From 71273ab57a27e0e6a1d4356891a2eb8e2298f458 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Tue, 5 May 2020 14:04:30 +0200
Subject: [PATCH] Fix 90-test_store.t for latest config, limits, providers, and disabled algos

Also make sure that the test do not 'pass' if their initialization fails. Leave out the expensive parts of DSA key gen and RSA keygen for efficiency. Fix use of the new CA configuration file test/ca-and-certs.cnf.
Reviewed-by: Richard Levitte
(Merged from https://github.com/openssl/openssl/pull/11733)
---
 test/recipes/90-test_store.t                 | 82 ++++++++++++-------
 test/recipes/90-test_store_data/ca.cnf       | 56 -------------
 test/recipes/90-test_store_data/dsaparam.pem | 14 ++++
 .../90-test_store_data/rsa-key-2432.pem      | 32 ++++++++
 test/recipes/90-test_store_data/user.cnf     | 19 -----
 5 files changed, 99 insertions(+), 104 deletions(-)
 delete mode 100644 test/recipes/90-test_store_data/ca.cnf
 create mode 100644 test/recipes/90-test_store_data/dsaparam.pem
 create mode 100644 test/recipes/90-test_store_data/rsa-key-2432.pem
 delete mode 100644 test/recipes/90-test_store_data/user.cnf

diff --git a/test/recipes/90-test_store.t b/test/recipes/90-test_store.t
index 0905232e35..9f4eaa2961 100644
--- a/test/recipes/90-test_store.t
+++ b/test/recipes/90-test_store.t
@@ -16,7 +16,11 @@ my $test_name = "test_store";
 setup($test_name);
 my $mingw = config('target') =~ m|^mingw|;
-my $cnf = srctop_file("test", "ca-and-certs.cnf");
+
+my $use_md5 = !disabled("md5");
+my $use_des = !disabled("des"); # also affects 3des and pkcs12 app
+my $use_dsa = !disabled("dsa");
+my $use_ecc = !disabled("ec");
 my @noexist_files = (
     "test/blahdiblah.pem",
@@ -41,25 +45,35 @@ my @generated_files =
     "rsa-key-pkcs1.pem", "rsa-key-pkcs1.der", "rsa-key-pkcs1-aes128.pem", "rsa-key-pkcs8.pem", "rsa-key-pkcs8.der",
-    "rsa-key-pkcs8-pbes1-sha1-3des.pem", "rsa-key-pkcs8-pbes1-sha1-3des.der",
     "rsa-key-pkcs8-pbes2-sha1.pem", "rsa-key-pkcs8-pbes2-sha1.der",
+    "rsa-key-pkcs8-pbes2-sha256.pem", "rsa-key-pkcs8-pbes2-sha256.der",
+    );
+push(@generated_files, (
+    "rsa-key-pkcs8-pbes1-sha1-3des.pem", "rsa-key-pkcs8-pbes1-sha1-3des.der",
+    )) if $use_des;
+push(@generated_files, (
     "rsa-key-sha1-3des-sha1.p12", "rsa-key-sha1-3des-sha256.p12", "rsa-key-aes256-cbc-sha256.p12", "rsa-key-md5-des-sha1.p12",
-    "rsa-key-aes256-cbc-md5-des-sha256.p12",
-    "rsa-key-pkcs8-pbes2-sha256.pem", "rsa-key-pkcs8-pbes2-sha256.der",
-    "rsa-key-pkcs8-pbes1-md5-des.pem", "rsa-key-pkcs8-pbes1-md5-des.der",
+    "rsa-key-aes256-cbc-md5-des-sha256.p12"
+    )) if $use_des;
+push(@generated_files, (
+    "rsa-key-pkcs8-pbes1-md5-des.pem", "rsa-key-pkcs8-pbes1-md5-des.der"
+    )) if $use_md5 && $use_des;
+push(@generated_files, (
     "dsa-key-pkcs1.pem", "dsa-key-pkcs1.der", "dsa-key-pkcs1-aes128.pem", "dsa-key-pkcs8.pem", "dsa-key-pkcs8.der", "dsa-key-pkcs8-pbes2-sha1.pem", "dsa-key-pkcs8-pbes2-sha1.der",
-    "dsa-key-aes256-cbc-sha256.p12",
+    )) if $use_dsa;
+push(@generated_files, "dsa-key-aes256-cbc-sha256.p12") if $use_dsa && $use_des;
+push(@generated_files, (
     "ec-key-pkcs1.pem", "ec-key-pkcs1.der", "ec-key-pkcs1-aes128.pem", "ec-key-pkcs8.pem", "ec-key-pkcs8.der", "ec-key-pkcs8-pbes2-sha1.pem", "ec-key-pkcs8-pbes2-sha1.der",
-    "ec-key-aes256-cbc-sha256.p12",
-    );
+    )) if $use_ecc;
+push(@generated_files, "ec-key-aes256-cbc-sha256.p12") if $use_ecc && $use_des;
 my %generated_file_files = $^O eq 'linux' ? (
     "test/testx509.pem" => "file:testx509.pem",
@@ -85,7 +99,7 @@ plan tests => $n;
 indir "store_$$" => sub {
     SKIP: {
-        skip "failed initialisation", $n unless init();
+        init() or die "init failed";
         my $rehash = init_rehash();
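Review bot: `rsa-key-md5-des-sha1.p12` and `rsa-key-aes256-cbc-md5-des-sha256.p12` are pushed under `if $use_des` alone, while the `pbes1-md5-des` PKCS#8 pair in the same hunk is gated on `$use_md5 && $use_des`; if the `.p12` names encode the PBE/MAC algorithms the way the PKCS#8 names do, a `no-md5` build will still try to export those two files and `init` will die instead of skipping them. Suggest giving them their own push: `push(@generated_files, ("rsa-key-md5-des-sha1.p12", "rsa-key-aes256-cbc-md5-des-sha256.p12")) if $use_md5 && $use_des;` and keeping only the three non-MD5 `.p12` names under `$use_des`. The `@generated_files` initializer this hunk closes starts before the hunk, and the name-to-algorithm lookups in `init` that would confirm the mapping are outside it too.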
@@ -220,28 +234,35 @@ indir "store_$$" => sub {
 }, create => 1, cleanup => 1;
 sub init {
+    my $cnf = srctop_file('test', 'ca-and-certs.cnf');
+    my $cakey = srctop_file('test', 'certs', 'ca-key.pem');
     return (
         # rsa-key-pkcs1.pem
-        run(app(["openssl", "genrsa",
-                 "-out", "rsa-key-pkcs1.pem", "2432"]))
-        # dsa-key-pkcs1.pem
-        && run(app(["openssl", "dsaparam", "-genkey",
-                    "-out", "dsa-key-pkcs1.pem", "1024"]))
-        # ec-key-pkcs1.pem (one might think that 'genec' would be practical)
-        && run(app(["openssl", "ecparam", "-genkey", "-name", "prime256v1",
-                    "-out", "ec-key-pkcs1.pem"]))
+        run(app(["openssl", "pkey",
+                 "-in", data_file("rsa-key-2432.pem"),
+                 "-out", "rsa-key-pkcs1.pem"]))
         # rsa-key-pkcs1-aes128.pem
         && run(app(["openssl", "rsa", "-passout", "pass:password", "-aes128",
                     "-in", "rsa-key-pkcs1.pem",
                     "-out", "rsa-key-pkcs1-aes128.pem"]))
+        # dsa-key-pkcs1.pem
+        && (!$use_dsa || run(app(["openssl", "gendsa",
+                                  "-out", "dsa-key-pkcs1.pem",
+                                  data_file("dsaparam.pem")])))
         # dsa-key-pkcs1-aes128.pem
-        && run(app(["openssl", "dsa", "-passout", "pass:password", "-aes128",
-                    "-in", "dsa-key-pkcs1.pem",
-                    "-out", "dsa-key-pkcs1-aes128.pem"]))
+        && (!$use_dsa || run(app(["openssl", "dsa",
+                                  "-passout", "pass:password", "-aes128",
+                                  "-in", "dsa-key-pkcs1.pem",
+                                  "-out", "dsa-key-pkcs1-aes128.pem"])))
+        # ec-key-pkcs1.pem (one might think that 'genec' would be practical)
+        && (!$use_ecc || run(app(["openssl", "ecparam", "-genkey",
+                                  "-name", "prime256v1",
+                                  "-out", "ec-key-pkcs1.pem"])))
         # ec-key-pkcs1-aes128.pem
-        && run(app(["openssl", "ec", "-passout", "pass:password", "-aes128",
-                    "-in", "ec-key-pkcs1.pem",
-                    "-out", "ec-key-pkcs1-aes128.pem"]))
+        && (!$use_ecc || run(app(["openssl", "ec",
+                                  "-passout", "pass:password", "-aes128",
+                                  "-in", "ec-key-pkcs1.pem",
+                                  "-out", "ec-key-pkcs1-aes128.pem"])))
         # *-key-pkcs8.pem
         && runall(sub {
             my $dstfile = shift;
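Review bot: The new `openssl pkey -in data_file("rsa-key-2432.pem") -out rsa-key-pkcs1.pem` step copies a checked-in PKCS#8 `PRIVATE KEY` blob, and unless `pkey` defaults to traditional output in this tree the result is not a PKCS#1 `RSA PRIVATE KEY` despite the file name, whereas the removed `genrsa` call did produce that encoding in older trees. If the store tests, or the `rsa -aes128` conversion that reads the file next, depend on the name being accurate, add `"-traditional"` after `"pkey"` or rename the output. The `# rsa-key-pkcs1.pem` comment could also state that the key and the DSA parameters are fixed fixtures, e.g. `# fixed test-only key/params copied from the data dir; never reuse elsewhere`. `init`'s `return (...)` chain continues past the end of the hunk.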
@@ -297,19 +318,19 @@ sub init {
         # *-cert.pem (intermediary for the .p12 inits)
         && run(app(["openssl", "req", "-x509", "-config", $cnf, "-nodes",
-                    "-out", "cacert.pem", "-keyout", "cakey.pem"]))
+                    "-key", $cakey, "-out", "cacert.pem"]))
         && runall(sub {
             my $srckey = shift;
             (my $dstfile = $srckey) =~ s|-key-pkcs8\.|-cert.|;
             (my $csr = $dstfile) =~ s|\.pem|.csr|;
             (run(app(["openssl", "req", "-new",
-                      "-config", $cnf,
+                      "-config", $cnf, "-section", "userreq",
                       "-key", $srckey, "-out", $csr]))
              && run(app(["openssl", "x509", "-days", "3650",
                          "-CA", "cacert.pem",
-                         "-CAkey", "cakey.pem",
+                         "-CAkey", $cakey,
                          "-set_serial", time(), "-req", "-in", $csr, "-out", $dstfile])));
         }, grep(/-key-pkcs8\.pem$/, @generated_files))
@@ -350,16 +371,19 @@ sub init {
                 my $macalg = $macalgs{$macalg_index};
                 if (!defined($certpbe) || !defined($keypbe) || !defined($macalg)) {
-                    print STDERR "Cert PBE for $pbe_index not defined\n"
+                    print STDERR "Cert PBE for $certpbe_index not defined\n"
                         unless defined $certpbe;
-                    print STDERR "Key PBE for $pbe_index not defined\n"
+                    print STDERR "Key PBE for $keypbe_index not defined\n"
                         unless defined $keypbe;
                     print STDERR "MACALG for $macalg_index not defined\n"
                         unless defined $macalg;
                     print STDERR "(destination file was $dstfile)\n";
                     return 0;
                 }
-                run(app(["openssl", "pkcs12", "-inkey", $srckey,
+                run(app(["openssl", "pkcs12",
+                         "-provider", "default",
+                         "-provider", "legacy",
+                         "-inkey", $srckey,
                          "-in", $srccert, "-passout", "pass:password", "-chain", "-CAfile", "cacert.pem", "-export", "-macalg", $macalg,
diff --git a/test/recipes/90-test_store_data/ca.cnf b/test/recipes/90-test_store_data/ca.cnf
deleted file mode 100644
index bda6eec4b0..0000000000
--- a/test/recipes/90-test_store_data/ca.cnf
+++ /dev/null
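Review bot: Every per-key certificate signed under `cacert.pem` in the `runall` closure gets `-set_serial time()`, so the RSA, DSA and EC certs produced within the same second carry the same serial under one issuer, which RFC 5280 requires to be unique and which can make any issuer+serial lookup in the store tests ambiguous; the line is unchanged, but this hunk now routes `$cakey` into the same call. Replacing `"-set_serial", time(),` with `"-CAcreateserial",` lets `x509` keep an incrementing `cacert.srl` in the per-test directory, or a counter declared in `init` can be passed as `"-set_serial", $serial++,`. With `-key $cakey` now supplied to `req -x509`, `-nodes` no longer does anything there and could be dropped. The `sub init` body starts before and continues after this hunk.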
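Review bot: `-provider legacy` is passed unconditionally to every `pkcs12 -export`, so on a build without the legacy provider module, or one where it is not on the module path, the export fails and `init` dies, even for exports such as `aes256-cbc`/`sha256` that should not need it. If the test framework exposes it, gate the two arguments the way the `$use_*` flags do, e.g. `my $use_legacy = !disabled("legacy");` at file scope and `($use_legacy ? ("-provider", "legacy") : ()),` in the argument list; otherwise at least document the dependency: `# legacy provider: needed for the RC2/DES/MD5-based PBE and MAC choices`. I cannot see from here which of those algorithms actually live in the legacy provider in this tree, so the comment should name the ones that do. The enclosing `runall` closure starts before the hunk and the `pkcs12` argument list continues after it.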
@@ -1,56 +0,0 @@
-####################################################################
-[ req ]
-default_bits = 2432
-default_keyfile = cakey.pem
-default_md = sha256
-distinguished_name = req_DN
-string_mask = utf8only
-x509_extensions = v3_selfsign
-
-[ req_DN ]
-commonName = "Common Name"
-commonName_value = "CA"
-
-[ v3_selfsign ]
-basicConstraints = critical,CA:true
-keyUsage = keyCertSign
-subjectKeyIdentifier=hash
-
-####################################################################
-[ ca ]
-default_ca = CA_default # The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir = ./demoCA
-certificate = ./demoCA/cacert.pem
-serial = ./demoCA/serial
-private_key = ./demoCA/private/cakey.pem
-new_certs_dir = ./demoCA/newcerts
-
-certificate = cacert.pem
-private_key = cakey.pem
-
-x509_extensions = v3_user
-
-name_opt = ca_default # Subject Name options
-cert_opt = ca_default # Certificate field options
-
-policy = policy_anything
-
-[ policy_anything ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-[ v3_user ]
-basicConstraints=critical,CA:FALSE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-issuerAltName=issuer:copy
-
diff --git a/test/recipes/90-test_store_data/dsaparam.pem b/test/recipes/90-test_store_data/dsaparam.pem
new file mode 100644
index 0000000000..60563cbb03
--- /dev/null
+++ b/test/recipes/90-test_store_data/dsaparam.pem
@@ -0,0 +1,14 @@
+-----BEGIN DSA PARAMETERS-----
+MIICLAKCAQEArjV9Th2W4p8AlmBabk0HjaV8vPmt15/V6e6mM1Hee3LSdapxd/Fj
++7bsWroNcqIaHGS45YkJbclvC3/Szp/vh1q2Zy/v7utZ9V7/qCiEnls3CRGAfAhc
+1eFIS9Jo+z+fK2tsDUgbGoDC6xEbN3nWjItyPmelBQ5Bip41ULTSQCdr/eBka1s4
+QpS1Sdrvbng3zTCJw0VQe5yM5xyYcHFdeV/v6JSFUz7voyzOGqt91l4UzVFUiZ13
+5Pgi8DUQdQVxUU+MTFwNLCy+bDTuEoKHAxkGEqiq9A08ScxwWtgy7jJQhXDoGP10
+gFMyV+5Qya7rrrYiMhZrjFna7h0z30yiPQIhAK0tbhew8+vHuO6VePIX9TMBZ7ze
+k//uQOh/8ZNtS4cTAoIBAGZv2mOljtJM1UUtdl1fzUq0GkI1hjpvqfonq94DITYK
+BynJL21JqPfG9JLXc8HYdg5hpwtulrjIyzg1EiB5pQgoNVy8UhavUroPw7FjEicL
+dKRHQ9YwuJwuQBTNmX/ojjewqT9U6WYiYUz4SQNXFDIdNz3ikviOoGpmY/Cwbgcr
+Pb/QhGqqHzB3ZeX89exVznPbvqeNOp967U+vooBMMJ4oSWVA8ANFVpmikxucRt69
+qKtfkD+3P9RvjVow4dRjOmp8jyT82RQoCeSEThdDVrjUS6IpRdMT8MJ2mwGggG6T
+Y16HJCAq/7ufqJlsp5oAuX3aZsnAcnIiDxrMI9m3Xxs=
+-----END DSA PARAMETERS-----
diff --git a/test/recipes/90-test_store_data/rsa-key-2432.pem b/test/recipes/90-test_store_data/rsa-key-2432.pem
new file mode 100644
index 0000000000..b5e37f4b8a
--- /dev/null
+++ b/test/recipes/90-test_store_data/rsa-key-2432.pem
@@ -0,0 +1,32 @@
+-----BEGIN PRIVATE KEY-----
+MIIFlQIBADANBgkqhkiG9w0BAQEFAASCBX8wggV7AgEAAoIBMQCrCYwxGQmujZVF
+lnZeobOyrk+JiHh4/6IjpepHlb1hRMZbDS2V2kZAupNr3oV14Dx4bDwbxAMOvGQr
+sVDiM+LAAZtxXXq6sQNOrq3yTPuCdW6IbsHaB5ZuPwz4cNWOOHs19Jx9UufxoFZ+
+1Cj3WG0joTCTbPNe08llJ67YKCj4b3l19AJKauPFWyLl8sQE5f29rBGGnnJYzrf3
+ZRrrZApbXy2PxDVKfkjLf89la6Hcr/RihgPiZHLoN7TyAPOL4OPY+Jv6fVG9PTrf
+3hwoTRD9Wp0ZdmOSCiU93vvoTFovnBMpfh7Qb6k+ufqZV0cvdDWYV7UQO1MBx24R
+mqcVGwHzPCMET71GoRNKvtMI3zrN/ZN8lyyqKU3pEPcLvykZ8Pi2lZB31uLA0x6Z
+zUe+rEavAgMBAAECggEwM8aFIMvCiYukl1cv5/+tRTbNLwYX6hEAhSgRnq/uj0Zh
+gWig1w8nWyrfu7S10/QYeh/RploUzt4quKtJn+AzEQqrgorYvzEcnjH0yDeTn29r
+EXPtzNGlMSR3CbImg5IHglLVGH8DZbqy1FvnNtEW4MVHzikaFyenfK6hmB+4H1Sn
+gRRnqR1oa/LlwpRV0GHLCSLQf17xoH4chaLLZXi3kdIOIcg9bzDef7APQmKHdu01
+hlAhFZ3rPib63anYtg9jG4hLrZCUHwEwHsOaDEh9QVNSxqZJS2KTtMbYIclK3hDG
+wZFmlv9bemE+KiR3EAJt9/xMROjLTNDgTOZZujR/O4IObszQ6obExiL0Z37K0AAz
+f0hhMbweg0W1hC3j/pseOZpEvfoK5QZYY0nbdNqVkQKBmQDczLiFYgDEcCbc2ak4
+VGDA/N+R1lUFvfBoBKLlWaOFSnfYC9XrGa1lVe5nMZN4OAgkR4Ogvo1uh5BzXptP
+s+fYfh40JS6RFXeO8/K8meFOUnjKiMZroBuFcJHSCDDJZFyfEM1vVqnsaLsqQHAd
+casa3PewKvUbUDMWQFNImW6dMuDL3GpKpGc4/eU3208JnpoApcnp2qLPlwKBmQDG
+TexoAiQLKRlSHrZcZJTemrTZQFoCPEoXZjbzXHERYoSOcriINWWVuhvAtA64WY/+
+lOYXb3H1kD+CccR1NLUu9lrrFbizeHl9ovrvhLCR8smgVhwP4QjW1fjNYEOfIXXX
+BPLCizKSdqDLID/Jph+ym29vOedbjHZmr6Pto3fVBKQPpkLkQmyj061pmknE8DES
+k6GFHAAkqQKBmQDTVtxzRwfm/lYkY+417YWikyhHRfihg1k9ptpoXnFG3q1xTHrY
+Cf7PFP4ZJfm6Qx9/4jeaP2nOVtGrq+1Kz69lp+mvDbvRwNNsMBGx9jQSrJvTeDE7
+yMcu5T2d5JsV2QtScVnBbRk+IEytt3nYpPkawFAP/j4Xg58yeCV/QuT+cDl8x5+x
+jEUE5vhki3TOh1Fut0FZphzaRwKBmHPpKkzlK3JGlKFWiFtbA1VWcm0mWzZBTUF+
+IpJ/LyvtPPQShGBBbd5lyUELPittVmiFWjTKlH7n0OeLXjzwEROhNiWBLdPhkInq
+UOjd02OL2WTZ0E9LxyHkMijBouUJ5tpG7yrduDK6GmSAtihE7PQ2PJ1z6BKv+Kku
+8w+9ZBbkPo1TLnhDh0L/QLagU4xEpTpphpjKdB75AoGYcaonPrYPhvM+EAe4DDTf
+qpxI6wX6P+ws9Fx8VuD/UN3DB8AhE+tlFYQYJQkgqpAvNiOg9ix0mwNDe6oB4xwB
+iQKxoBtCKYhwwP7AvXrzyqe73aWtvW9VFYUbdiVQQVqR/+Gd1wL572qFTcnw56je
+wxTi4bfTajt7O/nY7jYs3WWstBh0wyl5XNZ14Acic6ZsSp+PLCEfpLo=
+-----END PRIVATE KEY-----
diff --git a/test/recipes/90-test_store_data/user.cnf b/test/recipes/90-test_store_data/user.cnf
deleted file mode 100644
index 91f796947a..0000000000
--- a/test/recipes/90-test_store_data/user.cnf
+++ /dev/null
@@ -1,19 +0,0 @@
-####################################################################
-[ req ]
-default_bits = 2432
-default_md = sha256
-distinguished_name = req_DN
-string_mask = utf8only
-
-req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_DN ]
-commonName = "Common Name"
-commonName_value = "A user"
-userId = "User ID"
-userId_value = "test"
-
-[ v3_req ]
-extendedKeyUsage = clientAuth
-subjectKeyIdentifier = hash
-basicConstraints = CA:false