xref: /freebsd/crypto/openssl/test/recipes/80-test_ca.t (revision 1719886f6d08408b834d270c59ffcfd821c8f63a)
1#! /usr/bin/env perl
2# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
3#
4# Licensed under the Apache License 2.0 (the "License").  You may not use
5# this file except in compliance with the License.  You can obtain a copy
6# in the file LICENSE in the source distribution or at
7# https://www.openssl.org/source/license.html
8
9
10use strict;
11use warnings;
12
13use POSIX;
14use File::Path 2.00 qw/rmtree/;
15use OpenSSL::Test qw/:DEFAULT cmdstr data_file srctop_file/;
16use OpenSSL::Test::Utils;
17use Time::Local qw/timegm/;
18
19setup("test_ca");
20
21$ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
22
23my $cnf = srctop_file("test","ca-and-certs.cnf");
24my $std_openssl_cnf = '"'
25    . srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf")
26    . '"';
27
28rmtree("demoCA", { safe => 0 });
29
30plan tests => 15;
31 SKIP: {
32     my $cakey = srctop_file("test", "certs", "ca-key.pem");
33     $ENV{OPENSSL_CONFIG} = qq(-config "$cnf");
34     skip "failed creating CA structure", 4
35         if !ok(run(perlapp(["CA.pl","-newca",
36                             "-extra-req", "-key $cakey"], stdin => undef)),
37                'creating CA structure');
38
39     my $eekey = srctop_file("test", "certs", "ee-key.pem");
40     $ENV{OPENSSL_CONFIG} = qq(-config "$cnf");
41     skip "failed creating new certificate request", 3
42         if !ok(run(perlapp(["CA.pl","-newreq",
43                             '-extra-req', "-outform DER -section userreq -key $eekey"])),
44                'creating certificate request');
45     $ENV{OPENSSL_CONFIG} = qq(-rand_serial -inform DER -config "$std_openssl_cnf");
46     skip "failed to sign certificate request", 2
47         if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0,
48                'signing certificate request');
49
50     ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])),
51        'verifying new certificate');
52
53     skip "CT not configured, can't use -precert", 1
54         if disabled("ct");
55
56     my $eekey2 = srctop_file("test", "certs", "ee-key-3072.pem");
57     $ENV{OPENSSL_CONFIG} = qq(-config "$cnf");
58     ok(run(perlapp(["CA.pl", "-precert", '-extra-req', "-section userreq -key $eekey2"], stderr => undef)),
59        'creating new pre-certificate');
60}
61
62SKIP: {
63    skip "SM2 is not supported by this OpenSSL build", 1
64        if disabled("sm2");
65
66    is(yes(cmdstr(app(["openssl", "ca", "-config",
67                       $cnf,
68                       "-in", srctop_file("test", "certs", "sm2-csr.pem"),
69                       "-out", "sm2-test.crt",
70                       "-sigopt", "distid:1234567812345678",
71                       "-vfyopt", "distid:1234567812345678",
72                       "-md", "sm3",
73                       "-cert", srctop_file("test", "certs", "sm2-root.crt"),
74                       "-keyfile", srctop_file("test", "certs", "sm2-root.key")]))),
75       0,
76       "Signing SM2 certificate request");
77}
78
79test_revoke('notimes', {
80    should_succeed => 1,
81});
82test_revoke('lastupdate_invalid', {
83    lastupdate     => '1234567890',
84    should_succeed => 0,
85});
86test_revoke('lastupdate_utctime', {
87    lastupdate     => '200901123456Z',
88    should_succeed => 1,
89});
90test_revoke('lastupdate_generalizedtime', {
91    lastupdate     => '20990901123456Z',
92    should_succeed => 1,
93});
94test_revoke('nextupdate_invalid', {
95    nextupdate     => '1234567890',
96    should_succeed => 0,
97});
98test_revoke('nextupdate_utctime', {
99    nextupdate     => '200901123456Z',
100    should_succeed => 1,
101});
102test_revoke('nextupdate_generalizedtime', {
103    nextupdate     => '20990901123456Z',
104    should_succeed => 1,
105});
106test_revoke('both_utctime', {
107    lastupdate     => '200901123456Z',
108    nextupdate     => '200908123456Z',
109    should_succeed => 1,
110});
111test_revoke('both_generalizedtime', {
112    lastupdate     => '20990901123456Z',
113    nextupdate     => '20990908123456Z',
114    should_succeed => 1,
115});
116
117sub test_revoke {
118    my ($filename, $opts) = @_;
119
120    subtest "Revoke certificate and generate CRL: $filename" => sub {
121        # Before Perl 5.12.0, the range of times Perl could represent was
122        # limited by the size of time_t, so Time::Local was hamstrung by the
123        # Y2038 problem
124        # Perl 5.12.0 onwards use an internal time implementation with a
125        # guaranteed >32-bit time range on all architectures, so the tests
126        # involving post-2038 times won't fail provided we're running under
127        # that version or newer
128        plan skip_all =>
129            'Perl >= 5.12.0 required to run certificate revocation tests'
130            if $] < 5.012000;
131
132        $ENV{CN2} = $filename;
133        ok(
134            run(app(['openssl',
135                     'req',
136                     '-config',  $cnf,
137                     '-new',
138                     '-key',     data_file('revoked.key'),
139                     '-out',     "$filename-req.pem",
140                     '-section', 'userreq',
141            ])),
142            'Generate CSR'
143        );
144        delete $ENV{CN2};
145
146        ok(
147            run(app(['openssl',
148                     'ca',
149                     '-batch',
150                     '-config',  $cnf,
151                     '-in',      "$filename-req.pem",
152                     '-out',     "$filename-cert.pem",
153            ])),
154            'Sign CSR'
155        );
156
157        ok(
158            run(app(['openssl',
159                     'ca',
160                     '-config', $cnf,
161                     '-revoke', "$filename-cert.pem",
162            ])),
163            'Revoke certificate'
164        );
165
166        my @gencrl_opts;
167
168        if (exists $opts->{lastupdate}) {
169            push @gencrl_opts, '-crl_lastupdate', $opts->{lastupdate};
170        }
171
172        if (exists $opts->{nextupdate}) {
173            push @gencrl_opts, '-crl_nextupdate', $opts->{nextupdate};
174        }
175
176        is(
177            run(app(['openssl',
178                     'ca',
179                     '-config', $cnf,
180                     '-gencrl',
181                     '-out',    "$filename-crl.pem",
182                     '-crlsec', '60',
183                     @gencrl_opts,
184            ])),
185            $opts->{should_succeed},
186            'Generate CRL'
187        );
188        my $crl_gentime = time;
189
190        # The following tests only need to run if the CRL was supposed to be
191        # generated:
192        return unless $opts->{should_succeed};
193
194        my $crl_lastupdate = crl_field("$filename-crl.pem", 'lastUpdate');
195        if (exists $opts->{lastupdate}) {
196            is(
197                $crl_lastupdate,
198                rfc5280_time($opts->{lastupdate}),
199                'CRL lastUpdate field has expected value'
200            );
201        } else {
202            diag("CRL lastUpdate:   $crl_lastupdate");
203            diag("openssl run time: $crl_gentime");
204            ok(
205                # Is the CRL's lastUpdate time within a second of the time that
206                # `openssl ca -gencrl` was executed?
207                $crl_gentime - 1 <= $crl_lastupdate && $crl_lastupdate <= $crl_gentime + 1,
208                'CRL lastUpdate field has (roughly) expected value'
209            );
210        }
211
212        my $crl_nextupdate = crl_field("$filename-crl.pem", 'nextUpdate');
213        if (exists $opts->{nextupdate}) {
214            is(
215                $crl_nextupdate,
216                rfc5280_time($opts->{nextupdate}),
217                'CRL nextUpdate field has expected value'
218            );
219        } else {
220            diag("CRL nextUpdate:   $crl_nextupdate");
221            diag("openssl run time: $crl_gentime");
222            ok(
223                # Is the CRL's lastUpdate time within a second of the time that
224                # `openssl ca -gencrl` was executed, taking into account the use
225                # of '-crlsec 60'?
226                $crl_gentime + 59 <= $crl_nextupdate && $crl_nextupdate <= $crl_gentime + 61,
227                'CRL nextUpdate field has (roughly) expected value'
228            );
229        }
230    };
231}
232
233sub yes {
234    my $cntr = 10;
235    open(PIPE, "|-", join(" ",@_));
236    local $SIG{PIPE} = "IGNORE";
237    1 while $cntr-- > 0 && print PIPE "y\n";
238    close PIPE;
239    return 0;
240}
241
242# Get the value of the lastUpdate or nextUpdate field from a CRL
243sub crl_field {
244    my ($crl_path, $field_name) = @_;
245
246    my @out = run(
247        app(['openssl',
248             'crl',
249             '-in', $crl_path,
250             '-noout',
251             '-' . lc($field_name),
252        ]),
253        capture => 1,
254        statusvar => \my $exit,
255    );
256    ok($exit, "CRL $field_name field retrieved");
257    diag("CRL $field_name: $out[0]");
258
259    $out[0] =~ s/^\Q$field_name\E=//;
260    $out[0] =~ s/\n?//;
261    my $time = human_time($out[0]);
262
263    return $time;
264}
265
266# Converts human-readable ASN1_TIME_print() output to Unix time
267sub human_time {
268    my ($human) = @_;
269
270    my ($mo, $d, $h, $m, $s, $y) = $human =~ /^([A-Za-z]{3})\s+(\d+) (\d{2}):(\d{2}):(\d{2}) (\d{4})/;
271
272    my %months = (
273        Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4,  Jun => 5,
274        Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11,
275    );
276
277    return timegm($s, $m, $h, $d, $months{$mo}, $y);
278}
279
280# Converts an RFC 5280 timestamp to Unix time
281sub rfc5280_time {
282    my ($asn1) = @_;
283
284    my ($y, $mo, $d, $h, $m, $s) = $asn1 =~ /^(\d{2,4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$/;
285
286    return timegm($s, $m, $h, $d, $mo - 1, $y);
287}
288