From: Dmitry Belyavskiy
Date: Thu, 6 Jun 2024 15:01:45 +0000 (+0200)
Subject: Test vectors from rfc9579 and creation tests
X-Git-Tag: openssl-3.4.0-alpha1~224
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e5569e0bf11d39addb7e4a561f934eaa8122463d;p=thirdparty%2Fopenssl.git
Test vectors from rfc9579 and creation tests
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/24577)
---
diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t
index 999129a0307..c14ef94998c 100644
--- a/test/recipes/80-test_pkcs12.t
+++ b/test/recipes/80-test_pkcs12.t
@@ -54,7 +54,7 @@ if (eval { require Win32::API; 1; }) {
 }
 $ENV{OPENSSL_WIN32_UTF8}=1;
-plan tests => 31;
+plan tests => 45;
 # Test different PKCS#12 formats
 ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
@@ -170,6 +170,59 @@ ok(grep(/Trusted key usage (Oracle)/, @pkcs12info) == 0,
 ok(scalar @match > 0 ? 0 : 1, "test_export_pkcs12_outerr6_empty");
 }
+my %pbmac1_tests = (
+ pbmac1_defaults => {args => [], lookup => "hmacWithSHA256"},
+ pbmac1_nondefaults => {args => ["-pbmac1_pbkdf2_md", "sha512", "-macalg", "sha384"], lookup => "hmacWithSHA512"},
+);
+
+for my $instance (sort keys %pbmac1_tests) {
+ my $extra_args = $pbmac1_tests{$instance}{args};
+ my $lookup = $pbmac1_tests{$instance}{lookup};
+ # Test export of PEM file with both cert and key, with password.
+ {
+ my $pbmac1_id = $instance;
+ ok(run(app(["openssl", "pkcs12", "-export", "-pbmac1_pbkdf2",
+ "-inkey", srctop_file(@path, "cert-key-cert.pem"),
+ "-in", srctop_file(@path, "cert-key-cert.pem"),
+ "-passout", "pass:1234",
+ @$extra_args,
+ "-out", "$pbmac1_id.p12"], stderr => "${pbmac1_id}_err.txt")),
+ "test_export_pkcs12_${pbmac1_id}");
+ open DATA, "${pbmac1_id}_err.txt";
+ my @match = grep /:error:/, ;
+ close DATA;
+ ok(scalar @match > 0 ? 0 : 1, "test_export_pkcs12_${pbmac1_id}_err.empty");
+
+ ok(run(app(["openssl", "pkcs12", "-in", "$pbmac1_id.p12", "-info", "-noout",
+ "-passin", "pass:1234"], stderr => "${pbmac1_id}_info.txt")),
+ "test_export_pkcs12_${pbmac1_id}_info");
+ open DATA, "${pbmac1_id}_info.txt";
+ my @match = grep /$lookup/, ;
+ close DATA;
+ ok(scalar @match > 0 ? 1 : 0, "test_export_pkcs12_${pbmac1_id}_info");
+ }
+}
+
+# Test pbmac1 pkcs12 good files, RFC 9579
+for my $file ("pbmac1_256_256.good.p12", "pbmac1_512_256.good.p12", "pbmac1_512_512.good.p12")
+{
+ my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
+ ok(run(app(["openssl", "pkcs12", "-in", $path, "-password", "pass:1234", "-noenc"])),
+ "test pbmac1 pkcs12 file $file");
+}
+
+# Test pbmac1 pkcs12 bad files, RFC 9579
+for my $file ("pbmac1_256_256.bad-iter.p12", "pbmac1_256_256.bad-salt.p12", "pbmac1_256_256.no-len.p12")
+{
+ my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
+ with({ exit_checker => sub { return shift == 1; } },
+ sub {
+ ok(run(app(["openssl", "pkcs12", "-in", $path, "-password", "pass:1234", "-noenc"])),
+ "test pbmac1 pkcs12 bad file $file");
+ }
+ );
+}
+
 # Test some bad pkcs12 files
 my $bad1 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad1.p12");
 my $bad2 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad2.p12");
diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-iter.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-iter.p12
new file mode 100644
index 00000000000..9957d473c43
Binary files /dev/null and b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-iter.p12 differ
diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-salt.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-salt.p12
new file mode 100644
index 00000000000..fef1e51f71c
Binary files /dev/null and b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-salt.p12 differ
diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.good.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.good.p12
new file mode 100644
index 00000000000..b8c8c2d7759
Binary files /dev/null and b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.good.p12 differ
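Review bot: Both `open DATA, "${pbmac1_id}_err.txt";` and `open DATA, "${pbmac1_id}_info.txt";` in the export loop are unchecked two-argument opens, so if the stderr capture cannot be opened the grep that follows sees no lines and `test_export_pkcs12_${pbmac1_id}_err.empty` passes without having inspected anything. I would use a checked three-argument open with a lexical handle, e.g. `open(my $fh, '<', "${pbmac1_id}_err.txt") or die "cannot open stderr capture: $!";`, and read from `$fh`. The second `my @match` redeclares the first in the same block and will warn if warnings are enabled, and the last two `ok` calls share the name `test_export_pkcs12_${pbmac1_id}_info`, which makes a failure harder to attribute. In the bad-file loop the `exit_checker` only asserts `shift == 1`, so the bad-iter, bad-salt and no-len vectors pass on any failure with that exit status rather than specifically on rejection of the PBMAC1 parameters; capturing stderr and matching the expected error there, as the export tests already do with `stderr =>`, would pin the negative cases down.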
diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.no-len.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.no-len.p12
new file mode 100644
index 00000000000..35ebe05d177
Binary files /dev/null and b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.no-len.p12 differ
diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_512_256.good.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_512_256.good.p12
new file mode 100644
index 00000000000..e8d4899691b
Binary files /dev/null and b/test/recipes/80-test_pkcs12_data/pbmac1_512_256.good.p12 differ
diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_512_512.good.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_512_512.good.p12
new file mode 100644
index 00000000000..64e14341a10
Binary files /dev/null and b/test/recipes/80-test_pkcs12_data/pbmac1_512_512.good.p12 differ