Test vectors from rfc9579 and creation tests

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24577)

diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t
index 999129a03074d9a944204196102a8b33446fea91..c14ef94998cded9f31ccd716e8747d49da3718b5 100644 (file)
--- a/test/recipes/80-test_pkcs12.t
+++ b/test/recipes/80-test_pkcs12.t
@@ -54,7 +54,7 @@ if (eval { require Win32::API; 1; }) {
 }
 $ENV{OPENSSL_WIN32_UTF8}=1;
 
-plan tests => 31;
+plan tests => 45;
 
 # Test different PKCS#12 formats
 ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
@@ -170,6 +170,59 @@ ok(grep(/Trusted key usage (Oracle)/, @pkcs12info) == 0,
     ok(scalar @match > 0 ? 0 : 1, "test_export_pkcs12_outerr6_empty");
 }
 
+my %pbmac1_tests = (
+    pbmac1_defaults => {args => [], lookup => "hmacWithSHA256"},
+    pbmac1_nondefaults => {args => ["-pbmac1_pbkdf2_md", "sha512", "-macalg", "sha384"], lookup => "hmacWithSHA512"},
+);
+
+for my $instance (sort keys %pbmac1_tests) {
+    my $extra_args = $pbmac1_tests{$instance}{args};
+    my $lookup     = $pbmac1_tests{$instance}{lookup};
+    # Test export of PEM file with both cert and key, with password.
+    {
+        my $pbmac1_id = $instance;
+        ok(run(app(["openssl", "pkcs12", "-export", "-pbmac1_pbkdf2",
+                "-inkey", srctop_file(@path, "cert-key-cert.pem"),
+                "-in", srctop_file(@path, "cert-key-cert.pem"),
+                "-passout", "pass:1234",
+               @$extra_args,
+                "-out", "$pbmac1_id.p12"], stderr => "${pbmac1_id}_err.txt")),
+        "test_export_pkcs12_${pbmac1_id}");
+        open DATA, "${pbmac1_id}_err.txt";
+        my @match = grep /:error:/, <DATA>;
+        close DATA;
+        ok(scalar @match > 0 ? 0 : 1, "test_export_pkcs12_${pbmac1_id}_err.empty");
+
+        ok(run(app(["openssl", "pkcs12", "-in", "$pbmac1_id.p12", "-info", "-noout",
+                "-passin", "pass:1234"], stderr => "${pbmac1_id}_info.txt")),
+        "test_export_pkcs12_${pbmac1_id}_info");
+        open DATA, "${pbmac1_id}_info.txt";
+        my @match = grep /$lookup/, <DATA>;
+        close DATA;
+        ok(scalar @match > 0 ? 1 : 0, "test_export_pkcs12_${pbmac1_id}_info");
+    }
+}
+
+# Test pbmac1 pkcs12 good files, RFC 9579
+for my $file ("pbmac1_256_256.good.p12", "pbmac1_512_256.good.p12", "pbmac1_512_512.good.p12")
+{
+    my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
+    ok(run(app(["openssl", "pkcs12", "-in", $path, "-password", "pass:1234", "-noenc"])),
+      "test pbmac1 pkcs12 file $file");
+}
+
+# Test pbmac1 pkcs12 bad files, RFC 9579
+for my $file ("pbmac1_256_256.bad-iter.p12", "pbmac1_256_256.bad-salt.p12", "pbmac1_256_256.no-len.p12")
+{
+    my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
+    with({ exit_checker => sub { return shift == 1; } },
+        sub {
+            ok(run(app(["openssl", "pkcs12", "-in", $path, "-password", "pass:1234", "-noenc"])),
+            "test pbmac1 pkcs12 bad file $file");
+            }
+        );
+}
+
 # Test some bad pkcs12 files
 my $bad1 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad1.p12");
 my $bad2 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad2.p12");

diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-iter.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-iter.p12
new file mode 100644 (file)
index 0000000..9957d47
Binary files /dev/null and b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-iter.p12 differ

diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-salt.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-salt.p12
new file mode 100644 (file)
index 0000000..fef1e51
Binary files /dev/null and b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-salt.p12 differ

diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.good.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.good.p12
new file mode 100644 (file)
index 0000000..b8c8c2d
Binary files /dev/null and b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.good.p12 differ

diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.no-len.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.no-len.p12
new file mode 100644 (file)
index 0000000..35ebe05
Binary files /dev/null and b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.no-len.p12 differ

diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_512_256.good.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_512_256.good.p12
new file mode 100644 (file)
index 0000000..e8d4899
Binary files /dev/null and b/test/recipes/80-test_pkcs12_data/pbmac1_512_256.good.p12 differ

diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_512_512.good.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_512_512.good.p12
new file mode 100644 (file)
index 0000000..64e1434
Binary files /dev/null and b/test/recipes/80-test_pkcs12_data/pbmac1_512_512.good.p12 differ