authorinoguchi <inoguchi@openbsd.org>2016-11-06 11:56:43 +0000
committerinoguchi <inoguchi@openbsd.org>2016-11-06 11:56:43 +0000
commitf523e6e2e43167072736ac40db9997b9d5d99cb1 (patch)
tree7e288d05030194fb5b6886d1a8f9217412076e51
parentAvoid compiling in an unused function. (diff)
Add regress test script for openssl command.
ok beck@
-rw-r--r--regress/usr.bin/openssl/Makefile10
-rw-r--r--regress/usr.bin/openssl/README1
-rwxr-xr-xregress/usr.bin/openssl/appstest.sh957
3 files changed, 966 insertions, 2 deletions
diff --git a/regress/usr.bin/openssl/Makefile b/regress/usr.bin/openssl/Makefile
index b25182b49f8..d1c609980c2 100644
--- a/regress/usr.bin/openssl/Makefile
+++ b/regress/usr.bin/openssl/Makefile
@@ -1,10 +1,11 @@
-# $OpenBSD: Makefile,v 1.3 2015/09/16 01:39:05 lteo Exp $
+# $OpenBSD: Makefile,v 1.4 2016/11/06 11:56:43 inoguchi Exp $
SUBDIR= options
CLEANFILES+= testdsa.key testdsa.pem rsakey.pem rsacert.pem dsa512.pem
+CLEANFILES+= appstest_dir
-REGRESS_TARGETS=ssl-enc ssl-dsa ssl-rsa
+REGRESS_TARGETS=ssl-enc ssl-dsa ssl-rsa appstest
OPENSSL=/usr/bin/openssl
CLEAR1=p
@@ -56,5 +57,10 @@ ssl-dsa:
sh ${.CURDIR}/testdsa.sh ${.OBJDIR} ${.CURDIR}
ssl-rsa:
sh ${.CURDIR}/testrsa.sh ${.OBJDIR} ${.CURDIR}
+appstest:
+ sh ${.CURDIR}/appstest.sh ${.OBJDIR} ${.CURDIR}
+
+clean:
+ rm -rf ${CLEANFILES}
.include <bsd.regress.mk>
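Review bot: The new `clean:` target shadows the one bsd.regress.mk would otherwise supply and switches removal to `rm -rf`, presumably because the `appstest_dir` added to CLEANFILES in the first hunk is a directory that a plain `rm -f` would leave behind, but nothing in the file records that reasoning. Since `rm -rf` now applies to every CLEANFILES entry, a one-line comment above the target makes the override look deliberate rather than accidental: `# appstest_dir is a directory; override the rm -f clean from bsd.regress.mk`. Note also that the `appstest` recipe hands `${.OBJDIR} ${.CURDIR}` to appstest.sh, which ignores its arguments and creates `appstest_dir` relative to its working directory, so `clean` only finds it if the test is run from ${.OBJDIR}.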
diff --git a/regress/usr.bin/openssl/README b/regress/usr.bin/openssl/README
index 878feca400d..2682d873e7f 100644
--- a/regress/usr.bin/openssl/README
+++ b/regress/usr.bin/openssl/README
@@ -3,4 +3,5 @@ testdsa.sh tests DSA certificate generation
test_server.sh starts a tls1 server using the above generated certificate
test_client.sh starts a client to talk to the server.
testrsa.sh tests RSA certificate generation
+appstest.sh tests openssl command
diff --git a/regress/usr.bin/openssl/appstest.sh b/regress/usr.bin/openssl/appstest.sh
new file mode 100755
index 00000000000..69cb511052d
--- /dev/null
+++ b/regress/usr.bin/openssl/appstest.sh
@@ -0,0 +1,957 @@
+#!/bin/sh
+#
+# appstest.sh - test script for openssl command according to man OPENSSL(1)
+#
+# input : none
+# output : all files generated by this script go under $ssldir
+#
+
+openssl_bin=/usr/bin/openssl
+
+uname_s=`uname -s | grep 'MINGW'`
+if [ "$uname_s" = "" ] ; then
+ mingw=0
+else
+ mingw=1
+fi
+
+function section_message {
+ echo ""
+ echo "#---------#---------#---------#---------#---------#---------#---------#--------"
+ echo "==="
+ echo "=== (Section) $1 `date +'%Y/%m/%d %H:%M:%S'`"
+ echo "==="
+}
+
+function start_message {
+ echo ""
+ echo "[TEST] $1"
+}
+
+function check_exit_status {
+ status=$1
+ if [ $status -ne 0 ] ; then
+ echo ":-< error occurs, exit status = [ $status ]"
+ exit $status
+ else
+ echo ":-) success. "
+ fi
+}
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+#
+# create ssldir, and all files generated by this script goes under this dir.
+#
+ssldir="appstest_dir"
+
+if [ -d $ssldir ] ; then
+ echo "directory [ $ssldir ] exists, this script deletes this directory ..."
+ /bin/rm -rf $ssldir
+fi
+
+mkdir -p $ssldir
+
+export OPENSSL_CONF=$ssldir/openssl.cnf
+touch $OPENSSL_CONF
+
+user1_dir=$ssldir/user1
+mkdir -p $user1_dir
+
+key_dir=$ssldir/key
+mkdir -p $key_dir
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# === COMMAND USAGE ===
+section_message "COMMAND USAGE"
+
+start_message "output usages of all commands."
+
+cmds=`$openssl_bin list-standard-commands`
+$openssl_bin -help 2>> $user1_dir/usages.out
+for c in $cmds ; do
+ $openssl_bin $c -help 2>> $user1_dir/usages.out
+done
+
+start_message "check all list-* commands."
+
+lists=""
+lists="$lists list-standard-commands"
+lists="$lists list-message-digest-commands list-message-digest-algorithms"
+lists="$lists list-cipher-commands list-cipher-algorithms"
+lists="$lists list-public-key-algorithms"
+
+listsfile=$user1_dir/lists.out
+
+for l in $lists ; do
+ echo "" >> $listsfile
+ echo "$l" >> $listsfile
+ $openssl_bin $l >> $listsfile
+done
+
+start_message "check interactive mode"
+$openssl_bin <<__EOF__
+help
+quit
+__EOF__
+check_exit_status $?
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# --- listing operations ---
+section_message "listing operations"
+
+start_message "ciphers"
+$openssl_bin ciphers -V
+check_exit_status $?
+
+start_message "errstr"
+$openssl_bin errstr 2606A074
+check_exit_status $?
+$openssl_bin errstr -stats 2606A074 > $user1_dir/errstr-stats.out
+check_exit_status $?
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# --- random number etc. operations ---
+section_message "random number etc. operations"
+
+start_message "passwd"
+
+pass="test-pass-1234"
+
+echo $pass | $openssl_bin passwd -stdin -1
+check_exit_status $?
+
+echo $pass | $openssl_bin passwd -stdin -apr1
+check_exit_status $?
+
+echo $pass | $openssl_bin passwd -stdin -crypt
+check_exit_status $?
+
+start_message "prime"
+
+$openssl_bin prime 1
+check_exit_status $?
+
+$openssl_bin prime 2
+check_exit_status $?
+
+$openssl_bin prime -bits 64 -checks 3 -generate -hex -safe 5
+check_exit_status $?
+
+start_message "rand"
+
+$openssl_bin rand -base64 100
+check_exit_status $?
+
+$openssl_bin rand -hex 100
+check_exit_status $?
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# === MESSAGE DIGEST COMMANDS ===
+section_message "MESSAGE DIGEST COMMANDS"
+
+start_message "dgst - See [MESSAGE DIGEST COMMANDS] section."
+
+text="1234567890abcdefghijklmnopqrstuvwxyz"
+dgstdat=$user1_dir/dgst.dat
+echo $text > $dgstdat
+hmac_key="test-hmac-key"
+cmac_key="1234567890abcde1234567890abcde12"
+
+digests=`$openssl_bin list-message-digest-commands`
+
+for d in $digests ; do
+
+ echo -n "$d ... "
+ $openssl_bin dgst -$d -out $dgstdat.$d $dgstdat
+ check_exit_status $?
+
+ echo -n "$d HMAC ... "
+ $openssl_bin dgst -$d -hmac $hmac_key -out $dgstdat.$d.hmac $dgstdat
+ check_exit_status $?
+
+ echo -n "$d CMAC ... "
+ $openssl_bin dgst -$d -mac cmac -macopt cipher:aes-128-cbc -macopt hexkey:$cmac_key \
+ -out $dgstdat.$d.cmac $dgstdat
+ check_exit_status $?
+done
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# === ENCODING AND CIPHER COMMANDS ===
+section_message "ENCODING AND CIPHER COMMANDS"
+
+start_message "enc - See [ENCODING AND CIPHER COMMANDS] section."
+
+text="1234567890abcdefghijklmnopqrstuvwxyz"
+encfile=$user1_dir/encfile.dat
+echo $text > $encfile
+pass="test-pass-1234"
+
+ciphers=`$openssl_bin list-cipher-commands`
+
+for c in $ciphers ; do
+ echo -n "$c ... encoding ... "
+ $openssl_bin enc -$c -e -base64 -pass pass:$pass -in $encfile -out $encfile-$c.enc
+ check_exit_status $?
+
+ echo -n "decoding ... "
+ $openssl_bin enc -$c -d -base64 -pass pass:$pass -in $encfile-$c.enc -out $encfile-$c.dec
+ check_exit_status $?
+
+ echo -n "cmp ... "
+ cmp $encfile $encfile-$c.dec
+ check_exit_status $?
+done
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# === various KEY operations ===
+section_message "various KEY operations"
+
+key_pass=test-key-pass
+
+# DH
+
+start_message "gendh - Obsoleted by dhparam."
+gendh2=$key_dir/gendh2.pem
+$openssl_bin gendh -2 -out $gendh2
+check_exit_status $?
+
+start_message "dh - Obsoleted by dhparam."
+$openssl_bin dh -in $gendh2 -check -text -out $gendh2.out
+check_exit_status $?
+
+start_message "dhparam - Superseded by genpkey and pkeyparam."
+dhparam2=$key_dir/dhparam2.pem
+$openssl_bin dhparam -2 -out $dhparam2
+check_exit_status $?
+$openssl_bin dhparam -in $dhparam2 -check -text -out $dhparam2.out
+check_exit_status $?
+
+# DSA
+
+start_message "dsaparam - Superseded by genpkey and pkeyparam."
+dsaparam512=$key_dir/dsaparam512.pem
+$openssl_bin dsaparam -genkey -out $dsaparam512 512
+check_exit_status $?
+
+start_message "dsa"
+$openssl_bin dsa -in $dsaparam512 -text -out $dsaparam512.out
+check_exit_status $?
+
+start_message "gendsa - Superseded by genpkey and pkey."
+gendsa_des3=$key_dir/gendsa_des3.pem
+$openssl_bin gendsa -des3 -out $gendsa_des3 -passout pass:$key_pass $dsaparam512
+check_exit_status $?
+
+# RSA
+
+start_message "genrsa - Superseded by genpkey."
+genrsa_aes256=$key_dir/genrsa_aes256.pem
+$openssl_bin genrsa -f4 -aes256 -out $genrsa_aes256 -passout pass:$key_pass 2048
+check_exit_status $?
+
+start_message "rsa"
+$openssl_bin rsa -in $genrsa_aes256 -passin pass:$key_pass -check -text -out $genrsa_aes256.out
+check_exit_status $?
+
+start_message "rsautl - Superseded by pkeyutl."
+rsautldat=$key_dir/rsautl.dat
+rsautlsig=$key_dir/rsautl.sig
+echo "abcdefghijklmnopqrstuvwxyz1234567890" > $rsautldat
+
+$openssl_bin rsautl -sign -in $rsautldat -inkey $genrsa_aes256 -passin pass:$key_pass -out $rsautlsig
+check_exit_status $?
+
+$openssl_bin rsautl -verify -in $rsautlsig -inkey $genrsa_aes256 -passin pass:$key_pass
+check_exit_status $?
+
+# EC
+
+start_message "ecparam -list-curves"
+$openssl_bin ecparam -list_curves
+check_exit_status $?
+
+# get all EC curves
+ec_curves=`$openssl_bin ecparam -list_curves | grep ':' | cut -d ':' -f 1`
+
+start_message "ecparam and ec"
+
+for curve in $ec_curves ;
+do
+ ecparam=$key_dir/ecparam_$curve.pem
+
+ echo -n "ec - $curve ... ecparam ... "
+ $openssl_bin ecparam -out $ecparam -name $curve -genkey -param_enc explicit \
+ -conv_form compressed -C
+ check_exit_status $?
+
+ echo -n "ec ... "
+ $openssl_bin ec -in $ecparam -text -out $ecparam.out 2> /dev/null
+ check_exit_status $?
+done
+
+# PKEY
+
+start_message "genpkey"
+
+# DH by GENPKEY
+
+genpkey_dh_param=$key_dir/genpkey_dh_param.pem
+$openssl_bin genpkey -genparam -algorithm DH -out $genpkey_dh_param \
+ -pkeyopt dh_paramgen_prime_len:1024
+check_exit_status $?
+
+genpkey_dh=$key_dir/genpkey_dh.pem
+$openssl_bin genpkey -paramfile $genpkey_dh_param -out $genpkey_dh
+check_exit_status $?
+
+# DSA by GENPKEY
+
+genpkey_dsa_param=$key_dir/genpkey_dsa_param.pem
+$openssl_bin genpkey -genparam -algorithm DSA -out $genpkey_dsa_param \
+ -pkeyopt dsa_paramgen_bits:1024
+check_exit_status $?
+
+genpkey_dsa=$key_dir/genpkey_dsa.pem
+$openssl_bin genpkey -paramfile $genpkey_dsa_param -out $genpkey_dsa
+check_exit_status $?
+
+# RSA by GENPKEY
+
+genpkey_rsa=$key_dir/genpkey_rsa.pem
+$openssl_bin genpkey -algorithm RSA -out $genpkey_rsa \
+ -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3
+check_exit_status $?
+
+# EC by GENPKEY
+
+genpkey_ec_param=$key_dir/genpkey_ec_param.pem
+$openssl_bin genpkey -genparam -algorithm EC -out $genpkey_ec_param \
+ -pkeyopt ec_paramgen_curve:secp384r1
+check_exit_status $?
+
+genpkey_ec=$key_dir/genpkey_ec.pem
+$openssl_bin genpkey -paramfile $genpkey_ec_param -out $genpkey_ec
+check_exit_status $?
+
+start_message "pkeyparam"
+
+$openssl_bin pkeyparam -in $genpkey_dh_param -text -out $genpkey_dh_param.out
+check_exit_status $?
+
+$openssl_bin pkeyparam -in $genpkey_dsa_param -text -out $genpkey_dsa_param.out
+check_exit_status $?
+
+$openssl_bin pkeyparam -in $genpkey_ec_param -text -out $genpkey_ec_param.out
+check_exit_status $?
+
+start_message "pkey"
+
+$openssl_bin pkey -in $genpkey_dh -text -out $genpkey_dh.out
+check_exit_status $?
+
+$openssl_bin pkey -in $genpkey_dsa -text -out $genpkey_dsa.out
+check_exit_status $?
+
+$openssl_bin pkey -in $genpkey_rsa -text -out $genpkey_rsa.out
+check_exit_status $?
+
+$openssl_bin pkey -in $genpkey_ec -text -out $genpkey_ec.out
+check_exit_status $?
+
+start_message "pkeyutl"
+
+pkeyutldat=$key_dir/pkeyutl.dat
+pkeyutlsig=$key_dir/pkeyutl.sig
+echo "abcdefghijklmnopqrstuvwxyz1234567890" > $pkeyutldat
+
+$openssl_bin pkeyutl -sign -in $pkeyutldat -inkey $genpkey_rsa -out $pkeyutlsig
+check_exit_status $?
+
+$openssl_bin pkeyutl -verify -in $pkeyutldat -sigfile $pkeyutlsig -inkey $genpkey_rsa
+check_exit_status $?
+
+$openssl_bin pkeyutl -verifyrecover -in $pkeyutlsig -inkey $genpkey_rsa
+check_exit_status $?
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+section_message "setup local CA"
+
+#
+# prepare test openssl.cnf
+#
+
+ca_dir=$ssldir/testCA
+tsa_dir=$ssldir/testTSA
+ocsp_dir=$ssldir/testOCSP
+server_dir=$ssldir/server
+
+cat << __EOF__ > $ssldir/openssl.cnf
+oid_section = new_oids
+[ new_oids ]
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+[ ca ]
+default_ca = CA_default
+[ CA_default ]
+dir = ./$ca_dir
+crl_dir = \$dir/crl
+database = \$dir/index.txt
+new_certs_dir = \$dir/newcerts
+serial = \$dir/serial
+crlnumber = \$dir/crlnumber
+default_days = 1
+default_md = default
+policy = policy_match
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+[ req ]
+distinguished_name = req_distinguished_name
+[ req_distinguished_name ]
+countryName = Country Name
+countryName_default = JP
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = State or Province Name
+stateOrProvinceName_default = Tokyo
+organizationName = Organization Name
+organizationName_default = TEST_DUMMY_COMPANY
+commonName = Common Name
+[ tsa ]
+default_tsa = tsa_config1
+[ tsa_config1 ]
+dir = ./$tsa_dir
+serial = \$dir/serial
+crypto_device = builtin
+digests = sha1, sha256, sha384, sha512
+default_policy = tsa_policy1
+other_policies = tsa_policy2, tsa_policy3
+[ tsa_ext ]
+keyUsage = critical,nonRepudiation
+extendedKeyUsage = critical,timeStamping
+[ ocsp_ext ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation,digitalSignature,keyEncipherment
+extendedKeyUsage = OCSPSigning
+__EOF__
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+#
+# setup test CA
+#
+
+mkdir -p $ca_dir
+mkdir -p $tsa_dir
+mkdir -p $ocsp_dir
+mkdir -p $server_dir
+
+mkdir -p $ca_dir/certs
+mkdir -p $ca_dir/private
+mkdir -p $ca_dir/crl
+mkdir -p $ca_dir/newcerts
+chmod 700 $ca_dir/private
+echo "01" > $ca_dir/serial
+touch $ca_dir/index.txt
+touch $ca_dir/crlnumber
+echo "01" > $ca_dir/crlnumber
+
+#
+# setup test TSA
+#
+mkdir -p $tsa_dir/private
+chmod 700 $tsa_dir/private
+echo "01" > $tsa_dir/serial
+touch $tsa_dir/index.txt
+
+#
+# setup test OCSP
+#
+mkdir -p $ocsp_dir/private
+chmod 700 $ocsp_dir/private
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# --- CA initiate (generate CA key and cert) ---
+
+start_message "req ... generate CA key and self signed cert"
+
+ca_cert=$ca_dir/ca_cert.pem
+ca_key=$ca_dir/private/ca_key.pem ca_pass=test-ca-pass
+
+if [ $mingw = 0 ] ; then
+ subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testCA.test_dummy.com/'
+else
+ subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testTSA.test_dummy.com\'
+fi
+
+$openssl_bin req -new -x509 -newkey rsa:2048 -out $ca_cert -keyout $ca_key \
+ -days 1 -passout pass:$ca_pass -batch -subj $subj
+check_exit_status $?
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# --- TSA initiate (generate TSA key and cert) ---
+
+start_message "req ... generate TSA key and cert"
+
+# generate CSR for TSA
+
+tsa_csr=$tsa_dir/tsa_csr.pem
+tsa_key=$tsa_dir/private/tsa_key.pem
+tsa_pass=test-tsa-pass
+
+if [ $mingw = 0 ] ; then
+ subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testTSA.test_dummy.com/'
+else
+ subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testTSA.test_dummy.com\'
+fi
+
+$openssl_bin req -new -keyout $tsa_key -out $tsa_csr -passout pass:$tsa_pass -subj $subj
+check_exit_status $?
+
+start_message "ca ... sign by CA with TSA extensions"
+
+tsa_cert=$tsa_dir/tsa_cert.pem
+
+$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
+-in $tsa_csr -out $tsa_cert -extensions tsa_ext
+check_exit_status $?
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# --- OCSP initiate (generate OCSP key and cert) ---
+
+start_message "req ... generate OCSP key and cert"
+
+# generate CSR for OCSP
+
+ocsp_csr=$ocsp_dir/ocsp_csr.pem
+ocsp_key=$ocsp_dir/private/ocsp_key.pem
+
+if [ $mingw = 0 ] ; then
+ subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testOCSP.test_dummy.com/'
+else
+ subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=testOCSP.test_dummy.com\'
+fi
+
+$openssl_bin req -new -keyout $ocsp_key -nodes -out $ocsp_csr -subj $subj
+check_exit_status $?
+
+start_message "ca ... sign by CA with OCSP extensions"
+
+ocsp_cert=$ocsp_dir/ocsp_cert.pem
+
+$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
+-in $ocsp_csr -out $ocsp_cert -extensions ocsp_ext
+check_exit_status $?
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# --- server-admin operations (generate server key and csr) ---
+section_message "server-admin operations (generate server key and csr)"
+
+start_message "req ... generate server csr#1"
+
+server_key=$server_dir/server_key.pem
+server_csr=$server_dir/server_csr.pem
+server_pass=test-server-pass
+
+if [ $mingw = 0 ] ; then
+ subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=localhost.test_dummy.com/'
+else
+ subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=localhost.test_dummy.com\'
+fi
+
+$openssl_bin req -new -keyout $server_key -out $server_csr -passout pass:$server_pass -subj $subj
+check_exit_status $?
+
+start_message "req ... generate server csr#2 (interactive mode)"
+
+revoke_key=$server_dir/revoke_key.pem
+revoke_csr=$server_dir/revoke_csr.pem
+revoke_pass=test-revoke-pass
+
+$openssl_bin req -new -keyout $revoke_key -out $revoke_csr -passout pass:$revoke_pass <<__EOF__
+JP
+Tokyo
+TEST_DUMMY_COMPANY
+revoke.test_dummy.com
+__EOF__
+check_exit_status $?
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# --- CA operations (issue cert for server) ---
+section_message "CA operations (issue cert for server)"
+
+start_message "ca ... issue cert for server csr#1"
+
+server_cert=$server_dir/server_cert.pem
+$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
+ -in $server_csr -out $server_cert
+check_exit_status $?
+
+start_message "x509 ... issue cert for server csr#2"
+
+revoke_cert=$server_dir/revoke_cert.pem
+$openssl_bin x509 -req -in $revoke_csr -CA $ca_cert -CAkey $ca_key -passin pass:$ca_pass \
+ -CAcreateserial -out $revoke_cert
+check_exit_status $?
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# --- CA operations (revoke cert and generate crl) ---
+section_message "CA operations (revoke cert and generate crl)"
+
+start_message "ca ... revoke server cert#2"
+crl_file=$ca_dir/crl.pem
+$openssl_bin ca -gencrl -out $crl_file -crldays 30 -revoke $revoke_cert \
+ -keyfile $ca_key -passin pass:$ca_pass -cert $ca_cert
+check_exit_status $?
+
+start_message "crl ... CA generates CRL"
+$openssl_bin crl -in $crl_file -fingerprint
+check_exit_status $?
+
+crl_p7=$ca_dir/crl.p7
+start_message "crl2pkcs7 ... convert CRL to pkcs7"
+$openssl_bin crl2pkcs7 -in $crl_file -certfile $ca_cert -out $crl_p7
+check_exit_status $?
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# --- server-admin operations (check csr, verify cert, certhash) ---
+section_message "server-admin operations (check csr, verify cert, certhash)"
+
+start_message "asn1parse ... parse server csr#1"
+$openssl_bin asn1parse -in $server_csr -i \
+ -dlimit 100 -length 1000 -strparse 01 > $server_csr.asn1parse.out
+check_exit_status $?
+
+start_message "verify ... server cert#1"
+$openssl_bin verify -verbose -CAfile $ca_cert $server_cert
+check_exit_status $?
+
+start_message "x509 ... get detail info about server cert#1"
+$openssl_bin x509 -in $server_cert -text -C -dates -startdate -enddate \
+ -fingerprint -issuer -issuer_hash -issuer_hash_old \
+ -subject -subject_hash -subject_hash_old -ocsp_uri -ocspid -modulus \
+ -pubkey -serial -email > $server_cert.x509.out
+check_exit_status $?
+
+if [ $mingw = 0 ] ; then
+ start_message "certhash"
+ $openssl_bin certhash -v $server_dir
+ check_exit_status $?
+fi
+
+# self signed
+start_message "x509 ... generate self signed server cert"
+server_self_cert=$server_dir/server_self_cert.pem
+$openssl_bin x509 -in $server_cert -signkey $server_key -passin pass:$server_pass -out $server_self_cert
+check_exit_status $?
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# --- Netscape SPKAC operations ---
+section_message "Netscape SPKAC operations"
+
+# server-admin generates SPKAC
+
+start_message "spkac"
+spkacfile=$server_dir/spkac.file
+
+$openssl_bin spkac -key $genpkey_rsa -challenge hello -out $spkacfile
+check_exit_status $?
+
+$openssl_bin spkac -in $spkacfile -verify -out $spkacfile.out
+check_exit_status $?
+
+spkacreq=$server_dir/spkac.req
+cat << __EOF__ > $spkacreq
+countryName = JP
+stateOrProvinceName = Tokyo
+organizationName = TEST_DUMMY_COMPANY
+commonName = spkac.test_dummy.com
+__EOF__
+cat $spkacfile >> $spkacreq
+
+# CA signs SPKAC
+start_message "ca ... CA signs SPKAC csr"
+spkaccert=$server_dir/spkac.cert
+$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
+ -spkac $spkacreq -out $spkaccert
+check_exit_status $?
+
+start_message "x509 ... convert DER format SPKAC cert to PEM"
+spkacpem=$server_dir/spkac.pem
+$openssl_bin x509 -in $spkaccert -inform DER -out $spkacpem -outform PEM
+check_exit_status $?
+
+# server-admin cert verify
+
+start_message "nseq"
+$openssl_bin nseq -in $spkacpem -toseq -out $spkacpem.nseq
+check_exit_status $?
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# --- user1 operations (generate user1 key and csr) ---
+section_message "user1 operations (generate user1 key and csr)"
+
+# trust
+start_message "x509 ... trust testCA cert"
+user1_trust=$user1_dir/user1_trust_ca.pem
+$openssl_bin x509 -in $ca_cert -addtrust clientAuth -setalias "trusted testCA" -purpose -out $user1_trust
+check_exit_status $?
+
+start_message "req ... generate private key and csr for user1"
+
+user1_key=$user1_dir/user1_key.pem
+user1_csr=$user1_dir/user1_csr.pem
+user1_pass=test-user1-pass
+
+if [ $mingw = 0 ] ; then
+ subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=user1.test_dummy.com/'
+else
+ subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=user1.test_dummy.com\'
+fi
+
+$openssl_bin req -new -keyout $user1_key -out $user1_csr -passout pass:$user1_pass -subj $subj
+check_exit_status $?
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# --- CA operations (issue cert for user1) ---
+section_message "CA operations (issue cert for user1)"
+
+start_message "ca ... issue cert for user1"
+
+user1_cert=$user1_dir/user1_cert.pem
+$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
+ -in $user1_csr -out $user1_cert
+check_exit_status $?
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# --- TSA operations ---
+section_message "TSA operations"
+
+tsa_dat=$user1_dir/tsa.dat
+cat << __EOF__ > $tsa_dat
+Hello Bob,
+Sincerely yours
+Alice
+__EOF__
+
+# Query
+start_message "ts ... create time stamp request"
+
+tsa_tsq=$user1_dir/tsa.tsq
+
+$openssl_bin ts -query -sha1 -data $tsa_dat -no_nonce -out $tsa_tsq
+check_exit_status $?
+
+start_message "ts ... print time stamp request"
+
+$openssl_bin ts -query -in $tsa_tsq -text
+check_exit_status $?
+
+# Reply
+start_message "ts ... create time stamp response for a request"
+
+tsa_tsr=$user1_dir/tsa.tsr
+
+$openssl_bin ts -reply -queryfile $tsa_tsq -inkey $tsa_key -passin pass:$tsa_pass \
+ -signer $tsa_cert -chain $ca_cert -out $tsa_tsr
+check_exit_status $?
+
+# Verify
+start_message "ts ... verify time stamp response"
+
+$openssl_bin ts -verify -queryfile $tsa_tsq -in $tsa_tsr -CAfile $ca_cert -untrusted $tsa_cert
+check_exit_status $?
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# --- S/MIME operations ---
+section_message "S/MIME operations"
+
+smime_txt=$user1_dir/smime.txt
+smime_msg=$user1_dir/smime.msg
+smime_ver=$user1_dir/smime.ver
+
+cat << __EOF__ > $smime_txt
+Hello Bob,
+Sincerely yours
+Alice
+__EOF__
+
+# sign
+start_message "smime ... sign to message"
+
+$openssl_bin smime -sign -in $smime_txt -text -out $smime_msg \
+ -signer $user1_cert -inkey $user1_key -passin pass:$user1_pass
+check_exit_status $?
+
+# verify
+start_message "smime ... verify message"
+
+$openssl_bin smime -verify -in $smime_msg -signer $user1_cert -CAfile $ca_cert -out $smime_ver
+check_exit_status $?
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# --- OCSP operations ---
+section_message "OCSP operations"
+
+# request
+start_message "ocsp ... create OCSP request"
+
+ocsp_req=$user1_dir/ocsp_req.der
+$openssl_bin ocsp -issuer $ca_cert -cert $server_cert -cert $revoke_cert \
+ -CAfile $ca_cert -reqout $ocsp_req
+check_exit_status $?
+
+# response
+start_message "ocsp ... create OCPS response for a request"
+
+ocsp_res=$user1_dir/ocsp_res.der
+$openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert -CAfile $ca_cert \
+ -rsigner $ocsp_cert -rkey $ocsp_key -reqin $ocsp_req -respout $ocsp_res -text > $ocsp_res.out 2>&1
+check_exit_status $?
+
+# ocsp server
+start_message "ocsp ... start OCSP server in background"
+
+ocsp_port=8888
+
+$openssl_bin ocsp -index $ca_dir/index.txt -CA $ca_cert -CAfile $ca_cert \
+ -rsigner $ocsp_cert -rkey $ocsp_key -port '*:'$ocsp_port -nrequest 1 &
+check_exit_status $?
+ocsp_svr_pid=$!
+echo "ocsp server pid = [ $ocsp_svr_pid ]"
+sleep 1
+
+# send query to oscp server
+start_message "ocsp ... send OCSP request to server"
+
+ocsp_qry=$user1_dir/ocsp_qry.der
+$openssl_bin ocsp -issuer $ca_cert -cert $server_cert -cert $revoke_cert \
+ -CAfile $ca_cert -url http://localhost:$ocsp_port -resp_text -respout $ocsp_qry > $ocsp_qry.out 2>&1
+check_exit_status $?
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# --- PKCS operations ---
+section_message "PKCS operations"
+
+pkcs_pass=test-pkcs-pass
+
+start_message "pkcs7 ... output certs in crl(pkcs7)"
+$openssl_bin pkcs7 -in $crl_p7 -print_certs -text -out $crl_p7.out
+check_exit_status $?
+
+start_message "pkcs8 ... convert key to pkcs8"
+$openssl_bin pkcs8 -in $user1_key -topk8 -out $user1_key.p8 \
+ -passin pass:$user1_pass -passout pass:$user1_pass -v1 pbeWithSHA1AndDES-CBC -v2 des3
+check_exit_status $?
+
+start_message "pkcs8 ... convert pkcs8 to key in DER format"
+$openssl_bin pkcs8 -in $user1_key.p8 -passin pass:$user1_pass -outform DER -out $user1_key.p8.der
+check_exit_status $?
+
+start_message "pkcs12 ... create"
+$openssl_bin pkcs12 -export -in $server_cert -inkey $server_key -passin pass:$server_pass \
+ -certfile $ca_cert -CAfile $ca_cert -caname "server_p12" -passout pass:$pkcs_pass \
+ -certpbe AES-256-CBC -keypbe AES-256-CBC -chain -out $server_cert.p12
+check_exit_status $?
+
+start_message "pkcs12 ... verify"
+$openssl_bin pkcs12 -in $server_cert.p12 -passin pass:$pkcs_pass -info -noout
+check_exit_status $?
+
+start_message "pkcs12 ... to PEM"
+$openssl_bin pkcs12 -in $server_cert.p12 -passin pass:$pkcs_pass \
+ -passout pass:$pkcs_pass -out $server_cert.p12.pem
+check_exit_status $?
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# --- client/server operations ---
+section_message "client/server operations"
+
+host="localhost"
+port=4433
+sess_log=$user1_dir/s_client_sess.log
+s_client_out=$user1_dir/s_client.out
+
+start_message "s_server ... start SSL/TLS test server"
+$openssl_bin s_server -accept $port -CAfile $ca_cert \
+ -cert $server_cert -key $server_key -pass pass:$server_pass \
+ -context "appstest.sh" -id_prefix "APPSTEST.SH" \
+ -crl_check -no_ssl2 -no_ssl3 -no_tls1 \
+ -nextprotoneg "http/1.1,spdy/3" -alpn "http/1.1,spdy/3" \
+ -www -quiet &
+check_exit_status $?
+s_server_pid=$!
+echo "s_server pid = [ $s_server_pid ]"
+sleep 1
+
+start_message "s_client ... connect to SSL/TLS test server"
+$openssl_bin s_client -connect $host:$port -CAfile $ca_cert \
+ -showcerts -crl_check -issuer_checks -policy_check -pause -prexit \
+ -nextprotoneg "spdy/3,http/1.1" -alpn "spdy/3,http/1.1" \
+ -sess_out $sess_log < /dev/null > $s_client_out 2>&1
+check_exit_status $?
+
+start_message "s_time ... connect to SSL/TLS test server"
+$openssl_bin s_time -connect $host:$port -CAfile $ca_cert -time 2
+check_exit_status $?
+
+start_message "sess_id"
+$openssl_bin sess_id -in $sess_log -text -out $sess_log.out
+check_exit_status $?
+
+sleep 1
+kill -TERM $s_server_pid
+wait $s_server_pid
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# === PERFORMANCE ===
+section_message "PERFORMANCE"
+
+start_message "speed"
+$openssl_bin speed sha512 rsa2048 -multi 2 -elapsed
+check_exit_status $?
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+# --- VERSION INFORMATION ---
+section_message "VERSION INFORMATION"
+
+start_message "version"
+$openssl_bin version -a
+check_exit_status $?
+
+#---------#---------#---------#---------#---------#---------#---------#---------
+
+section_message "END"
+
+exit 0
+
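Review bot: The `check_exit_status $?` placed directly after the backgrounded `ocsp ... -port '*:'$ocsp_port ... &` and `s_server -accept $port ... &` commands always sees 0, because `$?` after `&` reports the shell's success in launching the job, not the server's; a failed bind on the fixed ports 8888/4433 is only noticed when the later client step fails. When that or any later step fails, `check_exit_status` exits the script without stopping the background servers, so an `s_server` holding the test key can stay listening on all interfaces after the regress run. I would add `trap 'kill $s_server_pid $ocsp_svr_pid 2>/dev/null' EXIT` near the top and replace each post-launch check with `kill -0 $s_server_pid; check_exit_status $?` after the `sleep 1`, so a server that died at startup is reported where it happened. Binding the test listeners to 127.0.0.1 instead of all interfaces would further limit exposure, if this `s_server`/`ocsp` build accepts a host:port form for `-accept`/`-port` — worth confirming before changing.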