-#! /usr/bin/perl
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
use strict;
use warnings;
use POSIX;
use File::Spec::Functions qw/catfile/;
use File::Compare qw/compare_text/;
-use Test::More 0.96;
-use OpenSSL::Test qw/:DEFAULT top_dir top_file/;
+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/;
+use OpenSSL::Test::Utils;
setup("test_cms");
-my $smdir = top_dir("test", "smime-certs");
-my $smcont = top_file("test", "smcont.txt");
-my $no_ec = run(app(["openssl", "no-ec"], stdout => undef));
-my $no_ec2m = run(app(["openssl", "no-ec2m"], stdout => undef));
-my $no_ecdh = run(app(["openssl", "no-ecdh"], stdout => undef));
+plan skip_all => "CMS is not supported by this OpenSSL build"
+ if disabled("cms");
+
+my $datadir = srctop_dir("test", "recipes", "80-test_cms_data");
+my $smdir = srctop_dir("test", "smime-certs");
+my $smcont = srctop_file("test", "smcont.txt");
+my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
+ = disabled qw/des dh dsa ec ec2m rc2 zlib/;
-plan tests => 4;
+plan tests => 6;
my @smime_pkcs7_tests = (
"-content", $smcont ]
],
- [ "signed detached content DER format, add RSA signer",
+ [ "signed detached content DER format, add RSA signer (with DSA existing)",
[ "-resign", "-inform", "DER", "-in", "test.cms", "-outform", "DER",
"-signer", catfile($smdir, "smrsa1.pem"), "-out", "test2.cms" ],
[ "-verify", "-in", "test2.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
+ [ "signed content S/MIME format, RSA key SHA1",
+ [ "-sign", "-in", $smcont, "-md", "sha1",
+ "-certfile", catfile($smdir, "smroot.pem"),
+ "-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ],
+ [ "-verify", "-in", "test.cms",
+ "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
+ ],
+
[ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
[ "-sign", "-in", $smcont, "-nodetach",
"-signer", catfile($smdir, "smrsa1.pem"),
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
- [ "enveloped content test streaming S/MIME format, 3 recipients",
+ [ "enveloped content test streaming S/MIME format, DES, 3 recipients",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
catfile($smdir, "smrsa1.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
- [ "enveloped content test streaming S/MIME format, 3 recipients, 3rd used",
+ [ "enveloped content test streaming S/MIME format, DES, 3 recipients, 3rd used",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
catfile($smdir, "smrsa1.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
- [ "enveloped content test streaming S/MIME format, 3 recipients, key only used",
+ [ "enveloped content test streaming S/MIME format, DES, 3 recipients, key only used",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
catfile($smdir, "smrsa1.pem"),
"-CAfile", catfile($smdir, "smroot.pem") ]
],
- [ "enveloped content test streaming S/MIME format, 3 recipients, keyid",
+ [ "signed content DER format, RSA key, CAdES-BES compatible",
+ [ "-sign", "-cades", "-in", $smcont, "-outform", "DER", "-nodetach",
+ "-certfile", catfile($smdir, "smroot.pem"),
+ "-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ],
+ [ "-verify", "-in", "test.cms", "-inform", "DER",
+ "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
+ ],
+
+ [ "signed content DER format, RSA key, SHA256 md, CAdES-BES compatible",
+ [ "-sign", "-cades", "-md", "sha256", "-in", $smcont, "-outform",
+ "DER", "-nodetach", "-certfile", catfile($smdir, "smroot.pem"),
+ "-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ],
+ [ "-verify", "-in", "test.cms", "-inform", "DER",
+ "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
+ ],
+
+ [ "enveloped content test streaming S/MIME format, DES, 3 recipients, keyid",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms", "-keyid",
catfile($smdir, "smrsa1.pem"),
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
+ [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=max",
+ [ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
+ "-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss",
+ "-keyopt", "rsa_pss_saltlen:max", "-out", "test.cms" ],
+ [ "-verify", "-in", "test.cms", "-inform", "PEM",
+ "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
+ ],
+
[ "signed content test streaming PEM format, RSA keys, PSS signature, no attributes",
[ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", "-noattr",
"-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
- [ "enveloped content test streaming S/MIME format, OAEP default parameters",
+ [ "enveloped content test streaming S/MIME format, DES, OAEP default parameters",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
"-recip", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:oaep" ],
"-in", "test.cms", "-out", "smtst.txt" ]
],
- [ "enveloped content test streaming S/MIME format, OAEP SHA256",
+ [ "enveloped content test streaming S/MIME format, DES, OAEP SHA256",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
"-recip", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:oaep",
"-in", "test.cms", "-out", "smtst.txt" ]
],
- [ "enveloped content test streaming S/MIME format, ECDH",
+ [ "enveloped content test streaming S/MIME format, DES, ECDH",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
"-recip", catfile($smdir, "smec1.pem") ],
"-in", "test.cms", "-out", "smtst.txt" ]
],
- [ "enveloped content test streaming S/MIME format, ECDH, key identifier",
+ [ "enveloped content test streaming S/MIME format, DES, ECDH, 2 recipients, key only used",
+ [ "-encrypt", "-in", $smcont,
+ "-stream", "-out", "test.cms",
+ catfile($smdir, "smec1.pem"),
+ catfile($smdir, "smec3.pem") ],
+ [ "-decrypt", "-inkey", catfile($smdir, "smec3.pem"),
+ "-in", "test.cms", "-out", "smtst.txt" ]
+ ],
+
+ [ "enveloped content test streaming S/MIME format, ECDH, DES, key identifier",
[ "-encrypt", "-keyid", "-in", $smcont,
"-stream", "-out", "test.cms",
"-recip", catfile($smdir, "smec1.pem") ],
]
);
+my @contenttype_cms_test = (
+ [ "signed content test - check that content type is added to additional signerinfo, RSA keys",
+ [ "-sign", "-binary", "-nodetach", "-stream", "-in", $smcont, "-outform", "DER",
+ "-signer", catfile($smdir, "smrsa1.pem"), "-md", "SHA256",
+ "-out", "test.cms" ],
+ [ "-resign", "-binary", "-nodetach", "-in", "test.cms", "-inform", "DER", "-outform", "DER",
+ "-signer", catfile($smdir, "smrsa2.pem"), "-md", "SHA256",
+ "-out", "test2.cms" ],
+ [ "-verify", "-in", "test2.cms", "-inform", "DER",
+ "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
+ ],
+);
+
+my @incorrect_attribute_cms_test = (
+ "bad_signtime_attr.cms",
+ "no_ct_attr.cms",
+ "no_md_attr.cms",
+ "ct_multiple_attr.cms"
+);
+
subtest "CMS => PKCS#7 compatibility tests\n" => sub {
plan tests => scalar @smime_pkcs7_tests;
SKIP: {
skip("Zlib not supported: compression tests skipped",
scalar @smime_cms_comp_tests)
- unless grep /ZLIB/, run(app(["openssl", "version", "-f"]),
- capture => 1);
+ if $no_zlib;
- foreach (@smime_cms_param_tests) {
+ foreach (@smime_cms_comp_tests) {
SKIP: {
my $skip_reason = check_availability($$_[0]);
skip $skip_reason, 1 if $skip_reason;
}
};
+# Returns the number of matches of a Content Type Attribute in a binary file.
+sub contentType_matches {
+ # Read in a binary file
+ my ($in) = @_;
+ open (HEX_IN, "$in") or die("open failed for $in : $!");
+ binmode(HEX_IN);
+ local $/;
+ my $str = <HEX_IN>;
+
+ # Find ASN1 data for a Content Type Attribute (with a OID of PKCS7 data)
+ my @c = $str =~ /\x30\x18\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x03\x31\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x01/gs;
+
+ close(HEX_IN);
+ return scalar(@c);
+}
+
+subtest "CMS Check the content type attribute is added for additional signers\n" => sub {
+ plan tests =>
+ (scalar @contenttype_cms_test);
+
+ foreach (@contenttype_cms_test) {
+ SKIP: {
+ my $skip_reason = check_availability($$_[0]);
+ skip $skip_reason, 1 if $skip_reason;
+
+ ok(run(app(["openssl", "cms", @{$$_[1]}]))
+ && run(app(["openssl", "cms", @{$$_[2]}]))
+ && contentType_matches("test2.cms") == 2
+ && run(app(["openssl", "cms", @{$$_[3]}])),
+ $$_[0]);
+ }
+ }
+};
+
+subtest "CMS Check that bad attributes fail when verifying signers\n" => sub {
+ plan tests =>
+ (scalar @incorrect_attribute_cms_test);
+
+ foreach my $name (@incorrect_attribute_cms_test) {
+ ok(!run(app(["openssl", "cms", "-verify", "-in",
+ catfile($datadir, $name), "-inform", "DER", "-CAfile",
+ catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ])),
+ $name);
+ }
+};
+
unlink "test.cms";
unlink "test2.cms";
unlink "smtst.txt";
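Review bot: `open (HEX_IN, "$in")` in contentType_matches is a two-argument open on a bareword global handle, so the open mode is parsed out of the file name and the handle is shared package-wide. The only caller visible here passes the literal "test2.cms", but the helper should not rely on that. Use a lexical handle with an explicit raw read mode, `open(my $fh, '<:raw', $in) or die("open failed for $in : $!");`, then read with `<$fh>`, close `$fh`, and drop the separate binmode call. In the bad-attributes subtest of the same hunk, `ok(!run(...))` passes on any non-zero exit, including a missing or unreadable fixture under `$datadir`, so it does not by itself show that the attribute check rejected the file. Guarding the assertion, for example `ok(-f catfile($datadir, $name) && !run(...), $name)`, would stop a lost fixture from reading as a pass.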
my $tnam = shift;
return "$tnam: skipped, EC disabled\n"
- if ($no_ec && $tnam =~ /ECDH/);
+ if ($no_ec && $tnam =~ /ECDH/);
return "$tnam: skipped, ECDH disabled\n"
- if ($no_ecdh && $tnam =~ /ECDH/);
+ if ($no_ec && $tnam =~ /ECDH/);
return "$tnam: skipped, EC2M disabled\n"
- if ($no_ec2m && $tnam =~ /K-283/);
+ if ($no_ec2m && $tnam =~ /K-283/);
+ return "$tnam: skipped, DH disabled\n"
+ if ($no_dh && $tnam =~ /X9\.42/);
+ return "$tnam: skipped, RC2 disabled\n"
+ if ($no_rc2 && $tnam =~ /RC2/);
+ return "$tnam: skipped, DES disabled\n"
+ if ($no_des && $tnam =~ /DES/);
+ return "$tnam: skipped, DSA disabled\n"
+ if ($no_dsa && $tnam =~ / DSA/);
+
return "";
}
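Review bot: The "ECDH disabled" return is now unreachable, because its condition became `($no_ec && $tnam =~ /ECDH/)`, identical to the "EC disabled" test directly above it, which always returns first. `$no_ecdh` is no longer assigned in the visible setup, so delete that second `return`/`if` pair rather than keep a dead branch with a misleading message. The added skip checks are unanchored substring matches against the test title (`/DES/`, `/ DSA/`, `/RC2/`, `/X9\.42/`), so a test is skipped only if its title names the algorithm. A comment above the list such as `# Skips key off algorithm names in the test title; keep titles in sync with the options used.` would make that contract explicit. The sub's opening line is outside this hunk.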