]>
Commit | Line | Data |
---|---|---|
388eb0d9 RL |
1 | /* |
2 | * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <openssl/asn1.h> | |
11 | #include <openssl/pem.h> | |
12 | #include "internal/sizes.h" | |
13 | #include "crypto/evp.h" | |
14 | #include "testutil.h" | |
15 | ||
16 | /* Collected arguments */ | |
17 | static const char *eecert_filename = NULL; /* For test_x509_file() */ | |
18 | static const char *cacert_filename = NULL; /* For test_x509_file() */ | |
19 | static const char *pubkey_filename = NULL; /* For test_spki_file() */ | |
20 | ||
21 | #define ALGORITHMID_NAME "algorithm-id" | |
22 | ||
23 | static int test_spki_aid(X509_PUBKEY *pubkey, const char *filename) | |
24 | { | |
25 | const ASN1_OBJECT *oid; | |
26 | X509_ALGOR *alg = NULL; | |
27 | EVP_PKEY *pkey = NULL; | |
28 | EVP_KEYMGMT *keymgmt = NULL; | |
29 | void *keydata = NULL; | |
30 | char name[OSSL_MAX_NAME_SIZE] = ""; | |
31 | unsigned char *algid_legacy = NULL; | |
32 | int algid_legacy_len = 0; | |
33 | static unsigned char algid_prov[OSSL_MAX_ALGORITHM_ID_SIZE]; | |
34 | size_t algid_prov_len = 0; | |
35 | const OSSL_PARAM *gettable_params = NULL; | |
36 | OSSL_PARAM params[] = { | |
37 | OSSL_PARAM_octet_string(ALGORITHMID_NAME, | |
38 | &algid_prov, sizeof(algid_prov)), | |
39 | OSSL_PARAM_END | |
40 | }; | |
41 | int ret = 0; | |
42 | ||
43 | if (!TEST_true(X509_PUBKEY_get0_param(NULL, NULL, NULL, &alg, pubkey)) | |
44 | || !TEST_ptr(pkey = X509_PUBKEY_get0(pubkey))) | |
45 | goto end; | |
46 | ||
47 | if (!TEST_int_ge(algid_legacy_len = i2d_X509_ALGOR(alg, &algid_legacy), 0)) | |
48 | goto end; | |
49 | ||
50 | X509_ALGOR_get0(&oid, NULL, NULL, alg); | |
2349d7ba | 51 | if (!TEST_int_gt(OBJ_obj2txt(name, sizeof(name), oid, 0), 0)) |
388eb0d9 RL |
52 | goto end; |
53 | ||
54 | /* | |
55 | * We use an internal functions to ensure we have a provided key. | |
56 | * Note that |keydata| should not be freed, as it's cached in |pkey|. | |
57 | * The |keymgmt|, however, should, as its reference count is incremented | |
58 | * in this function. | |
59 | */ | |
60 | if ((keydata = evp_pkey_export_to_provider(pkey, NULL, | |
61 | &keymgmt, NULL)) == NULL) { | |
62 | TEST_info("The public key found in '%s' doesn't have provider support." | |
63 | " Skipping...", | |
64 | filename); | |
65 | ret = 1; | |
66 | goto end; | |
67 | } | |
68 | ||
69 | if (!TEST_true(EVP_KEYMGMT_is_a(keymgmt, name))) { | |
70 | TEST_info("The AlgorithmID key type (%s) for the public key found in" | |
71 | " '%s' doesn't match the key type of the extracted public" | |
72 | " key.", | |
73 | name, filename); | |
74 | ret = 1; | |
75 | goto end; | |
76 | } | |
77 | ||
78 | if (!TEST_ptr(gettable_params = EVP_KEYMGMT_gettable_params(keymgmt)) | |
79 | || !TEST_ptr(OSSL_PARAM_locate_const(gettable_params, ALGORITHMID_NAME))) { | |
80 | TEST_info("The %s provider keymgmt appears to lack support for algorithm-id." | |
81 | " Skipping...", | |
82 | name); | |
83 | ret = 1; | |
84 | goto end; | |
85 | } | |
86 | ||
87 | algid_prov[0] = '\0'; | |
88 | if (!TEST_true(evp_keymgmt_get_params(keymgmt, keydata, params))) | |
89 | goto end; | |
90 | algid_prov_len = params[0].return_size; | |
91 | ||
92 | /* We now have all the algorithm IDs we need, let's compare them */ | |
93 | if (TEST_mem_eq(algid_legacy, algid_legacy_len, | |
94 | algid_prov, algid_prov_len)) | |
95 | ret = 1; | |
96 | ||
97 | end: | |
98 | EVP_KEYMGMT_free(keymgmt); | |
99 | OPENSSL_free(algid_legacy); | |
100 | return ret; | |
101 | } | |
102 | ||
103 | static int test_x509_spki_aid(X509 *cert, const char *filename) | |
104 | { | |
105 | X509_PUBKEY *pubkey = X509_get_X509_PUBKEY(cert); | |
106 | ||
107 | return test_spki_aid(pubkey, filename); | |
108 | } | |
109 | ||
388eb0d9 RL |
110 | static int test_x509_sig_aid(X509 *eecert, const char *ee_filename, |
111 | X509 *cacert, const char *ca_filename) | |
112 | { | |
113 | const ASN1_OBJECT *sig_oid = NULL; | |
114 | const X509_ALGOR *alg = NULL; | |
115 | int sig_nid = NID_undef, dig_nid = NID_undef, pkey_nid = NID_undef; | |
116 | EVP_MD_CTX *mdctx = NULL; | |
117 | EVP_PKEY_CTX *pctx = NULL; | |
118 | EVP_PKEY *pkey = NULL; | |
119 | unsigned char *algid_legacy = NULL; | |
120 | int algid_legacy_len = 0; | |
121 | static unsigned char algid_prov[OSSL_MAX_ALGORITHM_ID_SIZE]; | |
122 | size_t algid_prov_len = 0; | |
123 | const OSSL_PARAM *gettable_params = NULL; | |
124 | OSSL_PARAM params[] = { | |
125 | OSSL_PARAM_octet_string("algorithm-id", | |
126 | &algid_prov, sizeof(algid_prov)), | |
127 | OSSL_PARAM_END | |
128 | }; | |
129 | int ret = 0; | |
130 | ||
131 | X509_get0_signature(NULL, &alg, eecert); | |
132 | X509_ALGOR_get0(&sig_oid, NULL, NULL, alg); | |
133 | if (!TEST_int_eq(X509_ALGOR_cmp(alg, X509_get0_tbs_sigalg(eecert)), 0)) | |
134 | goto end; | |
135 | if (!TEST_int_ne(sig_nid = OBJ_obj2nid(sig_oid), NID_undef) | |
136 | || !TEST_true(OBJ_find_sigid_algs(sig_nid, &dig_nid, &pkey_nid)) | |
137 | || !TEST_ptr(pkey = X509_get0_pubkey(cacert))) | |
138 | goto end; | |
139 | ||
140 | if (!TEST_true(EVP_PKEY_is_a(pkey, OBJ_nid2sn(pkey_nid)))) { | |
141 | TEST_info("The '%s' pubkey can't be used to verify the '%s' signature", | |
142 | ca_filename, ee_filename); | |
143 | TEST_info("Signature algorithm is %s (pkey type %s, hash type %s)", | |
144 | OBJ_nid2sn(sig_nid), OBJ_nid2sn(pkey_nid), OBJ_nid2sn(dig_nid)); | |
ddf0d149 | 145 | TEST_info("Pkey key type is %s", EVP_PKEY_get0_type_name(pkey)); |
388eb0d9 RL |
146 | goto end; |
147 | } | |
148 | ||
149 | if (!TEST_int_ge(algid_legacy_len = i2d_X509_ALGOR(alg, &algid_legacy), 0)) | |
150 | goto end; | |
151 | ||
152 | if (!TEST_ptr(mdctx = EVP_MD_CTX_new()) | |
153 | || !TEST_true(EVP_DigestVerifyInit_ex(mdctx, &pctx, | |
154 | OBJ_nid2sn(dig_nid), | |
af6171b3 | 155 | NULL, NULL, pkey, NULL))) { |
388eb0d9 RL |
156 | TEST_info("Couldn't initialize a DigestVerify operation with " |
157 | "pkey type %s and hash type %s", | |
158 | OBJ_nid2sn(pkey_nid), OBJ_nid2sn(dig_nid)); | |
159 | goto end; | |
160 | } | |
161 | ||
162 | if (!TEST_ptr(gettable_params = EVP_PKEY_CTX_gettable_params(pctx)) | |
163 | || !TEST_ptr(OSSL_PARAM_locate_const(gettable_params, ALGORITHMID_NAME))) { | |
164 | TEST_info("The %s provider keymgmt appears to lack support for algorithm-id" | |
165 | " Skipping...", | |
166 | OBJ_nid2sn(pkey_nid)); | |
167 | ret = 1; | |
168 | goto end; | |
169 | } | |
170 | ||
171 | algid_prov[0] = '\0'; | |
172 | if (!TEST_true(EVP_PKEY_CTX_get_params(pctx, params))) | |
173 | goto end; | |
174 | algid_prov_len = params[0].return_size; | |
175 | ||
176 | /* We now have all the algorithm IDs we need, let's compare them */ | |
177 | if (TEST_mem_eq(algid_legacy, algid_legacy_len, | |
178 | algid_prov, algid_prov_len)) | |
179 | ret = 1; | |
180 | ||
181 | end: | |
182 | EVP_MD_CTX_free(mdctx); | |
183 | /* pctx is free by EVP_MD_CTX_free() */ | |
184 | OPENSSL_free(algid_legacy); | |
185 | return ret; | |
186 | } | |
187 | ||
188 | static int test_spki_file(void) | |
189 | { | |
190 | X509_PUBKEY *pubkey = NULL; | |
191 | BIO *b = BIO_new_file(pubkey_filename, "r"); | |
192 | int ret = 0; | |
193 | ||
194 | if (b == NULL) { | |
195 | TEST_error("Couldn't open '%s' for reading\n", pubkey_filename); | |
196 | TEST_openssl_errors(); | |
197 | goto end; | |
198 | } | |
199 | ||
200 | if ((pubkey = PEM_read_bio_X509_PUBKEY(b, NULL, NULL, NULL)) == NULL) { | |
201 | TEST_error("'%s' doesn't appear to be a SubjectPublicKeyInfo in PEM format\n", | |
202 | pubkey_filename); | |
203 | TEST_openssl_errors(); | |
204 | goto end; | |
205 | } | |
206 | ||
207 | ret = test_spki_aid(pubkey, pubkey_filename); | |
208 | end: | |
209 | BIO_free(b); | |
210 | X509_PUBKEY_free(pubkey); | |
211 | return ret; | |
212 | } | |
213 | ||
214 | static int test_x509_files(void) | |
215 | { | |
216 | X509 *eecert = NULL, *cacert = NULL; | |
217 | BIO *bee = NULL, *bca = NULL; | |
218 | int ret = 0; | |
219 | ||
220 | if ((bee = BIO_new_file(eecert_filename, "r")) == NULL) { | |
221 | TEST_error("Couldn't open '%s' for reading\n", eecert_filename); | |
222 | TEST_openssl_errors(); | |
223 | goto end; | |
224 | } | |
225 | if ((bca = BIO_new_file(cacert_filename, "r")) == NULL) { | |
226 | TEST_error("Couldn't open '%s' for reading\n", cacert_filename); | |
227 | TEST_openssl_errors(); | |
228 | goto end; | |
229 | } | |
230 | ||
231 | if ((eecert = PEM_read_bio_X509(bee, NULL, NULL, NULL)) == NULL) { | |
232 | TEST_error("'%s' doesn't appear to be a X.509 certificate in PEM format\n", | |
233 | eecert_filename); | |
234 | TEST_openssl_errors(); | |
235 | goto end; | |
236 | } | |
237 | if ((cacert = PEM_read_bio_X509(bca, NULL, NULL, NULL)) == NULL) { | |
238 | TEST_error("'%s' doesn't appear to be a X.509 certificate in PEM format\n", | |
239 | cacert_filename); | |
240 | TEST_openssl_errors(); | |
241 | goto end; | |
242 | } | |
243 | ||
244 | ret = test_x509_sig_aid(eecert, eecert_filename, cacert, cacert_filename) | |
245 | & test_x509_spki_aid(eecert, eecert_filename) | |
246 | & test_x509_spki_aid(cacert, cacert_filename); | |
247 | end: | |
248 | BIO_free(bee); | |
249 | BIO_free(bca); | |
250 | X509_free(eecert); | |
251 | X509_free(cacert); | |
252 | return ret; | |
253 | } | |
254 | ||
255 | typedef enum OPTION_choice { | |
256 | OPT_ERR = -1, | |
257 | OPT_EOF = 0, | |
258 | OPT_X509, | |
259 | OPT_SPKI, | |
260 | OPT_TEST_ENUM | |
261 | } OPTION_CHOICE; | |
262 | ||
263 | const OPTIONS *test_get_options(void) | |
264 | { | |
265 | static const OPTIONS test_options[] = { | |
266 | OPT_TEST_OPTIONS_WITH_EXTRA_USAGE("file...\n"), | |
267 | { "x509", OPT_X509, '-', "Test X.509 certificates. Requires two files" }, | |
268 | { "spki", OPT_SPKI, '-', "Test public keys in SubjectPublicKeyInfo form. Requires one file" }, | |
269 | { OPT_HELP_STR, 1, '-', | |
270 | "file...\tFile(s) to run tests on. All files must be PEM encoded.\n" }, | |
271 | { NULL } | |
272 | }; | |
273 | return test_options; | |
274 | } | |
275 | ||
276 | int setup_tests(void) | |
277 | { | |
278 | OPTION_CHOICE o; | |
279 | int n, x509 = 0, spki = 0, testcount = 0; | |
280 | ||
281 | while ((o = opt_next()) != OPT_EOF) { | |
282 | switch (o) { | |
283 | case OPT_X509: | |
284 | x509 = 1; | |
285 | break; | |
286 | case OPT_SPKI: | |
287 | spki = 1; | |
288 | break; | |
289 | case OPT_TEST_CASES: | |
290 | break; | |
291 | default: | |
292 | case OPT_ERR: | |
293 | return 0; | |
294 | } | |
295 | } | |
296 | ||
297 | /* |testcount| adds all the given test types together */ | |
298 | testcount = x509 + spki; | |
299 | ||
300 | if (testcount < 1) | |
301 | BIO_printf(bio_err, "No test type given\n"); | |
302 | else if (testcount > 1) | |
303 | BIO_printf(bio_err, "Only one test type may be given\n"); | |
304 | if (testcount != 1) | |
305 | return 0; | |
306 | ||
307 | n = test_get_argument_count(); | |
308 | if (spki && n == 1) { | |
309 | pubkey_filename = test_get_argument(0); | |
310 | } else if (x509 && n == 2) { | |
311 | eecert_filename = test_get_argument(0); | |
312 | cacert_filename = test_get_argument(1); | |
313 | } | |
314 | ||
315 | if (spki && pubkey_filename == NULL) { | |
316 | BIO_printf(bio_err, "Missing -spki argument\n"); | |
317 | return 0; | |
318 | } else if (x509 && (eecert_filename == NULL || cacert_filename == NULL)) { | |
319 | BIO_printf(bio_err, "Missing -x509 argument(s)\n"); | |
320 | return 0; | |
321 | } | |
322 | ||
323 | if (x509) | |
324 | ADD_TEST(test_x509_files); | |
325 | if (spki) | |
326 | ADD_TEST(test_spki_file); | |
327 | return 1; | |
328 | } |