From a77ed9c9e1acbb687167ea7324587a01fbe37237 Mon Sep 17 00:00:00 2001
From: olszomal <Malgorzata.Olszowka@stunnel.org>
Date: Fri, 6 Dec 2019 14:02:57 +0100
Subject: [PATCH] new verify tests

---
 tests/recipes/45_verify_fake_pe   | 30 +++++++++++++++++++++
 tests/recipes/46_verify_timestamp | 31 +++++++++++++++++++++
 tests/recipes/47_verify_rfc3161   | 32 ++++++++++++++++++++++
 tests/recipes/51_verify_time      | 43 +++++++++++++++++++++++++++++
 tests/recipes/52_verify_timestamp | 45 +++++++++++++++++++++++++++++++
 tests/recipes/53_verify_rfc3161   | 45 +++++++++++++++++++++++++++++++
 tests/recipes/54_verify_expired   | 45 +++++++++++++++++++++++++++++++
 7 files changed, 271 insertions(+)
 create mode 100644 tests/recipes/45_verify_fake_pe
 create mode 100644 tests/recipes/46_verify_timestamp
 create mode 100755 tests/recipes/47_verify_rfc3161
 create mode 100644 tests/recipes/51_verify_time
 create mode 100644 tests/recipes/52_verify_timestamp
 create mode 100644 tests/recipes/53_verify_rfc3161
 create mode 100644 tests/recipes/54_verify_expired

diff --git a/tests/recipes/45_verify_fake_pe b/tests/recipes/45_verify_fake_pe
new file mode 100644
index 0000000..0e9ce27
--- /dev/null
+++ b/tests/recipes/45_verify_fake_pe
@@ -0,0 +1,30 @@
+#!/bin/sh
+# Verify changed PE file after signing.
+
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+
+# PE file
+test_name="451. Verify changed PE file after signing"
+printf "\n%s\n" "$test_name"
+if [ -s "test.exe" ]
+  then
+    ../../osslsigncode sign -h sha256 \
+        -st "1556668800" \
+        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+        -in "test.exe" -out "test_451.exe"
+    verify_signature "$?" "451" "exe" "fail" "@2019-09-01 12:00:00" \
+	"UNUSED_PATTERN" "ASCII" "Hello world!" "MODIFY"
+    test_result "$?" "$test_name"
+  else
+    printf "Test skipped\n"
+  fi
+
+# CAB file
+# Command is not supported for non-PE files
+
+# MSI file
+# Command is not supported for non-PE files
+
+exit 0
diff --git a/tests/recipes/46_verify_timestamp b/tests/recipes/46_verify_timestamp
new file mode 100644
index 0000000..c3ebdb5
--- /dev/null
+++ b/tests/recipes/46_verify_timestamp
@@ -0,0 +1,31 @@
+#!/bin/sh
+# Verify changed PE file after signing with Authenticode timestamping.
+
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+
+# PE file
+test_name="461. Verify changed PE file after signing with Authenticode timestamping"
+printf "\n%s\n" "$test_name"
+if [ -s "test.exe" ]
+  then
+    ../../osslsigncode sign -h sha256 \
+        -st "1556668800" \
+        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+        -t http://time.certum.pl/ \
+        -in "test.exe" -out "test_461.exe"
+    verify_signature "$?" "461" "exe" "fail" "@2019-09-01 12:00:00" \
+	"UNUSED_PATTERN" "ASCII" "Hello world!" "MODIFY"
+    test_result "$?" "$test_name"
+  else
+    printf "Test skipped\n"
+  fi
+
+# CAB file
+# Command is not supported for non-PE files
+
+# MSI file
+# Command is not supported for non-PE files
+
+exit 0
diff --git a/tests/recipes/47_verify_rfc3161 b/tests/recipes/47_verify_rfc3161
new file mode 100755
index 0000000..6157ef5
--- /dev/null
+++ b/tests/recipes/47_verify_rfc3161
@@ -0,0 +1,32 @@
+#!/bin/sh
+# Verify changed PE file after signing with RFC 3161 timestamping.
+
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+
+# PE file
+test_name="471. Verify changed PE file after signing with RFC 3161 timestamping"
+printf "\n%s\n" "$test_name"
+if [ -s "test.exe" ]
+  then
+    ../../osslsigncode sign -h sha256 \
+        -st "1556668800" \
+        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+        -ts http://time.certum.pl/ \
+        -in "test.exe" -out "test_471.exe"
+    verify_signature "$?" "471" "exe" "fail" "@2019-09-01 12:00:00" \
+	"UNUSED_PATTERN" "ASCII" "Hello world!" "MODIFY"
+
+    test_result "$?" "$test_name"
+  else
+    printf "Test skipped\n"
+  fi
+
+# CAB file
+# Command is not supported for non-PE files
+
+# MSI file
+# Command is not supported for non-PE files
+
+exit 0
diff --git a/tests/recipes/51_verify_time b/tests/recipes/51_verify_time
new file mode 100644
index 0000000..252bdd3
--- /dev/null
+++ b/tests/recipes/51_verify_time
@@ -0,0 +1,43 @@
+#!/bin/sh
+# Verify PE/MSI file signature after the cert has been expired.
+
+. $(dirname $0)/../test_library
+
+# PE file
+test_name="511. Verify PE file signature after the cert has been expired"
+printf "\n%s\n" "$test_name"
+if [ -s "test.exe" ]
+  then
+    TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
+        script_path=$(pwd)
+        ../../osslsigncode sign -h sha256 \
+            -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+            -in "test.exe" -out "test_511.exe" 2>> "results.log" 1>&2'
+    verify_signature "$?" "511" "exe" "fail" "@2025-01-01 12:00:00" \
+	"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
+    test_result "$?" "$test_name"
+  else
+    printf "Test skipped\n"
+  fi
+
+# CAB file
+# Command is not supported for non-PE/non-MSI files
+
+# MSI file
+test_name="513. Verify MSI file signature after the cert has been expired"
+printf "\n%s\n" "$test_name"
+if [ -s "sample.msi" ]
+  then
+    TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
+        script_path=$(pwd)
+        ../../osslsigncode sign -h sha256 \
+            -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+            -in "sample.msi" -out "test_513.msi"'
+    verify_signature "$?" "513" "msi" "fail" "@2025-01-01 12:00:00" \
+	"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
+    test_result "$?" "$test_name"
+  else
+    printf "Test skipped\n"
+  fi
+
+exit 0
diff --git a/tests/recipes/52_verify_timestamp b/tests/recipes/52_verify_timestamp
new file mode 100644
index 0000000..85a20b0
--- /dev/null
+++ b/tests/recipes/52_verify_timestamp
@@ -0,0 +1,45 @@
+#!/bin/sh
+# Verify PE/MSI file signature with Authenticode timestamping after the cert has been expired.
+
+. $(dirname $0)/../test_library
+
+# PE file
+test_name="521. Verify PE file signature with timestamping after the cert has been expired"
+printf "\n%s\n" "$test_name"
+if [ -s "test.exe" ]
+  then
+    TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
+        script_path=$(pwd)
+        ../../osslsigncode sign -h sha256 \
+            -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+            -t http://time.certum.pl/ \
+            -in "test.exe" -out "test_521.exe" 2>> "results.log" 1>&2'
+    verify_signature "$?" "521" "exe" "success" "@2025-01-01 12:00:00" \
+	"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
+    test_result "$?" "$test_name"
+  else
+    printf "Test skipped\n"
+  fi
+
+# CAB file
+# Command is not supported for non-PE/non-MSI files
+
+# MSI file
+test_name="523. Verify MSI file signature with timestamping after the cert has been expired"
+printf "\n%s\n" "$test_name"
+if [ -s "sample.msi" ]
+  then
+    TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
+        script_path=$(pwd)
+        ../../osslsigncode sign -h sha256 \
+            -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+            -t http://time.certum.pl/ \
+            -in "sample.msi" -out "test_523.msi"'
+    verify_signature "$?" "523" "msi" "success" "@2025-01-01 12:00:00" \
+	"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
+    test_result "$?" "$test_name"
+  else
+    printf "Test skipped\n"
+  fi
+
+exit 0
diff --git a/tests/recipes/53_verify_rfc3161 b/tests/recipes/53_verify_rfc3161
new file mode 100644
index 0000000..a75109c
--- /dev/null
+++ b/tests/recipes/53_verify_rfc3161
@@ -0,0 +1,45 @@
+#!/bin/sh
+# Verify PE/MSI file signature with RFC3161 timestamping after the cert has been expired.
+
+. $(dirname $0)/../test_library
+
+# PE file
+test_name="531. Verify PE file signature with RFC3161 after the cert has been expired"
+printf "\n%s\n" "$test_name"
+if [ -s "test.exe" ]
+  then
+    TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
+        script_path=$(pwd)
+        ../../osslsigncode sign -h sha256 \
+            -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+            -ts http://time.certum.pl/ \
+            -in "test.exe" -out "test_531.exe" 2>> "results.log" 1>&2'
+    verify_signature "$?" "531" "exe" "success" "@2025-01-01 12:00:00" \
+	"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
+    test_result "$?" "$test_name"
+  else
+    printf "Test skipped\n"
+  fi
+
+# CAB file
+# Command is not supported for non-PE/non-MSI files
+
+# MSI file
+test_name="533. Verify MSI file signature with RFC3161 after the cert has been expired"
+printf "\n%s\n" "$test_name"
+if [ -s "sample.msi" ]
+  then
+    TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
+        script_path=$(pwd)
+        ../../osslsigncode sign -h sha256 \
+            -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+            -ts http://time.certum.pl/ \
+            -in "sample.msi" -out "test_533.msi"'
+    verify_signature "$?" "533" "msi" "success" "@2025-01-01 12:00:00" \
+	"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
+    test_result "$?" "$test_name"
+  else
+    printf "Test skipped\n"
+  fi
+
+exit 0
diff --git a/tests/recipes/54_verify_expired b/tests/recipes/54_verify_expired
new file mode 100644
index 0000000..405b512
--- /dev/null
+++ b/tests/recipes/54_verify_expired
@@ -0,0 +1,45 @@
+#!/bin/sh
+# Verify PE/MSI file signed with the expired cert.
+
+. $(dirname $0)/../test_library
+
+# PE file
+test_name="541. Verify PE file signed with the expired cert"
+printf "\n%s\n" "$test_name"
+if [ -s "test.exe" ]
+  then
+    TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
+        script_path=$(pwd)
+        ../../osslsigncode sign -h sha256 \
+            -certs "${script_path}/../certs/expired.pem" -key "${script_path}/../certs/key.pem" \
+            -t http://time.certum.pl/ \
+            -in "test.exe" -out "test_541.exe" 2>> "results.log" 1>&2'
+    verify_signature "$?" "541" "exe" "fail" "@2025-01-01 12:00:00" \
+	"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
+    test_result "$?" "$test_name"
+  else
+    printf "Test skipped\n"
+  fi
+
+# CAB file
+# Command is not supported for non-PE/non-MSI files
+
+# MSI file
+test_name="543. Verify MSI file signed with the expired cert"
+printf "\n%s\n" "$test_name"
+if [ -s "sample.msi" ]
+  then
+    TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
+        script_path=$(pwd)
+        ../../osslsigncode sign -h sha256 \
+            -certs "${script_path}/../certs/expired.pem" -key "${script_path}/../certs/key.pem" \
+            -t http://time.certum.pl/ \
+            -in "sample.msi" -out "test_543.msi"'
+    verify_signature "$?" "543" "msi" "fail" "@2025-01-01 12:00:00" \
+	"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
+    test_result "$?" "$test_name"
+  else
+    printf "Test skipped\n"
+  fi
+
+exit 0