From: Nicola Tuveri <nic.tuv@gmail.com>
Date: Mon, 9 Nov 2020 21:34:00 +0000 (+0200)
Subject: [test][pkey_check] Add invalid SM2 key test
X-Git-Tag: openssl-3.0.0-alpha11~155
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4554988e582e676a51c451de031939b45e60d00c;p=thirdparty%2Fopenssl.git

[test][pkey_check] Add invalid SM2 key test

SM2 private keys have different validation requirements than EC keys:
this test checks one corner case highlighted in
https://github.com/openssl/openssl/issues/8435

As @bbbrumley mentioned in
https://github.com/openssl/openssl/issues/8435#issuecomment-720504282
this only fixes the absence of a regression test for validation of this
kind of boundary issues for decoded SM2 keys.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13359)
---

diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t
index f06f3bd22a1..c85ab5c3773 100644
--- a/test/recipes/91-test_pkey_check.t
+++ b/test/recipes/91-test_pkey_check.t
@@ -44,6 +44,11 @@ push(@tests, (
     "ec_p256_bad_1.pem", # `k` set to `n+1` (equivalent to `1 mod n`, invalid)
     )) unless disabled("ec");
 
+push(@tests, (
+    # For SM2 keys the range for the secret scalar `k` is `1 <= k < n-1`
+    "sm2_bad_max.pem", # `k` set to `n-1` (invalid, because SM2 range)
+    )) unless disabled("sm2");
+
 plan skip_all => "No tests within the current enabled feature set"
     unless @tests;
 
diff --git a/test/recipes/91-test_pkey_check_data/sm2_bad_max.pem b/test/recipes/91-test_pkey_check_data/sm2_bad_max.pem
new file mode 100644
index 00000000000..36adb93fb9e
--- /dev/null
+++ b/test/recipes/91-test_pkey_check_data/sm2_bad_max.pem
@@ -0,0 +1,4 @@
+-----BEGIN PRIVATE KEY-----
+MEECAQAwEwYHKoZIzj0CAQYIKoEcz1UBgi0EJzAlAgEBBCD////+////////////////cgPfayHG
+BStTu/QJOdVBIg==
+-----END PRIVATE KEY-----