From: Jakub Zelenka Date: Mon, 15 Jun 2026 16:11:30 +0000 (+0200) Subject: apps: test pkeyutl -derive peer key setup X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bb3d8b9c52a40af636e88dcaa28fc4c428b4a8ec;p=thirdparty%2Fopenssl.git apps: test pkeyutl -derive peer key setup This tests currently uncovered setup_peer function and some failure scenarios in it. Assisted-by: Claude:claude-opus-4-8 Reviewed-by: Matt Caswell Reviewed-by: Nikola Pajkovsky Reviewed-by: Neil Horman MergeDate: Sun Jun 21 16:04:59 2026 (Merged from https://github.com/openssl/openssl/pull/31518)
---
diff --git a/test/recipes/20-test_pkeyutl.t b/test/recipes/20-test_pkeyutl.t
index 09797eb321e..4458887f5cf 100644
--- a/test/recipes/20-test_pkeyutl.t
+++ b/test/recipes/20-test_pkeyutl.t
@@ -17,7 +17,7 @@ use File::Compare qw/compare_text compare/;
 setup("test_pkeyutl");
-plan tests => 30;
+plan tests => 31;
 # For the tests below we use the cert itself as the TBS file
@@ -370,3 +370,52 @@ subtest "pkeyutl -pkeyopt_passin" => sub {
 "Fail on unknown pkey option via passin");
 });
 };
+
+SKIP: {
+ skip "EC is not supported by this OpenSSL build", 1
+ if disabled("ec");
+
+ subtest "pkeyutl -derive peer key setup" => sub {
+ my $eckey = srctop_file("test", "testec-p256.pem");
+ my $ecpub = srctop_file("test", "testecpub-p256.pem");
+ my $rsapub = srctop_file("test", "testrsapub.pem");
+
+ plan tests => 5;
+
+ # ECDH derive against a matching peer public key
+ ok(run(app(['openssl', 'pkeyutl', '-derive',
+ '-inkey', $eckey, '-peerkey', $ecpub,
+ '-out', 'derive_secret.bin'])),
+ "Derive shared secret with matching peer key");
+
+ # setup_peer: peer key file cannot be loaded
+ with({ exit_checker => sub { return shift == 1; } },
+ sub {
+ ok(run(app(['openssl', 'pkeyutl', '-derive',
+ '-inkey', $eckey, '-peerkey', 'no_such_peer.pem'])),
+ "Fail when the peer key cannot be read");
+ });
+
+ # setup_peer: peer key type does not match the private key type
+ with({ exit_checker => sub { return shift == 1; } },
+ sub {
+ ok(run(app(['openssl', 'pkeyutl', '-derive',
+ '-inkey', $eckey, '-peerkey', $rsapub])),
+ "Fail when peer key type does not match private key");
+ });
+
+ # main: -derive requires -peerkey
+ with({ exit_checker => sub { return shift == 1; } },
+ sub {
+ ok(run(app(['openssl', 'pkeyutl', '-derive', '-inkey', $eckey])),
+ "Fail when -derive is given without -peerkey");
+ });
+
+ # main: -peerkey is only valid with -derive
+ with({ exit_checker => sub { return shift == 1; } },
+ sub {
+ ok(run(app(['openssl', 'pkeyutl', '-inkey', $eckey, '-peerkey', $ecpub])),
+ "Fail when -peerkey is given without -derive");
+ });
+ };
+}
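Review bot: The first case in the new subtest passes `-out derive_secret.bin` but never looks at the file, so a run that exits 0 with an empty or truncated secret would still pass; a check such as `ok(-s 'derive_secret.bin' == 32, "Derived secret is 32 bytes");` (raising the subtest's `plan tests => 5;` to 6, and assuming the fixture is a P-256 key as its name suggests) would pin the output. The four failure cases assert only exit status 1, so they cannot distinguish a rejection in setup_peer from an earlier failure such as the private key not loading; passing `stderr => 'derive_err.txt'` to `app()` and matching the expected diagnostic would tie each case to the branch its comment names. The type-mismatch case covers RSA against EC only, and an EC peer key on a different curve is the mismatch that matters most for key agreement, so it deserves a case of its own if a suitable fixture is available.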