test/recipes/25-test_req.t

   1 #! /usr/bin/env perl
   2 # Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
   3 #
   4 # Licensed under the Apache License 2.0 (the "License").  You may not use
   5 # this file except in compliance with the License.  You can obtain a copy
   6 # in the file LICENSE in the source distribution or at
   7 # https://www.openssl.org/source/license.html
   8
   9
  10 use strict;
  11 use warnings;
  12
  13 use OpenSSL::Test::Utils;
  14 use OpenSSL::Test qw/:DEFAULT srctop_file/;
  15
  16 setup("test_req");
  17
  18 plan tests => 16;
  19
  20 require_ok(srctop_file('test','recipes','tconversion.pl'));
  21
  22 # What type of key to generate?
  23 my @req_new;
  24 if (disabled("rsa")) {
  25     @req_new = ("-newkey", "dsa:".srctop_file("apps", "dsa512.pem"));
  26 } else {
  27     @req_new = ("-new");
  28     note("There should be a 2 sequences of .'s and some +'s.");
  29     note("There should not be more that at most 80 per line");
  30 }
  31
  32 # TODO(3.0) This should be removed as soon as missing support is added
  33 # Identified problems:
  34 # - SM2 lacks provider-native keymgmt and decoder
  35 # - ED25519, ED448, X25519 and X448 signature implementations do not
  36 #   respond to the "algorithm-id" parameter request.
  37 my @tmp_loader_hack = qw(-engine loader_attic)
  38     unless disabled('dynamic-engine') || disabled('deprecated-3.0');
  39
  40 # Check for duplicate -addext parameters, and one "working" case.
  41 my @addext_args = ( "openssl", "req", "-new", "-out", "testreq.pem",
  42     "-config", srctop_file("test", "test.cnf"), @req_new );
  43 my $val = "subjectAltName=DNS:example.com";
  44 my $val2 = " " . $val;
  45 my $val3 = $val;
  46 $val3 =~ s/=/    =/;
  47 ok( run(app([@addext_args, "-addext", $val])));
  48 ok(!run(app([@addext_args, "-addext", $val, "-addext", $val])));
  49 ok(!run(app([@addext_args, "-addext", $val, "-addext", $val2])));
  50 ok(!run(app([@addext_args, "-addext", $val, "-addext", $val3])));
  51 ok(!run(app([@addext_args, "-addext", $val2, "-addext", $val3])));
  52
  53 subtest "generating alt certificate requests with RSA" => sub {
  54     plan tests => 3;
  55
  56     SKIP: {
  57         skip "RSA is not supported by this OpenSSL build", 2
  58             if disabled("rsa");
  59
  60         ok(run(app(["openssl", "req",
  61                     "-config", srctop_file("test", "test.cnf"),
  62                     "-section", "altreq",
  63                     "-new", "-out", "testreq-rsa.pem", "-utf8",
  64                     "-key", srctop_file("test", "testrsa.pem")])),
  65            "Generating request");
  66
  67         ok(run(app(["openssl", "req",
  68                     "-config", srctop_file("test", "test.cnf"),
  69                     "-verify", "-in", "testreq-rsa.pem", "-noout"])),
  70            "Verifying signature on request");
  71
  72         ok(run(app(["openssl", "req",
  73                     "-config", srctop_file("test", "test.cnf"),
  74                     "-section", "altreq",
  75                     "-verify", "-in", "testreq-rsa.pem", "-noout"])),
  76            "Verifying signature on request");
  77     }
  78 };
  79
  80
  81 subtest "generating certificate requests with RSA" => sub {
  82     plan tests => 2;
  83
  84     SKIP: {
  85         skip "RSA is not supported by this OpenSSL build", 2
  86             if disabled("rsa");
  87
  88         ok(run(app(["openssl", "req",
  89                     "-config", srctop_file("test", "test.cnf"),
  90                     "-new", "-out", "testreq-rsa.pem", "-utf8",
  91                     "-key", srctop_file("test", "testrsa.pem")])),
  92            "Generating request");
  93
  94         ok(run(app(["openssl", "req",
  95                     "-config", srctop_file("test", "test.cnf"),
  96                     "-verify", "-in", "testreq-rsa.pem", "-noout"])),
  97            "Verifying signature on request");
  98     }
  99 };
 100
 101 subtest "generating certificate requests with DSA" => sub {
 102     plan tests => 2;
 103
 104     SKIP: {
 105         skip "DSA is not supported by this OpenSSL build", 2
 106             if disabled("dsa");
 107
 108         ok(run(app(["openssl", "req",
 109                     "-config", srctop_file("test", "test.cnf"),
 110                     "-new", "-out", "testreq-dsa.pem", "-utf8",
 111                     "-key", srctop_file("test", "testdsa.pem")])),
 112            "Generating request");
 113
 114         ok(run(app(["openssl", "req",
 115                     "-config", srctop_file("test", "test.cnf"),
 116                     "-verify", "-in", "testreq-dsa.pem", "-noout"])),
 117            "Verifying signature on request");
 118     }
 119 };
 120
 121 subtest "generating certificate requests with ECDSA" => sub {
 122     plan tests => 2;
 123
 124     SKIP: {
 125         skip "ECDSA is not supported by this OpenSSL build", 2
 126             if disabled("ec");
 127
 128         ok(run(app(["openssl", "req",
 129                     "-config", srctop_file("test", "test.cnf"),
 130                     "-new", "-out", "testreq-ec.pem", "-utf8",
 131                     "-key", srctop_file("test", "testec-p256.pem")])),
 132            "Generating request");
 133
 134         ok(run(app(["openssl", "req",
 135                     "-config", srctop_file("test", "test.cnf"),
 136                     "-verify", "-in", "testreq-ec.pem", "-noout"])),
 137            "Verifying signature on request");
 138     }
 139 };
 140
 141 subtest "generating certificate requests with Ed25519" => sub {
 142     plan tests => 2;
 143
 144     SKIP: {
 145         skip "Ed25519 is not supported by this OpenSSL build", 2
 146             if disabled("ec") || !@tmp_loader_hack;
 147
 148         ok(run(app(["openssl", "req", @tmp_loader_hack,
 149                     "-config", srctop_file("test", "test.cnf"),
 150                     "-new", "-out", "testreq-ed25519.pem", "-utf8",
 151                     "-key", srctop_file("test", "tested25519.pem")])),
 152            "Generating request");
 153
 154         ok(run(app(["openssl", "req", @tmp_loader_hack,
 155                     "-config", srctop_file("test", "test.cnf"),
 156                     "-verify", "-in", "testreq-ed25519.pem", "-noout"])),
 157            "Verifying signature on request");
 158     }
 159 };
 160
 161 subtest "generating certificate requests with Ed448" => sub {
 162     plan tests => 2;
 163
 164     SKIP: {
 165         skip "Ed448 is not supported by this OpenSSL build", 2
 166             if disabled("ec") || !@tmp_loader_hack;
 167
 168         ok(run(app(["openssl", "req", @tmp_loader_hack,
 169                     "-config", srctop_file("test", "test.cnf"),
 170                     "-new", "-out", "testreq-ed448.pem", "-utf8",
 171                     "-key", srctop_file("test", "tested448.pem")])),
 172            "Generating request");
 173
 174         ok(run(app(["openssl", "req", @tmp_loader_hack,
 175                     "-config", srctop_file("test", "test.cnf"),
 176                     "-verify", "-in", "testreq-ed448.pem", "-noout"])),
 177            "Verifying signature on request");
 178     }
 179 };
 180
 181 subtest "generating certificate requests" => sub {
 182     plan tests => 2;
 183
 184     ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"),
 185                 @req_new, "-out", "testreq.pem"])),
 186        "Generating request");
 187
 188     ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"),
 189                 "-verify", "-in", "testreq.pem", "-noout"])),
 190        "Verifying signature on request");
 191 };
 192
 193 subtest "generating SM2 certificate requests" => sub {
 194     plan tests => 4;
 195
 196     SKIP: {
 197         skip "SM2 is not supported by this OpenSSL build", 4
 198         if disabled("sm2") || !@tmp_loader_hack;
 199         ok(run(app(["openssl", "req", @tmp_loader_hack,
 200                     "-config", srctop_file("test", "test.cnf"),
 201                     "-new", "-key", srctop_file("test", "certs", "sm2.key"),
 202                     "-sigopt", "distid:1234567812345678",
 203                     "-out", "testreq-sm2.pem", "-sm3"])),
 204            "Generating SM2 certificate request");
 205
 206         ok(run(app(["openssl", "req", @tmp_loader_hack,
 207                     "-config", srctop_file("test", "test.cnf"),
 208                     "-verify", "-in", "testreq-sm2.pem", "-noout",
 209                     "-vfyopt", "distid:1234567812345678", "-sm3"])),
 210            "Verifying signature on SM2 certificate request");
 211
 212         ok(run(app(["openssl", "req", @tmp_loader_hack,
 213                     "-config", srctop_file("test", "test.cnf"),
 214                     "-new", "-key", srctop_file("test", "certs", "sm2.key"),
 215                     "-sigopt", "hexdistid:DEADBEEF",
 216                     "-out", "testreq-sm2.pem", "-sm3"])),
 217            "Generating SM2 certificate request with hex id");
 218
 219         ok(run(app(["openssl", "req", @tmp_loader_hack,
 220                     "-config", srctop_file("test", "test.cnf"),
 221                     "-verify", "-in", "testreq-sm2.pem", "-noout",
 222                     "-vfyopt", "hexdistid:DEADBEEF", "-sm3"])),
 223            "Verifying signature on SM2 certificate request");
 224     }
 225 };
 226
 227 my @openssl_args = ("req", "-config", srctop_file("apps", "openssl.cnf"));
 228
 229 run_conversion('req conversions',
 230                "testreq.pem");
 231 run_conversion('req conversions -- testreq2',
 232                srctop_file("test", "testreq2.pem"));
 233
 234 sub run_conversion {
 235     my $title = shift;
 236     my $reqfile = shift;
 237
 238     subtest $title => sub {
 239         run(app(["openssl", @openssl_args,
 240                  "-in", $reqfile, "-inform", "p",
 241                  "-noout", "-text"],
 242                 stderr => "req-check.err", stdout => undef));
 243         open DATA, "req-check.err";
 244         SKIP: {
 245             plan skip_all => "skipping req conversion test for $reqfile"
 246                 if grep /Unknown Public Key/, map { s/\R//; } <DATA>;
 247
 248             tconversion("req", $reqfile, @openssl_args);
 249         }
 250         close DATA;
 251         unlink "req-check.err";
 252
 253         done_testing();
 254     };
 255 }