From: Richard Levitte Date: Mon, 5 Dec 2016 14:13:01 +0000 (+0100) Subject: STORE tests: add PKCS#12 tests X-Git-Tag: OpenSSL_1_1_1-pre1~1170 X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=6d737ea09ba62b15df00cd99c4728a4dc55086df;ds=sidebyside STORE tests: add PKCS#12 tests Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/3542) --- diff --git a/test/recipes/90-test_store.t b/test/recipes/90-test_store.t index 41cc96c1ba..53413b785b 100644 --- a/test/recipes/90-test_store.t +++ b/test/recipes/90-test_store.t @@ -8,7 +8,7 @@ use File::Spec; use MIME::Base64; -use OpenSSL::Test qw(:DEFAULT srctop_file bldtop_file); +use OpenSSL::Test qw(:DEFAULT srctop_file bldtop_file data_file); my $test_name = "test_store"; setup($test_name); @@ -85,17 +85,12 @@ indir "store_$$" => sub { "dummy")]))); } foreach (@generated_files) { - SKIP: - { - skip "PKCS#12 files not currently supported", 3 if m|\.p12$|; - - ok(run(app(["openssl", "storeutl", "-passin", "pass:password", - $_]))); - ok(run(app(["openssl", "storeutl", "-passin", "pass:password", - to_file_uri($_)]))); - ok(!run(app(["openssl", "storeutl", "-passin", "pass:password", - to_rel_file_uri($_)]))); - } + ok(run(app(["openssl", "storeutl", "-passin", "pass:password", + $_]))); + ok(run(app(["openssl", "storeutl", "-passin", "pass:password", + to_file_uri($_)]))); + ok(!run(app(["openssl", "storeutl", "-passin", "pass:password", + to_rel_file_uri($_)]))); } } }, create => 1, cleanup => 1; @@ -175,6 +170,77 @@ sub init { "-v2", "aes256", "-v2prf", "hmacWithSHA256", "-in", $srcfile, "-out", $dstfile])); }, grep(/-key-pkcs8-pbes2-sha256\.pem$/, @generated_files)) + # *-cert.pem (intermediary for the .p12 inits) + && run(app(["openssl", "req", "-x509", + "-config", data_file("ca.cnf"), "-nodes", + "-out", "cacert.pem", "-keyout", "cakey.pem"])) + && runall(sub { + my $srckey = shift; + (my $dstfile = $srckey) =~ s|-key-pkcs8\.|-cert.|; + (my $csr = $dstfile) =~ s|\.pem|.csr|; + + (run(app(["openssl", "req", "-new", + "-config", data_file("user.cnf"), + "-key", $srckey, "-out", $csr])) + && + run(app(["openssl", "x509", "-days", "3650", + "-CA", "cacert.pem", + "-CAkey", "cakey.pem", + "-set_serial", time(), "-req", + "-in", $csr, "-out", $dstfile]))); + }, grep(/-key-pkcs8\.pem$/, @generated_files)) + # *.p12 + && runall(sub { + my $dstfile = shift; + my ($type, $certpbe_index, $keypbe_index, + $macalg_index) = + $dstfile =~ m{^(.*)-key-(?| + # cert and key PBE are same + () # + ([^-]*-[^-]*)- # key & cert PBE + ([^-]*) # MACalg + | + # cert and key PBE are not same + ([^-]*-[^-]*)- # cert PBE + ([^-]*-[^-]*)- # key PBE + ([^-]*) # MACalg + )\.}x; + if (!$certpbe_index) { + $certpbe_index = $keypbe_index; + } + my $srckey = "$type-key-pkcs8.pem"; + my $srccert = "$type-cert.pem"; + my %pbes = + ( + "sha1-3des" => "pbeWithSHA1And3-KeyTripleDES-CBC", + "md5-des" => "pbeWithMD5AndDES-CBC", + "aes256-cbc" => "AES-256-CBC", + ); + my %macalgs = + ( + "sha1" => "SHA1", + "sha256" => "SHA256", + ); + my $certpbe = $pbes{$certpbe_index}; + my $keypbe = $pbes{$keypbe_index}; + my $macalg = $macalgs{$macalg_index}; + if (!defined($certpbe) || !defined($keypbe) + || !defined($macalg)) { + print STDERR "Cert PBE for $pbe_index not defined\n" + unless defined $certpbe; + print STDERR "Key PBE for $pbe_index not defined\n" + unless defined $keypbe; + print STDERR "MACALG for $macalg_index not defined\n" + unless defined $macalg; + print STDERR "(destination file was $dstfile)\n"; + return 0; + } + run(app(["openssl", "pkcs12", "-inkey", $srckey, + "-in", $srccert, "-passout", "pass:password", + "-export", "-macalg", $macalg, + "-certpbe", $certpbe, "-keypbe", $keypbe, + "-out", $dstfile])); + }, grep(/\.p12/, @generated_files)) # *.der (the end all init) && runall(sub { my $dstfile = shift; diff --git a/test/recipes/90-test_store_data/ca.cnf b/test/recipes/90-test_store_data/ca.cnf new file mode 100644 index 0000000000..bda6eec4b0 --- /dev/null +++ b/test/recipes/90-test_store_data/ca.cnf @@ -0,0 +1,56 @@ +#################################################################### +[ req ] +default_bits = 2432 +default_keyfile = cakey.pem +default_md = sha256 +distinguished_name = req_DN +string_mask = utf8only +x509_extensions = v3_selfsign + +[ req_DN ] +commonName = "Common Name" +commonName_value = "CA" + +[ v3_selfsign ] +basicConstraints = critical,CA:true +keyUsage = keyCertSign +subjectKeyIdentifier=hash + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = ./demoCA +certificate = ./demoCA/cacert.pem +serial = ./demoCA/serial +private_key = ./demoCA/private/cakey.pem +new_certs_dir = ./demoCA/newcerts + +certificate = cacert.pem +private_key = cakey.pem + +x509_extensions = v3_user + +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +policy = policy_anything + +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ v3_user ] +basicConstraints=critical,CA:FALSE +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer +issuerAltName=issuer:copy + diff --git a/test/recipes/90-test_store_data/user.cnf b/test/recipes/90-test_store_data/user.cnf new file mode 100644 index 0000000000..91f796947a --- /dev/null +++ b/test/recipes/90-test_store_data/user.cnf @@ -0,0 +1,19 @@ +#################################################################### +[ req ] +default_bits = 2432 +default_md = sha256 +distinguished_name = req_DN +string_mask = utf8only + +req_extensions = v3_req # The extensions to add to a certificate request + +[ req_DN ] +commonName = "Common Name" +commonName_value = "A user" +userId = "User ID" +userId_value = "test" + +[ v3_req ] +extendedKeyUsage = clientAuth +subjectKeyIdentifier = hash +basicConstraints = CA:false