mirror of
https://github.com/openssl/openssl.git
synced 2024-12-15 06:01:37 +08:00
233 lines
8.8 KiB
Perl
233 lines
8.8 KiB
Perl
#! /usr/bin/env perl
|
|
# Copyright 2018-2024 The OpenSSL Project Authors. All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
# this file except in compliance with the License. You can obtain a copy
|
|
# in the file LICENSE in the source distribution or at
|
|
# https://www.openssl.org/source/license.html
|
|
|
|
use strict;
|
|
use warnings;
|
|
|
|
use File::Spec;
|
|
use File::Basename;
|
|
use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips/;
|
|
use OpenSSL::Test::Utils;
|
|
use File::Compare qw/compare_text compare/;
|
|
|
|
setup("test_pkeyutl");
|
|
|
|
plan tests => 19;
|
|
|
|
# For the tests below we use the cert itself as the TBS file
|
|
|
|
SKIP: {
|
|
skip "Skipping tests that require EC, SM2 or SM3", 4
|
|
if disabled("ec") || disabled("sm2") || disabled("sm3");
|
|
|
|
# SM2
|
|
ok_nofips(run(app(([ 'openssl', 'pkeyutl', '-sign',
|
|
'-in', srctop_file('test', 'certs', 'sm2.pem'),
|
|
'-inkey', srctop_file('test', 'certs', 'sm2.key'),
|
|
'-out', 'sm2.sig', '-rawin',
|
|
'-digest', 'sm3', '-pkeyopt', 'distid:someid']))),
|
|
"Sign a piece of data using SM2");
|
|
ok_nofips(run(app(([ 'openssl', 'pkeyutl',
|
|
'-verify', '-certin',
|
|
'-in', srctop_file('test', 'certs', 'sm2.pem'),
|
|
'-inkey', srctop_file('test', 'certs', 'sm2.pem'),
|
|
'-sigfile', 'sm2.sig', '-rawin',
|
|
'-digest', 'sm3', '-pkeyopt', 'distid:someid']))),
|
|
"Verify an SM2 signature against a piece of data");
|
|
ok_nofips(run(app(([ 'openssl', 'pkeyutl', '-encrypt',
|
|
'-in', srctop_file('test', 'data2.bin'),
|
|
'-inkey', srctop_file('test', 'certs', 'sm2-pub.key'),
|
|
'-pubin', '-out', 'sm2.enc']))),
|
|
"Encrypt a piece of data using SM2");
|
|
ok_nofips(run(app(([ 'openssl', 'pkeyutl', '-decrypt',
|
|
'-in', 'sm2.enc',
|
|
'-inkey', srctop_file('test', 'certs', 'sm2.key'),
|
|
'-out', 'sm2.dat'])))
|
|
&& compare_text('sm2.dat',
|
|
srctop_file('test', 'data2.bin')) == 0,
|
|
"Decrypt a piece of data using SM2");
|
|
}
|
|
|
|
SKIP: {
|
|
skip "Skipping tests that require ECX", 4
|
|
if disabled("ecx");
|
|
|
|
# Ed25519
|
|
ok(run(app(([ 'openssl', 'pkeyutl', '-sign', '-in',
|
|
srctop_file('test', 'certs', 'server-ed25519-cert.pem'),
|
|
'-inkey', srctop_file('test', 'certs', 'server-ed25519-key.pem'),
|
|
'-out', 'Ed25519.sig', '-rawin']))),
|
|
"Sign a piece of data using Ed25519");
|
|
ok(run(app(([ 'openssl', 'pkeyutl', '-verify', '-certin', '-in',
|
|
srctop_file('test', 'certs', 'server-ed25519-cert.pem'),
|
|
'-inkey', srctop_file('test', 'certs', 'server-ed25519-cert.pem'),
|
|
'-sigfile', 'Ed25519.sig', '-rawin']))),
|
|
"Verify an Ed25519 signature against a piece of data");
|
|
|
|
# Ed448
|
|
ok(run(app(([ 'openssl', 'pkeyutl', '-sign', '-in',
|
|
srctop_file('test', 'certs', 'server-ed448-cert.pem'),
|
|
'-inkey', srctop_file('test', 'certs', 'server-ed448-key.pem'),
|
|
'-out', 'Ed448.sig', '-rawin']))),
|
|
"Sign a piece of data using Ed448");
|
|
ok(run(app(([ 'openssl', 'pkeyutl', '-verify', '-certin', '-in',
|
|
srctop_file('test', 'certs', 'server-ed448-cert.pem'),
|
|
'-inkey', srctop_file('test', 'certs', 'server-ed448-cert.pem'),
|
|
'-sigfile', 'Ed448.sig', '-rawin']))),
|
|
"Verify an Ed448 signature against a piece of data");
|
|
}
|
|
|
|
sub tsignverify {
|
|
my $testtext = shift;
|
|
my $privkey = shift;
|
|
my $pubkey = shift;
|
|
my @extraopts = @_;
|
|
|
|
my $data_to_sign = srctop_file('test', 'data.bin');
|
|
my $other_data = srctop_file('test', 'data2.bin');
|
|
my $sigfile = basename($privkey, '.pem') . '.sig';
|
|
|
|
my @args = ();
|
|
plan tests => 5;
|
|
|
|
@args = ('openssl', 'pkeyutl', '-sign',
|
|
'-inkey', $privkey,
|
|
'-out', $sigfile,
|
|
'-in', $data_to_sign);
|
|
push(@args, @extraopts);
|
|
ok(run(app([@args])),
|
|
$testtext.": Generating signature");
|
|
|
|
@args = ('openssl', 'pkeyutl', '-sign',
|
|
'-inkey', $privkey,
|
|
'-keyform', 'DER',
|
|
'-out', $sigfile,
|
|
'-in', $data_to_sign);
|
|
push(@args, @extraopts);
|
|
ok(!run(app([@args])),
|
|
$testtext.": Checking that mismatching keyform fails");
|
|
|
|
@args = ('openssl', 'pkeyutl', '-verify',
|
|
'-inkey', $privkey,
|
|
'-sigfile', $sigfile,
|
|
'-in', $data_to_sign);
|
|
push(@args, @extraopts);
|
|
ok(run(app([@args])),
|
|
$testtext.": Verify signature with private key");
|
|
|
|
@args = ('openssl', 'pkeyutl', '-verify',
|
|
'-keyform', 'PEM',
|
|
'-inkey', $pubkey, '-pubin',
|
|
'-sigfile', $sigfile,
|
|
'-in', $data_to_sign);
|
|
push(@args, @extraopts);
|
|
ok(run(app([@args])),
|
|
$testtext.": Verify signature with public key");
|
|
|
|
@args = ('openssl', 'pkeyutl', '-verify',
|
|
'-inkey', $pubkey, '-pubin',
|
|
'-sigfile', $sigfile,
|
|
'-in', $other_data);
|
|
push(@args, @extraopts);
|
|
ok(!run(app([@args])),
|
|
$testtext.": Expect failure verifying mismatching data");
|
|
}
|
|
|
|
SKIP: {
|
|
skip "RSA is not supported by this OpenSSL build", 1
|
|
if disabled("rsa");
|
|
|
|
subtest "RSA CLI signature generation and verification" => sub {
|
|
tsignverify("RSA",
|
|
srctop_file("test","testrsa.pem"),
|
|
srctop_file("test","testrsapub.pem"),
|
|
"-rawin", "-digest", "sha256");
|
|
};
|
|
|
|
subtest "RSA CLI signature and verification with pkeyopt" => sub {
|
|
tsignverify("RSA",
|
|
srctop_file("test","testrsa.pem"),
|
|
srctop_file("test","testrsapub.pem"),
|
|
"-rawin", "-digest", "sha256",
|
|
"-pkeyopt", "rsa_padding_mode:pss");
|
|
};
|
|
}
|
|
|
|
SKIP: {
|
|
skip "DSA is not supported by this OpenSSL build", 1
|
|
if disabled("dsa");
|
|
|
|
subtest "DSA CLI signature generation and verification" => sub {
|
|
tsignverify("DSA",
|
|
srctop_file("test","testdsa.pem"),
|
|
srctop_file("test","testdsapub.pem"),
|
|
"-rawin", "-digest", "sha256");
|
|
};
|
|
}
|
|
|
|
SKIP: {
|
|
skip "ECDSA is not supported by this OpenSSL build", 1
|
|
if disabled("ec");
|
|
|
|
subtest "ECDSA CLI signature generation and verification" => sub {
|
|
tsignverify("ECDSA",
|
|
srctop_file("test","testec-p256.pem"),
|
|
srctop_file("test","testecpub-p256.pem"),
|
|
"-rawin", "-digest", "sha256");
|
|
};
|
|
}
|
|
|
|
SKIP: {
|
|
skip "EdDSA is not supported by this OpenSSL build", 2
|
|
if disabled("ecx");
|
|
|
|
subtest "Ed2559 CLI signature generation and verification" => sub {
|
|
tsignverify("Ed25519",
|
|
srctop_file("test","tested25519.pem"),
|
|
srctop_file("test","tested25519pub.pem"),
|
|
"-rawin");
|
|
};
|
|
|
|
subtest "Ed448 CLI signature generation and verification" => sub {
|
|
tsignverify("Ed448",
|
|
srctop_file("test","tested448.pem"),
|
|
srctop_file("test","tested448pub.pem"),
|
|
"-rawin");
|
|
};
|
|
}
|
|
|
|
#Encap/decap tests
|
|
# openssl pkeyutl -encap -pubin -inkey rsa_pub.pem -secret secret.bin -out encap_out.bin
|
|
# openssl pkeyutl -decap -inkey rsa_priv.pem -in encap_out.bin -out decap_out.bin
|
|
# decap_out is equal to secret
|
|
SKIP: {
|
|
skip "RSA is not supported by this OpenSSL build", 3
|
|
if disabled("rsa");
|
|
|
|
# Self-compat
|
|
ok(run(app(([ 'openssl', 'pkeyutl', '-encap', '-pubin', '-kemop', 'RSASVE',
|
|
'-inkey', srctop_file('test', 'testrsa2048pub.pem'),
|
|
'-out', 'encap_out.bin', '-secret', 'secret.bin']))),
|
|
"RSA pubkey encapsulation");
|
|
ok(run(app(([ 'openssl', 'pkeyutl', '-decap', '-kemop', 'RSASVE',
|
|
'-inkey', srctop_file('test', 'testrsa2048.pem'),
|
|
'-in', 'encap_out.bin', '-out', 'decap_out.bin']))),
|
|
"RSA pubkey decapsulation");
|
|
is(compare("secret.bin", "decap_out.bin"), 0, "Secret is correctly decapsulated");
|
|
|
|
# Pregenerated
|
|
ok(run(app(([ 'openssl', 'pkeyutl', '-decap', '-kemop', 'RSASVE',
|
|
'-inkey', srctop_file('test', 'testrsa2048.pem'),
|
|
'-in', srctop_file('test', 'encap_out.bin'), '-out', 'decap_out_etl.bin']))),
|
|
"RSA pubkey decapsulation - pregenerated");
|
|
|
|
is(compare(srctop_file('test', 'encap_secret.bin'), "decap_out_etl.bin"), 0,
|
|
"Secret is correctly decapsulated - pregenerated");
|
|
}
|
|
|