mirror of
https://github.com/openssl/openssl.git
synced 2025-01-18 13:44:20 +08:00
79c98fc6cc
At some point in time it was decided that the EC keymanagers ec_export() function would only allow the selection to be both the public + private parts. If just the private element is selected it returns an error. Many openssl commandline apps use EVP_PKEY_print_private() which passes EVP_PKEY_PRIVATE_KEY to the encoder. This selection propagates to encoder_construct_pkey(). For external providers (such as the fips provider this will call the keymanagers export() with the selection set to just the private part. So we either need to 1) change the selection in EVP_PKEY_print_private() or 2) modify the selection used in the export used in encoder_construct_pkey 3) Change the ec_export to allow this. I have chosen 2) but I am not sure if this is the correct thing to do or whether it should conditionally do this when the output_type == 'text'. Issue was reported by Ilia Okomin (Oracle). Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26004)
88 lines
2.9 KiB
Perl
88 lines
2.9 KiB
Perl
#! /usr/bin/env perl
|
|
# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
# this file except in compliance with the License. You can obtain a copy
|
|
# in the file LICENSE in the source distribution or at
|
|
# https://www.openssl.org/source/license.html
|
|
|
|
use strict;
|
|
use warnings;
|
|
|
|
use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file/;
|
|
use OpenSSL::Test::Utils;
|
|
|
|
BEGIN {
|
|
setup("test_encoder_decoder");
|
|
}
|
|
|
|
use lib srctop_dir('Configurations');
|
|
use lib bldtop_dir('.');
|
|
use platform;
|
|
|
|
my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
|
|
my $rsa_key = srctop_file("test", "certs", "ee-key.pem");
|
|
my $pss_key = srctop_file("test", "certs", "ca-pss-key.pem");
|
|
|
|
plan tests => ($no_fips ? 0 : 5) + 2; # FIPS install test + test
|
|
|
|
my $conf = srctop_file("test", "default.cnf");
|
|
|
|
# Check if the specified pattern occurs in the given file
|
|
# Returns 1 if the pattern is found and 0 if not
|
|
sub find_line_file {
|
|
my ($key, $file) = @_;
|
|
|
|
open(my $in, $file) or return -1;
|
|
while (my $line = <$in>) {
|
|
if ($line =~ /$key/) {
|
|
close($in);
|
|
return 1;
|
|
}
|
|
}
|
|
close($in);
|
|
return 0;
|
|
}
|
|
|
|
ok(run(test(["endecode_test", "-rsa", $rsa_key,
|
|
"-pss", $pss_key,
|
|
"-config", $conf,
|
|
"-provider", "default"])));
|
|
|
|
# Run with non-default library context
|
|
ok(run(test(["endecode_test", "-rsa", $rsa_key,
|
|
"-pss", $pss_key,
|
|
"-context",
|
|
"-config", $conf,
|
|
"-provider", "default"])));
|
|
|
|
unless ($no_fips) {
|
|
# Run with fips library context
|
|
my $conf = srctop_file("test", "fips-and-base.cnf");
|
|
ok(run(test(["endecode_test", "-rsa", $rsa_key,
|
|
"-pss", $pss_key,
|
|
"-config", $conf,
|
|
"-provider", "fips"])));
|
|
SKIP: {
|
|
skip "EC disabled", 2 if disabled("ec");
|
|
ok(run(app([ 'openssl', 'genpkey', '-algorithm', 'EC',
|
|
'-pkeyopt', 'group:P-256', '-text',
|
|
'-config', $conf, '-provider', 'fips', '-out', 'ec.txt' ])),
|
|
'Print a FIPS provider EC private key');
|
|
ok(find_line_file('NIST CURVE: P-256', 'ec.txt') == 1,
|
|
'Printing an FIPS provider EC private key');
|
|
}
|
|
my $no_des = disabled("des");
|
|
SKIP: {
|
|
skip "MD5 disabled", 2 if disabled("md5");
|
|
ok(run(app([ 'openssl', 'genrsa', '-aes128', '-out', 'epki.pem',
|
|
'-traditional', '-passout', 'pass:pass' ])),
|
|
"rsa encrypted using a non fips algorithm MD5 in pbe");
|
|
|
|
my $conf2 = srctop_file("test", "default-and-fips.cnf");
|
|
ok(run(test(['decoder_propq_test', '-config', $conf2,
|
|
'-provider', 'fips', 'epki.pem'])));
|
|
}
|
|
}
|