]>
Commit | Line | Data |
---|---|---|
388eb0d9 RL |
1 | /* |
2 | * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include <openssl/asn1.h> | |
11 | #include <openssl/pem.h> | |
12 | #include "internal/sizes.h" | |
13 | #include "crypto/evp.h" | |
14 | #include "testutil.h" | |
15 | ||
16 | /* Collected arguments */ | |
17 | static const char *eecert_filename = NULL; /* For test_x509_file() */ | |
18 | static const char *cacert_filename = NULL; /* For test_x509_file() */ | |
19 | static const char *pubkey_filename = NULL; /* For test_spki_file() */ | |
20 | ||
21 | #define ALGORITHMID_NAME "algorithm-id" | |
22 | ||
23 | static int test_spki_aid(X509_PUBKEY *pubkey, const char *filename) | |
24 | { | |
25 | const ASN1_OBJECT *oid; | |
26 | X509_ALGOR *alg = NULL; | |
27 | EVP_PKEY *pkey = NULL; | |
28 | EVP_KEYMGMT *keymgmt = NULL; | |
29 | void *keydata = NULL; | |
30 | char name[OSSL_MAX_NAME_SIZE] = ""; | |
31 | unsigned char *algid_legacy = NULL; | |
32 | int algid_legacy_len = 0; | |
33 | static unsigned char algid_prov[OSSL_MAX_ALGORITHM_ID_SIZE]; | |
34 | size_t algid_prov_len = 0; | |
35 | const OSSL_PARAM *gettable_params = NULL; | |
36 | OSSL_PARAM params[] = { | |
37 | OSSL_PARAM_octet_string(ALGORITHMID_NAME, | |
38 | &algid_prov, sizeof(algid_prov)), | |
39 | OSSL_PARAM_END | |
40 | }; | |
41 | int ret = 0; | |
42 | ||
43 | if (!TEST_true(X509_PUBKEY_get0_param(NULL, NULL, NULL, &alg, pubkey)) | |
44 | || !TEST_ptr(pkey = X509_PUBKEY_get0(pubkey))) | |
45 | goto end; | |
46 | ||
47 | if (!TEST_int_ge(algid_legacy_len = i2d_X509_ALGOR(alg, &algid_legacy), 0)) | |
48 | goto end; | |
49 | ||
50 | X509_ALGOR_get0(&oid, NULL, NULL, alg); | |
51 | if (!TEST_true(OBJ_obj2txt(name, sizeof(name), oid, 0))) | |
52 | goto end; | |
53 | ||
54 | /* | |
55 | * We use an internal functions to ensure we have a provided key. | |
56 | * Note that |keydata| should not be freed, as it's cached in |pkey|. | |
57 | * The |keymgmt|, however, should, as its reference count is incremented | |
58 | * in this function. | |
59 | */ | |
60 | if ((keydata = evp_pkey_export_to_provider(pkey, NULL, | |
61 | &keymgmt, NULL)) == NULL) { | |
62 | TEST_info("The public key found in '%s' doesn't have provider support." | |
63 | " Skipping...", | |
64 | filename); | |
65 | ret = 1; | |
66 | goto end; | |
67 | } | |
68 | ||
69 | if (!TEST_true(EVP_KEYMGMT_is_a(keymgmt, name))) { | |
70 | TEST_info("The AlgorithmID key type (%s) for the public key found in" | |
71 | " '%s' doesn't match the key type of the extracted public" | |
72 | " key.", | |
73 | name, filename); | |
74 | ret = 1; | |
75 | goto end; | |
76 | } | |
77 | ||
78 | if (!TEST_ptr(gettable_params = EVP_KEYMGMT_gettable_params(keymgmt)) | |
79 | || !TEST_ptr(OSSL_PARAM_locate_const(gettable_params, ALGORITHMID_NAME))) { | |
80 | TEST_info("The %s provider keymgmt appears to lack support for algorithm-id." | |
81 | " Skipping...", | |
82 | name); | |
83 | ret = 1; | |
84 | goto end; | |
85 | } | |
86 | ||
87 | algid_prov[0] = '\0'; | |
88 | if (!TEST_true(evp_keymgmt_get_params(keymgmt, keydata, params))) | |
89 | goto end; | |
90 | algid_prov_len = params[0].return_size; | |
91 | ||
92 | /* We now have all the algorithm IDs we need, let's compare them */ | |
93 | if (TEST_mem_eq(algid_legacy, algid_legacy_len, | |
94 | algid_prov, algid_prov_len)) | |
95 | ret = 1; | |
96 | ||
97 | end: | |
98 | EVP_KEYMGMT_free(keymgmt); | |
99 | OPENSSL_free(algid_legacy); | |
100 | return ret; | |
101 | } | |
102 | ||
103 | static int test_x509_spki_aid(X509 *cert, const char *filename) | |
104 | { | |
105 | X509_PUBKEY *pubkey = X509_get_X509_PUBKEY(cert); | |
106 | ||
107 | return test_spki_aid(pubkey, filename); | |
108 | } | |
109 | ||
110 | /* | |
111 | * TODO | |
112 | * When we gain the ability to get an EVP_SIGNATURE with a complete signature | |
113 | * algorithm name (like "sha1WithRSAEncryption" or its corresponding OID in | |
114 | * text form, "1.2.840.113549.1.1.2"), we won't have to limit this test to | |
115 | * what we have in libcrypto's cross-reference db, i.e. won't have to call | |
116 | * OBJ_find_sigid_algs() to find out the EVP_PKEY_METHOD NID any more. | |
117 | * All we'd have to do is used OBJ_obj2txt() on an ASN1_OBJECT and pass the | |
118 | * result. | |
119 | */ | |
120 | static int test_x509_sig_aid(X509 *eecert, const char *ee_filename, | |
121 | X509 *cacert, const char *ca_filename) | |
122 | { | |
123 | const ASN1_OBJECT *sig_oid = NULL; | |
124 | const X509_ALGOR *alg = NULL; | |
125 | int sig_nid = NID_undef, dig_nid = NID_undef, pkey_nid = NID_undef; | |
126 | EVP_MD_CTX *mdctx = NULL; | |
127 | EVP_PKEY_CTX *pctx = NULL; | |
128 | EVP_PKEY *pkey = NULL; | |
129 | unsigned char *algid_legacy = NULL; | |
130 | int algid_legacy_len = 0; | |
131 | static unsigned char algid_prov[OSSL_MAX_ALGORITHM_ID_SIZE]; | |
132 | size_t algid_prov_len = 0; | |
133 | const OSSL_PARAM *gettable_params = NULL; | |
134 | OSSL_PARAM params[] = { | |
135 | OSSL_PARAM_octet_string("algorithm-id", | |
136 | &algid_prov, sizeof(algid_prov)), | |
137 | OSSL_PARAM_END | |
138 | }; | |
139 | int ret = 0; | |
140 | ||
141 | X509_get0_signature(NULL, &alg, eecert); | |
142 | X509_ALGOR_get0(&sig_oid, NULL, NULL, alg); | |
143 | if (!TEST_int_eq(X509_ALGOR_cmp(alg, X509_get0_tbs_sigalg(eecert)), 0)) | |
144 | goto end; | |
145 | if (!TEST_int_ne(sig_nid = OBJ_obj2nid(sig_oid), NID_undef) | |
146 | || !TEST_true(OBJ_find_sigid_algs(sig_nid, &dig_nid, &pkey_nid)) | |
147 | || !TEST_ptr(pkey = X509_get0_pubkey(cacert))) | |
148 | goto end; | |
149 | ||
150 | if (!TEST_true(EVP_PKEY_is_a(pkey, OBJ_nid2sn(pkey_nid)))) { | |
151 | TEST_info("The '%s' pubkey can't be used to verify the '%s' signature", | |
152 | ca_filename, ee_filename); | |
153 | TEST_info("Signature algorithm is %s (pkey type %s, hash type %s)", | |
154 | OBJ_nid2sn(sig_nid), OBJ_nid2sn(pkey_nid), OBJ_nid2sn(dig_nid)); | |
ddf0d149 | 155 | TEST_info("Pkey key type is %s", EVP_PKEY_get0_type_name(pkey)); |
388eb0d9 RL |
156 | goto end; |
157 | } | |
158 | ||
159 | if (!TEST_int_ge(algid_legacy_len = i2d_X509_ALGOR(alg, &algid_legacy), 0)) | |
160 | goto end; | |
161 | ||
162 | if (!TEST_ptr(mdctx = EVP_MD_CTX_new()) | |
163 | || !TEST_true(EVP_DigestVerifyInit_ex(mdctx, &pctx, | |
164 | OBJ_nid2sn(dig_nid), | |
af6171b3 | 165 | NULL, NULL, pkey, NULL))) { |
388eb0d9 RL |
166 | TEST_info("Couldn't initialize a DigestVerify operation with " |
167 | "pkey type %s and hash type %s", | |
168 | OBJ_nid2sn(pkey_nid), OBJ_nid2sn(dig_nid)); | |
169 | goto end; | |
170 | } | |
171 | ||
172 | if (!TEST_ptr(gettable_params = EVP_PKEY_CTX_gettable_params(pctx)) | |
173 | || !TEST_ptr(OSSL_PARAM_locate_const(gettable_params, ALGORITHMID_NAME))) { | |
174 | TEST_info("The %s provider keymgmt appears to lack support for algorithm-id" | |
175 | " Skipping...", | |
176 | OBJ_nid2sn(pkey_nid)); | |
177 | ret = 1; | |
178 | goto end; | |
179 | } | |
180 | ||
181 | algid_prov[0] = '\0'; | |
182 | if (!TEST_true(EVP_PKEY_CTX_get_params(pctx, params))) | |
183 | goto end; | |
184 | algid_prov_len = params[0].return_size; | |
185 | ||
186 | /* We now have all the algorithm IDs we need, let's compare them */ | |
187 | if (TEST_mem_eq(algid_legacy, algid_legacy_len, | |
188 | algid_prov, algid_prov_len)) | |
189 | ret = 1; | |
190 | ||
191 | end: | |
192 | EVP_MD_CTX_free(mdctx); | |
193 | /* pctx is free by EVP_MD_CTX_free() */ | |
194 | OPENSSL_free(algid_legacy); | |
195 | return ret; | |
196 | } | |
197 | ||
198 | static int test_spki_file(void) | |
199 | { | |
200 | X509_PUBKEY *pubkey = NULL; | |
201 | BIO *b = BIO_new_file(pubkey_filename, "r"); | |
202 | int ret = 0; | |
203 | ||
204 | if (b == NULL) { | |
205 | TEST_error("Couldn't open '%s' for reading\n", pubkey_filename); | |
206 | TEST_openssl_errors(); | |
207 | goto end; | |
208 | } | |
209 | ||
210 | if ((pubkey = PEM_read_bio_X509_PUBKEY(b, NULL, NULL, NULL)) == NULL) { | |
211 | TEST_error("'%s' doesn't appear to be a SubjectPublicKeyInfo in PEM format\n", | |
212 | pubkey_filename); | |
213 | TEST_openssl_errors(); | |
214 | goto end; | |
215 | } | |
216 | ||
217 | ret = test_spki_aid(pubkey, pubkey_filename); | |
218 | end: | |
219 | BIO_free(b); | |
220 | X509_PUBKEY_free(pubkey); | |
221 | return ret; | |
222 | } | |
223 | ||
224 | static int test_x509_files(void) | |
225 | { | |
226 | X509 *eecert = NULL, *cacert = NULL; | |
227 | BIO *bee = NULL, *bca = NULL; | |
228 | int ret = 0; | |
229 | ||
230 | if ((bee = BIO_new_file(eecert_filename, "r")) == NULL) { | |
231 | TEST_error("Couldn't open '%s' for reading\n", eecert_filename); | |
232 | TEST_openssl_errors(); | |
233 | goto end; | |
234 | } | |
235 | if ((bca = BIO_new_file(cacert_filename, "r")) == NULL) { | |
236 | TEST_error("Couldn't open '%s' for reading\n", cacert_filename); | |
237 | TEST_openssl_errors(); | |
238 | goto end; | |
239 | } | |
240 | ||
241 | if ((eecert = PEM_read_bio_X509(bee, NULL, NULL, NULL)) == NULL) { | |
242 | TEST_error("'%s' doesn't appear to be a X.509 certificate in PEM format\n", | |
243 | eecert_filename); | |
244 | TEST_openssl_errors(); | |
245 | goto end; | |
246 | } | |
247 | if ((cacert = PEM_read_bio_X509(bca, NULL, NULL, NULL)) == NULL) { | |
248 | TEST_error("'%s' doesn't appear to be a X.509 certificate in PEM format\n", | |
249 | cacert_filename); | |
250 | TEST_openssl_errors(); | |
251 | goto end; | |
252 | } | |
253 | ||
254 | ret = test_x509_sig_aid(eecert, eecert_filename, cacert, cacert_filename) | |
255 | & test_x509_spki_aid(eecert, eecert_filename) | |
256 | & test_x509_spki_aid(cacert, cacert_filename); | |
257 | end: | |
258 | BIO_free(bee); | |
259 | BIO_free(bca); | |
260 | X509_free(eecert); | |
261 | X509_free(cacert); | |
262 | return ret; | |
263 | } | |
264 | ||
265 | typedef enum OPTION_choice { | |
266 | OPT_ERR = -1, | |
267 | OPT_EOF = 0, | |
268 | OPT_X509, | |
269 | OPT_SPKI, | |
270 | OPT_TEST_ENUM | |
271 | } OPTION_CHOICE; | |
272 | ||
273 | const OPTIONS *test_get_options(void) | |
274 | { | |
275 | static const OPTIONS test_options[] = { | |
276 | OPT_TEST_OPTIONS_WITH_EXTRA_USAGE("file...\n"), | |
277 | { "x509", OPT_X509, '-', "Test X.509 certificates. Requires two files" }, | |
278 | { "spki", OPT_SPKI, '-', "Test public keys in SubjectPublicKeyInfo form. Requires one file" }, | |
279 | { OPT_HELP_STR, 1, '-', | |
280 | "file...\tFile(s) to run tests on. All files must be PEM encoded.\n" }, | |
281 | { NULL } | |
282 | }; | |
283 | return test_options; | |
284 | } | |
285 | ||
286 | int setup_tests(void) | |
287 | { | |
288 | OPTION_CHOICE o; | |
289 | int n, x509 = 0, spki = 0, testcount = 0; | |
290 | ||
291 | while ((o = opt_next()) != OPT_EOF) { | |
292 | switch (o) { | |
293 | case OPT_X509: | |
294 | x509 = 1; | |
295 | break; | |
296 | case OPT_SPKI: | |
297 | spki = 1; | |
298 | break; | |
299 | case OPT_TEST_CASES: | |
300 | break; | |
301 | default: | |
302 | case OPT_ERR: | |
303 | return 0; | |
304 | } | |
305 | } | |
306 | ||
307 | /* |testcount| adds all the given test types together */ | |
308 | testcount = x509 + spki; | |
309 | ||
310 | if (testcount < 1) | |
311 | BIO_printf(bio_err, "No test type given\n"); | |
312 | else if (testcount > 1) | |
313 | BIO_printf(bio_err, "Only one test type may be given\n"); | |
314 | if (testcount != 1) | |
315 | return 0; | |
316 | ||
317 | n = test_get_argument_count(); | |
318 | if (spki && n == 1) { | |
319 | pubkey_filename = test_get_argument(0); | |
320 | } else if (x509 && n == 2) { | |
321 | eecert_filename = test_get_argument(0); | |
322 | cacert_filename = test_get_argument(1); | |
323 | } | |
324 | ||
325 | if (spki && pubkey_filename == NULL) { | |
326 | BIO_printf(bio_err, "Missing -spki argument\n"); | |
327 | return 0; | |
328 | } else if (x509 && (eecert_filename == NULL || cacert_filename == NULL)) { | |
329 | BIO_printf(bio_err, "Missing -x509 argument(s)\n"); | |
330 | return 0; | |
331 | } | |
332 | ||
333 | if (x509) | |
334 | ADD_TEST(test_x509_files); | |
335 | if (spki) | |
336 | ADD_TEST(test_spki_file); | |
337 | return 1; | |
338 | } |