2016-04-22 19:21:51 +08:00
|
|
|
#! /usr/bin/env perl
|
2022-05-03 18:52:38 +08:00
|
|
|
# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
|
2016-04-22 19:21:51 +08:00
|
|
|
#
|
2018-12-06 20:05:25 +08:00
|
|
|
# Licensed under the Apache License 2.0 (the "License"). You may not use
|
2016-04-22 19:21:51 +08:00
|
|
|
# this file except in compliance with the License. You can obtain a copy
|
|
|
|
|
# in the file LICENSE in the source distribution or at
|
|
|
|
|
# https://www.openssl.org/source/license.html
|
|
|
|
|
|
2015-04-20 04:24:17 +08:00
|
|
|
|
|
|
|
|
use strict;
|
|
|
|
|
use warnings;
|
|
|
|
|
|
|
|
|
|
use POSIX;
|
|
|
|
|
use File::Spec::Functions qw/catfile/;
|
2020-09-23 16:19:50 +08:00
|
|
|
use File::Compare qw/compare_text compare/;
|
2023-01-19 00:07:24 +08:00
|
|
|
use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with data_file/;
|
2020-07-26 15:36:33 +08:00
|
|
|
|
2015-09-20 05:19:14 +08:00
|
|
|
use OpenSSL::Test::Utils;
|
2015-04-20 04:24:17 +08:00
|
|
|
|
2020-07-26 15:36:33 +08:00
|
|
|
BEGIN {
|
|
|
|
|
setup("test_cms");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
use lib srctop_dir('Configurations');
|
|
|
|
|
use lib bldtop_dir('.');
|
|
|
|
|
|
|
|
|
|
my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
2015-04-20 04:24:17 +08:00
|
|
|
|
2016-03-21 19:07:14 +08:00
|
|
|
plan skip_all => "CMS is not supported by this OpenSSL build"
|
|
|
|
|
if disabled("cms");
|
|
|
|
|
|
2020-04-09 10:47:46 +08:00
|
|
|
my $provpath = bldtop_dir("providers");
|
2020-07-26 15:36:33 +08:00
|
|
|
|
|
|
|
|
# Some tests require legacy algorithms to be included.
|
2020-08-17 13:40:00 +08:00
|
|
|
my @legacyprov = ("-provider-path", $provpath,
|
2020-07-26 15:36:33 +08:00
|
|
|
"-provider", "default",
|
|
|
|
|
"-provider", "legacy" );
|
2020-08-17 13:40:00 +08:00
|
|
|
my @defaultprov = ("-provider-path", $provpath,
|
2020-07-26 15:36:33 +08:00
|
|
|
"-provider", "default");
|
|
|
|
|
|
|
|
|
|
my @config = ( );
|
|
|
|
|
my $provname = 'default';
|
2020-04-09 10:47:46 +08:00
|
|
|
|
2019-06-03 13:19:48 +08:00
|
|
|
my $datadir = srctop_dir("test", "recipes", "80-test_cms_data");
|
2016-01-30 08:05:33 +08:00
|
|
|
my $smdir = srctop_dir("test", "smime-certs");
|
|
|
|
|
my $smcont = srctop_file("test", "smcont.txt");
|
2020-10-07 18:05:28 +08:00
|
|
|
my $smcont_zero = srctop_file("test", "smcont_zero.txt");
|
2016-03-19 01:43:58 +08:00
|
|
|
my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
|
|
|
|
|
= disabled qw/des dh dsa ec ec2m rc2 zlib/;
|
2015-04-20 04:24:17 +08:00
|
|
|
|
2020-12-02 21:19:52 +08:00
|
|
|
$no_rc2 = 1 if disabled("legacy");
|
|
|
|
|
|
2023-01-19 15:37:53 +08:00
|
|
|
plan tests => 20;
|
2021-05-28 09:42:41 +08:00
|
|
|
|
|
|
|
|
ok(run(test(["pkcs7_test"])), "test pkcs7");
|
2020-07-26 15:36:33 +08:00
|
|
|
|
|
|
|
|
unless ($no_fips) {
|
2020-08-30 15:53:22 +08:00
|
|
|
@config = ( "-config", srctop_file("test", "fips-and-base.cnf") );
|
2020-07-26 15:36:33 +08:00
|
|
|
$provname = 'fips';
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$ENV{OPENSSL_TEST_LIBCTX} = "1";
|
2020-08-17 13:40:00 +08:00
|
|
|
my @prov = ("-provider-path", $provpath,
|
2020-07-26 15:36:33 +08:00
|
|
|
@config,
|
|
|
|
|
"-provider", $provname);
|
2015-04-20 04:24:17 +08:00
|
|
|
|
2022-11-21 21:33:57 +08:00
|
|
|
my $smrsa1024 = catfile($smdir, "smrsa1024.pem");
|
2021-05-27 21:11:31 +08:00
|
|
|
my $smrsa1 = catfile($smdir, "smrsa1.pem");
|
|
|
|
|
my $smroot = catfile($smdir, "smroot.pem");
|
|
|
|
|
|
2015-04-20 04:24:17 +08:00
|
|
|
my @smime_pkcs7_tests = (
|
|
|
|
|
|
|
|
|
|
[ "signed content DER format, RSA key",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
2020-02-14 15:34:40 +08:00
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
|
|
|
|
[ "signed detached content DER format, RSA key",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-signer", $smrsa1, "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-content", $smcont ],
|
|
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
|
|
|
|
[ "signed content test streaming BER format, RSA",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-stream",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-signer", $smrsa1, "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
2020-02-14 15:34:40 +08:00
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
|
|
|
|
[ "signed content DER format, DSA key",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
2020-02-14 15:34:40 +08:00
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
|
|
|
|
[ "signed detached content DER format, DSA key",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-content", $smcont ],
|
|
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
2016-03-19 01:43:58 +08:00
|
|
|
[ "signed detached content DER format, add RSA signer (with DSA existing)",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-signer", $smrsa1, "-out", "{output}2.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}2.cms", "-inform", "DER",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-content", $smcont ],
|
|
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
|
|
|
|
[ "signed content test streaming BER format, DSA key",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-nodetach", "-stream",
|
|
|
|
|
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
2020-02-14 15:34:40 +08:00
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
|
|
|
|
[ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-nodetach", "-stream",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-signer", $smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-signer", catfile($smdir, "smrsa2.pem"),
|
|
|
|
|
"-signer", catfile($smdir, "smdsa1.pem"),
|
|
|
|
|
"-signer", catfile($smdir, "smdsa2.pem"),
|
|
|
|
|
"-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
2020-02-14 15:34:40 +08:00
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
|
|
|
|
[ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-noattr", "-nodetach", "-stream",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-signer", $smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-signer", catfile($smdir, "smrsa2.pem"),
|
|
|
|
|
"-signer", catfile($smdir, "smdsa1.pem"),
|
|
|
|
|
"-signer", catfile($smdir, "smdsa2.pem"),
|
|
|
|
|
"-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
2020-02-14 15:34:40 +08:00
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
2016-11-23 06:07:16 +08:00
|
|
|
[ "signed content S/MIME format, RSA key SHA1",
|
2020-08-29 10:25:54 +08:00
|
|
|
[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-certfile", $smroot,
|
|
|
|
|
"-signer", $smrsa1, "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
2020-02-14 15:34:40 +08:00
|
|
|
\&final_compare
|
2016-11-23 06:07:16 +08:00
|
|
|
],
|
|
|
|
|
|
2020-10-07 18:05:28 +08:00
|
|
|
[ "signed zero-length content S/MIME format, RSA key SHA1",
|
|
|
|
|
[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
|
2020-10-07 18:05:28 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
2020-10-07 18:05:28 +08:00
|
|
|
\&zero_compare
|
|
|
|
|
],
|
|
|
|
|
|
2015-04-20 04:24:17 +08:00
|
|
|
[ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-signer", $smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-signer", catfile($smdir, "smrsa2.pem"),
|
|
|
|
|
"-signer", catfile($smdir, "smdsa1.pem"),
|
|
|
|
|
"-signer", catfile($smdir, "smdsa2.pem"),
|
|
|
|
|
"-stream", "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
2020-02-14 15:34:40 +08:00
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
|
|
|
|
[ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont,
|
2021-05-27 21:11:31 +08:00
|
|
|
"-signer", $smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-signer", catfile($smdir, "smrsa2.pem"),
|
|
|
|
|
"-signer", catfile($smdir, "smdsa1.pem"),
|
|
|
|
|
"-signer", catfile($smdir, "smdsa2.pem"),
|
|
|
|
|
"-stream", "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
2020-02-14 15:34:40 +08:00
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
2016-03-18 23:56:06 +08:00
|
|
|
[ "enveloped content test streaming S/MIME format, DES, 3 recipients",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-stream", "-out", "{output}.cms",
|
2021-05-27 21:11:31 +08:00
|
|
|
$smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
catfile($smdir, "smrsa2.pem"),
|
|
|
|
|
catfile($smdir, "smrsa3.pem") ],
|
2021-05-27 21:11:31 +08:00
|
|
|
[ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-in", "{output}.cms", "-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
2016-03-18 23:56:06 +08:00
|
|
|
[ "enveloped content test streaming S/MIME format, DES, 3 recipients, 3rd used",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-stream", "-out", "{output}.cms",
|
2021-05-27 21:11:31 +08:00
|
|
|
$smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
catfile($smdir, "smrsa2.pem"),
|
|
|
|
|
catfile($smdir, "smrsa3.pem") ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smrsa3.pem"),
|
2020-02-14 15:34:40 +08:00
|
|
|
"-in", "{output}.cms", "-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
2016-03-18 23:56:06 +08:00
|
|
|
[ "enveloped content test streaming S/MIME format, DES, 3 recipients, key only used",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-stream", "-out", "{output}.cms",
|
2021-05-27 21:11:31 +08:00
|
|
|
$smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
catfile($smdir, "smrsa2.pem"),
|
|
|
|
|
catfile($smdir, "smrsa3.pem") ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @defaultprov, "-decrypt", "-inkey", catfile($smdir, "smrsa3.pem"),
|
2020-02-14 15:34:40 +08:00
|
|
|
"-in", "{output}.cms", "-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
|
|
|
|
[ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-aes256", "-stream", "-out", "{output}.cms",
|
2021-05-27 21:11:31 +08:00
|
|
|
$smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
catfile($smdir, "smrsa2.pem"),
|
|
|
|
|
catfile($smdir, "smrsa3.pem") ],
|
2021-05-27 21:11:31 +08:00
|
|
|
[ "{cmd2}", @prov, "-decrypt", "-recip", $smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-in", "{output}.cms", "-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
my @smime_cms_tests = (
|
|
|
|
|
|
|
|
|
|
[ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-nodetach", "-keyid",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-signer", $smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-signer", catfile($smdir, "smrsa2.pem"),
|
|
|
|
|
"-signer", catfile($smdir, "smdsa1.pem"),
|
|
|
|
|
"-signer", catfile($smdir, "smdsa2.pem"),
|
|
|
|
|
"-stream", "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
2020-02-14 15:34:40 +08:00
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
|
|
|
|
[ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-signer", $smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-signer", catfile($smdir, "smrsa2.pem"),
|
|
|
|
|
"-signer", catfile($smdir, "smdsa1.pem"),
|
|
|
|
|
"-signer", catfile($smdir, "smdsa2.pem"),
|
|
|
|
|
"-stream", "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
2020-02-14 15:34:40 +08:00
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
|
|
|
|
[ "signed content MIME format, RSA key, signed receipt request",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-signer", $smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-receipt_request_to", "test\@openssl.org", "-receipt_request_all",
|
|
|
|
|
"-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
2020-02-14 15:34:40 +08:00
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
|
|
|
|
[ "signed receipt MIME format, RSA key",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-signer", $smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-receipt_request_to", "test\@openssl.org", "-receipt_request_all",
|
|
|
|
|
"-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign_receipt", "-in", "{output}.cms",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-signer", catfile($smdir, "smrsa2.pem"), "-out", "{output}2.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify_receipt", "{output}2.cms", "-in", "{output}.cms",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot ]
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
2016-03-18 23:56:06 +08:00
|
|
|
[ "enveloped content test streaming S/MIME format, DES, 3 recipients, keyid",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-stream", "-out", "{output}.cms", "-keyid",
|
2021-05-27 21:11:31 +08:00
|
|
|
$smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
catfile($smdir, "smrsa2.pem"),
|
|
|
|
|
catfile($smdir, "smrsa3.pem") ],
|
2021-05-27 21:11:31 +08:00
|
|
|
[ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-in", "{output}.cms", "-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
2020-09-07 02:11:34 +08:00
|
|
|
[ "enveloped content test streaming PEM format, AES-256-CBC cipher, KEK",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-stream", "-out", "{output}.cms",
|
|
|
|
|
"-secretkey", "000102030405060708090A0B0C0D0E0F",
|
|
|
|
|
"-secretkeyid", "C0FEE0" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-inform", "PEM",
|
|
|
|
|
"-secretkey", "000102030405060708090A0B0C0D0E0F",
|
|
|
|
|
"-secretkeyid", "C0FEE0" ],
|
|
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
2020-09-07 02:11:34 +08:00
|
|
|
[ "enveloped content test streaming PEM format, AES-256-GCM cipher, KEK",
|
|
|
|
|
[ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes-128-gcm",
|
|
|
|
|
"-stream", "-out", "{output}.cms",
|
|
|
|
|
"-secretkey", "000102030405060708090A0B0C0D0E0F",
|
|
|
|
|
"-secretkeyid", "C0FEE0" ],
|
|
|
|
|
[ "{cmd2}", "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
|
|
|
|
|
"-inform", "PEM",
|
|
|
|
|
"-secretkey", "000102030405060708090A0B0C0D0E0F",
|
|
|
|
|
"-secretkeyid", "C0FEE0" ],
|
|
|
|
|
\&final_compare
|
|
|
|
|
],
|
|
|
|
|
|
2015-04-20 04:24:17 +08:00
|
|
|
[ "enveloped content test streaming PEM format, KEK, key only",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-stream", "-out", "{output}.cms",
|
|
|
|
|
"-secretkey", "000102030405060708090A0B0C0D0E0F",
|
|
|
|
|
"-secretkeyid", "C0FEE0" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-inform", "PEM",
|
|
|
|
|
"-secretkey", "000102030405060708090A0B0C0D0E0F" ],
|
|
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
|
|
|
|
[ "data content test streaming PEM format",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-data_create", "-in", $smcont, "-outform", "PEM",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-nodetach", "-stream", "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-data_out", "-in", "{output}.cms", "-inform", "PEM",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
|
|
|
|
[ "encrypted content test streaming PEM format, 128 bit RC2 key",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @legacyprov, "-EncryptedData_encrypt",
|
2020-04-09 10:47:46 +08:00
|
|
|
"-in", $smcont, "-outform", "PEM",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-rc2", "-secretkey", "000102030405060708090A0B0C0D0E0F",
|
|
|
|
|
"-stream", "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @legacyprov, "-EncryptedData_decrypt", "-in", "{output}.cms",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-inform", "PEM",
|
|
|
|
|
"-secretkey", "000102030405060708090A0B0C0D0E0F",
|
|
|
|
|
"-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
|
|
|
|
[ "encrypted content test streaming PEM format, 40 bit RC2 key",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @legacyprov, "-EncryptedData_encrypt",
|
2020-04-09 10:47:46 +08:00
|
|
|
"-in", $smcont, "-outform", "PEM",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-rc2", "-secretkey", "0001020304",
|
|
|
|
|
"-stream", "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @legacyprov, "-EncryptedData_decrypt", "-in", "{output}.cms",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-inform", "PEM",
|
|
|
|
|
"-secretkey", "0001020304", "-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
2022-11-09 08:31:50 +08:00
|
|
|
[ "encrypted content test streaming PEM format, triple DES key",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
|
2022-11-09 08:31:50 +08:00
|
|
|
"-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-stream", "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-EncryptedData_decrypt", "-in", "{output}.cms",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-inform", "PEM",
|
2022-11-09 08:31:50 +08:00
|
|
|
"-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
2022-11-09 08:31:50 +08:00
|
|
|
[ "encrypted content test streaming PEM format, 128 bit AES key",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
|
2022-11-09 08:31:50 +08:00
|
|
|
"-aes128", "-secretkey", "000102030405060708090A0B0C0D0E0F",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-stream", "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-EncryptedData_decrypt", "-in", "{output}.cms",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-inform", "PEM",
|
2022-11-09 08:31:50 +08:00
|
|
|
"-secretkey", "000102030405060708090A0B0C0D0E0F",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
2022-11-09 08:31:50 +08:00
|
|
|
);
|
2015-04-20 04:24:17 +08:00
|
|
|
|
2019-06-13 01:52:39 +08:00
|
|
|
my @smime_cms_cades_tests = (
|
|
|
|
|
|
|
|
|
|
[ "signed content DER format, RSA key, CAdES-BES compatible",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-cades", "-in", $smcont, "-outform", "DER",
|
2019-06-13 01:52:39 +08:00
|
|
|
"-nodetach",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
2019-06-13 01:52:39 +08:00
|
|
|
\&final_compare
|
|
|
|
|
],
|
|
|
|
|
|
|
|
|
|
[ "signed content DER format, RSA key, SHA256 md, CAdES-BES compatible",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-cades", "-md", "sha256", "-in", $smcont, "-outform",
|
2021-05-27 21:11:31 +08:00
|
|
|
"DER", "-nodetach", "-certfile", $smroot,
|
|
|
|
|
"-signer", $smrsa1, "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
2019-06-13 01:52:39 +08:00
|
|
|
\&final_compare
|
|
|
|
|
],
|
|
|
|
|
|
|
|
|
|
[ "signed content DER format, RSA key, SHA512 md, CAdES-BES compatible",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-cades", "-md", "sha512", "-in", $smcont, "-outform",
|
2021-05-27 21:11:31 +08:00
|
|
|
"DER", "-nodetach", "-certfile", $smroot,
|
|
|
|
|
"-signer", $smrsa1, "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
2019-06-13 01:52:39 +08:00
|
|
|
\&final_compare
|
|
|
|
|
],
|
|
|
|
|
|
|
|
|
|
[ "signed content DER format, RSA key, SHA256 md, CAdES-BES compatible",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256",
|
2019-06-13 01:52:39 +08:00
|
|
|
"-in", $smcont, "-outform", "DER",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-certfile", $smroot, "-signer", $smrsa1,
|
2019-06-13 01:52:39 +08:00
|
|
|
"-outform", "DER", "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
2019-06-13 01:52:39 +08:00
|
|
|
\&final_compare
|
|
|
|
|
],
|
|
|
|
|
|
|
|
|
|
[ "resigned content DER format, RSA key, SHA256 md, CAdES-BES compatible",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256",
|
2019-06-13 01:52:39 +08:00
|
|
|
"-in", $smcont, "-outform", "DER",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-certfile", $smroot, "-signer", $smrsa1,
|
2019-06-13 01:52:39 +08:00
|
|
|
"-outform", "DER", "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-resign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256",
|
2019-06-13 01:52:39 +08:00
|
|
|
"-inform", "DER", "-in", "{output}.cms",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-certfile", $smroot, "-signer", catfile($smdir, "smrsa2.pem"),
|
2019-06-13 01:52:39 +08:00
|
|
|
"-outform", "DER", "-out", "{output}2.cms" ],
|
|
|
|
|
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}2.cms", "-inform", "DER",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
2019-06-13 01:52:39 +08:00
|
|
|
\&final_compare
|
|
|
|
|
],
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
my @smime_cms_cades_ko_tests = (
|
2021-03-13 02:45:40 +08:00
|
|
|
[ "sign content DER format, RSA key, not CAdES-BES compatible",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
|
2022-11-22 22:05:45 +08:00
|
|
|
"-certfile", $smroot, "-signer", $smrsa1, "-out", "cades-ko.cms" ],
|
2021-03-16 03:24:40 +08:00
|
|
|
"fail to verify token since requiring CAdES-BES compatibility",
|
2022-11-22 22:05:45 +08:00
|
|
|
[ @prov, "-verify", "-cades", "-in", "cades-ko.cms", "-inform", "DER",
|
|
|
|
|
"-CAfile", $smroot, "-out", "cades-ko.txt" ],
|
2019-06-13 01:52:39 +08:00
|
|
|
\&final_compare
|
|
|
|
|
]
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
# cades options test - check that some combinations are rejected
|
|
|
|
|
my @smime_cms_cades_invalid_option_tests = (
|
|
|
|
|
[
|
|
|
|
|
[ "-cades", "-noattr" ],
|
|
|
|
|
],[
|
|
|
|
|
[ "-verify", "-cades", "-noattr" ],
|
|
|
|
|
],[
|
|
|
|
|
[ "-verify", "-cades", "-noverify" ],
|
|
|
|
|
],
|
|
|
|
|
);
|
|
|
|
|
|
2015-04-20 04:24:17 +08:00
|
|
|
my @smime_cms_comp_tests = (
|
|
|
|
|
|
|
|
|
|
[ "compressed content test streaming PEM format",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-compress", "-in", $smcont, "-outform", "PEM", "-nodetach",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-stream", "-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-uncompress", "-in", "{output}.cms", "-inform", "PEM",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
]
|
|
|
|
|
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
my @smime_cms_param_tests = (
|
|
|
|
|
[ "signed content test streaming PEM format, RSA keys, PSS signature",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-signer", $smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-keyopt", "rsa_padding_mode:pss",
|
|
|
|
|
"-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
2020-02-14 15:34:40 +08:00
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
2019-05-02 19:57:35 +08:00
|
|
|
[ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=max",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-signer", $smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:max",
|
|
|
|
|
"-out", "{output}.cms" ],
|
2022-11-21 21:33:57 +08:00
|
|
|
sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 222; },
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
2020-02-14 15:34:40 +08:00
|
|
|
\&final_compare
|
2019-03-31 19:56:23 +08:00
|
|
|
],
|
|
|
|
|
|
2015-04-20 04:24:17 +08:00
|
|
|
[ "signed content test streaming PEM format, RSA keys, PSS signature, no attributes",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-noattr", "-signer", $smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-keyopt", "rsa_padding_mode:pss",
|
|
|
|
|
"-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
2020-02-14 15:34:40 +08:00
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
|
|
|
|
[ "signed content test streaming PEM format, RSA keys, PSS signature, SHA384 MGF1",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-signer", $smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_mgf1_md:sha384",
|
|
|
|
|
"-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
2020-02-14 15:34:40 +08:00
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
2022-11-21 21:33:57 +08:00
|
|
|
[ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=16",
|
|
|
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
|
|
|
|
|
"-signer", $smrsa1, "-md", "sha256",
|
|
|
|
|
"-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:16",
|
|
|
|
|
"-out", "{output}.cms" ],
|
|
|
|
|
sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 16; },
|
|
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
|
|
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
|
|
|
|
],
|
|
|
|
|
|
|
|
|
|
[ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=digest",
|
|
|
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
|
|
|
|
|
"-signer", $smrsa1, "-md", "sha256",
|
|
|
|
|
"-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:digest",
|
|
|
|
|
"-out", "{output}.cms" ],
|
|
|
|
|
# digest is SHA-256, which produces 32 bytes of output
|
|
|
|
|
sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 32; },
|
|
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
|
|
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
|
|
|
|
],
|
|
|
|
|
|
2016-03-18 23:56:06 +08:00
|
|
|
[ "enveloped content test streaming S/MIME format, DES, OAEP default parameters",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-stream", "-out", "{output}.cms",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-recip", $smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-keyopt", "rsa_padding_mode:oaep" ],
|
2021-05-27 21:11:31 +08:00
|
|
|
[ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-in", "{output}.cms", "-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
2016-03-18 23:56:06 +08:00
|
|
|
[ "enveloped content test streaming S/MIME format, DES, OAEP SHA256",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-stream", "-out", "{output}.cms",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-recip", $smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-keyopt", "rsa_padding_mode:oaep",
|
|
|
|
|
"-keyopt", "rsa_oaep_md:sha256" ],
|
2021-05-27 21:11:31 +08:00
|
|
|
[ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-in", "{output}.cms", "-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
2016-03-18 23:56:06 +08:00
|
|
|
[ "enveloped content test streaming S/MIME format, DES, ECDH",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-stream", "-out", "{output}.cms",
|
|
|
|
|
"-recip", catfile($smdir, "smec1.pem") ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
|
2020-02-14 15:34:40 +08:00
|
|
|
"-in", "{output}.cms", "-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
2017-08-08 22:25:14 +08:00
|
|
|
[ "enveloped content test streaming S/MIME format, DES, ECDH, 2 recipients, key only used",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-stream", "-out", "{output}.cms",
|
|
|
|
|
catfile($smdir, "smec1.pem"),
|
|
|
|
|
catfile($smdir, "smec3.pem") ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @defaultprov, "-decrypt", "-inkey", catfile($smdir, "smec3.pem"),
|
2020-02-14 15:34:40 +08:00
|
|
|
"-in", "{output}.cms", "-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
2017-08-08 22:25:14 +08:00
|
|
|
],
|
|
|
|
|
|
2016-03-18 23:56:06 +08:00
|
|
|
[ "enveloped content test streaming S/MIME format, ECDH, DES, key identifier",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @defaultprov, "-encrypt", "-keyid", "-in", $smcont,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-stream", "-out", "{output}.cms",
|
|
|
|
|
"-recip", catfile($smdir, "smec1.pem") ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
|
2020-02-14 15:34:40 +08:00
|
|
|
"-in", "{output}.cms", "-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
2020-09-07 02:11:34 +08:00
|
|
|
[ "enveloped content test streaming S/MIME format, ECDH, AES-128-CBC, SHA256 KDF",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-stream", "-out", "{output}.cms",
|
|
|
|
|
"-recip", catfile($smdir, "smec1.pem"), "-aes128",
|
|
|
|
|
"-keyopt", "ecdh_kdf_md:sha256" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
|
2020-02-14 15:34:40 +08:00
|
|
|
"-in", "{output}.cms", "-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
2015-04-20 04:24:17 +08:00
|
|
|
],
|
|
|
|
|
|
2020-09-07 02:11:34 +08:00
|
|
|
[ "enveloped content test streaming S/MIME format, ECDH, AES-128-GCM cipher, SHA256 KDF",
|
|
|
|
|
[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
|
|
|
|
|
"-stream", "-out", "{output}.cms",
|
|
|
|
|
"-recip", catfile($smdir, "smec1.pem"), "-aes-128-gcm", "-keyopt", "ecdh_kdf_md:sha256" ],
|
|
|
|
|
[ "{cmd2}", "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
|
2021-01-14 21:43:11 +08:00
|
|
|
"-in", "{output}.cms", "-out", "{output}.txt" ],
|
2020-09-07 02:11:34 +08:00
|
|
|
\&final_compare
|
|
|
|
|
],
|
|
|
|
|
|
2015-04-20 04:24:17 +08:00
|
|
|
[ "enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
|
2020-02-14 15:34:40 +08:00
|
|
|
"-stream", "-out", "{output}.cms",
|
|
|
|
|
"-recip", catfile($smdir, "smec2.pem"), "-aes128",
|
|
|
|
|
"-keyopt", "ecdh_kdf_md:sha256", "-keyopt", "ecdh_cofactor_mode:1" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smec2.pem"),
|
2020-02-14 15:34:40 +08:00
|
|
|
"-in", "{output}.cms", "-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
2021-01-14 21:43:11 +08:00
|
|
|
],
|
2020-07-26 15:36:33 +08:00
|
|
|
|
2021-01-14 21:43:11 +08:00
|
|
|
[ "enveloped content test streaming S/MIME format, X9.42 DH",
|
|
|
|
|
[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
|
|
|
|
|
"-stream", "-out", "{output}.cms",
|
|
|
|
|
"-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
|
2021-01-16 01:33:40 +08:00
|
|
|
[ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
|
2021-01-14 21:43:11 +08:00
|
|
|
"-in", "{output}.cms", "-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
|
|
|
|
]
|
2019-06-13 01:52:39 +08:00
|
|
|
);
|
2015-04-20 04:24:17 +08:00
|
|
|
|
signature: Clamp PSS salt len to MD len
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
the hash function output block (in bytes)."
Introduce a new option RSA_PSS_SALTLEN_AUTO_DIGEST_MAX and make it the
default. The new value will behave like RSA_PSS_SALTLEN_AUTO, but will
not use more than the digest length when signing, so that FIPS 186-4 is
not violated. This value has two advantages when compared with
RSA_PSS_SALTLEN_DIGEST: (1) It will continue to do auto-detection when
verifying signatures for maximum compatibility, where
RSA_PSS_SALTLEN_DIGEST would fail for other digest sizes. (2) It will
work for combinations where the maximum salt length is smaller than the
digest size, which typically happens with large digest sizes (e.g.,
SHA-512) and small RSA keys.
J.-S. Coron shows in "Optimal Security Proofs for PSS and Other
Signature Schemes. Advances in Cryptology – Eurocrypt 2002, volume 2332
of Lecture Notes in Computer Science, pp. 272 – 287. Springer Verlag,
2002." that longer salts than the output size of modern hash functions
do not increase security: "For example,for an application in which at
most one billion signatures will be generated, k0 = 30 bits of random
salt are actually sufficient to guarantee the same level of security as
RSA, and taking a larger salt does not increase the security level."
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19724)
2022-11-18 19:35:33 +08:00
|
|
|
my @smime_cms_param_tests_autodigestmax = (
|
|
|
|
|
[ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=auto-digestmax, digestsize < maximum salt length",
|
|
|
|
|
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
|
|
|
|
|
"-signer", $smrsa1, "-md", "sha256",
|
|
|
|
|
"-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:auto-digestmax",
|
|
|
|
|
"-out", "{output}.cms" ],
|
|
|
|
|
# digest is SHA-256, which produces 32, bytes of output
|
|
|
|
|
sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 32; },
|
|
|
|
|
[ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
|
|
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
|
|
|
|
],
|
|
|
|
|
|
|
|
|
|
[ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=auto-digestmax, digestsize > maximum salt length",
|
|
|
|
|
[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
|
|
|
|
|
"-signer", $smrsa1024, "-md", "sha512",
|
|
|
|
|
"-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:auto-digestmax",
|
|
|
|
|
"-out", "{output}.cms" ],
|
|
|
|
|
# digest is SHA-512, which produces 64, bytes of output, but an RSA-PSS
|
2023-01-02 05:50:11 +08:00
|
|
|
# signature with a 1024 bit RSA key can only accommodate 62
|
signature: Clamp PSS salt len to MD len
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
the hash function output block (in bytes)."
Introduce a new option RSA_PSS_SALTLEN_AUTO_DIGEST_MAX and make it the
default. The new value will behave like RSA_PSS_SALTLEN_AUTO, but will
not use more than the digest length when signing, so that FIPS 186-4 is
not violated. This value has two advantages when compared with
RSA_PSS_SALTLEN_DIGEST: (1) It will continue to do auto-detection when
verifying signatures for maximum compatibility, where
RSA_PSS_SALTLEN_DIGEST would fail for other digest sizes. (2) It will
work for combinations where the maximum salt length is smaller than the
digest size, which typically happens with large digest sizes (e.g.,
SHA-512) and small RSA keys.
J.-S. Coron shows in "Optimal Security Proofs for PSS and Other
Signature Schemes. Advances in Cryptology – Eurocrypt 2002, volume 2332
of Lecture Notes in Computer Science, pp. 272 – 287. Springer Verlag,
2002." that longer salts than the output size of modern hash functions
do not increase security: "For example,for an application in which at
most one billion signatures will be generated, k0 = 30 bits of random
salt are actually sufficient to guarantee the same level of security as
RSA, and taking a larger salt does not increase the security level."
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19724)
2022-11-18 19:35:33 +08:00
|
|
|
sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 62; },
|
|
|
|
|
[ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
|
|
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
|
|
|
|
\&final_compare
|
|
|
|
|
]
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
2019-06-03 13:19:48 +08:00
|
|
|
my @contenttype_cms_test = (
|
|
|
|
|
[ "signed content test - check that content type is added to additional signerinfo, RSA keys",
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-sign", "-binary", "-nodetach", "-stream", "-in", $smcont,
|
2021-05-27 21:11:31 +08:00
|
|
|
"-outform", "DER", "-signer", $smrsa1, "-md", "SHA256",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-out", "{output}.cms" ],
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd1}", @prov, "-resign", "-binary", "-nodetach", "-in", "{output}.cms",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-inform", "DER", "-outform", "DER",
|
2019-06-03 13:19:48 +08:00
|
|
|
"-signer", catfile($smdir, "smrsa2.pem"), "-md", "SHA256",
|
2020-02-14 15:34:40 +08:00
|
|
|
"-out", "{output}2.cms" ],
|
|
|
|
|
sub { my %opts = @_; contentType_matches("$opts{output}2.cms") == 2; },
|
2020-07-26 15:36:33 +08:00
|
|
|
[ "{cmd2}", @prov, "-verify", "-in", "{output}2.cms", "-inform", "DER",
|
2021-05-27 21:11:31 +08:00
|
|
|
"-CAfile", $smroot, "-out", "{output}.txt" ]
|
2019-06-03 13:19:48 +08:00
|
|
|
],
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
my @incorrect_attribute_cms_test = (
|
|
|
|
|
"bad_signtime_attr.cms",
|
|
|
|
|
"no_ct_attr.cms",
|
|
|
|
|
"no_md_attr.cms",
|
|
|
|
|
"ct_multiple_attr.cms"
|
|
|
|
|
);
|
|
|
|
|
|
2020-02-14 15:34:40 +08:00
|
|
|
# Runs a standard loop on the input array
|
|
|
|
|
sub runner_loop {
|
|
|
|
|
my %opts = ( @_ );
|
|
|
|
|
my $cnt1 = 0;
|
2015-04-20 04:24:17 +08:00
|
|
|
|
2020-02-14 15:34:40 +08:00
|
|
|
foreach (@{$opts{tests}}) {
|
|
|
|
|
$cnt1++;
|
|
|
|
|
$opts{output} = "$opts{prefix}-$cnt1";
|
2015-04-20 04:24:17 +08:00
|
|
|
SKIP: {
|
2020-02-14 15:34:40 +08:00
|
|
|
my $skip_reason = check_availability($$_[0]);
|
|
|
|
|
skip $skip_reason, 1 if $skip_reason;
|
|
|
|
|
my $ok = 1;
|
|
|
|
|
1 while unlink "$opts{output}.txt";
|
|
|
|
|
|
|
|
|
|
foreach (@$_[1..$#$_]) {
|
|
|
|
|
if (ref $_ eq 'CODE') {
|
|
|
|
|
$ok &&= $_->(%opts);
|
|
|
|
|
} else {
|
|
|
|
|
my @cmd = map {
|
|
|
|
|
my $x = $_;
|
|
|
|
|
while ($x =~ /\{([^\}]+)\}/) {
|
|
|
|
|
$x = $`.$opts{$1}.$' if exists $opts{$1};
|
|
|
|
|
}
|
|
|
|
|
$x;
|
|
|
|
|
} @$_;
|
|
|
|
|
|
2019-06-13 01:52:39 +08:00
|
|
|
diag "CMD: openssl ", join(" ", @cmd);
|
2020-02-14 15:34:40 +08:00
|
|
|
$ok &&= run(app(["openssl", @cmd]));
|
|
|
|
|
$opts{input} = $opts{output};
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ok($ok, $$_[0]);
|
|
|
|
|
}
|
2015-04-20 04:24:17 +08:00
|
|
|
}
|
2020-02-14 15:34:40 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sub final_compare {
|
|
|
|
|
my %opts = @_;
|
|
|
|
|
|
|
|
|
|
diag "Comparing $smcont with $opts{output}.txt";
|
|
|
|
|
return compare_text($smcont, "$opts{output}.txt") == 0;
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-07 18:05:28 +08:00
|
|
|
sub zero_compare {
|
|
|
|
|
my %opts = @_;
|
|
|
|
|
|
|
|
|
|
diag "Checking for zero-length file";
|
|
|
|
|
return (-e "$opts{output}.txt" && -z "$opts{output}.txt");
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-14 15:34:40 +08:00
|
|
|
subtest "CMS => PKCS#7 compatibility tests\n" => sub {
|
|
|
|
|
plan tests => scalar @smime_pkcs7_tests;
|
|
|
|
|
|
|
|
|
|
runner_loop(prefix => 'cms2pkcs7', cmd1 => 'cms', cmd2 => 'smime',
|
|
|
|
|
tests => [ @smime_pkcs7_tests ]);
|
2015-04-20 04:24:17 +08:00
|
|
|
};
|
|
|
|
|
subtest "CMS <= PKCS#7 compatibility tests\n" => sub {
|
|
|
|
|
plan tests => scalar @smime_pkcs7_tests;
|
|
|
|
|
|
2020-02-14 15:34:40 +08:00
|
|
|
runner_loop(prefix => 'pkcs72cms', cmd1 => 'smime', cmd2 => 'cms',
|
|
|
|
|
tests => [ @smime_pkcs7_tests ]);
|
2015-04-20 04:24:17 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
subtest "CMS <=> CMS consistency tests\n" => sub {
|
|
|
|
|
plan tests => (scalar @smime_pkcs7_tests) + (scalar @smime_cms_tests);
|
|
|
|
|
|
2020-02-14 15:34:40 +08:00
|
|
|
runner_loop(prefix => 'cms2cms-1', cmd1 => 'cms', cmd2 => 'cms',
|
|
|
|
|
tests => [ @smime_pkcs7_tests ]);
|
|
|
|
|
runner_loop(prefix => 'cms2cms-2', cmd1 => 'cms', cmd2 => 'cms',
|
|
|
|
|
tests => [ @smime_cms_tests ]);
|
2015-04-20 04:24:17 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
subtest "CMS <=> CMS consistency tests, modified key parameters\n" => sub {
|
|
|
|
|
plan tests =>
|
signature: Clamp PSS salt len to MD len
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
the hash function output block (in bytes)."
Introduce a new option RSA_PSS_SALTLEN_AUTO_DIGEST_MAX and make it the
default. The new value will behave like RSA_PSS_SALTLEN_AUTO, but will
not use more than the digest length when signing, so that FIPS 186-4 is
not violated. This value has two advantages when compared with
RSA_PSS_SALTLEN_DIGEST: (1) It will continue to do auto-detection when
verifying signatures for maximum compatibility, where
RSA_PSS_SALTLEN_DIGEST would fail for other digest sizes. (2) It will
work for combinations where the maximum salt length is smaller than the
digest size, which typically happens with large digest sizes (e.g.,
SHA-512) and small RSA keys.
J.-S. Coron shows in "Optimal Security Proofs for PSS and Other
Signature Schemes. Advances in Cryptology – Eurocrypt 2002, volume 2332
of Lecture Notes in Computer Science, pp. 272 – 287. Springer Verlag,
2002." that longer salts than the output size of modern hash functions
do not increase security: "For example,for an application in which at
most one billion signatures will be generated, k0 = 30 bits of random
salt are actually sufficient to guarantee the same level of security as
RSA, and taking a larger salt does not increase the security level."
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19724)
2022-11-18 19:35:33 +08:00
|
|
|
(scalar @smime_cms_param_tests) + (scalar @smime_cms_comp_tests) +
|
|
|
|
|
(scalar @smime_cms_param_tests_autodigestmax) + 1;
|
|
|
|
|
|
|
|
|
|
ok(run(app(["openssl", "cms", @prov,
|
|
|
|
|
"-sign", "-in", $smcont,
|
|
|
|
|
"-outform", "PEM",
|
|
|
|
|
"-nodetach",
|
|
|
|
|
"-signer", $smrsa1,
|
|
|
|
|
"-keyopt", "rsa_padding_mode:pss",
|
|
|
|
|
"-keyopt", "rsa_pss_saltlen:auto-digestmax",
|
|
|
|
|
"-out", "digestmaxtest.cms"])));
|
|
|
|
|
# Providers that do not support rsa_pss_saltlen:auto-digestmax will parse
|
|
|
|
|
# it as 0
|
|
|
|
|
my $no_autodigestmax = rsapssSaltlen("digestmaxtest.cms") == 0;
|
|
|
|
|
1 while unlink "digestmaxtest.cms";
|
2015-04-20 04:24:17 +08:00
|
|
|
|
2020-02-14 15:34:40 +08:00
|
|
|
runner_loop(prefix => 'cms2cms-mod', cmd1 => 'cms', cmd2 => 'cms',
|
|
|
|
|
tests => [ @smime_cms_param_tests ]);
|
2015-04-20 04:24:17 +08:00
|
|
|
SKIP: {
|
|
|
|
|
skip("Zlib not supported: compression tests skipped",
|
2020-02-14 15:34:40 +08:00
|
|
|
scalar @smime_cms_comp_tests)
|
|
|
|
|
if $no_zlib;
|
|
|
|
|
|
|
|
|
|
runner_loop(prefix => 'cms2cms-comp', cmd1 => 'cms', cmd2 => 'cms',
|
|
|
|
|
tests => [ @smime_cms_comp_tests ]);
|
2015-04-20 04:24:17 +08:00
|
|
|
}
|
signature: Clamp PSS salt len to MD len
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
the hash function output block (in bytes)."
Introduce a new option RSA_PSS_SALTLEN_AUTO_DIGEST_MAX and make it the
default. The new value will behave like RSA_PSS_SALTLEN_AUTO, but will
not use more than the digest length when signing, so that FIPS 186-4 is
not violated. This value has two advantages when compared with
RSA_PSS_SALTLEN_DIGEST: (1) It will continue to do auto-detection when
verifying signatures for maximum compatibility, where
RSA_PSS_SALTLEN_DIGEST would fail for other digest sizes. (2) It will
work for combinations where the maximum salt length is smaller than the
digest size, which typically happens with large digest sizes (e.g.,
SHA-512) and small RSA keys.
J.-S. Coron shows in "Optimal Security Proofs for PSS and Other
Signature Schemes. Advances in Cryptology – Eurocrypt 2002, volume 2332
of Lecture Notes in Computer Science, pp. 272 – 287. Springer Verlag,
2002." that longer salts than the output size of modern hash functions
do not increase security: "For example,for an application in which at
most one billion signatures will be generated, k0 = 30 bits of random
salt are actually sufficient to guarantee the same level of security as
RSA, and taking a larger salt does not increase the security level."
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19724)
2022-11-18 19:35:33 +08:00
|
|
|
|
|
|
|
|
SKIP: {
|
|
|
|
|
skip("rsa_pss_saltlen:auto-digestmax not supported",
|
|
|
|
|
scalar @smime_cms_param_tests_autodigestmax)
|
|
|
|
|
if $no_autodigestmax;
|
|
|
|
|
|
|
|
|
|
runner_loop(prefix => 'cms2cms-comp', 'cmd1' => 'cms', cmd2 => 'cms',
|
|
|
|
|
tests => [ @smime_cms_param_tests_autodigestmax ]);
|
|
|
|
|
}
|
2015-04-20 04:24:17 +08:00
|
|
|
};
|
|
|
|
|
|
2019-06-03 13:19:48 +08:00
|
|
|
# Returns the number of matches of a Content Type Attribute in a binary file.
|
|
|
|
|
sub contentType_matches {
|
|
|
|
|
# Read in a binary file
|
|
|
|
|
my ($in) = @_;
|
|
|
|
|
open (HEX_IN, "$in") or die("open failed for $in : $!");
|
|
|
|
|
binmode(HEX_IN);
|
|
|
|
|
local $/;
|
|
|
|
|
my $str = <HEX_IN>;
|
|
|
|
|
|
|
|
|
|
# Find ASN1 data for a Content Type Attribute (with a OID of PKCS7 data)
|
|
|
|
|
my @c = $str =~ /\x30\x18\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x03\x31\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x01/gs;
|
|
|
|
|
|
|
|
|
|
close(HEX_IN);
|
|
|
|
|
return scalar(@c);
|
|
|
|
|
}
|
|
|
|
|
|
2022-11-21 21:33:57 +08:00
|
|
|
sub rsapssSaltlen {
|
|
|
|
|
my ($in) = @_;
|
|
|
|
|
my $exit = 0;
|
|
|
|
|
|
|
|
|
|
my @asn1parse = run(app(["openssl", "asn1parse", "-in", $in, "-dump"]),
|
|
|
|
|
capture => 1,
|
|
|
|
|
statusvar => $exit);
|
|
|
|
|
return -1 if $exit != 0;
|
|
|
|
|
|
|
|
|
|
my $pssparam_offset = -1;
|
|
|
|
|
while ($_ = shift @asn1parse) {
|
|
|
|
|
chomp;
|
2022-12-22 18:25:16 +08:00
|
|
|
next unless /:rsassaPss/;
|
2022-11-21 21:33:57 +08:00
|
|
|
# This line contains :rsassaPss, the next line contains a raw dump of the
|
|
|
|
|
# RSA_PSS_PARAMS sequence; obtain its offset
|
|
|
|
|
$_ = shift @asn1parse;
|
|
|
|
|
if (/^\s*(\d+):/) {
|
|
|
|
|
$pssparam_offset = int($1);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ($pssparam_offset == -1) {
|
|
|
|
|
note "Failed to determine RSA_PSS_PARAM offset in CMS. " +
|
|
|
|
|
"Was the file correctly signed with RSASSA-PSS?";
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
my @pssparam = run(app(["openssl", "asn1parse", "-in", $in,
|
|
|
|
|
"-strparse", $pssparam_offset]),
|
|
|
|
|
capture => 1,
|
|
|
|
|
statusvar => $exit);
|
|
|
|
|
return -1 if $exit != 0;
|
|
|
|
|
|
|
|
|
|
my $saltlen = -1;
|
|
|
|
|
# Can't use asn1parse -item RSA_PSS_PARAMS here, because that's deprecated.
|
|
|
|
|
# This assumes the salt length is the last field, which may possibly be
|
|
|
|
|
# incorrect if there is a non-standard trailer field, but there almost never
|
|
|
|
|
# is in PSS.
|
2022-12-22 18:25:16 +08:00
|
|
|
if ($pssparam[-1] =~ /prim:\s+INTEGER\s+:([A-Fa-f0-9]+)/) {
|
2022-11-21 21:33:57 +08:00
|
|
|
$saltlen = hex($1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ($saltlen == -1) {
|
|
|
|
|
note "Failed to determine salt length from RSA_PSS_PARAM struct. " +
|
|
|
|
|
"Was the file correctly signed with RSASSA-PSS?";
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $saltlen;
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-03 13:19:48 +08:00
|
|
|
subtest "CMS Check the content type attribute is added for additional signers\n" => sub {
|
2020-02-14 15:34:40 +08:00
|
|
|
plan tests => (scalar @contenttype_cms_test);
|
2019-06-03 13:19:48 +08:00
|
|
|
|
2020-02-14 15:34:40 +08:00
|
|
|
runner_loop(prefix => 'cms2cms-added', cmd1 => 'cms', cmd2 => 'cms',
|
|
|
|
|
tests => [ @contenttype_cms_test ]);
|
2019-06-03 13:19:48 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
subtest "CMS Check that bad attributes fail when verifying signers\n" => sub {
|
|
|
|
|
plan tests =>
|
|
|
|
|
(scalar @incorrect_attribute_cms_test);
|
|
|
|
|
|
2020-02-14 15:34:40 +08:00
|
|
|
my $cnt = 0;
|
2019-06-03 13:19:48 +08:00
|
|
|
foreach my $name (@incorrect_attribute_cms_test) {
|
2020-02-14 15:34:40 +08:00
|
|
|
my $out = "incorrect-$cnt.txt";
|
|
|
|
|
|
2020-07-26 15:36:33 +08:00
|
|
|
ok(!run(app(["openssl", "cms", @prov, "-verify", "-in",
|
2019-06-03 13:19:48 +08:00
|
|
|
catfile($datadir, $name), "-inform", "DER", "-CAfile",
|
2021-05-27 21:11:31 +08:00
|
|
|
$smroot, "-out", $out ])),
|
2019-06-03 13:19:48 +08:00
|
|
|
$name);
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
2022-12-06 23:12:59 +08:00
|
|
|
subtest "CMS Check that bad encryption algorithm fails\n" => sub {
|
|
|
|
|
plan tests => 1;
|
|
|
|
|
|
|
|
|
|
SKIP: {
|
|
|
|
|
skip "DES or Legacy isn't supported in this build", 1
|
|
|
|
|
if disabled("des") || disabled("legacy");
|
|
|
|
|
|
|
|
|
|
my $out = "smtst.txt";
|
|
|
|
|
|
|
|
|
|
ok(!run(app(["openssl", "cms", @legacyprov, "-encrypt",
|
|
|
|
|
"-in", $smcont,
|
|
|
|
|
"-stream", "-recip", $smrsa1,
|
|
|
|
|
"-des-ede3",
|
|
|
|
|
"-out", $out ])),
|
|
|
|
|
"Decrypt message from OpenSSL 1.1.1");
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
2020-01-26 00:19:56 +08:00
|
|
|
subtest "CMS Decrypt message encrypted with OpenSSL 1.1.1\n" => sub {
|
|
|
|
|
plan tests => 1;
|
|
|
|
|
|
|
|
|
|
SKIP: {
|
2020-04-20 18:23:34 +08:00
|
|
|
skip "EC or DES isn't supported in this build", 1
|
|
|
|
|
if disabled("ec") || disabled("des");
|
2020-01-26 00:19:56 +08:00
|
|
|
|
|
|
|
|
my $out = "smtst.txt";
|
|
|
|
|
|
2020-07-26 15:36:33 +08:00
|
|
|
ok(run(app(["openssl", "cms", @defaultprov, "-decrypt",
|
2020-01-26 00:19:56 +08:00
|
|
|
"-inkey", catfile($smdir, "smec3.pem"),
|
|
|
|
|
"-in", catfile($datadir, "ciphertext_from_1_1_1.cms"),
|
|
|
|
|
"-out", $out ]))
|
|
|
|
|
&& compare_text($smcont, $out) == 0,
|
|
|
|
|
"Decrypt message from OpenSSL 1.1.1");
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
2019-06-13 01:52:39 +08:00
|
|
|
subtest "CAdES <=> CAdES consistency tests\n" => sub {
|
|
|
|
|
plan tests => (scalar @smime_cms_cades_tests);
|
|
|
|
|
|
|
|
|
|
runner_loop(prefix => 'cms-cades', cmd1 => 'cms', cmd2 => 'cms',
|
|
|
|
|
tests => [ @smime_cms_cades_tests ]);
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
subtest "CAdES; cms incompatible arguments tests\n" => sub {
|
|
|
|
|
plan tests => (scalar @smime_cms_cades_invalid_option_tests);
|
|
|
|
|
|
|
|
|
|
foreach (@smime_cms_cades_invalid_option_tests) {
|
|
|
|
|
ok(!run(app(["openssl", "cms", @{$$_[0]} ] )));
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
subtest "CAdES ko tests\n" => sub {
|
2021-03-13 02:45:40 +08:00
|
|
|
plan tests => 2 * scalar @smime_cms_cades_ko_tests;
|
2019-06-13 01:52:39 +08:00
|
|
|
|
|
|
|
|
foreach (@smime_cms_cades_ko_tests) {
|
|
|
|
|
SKIP: {
|
|
|
|
|
my $skip_reason = check_availability($$_[0]);
|
|
|
|
|
skip $skip_reason, 1 if $skip_reason;
|
2022-11-22 22:05:45 +08:00
|
|
|
1 while unlink "cades-ko.txt";
|
2019-06-13 01:52:39 +08:00
|
|
|
|
2021-03-13 02:45:40 +08:00
|
|
|
ok(run(app(["openssl", "cms", @{$$_[1]}])), $$_[0]);
|
|
|
|
|
ok(!run(app(["openssl", "cms", @{$$_[3]}])), $$_[2]);
|
2019-06-13 01:52:39 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
2020-09-23 16:19:50 +08:00
|
|
|
subtest "CMS binary input tests\n" => sub {
|
|
|
|
|
my $input = srctop_file("test", "smcont.bin");
|
|
|
|
|
my $signed = "smcont.signed";
|
|
|
|
|
my $verified = "smcont.verified";
|
|
|
|
|
|
|
|
|
|
plan tests => 11;
|
|
|
|
|
|
2021-05-27 21:11:31 +08:00
|
|
|
ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1,
|
2020-09-23 16:19:50 +08:00
|
|
|
"-binary", "-in", $input, "-out", $signed])),
|
|
|
|
|
"sign binary input with -binary");
|
2021-05-27 21:11:31 +08:00
|
|
|
ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot,
|
2020-09-23 16:19:50 +08:00
|
|
|
"-binary", "-in", $signed, "-out", $verified])),
|
|
|
|
|
"verify binary input with -binary");
|
|
|
|
|
is(compare($input, $verified), 0, "binary input retained with -binary");
|
2021-05-20 01:44:22 +08:00
|
|
|
|
2021-05-27 21:11:31 +08:00
|
|
|
ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1,
|
2021-05-20 01:44:22 +08:00
|
|
|
"-in", $input, "-out", $signed.".nobin"])),
|
2020-09-23 16:19:50 +08:00
|
|
|
"sign binary input without -binary");
|
2021-05-27 21:11:31 +08:00
|
|
|
ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot,
|
2021-05-20 01:44:22 +08:00
|
|
|
"-in", $signed.".nobin", "-out", $verified.".nobin"])),
|
2020-09-23 16:19:50 +08:00
|
|
|
"verify binary input without -binary");
|
2021-05-20 01:44:22 +08:00
|
|
|
is(compare($input, $verified.".nobin"), 1, "binary input not retained without -binary");
|
2021-05-27 21:11:31 +08:00
|
|
|
ok(!run(app(["openssl", "cms", "-verify", "-CAfile", $smroot, "-crlfeol",
|
2021-05-20 01:44:22 +08:00
|
|
|
"-binary", "-in", $signed, "-out", $verified.".crlfeol"])),
|
2020-09-23 16:19:50 +08:00
|
|
|
"verify binary input wrong crlfeol");
|
|
|
|
|
|
2021-05-27 21:11:31 +08:00
|
|
|
ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1,
|
|
|
|
|
"-crlfeol",
|
2020-09-23 16:19:50 +08:00
|
|
|
"-binary", "-in", $input, "-out", $signed.".crlf"])),
|
2021-05-20 01:44:22 +08:00
|
|
|
"sign binary input with -binary -crlfeol");
|
2021-05-27 21:11:31 +08:00
|
|
|
ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot, "-crlfeol",
|
2020-09-23 16:19:50 +08:00
|
|
|
"-binary", "-in", $signed.".crlf", "-out", $verified.".crlf"])),
|
2021-05-20 01:44:22 +08:00
|
|
|
"verify binary input with -binary -crlfeol");
|
|
|
|
|
is(compare($input, $verified.".crlf"), 0,
|
|
|
|
|
"binary input retained with -binary -crlfeol");
|
2021-05-27 21:11:31 +08:00
|
|
|
ok(!run(app(["openssl", "cms", "-verify", "-CAfile", $smroot,
|
2021-05-20 01:44:22 +08:00
|
|
|
"-binary", "-in", $signed.".crlf", "-out", $verified.".crlf2"])),
|
|
|
|
|
"verify binary input with -binary missing -crlfeol");
|
2020-09-23 16:19:50 +08:00
|
|
|
};
|
|
|
|
|
|
2021-04-28 16:54:57 +08:00
|
|
|
subtest "CMS signed digest, DER format" => sub {
|
|
|
|
|
plan tests => 2;
|
|
|
|
|
|
|
|
|
|
# Pre-computed SHA256 digest of $smcont in hexadecimal form
|
|
|
|
|
my $digest = "ff236ef61b396355f75a4cc6e1c306d4c309084ae271a9e2ad6888f10a101b32";
|
|
|
|
|
|
|
|
|
|
my $sig_file = "signature.der";
|
|
|
|
|
ok(run(app(["openssl", "cms", @prov, "-sign", "-digest", $digest,
|
|
|
|
|
"-outform", "DER",
|
|
|
|
|
"-certfile", catfile($smdir, "smroot.pem"),
|
|
|
|
|
"-signer", catfile($smdir, "smrsa1.pem"),
|
|
|
|
|
"-out", $sig_file])),
|
|
|
|
|
"CMS sign pre-computed digest, DER format");
|
|
|
|
|
|
|
|
|
|
ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
|
|
|
|
|
"-inform", "DER",
|
|
|
|
|
"-CAfile", catfile($smdir, "smroot.pem"),
|
|
|
|
|
"-content", $smcont])),
|
|
|
|
|
"Verify CMS signed digest, DER format");
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
subtest "CMS signed digest, S/MIME format" => sub {
|
|
|
|
|
plan tests => 2;
|
|
|
|
|
|
|
|
|
|
# Pre-computed SHA256 digest of $smcont in hexadecimal form
|
|
|
|
|
my $digest = "ff236ef61b396355f75a4cc6e1c306d4c309084ae271a9e2ad6888f10a101b32";
|
|
|
|
|
|
|
|
|
|
my $sig_file = "signature.smime";
|
|
|
|
|
ok(run(app(["openssl", "cms", @prov, "-sign", "-digest", $digest,
|
|
|
|
|
"-outform", "SMIME",
|
|
|
|
|
"-certfile", catfile($smdir, "smroot.pem"),
|
|
|
|
|
"-signer", catfile($smdir, "smrsa1.pem"),
|
|
|
|
|
"-out", $sig_file])),
|
|
|
|
|
"CMS sign pre-computed digest, S/MIME format");
|
|
|
|
|
|
|
|
|
|
ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
|
|
|
|
|
"-inform", "SMIME",
|
|
|
|
|
"-CAfile", catfile($smdir, "smroot.pem"),
|
|
|
|
|
"-content", $smcont])),
|
|
|
|
|
"Verify CMS signed digest, S/MIME format");
|
|
|
|
|
};
|
|
|
|
|
|
2022-06-16 01:01:43 +08:00
|
|
|
subtest "CMS code signing test" => sub {
|
|
|
|
|
plan tests => 7;
|
|
|
|
|
my $sig_file = "signature.p7s";
|
|
|
|
|
ok(run(app(["openssl", "cms", @prov, "-sign", "-in", $smcont,
|
|
|
|
|
"-certfile", catfile($smdir, "smroot.pem"),
|
|
|
|
|
"-signer", catfile($smdir, "smrsa1.pem"),
|
|
|
|
|
"-out", $sig_file])),
|
|
|
|
|
"accept perform CMS signature with smime certificate");
|
|
|
|
|
|
|
|
|
|
ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
|
|
|
|
|
"-CAfile", catfile($smdir, "smroot.pem"),
|
|
|
|
|
"-content", $smcont])),
|
|
|
|
|
"accept verify CMS signature with smime certificate");
|
|
|
|
|
|
|
|
|
|
ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
|
|
|
|
|
"-CAfile", catfile($smdir, "smroot.pem"),
|
|
|
|
|
"-purpose", "codesign",
|
|
|
|
|
"-content", $smcont])),
|
|
|
|
|
"fail verify CMS signature with smime certificate for purpose code signing");
|
|
|
|
|
|
|
|
|
|
ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
|
|
|
|
|
"-CAfile", catfile($smdir, "smroot.pem"),
|
|
|
|
|
"-purpose", "football",
|
|
|
|
|
"-content", $smcont])),
|
|
|
|
|
"fail verify CMS signature with invalid purpose argument");
|
|
|
|
|
|
|
|
|
|
ok(run(app(["openssl", "cms", @prov, "-sign", "-in", $smcont,
|
|
|
|
|
"-certfile", catfile($smdir, "smroot.pem"),
|
|
|
|
|
"-signer", catfile($smdir, "csrsa1.pem"),
|
|
|
|
|
"-out", $sig_file])),
|
|
|
|
|
"accept perform CMS signature with code signing certificate");
|
|
|
|
|
|
|
|
|
|
ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
|
|
|
|
|
"-CAfile", catfile($smdir, "smroot.pem"),
|
|
|
|
|
"-purpose", "codesign",
|
|
|
|
|
"-content", $smcont])),
|
|
|
|
|
"accept verify CMS signature with code signing certificate for purpose code signing");
|
|
|
|
|
|
|
|
|
|
ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
|
|
|
|
|
"-CAfile", catfile($smdir, "smroot.pem"),
|
|
|
|
|
"-content", $smcont])),
|
|
|
|
|
"fail verify CMS signature with code signing certificate for purpose smime_sign");
|
|
|
|
|
};
|
|
|
|
|
|
2023-01-19 00:07:24 +08:00
|
|
|
# Test case for missing MD algorithm (must not segfault)
|
|
|
|
|
|
|
|
|
|
with({ exit_checker => sub { return shift == 4; } },
|
|
|
|
|
sub {
|
|
|
|
|
ok(run(app(['openssl', 'smime', '-verify', '-noverify',
|
|
|
|
|
'-inform', 'PEM',
|
|
|
|
|
'-in', data_file("pkcs7-md4.pem"),
|
|
|
|
|
])),
|
2023-01-19 15:37:53 +08:00
|
|
|
"Check failure of EVP_DigestInit in PKCS7 signed is handled");
|
|
|
|
|
|
|
|
|
|
ok(run(app(['openssl', 'smime', '-decrypt',
|
|
|
|
|
'-inform', 'PEM',
|
|
|
|
|
'-in', data_file("pkcs7-md4-encrypted.pem"),
|
|
|
|
|
'-recip', srctop_file("test", "certs", "ee-cert.pem"),
|
|
|
|
|
'-inkey', srctop_file("test", "certs", "ee-key.pem")
|
|
|
|
|
])),
|
|
|
|
|
"Check failure of EVP_DigestInit in PKCS7 signedAndEnveloped is handled");
|
2023-01-19 00:07:24 +08:00
|
|
|
});
|
|
|
|
|
|
2015-04-20 04:24:17 +08:00
|
|
|
sub check_availability {
|
|
|
|
|
my $tnam = shift;
|
|
|
|
|
|
|
|
|
|
return "$tnam: skipped, EC disabled\n"
|
2016-03-17 18:14:30 +08:00
|
|
|
if ($no_ec && $tnam =~ /ECDH/);
|
2015-04-20 04:24:17 +08:00
|
|
|
return "$tnam: skipped, ECDH disabled\n"
|
2016-03-17 18:14:30 +08:00
|
|
|
if ($no_ec && $tnam =~ /ECDH/);
|
2015-04-20 04:24:17 +08:00
|
|
|
return "$tnam: skipped, EC2M disabled\n"
|
2016-03-17 18:14:30 +08:00
|
|
|
if ($no_ec2m && $tnam =~ /K-283/);
|
2015-09-20 05:03:15 +08:00
|
|
|
return "$tnam: skipped, DH disabled\n"
|
2016-03-17 18:14:30 +08:00
|
|
|
if ($no_dh && $tnam =~ /X9\.42/);
|
|
|
|
|
return "$tnam: skipped, RC2 disabled\n"
|
|
|
|
|
if ($no_rc2 && $tnam =~ /RC2/);
|
2016-03-18 23:56:06 +08:00
|
|
|
return "$tnam: skipped, DES disabled\n"
|
|
|
|
|
if ($no_des && $tnam =~ /DES/);
|
2016-03-19 01:43:58 +08:00
|
|
|
return "$tnam: skipped, DSA disabled\n"
|
|
|
|
|
if ($no_dsa && $tnam =~ / DSA/);
|
2016-03-17 18:14:30 +08:00
|
|
|
|
2015-04-20 04:24:17 +08:00
|
|
|
return "";
|
|
|
|
|
}
|
2022-11-14 07:31:23 +08:00
|
|
|
|
|
|
|
|
# Test case for the locking problem reported in #19643.
|
|
|
|
|
# This will fail if the fix is in and deadlock on Windows (and possibly
|
|
|
|
|
# other platforms) if not.
|
|
|
|
|
ok(!run(app(['openssl', 'cms', '-verify',
|
|
|
|
|
'-CAfile', srctop_file("test/certs", "pkitsta.pem"),
|
|
|
|
|
'-policy', 'anyPolicy',
|
|
|
|
|
'-in', srctop_file("test/smime-eml",
|
|
|
|
|
"SignedInvalidMappingFromanyPolicyTest7.eml")
|
|
|
|
|
])),
|
|
|
|
|
"issue#19643");
|
2022-12-15 01:15:18 +08:00
|
|
|
|
|
|
|
|
# Check that we get the expected failure return code
|
|
|
|
|
with({ exit_checker => sub { return shift == 6; } },
|
|
|
|
|
sub {
|
|
|
|
|
ok(run(app(['openssl', 'cms', '-encrypt',
|
|
|
|
|
'-in', srctop_file("test", "smcont.txt"),
|
2023-02-13 19:58:33 +08:00
|
|
|
'-aes128', '-stream', '-recip',
|
2022-12-15 01:15:18 +08:00
|
|
|
srctop_file("test/smime-certs", "badrsa.pem"),
|
|
|
|
|
])),
|
|
|
|
|
"Check failure during BIO setup with -stream is handled correctly");
|
|
|
|
|
});
|
