Add a testcase to the test_req covering the issue.
Fixes #13957
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13967)
return 0;
/*
- * For RSA-PSS keys, we ignore the default digest request
- * TODO(3.0) with RSA-OAEP keys, this may need to be amended
+ * For restricted RSA-PSS keys, we ignore the default digest request.
+ * With RSA-OAEP keys, this may need to be amended.
*/
if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_DEFAULT_DIGEST)) != NULL
- && rsa_type != RSA_FLAG_TYPE_RSASSAPSS) {
+ && (rsa_type != RSA_FLAG_TYPE_RSASSAPSS
+ || ossl_rsa_pss_params_30_is_unrestricted(pss_params))) {
if (!OSSL_PARAM_set_utf8_string(p, RSA_DEFAULT_MD))
return 0;
}
/*
- * For non-RSA-PSS keys, we ignore the mandatory digest request
- * TODO(3.0) with RSA-OAEP keys, this may need to be amended
+ * For non-RSA-PSS keys, we ignore the mandatory digest request.
+ * With RSA-OAEP keys, this may need to be amended.
*/
if ((p = OSSL_PARAM_locate(params,
OSSL_PKEY_PARAM_MANDATORY_DIGEST)) != NULL
setup("test_req");
-plan tests => 42;
+plan tests => 43;
require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
}
};
+subtest "generating certificate requests with RSA-PSS" => sub {
+ plan tests => 4;
+
+ SKIP: {
+ skip "RSA is not supported by this OpenSSL build", 2
+ if disabled("rsa");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-new", "-out", "testreq-rsapss.pem", "-utf8",
+ "-key", srctop_file("test", "testrsapss.pem")])),
+ "Generating request");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-verify", "-in", "testreq-rsapss.pem", "-noout"])),
+ "Verifying signature on request");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-new", "-out", "testreq-rsapss2.pem", "-utf8",
+ "-sigopt", "rsa_padding_mode:pss",
+ "-sigopt", "rsa_pss_saltlen:-1",
+ "-key", srctop_file("test", "testrsapss.pem")])),
+ "Generating request");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-verify", "-in", "testreq-rsapss2.pem", "-noout"])),
+ "Verifying signature on request");
+ }
+};
+
subtest "generating certificate requests with DSA" => sub {
plan tests => 2;
--- /dev/null
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADALBgkqhkiG9w0BAQoEggSoMIIEpAIBAAKCAQEAzs95rRH49f5zZ1G9
+Cb/Ie5P5GfNto2etu2L90qrewOJKZ4CQ49D8QEKzjnFJhagj/i5MNdWHeTCrDAsQ
+jrbKS6ik/HY11yiB0wZ4ItXsfMQX+qIVp2X9BQFx/ID5nVCXrQcfMfcqFk19cv4N
+mgKgdeEZT9O5baSX2jKKsR8E/4+QilI9xBxzig+HJ2cG2clMkGZut5hiBwwWZ0+1
+v1v5ZbkUGwroGJqBsqzI8vTW+bT/VVlhCgdoAj6/p543tgBM439O1ZDDIxVZbadI
+uacwSwV2yBlSzDGExJwjisABwOZWNta4lQ5NI1ZEzA0I1+MPyyzvX0/1ZupgDtcq
+T5zWUwIDAQABAoIBAHm4Cvkd1tWRiQKKTSRrx+dT1Ay+BQ1jfBEJ1jIjdy83AGui
+c6Rh39VCbMOtUYRkzapQPXKB1lYxmrpf2MLmOnIFM/WS7WVQ5ff5msOF/MYB88sD
+kpMPp7dGfnwKvN8mC98+jdGukwrFWMxRUlgOq7o1Xdxp1Hz/npBBpvdQNnTiTpbq
+q8tanx2QRHqhc1+5hYik6OamK0D+Gp9Ver+UZSDf86yJro/fLDzkJlZb5tv11ggn
+nv2obfb9cMG/U+QQuWZ18wWrc3EjWDgy5BmUSprPdbJknyIhVhnTwpUQk+MXbx6K
+9RdlpxURXKnlkvL84cdtB6zBfFcNNPSe5si2HCECgYEA+Mb7mAoiZAzwUGKCTvHZ
+AKH2jBEjFA4ZSMqu+bZqLCv8xflbcTAb/b4zxU5PSZCONf0InrhVjqDoz6u/wPC4
+1Drvg8dRIvRoc207lWanMfriE6kj5QdspEARom/56x2ADPy9mRsWy8ZtENrw4LGh
+XaoKr1dvoC1lvAtB/O4RZhcCgYEA1NCT0mthIQkcwgvDXHDyF++/i38zRIbqtWrS
+18UzSk9kMIcP8euP7hesJnvT8ySFXOkmJ9RJd0N5Mc0XXxgT2k52goebw/3IUDIY
+8vuMkANZMjUp7hvXsqYVxWgPU8526rQtbzXTuqKK8mZ9Q03XJ5Mcd/tI80lUkAm3
+WSJhsyUCgYAIA2jRQepPrLcE79dgsZua0Jy/cEHgAIBB/v1Z381VtOkEe369i54r
+Mzg5r8cQCI78IDVp32gqGvbE0bRwg5CAjZFvfjkX1iWTKj6UFmVmT71+gqE8XFvc
+go/O2qqDL0UTpgR5bQzz7WVP+K1vn2kiOjrz4O4gi7XOM9KhUg3PawKBgQDQ7K+i
+jN5/AyYjbk7tqshRLYJbXZYkOVuknOm/AI847bYLWh0SQFM9yCmuYjSS6BCxRQa7
+ZVJ2blxFwvWl2spqsEryHFWUVMpZyMTrjn7RRyhC/SRb6SOZ9Ck9cspRWUkvY5GT
+M0HYYQiNroZdE8ccx/TT6XMVvLDy80b3j6RgrQKBgQCvKd8TNakeskEfjAnn4WLO
+0+I7oxkhth0i6eIUaXpqoVsZypAhXGC13V2Y5HyvIPNUSjsG2XafQOzZXHgGTixP
+YaYHAo9cWis8t21eTRrOMtnALqL59oVMFTbiy/dJhN4m0sxezzTVIpqBxTYzagbZ
+46EVSoOEYkU7U/TiD+HGHQ==
+-----END PRIVATE KEY-----