1#! /usr/bin/env perl 2# Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved. 3# 4# Licensed under the Apache License 2.0 (the "License"). You may not use 5# this file except in compliance with the License. You can obtain a copy 6# in the file LICENSE in the source distribution or at 7# https://www.openssl.org/source/license.html 8 9 10use strict; 11use warnings; 12 13use POSIX; 14use File::Path 2.00 qw/rmtree/; 15use OpenSSL::Test qw/:DEFAULT cmdstr data_file srctop_file/; 16use OpenSSL::Test::Utils; 17use Time::Local qw/timegm/; 18 19setup("test_ca"); 20 21$ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1); 22 23my $cnf = srctop_file("test","ca-and-certs.cnf"); 24my $std_openssl_cnf = srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf"); 25 26sub src_file { 27 return srctop_file("test", "certs", shift); 28} 29 30rmtree("demoCA", { safe => 0 }); 31 32plan tests => 20; 33 34require_ok(srctop_file("test", "recipes", "tconversion.pl")); 35 36 SKIP: { 37 my $cakey = src_file("ca-key.pem"); 38 $ENV{OPENSSL_CONFIG} = qq(-config "$cnf"); 39 skip "failed creating CA structure", 4 40 if !ok(run(perlapp(["CA.pl","-newca", 41 "-extra-req", qq{-key "$cakey"}], stdin => undef)), 42 'creating CA structure'); 43 44 my $eekey = src_file("ee-key.pem"); 45 $ENV{OPENSSL_CONFIG} = qq(-config "$cnf"); 46 skip "failed creating new certificate request", 3 47 if !ok(run(perlapp(["CA.pl","-newreq", 48 '-extra-req', qq{-outform DER -section userreq -key "$eekey"}])), 49 'creating certificate request'); 50 $ENV{OPENSSL_CONFIG} = qq(-rand_serial -inform DER -config "$std_openssl_cnf"); 51 skip "failed to sign certificate request", 2 52 if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0, 53 'signing certificate request'); 54 55 ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])), 56 'verifying new certificate'); 57 58 skip "CT not configured, can't use -precert", 1 59 if disabled("ct"); 60 61 my $eekey2 = src_file("ee-key-3072.pem"); 62 $ENV{OPENSSL_CONFIG} = qq(-config "$cnf"); 63 ok(run(perlapp(["CA.pl", "-precert", 64 '-extra-req', qq{-section userreq -key "$eekey2"}], stderr => undef)), 65 'creating new pre-certificate'); 66} 67 68SKIP: { 69 skip "SM2 is not supported by this OpenSSL build", 1 70 if disabled("sm2"); 71 72 is(yes(cmdstr(app(["openssl", "ca", "-config", 73 $cnf, 74 "-in", src_file("sm2-csr.pem"), 75 "-out", "sm2-test.crt", 76 "-sigopt", "distid:1234567812345678", 77 "-vfyopt", "distid:1234567812345678", 78 "-md", "sm3", 79 "-cert", src_file("sm2-root.crt"), 80 "-keyfile", src_file("sm2-root.key")]))), 81 0, 82 "Signing SM2 certificate request"); 83} 84 85my $v3_cert = "v3-test.crt"; 86ok(run(app(["openssl", "ca", "-batch", "-config", $cnf, "-extensions", "empty", 87 "-in", src_file("x509-check.csr"), "-out", $v3_cert]))); 88# although no explicit extensions given: 89has_version($v3_cert, 3); 90has_SKID($v3_cert, 1); 91has_AKID($v3_cert, 1); 92 93test_revoke('notimes', { 94 should_succeed => 1, 95}); 96test_revoke('lastupdate_invalid', { 97 lastupdate => '1234567890', 98 should_succeed => 0, 99}); 100test_revoke('lastupdate_utctime', { 101 lastupdate => '200901123456Z', 102 should_succeed => 1, 103}); 104test_revoke('lastupdate_generalizedtime', { 105 lastupdate => '20990901123456Z', 106 should_succeed => 1, 107}); 108test_revoke('nextupdate_invalid', { 109 nextupdate => '1234567890', 110 should_succeed => 0, 111}); 112test_revoke('nextupdate_utctime', { 113 nextupdate => '200901123456Z', 114 should_succeed => 1, 115}); 116test_revoke('nextupdate_generalizedtime', { 117 nextupdate => '20990901123456Z', 118 should_succeed => 1, 119}); 120test_revoke('both_utctime', { 121 lastupdate => '200901123456Z', 122 nextupdate => '200908123456Z', 123 should_succeed => 1, 124}); 125test_revoke('both_generalizedtime', { 126 lastupdate => '20990901123456Z', 127 nextupdate => '20990908123456Z', 128 should_succeed => 1, 129}); 130 131sub test_revoke { 132 my ($filename, $opts) = @_; 133 134 subtest "Revoke certificate and generate CRL: $filename" => sub { 135 # Before Perl 5.12.0, the range of times Perl could represent was 136 # limited by the size of time_t, so Time::Local was hamstrung by the 137 # Y2038 problem 138 # Perl 5.12.0 onwards use an internal time implementation with a 139 # guaranteed >32-bit time range on all architectures, so the tests 140 # involving post-2038 times won't fail provided we're running under 141 # that version or newer 142 plan skip_all => 143 'Perl >= 5.12.0 required to run certificate revocation tests' 144 if $] < 5.012000; 145 146 $ENV{CN2} = $filename; 147 ok( 148 run(app(['openssl', 149 'req', 150 '-config', $cnf, 151 '-new', 152 '-key', data_file('revoked.key'), 153 '-out', "$filename-req.pem", 154 '-section', 'userreq', 155 ])), 156 'Generate CSR' 157 ); 158 delete $ENV{CN2}; 159 160 ok( 161 run(app(['openssl', 162 'ca', 163 '-batch', 164 '-config', $cnf, 165 '-in', "$filename-req.pem", 166 '-out', "$filename-cert.pem", 167 ])), 168 'Sign CSR' 169 ); 170 171 ok( 172 run(app(['openssl', 173 'ca', 174 '-config', $cnf, 175 '-revoke', "$filename-cert.pem", 176 ])), 177 'Revoke certificate' 178 ); 179 180 my @gencrl_opts; 181 182 if (exists $opts->{lastupdate}) { 183 push @gencrl_opts, '-crl_lastupdate', $opts->{lastupdate}; 184 } 185 186 if (exists $opts->{nextupdate}) { 187 push @gencrl_opts, '-crl_nextupdate', $opts->{nextupdate}; 188 } 189 190 is( 191 run(app(['openssl', 192 'ca', 193 '-config', $cnf, 194 '-gencrl', 195 '-out', "$filename-crl.pem", 196 '-crlsec', '60', 197 @gencrl_opts, 198 ])), 199 $opts->{should_succeed}, 200 'Generate CRL' 201 ); 202 my $crl_gentime = time; 203 204 # The following tests only need to run if the CRL was supposed to be 205 # generated: 206 return unless $opts->{should_succeed}; 207 208 my $crl_lastupdate = crl_field("$filename-crl.pem", 'lastUpdate'); 209 if (exists $opts->{lastupdate}) { 210 is( 211 $crl_lastupdate, 212 rfc5280_time($opts->{lastupdate}), 213 'CRL lastUpdate field has expected value' 214 ); 215 } else { 216 diag("CRL lastUpdate: $crl_lastupdate"); 217 diag("openssl run time: $crl_gentime"); 218 ok( 219 # Is the CRL's lastUpdate time within a second of the time that 220 # `openssl ca -gencrl` was executed? 221 $crl_gentime - 1 <= $crl_lastupdate && $crl_lastupdate <= $crl_gentime + 1, 222 'CRL lastUpdate field has (roughly) expected value' 223 ); 224 } 225 226 my $crl_nextupdate = crl_field("$filename-crl.pem", 'nextUpdate'); 227 if (exists $opts->{nextupdate}) { 228 is( 229 $crl_nextupdate, 230 rfc5280_time($opts->{nextupdate}), 231 'CRL nextUpdate field has expected value' 232 ); 233 } else { 234 diag("CRL nextUpdate: $crl_nextupdate"); 235 diag("openssl run time: $crl_gentime"); 236 ok( 237 # Is the CRL's lastUpdate time within a second of the time that 238 # `openssl ca -gencrl` was executed, taking into account the use 239 # of '-crlsec 60'? 240 $crl_gentime + 59 <= $crl_nextupdate && $crl_nextupdate <= $crl_gentime + 61, 241 'CRL nextUpdate field has (roughly) expected value' 242 ); 243 } 244 }; 245} 246 247sub yes { 248 my $cntr = 10; 249 open(PIPE, "|-", join(" ",@_)); 250 local $SIG{PIPE} = "IGNORE"; 251 1 while $cntr-- > 0 && print PIPE "y\n"; 252 close PIPE; 253 return 0; 254} 255 256# Get the value of the lastUpdate or nextUpdate field from a CRL 257sub crl_field { 258 my ($crl_path, $field_name) = @_; 259 260 my @out = run( 261 app(['openssl', 262 'crl', 263 '-in', $crl_path, 264 '-noout', 265 '-' . lc($field_name), 266 ]), 267 capture => 1, 268 statusvar => \my $exit, 269 ); 270 ok($exit, "CRL $field_name field retrieved"); 271 diag("CRL $field_name: $out[0]"); 272 273 $out[0] =~ s/^\Q$field_name\E=//; 274 $out[0] =~ s/\n?//; 275 my $time = human_time($out[0]); 276 277 return $time; 278} 279 280# Converts human-readable ASN1_TIME_print() output to Unix time 281sub human_time { 282 my ($human) = @_; 283 284 my ($mo, $d, $h, $m, $s, $y) = $human =~ /^([A-Za-z]{3})\s+(\d+) (\d{2}):(\d{2}):(\d{2}) (\d{4})/; 285 286 my %months = ( 287 Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4, Jun => 5, 288 Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11, 289 ); 290 291 return timegm($s, $m, $h, $d, $months{$mo}, $y); 292} 293 294# Converts an RFC 5280 timestamp to Unix time 295sub rfc5280_time { 296 my ($asn1) = @_; 297 298 my ($y, $mo, $d, $h, $m, $s) = $asn1 =~ /^(\d{2,4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$/; 299 300 return timegm($s, $m, $h, $d, $mo - 1, $y); 301} 302