test: Add test cases for req -cipher option
authorAditya <adimail2404@gmail.com>
Mon, 28 Oct 2024 09:13:40 +0000 (14:43 +0530)
committerMatt Caswell <matt@openssl.org>
Wed, 30 Oct 2024 11:55:23 +0000 (11:55 +0000)
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25796)

test/recipes/25-test_req.t
test/test.cnf

index a0f1efdab1e0d59af9c86e6eb81462ffcbe1d94e..72234feb2c22f9bf792c3c9d3051da4f10f9ddea 100644 (file)
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
 
 setup("test_req");
 
-plan tests => 110;
+plan tests => 111;
 
 require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
 
@@ -355,6 +355,56 @@ subtest "generating SM2 certificate requests" => sub {
     }
 };
 
+subtest "generating certificate requests with -cipher flag" => sub {
+    plan tests => 6;
+
+    diag("Testing -cipher flag with aes-256-cbc...");
+    ok(run(app(["openssl", "req",
+                "-config", srctop_file("test", "test.cnf"),
+                "-newkey", "rsa:2048",
+                "-keyout", "privatekey-aes256.pem",
+                "-out", "testreq-rsa-cipher.pem",
+                "-utf8",
+                "-cipher", "aes-256-cbc",
+                "-passout", "pass:password"])),
+       "Generating request with -cipher flag (AES-256-CBC)");
+
+    diag("Verifying signature for aes-256-cbc...");
+    ok(run(app(["openssl", "req",
+                "-config", srctop_file("test", "test.cnf"),
+                "-verify", "-in", "testreq-rsa-cipher.pem", "-noout"])),
+       "Verifying signature on request with -cipher (AES-256-CBC)");
+
+    open my $fh, '<', "privatekey-aes256.pem" or BAIL_OUT("Could not open key file: $!");
+    my $first_line = <$fh>;
+    close $fh;
+    ok($first_line =~ /^-----BEGIN ENCRYPTED PRIVATE KEY-----/,
+       "Check that the key file is encrypted (AES-256-CBC)");
+
+    diag("Testing -cipher flag with aes-128-cbc...");
+    ok(run(app(["openssl", "req",
+                "-config", srctop_file("test", "test.cnf"),
+                "-newkey", "rsa:2048",
+                "-keyout", "privatekey-aes128.pem",
+                "-out", "testreq-rsa-cipher-aes128.pem",
+                "-utf8",
+                "-cipher", "aes-128-cbc",
+                "-passout", "pass:password"])),
+       "Generating request with -cipher flag (AES-128-CBC)");
+
+    diag("Verifying signature for aes-128-cbc...");
+    ok(run(app(["openssl", "req",
+                "-config", srctop_file("test", "test.cnf"),
+                "-verify", "-in", "testreq-rsa-cipher-aes128.pem", "-noout"])),
+       "Verifying signature on request with -cipher (AES-128-CBC)");
+
+    open my $fh_aes128, '<', "privatekey-aes128.pem" or BAIL_OUT("Could not open key file: $!");
+    my $first_line_aes128 = <$fh_aes128>;
+    close $fh_aes128;
+    ok($first_line_aes128 =~ /^-----BEGIN ENCRYPTED PRIVATE KEY-----/,
+       "Check that the key file is encrypted (AES-128-CBC)");
+};
+
 my @openssl_args = ("req", "-config", srctop_file("apps", "openssl.cnf"));
 
 run_conversion('req conversions',
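Review bot: The two `ok($first_line... =~ /^-----BEGIN ENCRYPTED PRIVATE KEY-----/, ...)` checks only show that the key was encrypted with some cipher, so both cases would still pass if `-cipher` were silently ignored and the default cipher applied. A test for a cipher-selection option should assert the algorithm actually recorded in the PKCS#8 header. For example, after each key is written, add `my @asn1 = run(app(["openssl", "asn1parse", "-in", "privatekey-aes128.pem"]), capture => 1);` followed by `ok(scalar(grep { /aes-128-cbc/i } @asn1), "Key file is encrypted with AES-128-CBC");`, with the same pair for the aes-256-cbc key. The subtest's `plan tests => 6` would then need to become 8. Separately, `$first_line` is undef if the key file is empty, so the match would warn rather than fail cleanly; `ok(defined $first_line && $first_line =~ ...)` avoids that.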
index e0135ca206594ad5cb60dc1bfa216cf849d89a89..3d1a823a7a4f1a8d2c9f0ff54ac54cc646320549 100644 (file)
@@ -50,7 +50,6 @@ emailAddress          = optional
 ####################################################################
 [ req ]
 distinguished_name     = req_distinguished_name
-encrypt_rsa_key                = no
 
 # Make altreq be identical to req
 [ altreq ]