Fix 90-test_store.t for latest config, limits, providers, and disabled algos
authorDr. David von Oheimb <David.von.Oheimb@siemens.com>
Tue, 5 May 2020 12:04:30 +0000 (14:04 +0200)
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>
Mon, 8 Jun 2020 03:39:16 +0000 (05:39 +0200)
Also make sure that the test do not 'pass' if their initialization fails.
Leave out the expensive parts of DSA key gen and RSA keygen for efficiency.
Fix use of the new CA configuration file test/ca-and-certs.cnf.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11733)

test/recipes/90-test_store.t
test/recipes/90-test_store_data/ca.cnf [deleted file]
test/recipes/90-test_store_data/dsaparam.pem [new file with mode: 0644]
test/recipes/90-test_store_data/rsa-key-2432.pem [new file with mode: 0644]
test/recipes/90-test_store_data/user.cnf [deleted file]

index 0905232..9f4eaa2 100644 (file)
@@ -16,7 +16,11 @@ my $test_name = "test_store";
 setup($test_name);
 
 my $mingw = config('target') =~ m|^mingw|;
-my $cnf = srctop_file("test", "ca-and-certs.cnf");
+
+my $use_md5 = !disabled("md5");
+my $use_des = !disabled("des"); # also affects 3des and pkcs12 app
+my $use_dsa = !disabled("dsa");
+my $use_ecc = !disabled("ec");
 
 my @noexist_files =
     ( "test/blahdiblah.pem",
@@ -41,25 +45,35 @@ my @generated_files =
      "rsa-key-pkcs1.pem", "rsa-key-pkcs1.der",
      "rsa-key-pkcs1-aes128.pem",
      "rsa-key-pkcs8.pem", "rsa-key-pkcs8.der",
-     "rsa-key-pkcs8-pbes1-sha1-3des.pem", "rsa-key-pkcs8-pbes1-sha1-3des.der",
      "rsa-key-pkcs8-pbes2-sha1.pem", "rsa-key-pkcs8-pbes2-sha1.der",
+     "rsa-key-pkcs8-pbes2-sha256.pem", "rsa-key-pkcs8-pbes2-sha256.der",
+    );
+push(@generated_files, (
+     "rsa-key-pkcs8-pbes1-sha1-3des.pem", "rsa-key-pkcs8-pbes1-sha1-3des.der",
+    )) if $use_des;
+push(@generated_files, (
      "rsa-key-sha1-3des-sha1.p12", "rsa-key-sha1-3des-sha256.p12",
      "rsa-key-aes256-cbc-sha256.p12",
      "rsa-key-md5-des-sha1.p12",
-     "rsa-key-aes256-cbc-md5-des-sha256.p12",
-     "rsa-key-pkcs8-pbes2-sha256.pem", "rsa-key-pkcs8-pbes2-sha256.der",
-     "rsa-key-pkcs8-pbes1-md5-des.pem", "rsa-key-pkcs8-pbes1-md5-des.der",
+     "rsa-key-aes256-cbc-md5-des-sha256.p12"
+     )) if $use_des;
+push(@generated_files, (
+     "rsa-key-pkcs8-pbes1-md5-des.pem", "rsa-key-pkcs8-pbes1-md5-des.der"
+     )) if $use_md5 && $use_des;
+push(@generated_files, (
      "dsa-key-pkcs1.pem", "dsa-key-pkcs1.der",
      "dsa-key-pkcs1-aes128.pem",
      "dsa-key-pkcs8.pem", "dsa-key-pkcs8.der",
      "dsa-key-pkcs8-pbes2-sha1.pem", "dsa-key-pkcs8-pbes2-sha1.der",
-     "dsa-key-aes256-cbc-sha256.p12",
+     )) if $use_dsa;
+push(@generated_files, "dsa-key-aes256-cbc-sha256.p12") if $use_dsa && $use_des;
+push(@generated_files, (
      "ec-key-pkcs1.pem", "ec-key-pkcs1.der",
      "ec-key-pkcs1-aes128.pem",
      "ec-key-pkcs8.pem", "ec-key-pkcs8.der",
      "ec-key-pkcs8-pbes2-sha1.pem", "ec-key-pkcs8-pbes2-sha1.der",
-     "ec-key-aes256-cbc-sha256.p12",
-    );
+     )) if $use_ecc;
+push(@generated_files, "ec-key-aes256-cbc-sha256.p12") if $use_ecc && $use_des;
 my %generated_file_files =
     $^O eq 'linux'
     ? ( "test/testx509.pem" => "file:testx509.pem",
@@ -85,7 +99,7 @@ plan tests => $n;
 indir "store_$$" => sub {
  SKIP:
     {
-        skip "failed initialisation", $n unless init();
+        init() or die "init failed";
 
         my $rehash = init_rehash();
 
@@ -220,28 +234,35 @@ indir "store_$$" => sub {
 }, create => 1, cleanup => 1;
 
 sub init {
+    my $cnf = srctop_file('test', 'ca-and-certs.cnf');
+    my $cakey = srctop_file('test', 'certs', 'ca-key.pem');
     return (
             # rsa-key-pkcs1.pem
-            run(app(["openssl", "genrsa",
-                     "-out", "rsa-key-pkcs1.pem", "2432"]))
-            # dsa-key-pkcs1.pem
-            && run(app(["openssl", "dsaparam", "-genkey",
-                        "-out", "dsa-key-pkcs1.pem", "1024"]))
-            # ec-key-pkcs1.pem (one might think that 'genec' would be practical)
-            && run(app(["openssl", "ecparam", "-genkey", "-name", "prime256v1",
-                        "-out", "ec-key-pkcs1.pem"]))
+            run(app(["openssl", "pkey",
+                     "-in", data_file("rsa-key-2432.pem"),
+                     "-out", "rsa-key-pkcs1.pem"]))
             # rsa-key-pkcs1-aes128.pem
             && run(app(["openssl", "rsa", "-passout", "pass:password", "-aes128",
                         "-in", "rsa-key-pkcs1.pem",
                         "-out", "rsa-key-pkcs1-aes128.pem"]))
+            # dsa-key-pkcs1.pem
+            && (!$use_dsa || run(app(["openssl", "gendsa",
+                                      "-out", "dsa-key-pkcs1.pem",
+                                      data_file("dsaparam.pem")])))
             # dsa-key-pkcs1-aes128.pem
-            && run(app(["openssl", "dsa", "-passout", "pass:password", "-aes128",
-                        "-in", "dsa-key-pkcs1.pem",
-                        "-out", "dsa-key-pkcs1-aes128.pem"]))
+            && (!$use_dsa || run(app(["openssl", "dsa",
+                                      "-passout", "pass:password", "-aes128",
+                                      "-in", "dsa-key-pkcs1.pem",
+                                      "-out", "dsa-key-pkcs1-aes128.pem"])))
+            # ec-key-pkcs1.pem (one might think that 'genec' would be practical)
+            && (!$use_ecc || run(app(["openssl", "ecparam", "-genkey",
+                                      "-name", "prime256v1",
+                                      "-out", "ec-key-pkcs1.pem"])))
             # ec-key-pkcs1-aes128.pem
-            && run(app(["openssl", "ec", "-passout", "pass:password", "-aes128",
-                        "-in", "ec-key-pkcs1.pem",
-                        "-out", "ec-key-pkcs1-aes128.pem"]))
+            && (!$use_ecc || run(app(["openssl", "ec",
+                                      "-passout", "pass:password", "-aes128",
+                                      "-in", "ec-key-pkcs1.pem",
+                                      "-out", "ec-key-pkcs1-aes128.pem"])))
             # *-key-pkcs8.pem
             && runall(sub {
                           my $dstfile = shift;
@@ -297,19 +318,19 @@ sub init {
             # *-cert.pem (intermediary for the .p12 inits)
             && run(app(["openssl", "req", "-x509",
                         "-config", $cnf, "-nodes",
-                        "-out", "cacert.pem", "-keyout", "cakey.pem"]))
+                        "-key", $cakey, "-out", "cacert.pem"]))
             && runall(sub {
                           my $srckey = shift;
                           (my $dstfile = $srckey) =~ s|-key-pkcs8\.|-cert.|;
                           (my $csr = $dstfile) =~ s|\.pem|.csr|;
 
                           (run(app(["openssl", "req", "-new",
-                                    "-config", $cnf,
+                                    "-config", $cnf, "-section", "userreq",
                                     "-key", $srckey, "-out", $csr]))
                            &&
                            run(app(["openssl", "x509", "-days", "3650",
                                     "-CA", "cacert.pem",
-                                    "-CAkey", "cakey.pem",
+                                    "-CAkey", $cakey,
                                     "-set_serial", time(), "-req",
                                     "-in", $csr, "-out", $dstfile])));
                       }, grep(/-key-pkcs8\.pem$/, @generated_files))
@@ -350,16 +371,19 @@ sub init {
                           my $macalg = $macalgs{$macalg_index};
                           if (!defined($certpbe) || !defined($keypbe)
                               || !defined($macalg)) {
-                              print STDERR "Cert PBE for $pbe_index not defined\n"
+                              print STDERR "Cert PBE for $certpbe_index not defined\n"
                                   unless defined $certpbe;
-                              print STDERR "Key PBE for $pbe_index not defined\n"
+                              print STDERR "Key PBE for $keypbe_index not defined\n"
                                   unless defined $keypbe;
                               print STDERR "MACALG for $macalg_index not defined\n"
                                   unless defined $macalg;
                               print STDERR "(destination file was $dstfile)\n";
                               return 0;
                           }
-                          run(app(["openssl", "pkcs12", "-inkey", $srckey,
+                          run(app(["openssl", "pkcs12",
+                                   "-provider", "default",
+                                   "-provider", "legacy",
+                                   "-inkey", $srckey,
                                    "-in", $srccert, "-passout", "pass:password",
                                    "-chain", "-CAfile", "cacert.pem",
                                    "-export", "-macalg", $macalg,
diff --git a/test/recipes/90-test_store_data/ca.cnf b/test/recipes/90-test_store_data/ca.cnf
deleted file mode 100644 (file)
index bda6eec..0000000
+++ /dev/null
@@ -1,56 +0,0 @@
-####################################################################
-[ req ]
-default_bits           = 2432
-default_keyfile        = cakey.pem
-default_md             = sha256
-distinguished_name     = req_DN
-string_mask             = utf8only
-x509_extensions         = v3_selfsign
-
-[ req_DN ]
-commonName                      = "Common Name"
-commonName_value              = "CA"
-
-[ v3_selfsign ]
-basicConstraints = critical,CA:true
-keyUsage = keyCertSign
-subjectKeyIdentifier=hash
-
-####################################################################
-[ ca ]
-default_ca      = CA_default            # The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir             = ./demoCA
-certificate    = ./demoCA/cacert.pem
-serial         = ./demoCA/serial
-private_key    = ./demoCA/private/cakey.pem
-new_certs_dir   = ./demoCA/newcerts
-
-certificate     = cacert.pem
-private_key     = cakey.pem
-
-x509_extensions = v3_user
-
-name_opt        = ca_default            # Subject Name options
-cert_opt        = ca_default            # Certificate field options
-
-policy          = policy_anything
-
-[ policy_anything ]
-countryName             = optional
-stateOrProvinceName     = optional
-localityName            = optional
-organizationName        = optional
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-
-[ v3_user ]
-basicConstraints=critical,CA:FALSE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-issuerAltName=issuer:copy
-
diff --git a/test/recipes/90-test_store_data/dsaparam.pem b/test/recipes/90-test_store_data/dsaparam.pem
new file mode 100644 (file)
index 0000000..60563cb
--- /dev/null
@@ -0,0 +1,14 @@
+-----BEGIN DSA PARAMETERS-----
+MIICLAKCAQEArjV9Th2W4p8AlmBabk0HjaV8vPmt15/V6e6mM1Hee3LSdapxd/Fj
++7bsWroNcqIaHGS45YkJbclvC3/Szp/vh1q2Zy/v7utZ9V7/qCiEnls3CRGAfAhc
+1eFIS9Jo+z+fK2tsDUgbGoDC6xEbN3nWjItyPmelBQ5Bip41ULTSQCdr/eBka1s4
+QpS1Sdrvbng3zTCJw0VQe5yM5xyYcHFdeV/v6JSFUz7voyzOGqt91l4UzVFUiZ13
+5Pgi8DUQdQVxUU+MTFwNLCy+bDTuEoKHAxkGEqiq9A08ScxwWtgy7jJQhXDoGP10
+gFMyV+5Qya7rrrYiMhZrjFna7h0z30yiPQIhAK0tbhew8+vHuO6VePIX9TMBZ7ze
+k//uQOh/8ZNtS4cTAoIBAGZv2mOljtJM1UUtdl1fzUq0GkI1hjpvqfonq94DITYK
+BynJL21JqPfG9JLXc8HYdg5hpwtulrjIyzg1EiB5pQgoNVy8UhavUroPw7FjEicL
+dKRHQ9YwuJwuQBTNmX/ojjewqT9U6WYiYUz4SQNXFDIdNz3ikviOoGpmY/Cwbgcr
+Pb/QhGqqHzB3ZeX89exVznPbvqeNOp967U+vooBMMJ4oSWVA8ANFVpmikxucRt69
+qKtfkD+3P9RvjVow4dRjOmp8jyT82RQoCeSEThdDVrjUS6IpRdMT8MJ2mwGggG6T
+Y16HJCAq/7ufqJlsp5oAuX3aZsnAcnIiDxrMI9m3Xxs=
+-----END DSA PARAMETERS-----
diff --git a/test/recipes/90-test_store_data/rsa-key-2432.pem b/test/recipes/90-test_store_data/rsa-key-2432.pem
new file mode 100644 (file)
index 0000000..b5e37f4
--- /dev/null
@@ -0,0 +1,32 @@
+-----BEGIN PRIVATE KEY-----
+MIIFlQIBADANBgkqhkiG9w0BAQEFAASCBX8wggV7AgEAAoIBMQCrCYwxGQmujZVF
+lnZeobOyrk+JiHh4/6IjpepHlb1hRMZbDS2V2kZAupNr3oV14Dx4bDwbxAMOvGQr
+sVDiM+LAAZtxXXq6sQNOrq3yTPuCdW6IbsHaB5ZuPwz4cNWOOHs19Jx9UufxoFZ+
+1Cj3WG0joTCTbPNe08llJ67YKCj4b3l19AJKauPFWyLl8sQE5f29rBGGnnJYzrf3
+ZRrrZApbXy2PxDVKfkjLf89la6Hcr/RihgPiZHLoN7TyAPOL4OPY+Jv6fVG9PTrf
+3hwoTRD9Wp0ZdmOSCiU93vvoTFovnBMpfh7Qb6k+ufqZV0cvdDWYV7UQO1MBx24R
+mqcVGwHzPCMET71GoRNKvtMI3zrN/ZN8lyyqKU3pEPcLvykZ8Pi2lZB31uLA0x6Z
+zUe+rEavAgMBAAECggEwM8aFIMvCiYukl1cv5/+tRTbNLwYX6hEAhSgRnq/uj0Zh
+gWig1w8nWyrfu7S10/QYeh/RploUzt4quKtJn+AzEQqrgorYvzEcnjH0yDeTn29r
+EXPtzNGlMSR3CbImg5IHglLVGH8DZbqy1FvnNtEW4MVHzikaFyenfK6hmB+4H1Sn
+gRRnqR1oa/LlwpRV0GHLCSLQf17xoH4chaLLZXi3kdIOIcg9bzDef7APQmKHdu01
+hlAhFZ3rPib63anYtg9jG4hLrZCUHwEwHsOaDEh9QVNSxqZJS2KTtMbYIclK3hDG
+wZFmlv9bemE+KiR3EAJt9/xMROjLTNDgTOZZujR/O4IObszQ6obExiL0Z37K0AAz
+f0hhMbweg0W1hC3j/pseOZpEvfoK5QZYY0nbdNqVkQKBmQDczLiFYgDEcCbc2ak4
+VGDA/N+R1lUFvfBoBKLlWaOFSnfYC9XrGa1lVe5nMZN4OAgkR4Ogvo1uh5BzXptP
+s+fYfh40JS6RFXeO8/K8meFOUnjKiMZroBuFcJHSCDDJZFyfEM1vVqnsaLsqQHAd
+casa3PewKvUbUDMWQFNImW6dMuDL3GpKpGc4/eU3208JnpoApcnp2qLPlwKBmQDG
+TexoAiQLKRlSHrZcZJTemrTZQFoCPEoXZjbzXHERYoSOcriINWWVuhvAtA64WY/+
+lOYXb3H1kD+CccR1NLUu9lrrFbizeHl9ovrvhLCR8smgVhwP4QjW1fjNYEOfIXXX
+BPLCizKSdqDLID/Jph+ym29vOedbjHZmr6Pto3fVBKQPpkLkQmyj061pmknE8DES
+k6GFHAAkqQKBmQDTVtxzRwfm/lYkY+417YWikyhHRfihg1k9ptpoXnFG3q1xTHrY
+Cf7PFP4ZJfm6Qx9/4jeaP2nOVtGrq+1Kz69lp+mvDbvRwNNsMBGx9jQSrJvTeDE7
+yMcu5T2d5JsV2QtScVnBbRk+IEytt3nYpPkawFAP/j4Xg58yeCV/QuT+cDl8x5+x
+jEUE5vhki3TOh1Fut0FZphzaRwKBmHPpKkzlK3JGlKFWiFtbA1VWcm0mWzZBTUF+
+IpJ/LyvtPPQShGBBbd5lyUELPittVmiFWjTKlH7n0OeLXjzwEROhNiWBLdPhkInq
+UOjd02OL2WTZ0E9LxyHkMijBouUJ5tpG7yrduDK6GmSAtihE7PQ2PJ1z6BKv+Kku
+8w+9ZBbkPo1TLnhDh0L/QLagU4xEpTpphpjKdB75AoGYcaonPrYPhvM+EAe4DDTf
+qpxI6wX6P+ws9Fx8VuD/UN3DB8AhE+tlFYQYJQkgqpAvNiOg9ix0mwNDe6oB4xwB
+iQKxoBtCKYhwwP7AvXrzyqe73aWtvW9VFYUbdiVQQVqR/+Gd1wL572qFTcnw56je
+wxTi4bfTajt7O/nY7jYs3WWstBh0wyl5XNZ14Acic6ZsSp+PLCEfpLo=
+-----END PRIVATE KEY-----
diff --git a/test/recipes/90-test_store_data/user.cnf b/test/recipes/90-test_store_data/user.cnf
deleted file mode 100644 (file)
index 91f7969..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
-####################################################################
-[ req ]
-default_bits            = 2432
-default_md             = sha256
-distinguished_name     = req_DN
-string_mask = utf8only
-
-req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_DN ]
-commonName                      = "Common Name"
-commonName_value              = "A user"
-userId = "User ID"
-userId_value = "test"
-
-[ v3_req ]
-extendedKeyUsage = clientAuth
-subjectKeyIdentifier = hash
-basicConstraints = CA:false