cms: Create test for for purpose verification in cms application
authorLutz Jaenicke <ljaenicke@phoenixcontact.com>
Wed, 15 Jun 2022 17:01:43 +0000 (19:01 +0200)
committerTomas Mraz <tomas@openssl.org>
Thu, 18 Aug 2022 08:24:53 +0000 (10:24 +0200)
The tests cover only the correct handling of the code-signing purpose of the certificates
in the context of the cms command line tool.
The interpretation of the certificate purpose is tested in the context of the "verify"
app. The correct handling of the cms objects is tested by other tests in 80-test_cms.t.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18567)

test/recipes/80-test_cms.t
test/smime-certs/ca.cnf
test/smime-certs/csrsa1.pem [new file with mode: 0644]
test/smime-certs/mksmime-certs.sh

index 11a6636863375f05724496aeaaeb003cef720c99..e10e08600592cb5b662dea30f0c6efc6c86c074d 100644 (file)
@@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
 
 $no_rc2 = 1 if disabled("legacy");
 
-plan tests => 14;
+plan tests => 15;
 
 ok(run(test(["pkcs7_test"])), "test pkcs7");
 
@@ -889,6 +889,50 @@ subtest "CMS signed digest, S/MIME format" => sub {
        "Verify CMS signed digest, S/MIME format");
 };
 
+subtest "CMS code signing test" => sub {
+    plan tests => 7;
+    my $sig_file = "signature.p7s";
+    ok(run(app(["openssl", "cms", @prov, "-sign", "-in", $smcont,
+                   "-certfile", catfile($smdir, "smroot.pem"),
+                   "-signer", catfile($smdir, "smrsa1.pem"),
+                   "-out", $sig_file])),
+       "accept perform CMS signature with smime certificate");
+
+    ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
+                    "-CAfile", catfile($smdir, "smroot.pem"),
+                    "-content", $smcont])),
+       "accept verify CMS signature with smime certificate");
+
+    ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
+                    "-CAfile", catfile($smdir, "smroot.pem"),
+                    "-purpose", "codesign",
+                    "-content", $smcont])),
+       "fail verify CMS signature with smime certificate for purpose code signing");
+
+    ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
+                    "-CAfile", catfile($smdir, "smroot.pem"),
+                    "-purpose", "football",
+                    "-content", $smcont])),
+       "fail verify CMS signature with invalid purpose argument");
+
+    ok(run(app(["openssl", "cms", @prov, "-sign", "-in", $smcont,
+                   "-certfile", catfile($smdir, "smroot.pem"),
+                   "-signer", catfile($smdir, "csrsa1.pem"),
+                   "-out", $sig_file])),
+        "accept perform CMS signature with code signing certificate");
+
+    ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
+                    "-CAfile", catfile($smdir, "smroot.pem"),
+                    "-purpose", "codesign",
+                    "-content", $smcont])),
+       "accept verify CMS signature with code signing certificate for purpose code signing");
+
+    ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
+                    "-CAfile", catfile($smdir, "smroot.pem"),
+                    "-content", $smcont])),
+       "fail verify CMS signature with code signing certificate for purpose smime_sign");
+};
+
 sub check_availability {
     my $tnam = shift;
 
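Review bot: The final `ok(!run(...))` in the "CMS code signing test" subtest, which verifies the csrsa1.pem signature with no `-purpose` option, depends on the default purpose that `cms -verify` applies when the option is omitted, and nothing in the subtest records that; only the test description hints at it. A comment above that check would keep the expected failure from reading as a mistake, e.g. `# Without -purpose, cms -verify checks smime_sign; the code-signing EE (codeSigning EKU only) is presumably rejected on that purpose`. The same reasoning applies to the third check, where the S/MIME certificate is expected to fail `-purpose codesign`, and a similar one-line comment there would document why. As a point of wording, the descriptions `accept perform CMS signature with smime certificate` and `accept perform CMS signature with code signing certificate` read awkwardly; `sign content with S/MIME certificate` and `sign content with code-signing certificate` would say the same thing more plainly.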
index 31bddea1fa037a414d442a9f9d60a643bbdee016..7d453e895758d4e7445102add690f2ebb4baf69f 100644 (file)
@@ -54,6 +54,15 @@ keyUsage=critical, keyAgreement
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
 
+[ codesign_cert ]
+
+# These extensions are added when 'ca' signs a request for a code-signing
+# end-entity certificate
+
+basicConstraints=CA:FALSE
+keyUsage=critical, digitalSignature
+extendedKeyUsage=codeSigning
+
 [ v3_ca ]
 
 
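Review bot: `[ codesign_cert ]` carries no `subjectKeyIdentifier=hash` or `authorityKeyIdentifier=keyid`, while the end-entity section directly above it (visible in the context lines) sets both; unless the omission is deliberate, adding those two lines keeps the code-signing EE consistent with the other end-entity certificates and gives verifiers an AKID to match against the issuer. The comment `These extensions are added when 'ca' signs a request for a code-signing end-entity certificate` describes `openssl ca`, whereas mksmime-certs.sh in this commit issues csrsa1.pem with `x509 -req -extfile ca.cnf -extensions codesign_cert`; the wording appears to be copied from the neighbouring sections, so it is a consistency nit rather than a defect, but `added when 'x509 -req' signs a request` would match what actually happens.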
diff --git a/test/smime-certs/csrsa1.pem b/test/smime-certs/csrsa1.pem
new file mode 100644 (file)
index 0000000..d3276d9
--- /dev/null
@@ -0,0 +1,50 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
index 109b9c4abc284375a706ee2f129342e3a01bccc7..498190bcca7800839681bad00e4d9cf825fc08fd 100644 (file)
@@ -81,5 +81,14 @@ CN="Test S/MIME EE DH #1" $OPENSSL req -config ca.cnf -noenc \
 $OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
        -force_pubkey dhpub.pem \
        -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdh.pem
+
+# EE RSA code signing certificates: create request first
+CN="Test CodeSign EE RSA #1" $OPENSSL req -config ca.cnf -noenc \
+       -new -out req.pem -key ../certs/ee-key.pem
+cat ../certs/ee-key.pem > csrsa1.pem
+# Sign request: end entity extensions
+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36524 -extfile ca.cnf \
+       -extensions codesign_cert >>csrsa1.pem
+
 # Remove temp files.
 rm -f req.pem ecp.pem ecp2.pem dsap.pem dhp.pem dhpub.pem smtmp.pem smroot.srl
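Review bot: The new `$OPENSSL x509 -req` for csrsa1.pem passes `-days 36524`, while the command just above it in this hunk (and, to judge from that context, the other EE certificates in the script) uses `-days 36500`; if the different lifetime is not intentional, `-days 36500` keeps the code-signing certificate in step with the rest of the set. If it is intentional, a short comment on the line, e.g. `# 36524 days: deliberately differs from the S/MIME EE certificates`, would stop the next reader from taking it for a typo. The new command also omits `-CAcreateserial`, which the earlier signing on the context line passes; that is presumably fine because smroot.srl already exists by this point (the final `rm -f` cleans it up), but it is worth a glance if the script is ever reordered.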