1#! /usr/bin/env perl 2# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. 3# 4# Licensed under the Apache License 2.0 (the "License"). You may not use 5# this file except in compliance with the License. You can obtain a copy 6# in the file LICENSE in the source distribution or at 7# https://www.openssl.org/source/license.html 8 9 10use strict; 11use warnings; 12 13use POSIX; 14use File::Path 2.00 qw/rmtree/; 15use OpenSSL::Test qw/:DEFAULT cmdstr data_file srctop_file/; 16use OpenSSL::Test::Utils; 17use Time::Local qw/timegm/; 18 19setup("test_ca"); 20 21$ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1); 22 23my $cnf = srctop_file("test","ca-and-certs.cnf"); 24my $std_openssl_cnf = '"' 25 . srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf") 26 . '"'; 27 28sub src_file { 29 return srctop_file("test", "certs", shift); 30} 31 32rmtree("demoCA", { safe => 0 }); 33 34plan tests => 20; 35 36require_ok(srctop_file("test", "recipes", "tconversion.pl")); 37 38 SKIP: { 39 my $cakey = src_file("ca-key.pem"); 40 $ENV{OPENSSL_CONFIG} = qq(-config "$cnf"); 41 skip "failed creating CA structure", 4 42 if !ok(run(perlapp(["CA.pl","-newca", 43 "-extra-req", "-key $cakey"], stdin => undef)), 44 'creating CA structure'); 45 46 my $eekey = src_file("ee-key.pem"); 47 $ENV{OPENSSL_CONFIG} = qq(-config "$cnf"); 48 skip "failed creating new certificate request", 3 49 if !ok(run(perlapp(["CA.pl","-newreq", 50 '-extra-req', "-outform DER -section userreq -key $eekey"])), 51 'creating certificate request'); 52 $ENV{OPENSSL_CONFIG} = qq(-rand_serial -inform DER -config "$std_openssl_cnf"); 53 skip "failed to sign certificate request", 2 54 if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0, 55 'signing certificate request'); 56 57 ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])), 58 'verifying new certificate'); 59 60 skip "CT not configured, can't use -precert", 1 61 if disabled("ct"); 62 63 my $eekey2 = src_file("ee-key-3072.pem"); 64 $ENV{OPENSSL_CONFIG} = qq(-config "$cnf"); 65 ok(run(perlapp(["CA.pl", "-precert", '-extra-req', "-section userreq -key $eekey2"], stderr => undef)), 66 'creating new pre-certificate'); 67} 68 69SKIP: { 70 skip "SM2 is not supported by this OpenSSL build", 1 71 if disabled("sm2"); 72 73 is(yes(cmdstr(app(["openssl", "ca", "-config", 74 $cnf, 75 "-in", src_file("sm2-csr.pem"), 76 "-out", "sm2-test.crt", 77 "-sigopt", "distid:1234567812345678", 78 "-vfyopt", "distid:1234567812345678", 79 "-md", "sm3", 80 "-cert", src_file("sm2-root.crt"), 81 "-keyfile", src_file("sm2-root.key")]))), 82 0, 83 "Signing SM2 certificate request"); 84} 85 86my $v3_cert = "v3-test.crt"; 87ok(run(app(["openssl", "ca", "-batch", "-config", $cnf, "-extensions", "empty", 88 "-in", src_file("x509-check.csr"), "-out", $v3_cert]))); 89# although no explicit extensions given: 90has_version($v3_cert, 3); 91has_SKID($v3_cert, 1); 92has_AKID($v3_cert, 1); 93 94test_revoke('notimes', { 95 should_succeed => 1, 96}); 97test_revoke('lastupdate_invalid', { 98 lastupdate => '1234567890', 99 should_succeed => 0, 100}); 101test_revoke('lastupdate_utctime', { 102 lastupdate => '200901123456Z', 103 should_succeed => 1, 104}); 105test_revoke('lastupdate_generalizedtime', { 106 lastupdate => '20990901123456Z', 107 should_succeed => 1, 108}); 109test_revoke('nextupdate_invalid', { 110 nextupdate => '1234567890', 111 should_succeed => 0, 112}); 113test_revoke('nextupdate_utctime', { 114 nextupdate => '200901123456Z', 115 should_succeed => 1, 116}); 117test_revoke('nextupdate_generalizedtime', { 118 nextupdate => '20990901123456Z', 119 should_succeed => 1, 120}); 121test_revoke('both_utctime', { 122 lastupdate => '200901123456Z', 123 nextupdate => '200908123456Z', 124 should_succeed => 1, 125}); 126test_revoke('both_generalizedtime', { 127 lastupdate => '20990901123456Z', 128 nextupdate => '20990908123456Z', 129 should_succeed => 1, 130}); 131 132sub test_revoke { 133 my ($filename, $opts) = @_; 134 135 subtest "Revoke certificate and generate CRL: $filename" => sub { 136 # Before Perl 5.12.0, the range of times Perl could represent was 137 # limited by the size of time_t, so Time::Local was hamstrung by the 138 # Y2038 problem 139 # Perl 5.12.0 onwards use an internal time implementation with a 140 # guaranteed >32-bit time range on all architectures, so the tests 141 # involving post-2038 times won't fail provided we're running under 142 # that version or newer 143 plan skip_all => 144 'Perl >= 5.12.0 required to run certificate revocation tests' 145 if $] < 5.012000; 146 147 $ENV{CN2} = $filename; 148 ok( 149 run(app(['openssl', 150 'req', 151 '-config', $cnf, 152 '-new', 153 '-key', data_file('revoked.key'), 154 '-out', "$filename-req.pem", 155 '-section', 'userreq', 156 ])), 157 'Generate CSR' 158 ); 159 delete $ENV{CN2}; 160 161 ok( 162 run(app(['openssl', 163 'ca', 164 '-batch', 165 '-config', $cnf, 166 '-in', "$filename-req.pem", 167 '-out', "$filename-cert.pem", 168 ])), 169 'Sign CSR' 170 ); 171 172 ok( 173 run(app(['openssl', 174 'ca', 175 '-config', $cnf, 176 '-revoke', "$filename-cert.pem", 177 ])), 178 'Revoke certificate' 179 ); 180 181 my @gencrl_opts; 182 183 if (exists $opts->{lastupdate}) { 184 push @gencrl_opts, '-crl_lastupdate', $opts->{lastupdate}; 185 } 186 187 if (exists $opts->{nextupdate}) { 188 push @gencrl_opts, '-crl_nextupdate', $opts->{nextupdate}; 189 } 190 191 is( 192 run(app(['openssl', 193 'ca', 194 '-config', $cnf, 195 '-gencrl', 196 '-out', "$filename-crl.pem", 197 '-crlsec', '60', 198 @gencrl_opts, 199 ])), 200 $opts->{should_succeed}, 201 'Generate CRL' 202 ); 203 my $crl_gentime = time; 204 205 # The following tests only need to run if the CRL was supposed to be 206 # generated: 207 return unless $opts->{should_succeed}; 208 209 my $crl_lastupdate = crl_field("$filename-crl.pem", 'lastUpdate'); 210 if (exists $opts->{lastupdate}) { 211 is( 212 $crl_lastupdate, 213 rfc5280_time($opts->{lastupdate}), 214 'CRL lastUpdate field has expected value' 215 ); 216 } else { 217 diag("CRL lastUpdate: $crl_lastupdate"); 218 diag("openssl run time: $crl_gentime"); 219 ok( 220 # Is the CRL's lastUpdate time within a second of the time that 221 # `openssl ca -gencrl` was executed? 222 $crl_gentime - 1 <= $crl_lastupdate && $crl_lastupdate <= $crl_gentime + 1, 223 'CRL lastUpdate field has (roughly) expected value' 224 ); 225 } 226 227 my $crl_nextupdate = crl_field("$filename-crl.pem", 'nextUpdate'); 228 if (exists $opts->{nextupdate}) { 229 is( 230 $crl_nextupdate, 231 rfc5280_time($opts->{nextupdate}), 232 'CRL nextUpdate field has expected value' 233 ); 234 } else { 235 diag("CRL nextUpdate: $crl_nextupdate"); 236 diag("openssl run time: $crl_gentime"); 237 ok( 238 # Is the CRL's lastUpdate time within a second of the time that 239 # `openssl ca -gencrl` was executed, taking into account the use 240 # of '-crlsec 60'? 241 $crl_gentime + 59 <= $crl_nextupdate && $crl_nextupdate <= $crl_gentime + 61, 242 'CRL nextUpdate field has (roughly) expected value' 243 ); 244 } 245 }; 246} 247 248sub yes { 249 my $cntr = 10; 250 open(PIPE, "|-", join(" ",@_)); 251 local $SIG{PIPE} = "IGNORE"; 252 1 while $cntr-- > 0 && print PIPE "y\n"; 253 close PIPE; 254 return 0; 255} 256 257# Get the value of the lastUpdate or nextUpdate field from a CRL 258sub crl_field { 259 my ($crl_path, $field_name) = @_; 260 261 my @out = run( 262 app(['openssl', 263 'crl', 264 '-in', $crl_path, 265 '-noout', 266 '-' . lc($field_name), 267 ]), 268 capture => 1, 269 statusvar => \my $exit, 270 ); 271 ok($exit, "CRL $field_name field retrieved"); 272 diag("CRL $field_name: $out[0]"); 273 274 $out[0] =~ s/^\Q$field_name\E=//; 275 $out[0] =~ s/\n?//; 276 my $time = human_time($out[0]); 277 278 return $time; 279} 280 281# Converts human-readable ASN1_TIME_print() output to Unix time 282sub human_time { 283 my ($human) = @_; 284 285 my ($mo, $d, $h, $m, $s, $y) = $human =~ /^([A-Za-z]{3})\s+(\d+) (\d{2}):(\d{2}):(\d{2}) (\d{4})/; 286 287 my %months = ( 288 Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4, Jun => 5, 289 Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11, 290 ); 291 292 return timegm($s, $m, $h, $d, $months{$mo}, $y); 293} 294 295# Converts an RFC 5280 timestamp to Unix time 296sub rfc5280_time { 297 my ($asn1) = @_; 298 299 my ($y, $mo, $d, $h, $m, $s) = $asn1 =~ /^(\d{2,4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$/; 300 301 return timegm($s, $m, $h, $d, $mo - 1, $y); 302} 303
