openssl/test/recipes/20-test_pkeyutl.t

#! /usr/bin/env perl
# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

use strict;
use warnings;

use File::Spec;
use File::Basename;
use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips/;
use OpenSSL::Test::Utils;

setup("test_pkeyutl");

plan tests => 11;

# For the tests below we use the cert itself as the TBS file

SKIP: {
    skip "Skipping tests that require EC, SM2 or SM3", 2
        if disabled("ec") || disabled("sm2") || disabled("sm3");

    # SM2
    ok_nofips(run(app(([ 'openssl', 'pkeyutl', '-sign',
                      '-in', srctop_file('test', 'certs', 'sm2.pem'),
                      '-inkey', srctop_file('test', 'certs', 'sm2.key'),
                      '-out', 'sm2.sig', '-rawin',
                      '-digest', 'sm3', '-pkeyopt', 'sm2_id:someid']))),
                      "Sign a piece of data using SM2");
    ok_nofips(run(app(([ 'openssl', 'pkeyutl', '-verify', '-certin',
                      '-in', srctop_file('test', 'certs', 'sm2.pem'),
                      '-inkey', srctop_file('test', 'certs', 'sm2.pem'),
                      '-sigfile', 'sm2.sig', '-rawin',
                      '-digest', 'sm3', '-pkeyopt', 'sm2_id:someid']))),
                      "Verify an SM2 signature against a piece of data");
}

SKIP: {
    skip "Skipping tests that require EC", 4
        if disabled("ec");

    # Ed25519
    ok(run(app(([ 'openssl', 'pkeyutl', '-sign', '-in',
                  srctop_file('test', 'certs', 'server-ed25519-cert.pem'),
                  '-inkey', srctop_file('test', 'certs', 'server-ed25519-key.pem'),
                  '-out', 'Ed25519.sig', '-rawin']))),
                  "Sign a piece of data using Ed25519");
    ok(run(app(([ 'openssl', 'pkeyutl', '-verify', '-certin', '-in',
                  srctop_file('test', 'certs', 'server-ed25519-cert.pem'),
                  '-inkey', srctop_file('test', 'certs', 'server-ed25519-cert.pem'),
                  '-sigfile', 'Ed25519.sig', '-rawin']))),
                  "Verify an Ed25519 signature against a piece of data");

    # Ed448
    ok(run(app(([ 'openssl', 'pkeyutl', '-sign', '-in',
                  srctop_file('test', 'certs', 'server-ed448-cert.pem'),
                  '-inkey', srctop_file('test', 'certs', 'server-ed448-key.pem'),
                  '-out', 'Ed448.sig', '-rawin']))),
                  "Sign a piece of data using Ed448");
    ok(run(app(([ 'openssl', 'pkeyutl', '-verify', '-certin', '-in',
                  srctop_file('test', 'certs', 'server-ed448-cert.pem'),
                  '-inkey', srctop_file('test', 'certs', 'server-ed448-cert.pem'),
                  '-sigfile', 'Ed448.sig', '-rawin']))),
                  "Verify an Ed448 signature against a piece of data");
}

sub tsignverify {
    my $testtext = shift;
    my $privkey = shift;
    my $pubkey = shift;
    my @extraopts = @_;

    my $data_to_sign = srctop_file('test', 'README');
    my $other_data = srctop_file('test', 'README.external');
    my $sigfile = basename($privkey, '.pem') . '.sig';

    my @args = ();
    plan tests => 4;

    @args = ('openssl', 'pkeyutl', '-sign',
             '-inkey', $privkey,
             '-out', $sigfile,
             '-in', $data_to_sign);
    push(@args, @extraopts);
    ok(run(app([@args])),
       $testtext.": Generating signature");

    @args = ('openssl', 'pkeyutl', '-verify',
             '-inkey', $privkey,
             '-sigfile', $sigfile,
             '-in', $data_to_sign);
    push(@args, @extraopts);
    ok(run(app([@args])),
       $testtext.": Verify signature with private key");

    @args = ('openssl', 'pkeyutl', '-verify',
             '-inkey', $pubkey, '-pubin',
             '-sigfile', $sigfile,
             '-in', $data_to_sign);
    push(@args, @extraopts);
    ok(run(app([@args])),
       $testtext.": Verify signature with public key");

    @args = ('openssl', 'pkeyutl', '-verify',
             '-inkey', $pubkey, '-pubin',
             '-sigfile', $sigfile,
             '-in', $other_data);
    push(@args, @extraopts);
    ok(!run(app([@args])),
       $testtext.": Expect failure verifying mismatching data");
}

SKIP: {
    skip "RSA is not supported by this OpenSSL build", 1
        if disabled("rsa");

    subtest "RSA CLI signature generation and verification" => sub {
        tsignverify("RSA",
                    srctop_file("test","testrsa.pem"),
                    srctop_file("test","testrsapub.pem"),
                    "-rawin", "-digest", "sha256");
    };
}

SKIP: {
    skip "DSA is not supported by this OpenSSL build", 1
        if disabled("dsa");

    subtest "DSA CLI signature generation and verification" => sub {
        tsignverify("DSA",
                    srctop_file("test","testdsa.pem"),
                    srctop_file("test","testdsapub.pem"),
                    "-rawin", "-digest", "sha256");
    };
}

SKIP: {
    skip "ECDSA is not supported by this OpenSSL build", 1
        if disabled("ec");

    subtest "ECDSA CLI signature generation and verification" => sub {
        tsignverify("ECDSA",
                    srctop_file("test","testec-p256.pem"),
                    srctop_file("test","testecpub-p256.pem"),
                    "-rawin", "-digest", "sha256");
    };
}

SKIP: {
    skip "EdDSA is not supported by this OpenSSL build", 2
        if disabled("ec");

    subtest "Ed2559 CLI signature generation and verification" => sub {
        tsignverify("Ed25519",
                    srctop_file("test","tested25519.pem"),
                    srctop_file("test","tested25519pub.pem"),
                    "-rawin");
    };

    subtest "Ed448 CLI signature generation and verification" => sub {
        tsignverify("Ed448",
                    srctop_file("test","tested448.pem"),
                    srctop_file("test","tested448pub.pem"),
                    "-rawin");
    };
}
Support raw input data in apps/pkeyutl Some signature algorithms require special treatment for digesting, such as SM2. This patch adds the ability of handling raw input data in apps/pkeyutl other than accepting only pre-hashed input data. Beside, SM2 requries an ID string when signing or verifying a piece of data, this patch also adds the ability for apps/pkeyutil to specify that ID string. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8186) 2019-01-16 16:16:28 +08:00			`#! /usr/bin/env perl`
			`# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.`
			`#`
			`# Licensed under the Apache License 2.0 (the "License"). You may not use`
			`# this file except in compliance with the License. You can obtain a copy`
			`# in the file LICENSE in the source distribution or at`
			`# https://www.openssl.org/source/license.html`

			`use strict;`
			`use warnings;`

			`use File::Spec;`
TEST: Modify test/recipes/20-test_pkeyutl.t to leave artifacts behind Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11080) 2020-02-14 14:01:15 +08:00			`use File::Basename;`
EC only uses approved curves in FIPS mode. Once there are buildable fips tests, some tests that are data driven from files will need to be modified to exclude non approved curves in fips mode. These changes were tested by temporarily adding #define FIPS_MODE 1 to all the modified source files. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9081) 2019-06-05 06:24:16 +08:00			`use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips/;`
Support raw input data in apps/pkeyutl Some signature algorithms require special treatment for digesting, such as SM2. This patch adds the ability of handling raw input data in apps/pkeyutl other than accepting only pre-hashed input data. Beside, SM2 requries an ID string when signing or verifying a piece of data, this patch also adds the ability for apps/pkeyutil to specify that ID string. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8186) 2019-01-16 16:16:28 +08:00			`use OpenSSL::Test::Utils;`

			`setup("test_pkeyutl");`

More testing for sign/verify through `dgst` and `pkeyutl` Add tests for signature generation and verification with `dgst` and `pkeyutl` CLI for common key types: - RSA - DSA - ECDSA - EdDSA Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10410) 2019-11-11 21:52:52 +08:00			`plan tests => 11;`
Support raw input data in apps/pkeyutl Some signature algorithms require special treatment for digesting, such as SM2. This patch adds the ability of handling raw input data in apps/pkeyutl other than accepting only pre-hashed input data. Beside, SM2 requries an ID string when signing or verifying a piece of data, this patch also adds the ability for apps/pkeyutil to specify that ID string. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8186) 2019-01-16 16:16:28 +08:00
Enable pkeyutl to use Ed448 and Ed25519 With the recent addition of the -rawin option it should be possible for pkeyutl to sign and verify with Ed448 and Ed2559. The main remaining stumbling block is that those algorirthms only support "oneshot" operation. This commit enables pkeyutl to handle that. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/8431) 2019-03-07 18:37:34 +08:00			`# For the tests below we use the cert itself as the TBS file`

			`SKIP: {`
			`skip "Skipping tests that require EC, SM2 or SM3", 2`
			`if disabled("ec") \|\| disabled("sm2") \|\| disabled("sm3");`

			`# SM2`
EC only uses approved curves in FIPS mode. Once there are buildable fips tests, some tests that are data driven from files will need to be modified to exclude non approved curves in fips mode. These changes were tested by temporarily adding #define FIPS_MODE 1 to all the modified source files. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9081) 2019-06-05 06:24:16 +08:00			`ok_nofips(run(app(([ 'openssl', 'pkeyutl', '-sign',`
Add test cases for SM2 cert verification This follows #8321 which added the SM2 certificate verification feature. This commit adds some test cases for #8321. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/8465) 2019-03-13 16:54:11 +08:00			`'-in', srctop_file('test', 'certs', 'sm2.pem'),`
Support raw input data in apps/pkeyutl Some signature algorithms require special treatment for digesting, such as SM2. This patch adds the ability of handling raw input data in apps/pkeyutl other than accepting only pre-hashed input data. Beside, SM2 requries an ID string when signing or verifying a piece of data, this patch also adds the ability for apps/pkeyutil to specify that ID string. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8186) 2019-01-16 16:16:28 +08:00			`'-inkey', srctop_file('test', 'certs', 'sm2.key'),`
TEST: Modify test/recipes/20-test_pkeyutl.t to leave artifacts behind Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11080) 2020-02-14 14:01:15 +08:00			`'-out', 'sm2.sig', '-rawin',`
Enable pkeyutl to use Ed448 and Ed25519 With the recent addition of the -rawin option it should be possible for pkeyutl to sign and verify with Ed448 and Ed2559. The main remaining stumbling block is that those algorirthms only support "oneshot" operation. This commit enables pkeyutl to handle that. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/8431) 2019-03-07 18:37:34 +08:00			`'-digest', 'sm3', '-pkeyopt', 'sm2_id:someid']))),`
			`"Sign a piece of data using SM2");`
EC only uses approved curves in FIPS mode. Once there are buildable fips tests, some tests that are data driven from files will need to be modified to exclude non approved curves in fips mode. These changes were tested by temporarily adding #define FIPS_MODE 1 to all the modified source files. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9081) 2019-06-05 06:24:16 +08:00			`ok_nofips(run(app(([ 'openssl', 'pkeyutl', '-verify', '-certin',`
Add test cases for SM2 cert verification This follows #8321 which added the SM2 certificate verification feature. This commit adds some test cases for #8321. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/8465) 2019-03-13 16:54:11 +08:00			`'-in', srctop_file('test', 'certs', 'sm2.pem'),`
			`'-inkey', srctop_file('test', 'certs', 'sm2.pem'),`
TEST: Modify test/recipes/20-test_pkeyutl.t to leave artifacts behind Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11080) 2020-02-14 14:01:15 +08:00			`'-sigfile', 'sm2.sig', '-rawin',`
Enable pkeyutl to use Ed448 and Ed25519 With the recent addition of the -rawin option it should be possible for pkeyutl to sign and verify with Ed448 and Ed2559. The main remaining stumbling block is that those algorirthms only support "oneshot" operation. This commit enables pkeyutl to handle that. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/8431) 2019-03-07 18:37:34 +08:00			`'-digest', 'sm3', '-pkeyopt', 'sm2_id:someid']))),`
			`"Verify an SM2 signature against a piece of data");`
Support raw input data in apps/pkeyutl Some signature algorithms require special treatment for digesting, such as SM2. This patch adds the ability of handling raw input data in apps/pkeyutl other than accepting only pre-hashed input data. Beside, SM2 requries an ID string when signing or verifying a piece of data, this patch also adds the ability for apps/pkeyutil to specify that ID string. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8186) 2019-01-16 16:16:28 +08:00			`}`

Fix no-ec, no-sm2 and no-sm3 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8372) 2019-02-28 21:47:26 +08:00			`SKIP: {`
Enable pkeyutl to use Ed448 and Ed25519 With the recent addition of the -rawin option it should be possible for pkeyutl to sign and verify with Ed448 and Ed2559. The main remaining stumbling block is that those algorirthms only support "oneshot" operation. This commit enables pkeyutl to handle that. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/8431) 2019-03-07 18:37:34 +08:00			`skip "Skipping tests that require EC", 4`
			`if disabled("ec");`

			`# Ed25519`
			`ok(run(app(([ 'openssl', 'pkeyutl', '-sign', '-in',`
			`srctop_file('test', 'certs', 'server-ed25519-cert.pem'),`
			`'-inkey', srctop_file('test', 'certs', 'server-ed25519-key.pem'),`
TEST: Modify test/recipes/20-test_pkeyutl.t to leave artifacts behind Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11080) 2020-02-14 14:01:15 +08:00			`'-out', 'Ed25519.sig', '-rawin']))),`
Enable pkeyutl to use Ed448 and Ed25519 With the recent addition of the -rawin option it should be possible for pkeyutl to sign and verify with Ed448 and Ed2559. The main remaining stumbling block is that those algorirthms only support "oneshot" operation. This commit enables pkeyutl to handle that. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/8431) 2019-03-07 18:37:34 +08:00			`"Sign a piece of data using Ed25519");`
			`ok(run(app(([ 'openssl', 'pkeyutl', '-verify', '-certin', '-in',`
			`srctop_file('test', 'certs', 'server-ed25519-cert.pem'),`
			`'-inkey', srctop_file('test', 'certs', 'server-ed25519-cert.pem'),`
TEST: Modify test/recipes/20-test_pkeyutl.t to leave artifacts behind Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11080) 2020-02-14 14:01:15 +08:00			`'-sigfile', 'Ed25519.sig', '-rawin']))),`
Enable pkeyutl to use Ed448 and Ed25519 With the recent addition of the -rawin option it should be possible for pkeyutl to sign and verify with Ed448 and Ed2559. The main remaining stumbling block is that those algorirthms only support "oneshot" operation. This commit enables pkeyutl to handle that. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/8431) 2019-03-07 18:37:34 +08:00			`"Verify an Ed25519 signature against a piece of data");`
Fix no-ec, no-sm2 and no-sm3 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8372) 2019-02-28 21:47:26 +08:00
Enable pkeyutl to use Ed448 and Ed25519 With the recent addition of the -rawin option it should be possible for pkeyutl to sign and verify with Ed448 and Ed2559. The main remaining stumbling block is that those algorirthms only support "oneshot" operation. This commit enables pkeyutl to handle that. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/8431) 2019-03-07 18:37:34 +08:00			`# Ed448`
			`ok(run(app(([ 'openssl', 'pkeyutl', '-sign', '-in',`
			`srctop_file('test', 'certs', 'server-ed448-cert.pem'),`
			`'-inkey', srctop_file('test', 'certs', 'server-ed448-key.pem'),`
TEST: Modify test/recipes/20-test_pkeyutl.t to leave artifacts behind Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11080) 2020-02-14 14:01:15 +08:00			`'-out', 'Ed448.sig', '-rawin']))),`
Enable pkeyutl to use Ed448 and Ed25519 With the recent addition of the -rawin option it should be possible for pkeyutl to sign and verify with Ed448 and Ed2559. The main remaining stumbling block is that those algorirthms only support "oneshot" operation. This commit enables pkeyutl to handle that. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/8431) 2019-03-07 18:37:34 +08:00			`"Sign a piece of data using Ed448");`
			`ok(run(app(([ 'openssl', 'pkeyutl', '-verify', '-certin', '-in',`
			`srctop_file('test', 'certs', 'server-ed448-cert.pem'),`
			`'-inkey', srctop_file('test', 'certs', 'server-ed448-cert.pem'),`
TEST: Modify test/recipes/20-test_pkeyutl.t to leave artifacts behind Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11080) 2020-02-14 14:01:15 +08:00			`'-sigfile', 'Ed448.sig', '-rawin']))),`
Enable pkeyutl to use Ed448 and Ed25519 With the recent addition of the -rawin option it should be possible for pkeyutl to sign and verify with Ed448 and Ed2559. The main remaining stumbling block is that those algorirthms only support "oneshot" operation. This commit enables pkeyutl to handle that. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/8431) 2019-03-07 18:37:34 +08:00			`"Verify an Ed448 signature against a piece of data");`
Fix no-ec, no-sm2 and no-sm3 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8372) 2019-02-28 21:47:26 +08:00			`}`
Support raw input data in apps/pkeyutl Some signature algorithms require special treatment for digesting, such as SM2. This patch adds the ability of handling raw input data in apps/pkeyutl other than accepting only pre-hashed input data. Beside, SM2 requries an ID string when signing or verifying a piece of data, this patch also adds the ability for apps/pkeyutil to specify that ID string. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8186) 2019-01-16 16:16:28 +08:00
More testing for sign/verify through `dgst` and `pkeyutl` Add tests for signature generation and verification with `dgst` and `pkeyutl` CLI for common key types: - RSA - DSA - ECDSA - EdDSA Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10410) 2019-11-11 21:52:52 +08:00			`sub tsignverify {`
			`my $testtext = shift;`
			`my $privkey = shift;`
			`my $pubkey = shift;`
			`my @extraopts = @_;`

			`my $data_to_sign = srctop_file('test', 'README');`
			`my $other_data = srctop_file('test', 'README.external');`
TEST: Modify test/recipes/20-test_pkeyutl.t to leave artifacts behind Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11080) 2020-02-14 14:01:15 +08:00			`my $sigfile = basename($privkey, '.pem') . '.sig';`
More testing for sign/verify through `dgst` and `pkeyutl` Add tests for signature generation and verification with `dgst` and `pkeyutl` CLI for common key types: - RSA - DSA - ECDSA - EdDSA Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10410) 2019-11-11 21:52:52 +08:00
			`my @args = ();`
			`plan tests => 4;`

			`@args = ('openssl', 'pkeyutl', '-sign',`
			`'-inkey', $privkey,`
			`'-out', $sigfile,`
			`'-in', $data_to_sign);`
			`push(@args, @extraopts);`
			`ok(run(app([@args])),`
			`$testtext.": Generating signature");`

			`@args = ('openssl', 'pkeyutl', '-verify',`
			`'-inkey', $privkey,`
			`'-sigfile', $sigfile,`
			`'-in', $data_to_sign);`
			`push(@args, @extraopts);`
			`ok(run(app([@args])),`
			`$testtext.": Verify signature with private key");`

			`@args = ('openssl', 'pkeyutl', '-verify',`
			`'-inkey', $pubkey, '-pubin',`
			`'-sigfile', $sigfile,`
			`'-in', $data_to_sign);`
			`push(@args, @extraopts);`
			`ok(run(app([@args])),`
			`$testtext.": Verify signature with public key");`

			`@args = ('openssl', 'pkeyutl', '-verify',`
			`'-inkey', $pubkey, '-pubin',`
			`'-sigfile', $sigfile,`
			`'-in', $other_data);`
			`push(@args, @extraopts);`
			`ok(!run(app([@args])),`
			`$testtext.": Expect failure verifying mismatching data");`
			`}`

			`SKIP: {`
			`skip "RSA is not supported by this OpenSSL build", 1`
			`if disabled("rsa");`

			`subtest "RSA CLI signature generation and verification" => sub {`
			`tsignverify("RSA",`
			`srctop_file("test","testrsa.pem"),`
			`srctop_file("test","testrsapub.pem"),`
			`"-rawin", "-digest", "sha256");`
			`};`
			`}`

			`SKIP: {`
			`skip "DSA is not supported by this OpenSSL build", 1`
			`if disabled("dsa");`

			`subtest "DSA CLI signature generation and verification" => sub {`
			`tsignverify("DSA",`
			`srctop_file("test","testdsa.pem"),`
			`srctop_file("test","testdsapub.pem"),`
			`"-rawin", "-digest", "sha256");`
			`};`
			`}`

			`SKIP: {`
			`skip "ECDSA is not supported by this OpenSSL build", 1`
			`if disabled("ec");`

			`subtest "ECDSA CLI signature generation and verification" => sub {`
			`tsignverify("ECDSA",`
			`srctop_file("test","testec-p256.pem"),`
			`srctop_file("test","testecpub-p256.pem"),`
			`"-rawin", "-digest", "sha256");`
			`};`
			`}`

			`SKIP: {`
			`skip "EdDSA is not supported by this OpenSSL build", 2`
			`if disabled("ec");`

			`subtest "Ed2559 CLI signature generation and verification" => sub {`
			`tsignverify("Ed25519",`
			`srctop_file("test","tested25519.pem"),`
			`srctop_file("test","tested25519pub.pem"),`
			`"-rawin");`
			`};`

			`subtest "Ed448 CLI signature generation and verification" => sub {`
			`tsignverify("Ed448",`
			`srctop_file("test","tested448.pem"),`
			`srctop_file("test","tested448pub.pem"),`
			`"-rawin");`
			`};`
			`}`