test/recipes/25-test_req.t

   1 #! /usr/bin/env perl
   2 # Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
   3 #
   4 # Licensed under the Apache License 2.0 (the "License").  You may not use
   5 # this file except in compliance with the License.  You can obtain a copy
   6 # in the file LICENSE in the source distribution or at
   7 # https://www.openssl.org/source/license.html
   8
   9
  10 use strict;
  11 use warnings;
  12
  13 use OpenSSL::Test::Utils;
  14 use OpenSSL::Test qw/:DEFAULT srctop_file/;
  15
  16 setup("test_req");
  17
  18 plan tests => 43;
  19
  20 require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
  21
  22 my @certs = qw(test certs);
  23
  24 # What type of key to generate?
  25 my @req_new;
  26 if (disabled("rsa")) {
  27     @req_new = ("-newkey", "dsa:".srctop_file("apps", "dsa512.pem"));
  28 } else {
  29     @req_new = ("-new");
  30     note("There should be a 2 sequences of .'s and some +'s.");
  31     note("There should not be more that at most 80 per line");
  32 }
  33
  34 # Check for duplicate -addext parameters, and one "working" case.
  35 my @addext_args = ( "openssl", "req", "-new", "-out", "testreq.pem",
  36     "-config", srctop_file("test", "test.cnf"), @req_new );
  37 my $val = "subjectAltName=DNS:example.com";
  38 my $val2 = " " . $val;
  39 my $val3 = $val;
  40 $val3 =~ s/=/    =/;
  41 ok( run(app([@addext_args, "-addext", $val])));
  42 ok(!run(app([@addext_args, "-addext", $val, "-addext", $val])));
  43 ok(!run(app([@addext_args, "-addext", $val, "-addext", $val2])));
  44 ok(!run(app([@addext_args, "-addext", $val, "-addext", $val3])));
  45 ok(!run(app([@addext_args, "-addext", $val2, "-addext", $val3])));
  46
  47 subtest "generating alt certificate requests with RSA" => sub {
  48     plan tests => 3;
  49
  50     SKIP: {
  51         skip "RSA is not supported by this OpenSSL build", 2
  52             if disabled("rsa");
  53
  54         ok(run(app(["openssl", "req",
  55                     "-config", srctop_file("test", "test.cnf"),
  56                     "-section", "altreq",
  57                     "-new", "-out", "testreq-rsa.pem", "-utf8",
  58                     "-key", srctop_file("test", "testrsa.pem")])),
  59            "Generating request");
  60
  61         ok(run(app(["openssl", "req",
  62                     "-config", srctop_file("test", "test.cnf"),
  63                     "-verify", "-in", "testreq-rsa.pem", "-noout"])),
  64            "Verifying signature on request");
  65
  66         ok(run(app(["openssl", "req",
  67                     "-config", srctop_file("test", "test.cnf"),
  68                     "-section", "altreq",
  69                     "-verify", "-in", "testreq-rsa.pem", "-noout"])),
  70            "Verifying signature on request");
  71     }
  72 };
  73
  74
  75 subtest "generating certificate requests with RSA" => sub {
  76     plan tests => 7;
  77
  78     SKIP: {
  79         skip "RSA is not supported by this OpenSSL build", 2
  80             if disabled("rsa");
  81
  82         ok(!run(app(["openssl", "req",
  83                      "-config", srctop_file("test", "test.cnf"),
  84                      "-new", "-out", "testreq-rsa.pem", "-utf8",
  85                      "-key", srctop_file("test", "testrsa.pem"),
  86                      "-keyform", "DER"])),
  87            "Checking that mismatching keyform fails");
  88
  89         ok(run(app(["openssl", "req",
  90                     "-config", srctop_file("test", "test.cnf"),
  91                     "-new", "-out", "testreq-rsa.pem", "-utf8",
  92                     "-key", srctop_file("test", "testrsa.pem"),
  93                     "-keyform", "PEM"])),
  94            "Generating request");
  95
  96         ok(run(app(["openssl", "req",
  97                     "-config", srctop_file("test", "test.cnf"),
  98                     "-verify", "-in", "testreq-rsa.pem", "-noout"])),
  99            "Verifying signature on request");
 100
 101         ok(run(app(["openssl", "req",
 102                     "-config", srctop_file("test", "test.cnf"),
 103                     "-new", "-out", "testreq_withattrs_pem.pem", "-utf8",
 104                     "-key", srctop_file("test", "testrsa_withattrs.pem")])),
 105            "Generating request from a key with extra attributes - PEM");
 106
 107         ok(run(app(["openssl", "req",
 108                     "-config", srctop_file("test", "test.cnf"),
 109                     "-verify", "-in", "testreq_withattrs_pem.pem", "-noout"])),
 110            "Verifying signature on request from a key with extra attributes - PEM");
 111
 112         ok(run(app(["openssl", "req",
 113                     "-config", srctop_file("test", "test.cnf"),
 114                     "-new", "-out", "testreq_withattrs_der.pem", "-utf8",
 115                     "-key", srctop_file("test", "testrsa_withattrs.der"),
 116                     "-keyform", "DER"])),
 117            "Generating request from a key with extra attributes - PEM");
 118
 119         ok(run(app(["openssl", "req",
 120                     "-config", srctop_file("test", "test.cnf"),
 121                     "-verify", "-in", "testreq_withattrs_der.pem", "-noout"])),
 122            "Verifying signature on request from a key with extra attributes - PEM");
 123     }
 124 };
 125
 126 subtest "generating certificate requests with RSA-PSS" => sub {
 127     plan tests => 12;
 128
 129     SKIP: {
 130         skip "RSA is not supported by this OpenSSL build", 2
 131             if disabled("rsa");
 132
 133         ok(run(app(["openssl", "req",
 134                     "-config", srctop_file("test", "test.cnf"),
 135                     "-new", "-out", "testreq-rsapss.pem", "-utf8",
 136                     "-key", srctop_file("test", "testrsapss.pem")])),
 137            "Generating request");
 138         ok(run(app(["openssl", "req",
 139                     "-config", srctop_file("test", "test.cnf"),
 140                     "-verify", "-in", "testreq-rsapss.pem", "-noout"])),
 141            "Verifying signature on request");
 142
 143         ok(run(app(["openssl", "req",
 144                     "-config", srctop_file("test", "test.cnf"),
 145                     "-new", "-out", "testreq-rsapss2.pem", "-utf8",
 146                     "-sigopt", "rsa_padding_mode:pss",
 147                     "-sigopt", "rsa_pss_saltlen:-1",
 148                     "-key", srctop_file("test", "testrsapss.pem")])),
 149            "Generating request");
 150         ok(run(app(["openssl", "req",
 151                     "-config", srctop_file("test", "test.cnf"),
 152                     "-verify", "-in", "testreq-rsapss2.pem", "-noout"])),
 153            "Verifying signature on request");
 154
 155         ok(run(app(["openssl", "req",
 156                     "-config", srctop_file("test", "test.cnf"),
 157                     "-new", "-out", "testreq-rsapssmand.pem", "-utf8",
 158                     "-sigopt", "rsa_padding_mode:pss",
 159                     "-key", srctop_file("test", "testrsapssmandatory.pem")])),
 160            "Generating request");
 161         ok(run(app(["openssl", "req",
 162                     "-config", srctop_file("test", "test.cnf"),
 163                     "-verify", "-in", "testreq-rsapssmand.pem", "-noout"])),
 164            "Verifying signature on request");
 165
 166         ok(run(app(["openssl", "req",
 167                     "-config", srctop_file("test", "test.cnf"),
 168                     "-new", "-out", "testreq-rsapssmand2.pem", "-utf8",
 169                     "-sigopt", "rsa_pss_saltlen:100",
 170                     "-key", srctop_file("test", "testrsapssmandatory.pem")])),
 171            "Generating request");
 172         ok(run(app(["openssl", "req",
 173                     "-config", srctop_file("test", "test.cnf"),
 174                     "-verify", "-in", "testreq-rsapssmand2.pem", "-noout"])),
 175            "Verifying signature on request");
 176
 177         ok(!run(app(["openssl", "req",
 178                      "-config", srctop_file("test", "test.cnf"),
 179                      "-new", "-out", "testreq-rsapss3.pem", "-utf8",
 180                      "-sigopt", "rsa_padding_mode:pkcs1",
 181                      "-key", srctop_file("test", "testrsapss.pem")])),
 182            "Generating request with expected failure");
 183
 184         ok(!run(app(["openssl", "req",
 185                      "-config", srctop_file("test", "test.cnf"),
 186                      "-new", "-out", "testreq-rsapss3.pem", "-utf8",
 187                      "-sigopt", "rsa_pss_saltlen:-4",
 188                      "-key", srctop_file("test", "testrsapss.pem")])),
 189            "Generating request with expected failure");
 190
 191         ok(!run(app(["openssl", "req",
 192                      "-config", srctop_file("test", "test.cnf"),
 193                      "-new", "-out", "testreq-rsapssmand3.pem", "-utf8",
 194                      "-sigopt", "rsa_pss_saltlen:10",
 195                      "-key", srctop_file("test", "testrsapssmandatory.pem")])),
 196            "Generating request with expected failure");
 197
 198         ok(!run(app(["openssl", "req",
 199                      "-config", srctop_file("test", "test.cnf"),
 200                      "-new", "-out", "testreq-rsapssmand3.pem", "-utf8",
 201                      "-sha256",
 202                      "-key", srctop_file("test", "testrsapssmandatory.pem")])),
 203            "Generating request with expected failure");
 204     }
 205 };
 206
 207 subtest "generating certificate requests with DSA" => sub {
 208     plan tests => 2;
 209
 210     SKIP: {
 211         skip "DSA is not supported by this OpenSSL build", 2
 212             if disabled("dsa");
 213
 214         ok(run(app(["openssl", "req",
 215                     "-config", srctop_file("test", "test.cnf"),
 216                     "-new", "-out", "testreq-dsa.pem", "-utf8",
 217                     "-key", srctop_file("test", "testdsa.pem")])),
 218            "Generating request");
 219
 220         ok(run(app(["openssl", "req",
 221                     "-config", srctop_file("test", "test.cnf"),
 222                     "-verify", "-in", "testreq-dsa.pem", "-noout"])),
 223            "Verifying signature on request");
 224     }
 225 };
 226
 227 subtest "generating certificate requests with ECDSA" => sub {
 228     plan tests => 2;
 229
 230     SKIP: {
 231         skip "ECDSA is not supported by this OpenSSL build", 2
 232             if disabled("ec");
 233
 234         ok(run(app(["openssl", "req",
 235                     "-config", srctop_file("test", "test.cnf"),
 236                     "-new", "-out", "testreq-ec.pem", "-utf8",
 237                     "-key", srctop_file("test", "testec-p256.pem")])),
 238            "Generating request");
 239
 240         ok(run(app(["openssl", "req",
 241                     "-config", srctop_file("test", "test.cnf"),
 242                     "-verify", "-in", "testreq-ec.pem", "-noout"])),
 243            "Verifying signature on request");
 244     }
 245 };
 246
 247 subtest "generating certificate requests with Ed25519" => sub {
 248     plan tests => 2;
 249
 250     SKIP: {
 251         skip "Ed25519 is not supported by this OpenSSL build", 2
 252             if disabled("ec");
 253
 254         ok(run(app(["openssl", "req",
 255                     "-config", srctop_file("test", "test.cnf"),
 256                     "-new", "-out", "testreq-ed25519.pem", "-utf8",
 257                     "-key", srctop_file("test", "tested25519.pem")])),
 258            "Generating request");
 259
 260         ok(run(app(["openssl", "req",
 261                     "-config", srctop_file("test", "test.cnf"),
 262                     "-verify", "-in", "testreq-ed25519.pem", "-noout"])),
 263            "Verifying signature on request");
 264     }
 265 };
 266
 267 subtest "generating certificate requests with Ed448" => sub {
 268     plan tests => 2;
 269
 270     SKIP: {
 271         skip "Ed448 is not supported by this OpenSSL build", 2
 272             if disabled("ec");
 273
 274         ok(run(app(["openssl", "req",
 275                     "-config", srctop_file("test", "test.cnf"),
 276                     "-new", "-out", "testreq-ed448.pem", "-utf8",
 277                     "-key", srctop_file("test", "tested448.pem")])),
 278            "Generating request");
 279
 280         ok(run(app(["openssl", "req",
 281                     "-config", srctop_file("test", "test.cnf"),
 282                     "-verify", "-in", "testreq-ed448.pem", "-noout"])),
 283            "Verifying signature on request");
 284     }
 285 };
 286
 287 subtest "generating certificate requests" => sub {
 288     plan tests => 2;
 289
 290     ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"),
 291                 @req_new, "-out", "testreq.pem"])),
 292        "Generating request");
 293
 294     ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"),
 295                 "-verify", "-in", "testreq.pem", "-noout"])),
 296        "Verifying signature on request");
 297 };
 298
 299 subtest "generating SM2 certificate requests" => sub {
 300     plan tests => 4;
 301
 302     SKIP: {
 303         skip "SM2 is not supported by this OpenSSL build", 4
 304         if disabled("sm2");
 305         ok(run(app(["openssl", "req",
 306                     "-config", srctop_file("test", "test.cnf"),
 307                     "-new", "-key", srctop_file(@certs, "sm2.key"),
 308                     "-sigopt", "distid:1234567812345678",
 309                     "-out", "testreq-sm2.pem", "-sm3"])),
 310            "Generating SM2 certificate request");
 311
 312         ok(run(app(["openssl", "req",
 313                     "-config", srctop_file("test", "test.cnf"),
 314                     "-verify", "-in", "testreq-sm2.pem", "-noout",
 315                     "-vfyopt", "distid:1234567812345678", "-sm3"])),
 316            "Verifying signature on SM2 certificate request");
 317
 318         ok(run(app(["openssl", "req",
 319                     "-config", srctop_file("test", "test.cnf"),
 320                     "-new", "-key", srctop_file(@certs, "sm2.key"),
 321                     "-sigopt", "hexdistid:DEADBEEF",
 322                     "-out", "testreq-sm2.pem", "-sm3"])),
 323            "Generating SM2 certificate request with hex id");
 324
 325         ok(run(app(["openssl", "req",
 326                     "-config", srctop_file("test", "test.cnf"),
 327                     "-verify", "-in", "testreq-sm2.pem", "-noout",
 328                     "-vfyopt", "hexdistid:DEADBEEF", "-sm3"])),
 329            "Verifying signature on SM2 certificate request");
 330     }
 331 };
 332
 333 my @openssl_args = ("req", "-config", srctop_file("apps", "openssl.cnf"));
 334
 335 run_conversion('req conversions',
 336                "testreq.pem");
 337 run_conversion('req conversions -- testreq2',
 338                srctop_file("test", "testreq2.pem"));
 339
 340 sub run_conversion {
 341     my $title = shift;
 342     my $reqfile = shift;
 343
 344     subtest $title => sub {
 345         run(app(["openssl", @openssl_args,
 346                  "-in", $reqfile, "-inform", "p",
 347                  "-noout", "-text"],
 348                 stderr => "req-check.err", stdout => undef));
 349         open DATA, "req-check.err";
 350         SKIP: {
 351             plan skip_all => "skipping req conversion test for $reqfile"
 352                 if grep /Unknown Public Key/, map { s/\R//; } <DATA>;
 353
 354             tconversion( -type => 'req', -in => $reqfile,
 355                          -args => [ @openssl_args ] );
 356         }
 357         close DATA;
 358         unlink "req-check.err";
 359
 360         done_testing();
 361     };
 362 }
 363
 364 # Test both generation and verification of certs w.r.t. RFC 5280 requirements
 365
 366 my $ca_cert; # will be set below
 367 sub generate_cert {
 368     my $cert = shift @_;
 369     my $ss = $cert =~ m/self-signed/;
 370     my $is_ca = $cert =~ m/CA/;
 371     my $cn = $is_ca ? "CA" : "EE";
 372     my $ca_key = srctop_file(@certs, "ca-key.pem");
 373     my $key = $is_ca ? $ca_key : srctop_file(@certs, "ee-key.pem");
 374     my @cmd = ("openssl", "req", "-config", "\"\"", "-x509",
 375                "-key", $key, "-subj", "/CN=$cn", @_, "-out", $cert);
 376     push(@cmd, ("-CA", $ca_cert, "-CAkey", $ca_key)) unless $ss;
 377     ok(run(app([@cmd])), "generate $cert");
 378 }
 379 sub has_SKID {
 380     my $cert = shift @_;
 381     my $expect = shift @_;
 382     cert_contains($cert, "Subject Key Identifier", $expect);
 383 }
 384 sub has_AKID {
 385     my $cert = shift @_;
 386     my $expect = shift @_;
 387     cert_contains($cert, "Authority Key Identifier", $expect);
 388 }
 389 sub has_keyUsage {
 390     my $cert = shift @_;
 391     my $expect = shift @_;
 392     cert_contains($cert, "Key Usage", $expect);
 393 }
 394 sub strict_verify {
 395     my $cert = shift @_;
 396     my $expect = shift @_;
 397     my $trusted = shift @_;
 398     $trusted = $cert unless $trusted;
 399     ok(run(app(["openssl", "verify", "-x509_strict", "-trusted", $trusted,
 400                 "-partial_chain", $cert])) == $expect,
 401        "strict verify allow $cert");
 402 }
 403
 404 my @v3_ca = ("-addext", "basicConstraints = critical,CA:true",
 405              "-addext", "keyUsage = keyCertSign");
 406 my $SKID_AKID = "subjectKeyIdentifier,authorityKeyIdentifier";
 407 my $cert = "self-signed_v1_CA_no_KIDs.pem";
 408 generate_cert($cert);
 409 cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID
 410 #TODO strict_verify($cert, 1); # self-signed v1 root cert should be accepted as CA
 411
 412 $ca_cert = "self-signed_v3_CA_default_SKID.pem";
 413 generate_cert($ca_cert, @v3_ca);
 414 has_SKID($ca_cert, 1);
 415 has_AKID($ca_cert, 0);
 416 strict_verify($ca_cert, 1);
 417
 418 $cert = "self-signed_v3_CA_no_SKID.pem";
 419 generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = none");
 420 cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID
 421 #TODO strict_verify($cert, 0);
 422
 423 $cert = "self-signed_v3_CA_both_KIDs.pem";
 424 generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = hash",
 425             "-addext", "authorityKeyIdentifier = keyid");
 426 cert_ext_has_n_different_lines($cert, 3, $SKID_AKID); # SKID == AKID
 427 strict_verify($cert, 1);
 428
 429 $cert = "self-signed_v3_EE_wrong_keyUsage.pem";
 430 generate_cert($cert, "-addext", "keyUsage = keyCertSign");
 431 #TODO strict_verify($cert, 1); # should be accepted because RFC 5280 does not apply
 432
 433 $cert = "v3_EE_default_KIDs.pem";
 434 generate_cert($cert, "-addext", "keyUsage = dataEncipherment");
 435 cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
 436 strict_verify($cert, 1, $ca_cert);
 437
 438 $cert = "v3_EE_no_AKID.pem";
 439 generate_cert($cert, "-addext", "authorityKeyIdentifier = none");
 440 has_SKID($cert, 1);
 441 has_AKID($cert, 0);
 442 strict_verify($cert, 0, $ca_cert);
 443
 444 $cert = "self-issued_v3_EE_default_KIDs.pem";
 445 generate_cert($cert, "-addext", "keyUsage = dataEncipherment",
 446     "-in", srctop_file(@certs, "x509-check.csr"));
 447 cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
 448 strict_verify($cert, 1);
 449
 450 my $cert = "self-signed_CA_no_keyUsage.pem";
 451 generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"));
 452 has_keyUsage($cert, 0);
 453 my $cert = "self-signed_CA_with_keyUsages.pem";
 454 generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"),
 455     "-copy_extensions", "copy");
 456 has_keyUsage($cert, 1);