]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/recipes/90-test_store.t
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix 90-test_store.t for latest config, limits, providers, and disabled algos
[thirdparty/openssl.git] / test / recipes / 90-test_store.t
1 #! /usr/bin/env perl
2 # Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
3 #
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
8
9 use File::Spec::Functions;
10 use File::Copy;
11 use MIME::Base64;
12 use OpenSSL::Test qw(:DEFAULT srctop_file srctop_dir bldtop_file data_file);
13 use OpenSSL::Test::Utils;
14
15 my $test_name = "test_store";
16 setup($test_name);
17
18 my $mingw = config('target') =~ m|^mingw|;
19
20 my $use_md5 = !disabled("md5");
21 my $use_des = !disabled("des"); # also affects 3des and pkcs12 app
22 my $use_dsa = !disabled("dsa");
23 my $use_ecc = !disabled("ec");
24
25 my @noexist_files =
26 ( "test/blahdiblah.pem",
27 "test/blahdibleh.der" );
28 my @src_files =
29 ( "test/testx509.pem",
30 "test/testrsa.pem",
31 "test/testrsapub.pem",
32 "test/testcrl.pem",
33 "apps/server.pem" );
34 my @generated_files =
35 (
36 ### generated from the source files
37
38 "testx509.der",
39 "testrsa.der",
40 "testrsapub.der",
41 "testcrl.der",
42
43 ### generated locally
44
45 "rsa-key-pkcs1.pem", "rsa-key-pkcs1.der",
46 "rsa-key-pkcs1-aes128.pem",
47 "rsa-key-pkcs8.pem", "rsa-key-pkcs8.der",
48 "rsa-key-pkcs8-pbes2-sha1.pem", "rsa-key-pkcs8-pbes2-sha1.der",
49 "rsa-key-pkcs8-pbes2-sha256.pem", "rsa-key-pkcs8-pbes2-sha256.der",
50 );
51 push(@generated_files, (
52 "rsa-key-pkcs8-pbes1-sha1-3des.pem", "rsa-key-pkcs8-pbes1-sha1-3des.der",
53 )) if $use_des;
54 push(@generated_files, (
55 "rsa-key-sha1-3des-sha1.p12", "rsa-key-sha1-3des-sha256.p12",
56 "rsa-key-aes256-cbc-sha256.p12",
57 "rsa-key-md5-des-sha1.p12",
58 "rsa-key-aes256-cbc-md5-des-sha256.p12"
59 )) if $use_des;
60 push(@generated_files, (
61 "rsa-key-pkcs8-pbes1-md5-des.pem", "rsa-key-pkcs8-pbes1-md5-des.der"
62 )) if $use_md5 && $use_des;
63 push(@generated_files, (
64 "dsa-key-pkcs1.pem", "dsa-key-pkcs1.der",
65 "dsa-key-pkcs1-aes128.pem",
66 "dsa-key-pkcs8.pem", "dsa-key-pkcs8.der",
67 "dsa-key-pkcs8-pbes2-sha1.pem", "dsa-key-pkcs8-pbes2-sha1.der",
68 )) if $use_dsa;
69 push(@generated_files, "dsa-key-aes256-cbc-sha256.p12") if $use_dsa && $use_des;
70 push(@generated_files, (
71 "ec-key-pkcs1.pem", "ec-key-pkcs1.der",
72 "ec-key-pkcs1-aes128.pem",
73 "ec-key-pkcs8.pem", "ec-key-pkcs8.der",
74 "ec-key-pkcs8-pbes2-sha1.pem", "ec-key-pkcs8-pbes2-sha1.der",
75 )) if $use_ecc;
76 push(@generated_files, "ec-key-aes256-cbc-sha256.p12") if $use_ecc && $use_des;
77 my %generated_file_files =
78 $^O eq 'linux'
79 ? ( "test/testx509.pem" => "file:testx509.pem",
80 "test/testrsa.pem" => "file:testrsa.pem",
81 "test/testrsapub.pem" => "file:testrsapub.pem",
82 "test/testcrl.pem" => "file:testcrl.pem",
83 "apps/server.pem" => "file:server.pem" )
84 : ();
85 my @noexist_file_files =
86 ( "file:blahdiblah.pem",
87 "file:test/blahdibleh.der" );
88
89 my $n = (3 * scalar @noexist_files)
90 + (6 * scalar @src_files)
91 + (4 * scalar @generated_files)
92 + (scalar keys %generated_file_files)
93 + (scalar @noexist_file_files)
94 + 3
95 + 11;
96
97 plan tests => $n;
98
99 indir "store_$$" => sub {
100 SKIP:
101 {
102 init() or die "init failed";
103
104 my $rehash = init_rehash();
105
106 foreach (@noexist_files) {
107 my $file = srctop_file($_);
108
109 ok(!run(app(["openssl", "storeutl", "-noout", $file])));
110 ok(!run(app(["openssl", "storeutl", "-noout",
111 to_abs_file($file)])));
112 {
113 local $ENV{MSYS2_ARG_CONV_EXCL} = "file:";
114
115 ok(!run(app(["openssl", "storeutl", "-noout",
116 to_abs_file_uri($file)])));
117 }
118 }
119 foreach (@src_files) {
120 my $file = srctop_file($_);
121
122 ok(run(app(["openssl", "storeutl", "-noout", $file])));
123 ok(run(app(["openssl", "storeutl", "-noout", to_abs_file($file)])));
124 SKIP:
125 {
126 skip "file: tests disabled on MingW", 4 if $mingw;
127
128 ok(run(app(["openssl", "storeutl", "-noout",
129 to_abs_file_uri($file)])));
130 ok(run(app(["openssl", "storeutl", "-noout",
131 to_abs_file_uri($file, 0, "")])));
132 ok(run(app(["openssl", "storeutl", "-noout",
133 to_abs_file_uri($file, 0, "localhost")])));
134 ok(!run(app(["openssl", "storeutl", "-noout",
135 to_abs_file_uri($file, 0, "dummy")])));
136 }
137 }
138 foreach (@generated_files) {
139 ok(run(app(["openssl", "storeutl", "-noout", "-passin",
140 "pass:password", $_])));
141 ok(run(app(["openssl", "storeutl", "-noout", "-passin",
142 "pass:password", to_abs_file($_)])));
143
144 SKIP:
145 {
146 skip "file: tests disabled on MingW", 2 if $mingw;
147
148 ok(run(app(["openssl", "storeutl", "-noout", "-passin",
149 "pass:password", to_abs_file_uri($_)])));
150 ok(!run(app(["openssl", "storeutl", "-noout", "-passin",
151 "pass:password", to_file_uri($_)])));
152 }
153 }
154 foreach (values %generated_file_files) {
155 SKIP:
156 {
157 skip "file: tests disabled on MingW", 1 if $mingw;
158
159 ok(run(app(["openssl", "storeutl", "-noout", $_])));
160 }
161 }
162 foreach (@noexist_file_files) {
163 SKIP:
164 {
165 skip "file: tests disabled on MingW", 1 if $mingw;
166
167 ok(!run(app(["openssl", "storeutl", "-noout", $_])));
168 }
169 }
170 {
171 my $dir = srctop_dir("test", "certs");
172
173 ok(run(app(["openssl", "storeutl", "-noout", $dir])));
174 ok(run(app(["openssl", "storeutl", "-noout",
175 to_abs_file($dir, 1)])));
176 SKIP:
177 {
178 skip "file: tests disabled on MingW", 1 if $mingw;
179
180 ok(run(app(["openssl", "storeutl", "-noout",
181 to_abs_file_uri($dir, 1)])));
182 }
183 }
184
185 ok(!run(app(['openssl', 'storeutl', '-noout',
186 '-subject', '/C=AU/ST=QLD/CN=SSLeay\/rsa test cert',
187 srctop_file('test', 'testx509.pem')])),
188 "Checking that -subject can't be used with a single file");
189
190 ok(run(app(['openssl', 'storeutl', '-certs', '-noout',
191 srctop_file('test', 'testx509.pem')])),
192 "Checking that -certs returns 1 object on a certificate file");
193 ok(run(app(['openssl', 'storeutl', '-certs', '-noout',
194 srctop_file('test', 'testcrl.pem')])),
195 "Checking that -certs returns 0 objects on a CRL file");
196
197 ok(run(app(['openssl', 'storeutl', '-crls', '-noout',
198 srctop_file('test', 'testx509.pem')])),
199 "Checking that -crls returns 0 objects on a certificate file");
200 ok(run(app(['openssl', 'storeutl', '-crls', '-noout',
201 srctop_file('test', 'testcrl.pem')])),
202 "Checking that -crls returns 1 object on a CRL file");
203
204 SKIP: {
205 skip "failed rehash initialisation", 6 unless $rehash;
206
207 # subject from testx509.pem:
208 # '/C=AU/ST=QLD/CN=SSLeay\/rsa test cert'
209 # issuer from testcrl.pem:
210 # '/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority'
211 ok(run(app(['openssl', 'storeutl', '-noout',
212 '-subject', '/C=AU/ST=QLD/CN=SSLeay\/rsa test cert',
213 catdir(curdir(), 'rehash')])));
214 ok(run(app(['openssl', 'storeutl', '-noout',
215 '-subject',
216 '/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority',
217 catdir(curdir(), 'rehash')])));
218 ok(run(app(['openssl', 'storeutl', '-noout', '-certs',
219 '-subject', '/C=AU/ST=QLD/CN=SSLeay\/rsa test cert',
220 catdir(curdir(), 'rehash')])));
221 ok(run(app(['openssl', 'storeutl', '-noout', '-crls',
222 '-subject', '/C=AU/ST=QLD/CN=SSLeay\/rsa test cert',
223 catdir(curdir(), 'rehash')])));
224 ok(run(app(['openssl', 'storeutl', '-noout', '-certs',
225 '-subject',
226 '/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority',
227 catdir(curdir(), 'rehash')])));
228 ok(run(app(['openssl', 'storeutl', '-noout', '-crls',
229 '-subject',
230 '/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority',
231 catdir(curdir(), 'rehash')])));
232 }
233 }
234 }, create => 1, cleanup => 1;
235
236 sub init {
237 my $cnf = srctop_file('test', 'ca-and-certs.cnf');
238 my $cakey = srctop_file('test', 'certs', 'ca-key.pem');
239 return (
240 # rsa-key-pkcs1.pem
241 run(app(["openssl", "pkey",
242 "-in", data_file("rsa-key-2432.pem"),
243 "-out", "rsa-key-pkcs1.pem"]))
244 # rsa-key-pkcs1-aes128.pem
245 && run(app(["openssl", "rsa", "-passout", "pass:password", "-aes128",
246 "-in", "rsa-key-pkcs1.pem",
247 "-out", "rsa-key-pkcs1-aes128.pem"]))
248 # dsa-key-pkcs1.pem
249 && (!$use_dsa || run(app(["openssl", "gendsa",
250 "-out", "dsa-key-pkcs1.pem",
251 data_file("dsaparam.pem")])))
252 # dsa-key-pkcs1-aes128.pem
253 && (!$use_dsa || run(app(["openssl", "dsa",
254 "-passout", "pass:password", "-aes128",
255 "-in", "dsa-key-pkcs1.pem",
256 "-out", "dsa-key-pkcs1-aes128.pem"])))
257 # ec-key-pkcs1.pem (one might think that 'genec' would be practical)
258 && (!$use_ecc || run(app(["openssl", "ecparam", "-genkey",
259 "-name", "prime256v1",
260 "-out", "ec-key-pkcs1.pem"])))
261 # ec-key-pkcs1-aes128.pem
262 && (!$use_ecc || run(app(["openssl", "ec",
263 "-passout", "pass:password", "-aes128",
264 "-in", "ec-key-pkcs1.pem",
265 "-out", "ec-key-pkcs1-aes128.pem"])))
266 # *-key-pkcs8.pem
267 && runall(sub {
268 my $dstfile = shift;
269 (my $srcfile = $dstfile)
270 =~ s/-key-pkcs8\.pem$/-key-pkcs1.pem/i;
271 run(app(["openssl", "pkcs8", "-topk8", "-nocrypt",
272 "-in", $srcfile, "-out", $dstfile]));
273 }, grep(/-key-pkcs8\.pem$/, @generated_files))
274 # *-key-pkcs8-pbes1-sha1-3des.pem
275 && runall(sub {
276 my $dstfile = shift;
277 (my $srcfile = $dstfile)
278 =~ s/-key-pkcs8-pbes1-sha1-3des\.pem$
279 /-key-pkcs8.pem/ix;
280 run(app(["openssl", "pkcs8", "-topk8",
281 "-passout", "pass:password",
282 "-v1", "pbeWithSHA1And3-KeyTripleDES-CBC",
283 "-in", $srcfile, "-out", $dstfile]));
284 }, grep(/-key-pkcs8-pbes1-sha1-3des\.pem$/, @generated_files))
285 # *-key-pkcs8-pbes1-md5-des.pem
286 && runall(sub {
287 my $dstfile = shift;
288 (my $srcfile = $dstfile)
289 =~ s/-key-pkcs8-pbes1-md5-des\.pem$
290 /-key-pkcs8.pem/ix;
291 run(app(["openssl", "pkcs8", "-topk8",
292 "-passout", "pass:password",
293 "-v1", "pbeWithSHA1And3-KeyTripleDES-CBC",
294 "-in", $srcfile, "-out", $dstfile]));
295 }, grep(/-key-pkcs8-pbes1-md5-des\.pem$/, @generated_files))
296 # *-key-pkcs8-pbes2-sha1.pem
297 && runall(sub {
298 my $dstfile = shift;
299 (my $srcfile = $dstfile)
300 =~ s/-key-pkcs8-pbes2-sha1\.pem$
301 /-key-pkcs8.pem/ix;
302 run(app(["openssl", "pkcs8", "-topk8",
303 "-passout", "pass:password",
304 "-v2", "aes256", "-v2prf", "hmacWithSHA1",
305 "-in", $srcfile, "-out", $dstfile]));
306 }, grep(/-key-pkcs8-pbes2-sha1\.pem$/, @generated_files))
307 # *-key-pkcs8-pbes2-sha1.pem
308 && runall(sub {
309 my $dstfile = shift;
310 (my $srcfile = $dstfile)
311 =~ s/-key-pkcs8-pbes2-sha256\.pem$
312 /-key-pkcs8.pem/ix;
313 run(app(["openssl", "pkcs8", "-topk8",
314 "-passout", "pass:password",
315 "-v2", "aes256", "-v2prf", "hmacWithSHA256",
316 "-in", $srcfile, "-out", $dstfile]));
317 }, grep(/-key-pkcs8-pbes2-sha256\.pem$/, @generated_files))
318 # *-cert.pem (intermediary for the .p12 inits)
319 && run(app(["openssl", "req", "-x509",
320 "-config", $cnf, "-nodes",
321 "-key", $cakey, "-out", "cacert.pem"]))
322 && runall(sub {
323 my $srckey = shift;
324 (my $dstfile = $srckey) =~ s|-key-pkcs8\.|-cert.|;
325 (my $csr = $dstfile) =~ s|\.pem|.csr|;
326
327 (run(app(["openssl", "req", "-new",
328 "-config", $cnf, "-section", "userreq",
329 "-key", $srckey, "-out", $csr]))
330 &&
331 run(app(["openssl", "x509", "-days", "3650",
332 "-CA", "cacert.pem",
333 "-CAkey", $cakey,
334 "-set_serial", time(), "-req",
335 "-in", $csr, "-out", $dstfile])));
336 }, grep(/-key-pkcs8\.pem$/, @generated_files))
337 # *.p12
338 && runall(sub {
339 my $dstfile = shift;
340 my ($type, $certpbe_index, $keypbe_index,
341 $macalg_index) =
342 $dstfile =~ m{^(.*)-key-(?|
343 # cert and key PBE are same
344 () #
345 ([^-]*-[^-]*)- # key & cert PBE
346 ([^-]*) # MACalg
347 |
348 # cert and key PBE are not same
349 ([^-]*-[^-]*)- # cert PBE
350 ([^-]*-[^-]*)- # key PBE
351 ([^-]*) # MACalg
352 )\.}x;
353 if (!$certpbe_index) {
354 $certpbe_index = $keypbe_index;
355 }
356 my $srckey = "$type-key-pkcs8.pem";
357 my $srccert = "$type-cert.pem";
358 my %pbes =
359 (
360 "sha1-3des" => "pbeWithSHA1And3-KeyTripleDES-CBC",
361 "md5-des" => "pbeWithMD5AndDES-CBC",
362 "aes256-cbc" => "AES-256-CBC",
363 );
364 my %macalgs =
365 (
366 "sha1" => "SHA1",
367 "sha256" => "SHA256",
368 );
369 my $certpbe = $pbes{$certpbe_index};
370 my $keypbe = $pbes{$keypbe_index};
371 my $macalg = $macalgs{$macalg_index};
372 if (!defined($certpbe) || !defined($keypbe)
373 || !defined($macalg)) {
374 print STDERR "Cert PBE for $certpbe_index not defined\n"
375 unless defined $certpbe;
376 print STDERR "Key PBE for $keypbe_index not defined\n"
377 unless defined $keypbe;
378 print STDERR "MACALG for $macalg_index not defined\n"
379 unless defined $macalg;
380 print STDERR "(destination file was $dstfile)\n";
381 return 0;
382 }
383 run(app(["openssl", "pkcs12",
384 "-provider", "default",
385 "-provider", "legacy",
386 "-inkey", $srckey,
387 "-in", $srccert, "-passout", "pass:password",
388 "-chain", "-CAfile", "cacert.pem",
389 "-export", "-macalg", $macalg,
390 "-certpbe", $certpbe, "-keypbe", $keypbe,
391 "-out", $dstfile]));
392 }, grep(/\.p12/, @generated_files))
393 # *.der (the end all init)
394 && runall(sub {
395 my $dstfile = shift;
396 (my $srcfile = $dstfile) =~ s/\.der$/.pem/i;
397 if (! -f $srcfile) {
398 $srcfile = srctop_file("test", $srcfile);
399 }
400 my $infh;
401 unless (open $infh, $srcfile) {
402 return 0;
403 }
404 my $l;
405 while (($l = <$infh>) !~ /^-----BEGIN\s/
406 || $l =~ /^-----BEGIN.*PARAMETERS-----/) {
407 }
408 my $b64 = "";
409 while (($l = <$infh>) !~ /^-----END\s/) {
410 $l =~ s|\R$||;
411 $b64 .= $l unless $l =~ /:/;
412 }
413 close $infh;
414 my $der = decode_base64($b64);
415 unless (length($b64) / 4 * 3 - length($der) < 3) {
416 print STDERR "Length error, ",length($b64),
417 " bytes of base64 became ",length($der),
418 " bytes of der? ($srcfile => $dstfile)\n";
419 return 0;
420 }
421 my $outfh;
422 unless (open $outfh, ">:raw", $dstfile) {
423 return 0;
424 }
425 print $outfh $der;
426 close $outfh;
427 return 1;
428 }, grep(/\.der$/, @generated_files))
429 && runall(sub {
430 my $srcfile = shift;
431 my $dstfile = $generated_file_files{$srcfile};
432
433 unless (copy srctop_file($srcfile), $dstfile) {
434 warn "$!\n";
435 return 0;
436 }
437 return 1;
438 }, keys %generated_file_files)
439 );
440 }
441
442 sub init_rehash {
443 return (
444 mkdir(catdir(curdir(), 'rehash'))
445 && copy(srctop_file('test', 'testx509.pem'),
446 catdir(curdir(), 'rehash'))
447 && copy(srctop_file('test', 'testcrl.pem'),
448 catdir(curdir(), 'rehash'))
449 && run(app(['openssl', 'rehash', catdir(curdir(), 'rehash')]))
450 );
451 }
452
453 sub runall {
454 my ($function, @items) = @_;
455
456 foreach (@items) {
457 return 0 unless $function->($_);
458 }
459 return 1;
460 }
461
462 # According to RFC8089, a relative file: path is invalid. We still produce
463 # them for testing purposes.
464 sub to_file_uri {
465 my ($file, $isdir, $authority) = @_;
466 my $vol;
467 my $dir;
468
469 die "to_file_uri: No file given\n" if !defined($file) || $file eq '';
470
471 ($vol, $dir, $file) = File::Spec->splitpath($file, $isdir // 0);
472
473 # Make sure we have a Unix style directory.
474 $dir = join('/', File::Spec->splitdir($dir));
475 # Canonicalise it (note: it seems to be only needed on Unix)
476 while (1) {
477 my $newdir = $dir;
478 $newdir =~ s|/[^/]*[^/\.]+[^/]*/\.\./|/|g;
479 last if $newdir eq $dir;
480 $dir = $newdir;
481 }
482 # Take care of the corner cases the loop can't handle, and that $dir
483 # ends with a / unless it's empty
484 $dir =~ s|/[^/]*[^/\.]+[^/]*/\.\.$|/|;
485 $dir =~ s|^[^/]*[^/\.]+[^/]*/\.\./|/|;
486 $dir =~ s|^[^/]*[^/\.]+[^/]*/\.\.$||;
487 if ($isdir // 0) {
488 $dir =~ s|/$|| if $dir ne '/';
489 } else {
490 $dir .= '/' if $dir ne '' && $dir !~ m|/$|;
491 }
492
493 # If the file system has separate volumes (at present, Windows and VMS)
494 # we need to handle them. In URIs, they are invariably the first
495 # component of the path, which is always absolute.
496 # On VMS, user:[foo.bar] translates to /user/foo/bar
497 # On Windows, c:\Users\Foo translates to /c:/Users/Foo
498 if ($vol ne '') {
499 $vol =~ s|:||g if ($^O eq "VMS");
500 $dir = '/' . $dir if $dir ne '' && $dir !~ m|^/|;
501 $dir = '/' . $vol . $dir;
502 }
503 $file = $dir . $file;
504
505 return "file://$authority$file" if defined $authority;
506 return "file:$file";
507 }
508
509 sub to_abs_file {
510 my ($file) = @_;
511
512 return File::Spec->rel2abs($file);
513 }
514
515 sub to_abs_file_uri {
516 my ($file, $isdir, $authority) = @_;
517
518 die "to_abs_file_uri: No file given\n" if !defined($file) || $file eq '';
519 return to_file_uri(to_abs_file($file), $isdir, $authority);
520 }
A mirror of the official openssl repository