs -text -out $crl_p7.out check_exit_status $? - + start_message "pkcs8 ... convert key to pkcs8" $openssl_bin pkcs8 -in $cl_rsa_key -topk8 -out $cl_rsa_key.p8 \ -passin pass:$cl_rsa_pass -passout pass:$cl_rsa_pass \ -v1 pbeWithSHA1AndDES-CBC -v2 des3 check_exit_status $? - + start_message "pkcs8 ... convert pkcs8 to key in DER format" $openssl_bin pkcs8 -in $cl_rsa_key.p8 -passin pass:$cl_rsa_pass \ -outform DER -out $cl_rsa_key.p8.der check_exit_status $? - + start_message "pkcs12 ... create" $openssl_bin pkcs12 -export -in $sv_rsa_cert -inkey $sv_rsa_key \ -passin pass:$sv_rsa_pass -certfile $ca_cert -CAfile $ca_cert \ @@ -1411,12 +1411,12 @@ function test_pkcs { -CSP "csp_server_p12" -LMK -keyex \ -passout pass:$pkcs_pass -out $sv_rsa_cert.p12 check_exit_status $? - + start_message "pkcs12 ... verify" $openssl_bin pkcs12 -in $sv_rsa_cert.p12 -passin pass:$pkcs_pass -info \ -noout > $sv_rsa_cert.p12.log 2>&1 check_exit_status $? - + start_message "pkcs12 ... private key to PEM without encryption" $openssl_bin pkcs12 -in $sv_rsa_cert.p12 -password pass:$pkcs_pass \ -nocerts -nomacver -nodes -out $sv_rsa_cert.p12.pem @@ -1440,14 +1440,14 @@ function test_sc_by_protocol_version { fi s_client_out=$user1_dir/s_client_${sc}_${ver}.out - + start_message "s_client ... connect to TLS/SSL test server by $ver" sleep $test_pause_sec $c_bin s_client -connect $host:$port -CAfile $ca_cert \ -$ver $groups_and_cipher \ -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 check_exit_status $? - + # check downgrade bits in SH if [ $ver = "tls1" -o $ver = "tls1_1" ] ; then perl -0ne \ @@ -1480,13 +1480,13 @@ function test_sc_by_protocol_version { check_exit_status $? fi - # OpenSSL1.1.1 with TLSv1.3 does not call SSL_SESSION_print() until + # OpenSSL1.1.1 with TLSv1.3 does not call SSL_SESSION_print() until # NewSessionTicket arrival if ! [ $cid = "1" -a $ver = "tls1_3" ] ; then grep "$msg" $s_client_out > /dev/null check_exit_status $? fi - + grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null check_exit_status $? } @@ -1548,17 +1548,17 @@ function test_sc_all_cipher { cnum=`expr $cnum + 1` cnstr=`printf %03d $cnum` s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_${cnstr}_${c}.out - + start_message "s_client ... connect to TLS/SSL test server with [ $cnstr ] $ver $c" sleep $test_pause_sec $c_bin s_client -connect $host:$port -CAfile $ca_cert \ -$ver -$copt $c \ -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 check_exit_status $? - + grep "Cipher is $c" $s_client_out > /dev/null check_exit_status $? - + grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null check_exit_status $? done @@ -1575,36 +1575,36 @@ function test_sc_session_reuse { sess_dat=$user1_dir/s_client_${sc}_${ver}_sess.dat # Get session ticket to reuse - + s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_reuse_1.out - + start_message "s_client ... connect to TLS/SSL test server to get session id $ver" sleep $test_pause_sec $c_bin s_client -connect $host:$port -CAfile $ca_cert \ -$ver -alpn "spdy/3,http/1.1" -sess_out $sess_dat \ -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 check_exit_status $? - + grep '^New, TLS.*$' $s_client_out > /dev/null check_exit_status $? - + grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null check_exit_status $? - + # Reuse session ticket - + s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_reuse_2.out - + start_message "s_client ... connect to TLS/SSL test server reusing session id $ver" sleep $test_pause_sec $c_bin s_client -connect $host:$port -CAfile $ca_cert \ -$ver -sess_in $sess_dat \ -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 check_exit_status $? - + grep '^Reused, TLS.*$' $s_client_out > /dev/null check_exit_status $? - + grep 'Verify return code: 0 (ok)' $s_client_out > /dev/null check_exit_status $? @@ -1624,9 +1624,9 @@ function test_sc_verify { fi # invalid verification pattern - + s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_invalid.out - + start_message "s_client ... connect to tls/ssl test server but verify error $ver" sleep $test_pause_sec $c_bin s_client -connect $host:$port -CAfile $ca_cert \ @@ -1634,7 +1634,7 @@ function test_sc_verify { -status -servername xyz \ -msg -tlsextdebug < /dev/null > $s_client_out 2>&1 check_exit_status $? - + grep 'verify return code: 0 (ok)' $s_client_out > /dev/null if [ $? -eq 0 ] ; then check_exit_status 1 @@ -1643,9 +1643,9 @@ function test_sc_verify { fi # client certificate pattern - + s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_client_cert.out - + start_message "s_client ... connect to tls/ssl test server with client certificate $ver" if [ $ecdsa_tests = 1 ] ; then @@ -1727,7 +1727,7 @@ function test_server_client { else extra_opts="" fi - + start_message "s_server ... start TLS/SSL test server" $s_bin s_server -accept $port -CAfile $ca_cert \ -cert $crt -key $key -pass pass:$pwd \ @@ -1740,24 +1740,24 @@ function test_server_client { s_server_pid=$! echo "s_server pid = [ $s_server_pid ]" sleep 1 - + # test by protocol version test_sc_by_protocol_version $sc tls1 'Protocol : TLSv1$' $c_id test_sc_by_protocol_version $sc tls1_1 'Protocol : TLSv1\.1$' $c_id test_sc_by_protocol_version $sc tls1_2 'Protocol : TLSv1\.2$' $c_id test_sc_by_protocol_version $sc tls1_3 'Protocol : TLSv1\.3$' $c_id - + # all available ciphers with random order test_sc_all_cipher $sc tls1_2 test_sc_all_cipher $sc tls1_3 - + # session resumption test_sc_session_reuse $sc tls1_2 - + # invalid verification pattern test_sc_verify $sc tls1_2 test_sc_verify $sc tls1_3 - + # s_time if [ $gost_tests != 1 ] ; then start_message "s_time ... connect to TLS/SSL test server" @@ -1765,14 +1765,14 @@ function test_server_client { > $server_dir/s_time_${sc}.log check_exit_status $? fi - + stop_s_server } function test_speed { # === PERFORMANCE === section_message "PERFORMANCE" - + if [ $no_long_tests = 0 ] ; then start_message "speed" $openssl_bin speed sha512 rsa2048 -multi 2 -elapsed @@ -1785,7 +1785,7 @@ function test_speed { function test_version { # --- VERSION INFORMATION --- section_message "VERSION INFORMATION" - + start_message "version" $openssl_bin version -a check_exit_status $?