test/recipes/80-test_cms.t

   1 #! /usr/bin/env perl
   2 # Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
   3 #
   4 # Licensed under the Apache License 2.0 (the "License").  You may not use
   5 # this file except in compliance with the License.  You can obtain a copy
   6 # in the file LICENSE in the source distribution or at
   7 # https://www.openssl.org/source/license.html
   8
   9
  10 use strict;
  11 use warnings;
  12
  13 use POSIX;
  14 use File::Spec::Functions qw/catfile/;
  15 use File::Compare qw/compare_text compare/;
  16 use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with data_file/;
  17
  18 use OpenSSL::Test::Utils;
  19
  20 BEGIN {
  21     setup("test_cms");
  22 }
  23
  24 use lib srctop_dir('Configurations');
  25 use lib bldtop_dir('.');
  26
  27 my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
  28
  29 plan skip_all => "CMS is not supported by this OpenSSL build"
  30     if disabled("cms");
  31
  32 my $provpath = bldtop_dir("providers");
  33
  34 # Some tests require legacy algorithms to be included.
  35 my @legacyprov = ("-provider-path", $provpath,
  36                   "-provider", "default",
  37                   "-provider", "legacy" );
  38 my @defaultprov = ("-provider-path", $provpath,
  39                    "-provider", "default");
  40
  41 my @config = ( );
  42 my $provname = 'default';
  43
  44 my $datadir = srctop_dir("test", "recipes", "80-test_cms_data");
  45 my $smdir    = srctop_dir("test", "smime-certs");
  46 my $smcont   = srctop_file("test", "smcont.txt");
  47 my $smcont_zero = srctop_file("test", "smcont_zero.txt");
  48 my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
  49     = disabled qw/des dh dsa ec ec2m rc2 zlib/;
  50
  51 $no_rc2 = 1 if disabled("legacy");
  52
  53 plan tests => 23;
  54
  55 ok(run(test(["pkcs7_test"])), "test pkcs7");
  56
  57 unless ($no_fips) {
  58     @config = ( "-config", srctop_file("test", "fips-and-base.cnf") );
  59     $provname = 'fips';
  60 }
  61
  62 $ENV{OPENSSL_TEST_LIBCTX} = "1";
  63 my @prov = ("-provider-path", $provpath,
  64             @config,
  65             "-provider", $provname);
  66
  67 my $smrsa1024 = catfile($smdir, "smrsa1024.pem");
  68 my $smrsa1 = catfile($smdir, "smrsa1.pem");
  69 my $smroot = catfile($smdir, "smroot.pem");
  70
  71 my @smime_pkcs7_tests = (
  72
  73     [ "signed content DER format, RSA key",
  74       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
  75         "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
  76       [ "{cmd2}",  @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
  77         "-CAfile", $smroot, "-out", "{output}.txt" ],
  78       \&final_compare
  79     ],
  80
  81     [ "signed detached content DER format, RSA key",
  82       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
  83         "-signer", $smrsa1, "-out", "{output}.cms" ],
  84       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
  85         "-CAfile", $smroot, "-out", "{output}.txt",
  86         "-content", $smcont ],
  87       \&final_compare
  88     ],
  89
  90     [ "signed content test streaming BER format, RSA",
  91       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
  92         "-stream",
  93         "-signer", $smrsa1, "-out", "{output}.cms" ],
  94       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
  95         "-CAfile", $smroot, "-out", "{output}.txt" ],
  96       \&final_compare
  97     ],
  98
  99     [ "signed content DER format, DSA key",
 100       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
 101         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
 102       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
 103         "-CAfile", $smroot, "-out", "{output}.txt" ],
 104       \&final_compare
 105     ],
 106
 107     [ "signed detached content DER format, DSA key",
 108       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
 109         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
 110       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
 111         "-CAfile", $smroot, "-out", "{output}.txt",
 112         "-content", $smcont ],
 113       \&final_compare
 114     ],
 115
 116     [ "signed detached content DER format, add RSA signer (with DSA existing)",
 117       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
 118         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
 119       [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
 120         "-signer", $smrsa1, "-out", "{output}2.cms" ],
 121       [ "{cmd2}", @prov, "-verify", "-in", "{output}2.cms", "-inform", "DER",
 122         "-CAfile", $smroot, "-out", "{output}.txt",
 123         "-content", $smcont ],
 124       \&final_compare
 125     ],
 126
 127     [ "signed content test streaming BER format, DSA key",
 128       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
 129         "-nodetach", "-stream",
 130         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
 131       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
 132         "-CAfile", $smroot, "-out", "{output}.txt" ],
 133       \&final_compare
 134     ],
 135
 136     [ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
 137       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
 138         "-nodetach", "-stream",
 139         "-signer", $smrsa1,
 140         "-signer", catfile($smdir, "smrsa2.pem"),
 141         "-signer", catfile($smdir, "smdsa1.pem"),
 142         "-signer", catfile($smdir, "smdsa2.pem"),
 143         "-out", "{output}.cms" ],
 144       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
 145         "-CAfile", $smroot, "-out", "{output}.txt" ],
 146       \&final_compare
 147     ],
 148
 149     [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
 150       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
 151         "-noattr", "-nodetach", "-stream",
 152         "-signer", $smrsa1,
 153         "-signer", catfile($smdir, "smrsa2.pem"),
 154         "-signer", catfile($smdir, "smdsa1.pem"),
 155         "-signer", catfile($smdir, "smdsa2.pem"),
 156         "-out", "{output}.cms" ],
 157       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
 158         "-CAfile", $smroot, "-out", "{output}.txt" ],
 159       \&final_compare
 160     ],
 161
 162     [ "signed content S/MIME format, RSA key SHA1",
 163       [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
 164         "-certfile", $smroot,
 165         "-signer", $smrsa1, "-out", "{output}.cms" ],
 166       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
 167         "-CAfile", $smroot, "-out", "{output}.txt" ],
 168       \&final_compare
 169     ],
 170
 171     [ "signed zero-length content S/MIME format, RSA key SHA1",
 172       [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",
 173         "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
 174       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
 175         "-CAfile", $smroot, "-out", "{output}.txt" ],
 176       \&zero_compare
 177     ],
 178
 179     [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
 180       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
 181         "-signer", $smrsa1,
 182         "-signer", catfile($smdir, "smrsa2.pem"),
 183         "-signer", catfile($smdir, "smdsa1.pem"),
 184         "-signer", catfile($smdir, "smdsa2.pem"),
 185         "-stream", "-out", "{output}.cms" ],
 186       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
 187         "-CAfile", $smroot, "-out", "{output}.txt" ],
 188       \&final_compare
 189     ],
 190
 191     [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
 192       [ "{cmd1}", @prov, "-sign", "-in", $smcont,
 193         "-signer", $smrsa1,
 194         "-signer", catfile($smdir, "smrsa2.pem"),
 195         "-signer", catfile($smdir, "smdsa1.pem"),
 196         "-signer", catfile($smdir, "smdsa2.pem"),
 197         "-stream", "-out", "{output}.cms" ],
 198       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
 199         "-CAfile", $smroot, "-out", "{output}.txt" ],
 200       \&final_compare
 201     ],
 202
 203     [ "enveloped content test streaming S/MIME format, DES, 3 recipients",
 204       [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
 205         "-stream", "-out", "{output}.cms",
 206         $smrsa1,
 207         catfile($smdir, "smrsa2.pem"),
 208         catfile($smdir, "smrsa3.pem") ],
 209       [ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
 210         "-in", "{output}.cms", "-out", "{output}.txt" ],
 211       \&final_compare
 212     ],
 213
 214     [ "enveloped content test streaming S/MIME format, DES, 3 recipients, 3rd used",
 215       [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
 216         "-stream", "-out", "{output}.cms",
 217         $smrsa1,
 218         catfile($smdir, "smrsa2.pem"),
 219         catfile($smdir, "smrsa3.pem") ],
 220       [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smrsa3.pem"),
 221         "-in", "{output}.cms", "-out", "{output}.txt" ],
 222       \&final_compare
 223     ],
 224
 225     [ "enveloped content test streaming S/MIME format, DES, 3 recipients, cert and key files used",
 226       [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
 227         "-stream", "-out", "{output}.cms",
 228         $smrsa1,
 229         catfile($smdir, "smrsa2.pem"),
 230         catfile($smdir, "smrsa3-cert.pem") ],
 231       [ "{cmd2}", @defaultprov, "-decrypt",
 232         "-recip", catfile($smdir, "smrsa3-cert.pem"),
 233         "-inkey", catfile($smdir, "smrsa3-key.pem"),
 234         "-in", "{output}.cms", "-out", "{output}.txt" ],
 235       \&final_compare
 236     ],
 237
 238     [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
 239       [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
 240         "-aes256", "-stream", "-out", "{output}.cms",
 241         $smrsa1,
 242         catfile($smdir, "smrsa2.pem"),
 243         catfile($smdir, "smrsa3.pem") ],
 244       [ "{cmd2}", @prov, "-decrypt", "-recip", $smrsa1,
 245         "-in", "{output}.cms", "-out", "{output}.txt" ],
 246       \&final_compare
 247     ],
 248
 249 );
 250
 251 my @smime_cms_tests = (
 252
 253     [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
 254       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
 255         "-nodetach", "-keyid",
 256         "-signer", $smrsa1,
 257         "-signer", catfile($smdir, "smrsa2.pem"),
 258         "-signer", catfile($smdir, "smdsa1.pem"),
 259         "-signer", catfile($smdir, "smdsa2.pem"),
 260         "-stream", "-out", "{output}.cms" ],
 261       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
 262         "-CAfile", $smroot, "-out", "{output}.txt" ],
 263       \&final_compare
 264     ],
 265
 266     [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
 267       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
 268         "-signer", $smrsa1,
 269         "-signer", catfile($smdir, "smrsa2.pem"),
 270         "-signer", catfile($smdir, "smdsa1.pem"),
 271         "-signer", catfile($smdir, "smdsa2.pem"),
 272         "-stream", "-out", "{output}.cms" ],
 273       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
 274         "-CAfile", $smroot, "-out", "{output}.txt" ],
 275       \&final_compare
 276     ],
 277
 278     [ "signed content MIME format, RSA key, signed receipt request",
 279       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
 280         "-signer", $smrsa1,
 281         "-receipt_request_to", "test\@openssl.org", "-receipt_request_all",
 282         "-out", "{output}.cms" ],
 283       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
 284         "-CAfile", $smroot, "-out", "{output}.txt" ],
 285       \&final_compare
 286     ],
 287
 288     [ "signed receipt MIME format, RSA key",
 289       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
 290         "-signer", $smrsa1,
 291         "-receipt_request_to", "test\@openssl.org", "-receipt_request_all",
 292         "-out", "{output}.cms" ],
 293       [ "{cmd1}", @prov, "-sign_receipt", "-in", "{output}.cms",
 294         "-signer", catfile($smdir, "smrsa2.pem"), "-out", "{output}2.cms" ],
 295       [ "{cmd2}", @prov, "-verify_receipt", "{output}2.cms", "-in", "{output}.cms",
 296         "-CAfile", $smroot ]
 297     ],
 298
 299     [ "enveloped content test streaming S/MIME format, DES, 3 recipients, keyid",
 300       [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
 301         "-stream", "-out", "{output}.cms", "-keyid",
 302         $smrsa1,
 303         catfile($smdir, "smrsa2.pem"),
 304         catfile($smdir, "smrsa3.pem") ],
 305       [ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
 306         "-in", "{output}.cms", "-out", "{output}.txt" ],
 307       \&final_compare
 308     ],
 309
 310     [ "enveloped content test streaming PEM format, AES-256-CBC cipher, KEK",
 311       [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128",
 312         "-stream", "-out", "{output}.cms",
 313         "-secretkey", "000102030405060708090A0B0C0D0E0F",
 314         "-secretkeyid", "C0FEE0" ],
 315       [ "{cmd2}", @prov, "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
 316         "-inform", "PEM",
 317         "-secretkey", "000102030405060708090A0B0C0D0E0F",
 318         "-secretkeyid", "C0FEE0" ],
 319       \&final_compare
 320     ],
 321
 322     [ "enveloped content test streaming PEM format, AES-256-GCM cipher, KEK",
 323       [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes-128-gcm",
 324         "-stream", "-out", "{output}.cms",
 325         "-secretkey", "000102030405060708090A0B0C0D0E0F",
 326         "-secretkeyid", "C0FEE0" ],
 327       [ "{cmd2}", "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
 328         "-inform", "PEM",
 329         "-secretkey", "000102030405060708090A0B0C0D0E0F",
 330         "-secretkeyid", "C0FEE0" ],
 331       \&final_compare
 332     ],
 333
 334     [ "enveloped content test streaming PEM format, KEK, key only",
 335       [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128",
 336         "-stream", "-out", "{output}.cms",
 337         "-secretkey", "000102030405060708090A0B0C0D0E0F",
 338         "-secretkeyid", "C0FEE0" ],
 339       [ "{cmd2}", @prov, "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
 340         "-inform", "PEM",
 341         "-secretkey", "000102030405060708090A0B0C0D0E0F" ],
 342       \&final_compare
 343     ],
 344
 345     [ "data content test streaming PEM format",
 346       [ "{cmd1}", @prov, "-data_create", "-in", $smcont, "-outform", "PEM",
 347         "-nodetach", "-stream", "-out", "{output}.cms" ],
 348       [ "{cmd2}", @prov, "-data_out", "-in", "{output}.cms", "-inform", "PEM",
 349         "-out", "{output}.txt" ],
 350       \&final_compare
 351     ],
 352
 353     [ "encrypted content test streaming PEM format, 128 bit RC2 key",
 354       [ "{cmd1}", @legacyprov, "-EncryptedData_encrypt",
 355         "-in", $smcont, "-outform", "PEM",
 356         "-rc2", "-secretkey", "000102030405060708090A0B0C0D0E0F",
 357         "-stream", "-out", "{output}.cms" ],
 358       [ "{cmd2}", @legacyprov, "-EncryptedData_decrypt", "-in", "{output}.cms",
 359         "-inform", "PEM",
 360         "-secretkey", "000102030405060708090A0B0C0D0E0F",
 361         "-out", "{output}.txt" ],
 362       \&final_compare
 363     ],
 364
 365     [ "encrypted content test streaming PEM format, 40 bit RC2 key",
 366       [ "{cmd1}", @legacyprov, "-EncryptedData_encrypt",
 367         "-in", $smcont, "-outform", "PEM",
 368         "-rc2", "-secretkey", "0001020304",
 369         "-stream", "-out", "{output}.cms" ],
 370       [ "{cmd2}", @legacyprov, "-EncryptedData_decrypt", "-in", "{output}.cms",
 371         "-inform", "PEM",
 372         "-secretkey", "0001020304", "-out", "{output}.txt" ],
 373       \&final_compare
 374     ],
 375
 376     [ "encrypted content test streaming PEM format, triple DES key",
 377       [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
 378         "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
 379         "-stream", "-out", "{output}.cms" ],
 380       [ "{cmd2}", @prov, "-EncryptedData_decrypt", "-in", "{output}.cms",
 381         "-inform", "PEM",
 382         "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
 383         "-out", "{output}.txt" ],
 384       \&final_compare
 385     ],
 386
 387     [ "encrypted content test streaming PEM format, 128 bit AES key",
 388       [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
 389         "-aes128", "-secretkey", "000102030405060708090A0B0C0D0E0F",
 390         "-stream", "-out", "{output}.cms" ],
 391       [ "{cmd2}", @prov, "-EncryptedData_decrypt", "-in", "{output}.cms",
 392         "-inform", "PEM",
 393         "-secretkey", "000102030405060708090A0B0C0D0E0F",
 394         "-out", "{output}.txt" ],
 395       \&final_compare
 396     ],
 397 );
 398
 399 my @smime_cms_cades_tests = (
 400
 401     [ "signed content DER format, RSA key, CAdES-BES compatible",
 402       [ "{cmd1}", @prov, "-sign", "-cades", "-in", $smcont, "-outform", "DER",
 403          "-nodetach",
 404         "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
 405       [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
 406         "-CAfile", $smroot, "-out", "{output}.txt" ],
 407       \&final_compare
 408     ],
 409
 410     [ "signed content DER format, RSA key, SHA256 md, CAdES-BES compatible",
 411       [ "{cmd1}", @prov, "-sign", "-cades", "-md", "sha256", "-in", $smcont, "-outform",
 412         "DER", "-nodetach", "-certfile", $smroot,
 413         "-signer", $smrsa1, "-out", "{output}.cms" ],
 414       [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
 415         "-CAfile", $smroot, "-out", "{output}.txt" ],
 416       \&final_compare
 417     ],
 418
 419     [ "signed content DER format, RSA key, SHA512 md, CAdES-BES compatible",
 420       [ "{cmd1}", @prov, "-sign", "-cades", "-md", "sha512", "-in", $smcont, "-outform",
 421         "DER", "-nodetach", "-certfile", $smroot,
 422         "-signer", $smrsa1, "-out", "{output}.cms" ],
 423       [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
 424         "-CAfile", $smroot, "-out", "{output}.txt" ],
 425       \&final_compare
 426     ],
 427
 428     [ "signed content DER format, RSA key, SHA256 md, CAdES-BES compatible",
 429       [ "{cmd1}", @prov, "-sign", "-cades", "-binary",  "-nodetach", "-nosmimecap", "-md", "sha256",
 430         "-in", $smcont, "-outform", "DER",
 431         "-certfile", $smroot, "-signer", $smrsa1,
 432         "-outform", "DER", "-out", "{output}.cms"  ],
 433       [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
 434         "-CAfile", $smroot, "-out", "{output}.txt" ],
 435       \&final_compare
 436     ],
 437
 438     [ "resigned content DER format, RSA key, SHA256 md, CAdES-BES compatible",
 439       [ "{cmd1}", @prov, "-sign", "-cades", "-binary",  "-nodetach", "-nosmimecap", "-md", "sha256",
 440         "-in", $smcont, "-outform", "DER",
 441         "-certfile", $smroot, "-signer", $smrsa1,
 442         "-outform", "DER", "-out", "{output}.cms"  ],
 443       [ "{cmd1}", @prov, "-resign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256",
 444         "-inform", "DER", "-in", "{output}.cms",
 445         "-certfile", $smroot, "-signer", catfile($smdir, "smrsa2.pem"),
 446         "-outform", "DER", "-out", "{output}2.cms" ],
 447
 448       [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}2.cms", "-inform", "DER",
 449         "-CAfile", $smroot, "-out", "{output}.txt" ],
 450       \&final_compare
 451     ],
 452 );
 453
 454 my @smime_cms_cades_ko_tests = (
 455     [ "sign content DER format, RSA key, not CAdES-BES compatible",
 456       [ @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
 457         "-certfile", $smroot, "-signer", $smrsa1, "-out", "cades-ko.cms" ],
 458       "fail to verify token since requiring CAdES-BES compatibility",
 459       [ @prov, "-verify", "-cades", "-in", "cades-ko.cms", "-inform", "DER",
 460         "-CAfile", $smroot, "-out", "cades-ko.txt" ],
 461       \&final_compare
 462     ]
 463 );
 464
 465 # cades options test - check that some combinations are rejected
 466 my @smime_cms_cades_invalid_option_tests = (
 467     [
 468         [ "-cades", "-noattr" ],
 469     ],[
 470         [ "-verify", "-cades", "-noattr" ],
 471     ],[
 472         [ "-verify", "-cades", "-noverify" ],
 473     ],
 474 );
 475
 476 my @smime_cms_comp_tests = (
 477
 478     [ "compressed content test streaming PEM format",
 479       [ "{cmd1}", @prov, "-compress", "-in", $smcont, "-outform", "PEM", "-nodetach",
 480         "-stream", "-out", "{output}.cms" ],
 481       [ "{cmd2}", @prov, "-uncompress", "-in", "{output}.cms", "-inform", "PEM",
 482         "-out", "{output}.txt" ],
 483       \&final_compare
 484     ]
 485
 486 );
 487
 488 my @smime_cms_param_tests = (
 489     [ "signed content test streaming PEM format, RSA keys, PSS signature",
 490       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
 491         "-signer", $smrsa1,
 492         "-keyopt", "rsa_padding_mode:pss",
 493         "-out", "{output}.cms" ],
 494       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
 495         "-CAfile", $smroot, "-out", "{output}.txt" ],
 496       \&final_compare
 497     ],
 498
 499     [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=max",
 500       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
 501         "-signer", $smrsa1,
 502         "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:max",
 503         "-out", "{output}.cms" ],
 504       sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 222; },
 505       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
 506         "-CAfile", $smroot, "-out", "{output}.txt" ],
 507       \&final_compare
 508     ],
 509
 510     [ "signed content test streaming PEM format, RSA keys, PSS signature, no attributes",
 511       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
 512         "-noattr", "-signer", $smrsa1,
 513         "-keyopt", "rsa_padding_mode:pss",
 514         "-out", "{output}.cms" ],
 515       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
 516         "-CAfile", $smroot, "-out", "{output}.txt" ],
 517       \&final_compare
 518     ],
 519
 520     [ "signed content test streaming PEM format, RSA keys, PSS signature, SHA384 MGF1",
 521       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
 522         "-signer", $smrsa1,
 523         "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_mgf1_md:sha384",
 524         "-out", "{output}.cms" ],
 525       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
 526         "-CAfile", $smroot, "-out", "{output}.txt" ],
 527       \&final_compare
 528     ],
 529
 530     [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=16",
 531       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
 532         "-signer", $smrsa1, "-md", "sha256",
 533         "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:16",
 534         "-out", "{output}.cms" ],
 535       sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 16; },
 536       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
 537         "-CAfile", $smroot, "-out", "{output}.txt" ],
 538       \&final_compare
 539     ],
 540
 541     [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=digest",
 542       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
 543         "-signer", $smrsa1, "-md", "sha256",
 544         "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:digest",
 545         "-out", "{output}.cms" ],
 546       # digest is SHA-256, which produces 32 bytes of output
 547       sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 32; },
 548       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
 549         "-CAfile", $smroot, "-out", "{output}.txt" ],
 550       \&final_compare
 551     ],
 552
 553     [ "enveloped content test streaming S/MIME format, DES, OAEP default parameters",
 554       [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
 555         "-stream", "-out", "{output}.cms",
 556         "-recip", $smrsa1,
 557         "-keyopt", "rsa_padding_mode:oaep" ],
 558       [ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
 559         "-in", "{output}.cms", "-out", "{output}.txt" ],
 560       \&final_compare
 561     ],
 562
 563     [ "enveloped content test streaming S/MIME format, DES, OAEP SHA256",
 564       [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
 565         "-stream", "-out", "{output}.cms",
 566         "-recip", $smrsa1,
 567         "-keyopt", "rsa_padding_mode:oaep",
 568         "-keyopt", "rsa_oaep_md:sha256" ],
 569       [ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
 570         "-in", "{output}.cms", "-out", "{output}.txt" ],
 571       \&final_compare
 572     ],
 573
 574     [ "enveloped content test streaming S/MIME format, DES, ECDH",
 575       [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
 576         "-stream", "-out", "{output}.cms",
 577         "-recip", catfile($smdir, "smec1.pem") ],
 578       [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
 579         "-in", "{output}.cms", "-out", "{output}.txt" ],
 580       \&final_compare
 581     ],
 582
 583     [ "enveloped content test streaming S/MIME format, DES, ECDH, 2 recipients, key only used",
 584       [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
 585         "-stream", "-out", "{output}.cms",
 586         catfile($smdir, "smec1.pem"),
 587         catfile($smdir, "smec3.pem") ],
 588       [ "{cmd2}", @defaultprov, "-decrypt", "-inkey", catfile($smdir, "smec3.pem"),
 589         "-in", "{output}.cms", "-out", "{output}.txt" ],
 590       \&final_compare
 591     ],
 592
 593     [ "enveloped content test streaming S/MIME format, ECDH, DES, key identifier",
 594       [ "{cmd1}", @defaultprov, "-encrypt", "-keyid", "-in", $smcont,
 595         "-stream", "-out", "{output}.cms",
 596         "-recip", catfile($smdir, "smec1.pem") ],
 597       [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
 598         "-in", "{output}.cms", "-out", "{output}.txt" ],
 599       \&final_compare
 600     ],
 601
 602     [ "enveloped content test streaming S/MIME format, ECDH, AES-128-CBC, SHA256 KDF",
 603       [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
 604         "-stream", "-out", "{output}.cms",
 605         "-recip", catfile($smdir, "smec1.pem"), "-aes128",
 606         "-keyopt", "ecdh_kdf_md:sha256" ],
 607       [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
 608         "-in", "{output}.cms", "-out", "{output}.txt" ],
 609       \&final_compare
 610     ],
 611
 612     [ "enveloped content test streaming S/MIME format, ECDH, AES-128-GCM cipher, SHA256 KDF",
 613       [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
 614         "-stream", "-out", "{output}.cms",
 615         "-recip", catfile($smdir, "smec1.pem"), "-aes-128-gcm", "-keyopt", "ecdh_kdf_md:sha256" ],
 616       [ "{cmd2}", "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
 617         "-in", "{output}.cms", "-out", "{output}.txt" ],
 618       \&final_compare
 619     ],
 620
 621     [ "enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH",
 622       [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
 623         "-stream", "-out", "{output}.cms",
 624         "-recip", catfile($smdir, "smec2.pem"), "-aes128",
 625         "-keyopt", "ecdh_kdf_md:sha256", "-keyopt", "ecdh_cofactor_mode:1" ],
 626       [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smec2.pem"),
 627         "-in", "{output}.cms", "-out", "{output}.txt" ],
 628       \&final_compare
 629     ],
 630
 631     [ "enveloped content test streaming S/MIME format, X9.42 DH",
 632       [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
 633         "-stream", "-out", "{output}.cms",
 634         "-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
 635       [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
 636         "-in", "{output}.cms", "-out", "{output}.txt" ],
 637       \&final_compare
 638     ]
 639 );
 640
 641 my @smime_cms_param_tests_autodigestmax = (
 642     [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=auto-digestmax, digestsize < maximum salt length",
 643       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
 644         "-signer", $smrsa1, "-md", "sha256",
 645         "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:auto-digestmax",
 646         "-out", "{output}.cms" ],
 647       # digest is SHA-256, which produces 32, bytes of output
 648       sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 32; },
 649       [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
 650         "-CAfile", $smroot, "-out", "{output}.txt" ],
 651       \&final_compare
 652     ],
 653
 654     [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=auto-digestmax, digestsize > maximum salt length",
 655       [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
 656         "-signer", $smrsa1024, "-md", "sha512",
 657         "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:auto-digestmax",
 658         "-out", "{output}.cms" ],
 659       # digest is SHA-512, which produces 64, bytes of output, but an RSA-PSS
 660       # signature with a 1024 bit RSA key can only accommodate 62
 661       sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 62; },
 662       [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
 663         "-CAfile", $smroot, "-out", "{output}.txt" ],
 664       \&final_compare
 665     ]
 666 );
 667
 668
 669 my @contenttype_cms_test = (
 670     [ "signed content test - check that content type is added to additional signerinfo, RSA keys",
 671       [ "{cmd1}", @prov, "-sign", "-binary", "-nodetach", "-stream", "-in", $smcont,
 672         "-outform", "DER", "-signer", $smrsa1, "-md", "SHA256",
 673         "-out", "{output}.cms" ],
 674       [ "{cmd1}", @prov, "-resign", "-binary", "-nodetach", "-in", "{output}.cms",
 675         "-inform", "DER", "-outform", "DER",
 676         "-signer", catfile($smdir, "smrsa2.pem"), "-md", "SHA256",
 677         "-out", "{output}2.cms" ],
 678       sub { my %opts = @_; contentType_matches("$opts{output}2.cms") == 2; },
 679       [ "{cmd2}", @prov, "-verify", "-in", "{output}2.cms", "-inform", "DER",
 680         "-CAfile", $smroot, "-out", "{output}.txt" ]
 681     ],
 682 );
 683
 684 my @incorrect_attribute_cms_test = (
 685     "bad_signtime_attr.cms",
 686     "no_ct_attr.cms",
 687     "no_md_attr.cms",
 688     "ct_multiple_attr.cms"
 689 );
 690
 691 # Runs a standard loop on the input array
 692 sub runner_loop {
 693     my %opts = ( @_ );
 694     my $cnt1 = 0;
 695
 696     foreach (@{$opts{tests}}) {
 697         $cnt1++;
 698         $opts{output} = "$opts{prefix}-$cnt1";
 699       SKIP: {
 700           my $skip_reason = check_availability($$_[0]);
 701           skip $skip_reason, 1 if $skip_reason;
 702           my $ok = 1;
 703           1 while unlink "$opts{output}.txt";
 704
 705           foreach (@$_[1..$#$_]) {
 706               if (ref $_ eq 'CODE') {
 707                   $ok &&= $_->(%opts);
 708               } else {
 709                   my @cmd = map {
 710                       my $x = $_;
 711                       while ($x =~ /\{([^\}]+)\}/) {
 712                           $x = $`.$opts{$1}.$' if exists $opts{$1};
 713                       }
 714                       $x;
 715                   } @$_;
 716
 717                   diag "CMD: openssl ", join(" ", @cmd);
 718                   $ok &&= run(app(["openssl", @cmd]));
 719                   $opts{input} = $opts{output};
 720               }
 721           }
 722
 723           ok($ok, $$_[0]);
 724         }
 725     }
 726 }
 727
 728 sub final_compare {
 729     my %opts = @_;
 730
 731     diag "Comparing $smcont with $opts{output}.txt";
 732     return compare_text($smcont, "$opts{output}.txt") == 0;
 733 }
 734
 735 sub zero_compare {
 736     my %opts = @_;
 737
 738     diag "Checking for zero-length file";
 739     return (-e "$opts{output}.txt" && -z "$opts{output}.txt");
 740 }
 741
 742 subtest "CMS => PKCS#7 compatibility tests\n" => sub {
 743     plan tests => scalar @smime_pkcs7_tests;
 744
 745     runner_loop(prefix => 'cms2pkcs7', cmd1 => 'cms', cmd2 => 'smime',
 746                 tests => [ @smime_pkcs7_tests ]);
 747 };
 748 subtest "CMS <= PKCS#7 compatibility tests\n" => sub {
 749     plan tests => scalar @smime_pkcs7_tests;
 750
 751     runner_loop(prefix => 'pkcs72cms', cmd1 => 'smime', cmd2 => 'cms',
 752                 tests => [ @smime_pkcs7_tests ]);
 753 };
 754
 755 subtest "CMS <=> CMS consistency tests\n" => sub {
 756     plan tests => (scalar @smime_pkcs7_tests) + (scalar @smime_cms_tests);
 757
 758     runner_loop(prefix => 'cms2cms-1', cmd1 => 'cms', cmd2 => 'cms',
 759                 tests => [ @smime_pkcs7_tests ]);
 760     runner_loop(prefix => 'cms2cms-2', cmd1 => 'cms', cmd2 => 'cms',
 761                 tests => [ @smime_cms_tests ]);
 762 };
 763
 764 subtest "CMS <=> CMS consistency tests, modified key parameters\n" => sub {
 765     plan tests =>
 766         (scalar @smime_cms_param_tests) + (scalar @smime_cms_comp_tests) +
 767         (scalar @smime_cms_param_tests_autodigestmax) + 1;
 768
 769     ok(run(app(["openssl", "cms", @prov,
 770                 "-sign", "-in", $smcont,
 771                 "-outform", "PEM",
 772                 "-nodetach",
 773                 "-signer", $smrsa1,
 774                 "-keyopt", "rsa_padding_mode:pss",
 775                 "-keyopt", "rsa_pss_saltlen:auto-digestmax",
 776                 "-out", "digestmaxtest.cms"])));
 777     # Providers that do not support rsa_pss_saltlen:auto-digestmax will parse
 778     # it as 0
 779     my $no_autodigestmax = rsapssSaltlen("digestmaxtest.cms") == 0;
 780     1 while unlink "digestmaxtest.cms";
 781
 782     runner_loop(prefix => 'cms2cms-mod', cmd1 => 'cms', cmd2 => 'cms',
 783                 tests => [ @smime_cms_param_tests ]);
 784   SKIP: {
 785       skip("Zlib not supported: compression tests skipped",
 786            scalar @smime_cms_comp_tests)
 787           if $no_zlib;
 788
 789       runner_loop(prefix => 'cms2cms-comp', cmd1 => 'cms', cmd2 => 'cms',
 790                   tests => [ @smime_cms_comp_tests ]);
 791     }
 792
 793   SKIP: {
 794     skip("rsa_pss_saltlen:auto-digestmax not supported",
 795          scalar @smime_cms_param_tests_autodigestmax)
 796        if $no_autodigestmax;
 797
 798        runner_loop(prefix => 'cms2cms-comp', 'cmd1' => 'cms', cmd2 => 'cms',
 799                    tests => [ @smime_cms_param_tests_autodigestmax ]);
 800   }
 801 };
 802
 803 # Returns the number of matches of a Content Type Attribute in a binary file.
 804 sub contentType_matches {
 805   # Read in a binary file
 806   my ($in) = @_;
 807   open (HEX_IN, "$in") or die("open failed for $in : $!");
 808   binmode(HEX_IN);
 809   local $/;
 810   my $str = <HEX_IN>;
 811
 812   # Find ASN1 data for a Content Type Attribute (with a OID of PKCS7 data)
 813   my @c = $str =~ /\x30\x18\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x03\x31\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x01/gs;
 814
 815   close(HEX_IN);
 816   return scalar(@c);
 817 }
 818
 819 sub rsapssSaltlen {
 820   my ($in) = @_;
 821   my $exit = 0;
 822
 823   my @asn1parse = run(app(["openssl", "asn1parse", "-in", $in, "-dump"]),
 824                       capture => 1,
 825                       statusvar => $exit);
 826   return -1 if $exit != 0;
 827
 828   my $pssparam_offset = -1;
 829   while ($_ = shift @asn1parse) {
 830     chomp;
 831     next unless /:rsassaPss/;
 832     # This line contains :rsassaPss, the next line contains a raw dump of the
 833     # RSA_PSS_PARAMS sequence; obtain its offset
 834     $_ = shift @asn1parse;
 835     if (/^\s*(\d+):/) {
 836       $pssparam_offset = int($1);
 837     }
 838   }
 839
 840   if ($pssparam_offset == -1) {
 841     note "Failed to determine RSA_PSS_PARAM offset in CMS. " +
 842          "Was the file correctly signed with RSASSA-PSS?";
 843     return -1;
 844   }
 845
 846   my @pssparam = run(app(["openssl", "asn1parse", "-in", $in,
 847                           "-strparse", $pssparam_offset]),
 848                      capture => 1,
 849                      statusvar => $exit);
 850   return -1 if $exit != 0;
 851
 852   my $saltlen = -1;
 853   # Can't use asn1parse -item RSA_PSS_PARAMS here, because that's deprecated.
 854   # This assumes the salt length is the last field, which may possibly be
 855   # incorrect if there is a non-standard trailer field, but there almost never
 856   # is in PSS.
 857   if ($pssparam[-1] =~ /prim:\s+INTEGER\s+:([A-Fa-f0-9]+)/) {
 858     $saltlen = hex($1);
 859   }
 860
 861   if ($saltlen == -1) {
 862     note "Failed to determine salt length from RSA_PSS_PARAM struct. " +
 863          "Was the file correctly signed with RSASSA-PSS?";
 864     return -1;
 865   }
 866
 867   return $saltlen;
 868 }
 869
 870 subtest "CMS Check the content type attribute is added for additional signers\n" => sub {
 871     plan tests => (scalar @contenttype_cms_test);
 872
 873     runner_loop(prefix => 'cms2cms-added', cmd1 => 'cms', cmd2 => 'cms',
 874                 tests => [ @contenttype_cms_test ]);
 875 };
 876
 877 subtest "CMS Check that bad attributes fail when verifying signers\n" => sub {
 878     plan tests =>
 879         (scalar @incorrect_attribute_cms_test);
 880
 881     my $cnt = 0;
 882     foreach my $name (@incorrect_attribute_cms_test) {
 883         my $out = "incorrect-$cnt.txt";
 884
 885         ok(!run(app(["openssl", "cms", @prov, "-verify", "-in",
 886                      catfile($datadir, $name), "-inform", "DER", "-CAfile",
 887                      $smroot, "-out", $out ])),
 888             $name);
 889     }
 890 };
 891
 892 subtest "CMS Check that bad encryption algorithm fails\n" => sub {
 893     plan tests => 1;
 894
 895     SKIP: {
 896         skip "DES or Legacy isn't supported in this build", 1
 897             if disabled("des") || disabled("legacy");
 898
 899         my $out = "smtst.txt";
 900
 901         ok(!run(app(["openssl", "cms", @legacyprov, "-encrypt",
 902                     "-in", $smcont,
 903                     "-stream", "-recip", $smrsa1,
 904                     "-des-ede3",
 905                     "-out", $out ])),
 906            "Decrypt message from OpenSSL 1.1.1");
 907     }
 908 };
 909
 910 subtest "CMS Decrypt message encrypted with OpenSSL 1.1.1\n" => sub {
 911     plan tests => 1;
 912
 913     SKIP: {
 914         skip "EC or DES isn't supported in this build", 1
 915             if disabled("ec") || disabled("des");
 916
 917         my $out = "smtst.txt";
 918
 919         ok(run(app(["openssl", "cms", @defaultprov, "-decrypt",
 920                     "-inkey", catfile($smdir, "smec3.pem"),
 921                     "-in", catfile($datadir, "ciphertext_from_1_1_1.cms"),
 922                     "-out", $out ]))
 923            && compare_text($smcont, $out) == 0,
 924            "Decrypt message from OpenSSL 1.1.1");
 925     }
 926 };
 927
 928 subtest "CAdES <=> CAdES consistency tests\n" => sub {
 929     plan tests => (scalar @smime_cms_cades_tests);
 930
 931     runner_loop(prefix => 'cms-cades', cmd1 => 'cms', cmd2 => 'cms',
 932                 tests => [ @smime_cms_cades_tests ]);
 933 };
 934
 935 subtest "CAdES; cms incompatible arguments tests\n" => sub {
 936     plan tests => (scalar @smime_cms_cades_invalid_option_tests);
 937
 938     foreach (@smime_cms_cades_invalid_option_tests) {
 939         ok(!run(app(["openssl", "cms", @{$$_[0]} ] )));
 940     }
 941 };
 942
 943 subtest "CAdES ko tests\n" => sub {
 944     plan tests => 2 * scalar @smime_cms_cades_ko_tests;
 945
 946     foreach (@smime_cms_cades_ko_tests) {
 947       SKIP: {
 948         my $skip_reason = check_availability($$_[0]);
 949         skip $skip_reason, 1 if $skip_reason;
 950         1 while unlink "cades-ko.txt";
 951
 952         ok(run(app(["openssl", "cms", @{$$_[1]}])), $$_[0]);
 953         ok(!run(app(["openssl", "cms", @{$$_[3]}])), $$_[2]);
 954         }
 955     }
 956 };
 957
 958 subtest "CMS binary input tests\n" => sub {
 959     my $input = srctop_file("test", "smcont.bin");
 960     my $signed = "smcont.signed";
 961     my $verified = "smcont.verified";
 962
 963     plan tests => 11;
 964
 965     ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1,
 966                 "-binary", "-in", $input, "-out", $signed])),
 967        "sign binary input with -binary");
 968     ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot,
 969                 "-binary", "-in", $signed, "-out", $verified])),
 970        "verify binary input with -binary");
 971     is(compare($input, $verified), 0, "binary input retained with -binary");
 972
 973     ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1,
 974                 "-in", $input, "-out", $signed.".nobin"])),
 975        "sign binary input without -binary");
 976     ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot,
 977                 "-in", $signed.".nobin", "-out", $verified.".nobin"])),
 978        "verify binary input without -binary");
 979     is(compare($input, $verified.".nobin"), 1, "binary input not retained without -binary");
 980     ok(!run(app(["openssl", "cms", "-verify", "-CAfile", $smroot, "-crlfeol",
 981                 "-binary", "-in", $signed, "-out", $verified.".crlfeol"])),
 982        "verify binary input wrong crlfeol");
 983
 984     ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1,
 985                 "-crlfeol",
 986                 "-binary", "-in", $input, "-out", $signed.".crlf"])),
 987        "sign binary input with -binary -crlfeol");
 988     ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot, "-crlfeol",
 989                 "-binary", "-in", $signed.".crlf", "-out", $verified.".crlf"])),
 990        "verify binary input with -binary -crlfeol");
 991     is(compare($input, $verified.".crlf"), 0,
 992        "binary input retained with -binary -crlfeol");
 993     ok(!run(app(["openssl", "cms", "-verify", "-CAfile", $smroot,
 994                 "-binary", "-in", $signed.".crlf", "-out", $verified.".crlf2"])),
 995        "verify binary input with -binary missing -crlfeol");
 996 };
 997
 998 subtest "CMS signed digest, DER format" => sub {
 999     plan tests => 2;
1000
1001     # Pre-computed SHA256 digest of $smcont in hexadecimal form
1002     my $digest = "ff236ef61b396355f75a4cc6e1c306d4c309084ae271a9e2ad6888f10a101b32";
1003
1004     my $sig_file = "signature.der";
1005     ok(run(app(["openssl", "cms", @prov, "-sign", "-digest", $digest,
1006                     "-outform", "DER",
1007                     "-certfile", catfile($smdir, "smroot.pem"),
1008                     "-signer", catfile($smdir, "smrsa1.pem"),
1009                     "-out", $sig_file])),
1010         "CMS sign pre-computed digest, DER format");
1011
1012     ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
1013                     "-inform", "DER",
1014                     "-CAfile", catfile($smdir, "smroot.pem"),
1015                     "-content", $smcont])),
1016        "Verify CMS signed digest, DER format");
1017 };
1018
1019 subtest "CMS signed digest, S/MIME format" => sub {
1020     plan tests => 2;
1021
1022     # Pre-computed SHA256 digest of $smcont in hexadecimal form
1023     my $digest = "ff236ef61b396355f75a4cc6e1c306d4c309084ae271a9e2ad6888f10a101b32";
1024
1025     my $sig_file = "signature.smime";
1026     ok(run(app(["openssl", "cms", @prov, "-sign", "-digest", $digest,
1027                     "-outform", "SMIME",
1028                     "-certfile", catfile($smdir, "smroot.pem"),
1029                     "-signer", catfile($smdir, "smrsa1.pem"),
1030                     "-out", $sig_file])),
1031         "CMS sign pre-computed digest, S/MIME format");
1032
1033     ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
1034                     "-inform", "SMIME",
1035                     "-CAfile", catfile($smdir, "smroot.pem"),
1036                     "-content", $smcont])),
1037        "Verify CMS signed digest, S/MIME format");
1038 };
1039
1040 subtest "CMS code signing test" => sub {
1041     plan tests => 7;
1042     my $sig_file = "signature.p7s";
1043     ok(run(app(["openssl", "cms", @prov, "-sign", "-in", $smcont,
1044                    "-certfile", catfile($smdir, "smroot.pem"),
1045                    "-signer", catfile($smdir, "smrsa1.pem"),
1046                    "-out", $sig_file])),
1047        "accept perform CMS signature with smime certificate");
1048
1049     ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
1050                     "-CAfile", catfile($smdir, "smroot.pem"),
1051                     "-content", $smcont])),
1052        "accept verify CMS signature with smime certificate");
1053
1054     ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
1055                     "-CAfile", catfile($smdir, "smroot.pem"),
1056                     "-purpose", "codesign",
1057                     "-content", $smcont])),
1058        "fail verify CMS signature with smime certificate for purpose code signing");
1059
1060     ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
1061                     "-CAfile", catfile($smdir, "smroot.pem"),
1062                     "-purpose", "football",
1063                     "-content", $smcont])),
1064        "fail verify CMS signature with invalid purpose argument");
1065
1066     ok(run(app(["openssl", "cms", @prov, "-sign", "-in", $smcont,
1067                    "-certfile", catfile($smdir, "smroot.pem"),
1068                    "-signer", catfile($smdir, "csrsa1.pem"),
1069                    "-out", $sig_file])),
1070         "accept perform CMS signature with code signing certificate");
1071
1072     ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
1073                     "-CAfile", catfile($smdir, "smroot.pem"),
1074                     "-purpose", "codesign",
1075                     "-content", $smcont])),
1076        "accept verify CMS signature with code signing certificate for purpose code signing");
1077
1078     ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
1079                     "-CAfile", catfile($smdir, "smroot.pem"),
1080                     "-content", $smcont])),
1081        "fail verify CMS signature with code signing certificate for purpose smime_sign");
1082 };
1083
1084 # Test case for missing MD algorithm (must not segfault)
1085
1086 with({ exit_checker => sub { return shift == 4; } },
1087     sub {
1088         ok(run(app(['openssl', 'smime', '-verify', '-noverify',
1089                     '-inform', 'PEM',
1090                     '-in', data_file("pkcs7-md4.pem"),
1091                    ])),
1092             "Check failure of EVP_DigestInit in PKCS7 signed is handled");
1093
1094         ok(run(app(['openssl', 'smime', '-decrypt',
1095                     '-inform', 'PEM',
1096                     '-in', data_file("pkcs7-md4-encrypted.pem"),
1097                     '-recip', srctop_file("test", "certs", "ee-cert.pem"),
1098                     '-inkey', srctop_file("test", "certs", "ee-key.pem")
1099                    ])),
1100             "Check failure of EVP_DigestInit in PKCS7 signedAndEnveloped is handled");
1101     });
1102
1103 sub check_availability {
1104     my $tnam = shift;
1105
1106     return "$tnam: skipped, EC disabled\n"
1107         if ($no_ec && $tnam =~ /ECDH/);
1108     return "$tnam: skipped, ECDH disabled\n"
1109         if ($no_ec && $tnam =~ /ECDH/);
1110     return "$tnam: skipped, EC2M disabled\n"
1111         if ($no_ec2m && $tnam =~ /K-283/);
1112     return "$tnam: skipped, DH disabled\n"
1113         if ($no_dh && $tnam =~ /X9\.42/);
1114     return "$tnam: skipped, RC2 disabled\n"
1115         if ($no_rc2 && $tnam =~ /RC2/);
1116     return "$tnam: skipped, DES disabled\n"
1117         if ($no_des && $tnam =~ /DES/);
1118     return "$tnam: skipped, DSA disabled\n"
1119         if ($no_dsa && $tnam =~ / DSA/);
1120
1121     return "";
1122 }
1123
1124 # Test case for the locking problem reported in #19643.
1125 # This will fail if the fix is in and deadlock on Windows (and possibly
1126 # other platforms) if not.
1127 ok(!run(app(['openssl', 'cms', '-verify',
1128              '-CAfile', srctop_file("test/certs", "pkitsta.pem"),
1129              '-policy', 'anyPolicy',
1130              '-in', srctop_file("test/smime-eml",
1131                                 "SignedInvalidMappingFromanyPolicyTest7.eml")
1132             ])),
1133    "issue#19643");
1134
1135 # Check that we get the expected failure return code
1136 with({ exit_checker => sub { return shift == 6; } },
1137     sub {
1138         ok(run(app(['openssl', 'cms', '-encrypt',
1139                     '-in', srctop_file("test", "smcont.txt"),
1140                     '-aes128', '-stream', '-recip',
1141                     srctop_file("test/smime-certs", "badrsa.pem"),
1142                    ])),
1143             "Check failure during BIO setup with -stream is handled correctly");
1144     });
1145
1146 # Test case for return value mis-check reported in #21986
1147 with({ exit_checker => sub { return shift == 3; } },
1148     sub {
1149         SKIP: {
1150           skip "DSA is not supported in this build", 1 if $no_dsa;
1151
1152           ok(run(app(['openssl', 'cms', '-sign',
1153                       '-in', srctop_file("test", "smcont.txt"),
1154                       '-signer', srctop_file("test/smime-certs", "smdsa1.pem"),
1155                       '-md', 'SHAKE256'])),
1156             "issue#21986");
1157         }
1158     });
1159
1160 # Test for problem reported in #22225
1161 with({ exit_checker => sub { return shift == 3; } },
1162     sub {
1163         ok(run(app(['openssl', 'cms', '-encrypt',
1164                     '-in', srctop_file("test", "smcont.txt"),
1165                     '-aes-256-ctr', '-recip',
1166                     catfile($smdir, "smec1.pem"),
1167                    ])),
1168            "Check for failure when cipher does not have an assigned OID (issue#22225)");
1169      });
1170
1171 # Test encrypt to three recipients, and decrypt using key-only;
1172 # i.e. do not follow the recommended practice of providing the
1173 # recipient cert in the decrypt op.
1174 #
1175 # Use RSAES-OAEP for key-transport, not RSAES-PKCS-v1_5.
1176 #
1177 # Because the cert is not provided during decrypt, all RSA ciphertexts
1178 # are decrypted in turn, and when/if there is a valid decryption, it
1179 # is assumed the correct content-key has been recovered.
1180 #
1181 # That process may fail with RSAES-PKCS-v1_5 b/c there is a
1182 # non-negligible chance that decrypting a random input using
1183 # RSAES-PKCS-v1_5 can result in a valid plaintext (so two content-keys
1184 # could be recovered and the wrong one might be used).
1185 #
1186 # See https://github.com/openssl/project/issues/380
1187 subtest "encrypt to three recipients with RSA-OAEP, key only decrypt" => sub {
1188     plan tests => 3;
1189
1190     my $pt = srctop_file("test", "smcont.txt");
1191     my $ct = "smtst.cms";
1192     my $ptpt = "smtst.txt";
1193
1194     ok(run(app(['openssl', 'cms',
1195                 @defaultprov,
1196                 '-encrypt', '-aes128',
1197                 '-in', $pt,
1198                 '-out', $ct,
1199                 '-stream',
1200                 '-recip', catfile($smdir, "smrsa1.pem"),
1201                 '-keyopt', 'rsa_padding_mode:oaep',
1202                 '-recip', catfile($smdir, "smrsa2.pem"),
1203                 '-keyopt', 'rsa_padding_mode:oaep',
1204                 '-recip', catfile($smdir, "smrsa3-cert.pem"),
1205                 '-keyopt', 'rsa_padding_mode:oaep',
1206                ])),
1207        "encrypt to three recipients with RSA-OAEP (avoid openssl/project issue#380)");
1208     ok(run(app(['openssl', 'cms',
1209                 @defaultprov,
1210                 '-decrypt', '-aes128',
1211                 '-in', $ct,
1212                 '-out', $ptpt,
1213                 '-inkey', catfile($smdir, "smrsa3-key.pem"),
1214                ])),
1215        "decrypt with key only");
1216     is(compare($pt, $ptpt), 0, "compare original message with decrypted ciphertext");
1217 };