2 # Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
14 use File::Spec::Functions qw/catfile/;
15 use File::Compare qw/compare_text compare/;
16 use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with data_file/;
18 use OpenSSL::Test::Utils;
24 use lib srctop_dir('Configurations');
25 use lib bldtop_dir('.');
27 my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
29 plan skip_all => "CMS is not supported by this OpenSSL build"
32 my $provpath = bldtop_dir("providers");
34 # Some tests require legacy algorithms to be included.
35 my @legacyprov = ("-provider-path", $provpath,
36 "-provider", "default",
37 "-provider", "legacy" );
38 my @defaultprov = ("-provider-path", $provpath,
39 "-provider", "default");
42 my $provname = 'default';
44 my $datadir = srctop_dir("test", "recipes", "80-test_cms_data");
45 my $smdir = srctop_dir("test", "smime-certs");
46 my $smcont = srctop_file("test", "smcont.txt");
47 my $smcont_zero = srctop_file("test", "smcont_zero.txt");
48 my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
49 = disabled qw/des dh dsa ec ec2m rc2 zlib/;
51 $no_rc2 = 1 if disabled("legacy");
55 ok(run(test(["pkcs7_test"])), "test pkcs7");
58 @config = ( "-config", srctop_file("test", "fips-and-base.cnf") );
62 $ENV{OPENSSL_TEST_LIBCTX} = "1";
63 my @prov = ("-provider-path", $provpath,
65 "-provider", $provname);
67 my $smrsa1024 = catfile($smdir, "smrsa1024.pem");
68 my $smrsa1 = catfile($smdir, "smrsa1.pem");
69 my $smroot = catfile($smdir, "smroot.pem");
71 my @smime_pkcs7_tests = (
73 [ "signed content DER format, RSA key",
74 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
75 "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
76 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
77 "-CAfile", $smroot, "-out", "{output}.txt" ],
81 [ "signed detached content DER format, RSA key",
82 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
83 "-signer", $smrsa1, "-out", "{output}.cms" ],
84 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
85 "-CAfile", $smroot, "-out", "{output}.txt",
86 "-content", $smcont ],
90 [ "signed content test streaming BER format, RSA",
91 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
93 "-signer", $smrsa1, "-out", "{output}.cms" ],
94 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
95 "-CAfile", $smroot, "-out", "{output}.txt" ],
99 [ "signed content DER format, DSA key",
100 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
101 "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
102 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
103 "-CAfile", $smroot, "-out", "{output}.txt" ],
107 [ "signed detached content DER format, DSA key",
108 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
109 "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
110 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
111 "-CAfile", $smroot, "-out", "{output}.txt",
112 "-content", $smcont ],
116 [ "signed detached content DER format, add RSA signer (with DSA existing)",
117 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
118 "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
119 [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
120 "-signer", $smrsa1, "-out", "{output}2.cms" ],
121 [ "{cmd2}", @prov, "-verify", "-in", "{output}2.cms", "-inform", "DER",
122 "-CAfile", $smroot, "-out", "{output}.txt",
123 "-content", $smcont ],
127 [ "signed content test streaming BER format, DSA key",
128 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
129 "-nodetach", "-stream",
130 "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
131 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
132 "-CAfile", $smroot, "-out", "{output}.txt" ],
136 [ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
137 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
138 "-nodetach", "-stream",
140 "-signer", catfile($smdir, "smrsa2.pem"),
141 "-signer", catfile($smdir, "smdsa1.pem"),
142 "-signer", catfile($smdir, "smdsa2.pem"),
143 "-out", "{output}.cms" ],
144 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
145 "-CAfile", $smroot, "-out", "{output}.txt" ],
149 [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
150 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
151 "-noattr", "-nodetach", "-stream",
153 "-signer", catfile($smdir, "smrsa2.pem"),
154 "-signer", catfile($smdir, "smdsa1.pem"),
155 "-signer", catfile($smdir, "smdsa2.pem"),
156 "-out", "{output}.cms" ],
157 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
158 "-CAfile", $smroot, "-out", "{output}.txt" ],
162 [ "signed content S/MIME format, RSA key SHA1",
163 [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
164 "-certfile", $smroot,
165 "-signer", $smrsa1, "-out", "{output}.cms" ],
166 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
167 "-CAfile", $smroot, "-out", "{output}.txt" ],
171 [ "signed zero-length content S/MIME format, RSA key SHA1",
172 [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",
173 "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
174 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
175 "-CAfile", $smroot, "-out", "{output}.txt" ],
179 [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
180 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
182 "-signer", catfile($smdir, "smrsa2.pem"),
183 "-signer", catfile($smdir, "smdsa1.pem"),
184 "-signer", catfile($smdir, "smdsa2.pem"),
185 "-stream", "-out", "{output}.cms" ],
186 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
187 "-CAfile", $smroot, "-out", "{output}.txt" ],
191 [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
192 [ "{cmd1}", @prov, "-sign", "-in", $smcont,
194 "-signer", catfile($smdir, "smrsa2.pem"),
195 "-signer", catfile($smdir, "smdsa1.pem"),
196 "-signer", catfile($smdir, "smdsa2.pem"),
197 "-stream", "-out", "{output}.cms" ],
198 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
199 "-CAfile", $smroot, "-out", "{output}.txt" ],
203 [ "enveloped content test streaming S/MIME format, DES, 3 recipients",
204 [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
205 "-stream", "-out", "{output}.cms",
207 catfile($smdir, "smrsa2.pem"),
208 catfile($smdir, "smrsa3.pem") ],
209 [ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
210 "-in", "{output}.cms", "-out", "{output}.txt" ],
214 [ "enveloped content test streaming S/MIME format, DES, 3 recipients, 3rd used",
215 [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
216 "-stream", "-out", "{output}.cms",
218 catfile($smdir, "smrsa2.pem"),
219 catfile($smdir, "smrsa3.pem") ],
220 [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smrsa3.pem"),
221 "-in", "{output}.cms", "-out", "{output}.txt" ],
225 [ "enveloped content test streaming S/MIME format, DES, 3 recipients, cert and key files used",
226 [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
227 "-stream", "-out", "{output}.cms",
229 catfile($smdir, "smrsa2.pem"),
230 catfile($smdir, "smrsa3-cert.pem") ],
231 [ "{cmd2}", @defaultprov, "-decrypt",
232 "-recip", catfile($smdir, "smrsa3-cert.pem"),
233 "-inkey", catfile($smdir, "smrsa3-key.pem"),
234 "-in", "{output}.cms", "-out", "{output}.txt" ],
238 [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
239 [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
240 "-aes256", "-stream", "-out", "{output}.cms",
242 catfile($smdir, "smrsa2.pem"),
243 catfile($smdir, "smrsa3.pem") ],
244 [ "{cmd2}", @prov, "-decrypt", "-recip", $smrsa1,
245 "-in", "{output}.cms", "-out", "{output}.txt" ],
251 my @smime_cms_tests = (
253 [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
254 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
255 "-nodetach", "-keyid",
257 "-signer", catfile($smdir, "smrsa2.pem"),
258 "-signer", catfile($smdir, "smdsa1.pem"),
259 "-signer", catfile($smdir, "smdsa2.pem"),
260 "-stream", "-out", "{output}.cms" ],
261 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
262 "-CAfile", $smroot, "-out", "{output}.txt" ],
266 [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
267 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
269 "-signer", catfile($smdir, "smrsa2.pem"),
270 "-signer", catfile($smdir, "smdsa1.pem"),
271 "-signer", catfile($smdir, "smdsa2.pem"),
272 "-stream", "-out", "{output}.cms" ],
273 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
274 "-CAfile", $smroot, "-out", "{output}.txt" ],
278 [ "signed content MIME format, RSA key, signed receipt request",
279 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
281 "-receipt_request_to", "test\@openssl.org", "-receipt_request_all",
282 "-out", "{output}.cms" ],
283 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
284 "-CAfile", $smroot, "-out", "{output}.txt" ],
288 [ "signed receipt MIME format, RSA key",
289 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
291 "-receipt_request_to", "test\@openssl.org", "-receipt_request_all",
292 "-out", "{output}.cms" ],
293 [ "{cmd1}", @prov, "-sign_receipt", "-in", "{output}.cms",
294 "-signer", catfile($smdir, "smrsa2.pem"), "-out", "{output}2.cms" ],
295 [ "{cmd2}", @prov, "-verify_receipt", "{output}2.cms", "-in", "{output}.cms",
299 [ "enveloped content test streaming S/MIME format, DES, 3 recipients, keyid",
300 [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
301 "-stream", "-out", "{output}.cms", "-keyid",
303 catfile($smdir, "smrsa2.pem"),
304 catfile($smdir, "smrsa3.pem") ],
305 [ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
306 "-in", "{output}.cms", "-out", "{output}.txt" ],
310 [ "enveloped content test streaming PEM format, AES-256-CBC cipher, KEK",
311 [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128",
312 "-stream", "-out", "{output}.cms",
313 "-secretkey", "000102030405060708090A0B0C0D0E0F",
314 "-secretkeyid", "C0FEE0" ],
315 [ "{cmd2}", @prov, "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
317 "-secretkey", "000102030405060708090A0B0C0D0E0F",
318 "-secretkeyid", "C0FEE0" ],
322 [ "enveloped content test streaming PEM format, AES-256-GCM cipher, KEK",
323 [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes-128-gcm",
324 "-stream", "-out", "{output}.cms",
325 "-secretkey", "000102030405060708090A0B0C0D0E0F",
326 "-secretkeyid", "C0FEE0" ],
327 [ "{cmd2}", "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
329 "-secretkey", "000102030405060708090A0B0C0D0E0F",
330 "-secretkeyid", "C0FEE0" ],
334 [ "enveloped content test streaming PEM format, KEK, key only",
335 [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128",
336 "-stream", "-out", "{output}.cms",
337 "-secretkey", "000102030405060708090A0B0C0D0E0F",
338 "-secretkeyid", "C0FEE0" ],
339 [ "{cmd2}", @prov, "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
341 "-secretkey", "000102030405060708090A0B0C0D0E0F" ],
345 [ "data content test streaming PEM format",
346 [ "{cmd1}", @prov, "-data_create", "-in", $smcont, "-outform", "PEM",
347 "-nodetach", "-stream", "-out", "{output}.cms" ],
348 [ "{cmd2}", @prov, "-data_out", "-in", "{output}.cms", "-inform", "PEM",
349 "-out", "{output}.txt" ],
353 [ "encrypted content test streaming PEM format, 128 bit RC2 key",
354 [ "{cmd1}", @legacyprov, "-EncryptedData_encrypt",
355 "-in", $smcont, "-outform", "PEM",
356 "-rc2", "-secretkey", "000102030405060708090A0B0C0D0E0F",
357 "-stream", "-out", "{output}.cms" ],
358 [ "{cmd2}", @legacyprov, "-EncryptedData_decrypt", "-in", "{output}.cms",
360 "-secretkey", "000102030405060708090A0B0C0D0E0F",
361 "-out", "{output}.txt" ],
365 [ "encrypted content test streaming PEM format, 40 bit RC2 key",
366 [ "{cmd1}", @legacyprov, "-EncryptedData_encrypt",
367 "-in", $smcont, "-outform", "PEM",
368 "-rc2", "-secretkey", "0001020304",
369 "-stream", "-out", "{output}.cms" ],
370 [ "{cmd2}", @legacyprov, "-EncryptedData_decrypt", "-in", "{output}.cms",
372 "-secretkey", "0001020304", "-out", "{output}.txt" ],
376 [ "encrypted content test streaming PEM format, triple DES key",
377 [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
378 "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
379 "-stream", "-out", "{output}.cms" ],
380 [ "{cmd2}", @prov, "-EncryptedData_decrypt", "-in", "{output}.cms",
382 "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
383 "-out", "{output}.txt" ],
387 [ "encrypted content test streaming PEM format, 128 bit AES key",
388 [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
389 "-aes128", "-secretkey", "000102030405060708090A0B0C0D0E0F",
390 "-stream", "-out", "{output}.cms" ],
391 [ "{cmd2}", @prov, "-EncryptedData_decrypt", "-in", "{output}.cms",
393 "-secretkey", "000102030405060708090A0B0C0D0E0F",
394 "-out", "{output}.txt" ],
398 [ "encrypted content test streaming PEM format -noout, 128 bit AES key",
399 [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
400 "-aes128", "-secretkey", "000102030405060708090A0B0C0D0E0F",
401 "-stream", "-noout" ],
402 [ "{cmd2}", @prov, "-help" ]
406 my @smime_cms_cades_tests = (
408 [ "signed content DER format, RSA key, CAdES-BES compatible",
409 [ "{cmd1}", @prov, "-sign", "-cades", "-in", $smcont, "-outform", "DER",
411 "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
412 [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
413 "-CAfile", $smroot, "-out", "{output}.txt" ],
417 [ "signed content DER format, RSA key, SHA256 md, CAdES-BES compatible",
418 [ "{cmd1}", @prov, "-sign", "-cades", "-md", "sha256", "-in", $smcont, "-outform",
419 "DER", "-nodetach", "-certfile", $smroot,
420 "-signer", $smrsa1, "-out", "{output}.cms" ],
421 [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
422 "-CAfile", $smroot, "-out", "{output}.txt" ],
426 [ "signed content DER format, RSA key, SHA512 md, CAdES-BES compatible",
427 [ "{cmd1}", @prov, "-sign", "-cades", "-md", "sha512", "-in", $smcont, "-outform",
428 "DER", "-nodetach", "-certfile", $smroot,
429 "-signer", $smrsa1, "-out", "{output}.cms" ],
430 [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
431 "-CAfile", $smroot, "-out", "{output}.txt" ],
435 [ "signed content DER format, RSA key, SHA256 md, CAdES-BES compatible",
436 [ "{cmd1}", @prov, "-sign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256",
437 "-in", $smcont, "-outform", "DER",
438 "-certfile", $smroot, "-signer", $smrsa1,
439 "-outform", "DER", "-out", "{output}.cms" ],
440 [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
441 "-CAfile", $smroot, "-out", "{output}.txt" ],
445 [ "resigned content DER format, RSA key, SHA256 md, CAdES-BES compatible",
446 [ "{cmd1}", @prov, "-sign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256",
447 "-in", $smcont, "-outform", "DER",
448 "-certfile", $smroot, "-signer", $smrsa1,
449 "-outform", "DER", "-out", "{output}.cms" ],
450 [ "{cmd1}", @prov, "-resign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256",
451 "-inform", "DER", "-in", "{output}.cms",
452 "-certfile", $smroot, "-signer", catfile($smdir, "smrsa2.pem"),
453 "-outform", "DER", "-out", "{output}2.cms" ],
455 [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}2.cms", "-inform", "DER",
456 "-CAfile", $smroot, "-out", "{output}.txt" ],
461 my @smime_cms_cades_ko_tests = (
462 [ "sign content DER format, RSA key, not CAdES-BES compatible",
463 [ @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
464 "-certfile", $smroot, "-signer", $smrsa1, "-out", "cades-ko.cms" ],
465 "fail to verify token since requiring CAdES-BES compatibility",
466 [ @prov, "-verify", "-cades", "-in", "cades-ko.cms", "-inform", "DER",
467 "-CAfile", $smroot, "-out", "cades-ko.txt" ],
472 # cades options test - check that some combinations are rejected
473 my @smime_cms_cades_invalid_option_tests = (
475 [ "-cades", "-noattr" ],
477 [ "-verify", "-cades", "-noattr" ],
479 [ "-verify", "-cades", "-noverify" ],
483 my @smime_cms_comp_tests = (
485 [ "compressed content test streaming PEM format",
486 [ "{cmd1}", @prov, "-compress", "-in", $smcont, "-outform", "PEM", "-nodetach",
487 "-stream", "-out", "{output}.cms" ],
488 [ "{cmd2}", @prov, "-uncompress", "-in", "{output}.cms", "-inform", "PEM",
489 "-out", "{output}.txt" ],
495 my @smime_cms_param_tests = (
496 [ "signed content test streaming PEM format, RSA keys, PSS signature",
497 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
499 "-keyopt", "rsa_padding_mode:pss",
500 "-out", "{output}.cms" ],
501 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
502 "-CAfile", $smroot, "-out", "{output}.txt" ],
506 [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=max",
507 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
509 "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:max",
510 "-out", "{output}.cms" ],
511 sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 222; },
512 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
513 "-CAfile", $smroot, "-out", "{output}.txt" ],
517 [ "signed content test streaming PEM format, RSA keys, PSS signature, no attributes",
518 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
519 "-noattr", "-signer", $smrsa1,
520 "-keyopt", "rsa_padding_mode:pss",
521 "-out", "{output}.cms" ],
522 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
523 "-CAfile", $smroot, "-out", "{output}.txt" ],
527 [ "signed content test streaming PEM format, RSA keys, PSS signature, SHA384 MGF1",
528 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
530 "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_mgf1_md:sha384",
531 "-out", "{output}.cms" ],
532 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
533 "-CAfile", $smroot, "-out", "{output}.txt" ],
537 [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=16",
538 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
539 "-signer", $smrsa1, "-md", "sha256",
540 "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:16",
541 "-out", "{output}.cms" ],
542 sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 16; },
543 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
544 "-CAfile", $smroot, "-out", "{output}.txt" ],
548 [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=digest",
549 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
550 "-signer", $smrsa1, "-md", "sha256",
551 "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:digest",
552 "-out", "{output}.cms" ],
553 # digest is SHA-256, which produces 32 bytes of output
554 sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 32; },
555 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
556 "-CAfile", $smroot, "-out", "{output}.txt" ],
560 [ "enveloped content test streaming S/MIME format, DES, OAEP default parameters",
561 [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
562 "-stream", "-out", "{output}.cms",
564 "-keyopt", "rsa_padding_mode:oaep" ],
565 [ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
566 "-in", "{output}.cms", "-out", "{output}.txt" ],
570 [ "enveloped content test streaming S/MIME format, DES, OAEP SHA256",
571 [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
572 "-stream", "-out", "{output}.cms",
574 "-keyopt", "rsa_padding_mode:oaep",
575 "-keyopt", "rsa_oaep_md:sha256" ],
576 [ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
577 "-in", "{output}.cms", "-out", "{output}.txt" ],
581 [ "enveloped content test streaming S/MIME format, DES, ECDH",
582 [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
583 "-stream", "-out", "{output}.cms",
584 "-recip", catfile($smdir, "smec1.pem") ],
585 [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
586 "-in", "{output}.cms", "-out", "{output}.txt" ],
590 [ "enveloped content test streaming S/MIME format, DES, ECDH, 2 recipients, key only used",
591 [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
592 "-stream", "-out", "{output}.cms",
593 catfile($smdir, "smec1.pem"),
594 catfile($smdir, "smec3.pem") ],
595 [ "{cmd2}", @defaultprov, "-decrypt", "-inkey", catfile($smdir, "smec3.pem"),
596 "-in", "{output}.cms", "-out", "{output}.txt" ],
600 [ "enveloped content test streaming S/MIME format, ECDH, DES, key identifier",
601 [ "{cmd1}", @defaultprov, "-encrypt", "-keyid", "-in", $smcont,
602 "-stream", "-out", "{output}.cms",
603 "-recip", catfile($smdir, "smec1.pem") ],
604 [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
605 "-in", "{output}.cms", "-out", "{output}.txt" ],
609 [ "enveloped content test streaming S/MIME format, ECDH, AES-128-CBC, SHA256 KDF",
610 [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
611 "-stream", "-out", "{output}.cms",
612 "-recip", catfile($smdir, "smec1.pem"), "-aes128",
613 "-keyopt", "ecdh_kdf_md:sha256" ],
614 [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
615 "-in", "{output}.cms", "-out", "{output}.txt" ],
619 [ "enveloped content test streaming S/MIME format, ECDH, AES-128-GCM cipher, SHA256 KDF",
620 [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
621 "-stream", "-out", "{output}.cms",
622 "-recip", catfile($smdir, "smec1.pem"), "-aes-128-gcm", "-keyopt", "ecdh_kdf_md:sha256" ],
623 [ "{cmd2}", "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
624 "-in", "{output}.cms", "-out", "{output}.txt" ],
628 [ "enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH",
629 [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
630 "-stream", "-out", "{output}.cms",
631 "-recip", catfile($smdir, "smec2.pem"), "-aes128",
632 "-keyopt", "ecdh_kdf_md:sha256", "-keyopt", "ecdh_cofactor_mode:1" ],
633 [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smec2.pem"),
634 "-in", "{output}.cms", "-out", "{output}.txt" ],
638 [ "enveloped content test streaming S/MIME format, X9.42 DH",
639 [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
640 "-stream", "-out", "{output}.cms",
641 "-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
642 [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
643 "-in", "{output}.cms", "-out", "{output}.txt" ],
648 my @smime_cms_param_tests_autodigestmax = (
649 [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=auto-digestmax, digestsize < maximum salt length",
650 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
651 "-signer", $smrsa1, "-md", "sha256",
652 "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:auto-digestmax",
653 "-out", "{output}.cms" ],
654 # digest is SHA-256, which produces 32, bytes of output
655 sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 32; },
656 [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
657 "-CAfile", $smroot, "-out", "{output}.txt" ],
661 [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=auto-digestmax, digestsize > maximum salt length",
662 [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
663 "-signer", $smrsa1024, "-md", "sha512",
664 "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:auto-digestmax",
665 "-out", "{output}.cms" ],
666 # digest is SHA-512, which produces 64, bytes of output, but an RSA-PSS
667 # signature with a 1024 bit RSA key can only accommodate 62
668 sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 62; },
669 [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
670 "-CAfile", $smroot, "-out", "{output}.txt" ],
676 my @contenttype_cms_test = (
677 [ "signed content test - check that content type is added to additional signerinfo, RSA keys",
678 [ "{cmd1}", @prov, "-sign", "-binary", "-nodetach", "-stream", "-in", $smcont,
679 "-outform", "DER", "-signer", $smrsa1, "-md", "SHA256",
680 "-out", "{output}.cms" ],
681 [ "{cmd1}", @prov, "-resign", "-binary", "-nodetach", "-in", "{output}.cms",
682 "-inform", "DER", "-outform", "DER",
683 "-signer", catfile($smdir, "smrsa2.pem"), "-md", "SHA256",
684 "-out", "{output}2.cms" ],
685 sub { my %opts = @_; contentType_matches("$opts{output}2.cms") == 2; },
686 [ "{cmd2}", @prov, "-verify", "-in", "{output}2.cms", "-inform", "DER",
687 "-CAfile", $smroot, "-out", "{output}.txt" ]
691 my @incorrect_attribute_cms_test = (
692 "bad_signtime_attr.cms",
695 "ct_multiple_attr.cms"
698 # Runs a standard loop on the input array
703 foreach (@{$opts{tests}}) {
705 $opts{output} = "$opts{prefix}-$cnt1";
707 my $skip_reason = check_availability($$_[0]);
708 skip $skip_reason, 1 if $skip_reason;
710 1 while unlink "$opts{output}.txt";
712 foreach (@$_[1..$#$_]) {
713 if (ref $_ eq 'CODE') {
718 while ($x =~ /\{([^\}]+)\}/) {
719 $x = $`.$opts{$1}.$' if exists $opts{$1};
724 diag "CMD: openssl ", join(" ", @cmd);
725 $ok &&= run(app(["openssl", @cmd]));
726 $opts{input} = $opts{output};
738 diag "Comparing $smcont with $opts{output}.txt";
739 return compare_text($smcont, "$opts{output}.txt") == 0;
745 diag "Checking for zero-length file";
746 return (-e "$opts{output}.txt" && -z "$opts{output}.txt");
749 subtest "CMS => PKCS#7 compatibility tests\n" => sub {
750 plan tests => scalar @smime_pkcs7_tests;
752 runner_loop(prefix => 'cms2pkcs7', cmd1 => 'cms', cmd2 => 'smime',
753 tests => [ @smime_pkcs7_tests ]);
755 subtest "CMS <= PKCS#7 compatibility tests\n" => sub {
756 plan tests => scalar @smime_pkcs7_tests;
758 runner_loop(prefix => 'pkcs72cms', cmd1 => 'smime', cmd2 => 'cms',
759 tests => [ @smime_pkcs7_tests ]);
762 subtest "CMS <=> CMS consistency tests\n" => sub {
763 plan tests => (scalar @smime_pkcs7_tests) + (scalar @smime_cms_tests);
765 runner_loop(prefix => 'cms2cms-1', cmd1 => 'cms', cmd2 => 'cms',
766 tests => [ @smime_pkcs7_tests ]);
767 runner_loop(prefix => 'cms2cms-2', cmd1 => 'cms', cmd2 => 'cms',
768 tests => [ @smime_cms_tests ]);
771 subtest "CMS <=> CMS consistency tests, modified key parameters\n" => sub {
773 (scalar @smime_cms_param_tests) + (scalar @smime_cms_comp_tests) +
774 (scalar @smime_cms_param_tests_autodigestmax) + 1;
776 ok(run(app(["openssl", "cms", @prov,
777 "-sign", "-in", $smcont,
781 "-keyopt", "rsa_padding_mode:pss",
782 "-keyopt", "rsa_pss_saltlen:auto-digestmax",
783 "-out", "digestmaxtest.cms"])));
784 # Providers that do not support rsa_pss_saltlen:auto-digestmax will parse
786 my $no_autodigestmax = rsapssSaltlen("digestmaxtest.cms") == 0;
787 1 while unlink "digestmaxtest.cms";
789 runner_loop(prefix => 'cms2cms-mod', cmd1 => 'cms', cmd2 => 'cms',
790 tests => [ @smime_cms_param_tests ]);
792 skip("Zlib not supported: compression tests skipped",
793 scalar @smime_cms_comp_tests)
796 runner_loop(prefix => 'cms2cms-comp', cmd1 => 'cms', cmd2 => 'cms',
797 tests => [ @smime_cms_comp_tests ]);
801 skip("rsa_pss_saltlen:auto-digestmax not supported",
802 scalar @smime_cms_param_tests_autodigestmax)
803 if $no_autodigestmax;
805 runner_loop(prefix => 'cms2cms-comp', 'cmd1' => 'cms', cmd2 => 'cms',
806 tests => [ @smime_cms_param_tests_autodigestmax ]);
810 # Returns the number of matches of a Content Type Attribute in a binary file.
811 sub contentType_matches {
812 # Read in a binary file
814 open (HEX_IN, "$in") or die("open failed for $in : $!");
819 # Find ASN1 data for a Content Type Attribute (with a OID of PKCS7 data)
820 my @c = $str =~ /\x30\x18\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x03\x31\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x01/gs;
830 my @asn1parse = run(app(["openssl", "asn1parse", "-in", $in, "-dump"]),
833 return -1 if $exit != 0;
835 my $pssparam_offset = -1;
836 while ($_ = shift @asn1parse) {
838 next unless /:rsassaPss/;
839 # This line contains :rsassaPss, the next line contains a raw dump of the
840 # RSA_PSS_PARAMS sequence; obtain its offset
841 $_ = shift @asn1parse;
843 $pssparam_offset = int($1);
847 if ($pssparam_offset == -1) {
848 note "Failed to determine RSA_PSS_PARAM offset in CMS. " +
849 "Was the file correctly signed with RSASSA-PSS?";
853 my @pssparam = run(app(["openssl", "asn1parse", "-in", $in,
854 "-strparse", $pssparam_offset]),
857 return -1 if $exit != 0;
860 # Can't use asn1parse -item RSA_PSS_PARAMS here, because that's deprecated.
861 # This assumes the salt length is the last field, which may possibly be
862 # incorrect if there is a non-standard trailer field, but there almost never
864 if ($pssparam[-1] =~ /prim:\s+INTEGER\s+:([A-Fa-f0-9]+)/) {
868 if ($saltlen == -1) {
869 note "Failed to determine salt length from RSA_PSS_PARAM struct. " +
870 "Was the file correctly signed with RSASSA-PSS?";
877 subtest "CMS Check the content type attribute is added for additional signers\n" => sub {
878 plan tests => (scalar @contenttype_cms_test);
880 runner_loop(prefix => 'cms2cms-added', cmd1 => 'cms', cmd2 => 'cms',
881 tests => [ @contenttype_cms_test ]);
884 subtest "CMS Check that bad attributes fail when verifying signers\n" => sub {
886 (scalar @incorrect_attribute_cms_test);
889 foreach my $name (@incorrect_attribute_cms_test) {
890 my $out = "incorrect-$cnt.txt";
892 ok(!run(app(["openssl", "cms", @prov, "-verify", "-in",
893 catfile($datadir, $name), "-inform", "DER", "-CAfile",
894 $smroot, "-out", $out ])),
899 subtest "CMS Check that bad encryption algorithm fails\n" => sub {
903 skip "DES or Legacy isn't supported in this build", 1
904 if disabled("des") || disabled("legacy");
906 my $out = "smtst.txt";
908 ok(!run(app(["openssl", "cms", @legacyprov, "-encrypt",
910 "-stream", "-recip", $smrsa1,
913 "Decrypt message from OpenSSL 1.1.1");
917 subtest "CMS Decrypt message encrypted with OpenSSL 1.1.1\n" => sub {
921 skip "EC or DES isn't supported in this build", 1
922 if disabled("ec") || disabled("des");
924 my $out = "smtst.txt";
926 ok(run(app(["openssl", "cms", @defaultprov, "-decrypt",
927 "-inkey", catfile($smdir, "smec3.pem"),
928 "-in", catfile($datadir, "ciphertext_from_1_1_1.cms"),
930 && compare_text($smcont, $out) == 0,
931 "Decrypt message from OpenSSL 1.1.1");
935 subtest "CAdES <=> CAdES consistency tests\n" => sub {
936 plan tests => (scalar @smime_cms_cades_tests);
938 runner_loop(prefix => 'cms-cades', cmd1 => 'cms', cmd2 => 'cms',
939 tests => [ @smime_cms_cades_tests ]);
942 subtest "CAdES; cms incompatible arguments tests\n" => sub {
943 plan tests => (scalar @smime_cms_cades_invalid_option_tests);
945 foreach (@smime_cms_cades_invalid_option_tests) {
946 ok(!run(app(["openssl", "cms", @{$$_[0]} ] )));
950 subtest "CAdES ko tests\n" => sub {
951 plan tests => 2 * scalar @smime_cms_cades_ko_tests;
953 foreach (@smime_cms_cades_ko_tests) {
955 my $skip_reason = check_availability($$_[0]);
956 skip $skip_reason, 1 if $skip_reason;
957 1 while unlink "cades-ko.txt";
959 ok(run(app(["openssl", "cms", @{$$_[1]}])), $$_[0]);
960 ok(!run(app(["openssl", "cms", @{$$_[3]}])), $$_[2]);
965 subtest "CMS binary input tests\n" => sub {
966 my $input = srctop_file("test", "smcont.bin");
967 my $signed = "smcont.signed";
968 my $verified = "smcont.verified";
972 ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1,
973 "-binary", "-in", $input, "-out", $signed])),
974 "sign binary input with -binary");
975 ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot,
976 "-binary", "-in", $signed, "-out", $verified])),
977 "verify binary input with -binary");
978 is(compare($input, $verified), 0, "binary input retained with -binary");
980 ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1,
981 "-in", $input, "-out", $signed.".nobin"])),
982 "sign binary input without -binary");
983 ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot,
984 "-in", $signed.".nobin", "-out", $verified.".nobin"])),
985 "verify binary input without -binary");
986 is(compare($input, $verified.".nobin"), 1, "binary input not retained without -binary");
987 ok(!run(app(["openssl", "cms", "-verify", "-CAfile", $smroot, "-crlfeol",
988 "-binary", "-in", $signed, "-out", $verified.".crlfeol"])),
989 "verify binary input wrong crlfeol");
991 ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1,
993 "-binary", "-in", $input, "-out", $signed.".crlf"])),
994 "sign binary input with -binary -crlfeol");
995 ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot, "-crlfeol",
996 "-binary", "-in", $signed.".crlf", "-out", $verified.".crlf"])),
997 "verify binary input with -binary -crlfeol");
998 is(compare($input, $verified.".crlf"), 0,
999 "binary input retained with -binary -crlfeol");
1000 ok(!run(app(["openssl", "cms", "-verify", "-CAfile", $smroot,
1001 "-binary", "-in", $signed.".crlf", "-out", $verified.".crlf2"])),
1002 "verify binary input with -binary missing -crlfeol");
1005 subtest "CMS signed digest, DER format" => sub {
1008 # Pre-computed SHA256 digest of $smcont in hexadecimal form
1009 my $digest = "ff236ef61b396355f75a4cc6e1c306d4c309084ae271a9e2ad6888f10a101b32";
1011 my $sig_file = "signature.der";
1012 ok(run(app(["openssl", "cms", @prov, "-sign", "-digest", $digest,
1014 "-certfile", catfile($smdir, "smroot.pem"),
1015 "-signer", catfile($smdir, "smrsa1.pem"),
1016 "-out", $sig_file])),
1017 "CMS sign pre-computed digest, DER format");
1019 ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
1021 "-CAfile", catfile($smdir, "smroot.pem"),
1022 "-content", $smcont])),
1023 "Verify CMS signed digest, DER format");
1026 subtest "CMS signed digest, S/MIME format" => sub {
1029 # Pre-computed SHA256 digest of $smcont in hexadecimal form
1030 my $digest = "ff236ef61b396355f75a4cc6e1c306d4c309084ae271a9e2ad6888f10a101b32";
1032 my $sig_file = "signature.smime";
1033 ok(run(app(["openssl", "cms", @prov, "-sign", "-digest", $digest,
1034 "-outform", "SMIME",
1035 "-certfile", catfile($smdir, "smroot.pem"),
1036 "-signer", catfile($smdir, "smrsa1.pem"),
1037 "-out", $sig_file])),
1038 "CMS sign pre-computed digest, S/MIME format");
1040 ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
1042 "-CAfile", catfile($smdir, "smroot.pem"),
1043 "-content", $smcont])),
1044 "Verify CMS signed digest, S/MIME format");
1047 subtest "CMS code signing test" => sub {
1049 my $sig_file = "signature.p7s";
1050 ok(run(app(["openssl", "cms", @prov, "-sign", "-in", $smcont,
1051 "-certfile", catfile($smdir, "smroot.pem"),
1052 "-signer", catfile($smdir, "smrsa1.pem"),
1053 "-out", $sig_file])),
1054 "accept perform CMS signature with smime certificate");
1056 ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
1057 "-CAfile", catfile($smdir, "smroot.pem"),
1058 "-content", $smcont])),
1059 "accept verify CMS signature with smime certificate");
1061 ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
1062 "-CAfile", catfile($smdir, "smroot.pem"),
1063 "-purpose", "codesign",
1064 "-content", $smcont])),
1065 "fail verify CMS signature with smime certificate for purpose code signing");
1067 ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
1068 "-CAfile", catfile($smdir, "smroot.pem"),
1069 "-purpose", "football",
1070 "-content", $smcont])),
1071 "fail verify CMS signature with invalid purpose argument");
1073 ok(run(app(["openssl", "cms", @prov, "-sign", "-in", $smcont,
1074 "-certfile", catfile($smdir, "smroot.pem"),
1075 "-signer", catfile($smdir, "csrsa1.pem"),
1076 "-out", $sig_file])),
1077 "accept perform CMS signature with code signing certificate");
1079 ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
1080 "-CAfile", catfile($smdir, "smroot.pem"),
1081 "-purpose", "codesign",
1082 "-content", $smcont])),
1083 "accept verify CMS signature with code signing certificate for purpose code signing");
1085 ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
1086 "-CAfile", catfile($smdir, "smroot.pem"),
1087 "-content", $smcont])),
1088 "fail verify CMS signature with code signing certificate for purpose smime_sign");
1091 # Test case for missing MD algorithm (must not segfault)
1093 with({ exit_checker => sub { return shift == 4; } },
1095 ok(run(app(['openssl', 'smime', '-verify', '-noverify',
1097 '-in', data_file("pkcs7-md4.pem"),
1099 "Check failure of EVP_DigestInit in PKCS7 signed is handled");
1101 ok(run(app(['openssl', 'smime', '-decrypt',
1103 '-in', data_file("pkcs7-md4-encrypted.pem"),
1104 '-recip', srctop_file("test", "certs", "ee-cert.pem"),
1105 '-inkey', srctop_file("test", "certs", "ee-key.pem")
1107 "Check failure of EVP_DigestInit in PKCS7 signedAndEnveloped is handled");
1110 sub check_availability {
1113 return "$tnam: skipped, EC disabled\n"
1114 if ($no_ec && $tnam =~ /ECDH/);
1115 return "$tnam: skipped, ECDH disabled\n"
1116 if ($no_ec && $tnam =~ /ECDH/);
1117 return "$tnam: skipped, EC2M disabled\n"
1118 if ($no_ec2m && $tnam =~ /K-283/);
1119 return "$tnam: skipped, DH disabled\n"
1120 if ($no_dh && $tnam =~ /X9\.42/);
1121 return "$tnam: skipped, RC2 disabled\n"
1122 if ($no_rc2 && $tnam =~ /RC2/);
1123 return "$tnam: skipped, DES disabled\n"
1124 if ($no_des && $tnam =~ /DES/);
1125 return "$tnam: skipped, DSA disabled\n"
1126 if ($no_dsa && $tnam =~ / DSA/);
1131 # Test case for the locking problem reported in #19643.
1132 # This will fail if the fix is in and deadlock on Windows (and possibly
1133 # other platforms) if not.
1134 ok(!run(app(['openssl', 'cms', '-verify',
1135 '-CAfile', srctop_file("test/certs", "pkitsta.pem"),
1136 '-policy', 'anyPolicy',
1137 '-in', srctop_file("test/smime-eml",
1138 "SignedInvalidMappingFromanyPolicyTest7.eml")
1142 # Check that we get the expected failure return code
1143 with({ exit_checker => sub { return shift == 6; } },
1145 ok(run(app(['openssl', 'cms', '-encrypt',
1146 '-in', srctop_file("test", "smcont.txt"),
1147 '-aes128', '-stream', '-recip',
1148 srctop_file("test/smime-certs", "badrsa.pem"),
1150 "Check failure during BIO setup with -stream is handled correctly");
1153 # Test case for return value mis-check reported in #21986
1154 with({ exit_checker => sub { return shift == 3; } },
1157 skip "DSA is not supported in this build", 1 if $no_dsa;
1159 ok(run(app(['openssl', 'cms', '-sign',
1160 '-in', srctop_file("test", "smcont.txt"),
1161 '-signer', srctop_file("test/smime-certs", "smdsa1.pem"),
1162 '-md', 'SHAKE256'])),
1167 # Test for problem reported in #22225
1168 with({ exit_checker => sub { return shift == 3; } },
1170 ok(run(app(['openssl', 'cms', '-encrypt',
1171 '-in', srctop_file("test", "smcont.txt"),
1172 '-aes-256-ctr', '-recip',
1173 catfile($smdir, "smec1.pem"),
1175 "Check for failure when cipher does not have an assigned OID (issue#22225)");
1178 # Test encrypt to three recipients, and decrypt using key-only;
1179 # i.e. do not follow the recommended practice of providing the
1180 # recipient cert in the decrypt op.
1182 # Use RSAES-OAEP for key-transport, not RSAES-PKCS-v1_5.
1184 # Because the cert is not provided during decrypt, all RSA ciphertexts
1185 # are decrypted in turn, and when/if there is a valid decryption, it
1186 # is assumed the correct content-key has been recovered.
1188 # That process may fail with RSAES-PKCS-v1_5 b/c there is a
1189 # non-negligible chance that decrypting a random input using
1190 # RSAES-PKCS-v1_5 can result in a valid plaintext (so two content-keys
1191 # could be recovered and the wrong one might be used).
1193 # See https://github.com/openssl/project/issues/380
1194 subtest "encrypt to three recipients with RSA-OAEP, key only decrypt" => sub {
1197 my $pt = srctop_file("test", "smcont.txt");
1198 my $ct = "smtst.cms";
1199 my $ptpt = "smtst.txt";
1201 ok(run(app(['openssl', 'cms',
1203 '-encrypt', '-aes128',
1207 '-recip', catfile($smdir, "smrsa1.pem"),
1208 '-keyopt', 'rsa_padding_mode:oaep',
1209 '-recip', catfile($smdir, "smrsa2.pem"),
1210 '-keyopt', 'rsa_padding_mode:oaep',
1211 '-recip', catfile($smdir, "smrsa3-cert.pem"),
1212 '-keyopt', 'rsa_padding_mode:oaep',
1214 "encrypt to three recipients with RSA-OAEP (avoid openssl/project issue#380)");
1215 ok(run(app(['openssl', 'cms',
1217 '-decrypt', '-aes128',
1220 '-inkey', catfile($smdir, "smrsa3-key.pem"),
1222 "decrypt with key only");
1223 is(compare($pt, $ptpt), 0, "compare original message with decrypted ciphertext");