80-test_cms.t@ 105770

Last change on this file since 105770 was 104078, checked in by vboxsync, 8 months ago
openssl-3.1.5: Applied and adjusted our OpenSSL changes to 3.1.4. bugref:10638
File size: 42.9 KB

Line
1	#! /usr/bin/env perl
2	# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
3	#
4	# Licensed under the Apache License 2.0 (the "License"). You may not use
5	# this file except in compliance with the License. You can obtain a copy
6	# in the file LICENSE in the source distribution or at
7	# https://www.openssl.org/source/license.html
8
9
10	use strict;
11	use warnings;
12
13	use POSIX;
14	use File::Spec::Functions qw/catfile/;
15	use File::Compare qw/compare_text compare/;
16	use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with data_file/;
17
18	use OpenSSL::Test::Utils;
19
20	BEGIN {
21	setup("test_cms");
22	}
23
24	use lib srctop_dir('Configurations');
25	use lib bldtop_dir('.');
26
27	my $no_fips = disabled('fips') \|\| ($ENV{NO_FIPS} // 0);
28
29	plan skip_all => "CMS is not supported by this OpenSSL build"
30	if disabled("cms");
31
32	my $provpath = bldtop_dir("providers");
33
34	# Some tests require legacy algorithms to be included.
35	my @legacyprov = ("-provider-path", $provpath,
36	"-provider", "default",
37	"-provider", "legacy" );
38	my @defaultprov = ("-provider-path", $provpath,
39	"-provider", "default");
40
41	my @config = ( );
42	my $provname = 'default';
43
44	my $datadir = srctop_dir("test", "recipes", "80-test_cms_data");
45	my $smdir = srctop_dir("test", "smime-certs");
46	my $smcont = srctop_file("test", "smcont.txt");
47	my $smcont_zero = srctop_file("test", "smcont_zero.txt");
48	my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
49	= disabled qw/des dh dsa ec ec2m rc2 zlib/;
50
51	$no_rc2 = 1 if disabled("legacy");
52
53	plan tests => 19;
54
55	ok(run(test(["pkcs7_test"])), "test pkcs7");
56
57	unless ($no_fips) {
58	@config = ( "-config", srctop_file("test", "fips-and-base.cnf") );
59	$provname = 'fips';
60	}
61
62	$ENV{OPENSSL_TEST_LIBCTX} = "1";
63	my @prov = ("-provider-path", $provpath,
64	@config,
65	"-provider", $provname);
66
67	my $smrsa1024 = catfile($smdir, "smrsa1024.pem");
68	my $smrsa1 = catfile($smdir, "smrsa1.pem");
69	my $smroot = catfile($smdir, "smroot.pem");
70
71	my @smime_pkcs7_tests = (
72
73	[ "signed content DER format, RSA key",
74	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
75	"-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
76	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
77	"-CAfile", $smroot, "-out", "{output}.txt" ],
78	\&final_compare
79	],
80
81	[ "signed detached content DER format, RSA key",
82	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
83	"-signer", $smrsa1, "-out", "{output}.cms" ],
84	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
85	"-CAfile", $smroot, "-out", "{output}.txt",
86	"-content", $smcont ],
87	\&final_compare
88	],
89
90	[ "signed content test streaming BER format, RSA",
91	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
92	"-stream",
93	"-signer", $smrsa1, "-out", "{output}.cms" ],
94	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
95	"-CAfile", $smroot, "-out", "{output}.txt" ],
96	\&final_compare
97	],
98
99	[ "signed content DER format, DSA key",
100	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
101	"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
102	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
103	"-CAfile", $smroot, "-out", "{output}.txt" ],
104	\&final_compare
105	],
106
107	[ "signed detached content DER format, DSA key",
108	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
109	"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
110	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
111	"-CAfile", $smroot, "-out", "{output}.txt",
112	"-content", $smcont ],
113	\&final_compare
114	],
115
116	[ "signed detached content DER format, add RSA signer (with DSA existing)",
117	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
118	"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
119	[ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
120	"-signer", $smrsa1, "-out", "{output}2.cms" ],
121	[ "{cmd2}", @prov, "-verify", "-in", "{output}2.cms", "-inform", "DER",
122	"-CAfile", $smroot, "-out", "{output}.txt",
123	"-content", $smcont ],
124	\&final_compare
125	],
126
127	[ "signed content test streaming BER format, DSA key",
128	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
129	"-nodetach", "-stream",
130	"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
131	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
132	"-CAfile", $smroot, "-out", "{output}.txt" ],
133	\&final_compare
134	],
135
136	[ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
137	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
138	"-nodetach", "-stream",
139	"-signer", $smrsa1,
140	"-signer", catfile($smdir, "smrsa2.pem"),
141	"-signer", catfile($smdir, "smdsa1.pem"),
142	"-signer", catfile($smdir, "smdsa2.pem"),
143	"-out", "{output}.cms" ],
144	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
145	"-CAfile", $smroot, "-out", "{output}.txt" ],
146	\&final_compare
147	],
148
149	[ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
150	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
151	"-noattr", "-nodetach", "-stream",
152	"-signer", $smrsa1,
153	"-signer", catfile($smdir, "smrsa2.pem"),
154	"-signer", catfile($smdir, "smdsa1.pem"),
155	"-signer", catfile($smdir, "smdsa2.pem"),
156	"-out", "{output}.cms" ],
157	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
158	"-CAfile", $smroot, "-out", "{output}.txt" ],
159	\&final_compare
160	],
161
162	[ "signed content S/MIME format, RSA key SHA1",
163	[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
164	"-certfile", $smroot,
165	"-signer", $smrsa1, "-out", "{output}.cms" ],
166	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
167	"-CAfile", $smroot, "-out", "{output}.txt" ],
168	\&final_compare
169	],
170
171	[ "signed zero-length content S/MIME format, RSA key SHA1",
172	[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",
173	"-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
174	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
175	"-CAfile", $smroot, "-out", "{output}.txt" ],
176	\&zero_compare
177	],
178
179	[ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
180	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
181	"-signer", $smrsa1,
182	"-signer", catfile($smdir, "smrsa2.pem"),
183	"-signer", catfile($smdir, "smdsa1.pem"),
184	"-signer", catfile($smdir, "smdsa2.pem"),
185	"-stream", "-out", "{output}.cms" ],
186	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
187	"-CAfile", $smroot, "-out", "{output}.txt" ],
188	\&final_compare
189	],
190
191	[ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
192	[ "{cmd1}", @prov, "-sign", "-in", $smcont,
193	"-signer", $smrsa1,
194	"-signer", catfile($smdir, "smrsa2.pem"),
195	"-signer", catfile($smdir, "smdsa1.pem"),
196	"-signer", catfile($smdir, "smdsa2.pem"),
197	"-stream", "-out", "{output}.cms" ],
198	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
199	"-CAfile", $smroot, "-out", "{output}.txt" ],
200	\&final_compare
201	],
202
203	[ "enveloped content test streaming S/MIME format, DES, 3 recipients",
204	[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
205	"-stream", "-out", "{output}.cms",
206	$smrsa1,
207	catfile($smdir, "smrsa2.pem"),
208	catfile($smdir, "smrsa3.pem") ],
209	[ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
210	"-in", "{output}.cms", "-out", "{output}.txt" ],
211	\&final_compare
212	],
213
214	[ "enveloped content test streaming S/MIME format, DES, 3 recipients, 3rd used",
215	[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
216	"-stream", "-out", "{output}.cms",
217	$smrsa1,
218	catfile($smdir, "smrsa2.pem"),
219	catfile($smdir, "smrsa3.pem") ],
220	[ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smrsa3.pem"),
221	"-in", "{output}.cms", "-out", "{output}.txt" ],
222	\&final_compare
223	],
224
225	[ "enveloped content test streaming S/MIME format, DES, 3 recipients, cert and key files used",
226	[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
227	"-stream", "-out", "{output}.cms",
228	$smrsa1,
229	catfile($smdir, "smrsa2.pem"),
230	catfile($smdir, "smrsa3-cert.pem") ],
231	[ "{cmd2}", @defaultprov, "-decrypt",
232	"-recip", catfile($smdir, "smrsa3-cert.pem"),
233	"-inkey", catfile($smdir, "smrsa3-key.pem"),
234	"-in", "{output}.cms", "-out", "{output}.txt" ],
235	\&final_compare
236	],
237
238	[ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
239	[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
240	"-aes256", "-stream", "-out", "{output}.cms",
241	$smrsa1,
242	catfile($smdir, "smrsa2.pem"),
243	catfile($smdir, "smrsa3.pem") ],
244	[ "{cmd2}", @prov, "-decrypt", "-recip", $smrsa1,
245	"-in", "{output}.cms", "-out", "{output}.txt" ],
246	\&final_compare
247	],
248
249	);
250
251	my @smime_cms_tests = (
252
253	[ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
254	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
255	"-nodetach", "-keyid",
256	"-signer", $smrsa1,
257	"-signer", catfile($smdir, "smrsa2.pem"),
258	"-signer", catfile($smdir, "smdsa1.pem"),
259	"-signer", catfile($smdir, "smdsa2.pem"),
260	"-stream", "-out", "{output}.cms" ],
261	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
262	"-CAfile", $smroot, "-out", "{output}.txt" ],
263	\&final_compare
264	],
265
266	[ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
267	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
268	"-signer", $smrsa1,
269	"-signer", catfile($smdir, "smrsa2.pem"),
270	"-signer", catfile($smdir, "smdsa1.pem"),
271	"-signer", catfile($smdir, "smdsa2.pem"),
272	"-stream", "-out", "{output}.cms" ],
273	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
274	"-CAfile", $smroot, "-out", "{output}.txt" ],
275	\&final_compare
276	],
277
278	[ "signed content MIME format, RSA key, signed receipt request",
279	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
280	"-signer", $smrsa1,
281	"-receipt_request_to", "test\@openssl.org", "-receipt_request_all",
282	"-out", "{output}.cms" ],
283	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
284	"-CAfile", $smroot, "-out", "{output}.txt" ],
285	\&final_compare
286	],
287
288	[ "signed receipt MIME format, RSA key",
289	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
290	"-signer", $smrsa1,
291	"-receipt_request_to", "test\@openssl.org", "-receipt_request_all",
292	"-out", "{output}.cms" ],
293	[ "{cmd1}", @prov, "-sign_receipt", "-in", "{output}.cms",
294	"-signer", catfile($smdir, "smrsa2.pem"), "-out", "{output}2.cms" ],
295	[ "{cmd2}", @prov, "-verify_receipt", "{output}2.cms", "-in", "{output}.cms",
296	"-CAfile", $smroot ]
297	],
298
299	[ "enveloped content test streaming S/MIME format, DES, 3 recipients, keyid",
300	[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
301	"-stream", "-out", "{output}.cms", "-keyid",
302	$smrsa1,
303	catfile($smdir, "smrsa2.pem"),
304	catfile($smdir, "smrsa3.pem") ],
305	[ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
306	"-in", "{output}.cms", "-out", "{output}.txt" ],
307	\&final_compare
308	],
309
310	[ "enveloped content test streaming PEM format, AES-256-CBC cipher, KEK",
311	[ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128",
312	"-stream", "-out", "{output}.cms",
313	"-secretkey", "000102030405060708090A0B0C0D0E0F",
314	"-secretkeyid", "C0FEE0" ],
315	[ "{cmd2}", @prov, "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
316	"-inform", "PEM",
317	"-secretkey", "000102030405060708090A0B0C0D0E0F",
318	"-secretkeyid", "C0FEE0" ],
319	\&final_compare
320	],
321
322	[ "enveloped content test streaming PEM format, AES-256-GCM cipher, KEK",
323	[ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes-128-gcm",
324	"-stream", "-out", "{output}.cms",
325	"-secretkey", "000102030405060708090A0B0C0D0E0F",
326	"-secretkeyid", "C0FEE0" ],
327	[ "{cmd2}", "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
328	"-inform", "PEM",
329	"-secretkey", "000102030405060708090A0B0C0D0E0F",
330	"-secretkeyid", "C0FEE0" ],
331	\&final_compare
332	],
333
334	[ "enveloped content test streaming PEM format, KEK, key only",
335	[ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128",
336	"-stream", "-out", "{output}.cms",
337	"-secretkey", "000102030405060708090A0B0C0D0E0F",
338	"-secretkeyid", "C0FEE0" ],
339	[ "{cmd2}", @prov, "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
340	"-inform", "PEM",
341	"-secretkey", "000102030405060708090A0B0C0D0E0F" ],
342	\&final_compare
343	],
344
345	[ "data content test streaming PEM format",
346	[ "{cmd1}", @prov, "-data_create", "-in", $smcont, "-outform", "PEM",
347	"-nodetach", "-stream", "-out", "{output}.cms" ],
348	[ "{cmd2}", @prov, "-data_out", "-in", "{output}.cms", "-inform", "PEM",
349	"-out", "{output}.txt" ],
350	\&final_compare
351	],
352
353	[ "encrypted content test streaming PEM format, 128 bit RC2 key",
354	[ "{cmd1}", @legacyprov, "-EncryptedData_encrypt",
355	"-in", $smcont, "-outform", "PEM",
356	"-rc2", "-secretkey", "000102030405060708090A0B0C0D0E0F",
357	"-stream", "-out", "{output}.cms" ],
358	[ "{cmd2}", @legacyprov, "-EncryptedData_decrypt", "-in", "{output}.cms",
359	"-inform", "PEM",
360	"-secretkey", "000102030405060708090A0B0C0D0E0F",
361	"-out", "{output}.txt" ],
362	\&final_compare
363	],
364
365	[ "encrypted content test streaming PEM format, 40 bit RC2 key",
366	[ "{cmd1}", @legacyprov, "-EncryptedData_encrypt",
367	"-in", $smcont, "-outform", "PEM",
368	"-rc2", "-secretkey", "0001020304",
369	"-stream", "-out", "{output}.cms" ],
370	[ "{cmd2}", @legacyprov, "-EncryptedData_decrypt", "-in", "{output}.cms",
371	"-inform", "PEM",
372	"-secretkey", "0001020304", "-out", "{output}.txt" ],
373	\&final_compare
374	],
375
376	[ "encrypted content test streaming PEM format, triple DES key",
377	[ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
378	"-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
379	"-stream", "-out", "{output}.cms" ],
380	[ "{cmd2}", @prov, "-EncryptedData_decrypt", "-in", "{output}.cms",
381	"-inform", "PEM",
382	"-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
383	"-out", "{output}.txt" ],
384	\&final_compare
385	],
386
387	[ "encrypted content test streaming PEM format, 128 bit AES key",
388	[ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
389	"-aes128", "-secretkey", "000102030405060708090A0B0C0D0E0F",
390	"-stream", "-out", "{output}.cms" ],
391	[ "{cmd2}", @prov, "-EncryptedData_decrypt", "-in", "{output}.cms",
392	"-inform", "PEM",
393	"-secretkey", "000102030405060708090A0B0C0D0E0F",
394	"-out", "{output}.txt" ],
395	\&final_compare
396	],
397	);
398
399	my @smime_cms_cades_tests = (
400
401	[ "signed content DER format, RSA key, CAdES-BES compatible",
402	[ "{cmd1}", @prov, "-sign", "-cades", "-in", $smcont, "-outform", "DER",
403	"-nodetach",
404	"-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
405	[ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
406	"-CAfile", $smroot, "-out", "{output}.txt" ],
407	\&final_compare
408	],
409
410	[ "signed content DER format, RSA key, SHA256 md, CAdES-BES compatible",
411	[ "{cmd1}", @prov, "-sign", "-cades", "-md", "sha256", "-in", $smcont, "-outform",
412	"DER", "-nodetach", "-certfile", $smroot,
413	"-signer", $smrsa1, "-out", "{output}.cms" ],
414	[ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
415	"-CAfile", $smroot, "-out", "{output}.txt" ],
416	\&final_compare
417	],
418
419	[ "signed content DER format, RSA key, SHA512 md, CAdES-BES compatible",
420	[ "{cmd1}", @prov, "-sign", "-cades", "-md", "sha512", "-in", $smcont, "-outform",
421	"DER", "-nodetach", "-certfile", $smroot,
422	"-signer", $smrsa1, "-out", "{output}.cms" ],
423	[ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
424	"-CAfile", $smroot, "-out", "{output}.txt" ],
425	\&final_compare
426	],
427
428	[ "signed content DER format, RSA key, SHA256 md, CAdES-BES compatible",
429	[ "{cmd1}", @prov, "-sign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256",
430	"-in", $smcont, "-outform", "DER",
431	"-certfile", $smroot, "-signer", $smrsa1,
432	"-outform", "DER", "-out", "{output}.cms" ],
433	[ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
434	"-CAfile", $smroot, "-out", "{output}.txt" ],
435	\&final_compare
436	],
437
438	[ "resigned content DER format, RSA key, SHA256 md, CAdES-BES compatible",
439	[ "{cmd1}", @prov, "-sign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256",
440	"-in", $smcont, "-outform", "DER",
441	"-certfile", $smroot, "-signer", $smrsa1,
442	"-outform", "DER", "-out", "{output}.cms" ],
443	[ "{cmd1}", @prov, "-resign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256",
444	"-inform", "DER", "-in", "{output}.cms",
445	"-certfile", $smroot, "-signer", catfile($smdir, "smrsa2.pem"),
446	"-outform", "DER", "-out", "{output}2.cms" ],
447
448	[ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}2.cms", "-inform", "DER",
449	"-CAfile", $smroot, "-out", "{output}.txt" ],
450	\&final_compare
451	],
452	);
453
454	my @smime_cms_cades_ko_tests = (
455	[ "sign content DER format, RSA key, not CAdES-BES compatible",
456	[ @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
457	"-certfile", $smroot, "-signer", $smrsa1, "-out", "cades-ko.cms" ],
458	"fail to verify token since requiring CAdES-BES compatibility",
459	[ @prov, "-verify", "-cades", "-in", "cades-ko.cms", "-inform", "DER",
460	"-CAfile", $smroot, "-out", "cades-ko.txt" ],
461	\&final_compare
462	]
463	);
464
465	# cades options test - check that some combinations are rejected
466	my @smime_cms_cades_invalid_option_tests = (
467	[
468	[ "-cades", "-noattr" ],
469	],[
470	[ "-verify", "-cades", "-noattr" ],
471	],[
472	[ "-verify", "-cades", "-noverify" ],
473	],
474	);
475
476	my @smime_cms_comp_tests = (
477
478	[ "compressed content test streaming PEM format",
479	[ "{cmd1}", @prov, "-compress", "-in", $smcont, "-outform", "PEM", "-nodetach",
480	"-stream", "-out", "{output}.cms" ],
481	[ "{cmd2}", @prov, "-uncompress", "-in", "{output}.cms", "-inform", "PEM",
482	"-out", "{output}.txt" ],
483	\&final_compare
484	]
485
486	);
487
488	my @smime_cms_param_tests = (
489	[ "signed content test streaming PEM format, RSA keys, PSS signature",
490	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
491	"-signer", $smrsa1,
492	"-keyopt", "rsa_padding_mode:pss",
493	"-out", "{output}.cms" ],
494	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
495	"-CAfile", $smroot, "-out", "{output}.txt" ],
496	\&final_compare
497	],
498
499	[ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=max",
500	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
501	"-signer", $smrsa1,
502	"-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:max",
503	"-out", "{output}.cms" ],
504	sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 222; },
505	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
506	"-CAfile", $smroot, "-out", "{output}.txt" ],
507	\&final_compare
508	],
509
510	[ "signed content test streaming PEM format, RSA keys, PSS signature, no attributes",
511	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
512	"-noattr", "-signer", $smrsa1,
513	"-keyopt", "rsa_padding_mode:pss",
514	"-out", "{output}.cms" ],
515	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
516	"-CAfile", $smroot, "-out", "{output}.txt" ],
517	\&final_compare
518	],
519
520	[ "signed content test streaming PEM format, RSA keys, PSS signature, SHA384 MGF1",
521	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
522	"-signer", $smrsa1,
523	"-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_mgf1_md:sha384",
524	"-out", "{output}.cms" ],
525	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
526	"-CAfile", $smroot, "-out", "{output}.txt" ],
527	\&final_compare
528	],
529
530	[ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=16",
531	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
532	"-signer", $smrsa1, "-md", "sha256",
533	"-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:16",
534	"-out", "{output}.cms" ],
535	sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 16; },
536	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
537	"-CAfile", $smroot, "-out", "{output}.txt" ],
538	\&final_compare
539	],
540
541	[ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=digest",
542	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
543	"-signer", $smrsa1, "-md", "sha256",
544	"-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:digest",
545	"-out", "{output}.cms" ],
546	# digest is SHA-256, which produces 32 bytes of output
547	sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 32; },
548	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
549	"-CAfile", $smroot, "-out", "{output}.txt" ],
550	\&final_compare
551	],
552
553	[ "enveloped content test streaming S/MIME format, DES, OAEP default parameters",
554	[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
555	"-stream", "-out", "{output}.cms",
556	"-recip", $smrsa1,
557	"-keyopt", "rsa_padding_mode:oaep" ],
558	[ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
559	"-in", "{output}.cms", "-out", "{output}.txt" ],
560	\&final_compare
561	],
562
563	[ "enveloped content test streaming S/MIME format, DES, OAEP SHA256",
564	[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
565	"-stream", "-out", "{output}.cms",
566	"-recip", $smrsa1,
567	"-keyopt", "rsa_padding_mode:oaep",
568	"-keyopt", "rsa_oaep_md:sha256" ],
569	[ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
570	"-in", "{output}.cms", "-out", "{output}.txt" ],
571	\&final_compare
572	],
573
574	[ "enveloped content test streaming S/MIME format, DES, ECDH",
575	[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
576	"-stream", "-out", "{output}.cms",
577	"-recip", catfile($smdir, "smec1.pem") ],
578	[ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
579	"-in", "{output}.cms", "-out", "{output}.txt" ],
580	\&final_compare
581	],
582
583	[ "enveloped content test streaming S/MIME format, DES, ECDH, 2 recipients, key only used",
584	[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
585	"-stream", "-out", "{output}.cms",
586	catfile($smdir, "smec1.pem"),
587	catfile($smdir, "smec3.pem") ],
588	[ "{cmd2}", @defaultprov, "-decrypt", "-inkey", catfile($smdir, "smec3.pem"),
589	"-in", "{output}.cms", "-out", "{output}.txt" ],
590	\&final_compare
591	],
592
593	[ "enveloped content test streaming S/MIME format, ECDH, DES, key identifier",
594	[ "{cmd1}", @defaultprov, "-encrypt", "-keyid", "-in", $smcont,
595	"-stream", "-out", "{output}.cms",
596	"-recip", catfile($smdir, "smec1.pem") ],
597	[ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
598	"-in", "{output}.cms", "-out", "{output}.txt" ],
599	\&final_compare
600	],
601
602	[ "enveloped content test streaming S/MIME format, ECDH, AES-128-CBC, SHA256 KDF",
603	[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
604	"-stream", "-out", "{output}.cms",
605	"-recip", catfile($smdir, "smec1.pem"), "-aes128",
606	"-keyopt", "ecdh_kdf_md:sha256" ],
607	[ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
608	"-in", "{output}.cms", "-out", "{output}.txt" ],
609	\&final_compare
610	],
611
612	[ "enveloped content test streaming S/MIME format, ECDH, AES-128-GCM cipher, SHA256 KDF",
613	[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
614	"-stream", "-out", "{output}.cms",
615	"-recip", catfile($smdir, "smec1.pem"), "-aes-128-gcm", "-keyopt", "ecdh_kdf_md:sha256" ],
616	[ "{cmd2}", "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
617	"-in", "{output}.cms", "-out", "{output}.txt" ],
618	\&final_compare
619	],
620
621	[ "enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH",
622	[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
623	"-stream", "-out", "{output}.cms",
624	"-recip", catfile($smdir, "smec2.pem"), "-aes128",
625	"-keyopt", "ecdh_kdf_md:sha256", "-keyopt", "ecdh_cofactor_mode:1" ],
626	[ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smec2.pem"),
627	"-in", "{output}.cms", "-out", "{output}.txt" ],
628	\&final_compare
629	],
630
631	[ "enveloped content test streaming S/MIME format, X9.42 DH",
632	[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
633	"-stream", "-out", "{output}.cms",
634	"-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
635	[ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
636	"-in", "{output}.cms", "-out", "{output}.txt" ],
637	\&final_compare
638	]
639	);
640
641	my @smime_cms_param_tests_autodigestmax = (
642	[ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=auto-digestmax, digestsize < maximum salt length",
643	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
644	"-signer", $smrsa1, "-md", "sha256",
645	"-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:auto-digestmax",
646	"-out", "{output}.cms" ],
647	# digest is SHA-256, which produces 32, bytes of output
648	sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 32; },
649	[ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
650	"-CAfile", $smroot, "-out", "{output}.txt" ],
651	\&final_compare
652	],
653
654	[ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=auto-digestmax, digestsize > maximum salt length",
655	[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
656	"-signer", $smrsa1024, "-md", "sha512",
657	"-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:auto-digestmax",
658	"-out", "{output}.cms" ],
659	# digest is SHA-512, which produces 64, bytes of output, but an RSA-PSS
660	# signature with a 1024 bit RSA key can only accomodate 62
661	sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 62; },
662	[ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
663	"-CAfile", $smroot, "-out", "{output}.txt" ],
664	\&final_compare
665	]
666	);
667
668
669	my @contenttype_cms_test = (
670	[ "signed content test - check that content type is added to additional signerinfo, RSA keys",
671	[ "{cmd1}", @prov, "-sign", "-binary", "-nodetach", "-stream", "-in", $smcont,
672	"-outform", "DER", "-signer", $smrsa1, "-md", "SHA256",
673	"-out", "{output}.cms" ],
674	[ "{cmd1}", @prov, "-resign", "-binary", "-nodetach", "-in", "{output}.cms",
675	"-inform", "DER", "-outform", "DER",
676	"-signer", catfile($smdir, "smrsa2.pem"), "-md", "SHA256",
677	"-out", "{output}2.cms" ],
678	sub { my %opts = @_; contentType_matches("$opts{output}2.cms") == 2; },
679	[ "{cmd2}", @prov, "-verify", "-in", "{output}2.cms", "-inform", "DER",
680	"-CAfile", $smroot, "-out", "{output}.txt" ]
681	],
682	);
683
684	my @incorrect_attribute_cms_test = (
685	"bad_signtime_attr.cms",
686	"no_ct_attr.cms",
687	"no_md_attr.cms",
688	"ct_multiple_attr.cms"
689	);
690
691	# Runs a standard loop on the input array
692	sub runner_loop {
693	my %opts = ( @_ );
694	my $cnt1 = 0;
695
696	foreach (@{$opts{tests}}) {
697	$cnt1++;
698	$opts{output} = "$opts{prefix}-$cnt1";
699	SKIP: {
700	my $skip_reason = check_availability($$_[0]);
701	skip $skip_reason, 1 if $skip_reason;
702	my $ok = 1;
703	1 while unlink "$opts{output}.txt";
704
705	foreach (@$_[1..$#$_]) {
706	if (ref $_ eq 'CODE') {
707	$ok &&= $_->(%opts);
708	} else {
709	my @cmd = map {
710	my $x = $_;
711	while ($x =~ /\{([^\}]+)\}/) {
712	$x = $`.$opts{$1}.$' if exists $opts{$1};
713	}
714	$x;
715	} @$_;
716
717	diag "CMD: openssl ", join(" ", @cmd);
718	$ok &&= run(app(["openssl", @cmd]));
719	$opts{input} = $opts{output};
720	}
721	}
722
723	ok($ok, $$_[0]);
724	}
725	}
726	}
727
728	sub final_compare {
729	my %opts = @_;
730
731	diag "Comparing $smcont with $opts{output}.txt";
732	return compare_text($smcont, "$opts{output}.txt") == 0;
733	}
734
735	sub zero_compare {
736	my %opts = @_;
737
738	diag "Checking for zero-length file";
739	return (-e "$opts{output}.txt" && -z "$opts{output}.txt");
740	}
741
742	subtest "CMS => PKCS#7 compatibility tests\n" => sub {
743	plan tests => scalar @smime_pkcs7_tests;
744
745	runner_loop(prefix => 'cms2pkcs7', cmd1 => 'cms', cmd2 => 'smime',
746	tests => [ @smime_pkcs7_tests ]);
747	};
748	subtest "CMS <= PKCS#7 compatibility tests\n" => sub {
749	plan tests => scalar @smime_pkcs7_tests;
750
751	runner_loop(prefix => 'pkcs72cms', cmd1 => 'smime', cmd2 => 'cms',
752	tests => [ @smime_pkcs7_tests ]);
753	};
754
755	subtest "CMS <=> CMS consistency tests\n" => sub {
756	plan tests => (scalar @smime_pkcs7_tests) + (scalar @smime_cms_tests);
757
758	runner_loop(prefix => 'cms2cms-1', cmd1 => 'cms', cmd2 => 'cms',
759	tests => [ @smime_pkcs7_tests ]);
760	runner_loop(prefix => 'cms2cms-2', cmd1 => 'cms', cmd2 => 'cms',
761	tests => [ @smime_cms_tests ]);
762	};
763
764	subtest "CMS <=> CMS consistency tests, modified key parameters\n" => sub {
765	plan tests =>
766	(scalar @smime_cms_param_tests) + (scalar @smime_cms_comp_tests) +
767	(scalar @smime_cms_param_tests_autodigestmax) + 1;
768
769	ok(run(app(["openssl", "cms", @prov,
770	"-sign", "-in", $smcont,
771	"-outform", "PEM",
772	"-nodetach",
773	"-signer", $smrsa1,
774	"-keyopt", "rsa_padding_mode:pss",
775	"-keyopt", "rsa_pss_saltlen:auto-digestmax",
776	"-out", "digestmaxtest.cms"])));
777	# Providers that do not support rsa_pss_saltlen:auto-digestmax will parse
778	# it as 0
779	my $no_autodigestmax = rsapssSaltlen("digestmaxtest.cms") == 0;
780	1 while unlink "digestmaxtest.cms";
781
782	runner_loop(prefix => 'cms2cms-mod', cmd1 => 'cms', cmd2 => 'cms',
783	tests => [ @smime_cms_param_tests ]);
784	SKIP: {
785	skip("Zlib not supported: compression tests skipped",
786	scalar @smime_cms_comp_tests)
787	if $no_zlib;
788
789	runner_loop(prefix => 'cms2cms-comp', cmd1 => 'cms', cmd2 => 'cms',
790	tests => [ @smime_cms_comp_tests ]);
791	}
792
793	SKIP: {
794	skip("rsa_pss_saltlen:auto-digestmax not supported",
795	scalar @smime_cms_param_tests_autodigestmax)
796	if $no_autodigestmax;
797
798	runner_loop(prefix => 'cms2cms-comp', 'cmd1' => 'cms', cmd2 => 'cms',
799	tests => [ @smime_cms_param_tests_autodigestmax ]);
800	}
801	};
802
803	# Returns the number of matches of a Content Type Attribute in a binary file.
804	sub contentType_matches {
805	# Read in a binary file
806	my ($in) = @_;
807	open (HEX_IN, "$in") or die("open failed for $in : $!");
808	binmode(HEX_IN);
809	local $/;
810	my $str = <HEX_IN>;
811
812	# Find ASN1 data for a Content Type Attribute (with a OID of PKCS7 data)
813	my @c = $str =~ /\x30\x18\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x03\x31\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x01/gs;
814
815	close(HEX_IN);
816	return scalar(@c);
817	}
818
819	sub rsapssSaltlen {
820	my ($in) = @_;
821	my $exit = 0;
822
823	my @asn1parse = run(app(["openssl", "asn1parse", "-in", $in, "-dump"]),
824	capture => 1,
825	statusvar => $exit);
826	return -1 if $exit != 0;
827
828	my $pssparam_offset = -1;
829	while ($_ = shift @asn1parse) {
830	chomp;
831	next unless /:rsassaPss/;
832	# This line contains :rsassaPss, the next line contains a raw dump of the
833	# RSA_PSS_PARAMS sequence; obtain its offset
834	$_ = shift @asn1parse;
835	if (/^\s*(\d+):/) {
836	$pssparam_offset = int($1);
837	}
838	}
839
840	if ($pssparam_offset == -1) {
841	note "Failed to determine RSA_PSS_PARAM offset in CMS. " +
842	"Was the file correctly signed with RSASSA-PSS?";
843	return -1;
844	}
845
846	my @pssparam = run(app(["openssl", "asn1parse", "-in", $in,
847	"-strparse", $pssparam_offset]),
848	capture => 1,
849	statusvar => $exit);
850	return -1 if $exit != 0;
851
852	my $saltlen = -1;
853	# Can't use asn1parse -item RSA_PSS_PARAMS here, because that's deprecated.
854	# This assumes the salt length is the last field, which may possibly be
855	# incorrect if there is a non-standard trailer field, but there almost never
856	# is in PSS.
857	if ($pssparam[-1] =~ /prim:\s+INTEGER\s+:([A-Fa-f0-9]+)/) {
858	$saltlen = hex($1);
859	}
860
861	if ($saltlen == -1) {
862	note "Failed to determine salt length from RSA_PSS_PARAM struct. " +
863	"Was the file correctly signed with RSASSA-PSS?";
864	return -1;
865	}
866
867	return $saltlen;
868	}
869
870	subtest "CMS Check the content type attribute is added for additional signers\n" => sub {
871	plan tests => (scalar @contenttype_cms_test);
872
873	runner_loop(prefix => 'cms2cms-added', cmd1 => 'cms', cmd2 => 'cms',
874	tests => [ @contenttype_cms_test ]);
875	};
876
877	subtest "CMS Check that bad attributes fail when verifying signers\n" => sub {
878	plan tests =>
879	(scalar @incorrect_attribute_cms_test);
880
881	my $cnt = 0;
882	foreach my $name (@incorrect_attribute_cms_test) {
883	my $out = "incorrect-$cnt.txt";
884
885	ok(!run(app(["openssl", "cms", @prov, "-verify", "-in",
886	catfile($datadir, $name), "-inform", "DER", "-CAfile",
887	$smroot, "-out", $out ])),
888	$name);
889	}
890	};
891
892	subtest "CMS Check that bad encryption algorithm fails\n" => sub {
893	plan tests => 1;
894
895	SKIP: {
896	skip "DES or Legacy isn't supported in this build", 1
897	if disabled("des") \|\| disabled("legacy");
898
899	my $out = "smtst.txt";
900
901	ok(!run(app(["openssl", "cms", @legacyprov, "-encrypt",
902	"-in", $smcont,
903	"-stream", "-recip", $smrsa1,
904	"-des-ede3",
905	"-out", $out ])),
906	"Decrypt message from OpenSSL 1.1.1");
907	}
908	};
909
910	subtest "CMS Decrypt message encrypted with OpenSSL 1.1.1\n" => sub {
911	plan tests => 1;
912
913	SKIP: {
914	skip "EC or DES isn't supported in this build", 1
915	if disabled("ec") \|\| disabled("des");
916
917	my $out = "smtst.txt";
918
919	ok(run(app(["openssl", "cms", @defaultprov, "-decrypt",
920	"-inkey", catfile($smdir, "smec3.pem"),
921	"-in", catfile($datadir, "ciphertext_from_1_1_1.cms"),
922	"-out", $out ]))
923	&& compare_text($smcont, $out) == 0,
924	"Decrypt message from OpenSSL 1.1.1");
925	}
926	};
927
928	subtest "CAdES <=> CAdES consistency tests\n" => sub {
929	plan tests => (scalar @smime_cms_cades_tests);
930
931	runner_loop(prefix => 'cms-cades', cmd1 => 'cms', cmd2 => 'cms',
932	tests => [ @smime_cms_cades_tests ]);
933	};
934
935	subtest "CAdES; cms incompatible arguments tests\n" => sub {
936	plan tests => (scalar @smime_cms_cades_invalid_option_tests);
937
938	foreach (@smime_cms_cades_invalid_option_tests) {
939	ok(!run(app(["openssl", "cms", @{$$_[0]} ] )));
940	}
941	};
942
943	subtest "CAdES ko tests\n" => sub {
944	plan tests => 2 * scalar @smime_cms_cades_ko_tests;
945
946	foreach (@smime_cms_cades_ko_tests) {
947	SKIP: {
948	my $skip_reason = check_availability($$_[0]);
949	skip $skip_reason, 1 if $skip_reason;
950	1 while unlink "cades-ko.txt";
951
952	ok(run(app(["openssl", "cms", @{$$_[1]}])), $$_[0]);
953	ok(!run(app(["openssl", "cms", @{$$_[3]}])), $$_[2]);
954	}
955	}
956	};
957
958	subtest "CMS binary input tests\n" => sub {
959	my $input = srctop_file("test", "smcont.bin");
960	my $signed = "smcont.signed";
961	my $verified = "smcont.verified";
962
963	plan tests => 11;
964
965	ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1,
966	"-binary", "-in", $input, "-out", $signed])),
967	"sign binary input with -binary");
968	ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot,
969	"-binary", "-in", $signed, "-out", $verified])),
970	"verify binary input with -binary");
971	is(compare($input, $verified), 0, "binary input retained with -binary");
972
973	ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1,
974	"-in", $input, "-out", $signed.".nobin"])),
975	"sign binary input without -binary");
976	ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot,
977	"-in", $signed.".nobin", "-out", $verified.".nobin"])),
978	"verify binary input without -binary");
979	is(compare($input, $verified.".nobin"), 1, "binary input not retained without -binary");
980	ok(!run(app(["openssl", "cms", "-verify", "-CAfile", $smroot, "-crlfeol",
981	"-binary", "-in", $signed, "-out", $verified.".crlfeol"])),
982	"verify binary input wrong crlfeol");
983
984	ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1,
985	"-crlfeol",
986	"-binary", "-in", $input, "-out", $signed.".crlf"])),
987	"sign binary input with -binary -crlfeol");
988	ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot, "-crlfeol",
989	"-binary", "-in", $signed.".crlf", "-out", $verified.".crlf"])),
990	"verify binary input with -binary -crlfeol");
991	is(compare($input, $verified.".crlf"), 0,
992	"binary input retained with -binary -crlfeol");
993	ok(!run(app(["openssl", "cms", "-verify", "-CAfile", $smroot,
994	"-binary", "-in", $signed.".crlf", "-out", $verified.".crlf2"])),
995	"verify binary input with -binary missing -crlfeol");
996	};
997
998	# Test case for missing MD algorithm (must not segfault)
999
1000	with({ exit_checker => sub { return shift == 4; } },
1001	sub {
1002	ok(run(app(['openssl', 'smime', '-verify', '-noverify',
1003	'-inform', 'PEM',
1004	'-in', data_file("pkcs7-md4.pem"),
1005	])),
1006	"Check failure of EVP_DigestInit is handled correctly");
1007	});
1008
1009	sub check_availability {
1010	my $tnam = shift;
1011
1012	return "$tnam: skipped, EC disabled\n"
1013	if ($no_ec && $tnam =~ /ECDH/);
1014	return "$tnam: skipped, ECDH disabled\n"
1015	if ($no_ec && $tnam =~ /ECDH/);
1016	return "$tnam: skipped, EC2M disabled\n"
1017	if ($no_ec2m && $tnam =~ /K-283/);
1018	return "$tnam: skipped, DH disabled\n"
1019	if ($no_dh && $tnam =~ /X9\.42/);
1020	return "$tnam: skipped, RC2 disabled\n"
1021	if ($no_rc2 && $tnam =~ /RC2/);
1022	return "$tnam: skipped, DES disabled\n"
1023	if ($no_des && $tnam =~ /DES/);
1024	return "$tnam: skipped, DSA disabled\n"
1025	if ($no_dsa && $tnam =~ / DSA/);
1026
1027	return "";
1028	}
1029
1030	# Test case for the locking problem reported in #19643.
1031	# This will fail if the fix is in and deadlock on Windows (and possibly
1032	# other platforms) if not.
1033	ok(!run(app(['openssl', 'cms', '-verify',
1034	'-CAfile', srctop_file("test/certs", "pkitsta.pem"),
1035	'-policy', 'anyPolicy',
1036	'-in', srctop_file("test/smime-eml",
1037	"SignedInvalidMappingFromanyPolicyTest7.eml")
1038	])),
1039	"issue#19643");
1040
1041	# Check that we get the expected failure return code
1042	with({ exit_checker => sub { return shift == 6; } },
1043	sub {
1044	ok(run(app(['openssl', 'cms', '-encrypt',
1045	'-in', srctop_file("test", "smcont.txt"),
1046	'-aes128', '-stream', '-recip',
1047	srctop_file("test/smime-certs", "badrsa.pem"),
1048	])),
1049	"Check failure during BIO setup with -stream is handled correctly");
1050	});
1051
1052	# Test case for return value mis-check reported in #21986
1053	with({ exit_checker => sub { return shift == 3; } },
1054	sub {
1055	SKIP: {
1056	skip "DSA is not supported in this build", 1 if $no_dsa;
1057
1058	ok(run(app(['openssl', 'cms', '-sign',
1059	'-in', srctop_file("test", "smcont.txt"),
1060	'-signer', srctop_file("test/smime-certs", "smdsa1.pem"),
1061	'-md', 'SHAKE256'])),
1062	"issue#21986");
1063	}
1064	});
1065
1066	# Test for problem reported in #22225
1067	with({ exit_checker => sub { return shift == 3; } },
1068	sub {
1069	ok(run(app(['openssl', 'cms', '-encrypt',
1070	'-in', srctop_file("test", "smcont.txt"),
1071	'-aes-256-ctr', '-recip',
1072	catfile($smdir, "smec1.pem"),
1073	])),
1074	"Check for failure when cipher does not have an assigned OID (issue#22225)");
1075	});
1076
1077	# Test encrypt to three recipients, and decrypt using key-only;
1078	# i.e. do not follow the recommended practice of providing the
1079	# recipient cert in the decrypt op.
1080	#
1081	# Use RSAES-OAEP for key-transport, not RSAES-PKCS-v1_5.
1082	#
1083	# Because the cert is not provided during decrypt, all RSA ciphertexts
1084	# are decrypted in turn, and when/if there is a valid decryption, it
1085	# is assumed the correct content-key has been recovered.
1086	#
1087	# That process may fail with RSAES-PKCS-v1_5 b/c there is a
1088	# non-negligible chance that decrypting a random input using
1089	# RSAES-PKCS-v1_5 can result in a valid plaintext (so two content-keys
1090	# could be recovered and the wrong one might be used).
1091	#
1092	# See https://github.com/openssl/project/issues/380
1093	subtest "encrypt to three recipients with RSA-OAEP, key only decrypt" => sub {
1094	plan tests => 3;
1095
1096	my $pt = srctop_file("test", "smcont.txt");
1097	my $ct = "smtst.cms";
1098	my $ptpt = "smtst.txt";
1099
1100	ok(run(app(['openssl', 'cms',
1101	@defaultprov,
1102	'-encrypt', '-aes128',
1103	'-in', $pt,
1104	'-out', $ct,
1105	'-stream',
1106	'-recip', catfile($smdir, "smrsa1.pem"),
1107	'-keyopt', 'rsa_padding_mode:oaep',
1108	'-recip', catfile($smdir, "smrsa2.pem"),
1109	'-keyopt', 'rsa_padding_mode:oaep',
1110	'-recip', catfile($smdir, "smrsa3-cert.pem"),
1111	'-keyopt', 'rsa_padding_mode:oaep',
1112	])),
1113	"encrypt to three recipients with RSA-OAEP (avoid openssl/project issue#380)");
1114	ok(run(app(['openssl', 'cms',
1115	@defaultprov,
1116	'-decrypt', '-aes128',
1117	'-in', $ct,
1118	'-out', $ptpt,
1119	'-inkey', catfile($smdir, "smrsa3-key.pem"),
1120	])),
1121	"decrypt with key only");
1122	is(compare($pt, $ptpt), 0, "compare original message with decrypted ciphertext");
1123	};

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/libs/openssl-3.1.5/test/recipes/80-test_cms.t@ 105770

Download in other formats: