2 # Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
14 use File::Spec::Functions qw/catfile/;
15 use File::Compare qw/compare_text/;
16 use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file/;
18 use OpenSSL::Test::Utils;
24 use lib srctop_dir('Configurations');
25 use lib bldtop_dir('.');
28 my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
30 plan skip_all => "CMS is not supported by this OpenSSL build"
33 my $provpath = bldtop_dir("providers");
35 # Some tests require legacy algorithms to be included.
36 my @legacyprov = ("-provider-path", $provpath,
37 "-provider", "default",
38 "-provider", "legacy" );
39 my @defaultprov = ("-provider-path", $provpath,
40 "-provider", "default");
43 my $provname = 'default';
45 my $datadir = srctop_dir("test", "recipes", "80-test_cms_data");
46 my $smdir = srctop_dir("test", "smime-certs");
47 my $smcont = srctop_file("test", "smcont.txt");
48 my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
49 = disabled qw/des dh dsa ec ec2m rc2 zlib/;
52 ($no_fips ? 0 : 1) # FIPS install test
56 my $infile = bldtop_file('providers', platform->dso('fips'));
58 ok(run(app(['openssl', 'fipsinstall',
59 '-out', bldtop_file('providers', 'fipsmodule.cnf'),
60 '-module', $infile])),
62 @config = ( "-config", srctop_file("test", "fips-and-base.cnf") );
66 $ENV{OPENSSL_TEST_LIBCTX} = "1";
67 my @prov = ("-provider-path", $provpath,
69 "-provider", $provname);
71 my @smime_pkcs7_tests = (
73 [ "signed content DER format, RSA key",
74 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
75 "-certfile", catfile($smdir, "smroot.pem"),
76 "-signer", catfile($smdir, "smrsa1.pem"), "-out", "{output}.cms" ],
77 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
78 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
82 [ "signed detached content DER format, RSA key",
83 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
84 "-signer", catfile($smdir, "smrsa1.pem"), "-out", "{output}.cms" ],
85 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
86 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt",
87 "-content", $smcont ],
91 [ "signed content test streaming BER format, RSA",
92 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
94 "-signer", catfile($smdir, "smrsa1.pem"), "-out", "{output}.cms" ],
95 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
96 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
100 [ "signed content DER format, DSA key",
101 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
102 "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
103 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
104 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
108 [ "signed detached content DER format, DSA key",
109 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
110 "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
111 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
112 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt",
113 "-content", $smcont ],
117 [ "signed detached content DER format, add RSA signer (with DSA existing)",
118 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
119 "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
120 [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
121 "-signer", catfile($smdir, "smrsa1.pem"), "-out", "{output}2.cms" ],
122 [ "{cmd2}", @prov, "-verify", "-in", "{output}2.cms", "-inform", "DER",
123 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt",
124 "-content", $smcont ],
128 [ "signed content test streaming BER format, DSA key",
129 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
130 "-nodetach", "-stream",
131 "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
132 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
133 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
137 [ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
138 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
139 "-nodetach", "-stream",
140 "-signer", catfile($smdir, "smrsa1.pem"),
141 "-signer", catfile($smdir, "smrsa2.pem"),
142 "-signer", catfile($smdir, "smdsa1.pem"),
143 "-signer", catfile($smdir, "smdsa2.pem"),
144 "-out", "{output}.cms" ],
145 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
146 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
150 [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
151 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
152 "-noattr", "-nodetach", "-stream",
153 "-signer", catfile($smdir, "smrsa1.pem"),
154 "-signer", catfile($smdir, "smrsa2.pem"),
155 "-signer", catfile($smdir, "smdsa1.pem"),
156 "-signer", catfile($smdir, "smdsa2.pem"),
157 "-out", "{output}.cms" ],
158 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
159 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
163 [ "signed content S/MIME format, RSA key SHA1",
164 [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
165 "-certfile", catfile($smdir, "smroot.pem"),
166 "-signer", catfile($smdir, "smrsa1.pem"), "-out", "{output}.cms" ],
167 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
168 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
172 [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
173 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
174 "-signer", catfile($smdir, "smrsa1.pem"),
175 "-signer", catfile($smdir, "smrsa2.pem"),
176 "-signer", catfile($smdir, "smdsa1.pem"),
177 "-signer", catfile($smdir, "smdsa2.pem"),
178 "-stream", "-out", "{output}.cms" ],
179 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
180 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
184 [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
185 [ "{cmd1}", @prov, "-sign", "-in", $smcont,
186 "-signer", catfile($smdir, "smrsa1.pem"),
187 "-signer", catfile($smdir, "smrsa2.pem"),
188 "-signer", catfile($smdir, "smdsa1.pem"),
189 "-signer", catfile($smdir, "smdsa2.pem"),
190 "-stream", "-out", "{output}.cms" ],
191 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
192 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
196 [ "enveloped content test streaming S/MIME format, DES, 3 recipients",
197 [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
198 "-stream", "-out", "{output}.cms",
199 catfile($smdir, "smrsa1.pem"),
200 catfile($smdir, "smrsa2.pem"),
201 catfile($smdir, "smrsa3.pem") ],
202 [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"),
203 "-in", "{output}.cms", "-out", "{output}.txt" ],
207 [ "enveloped content test streaming S/MIME format, DES, 3 recipients, 3rd used",
208 [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
209 "-stream", "-out", "{output}.cms",
210 catfile($smdir, "smrsa1.pem"),
211 catfile($smdir, "smrsa2.pem"),
212 catfile($smdir, "smrsa3.pem") ],
213 [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smrsa3.pem"),
214 "-in", "{output}.cms", "-out", "{output}.txt" ],
218 [ "enveloped content test streaming S/MIME format, DES, 3 recipients, key only used",
219 [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
220 "-stream", "-out", "{output}.cms",
221 catfile($smdir, "smrsa1.pem"),
222 catfile($smdir, "smrsa2.pem"),
223 catfile($smdir, "smrsa3.pem") ],
224 [ "{cmd2}", @defaultprov, "-decrypt", "-inkey", catfile($smdir, "smrsa3.pem"),
225 "-in", "{output}.cms", "-out", "{output}.txt" ],
229 [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
230 [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
231 "-aes256", "-stream", "-out", "{output}.cms",
232 catfile($smdir, "smrsa1.pem"),
233 catfile($smdir, "smrsa2.pem"),
234 catfile($smdir, "smrsa3.pem") ],
235 [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"),
236 "-in", "{output}.cms", "-out", "{output}.txt" ],
242 my @smime_cms_tests = (
244 [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
245 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
246 "-nodetach", "-keyid",
247 "-signer", catfile($smdir, "smrsa1.pem"),
248 "-signer", catfile($smdir, "smrsa2.pem"),
249 "-signer", catfile($smdir, "smdsa1.pem"),
250 "-signer", catfile($smdir, "smdsa2.pem"),
251 "-stream", "-out", "{output}.cms" ],
252 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
253 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
257 [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
258 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
259 "-signer", catfile($smdir, "smrsa1.pem"),
260 "-signer", catfile($smdir, "smrsa2.pem"),
261 "-signer", catfile($smdir, "smdsa1.pem"),
262 "-signer", catfile($smdir, "smdsa2.pem"),
263 "-stream", "-out", "{output}.cms" ],
264 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
265 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
269 [ "signed content MIME format, RSA key, signed receipt request",
270 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
271 "-signer", catfile($smdir, "smrsa1.pem"),
272 "-receipt_request_to", "test\@openssl.org", "-receipt_request_all",
273 "-out", "{output}.cms" ],
274 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
275 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
279 [ "signed receipt MIME format, RSA key",
280 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
281 "-signer", catfile($smdir, "smrsa1.pem"),
282 "-receipt_request_to", "test\@openssl.org", "-receipt_request_all",
283 "-out", "{output}.cms" ],
284 [ "{cmd1}", @prov, "-sign_receipt", "-in", "{output}.cms",
285 "-signer", catfile($smdir, "smrsa2.pem"), "-out", "{output}2.cms" ],
286 [ "{cmd2}", @prov, "-verify_receipt", "{output}2.cms", "-in", "{output}.cms",
287 "-CAfile", catfile($smdir, "smroot.pem") ]
290 [ "enveloped content test streaming S/MIME format, DES, 3 recipients, keyid",
291 [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
292 "-stream", "-out", "{output}.cms", "-keyid",
293 catfile($smdir, "smrsa1.pem"),
294 catfile($smdir, "smrsa2.pem"),
295 catfile($smdir, "smrsa3.pem") ],
296 [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"),
297 "-in", "{output}.cms", "-out", "{output}.txt" ],
# Two KEK (pre-shared key-encryption key) round trips: encrypt with
# -secretkey/-secretkeyid, then decrypt with the same pair.
# The -secretkey value is 32 hex digits (16 bytes, a 128-bit key) and is a
# fixed sequential test vector, not a secret.
# NOTE(review): the test name says AES-256-CBC but the command passes
# "-aes128"; the name and the cipher flag disagree - confirm which is intended.
301 [ "enveloped content test streaming PEM format, AES-256-CBC cipher, KEK",
302 [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128",
303 "-stream", "-out", "{output}.cms",
304 "-secretkey", "000102030405060708090A0B0C0D0E0F",
305 "-secretkeyid", "C0FEE0" ],
306 [ "{cmd2}", @prov, "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
308 "-secretkey", "000102030405060708090A0B0C0D0E0F",
309 "-secretkeyid", "C0FEE0" ],
# NOTE(review): same mismatch here - the name says AES-256-GCM, the flag is
# "-aes-128-gcm".
313 [ "enveloped content test streaming PEM format, AES-256-GCM cipher, KEK",
314 [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes-128-gcm",
315 "-stream", "-out", "{output}.cms",
316 "-secretkey", "000102030405060708090A0B0C0D0E0F",
317 "-secretkeyid", "C0FEE0" ],
# NOTE(review): unlike the CBC case above, this decrypt step does not pass
# @prov, so it runs without the -provider-path/-provider arguments that the
# encrypt step gets. Presumably deliberate - TODO confirm, because the two
# halves of this round trip are then not exercised against the same provider
# selection.
318 [ "{cmd2}", "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
320 "-secretkey", "000102030405060708090A0B0C0D0E0F",
321 "-secretkeyid", "C0FEE0" ],
325 [ "enveloped content test streaming PEM format, KEK, key only",
326 [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128",
327 "-stream", "-out", "{output}.cms",
328 "-secretkey", "000102030405060708090A0B0C0D0E0F",
329 "-secretkeyid", "C0FEE0" ],
330 [ "{cmd2}", @prov, "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
332 "-secretkey", "000102030405060708090A0B0C0D0E0F" ],
336 [ "data content test streaming PEM format",
337 [ "{cmd1}", @prov, "-data_create", "-in", $smcont, "-outform", "PEM",
338 "-nodetach", "-stream", "-out", "{output}.cms" ],
339 [ "{cmd2}", @prov, "-data_out", "-in", "{output}.cms", "-inform", "PEM",
340 "-out", "{output}.txt" ],
344 [ "encrypted content test streaming PEM format, 128 bit RC2 key",
345 [ "{cmd1}", @legacyprov, "-EncryptedData_encrypt",
346 "-in", $smcont, "-outform", "PEM",
347 "-rc2", "-secretkey", "000102030405060708090A0B0C0D0E0F",
348 "-stream", "-out", "{output}.cms" ],
349 [ "{cmd2}", @legacyprov, "-EncryptedData_decrypt", "-in", "{output}.cms",
351 "-secretkey", "000102030405060708090A0B0C0D0E0F",
352 "-out", "{output}.txt" ],
356 [ "encrypted content test streaming PEM format, 40 bit RC2 key",
357 [ "{cmd1}", @legacyprov, "-EncryptedData_encrypt",
358 "-in", $smcont, "-outform", "PEM",
359 "-rc2", "-secretkey", "0001020304",
360 "-stream", "-out", "{output}.cms" ],
361 [ "{cmd2}", @legacyprov, "-EncryptedData_decrypt", "-in", "{output}.cms",
363 "-secretkey", "0001020304", "-out", "{output}.txt" ],
367 [ "encrypted content test streaming PEM format, triple DES key",
368 [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
369 "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
370 "-stream", "-out", "{output}.cms" ],
371 [ "{cmd2}", @prov, "-EncryptedData_decrypt", "-in", "{output}.cms",
373 "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
374 "-out", "{output}.txt" ],
378 [ "encrypted content test streaming PEM format, 128 bit AES key",
379 [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
380 "-aes128", "-secretkey", "000102030405060708090A0B0C0D0E0F",
381 "-stream", "-out", "{output}.cms" ],
382 [ "{cmd2}", @prov, "-EncryptedData_decrypt", "-in", "{output}.cms",
384 "-secretkey", "000102030405060708090A0B0C0D0E0F",
385 "-out", "{output}.txt" ],
390 my @smime_cms_cades_tests = (
392 [ "signed content DER format, RSA key, CAdES-BES compatible",
393 [ "{cmd1}", @prov, "-sign", "-cades", "-in", $smcont, "-outform", "DER",
395 "-certfile", catfile($smdir, "smroot.pem"),
396 "-signer", catfile($smdir, "smrsa1.pem"), "-out", "{output}.cms" ],
397 [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
398 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
402 [ "signed content DER format, RSA key, SHA256 md, CAdES-BES compatible",
403 [ "{cmd1}", @prov, "-sign", "-cades", "-md", "sha256", "-in", $smcont, "-outform",
404 "DER", "-nodetach", "-certfile", catfile($smdir, "smroot.pem"),
405 "-signer", catfile($smdir, "smrsa1.pem"), "-out", "{output}.cms" ],
406 [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
407 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
411 [ "signed content DER format, RSA key, SHA512 md, CAdES-BES compatible",
412 [ "{cmd1}", @prov, "-sign", "-cades", "-md", "sha512", "-in", $smcont, "-outform",
413 "DER", "-nodetach", "-certfile", catfile($smdir, "smroot.pem"),
414 "-signer", catfile($smdir, "smrsa1.pem"), "-out", "{output}.cms" ],
415 [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
416 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
420 [ "signed content DER format, RSA key, SHA256 md, CAdES-BES compatible",
421 [ "{cmd1}", @prov, "-sign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256",
422 "-in", $smcont, "-outform", "DER",
423 "-certfile", catfile($smdir, "smroot.pem"),
424 "-signer", catfile($smdir, "smrsa1.pem"),
425 "-outform", "DER", "-out", "{output}.cms" ],
426 [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
427 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
431 [ "resigned content DER format, RSA key, SHA256 md, CAdES-BES compatible",
432 [ "{cmd1}", @prov, "-sign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256",
433 "-in", $smcont, "-outform", "DER",
434 "-certfile", catfile($smdir, "smroot.pem"),
435 "-signer", catfile($smdir, "smrsa1.pem"),
436 "-outform", "DER", "-out", "{output}.cms" ],
437 [ "{cmd1}", @prov, "-resign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256",
438 "-inform", "DER", "-in", "{output}.cms",
439 "-certfile", catfile($smdir, "smroot.pem"),
440 "-signer", catfile($smdir, "smrsa2.pem"),
441 "-outform", "DER", "-out", "{output}2.cms" ],
443 [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}2.cms", "-inform", "DER",
444 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
# Negative ("ko") CAdES cases. Each entry is [ name, sign-args, verify-args ].
# These argument lists carry no "{cmd1}"/"{cmd2}" placeholder: the
# "CAdES ko tests" subtest runs them directly as "openssl cms ..." and passes
# only when the sign command succeeds AND the verify command fails.
449 my @smime_cms_cades_ko_tests = (
450 [ "signed content DER format, RSA key, but verified as CAdES-BES compatible",
# Sign step: note there is no "-cades" here, so a plain CMS signature is made.
451 [ @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
452 "-certfile", catfile($smdir, "smroot.pem"),
453 "-signer", catfile($smdir, "smrsa1.pem"), "-out", "{output}.cms" ],
# Verify step: "-cades" is requested, and this command is expected to be
# rejected. A regression that lets it succeed would mean a non-CAdES signature
# is accepted under -cades verification.
454 [ @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
455 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
460 # cades options test - check that some combinations are rejected
461 my @smime_cms_cades_invalid_option_tests = (
463 [ "-cades", "-noattr" ],
465 [ "-verify", "-cades", "-noattr" ],
467 [ "-verify", "-cades", "-noverify" ],
471 my @smime_cms_comp_tests = (
473 [ "compressed content test streaming PEM format",
474 [ "{cmd1}", @prov, "-compress", "-in", $smcont, "-outform", "PEM", "-nodetach",
475 "-stream", "-out", "{output}.cms" ],
476 [ "{cmd2}", @prov, "-uncompress", "-in", "{output}.cms", "-inform", "PEM",
477 "-out", "{output}.txt" ],
483 my @smime_cms_param_tests = (
484 [ "signed content test streaming PEM format, RSA keys, PSS signature",
485 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
486 "-signer", catfile($smdir, "smrsa1.pem"),
487 "-keyopt", "rsa_padding_mode:pss",
488 "-out", "{output}.cms" ],
489 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
490 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
494 [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=max",
495 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
496 "-signer", catfile($smdir, "smrsa1.pem"),
497 "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:max",
498 "-out", "{output}.cms" ],
499 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
500 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
504 [ "signed content test streaming PEM format, RSA keys, PSS signature, no attributes",
505 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
507 "-signer", catfile($smdir, "smrsa1.pem"),
508 "-keyopt", "rsa_padding_mode:pss",
509 "-out", "{output}.cms" ],
510 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
511 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
515 [ "signed content test streaming PEM format, RSA keys, PSS signature, SHA384 MGF1",
516 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
517 "-signer", catfile($smdir, "smrsa1.pem"),
518 "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_mgf1_md:sha384",
519 "-out", "{output}.cms" ],
520 [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
521 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
525 [ "enveloped content test streaming S/MIME format, DES, OAEP default parameters",
526 [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
527 "-stream", "-out", "{output}.cms",
528 "-recip", catfile($smdir, "smrsa1.pem"),
529 "-keyopt", "rsa_padding_mode:oaep" ],
530 [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"),
531 "-in", "{output}.cms", "-out", "{output}.txt" ],
535 [ "enveloped content test streaming S/MIME format, DES, OAEP SHA256",
536 [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
537 "-stream", "-out", "{output}.cms",
538 "-recip", catfile($smdir, "smrsa1.pem"),
539 "-keyopt", "rsa_padding_mode:oaep",
540 "-keyopt", "rsa_oaep_md:sha256" ],
541 [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"),
542 "-in", "{output}.cms", "-out", "{output}.txt" ],
546 [ "enveloped content test streaming S/MIME format, DES, ECDH",
547 [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
548 "-stream", "-out", "{output}.cms",
549 "-recip", catfile($smdir, "smec1.pem") ],
550 [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
551 "-in", "{output}.cms", "-out", "{output}.txt" ],
555 [ "enveloped content test streaming S/MIME format, DES, ECDH, 2 recipients, key only used",
556 [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
557 "-stream", "-out", "{output}.cms",
558 catfile($smdir, "smec1.pem"),
559 catfile($smdir, "smec3.pem") ],
560 [ "{cmd2}", @defaultprov, "-decrypt", "-inkey", catfile($smdir, "smec3.pem"),
561 "-in", "{output}.cms", "-out", "{output}.txt" ],
565 [ "enveloped content test streaming S/MIME format, ECDH, DES, key identifier",
566 [ "{cmd1}", @defaultprov, "-encrypt", "-keyid", "-in", $smcont,
567 "-stream", "-out", "{output}.cms",
568 "-recip", catfile($smdir, "smec1.pem") ],
569 [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
570 "-in", "{output}.cms", "-out", "{output}.txt" ],
574 [ "enveloped content test streaming S/MIME format, ECDH, AES-128-CBC, SHA256 KDF",
575 [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
576 "-stream", "-out", "{output}.cms",
577 "-recip", catfile($smdir, "smec1.pem"), "-aes128",
578 "-keyopt", "ecdh_kdf_md:sha256" ],
579 [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
580 "-in", "{output}.cms", "-out", "{output}.txt" ],
# ECDH key agreement with an AEAD content cipher: encrypt to the smec1.pem
# recipient with -aes-128-gcm and a SHA256 KDF, then decrypt with the same key.
584 [ "enveloped content test streaming S/MIME format, ECDH, AES-128-GCM cipher, SHA256 KDF",
585 [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
586 "-stream", "-out", "{output}.cms",
587 "-recip", catfile($smdir, "smec1.pem"), "-aes-128-gcm", "-keyopt", "ecdh_kdf_md:sha256" ],
# NOTE(review): this decrypt step omits @prov, unlike the neighbouring
# ECDH/AES-128-CBC case, so it does not receive the -provider-path/-provider
# arguments used for encryption. Presumably deliberate - TODO confirm.
588 [ "{cmd2}", "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
589 "-in", "{output}.cms", "-out", "{output}.txt" ],
593 [ "enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH",
594 [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
595 "-stream", "-out", "{output}.cms",
596 "-recip", catfile($smdir, "smec2.pem"), "-aes128",
597 "-keyopt", "ecdh_kdf_md:sha256", "-keyopt", "ecdh_cofactor_mode:1" ],
598 [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smec2.pem"),
599 "-in", "{output}.cms", "-out", "{output}.txt" ],
603 # TODO(3.0) Add this test back in when "dhpublicnumber" is supported
605 #[ "enveloped content test streaming S/MIME format, X9.42 DH",
606 # [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
607 # "-stream", "-out", "{output}.cms",
608 # "-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
609 # [ "{cmd2}", "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
610 # "-in", "{output}.cms", "-out", "{output}.txt" ],
615 my @contenttype_cms_test = (
616 [ "signed content test - check that content type is added to additional signerinfo, RSA keys",
617 [ "{cmd1}", @prov, "-sign", "-binary", "-nodetach", "-stream", "-in", $smcont,
619 "-signer", catfile($smdir, "smrsa1.pem"), "-md", "SHA256",
620 "-out", "{output}.cms" ],
621 [ "{cmd1}", @prov, "-resign", "-binary", "-nodetach", "-in", "{output}.cms",
622 "-inform", "DER", "-outform", "DER",
623 "-signer", catfile($smdir, "smrsa2.pem"), "-md", "SHA256",
624 "-out", "{output}2.cms" ],
625 sub { my %opts = @_; contentType_matches("$opts{output}2.cms") == 2; },
626 [ "{cmd2}", @prov, "-verify", "-in", "{output}2.cms", "-inform", "DER",
627 "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ]
# Fixture file names, resolved under $datadir by the "bad attributes" subtest.
# Each file is fed to "openssl cms -verify" with -inform DER, and the test
# passes only when verification FAILS, so these act as rejection tests for
# signer attributes the verifier must not accept.
631 my @incorrect_attribute_cms_test = (
632 "bad_signtime_attr.cms",
635 "ct_multiple_attr.cms"
638 # Runs a standard loop on the input array
# One iteration per test case. Element 0 of a case is its name; the remaining
# elements are the steps to run in order.
643 foreach (@{$opts{tests}}) {
# Output files are named from the caller's prefix plus a counter.
645 $opts{output} = "$opts{prefix}-$cnt1";
# The name decides whether the case is skipped for a disabled algorithm.
647 my $skip_reason = check_availability($$_[0]);
648 skip $skip_reason, 1 if $skip_reason;
# Delete any existing {output}.txt, repeating until unlink removes nothing;
# presumably so that a stale file from an earlier run cannot satisfy the
# final comparison against $smcont.
650 1 while unlink "$opts{output}.txt";
# Steps are either CODE refs (check callbacks) or argument lists for openssl.
652 foreach (@$_[1..$#$_]) {
653 if (ref $_ eq 'CODE') {
# Expand "{name}" placeholders ({cmd1}, {cmd2}, {output}) from %opts, using
# the pre-match ($`) and post-match ($') strings of the regex.
# NOTE(review): as shown, a placeholder whose name is not a key of %opts
# leaves $x unchanged, so this loop would never terminate. Every placeholder
# in the tables on this page is supplied by the callers, but a typo in a new
# test entry would hang the test rather than fail it.
658 while ($x =~ /\{([^\}]+)\}/) {
659 $x = $`.$opts{$1}.$' if exists $opts{$1};
# The full command line is echoed to the test log, including the -secretkey
# values, which are fixed test vectors in this file.
664 diag "CMD: openssl ", join(" ", @cmd);
# "&&=" short-circuits: once one step has failed, later commands in the same
# test case are not executed.
665 $ok &&= run(app(["openssl", @cmd]));
666 $opts{input} = $opts{output};
678 diag "Comparing $smcont with $opts{output}.txt";
679 return compare_text($smcont, "$opts{output}.txt") == 0;
682 subtest "CMS => PKCS#7 compatibility tests\n" => sub {
683 plan tests => scalar @smime_pkcs7_tests;
685 runner_loop(prefix => 'cms2pkcs7', cmd1 => 'cms', cmd2 => 'smime',
686 tests => [ @smime_pkcs7_tests ]);
688 subtest "CMS <= PKCS#7 compatibility tests\n" => sub {
689 plan tests => scalar @smime_pkcs7_tests;
691 runner_loop(prefix => 'pkcs72cms', cmd1 => 'smime', cmd2 => 'cms',
692 tests => [ @smime_pkcs7_tests ]);
695 subtest "CMS <=> CMS consistency tests\n" => sub {
696 plan tests => (scalar @smime_pkcs7_tests) + (scalar @smime_cms_tests);
698 runner_loop(prefix => 'cms2cms-1', cmd1 => 'cms', cmd2 => 'cms',
699 tests => [ @smime_pkcs7_tests ]);
700 runner_loop(prefix => 'cms2cms-2', cmd1 => 'cms', cmd2 => 'cms',
701 tests => [ @smime_cms_tests ]);
704 subtest "CMS <=> CMS consistency tests, modified key parameters\n" => sub {
706 (scalar @smime_cms_param_tests) + (scalar @smime_cms_comp_tests);
708 runner_loop(prefix => 'cms2cms-mod', cmd1 => 'cms', cmd2 => 'cms',
709 tests => [ @smime_cms_param_tests ]);
711 skip("Zlib not supported: compression tests skipped",
712 scalar @smime_cms_comp_tests)
715 runner_loop(prefix => 'cms2cms-comp', cmd1 => 'cms', cmd2 => 'cms',
716 tests => [ @smime_cms_comp_tests ]);
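# Returns the number of matches of a Content Type Attribute in a binary file.
#
# $in is the path of the file to scan; the caller on this page passes the
# DER output of a "cms -resign" step and expects a count of 2 (one attribute
# per signer). Dies if the file cannot be opened.
#
# This is a raw byte search, not an ASN.1 parse: it counts occurrences of one
# fixed encoding and says nothing about where in the structure they appear.
sub contentType_matches {
    my ($in) = @_;

    # Three-argument open with a lexical handle. The two-argument form
    # interprets the path string itself (leading mode or pipe characters,
    # surrounding whitespace), so a file name could change what gets opened;
    # here the path is always taken literally and opened read-only.
    open(my $hex_in, '<', $in) or die("open failed for $in : $!");
    binmode($hex_in);

    # Slurp the whole file; $/ is localised to this block only.
    my $str = do { local $/; <$hex_in> };
    close($hex_in);
    $str //= '';

    # Find ASN1 data for a Content Type Attribute (with a OID of PKCS7 data):
    #   30 18                              SEQUENCE, 24 bytes
    #   06 09 2A 86 48 86 F7 0D 01 09 03   OID 1.2.840.113549.1.9.3 (contentType)
    #   31 0B                              SET, 11 bytes
    #   06 09 2A 86 48 86 F7 0D 01 07 01   OID 1.2.840.113549.1.7.1 (data)
    my @c = $str =~ /\x30\x18\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x03\x31\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x01/gs;

    return scalar(@c);
}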
736 subtest "CMS Check the content type attribute is added for additional signers\n" => sub {
737 plan tests => (scalar @contenttype_cms_test);
739 runner_loop(prefix => 'cms2cms-added', cmd1 => 'cms', cmd2 => 'cms',
740 tests => [ @contenttype_cms_test ]);
743 subtest "CMS Check that bad attributes fail when verifying signers\n" => sub {
745 (scalar @incorrect_attribute_cms_test);
748 foreach my $name (@incorrect_attribute_cms_test) {
749 my $out = "incorrect-$cnt.txt";
751 ok(!run(app(["openssl", "cms", @prov, "-verify", "-in",
752 catfile($datadir, $name), "-inform", "DER", "-CAfile",
753 catfile($smdir, "smroot.pem"), "-out", $out ])),
758 subtest "CMS Decrypt message encrypted with OpenSSL 1.1.1\n" => sub {
762 skip "EC or DES isn't supported in this build", 1
763 if disabled("ec") || disabled("des");
765 my $out = "smtst.txt";
767 ok(run(app(["openssl", "cms", @defaultprov, "-decrypt",
768 "-inkey", catfile($smdir, "smec3.pem"),
769 "-in", catfile($datadir, "ciphertext_from_1_1_1.cms"),
771 && compare_text($smcont, $out) == 0,
772 "Decrypt message from OpenSSL 1.1.1");
776 subtest "CAdES <=> CAdES consistency tests\n" => sub {
777 plan tests => (scalar @smime_cms_cades_tests);
779 runner_loop(prefix => 'cms-cades', cmd1 => 'cms', cmd2 => 'cms',
780 tests => [ @smime_cms_cades_tests ]);
783 subtest "CAdES; cms incompatible arguments tests\n" => sub {
784 plan tests => (scalar @smime_cms_cades_invalid_option_tests);
786 foreach (@smime_cms_cades_invalid_option_tests) {
787 ok(!run(app(["openssl", "cms", @{$$_[0]} ] )));
791 subtest "CAdES ko tests\n" => sub {
792 plan tests => (scalar @smime_cms_cades_ko_tests);
794 foreach (@smime_cms_cades_ko_tests) {
796 my $skip_reason = check_availability($$_[0]);
797 skip $skip_reason, 1 if $skip_reason;
799 ok(run(app(["openssl", "cms", @{$$_[1]}]))
800 && !run(app(["openssl", "cms", @{$$_[2]}])),
# Maps a test name to a skip reason when the algorithm the name mentions is
# disabled in this build. Callers on this page pass element 0 of a test entry
# and skip the test when the returned string is true.
# The $no_* flags come from the disabled() call near the top of the file;
# $tnam is presumably the test name argument (its assignment is not shown).
# Matching is by substring of the test name, so a test only gets skipped if
# its name contains the expected keyword.
806 sub check_availability {
809 return "$tnam: skipped, EC disabled\n"
810 if ($no_ec && $tnam =~ /ECDH/);
# NOTE(review): this condition is identical to the one just above, so this
# return is never reached and the "ECDH disabled" message is never produced.
811 return "$tnam: skipped, ECDH disabled\n"
812 if ($no_ec && $tnam =~ /ECDH/);
# K-283 is a binary-field curve, hence the ec2m check.
813 return "$tnam: skipped, EC2M disabled\n"
814 if ($no_ec2m && $tnam =~ /K-283/);
815 return "$tnam: skipped, DH disabled\n"
816 if ($no_dh && $tnam =~ /X9\.42/);
817 return "$tnam: skipped, RC2 disabled\n"
818 if ($no_rc2 && $tnam =~ /RC2/);
819 return "$tnam: skipped, DES disabled\n"
820 if ($no_des && $tnam =~ /DES/);
# The leading space in the pattern keeps "ECDSA"-style substrings from
# matching; only a standalone " DSA" word in the name triggers the skip.
821 return "$tnam: skipped, DSA disabled\n"
822 if ($no_dsa && $tnam =~ / DSA/);