#! /usr/bin/env perl
-# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
setup("test_req");
-plan tests => 38;
+plan tests => 43;
require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
# Check for duplicate -addext parameters, and one "working" case.
my @addext_args = ( "openssl", "req", "-new", "-out", "testreq.pem",
+ "-key", srctop_file("test", "certs", "ee-key.pem"),
"-config", srctop_file("test", "test.cnf"), @req_new );
my $val = "subjectAltName=DNS:example.com";
my $val2 = " " . $val;
subtest "generating certificate requests with RSA" => sub {
- plan tests => 2;
+ plan tests => 7;
SKIP: {
skip "RSA is not supported by this OpenSSL build", 2
if disabled("rsa");
+ ok(!run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-new", "-out", "testreq-rsa.pem", "-utf8",
+ "-key", srctop_file("test", "testrsa.pem"),
+ "-keyform", "DER"])),
+ "Checking that mismatching keyform fails");
+
ok(run(app(["openssl", "req",
"-config", srctop_file("test", "test.cnf"),
"-new", "-out", "testreq-rsa.pem", "-utf8",
- "-key", srctop_file("test", "testrsa.pem")])),
+ "-key", srctop_file("test", "testrsa.pem"),
+ "-keyform", "PEM"])),
"Generating request");
ok(run(app(["openssl", "req",
"-config", srctop_file("test", "test.cnf"),
"-verify", "-in", "testreq-rsa.pem", "-noout"])),
"Verifying signature on request");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-new", "-out", "testreq_withattrs_pem.pem", "-utf8",
+ "-key", srctop_file("test", "testrsa_withattrs.pem")])),
+ "Generating request from a key with extra attributes - PEM");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-verify", "-in", "testreq_withattrs_pem.pem", "-noout"])),
+ "Verifying signature on request from a key with extra attributes - PEM");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-new", "-out", "testreq_withattrs_der.pem", "-utf8",
+ "-key", srctop_file("test", "testrsa_withattrs.der"),
+ "-keyform", "DER"])),
+ "Generating request from a key with extra attributes - PEM");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-verify", "-in", "testreq_withattrs_der.pem", "-noout"])),
+ "Verifying signature on request from a key with extra attributes - PEM");
+ }
+};
+
+subtest "generating certificate requests with RSA-PSS" => sub {
+ plan tests => 12;
+
+ SKIP: {
+ skip "RSA is not supported by this OpenSSL build", 2
+ if disabled("rsa");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-new", "-out", "testreq-rsapss.pem", "-utf8",
+ "-key", srctop_file("test", "testrsapss.pem")])),
+ "Generating request");
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-verify", "-in", "testreq-rsapss.pem", "-noout"])),
+ "Verifying signature on request");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-new", "-out", "testreq-rsapss2.pem", "-utf8",
+ "-sigopt", "rsa_padding_mode:pss",
+ "-sigopt", "rsa_pss_saltlen:-1",
+ "-key", srctop_file("test", "testrsapss.pem")])),
+ "Generating request");
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-verify", "-in", "testreq-rsapss2.pem", "-noout"])),
+ "Verifying signature on request");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-new", "-out", "testreq-rsapssmand.pem", "-utf8",
+ "-sigopt", "rsa_padding_mode:pss",
+ "-key", srctop_file("test", "testrsapssmandatory.pem")])),
+ "Generating request");
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-verify", "-in", "testreq-rsapssmand.pem", "-noout"])),
+ "Verifying signature on request");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-new", "-out", "testreq-rsapssmand2.pem", "-utf8",
+ "-sigopt", "rsa_pss_saltlen:100",
+ "-key", srctop_file("test", "testrsapssmandatory.pem")])),
+ "Generating request");
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-verify", "-in", "testreq-rsapssmand2.pem", "-noout"])),
+ "Verifying signature on request");
+
+ ok(!run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-new", "-out", "testreq-rsapss3.pem", "-utf8",
+ "-sigopt", "rsa_padding_mode:pkcs1",
+ "-key", srctop_file("test", "testrsapss.pem")])),
+ "Generating request with expected failure");
+
+ ok(!run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-new", "-out", "testreq-rsapss3.pem", "-utf8",
+ "-sigopt", "rsa_pss_saltlen:-4",
+ "-key", srctop_file("test", "testrsapss.pem")])),
+ "Generating request with expected failure");
+
+ ok(!run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-new", "-out", "testreq-rsapssmand3.pem", "-utf8",
+ "-sigopt", "rsa_pss_saltlen:10",
+ "-key", srctop_file("test", "testrsapssmandatory.pem")])),
+ "Generating request with expected failure");
+
+ ok(!run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-new", "-out", "testreq-rsapssmand3.pem", "-utf8",
+ "-sha256",
+ "-key", srctop_file("test", "testrsapssmandatory.pem")])),
+ "Generating request with expected failure");
}
};
plan tests => 2;
ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"),
+ "-key", srctop_file("test", "certs", "ee-key.pem"),
@req_new, "-out", "testreq.pem"])),
"Generating request");
my $expect = shift @_;
cert_contains($cert, "Authority Key Identifier", $expect);
}
+sub has_keyUsage {
+ my $cert = shift @_;
+ my $expect = shift @_;
+ cert_contains($cert, "Key Usage", $expect);
+}
sub strict_verify {
my $cert = shift @_;
my $expect = shift @_;
"-in", srctop_file(@certs, "x509-check.csr"));
cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
strict_verify($cert, 1);
+
+my $cert = "self-signed_CA_no_keyUsage.pem";
+generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"));
+has_keyUsage($cert, 0);
+my $cert = "self-signed_CA_with_keyUsages.pem";
+generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"),
+ "-copy_extensions", "copy");
+has_keyUsage($cert, 1);