From: Dr. David von Oheimb Date: Tue, 5 May 2020 12:04:30 +0000 (+0200) Subject: Fix 90-test_store.t for latest config, limits, providers, and disabled algos X-Git-Tag: openssl-3.0.0-alpha4~160 X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=71273ab57a27e0e6a1d4356891a2eb8e2298f458 Fix 90-test_store.t for latest config, limits, providers, and disabled algos Also make sure that the test do not 'pass' if their initialization fails. Leave out the expensive parts of DSA key gen and RSA keygen for efficiency. Fix use of the new CA configuration file test/ca-and-certs.cnf. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/11733) --- diff --git a/test/recipes/90-test_store.t b/test/recipes/90-test_store.t index 0905232e35..9f4eaa2961 100644 --- a/test/recipes/90-test_store.t +++ b/test/recipes/90-test_store.t @@ -16,7 +16,11 @@ my $test_name = "test_store"; setup($test_name); my $mingw = config('target') =~ m|^mingw|; -my $cnf = srctop_file("test", "ca-and-certs.cnf"); + +my $use_md5 = !disabled("md5"); +my $use_des = !disabled("des"); # also affects 3des and pkcs12 app +my $use_dsa = !disabled("dsa"); +my $use_ecc = !disabled("ec"); my @noexist_files = ( "test/blahdiblah.pem", 
@@ -41,25 +45,35 @@ my @generated_files = "rsa-key-pkcs1.pem", "rsa-key-pkcs1.der", "rsa-key-pkcs1-aes128.pem", "rsa-key-pkcs8.pem", "rsa-key-pkcs8.der", - "rsa-key-pkcs8-pbes1-sha1-3des.pem", "rsa-key-pkcs8-pbes1-sha1-3des.der", "rsa-key-pkcs8-pbes2-sha1.pem", "rsa-key-pkcs8-pbes2-sha1.der", + "rsa-key-pkcs8-pbes2-sha256.pem", "rsa-key-pkcs8-pbes2-sha256.der", + ); +push(@generated_files, ( + "rsa-key-pkcs8-pbes1-sha1-3des.pem", "rsa-key-pkcs8-pbes1-sha1-3des.der", + )) if $use_des; +push(@generated_files, ( "rsa-key-sha1-3des-sha1.p12", "rsa-key-sha1-3des-sha256.p12", "rsa-key-aes256-cbc-sha256.p12", "rsa-key-md5-des-sha1.p12", - "rsa-key-aes256-cbc-md5-des-sha256.p12", - "rsa-key-pkcs8-pbes2-sha256.pem", "rsa-key-pkcs8-pbes2-sha256.der", - "rsa-key-pkcs8-pbes1-md5-des.pem", "rsa-key-pkcs8-pbes1-md5-des.der", + "rsa-key-aes256-cbc-md5-des-sha256.p12" + )) if $use_des; +push(@generated_files, ( + "rsa-key-pkcs8-pbes1-md5-des.pem", "rsa-key-pkcs8-pbes1-md5-des.der" + )) if $use_md5 && $use_des; +push(@generated_files, ( "dsa-key-pkcs1.pem", "dsa-key-pkcs1.der", "dsa-key-pkcs1-aes128.pem", "dsa-key-pkcs8.pem", "dsa-key-pkcs8.der", "dsa-key-pkcs8-pbes2-sha1.pem", "dsa-key-pkcs8-pbes2-sha1.der", - "dsa-key-aes256-cbc-sha256.p12", + )) if $use_dsa; +push(@generated_files, "dsa-key-aes256-cbc-sha256.p12") if $use_dsa && $use_des; +push(@generated_files, ( "ec-key-pkcs1.pem", "ec-key-pkcs1.der", "ec-key-pkcs1-aes128.pem", "ec-key-pkcs8.pem", "ec-key-pkcs8.der", "ec-key-pkcs8-pbes2-sha1.pem", "ec-key-pkcs8-pbes2-sha1.der", - "ec-key-aes256-cbc-sha256.p12", - ); + )) if $use_ecc; +push(@generated_files, "ec-key-aes256-cbc-sha256.p12") if $use_ecc && $use_des; my %generated_file_files = $^O eq 'linux' ? ( "test/testx509.pem" => "file:testx509.pem", @@ -85,7 +99,7 @@ plan tests => $n; indir "store_$$" => sub { SKIP: { - skip "failed initialisation", $n unless init(); + init() or die "init failed"; my $rehash = init_rehash(); 
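Review bot: The two PKCS#12 names that carry `md5` (`rsa-key-md5-des-sha1.p12` and `rsa-key-aes256-cbc-md5-des-sha256.p12`) are pushed under `if $use_des` alone, while the PKCS#8 pair `rsa-key-pkcs8-pbes1-md5-des.*` is gated on `$use_md5 && $use_des`. If those .p12 files are built with an MD5-based PBE, as the names suggest (the generating code is outside this hunk), a no-md5 build would fail in init(), which this commit turns into a hard `die`. Consider giving them their own `push(@generated_files, (...)) if $use_md5 && $use_des;`. A one-line comment above the first .p12 push, such as `# the pkcs12 app itself is unavailable without DES`, would also explain why the AES-only `rsa-key-aes256-cbc-sha256.p12` depends on `$use_des`.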
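Review bot: `init() or die "init failed";` does not say which of the chained commands in init() returned false, so a failing run shows only the generic message. Because init() is one long `&&` chain (visible in the later hunks), it would help to have it name the failing step, or at least to record the intent here with `# die rather than skip: a skipped run would be reported as a pass`. The enclosing `SKIP:` block continues outside this hunk; if no other `skip` uses the label, it can be dropped.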
@@ -220,28 +234,35 @@ indir "store_$$" => sub { }, create => 1, cleanup => 1; sub init { + my $cnf = srctop_file('test', 'ca-and-certs.cnf'); + my $cakey = srctop_file('test', 'certs', 'ca-key.pem'); return ( # rsa-key-pkcs1.pem - run(app(["openssl", "genrsa", - "-out", "rsa-key-pkcs1.pem", "2432"])) - # dsa-key-pkcs1.pem - && run(app(["openssl", "dsaparam", "-genkey", - "-out", "dsa-key-pkcs1.pem", "1024"])) - # ec-key-pkcs1.pem (one might think that 'genec' would be practical) - && run(app(["openssl", "ecparam", "-genkey", "-name", "prime256v1", - "-out", "ec-key-pkcs1.pem"])) + run(app(["openssl", "pkey", + "-in", data_file("rsa-key-2432.pem"), + "-out", "rsa-key-pkcs1.pem"])) # rsa-key-pkcs1-aes128.pem && run(app(["openssl", "rsa", "-passout", "pass:password", "-aes128", "-in", "rsa-key-pkcs1.pem", "-out", "rsa-key-pkcs1-aes128.pem"])) + # dsa-key-pkcs1.pem + && (!$use_dsa || run(app(["openssl", "gendsa", + "-out", "dsa-key-pkcs1.pem", + data_file("dsaparam.pem")]))) # dsa-key-pkcs1-aes128.pem - && run(app(["openssl", "dsa", "-passout", "pass:password", "-aes128", - "-in", "dsa-key-pkcs1.pem", - "-out", "dsa-key-pkcs1-aes128.pem"])) + && (!$use_dsa || run(app(["openssl", "dsa", + "-passout", "pass:password", "-aes128", + "-in", "dsa-key-pkcs1.pem", + "-out", "dsa-key-pkcs1-aes128.pem"]))) + # ec-key-pkcs1.pem (one might think that 'genec' would be practical) + && (!$use_ecc || run(app(["openssl", "ecparam", "-genkey", + "-name", "prime256v1", + "-out", "ec-key-pkcs1.pem"]))) # ec-key-pkcs1-aes128.pem - && run(app(["openssl", "ec", "-passout", "pass:password", "-aes128", - "-in", "ec-key-pkcs1.pem", - "-out", "ec-key-pkcs1-aes128.pem"])) + && (!$use_ecc || run(app(["openssl", "ec", + "-passout", "pass:password", "-aes128", + "-in", "ec-key-pkcs1.pem", + "-out", "ec-key-pkcs1-aes128.pem"]))) # *-key-pkcs8.pem && runall(sub { my $dstfile = shift; 
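Review bot: `rsa-key-pkcs1.pem` is now produced by `openssl pkey` from a fixture that is itself PKCS#8 (`BEGIN PRIVATE KEY`), and `pkey` writes PKCS#8 unless told otherwise. The file named "pkcs1" therefore probably no longer exercises the traditional RSA format in the store loader. Adding `"-traditional",` to that `pkey` argument list should restore the intended coverage. The new `(!$use_dsa || run(...))` and `(!$use_ecc || run(...))` guards are correct, but repeated four times they would read better behind a small helper. A comment at the top of init(), whose body continues outside this hunk, should state that `rsa-key-2432.pem`, `dsaparam.pem` and the `pass:password` passphrase are public test fixtures, used to avoid slow key generation, and must never be reused elsewhere.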
@@ -297,19 +318,19 @@ sub init { # *-cert.pem (intermediary for the .p12 inits) && run(app(["openssl", "req", "-x509", "-config", $cnf, "-nodes", - "-out", "cacert.pem", "-keyout", "cakey.pem"])) + "-key", $cakey, "-out", "cacert.pem"])) && runall(sub { my $srckey = shift; (my $dstfile = $srckey) =~ s|-key-pkcs8\.|-cert.|; (my $csr = $dstfile) =~ s|\.pem|.csr|; (run(app(["openssl", "req", "-new", - "-config", $cnf, + "-config", $cnf, "-section", "userreq", "-key", $srckey, "-out", $csr])) && run(app(["openssl", "x509", "-days", "3650", "-CA", "cacert.pem", - "-CAkey", "cakey.pem", + "-CAkey", $cakey, "-set_serial", time(), "-req", "-in", $csr, "-out", $dstfile]))); }, grep(/-key-pkcs8\.pem$/, @generated_files)) @@ -350,16 +371,19 @@ sub init { my $macalg = $macalgs{$macalg_index}; if (!defined($certpbe) || !defined($keypbe) || !defined($macalg)) { - print STDERR "Cert PBE for $pbe_index not defined\n" + print STDERR "Cert PBE for $certpbe_index not defined\n" unless defined $certpbe; - print STDERR "Key PBE for $pbe_index not defined\n" + print STDERR "Key PBE for $keypbe_index not defined\n" unless defined $keypbe; print STDERR "MACALG for $macalg_index not defined\n" unless defined $macalg; print STDERR "(destination file was $dstfile)\n"; return 0; } - run(app(["openssl", "pkcs12", "-inkey", $srckey, + run(app(["openssl", "pkcs12", + "-provider", "default", + "-provider", "legacy", + "-inkey", $srckey, "-in", $srccert, "-passout", "pass:password", "-chain", "-CAfile", "cacert.pem", "-export", "-macalg", $macalg, diff --git a/test/recipes/90-test_store_data/ca.cnf b/test/recipes/90-test_store_data/ca.cnf deleted file mode 100644 index bda6eec4b0..0000000000 --- a/test/recipes/90-test_store_data/ca.cnf +++ /dev/null 
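Review bot: `-nodes` is left on the `req -x509` call even though the key now comes from `"-key", $cakey` and there is no `-keyout`. No private key is written, so the option appears to have no effect and can be removed. Since `$cakey` is the CA key shared under test/certs, a short comment such as `# sign with the shared test CA key; nothing secret is generated here` would make that explicit. Separately, the unchanged `"-set_serial", time()` gives every certificate signed within the same second an identical serial under one issuer; a per-file counter would keep them distinct. init() starts and ends outside this hunk.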
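Review bot: `"-provider", "legacy"` is now passed on every pkcs12 export, including the AES-256-CBC/SHA-256 file that should need only the default provider. If the build omits the legacy provider, loading it would presumably fail, and init() now dies rather than skipping. Consider adding the legacy provider only for the PBE choices that need it, or gating on something like `disabled("legacy")` next to the other `$use_*` flags, and note the reason with `# legacy provider is needed for the DES-based PBE algorithms`. The sub containing these lines starts outside the hunk.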
@@ -1,56 +0,0 @@
-####################################################################
-[ req ]
-default_bits = 2432
-default_keyfile = cakey.pem
-default_md = sha256
-distinguished_name = req_DN
-string_mask = utf8only
-x509_extensions = v3_selfsign
-
-[ req_DN ]
-commonName = "Common Name"
-commonName_value = "CA"
-
-[ v3_selfsign ]
-basicConstraints = critical,CA:true
-keyUsage = keyCertSign
-subjectKeyIdentifier=hash
-
-####################################################################
-[ ca ]
-default_ca = CA_default # The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir = ./demoCA
-certificate = ./demoCA/cacert.pem
-serial = ./demoCA/serial
-private_key = ./demoCA/private/cakey.pem
-new_certs_dir = ./demoCA/newcerts
-
-certificate = cacert.pem
-private_key = cakey.pem
-
-x509_extensions = v3_user
-
-name_opt = ca_default # Subject Name options
-cert_opt = ca_default # Certificate field options
-
-policy = policy_anything
-
-[ policy_anything ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-[ v3_user ]
-basicConstraints=critical,CA:FALSE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-issuerAltName=issuer:copy
-
diff --git a/test/recipes/90-test_store_data/dsaparam.pem b/test/recipes/90-test_store_data/dsaparam.pem
new file mode 100644
index 0000000000..60563cbb03
--- /dev/null
+++ b/test/recipes/90-test_store_data/dsaparam.pem
@@ -0,0 +1,14 @@ +-----BEGIN DSA PARAMETERS----- +MIICLAKCAQEArjV9Th2W4p8AlmBabk0HjaV8vPmt15/V6e6mM1Hee3LSdapxd/Fj ++7bsWroNcqIaHGS45YkJbclvC3/Szp/vh1q2Zy/v7utZ9V7/qCiEnls3CRGAfAhc +1eFIS9Jo+z+fK2tsDUgbGoDC6xEbN3nWjItyPmelBQ5Bip41ULTSQCdr/eBka1s4 +QpS1Sdrvbng3zTCJw0VQe5yM5xyYcHFdeV/v6JSFUz7voyzOGqt91l4UzVFUiZ13 +5Pgi8DUQdQVxUU+MTFwNLCy+bDTuEoKHAxkGEqiq9A08ScxwWtgy7jJQhXDoGP10 +gFMyV+5Qya7rrrYiMhZrjFna7h0z30yiPQIhAK0tbhew8+vHuO6VePIX9TMBZ7ze +k//uQOh/8ZNtS4cTAoIBAGZv2mOljtJM1UUtdl1fzUq0GkI1hjpvqfonq94DITYK +BynJL21JqPfG9JLXc8HYdg5hpwtulrjIyzg1EiB5pQgoNVy8UhavUroPw7FjEicL +dKRHQ9YwuJwuQBTNmX/ojjewqT9U6WYiYUz4SQNXFDIdNz3ikviOoGpmY/Cwbgcr +Pb/QhGqqHzB3ZeX89exVznPbvqeNOp967U+vooBMMJ4oSWVA8ANFVpmikxucRt69 +qKtfkD+3P9RvjVow4dRjOmp8jyT82RQoCeSEThdDVrjUS6IpRdMT8MJ2mwGggG6T +Y16HJCAq/7ufqJlsp5oAuX3aZsnAcnIiDxrMI9m3Xxs= +-----END DSA PARAMETERS----- diff --git a/test/recipes/90-test_store_data/rsa-key-2432.pem b/test/recipes/90-test_store_data/rsa-key-2432.pem new file mode 100644 index 0000000000..b5e37f4b8a --- /dev/null +++ b/test/recipes/90-test_store_data/rsa-key-2432.pem 
@@ -0,0 +1,32 @@ +-----BEGIN PRIVATE KEY----- +MIIFlQIBADANBgkqhkiG9w0BAQEFAASCBX8wggV7AgEAAoIBMQCrCYwxGQmujZVF +lnZeobOyrk+JiHh4/6IjpepHlb1hRMZbDS2V2kZAupNr3oV14Dx4bDwbxAMOvGQr +sVDiM+LAAZtxXXq6sQNOrq3yTPuCdW6IbsHaB5ZuPwz4cNWOOHs19Jx9UufxoFZ+ +1Cj3WG0joTCTbPNe08llJ67YKCj4b3l19AJKauPFWyLl8sQE5f29rBGGnnJYzrf3 +ZRrrZApbXy2PxDVKfkjLf89la6Hcr/RihgPiZHLoN7TyAPOL4OPY+Jv6fVG9PTrf +3hwoTRD9Wp0ZdmOSCiU93vvoTFovnBMpfh7Qb6k+ufqZV0cvdDWYV7UQO1MBx24R +mqcVGwHzPCMET71GoRNKvtMI3zrN/ZN8lyyqKU3pEPcLvykZ8Pi2lZB31uLA0x6Z +zUe+rEavAgMBAAECggEwM8aFIMvCiYukl1cv5/+tRTbNLwYX6hEAhSgRnq/uj0Zh +gWig1w8nWyrfu7S10/QYeh/RploUzt4quKtJn+AzEQqrgorYvzEcnjH0yDeTn29r +EXPtzNGlMSR3CbImg5IHglLVGH8DZbqy1FvnNtEW4MVHzikaFyenfK6hmB+4H1Sn +gRRnqR1oa/LlwpRV0GHLCSLQf17xoH4chaLLZXi3kdIOIcg9bzDef7APQmKHdu01 +hlAhFZ3rPib63anYtg9jG4hLrZCUHwEwHsOaDEh9QVNSxqZJS2KTtMbYIclK3hDG +wZFmlv9bemE+KiR3EAJt9/xMROjLTNDgTOZZujR/O4IObszQ6obExiL0Z37K0AAz +f0hhMbweg0W1hC3j/pseOZpEvfoK5QZYY0nbdNqVkQKBmQDczLiFYgDEcCbc2ak4 +VGDA/N+R1lUFvfBoBKLlWaOFSnfYC9XrGa1lVe5nMZN4OAgkR4Ogvo1uh5BzXptP +s+fYfh40JS6RFXeO8/K8meFOUnjKiMZroBuFcJHSCDDJZFyfEM1vVqnsaLsqQHAd +casa3PewKvUbUDMWQFNImW6dMuDL3GpKpGc4/eU3208JnpoApcnp2qLPlwKBmQDG +TexoAiQLKRlSHrZcZJTemrTZQFoCPEoXZjbzXHERYoSOcriINWWVuhvAtA64WY/+ +lOYXb3H1kD+CccR1NLUu9lrrFbizeHl9ovrvhLCR8smgVhwP4QjW1fjNYEOfIXXX +BPLCizKSdqDLID/Jph+ym29vOedbjHZmr6Pto3fVBKQPpkLkQmyj061pmknE8DES +k6GFHAAkqQKBmQDTVtxzRwfm/lYkY+417YWikyhHRfihg1k9ptpoXnFG3q1xTHrY +Cf7PFP4ZJfm6Qx9/4jeaP2nOVtGrq+1Kz69lp+mvDbvRwNNsMBGx9jQSrJvTeDE7 +yMcu5T2d5JsV2QtScVnBbRk+IEytt3nYpPkawFAP/j4Xg58yeCV/QuT+cDl8x5+x +jEUE5vhki3TOh1Fut0FZphzaRwKBmHPpKkzlK3JGlKFWiFtbA1VWcm0mWzZBTUF+ +IpJ/LyvtPPQShGBBbd5lyUELPittVmiFWjTKlH7n0OeLXjzwEROhNiWBLdPhkInq +UOjd02OL2WTZ0E9LxyHkMijBouUJ5tpG7yrduDK6GmSAtihE7PQ2PJ1z6BKv+Kku +8w+9ZBbkPo1TLnhDh0L/QLagU4xEpTpphpjKdB75AoGYcaonPrYPhvM+EAe4DDTf +qpxI6wX6P+ws9Fx8VuD/UN3DB8AhE+tlFYQYJQkgqpAvNiOg9ix0mwNDe6oB4xwB +iQKxoBtCKYhwwP7AvXrzyqe73aWtvW9VFYUbdiVQQVqR/+Gd1wL572qFTcnw56je 
+wxTi4bfTajt7O/nY7jYs3WWstBh0wyl5XNZ14Acic6ZsSp+PLCEfpLo= +-----END PRIVATE KEY----- diff --git a/test/recipes/90-test_store_data/user.cnf b/test/recipes/90-test_store_data/user.cnf deleted file mode 100644 index 91f796947a..0000000000 --- a/test/recipes/90-test_store_data/user.cnf +++ /dev/null @@ -1,19 +0,0 @@ -#################################################################### -[ req ] -default_bits = 2432 -default_md = sha256 -distinguished_name = req_DN -string_mask = utf8only - -req_extensions = v3_req # The extensions to add to a certificate request - -[ req_DN ] -commonName = "Common Name" -commonName_value = "A user" -userId = "User ID" -userId_value = "test" - -[ v3_req ] -extendedKeyUsage = clientAuth -subjectKeyIdentifier = hash -basicConstraints = CA:false