#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
-# Licensed under the OpenSSL license (the "License"). You may not use
+# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
plan skip_all => "CMS is not supported by this OpenSSL build"
if disabled("cms");
+my $datadir = srctop_dir("test", "recipes", "80-test_cms_data");
my $smdir = srctop_dir("test", "smime-certs");
my $smcont = srctop_file("test", "smcont.txt");
my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
= disabled qw/des dh dsa ec ec2m rc2 zlib/;
-plan tests => 4;
+plan tests => 6;
my @smime_pkcs7_tests = (
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
+ [ "signed content S/MIME format, RSA key SHA1",
+ [ "-sign", "-in", $smcont, "-md", "sha1",
+ "-certfile", catfile($smdir, "smroot.pem"),
+ "-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ],
+ [ "-verify", "-in", "test.cms",
+ "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
+ ],
+
[ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
[ "-sign", "-in", $smcont, "-nodetach",
"-signer", catfile($smdir, "smrsa1.pem"),
"-CAfile", catfile($smdir, "smroot.pem") ]
],
+ [ "signed content DER format, RSA key, CAdES-BES compatible",
+ [ "-sign", "-cades", "-in", $smcont, "-outform", "DER", "-nodetach",
+ "-certfile", catfile($smdir, "smroot.pem"),
+ "-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ],
+ [ "-verify", "-in", "test.cms", "-inform", "DER",
+ "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
+ ],
+
+ [ "signed content DER format, RSA key, SHA256 md, CAdES-BES compatible",
+ [ "-sign", "-cades", "-md", "sha256", "-in", $smcont, "-outform",
+ "DER", "-nodetach", "-certfile", catfile($smdir, "smroot.pem"),
+ "-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ],
+ [ "-verify", "-in", "test.cms", "-inform", "DER",
+ "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
+ ],
+
[ "enveloped content test streaming S/MIME format, DES, 3 recipients, keyid",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms", "-keyid",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
+ [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=max",
+ [ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
+ "-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss",
+ "-keyopt", "rsa_pss_saltlen:max", "-out", "test.cms" ],
+ [ "-verify", "-in", "test.cms", "-inform", "PEM",
+ "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
+ ],
+
[ "signed content test streaming PEM format, RSA keys, PSS signature, no attributes",
[ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", "-noattr",
"-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss",
"-in", "test.cms", "-out", "smtst.txt" ]
],
+ [ "enveloped content test streaming S/MIME format, DES, ECDH, 2 recipients, key only used",
+ [ "-encrypt", "-in", $smcont,
+ "-stream", "-out", "test.cms",
+ catfile($smdir, "smec1.pem"),
+ catfile($smdir, "smec3.pem") ],
+ [ "-decrypt", "-inkey", catfile($smdir, "smec3.pem"),
+ "-in", "test.cms", "-out", "smtst.txt" ]
+ ],
+
[ "enveloped content test streaming S/MIME format, ECDH, DES, key identifier",
[ "-encrypt", "-keyid", "-in", $smcont,
"-stream", "-out", "test.cms",
]
);
+my @contenttype_cms_test = (
+ [ "signed content test - check that content type is added to additional signerinfo, RSA keys",
+ [ "-sign", "-binary", "-nodetach", "-stream", "-in", $smcont, "-outform", "DER",
+ "-signer", catfile($smdir, "smrsa1.pem"), "-md", "SHA256",
+ "-out", "test.cms" ],
+ [ "-resign", "-binary", "-nodetach", "-in", "test.cms", "-inform", "DER", "-outform", "DER",
+ "-signer", catfile($smdir, "smrsa2.pem"), "-md", "SHA256",
+ "-out", "test2.cms" ],
+ [ "-verify", "-in", "test2.cms", "-inform", "DER",
+ "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
+ ],
+);
+
+my @incorrect_attribute_cms_test = (
+ "bad_signtime_attr.cms",
+ "no_ct_attr.cms",
+ "no_md_attr.cms",
+ "ct_multiple_attr.cms"
+);
+
subtest "CMS => PKCS#7 compatibility tests\n" => sub {
plan tests => scalar @smime_pkcs7_tests;
}
};
+# Returns the number of matches of a Content Type Attribute in a binary file.
+sub contentType_matches {
+ # Read in a binary file
+ my ($in) = @_;
+ open (HEX_IN, "$in") or die("open failed for $in : $!");
+ binmode(HEX_IN);
+ local $/;
+ my $str = <HEX_IN>;
+
+ # Find ASN1 data for a Content Type Attribute (with a OID of PKCS7 data)
+ my @c = $str =~ /\x30\x18\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x03\x31\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x01/gs;
+
+ close(HEX_IN);
+ return scalar(@c);
+}
+
+subtest "CMS Check the content type attribute is added for additional signers\n" => sub {
+ plan tests =>
+ (scalar @contenttype_cms_test);
+
+ foreach (@contenttype_cms_test) {
+ SKIP: {
+ my $skip_reason = check_availability($$_[0]);
+ skip $skip_reason, 1 if $skip_reason;
+
+ ok(run(app(["openssl", "cms", @{$$_[1]}]))
+ && run(app(["openssl", "cms", @{$$_[2]}]))
+ && contentType_matches("test2.cms") == 2
+ && run(app(["openssl", "cms", @{$$_[3]}])),
+ $$_[0]);
+ }
+ }
+};
+
+subtest "CMS Check that bad attributes fail when verifying signers\n" => sub {
+ plan tests =>
+ (scalar @incorrect_attribute_cms_test);
+
+ foreach my $name (@incorrect_attribute_cms_test) {
+ ok(!run(app(["openssl", "cms", "-verify", "-in",
+ catfile($datadir, $name), "-inform", "DER", "-CAfile",
+ catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ])),
+ $name);
+ }
+};
+
unlink "test.cms";
unlink "test2.cms";
unlink "smtst.txt";