STORE tests: add PKCS#12 tests

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3542)

diff --git a/test/recipes/90-test_store.t b/test/recipes/90-test_store.t
index 41cc96c1ba0826f811b974e14215c87e6db2b423..53413b785b586b4d0be6ab5872547006e412dc24 100644 (file)
--- a/test/recipes/90-test_store.t
+++ b/test/recipes/90-test_store.t
@@ -8,7 +8,7 @@
 
 use File::Spec;
 use MIME::Base64;
 
 use File::Spec;
 use MIME::Base64;

-use OpenSSL::Test qw(:DEFAULT srctop_file bldtop_file);
+use OpenSSL::Test qw(:DEFAULT srctop_file bldtop_file data_file);

 
 my $test_name = "test_store";
 setup($test_name);
 
 my $test_name = "test_store";
 setup($test_name);


@@ -85,17 +85,12 @@ indir "store_$$" => sub {
                                                             "dummy")])));
         }
         foreach (@generated_files) {
                                                             "dummy")])));
         }
         foreach (@generated_files) {

-        SKIP:
-            {
-                skip "PKCS#12 files not currently supported", 3 if m|\.p12$|;
-
-                ok(run(app(["openssl", "storeutl", "-passin", "pass:password",
-                            $_])));
-                ok(run(app(["openssl", "storeutl", "-passin", "pass:password",
-                            to_file_uri($_)])));
-                ok(!run(app(["openssl", "storeutl", "-passin", "pass:password",
-                             to_rel_file_uri($_)])));
-            }
+            ok(run(app(["openssl", "storeutl", "-passin", "pass:password",
+                        $_])));
+            ok(run(app(["openssl", "storeutl", "-passin", "pass:password",
+                        to_file_uri($_)])));
+            ok(!run(app(["openssl", "storeutl", "-passin", "pass:password",
+                         to_rel_file_uri($_)])));

         }
     }
 }, create => 1, cleanup => 1;
         }
     }
 }, create => 1, cleanup => 1;


@@ -175,6 +170,77 @@ sub init {
                                    "-v2", "aes256", "-v2prf", "hmacWithSHA256",
                                    "-in", $srcfile, "-out", $dstfile]));
                       }, grep(/-key-pkcs8-pbes2-sha256\.pem$/, @generated_files))
                                    "-v2", "aes256", "-v2prf", "hmacWithSHA256",
                                    "-in", $srcfile, "-out", $dstfile]));
                       }, grep(/-key-pkcs8-pbes2-sha256\.pem$/, @generated_files))

+            # *-cert.pem (intermediary for the .p12 inits)
+            && run(app(["openssl", "req", "-x509",
+                        "-config", data_file("ca.cnf"), "-nodes",
+                        "-out", "cacert.pem", "-keyout", "cakey.pem"]))
+            && runall(sub {
+                          my $srckey = shift;
+                          (my $dstfile = $srckey) =~ s|-key-pkcs8\.|-cert.|;
+                          (my $csr = $dstfile) =~ s|\.pem|.csr|;
+
+                          (run(app(["openssl", "req", "-new",
+                                    "-config", data_file("user.cnf"),
+                                    "-key", $srckey, "-out", $csr]))
+                           &&
+                           run(app(["openssl", "x509", "-days", "3650",
+                                    "-CA", "cacert.pem",
+                                    "-CAkey", "cakey.pem",
+                                    "-set_serial", time(), "-req",
+                                    "-in", $csr, "-out", $dstfile])));
+                      }, grep(/-key-pkcs8\.pem$/, @generated_files))
+            # *.p12
+            && runall(sub {
+                          my $dstfile = shift;
+                          my ($type, $certpbe_index, $keypbe_index,
+                              $macalg_index) =
+                              $dstfile =~ m{^(.*)-key-(?|
+                                                # cert and key PBE are same
+                                                ()             #
+                                                ([^-]*-[^-]*)- # key & cert PBE
+                                                ([^-]*)        # MACalg
+                                            |
+                                                # cert and key PBE are not same
+                                                ([^-]*-[^-]*)- # cert PBE
+                                                ([^-]*-[^-]*)- # key PBE
+                                                ([^-]*)        # MACalg
+                                            )\.}x;
+                          if (!$certpbe_index) {
+                              $certpbe_index = $keypbe_index;
+                          }
+                          my $srckey = "$type-key-pkcs8.pem";
+                          my $srccert = "$type-cert.pem";
+                          my %pbes =
+                              (
+                               "sha1-3des" => "pbeWithSHA1And3-KeyTripleDES-CBC",
+                               "md5-des" => "pbeWithMD5AndDES-CBC",
+                               "aes256-cbc" => "AES-256-CBC",
+                              );
+                          my %macalgs =
+                              (
+                               "sha1" => "SHA1",
+                               "sha256" => "SHA256",
+                              );
+                          my $certpbe = $pbes{$certpbe_index};
+                          my $keypbe = $pbes{$keypbe_index};
+                          my $macalg = $macalgs{$macalg_index};
+                          if (!defined($certpbe) || !defined($keypbe)
+                              || !defined($macalg)) {
+                              print STDERR "Cert PBE for $pbe_index not defined\n"
+                                  unless defined $certpbe;
+                              print STDERR "Key PBE for $pbe_index not defined\n"
+                                  unless defined $keypbe;
+                              print STDERR "MACALG for $macalg_index not defined\n"
+                                  unless defined $macalg;
+                              print STDERR "(destination file was $dstfile)\n";
+                              return 0;
+                          }
+                          run(app(["openssl", "pkcs12", "-inkey", $srckey,
+                                   "-in", $srccert, "-passout", "pass:password",
+                                   "-export", "-macalg", $macalg,
+                                   "-certpbe", $certpbe, "-keypbe", $keypbe,
+                                   "-out", $dstfile]));
+                      }, grep(/\.p12/, @generated_files))

             # *.der (the end all init)
             && runall(sub {
                           my $dstfile = shift;
             # *.der (the end all init)
             && runall(sub {
                           my $dstfile = shift;

diff --git a/test/recipes/90-test_store_data/ca.cnf b/test/recipes/90-test_store_data/ca.cnf
new file mode 100644 (file)
index 0000000..bda6eec
--- /dev/null
+++ b/test/recipes/90-test_store_data/ca.cnf
@@ -0,0 +1,56 @@
+####################################################################
+[ req ]
+default_bits           = 2432
+default_keyfile        = cakey.pem
+default_md             = sha256
+distinguished_name     = req_DN
+string_mask             = utf8only
+x509_extensions         = v3_selfsign
+
+[ req_DN ]
+commonName                      = "Common Name"
+commonName_value              = "CA"
+
+[ v3_selfsign ]
+basicConstraints = critical,CA:true
+keyUsage = keyCertSign
+subjectKeyIdentifier=hash
+
+####################################################################
+[ ca ]
+default_ca      = CA_default            # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir             = ./demoCA
+certificate    = ./demoCA/cacert.pem
+serial         = ./demoCA/serial
+private_key    = ./demoCA/private/cakey.pem
+new_certs_dir   = ./demoCA/newcerts
+
+certificate     = cacert.pem
+private_key     = cakey.pem
+
+x509_extensions = v3_user
+
+name_opt        = ca_default            # Subject Name options
+cert_opt        = ca_default            # Certificate field options
+
+policy          = policy_anything
+
+[ policy_anything ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ v3_user ]
+basicConstraints=critical,CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+

diff --git a/test/recipes/90-test_store_data/user.cnf b/test/recipes/90-test_store_data/user.cnf
new file mode 100644 (file)
index 0000000..91f7969
--- /dev/null
+++ b/test/recipes/90-test_store_data/user.cnf
@@ -0,0 +1,19 @@
+####################################################################
+[ req ]
+default_bits            = 2432
+default_md             = sha256
+distinguished_name     = req_DN
+string_mask = utf8only
+
+req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_DN ]
+commonName                      = "Common Name"
+commonName_value              = "A user"
+userId = "User ID"
+userId_value = "test"
+
+[ v3_req ]
+extendedKeyUsage = clientAuth
+subjectKeyIdentifier = hash
+basicConstraints = CA:false