2 # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the OpenSSL license (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
11 use OpenSSL::Test qw(:DEFAULT srctop_file srctop_dir bldtop_file data_file);
13 my $test_name = "test_store";
17 ( "test/blahdiblah.pem",
18 "test/blahdibleh.der" );
20 ( "test/testx509.pem",
22 "test/testrsapub.pem",
27 ### generated from the source files
35 ### These examples were pilfered from OpenConnect's test suite
37 "rsa-key-pkcs1.pem", "rsa-key-pkcs1.der",
38 "rsa-key-pkcs1-aes128.pem",
39 "rsa-key-pkcs8.pem", "rsa-key-pkcs8.der",
40 "rsa-key-pkcs8-pbes1-sha1-3des.pem", "rsa-key-pkcs8-pbes1-sha1-3des.der",
41 "rsa-key-pkcs8-pbes2-sha1.pem", "rsa-key-pkcs8-pbes2-sha1.der",
42 "rsa-key-sha1-3des-sha1.p12", "rsa-key-sha1-3des-sha256.p12",
43 "rsa-key-aes256-cbc-sha256.p12",
44 "rsa-key-md5-des-sha1.p12",
45 "rsa-key-aes256-cbc-md5-des-sha256.p12",
46 "rsa-key-pkcs8-pbes2-sha256.pem", "rsa-key-pkcs8-pbes2-sha256.der",
47 "rsa-key-pkcs8-pbes1-md5-des.pem", "rsa-key-pkcs8-pbes1-md5-des.der",
48 "dsa-key-pkcs1.pem", "dsa-key-pkcs1.der",
49 "dsa-key-pkcs1-aes128.pem",
50 "dsa-key-pkcs8.pem", "dsa-key-pkcs8.der",
51 "dsa-key-pkcs8-pbes2-sha1.pem", "dsa-key-pkcs8-pbes2-sha1.der",
52 "dsa-key-aes256-cbc-sha256.p12",
53 "ec-key-pkcs1.pem", "ec-key-pkcs1.der",
54 "ec-key-pkcs1-aes128.pem",
55 "ec-key-pkcs8.pem", "ec-key-pkcs8.der",
56 "ec-key-pkcs8-pbes2-sha1.pem", "ec-key-pkcs8-pbes2-sha1.der",
57 "ec-key-aes256-cbc-sha256.p12",
60 my $n = (2 * scalar @noexist_files)
61 + (5 * scalar @src_files)
62 + (3 * scalar @generated_files)
67 indir "store_$$" => sub {
70 skip "failed initialisation", $n unless init();
72 foreach (@noexist_files) {
73 my $file = srctop_file($_);
74 ok(!run(app(["openssl", "storeutl", $file])));
75 ok(!run(app(["openssl", "storeutl", to_file_uri($file)])));
77 foreach (@src_files) {
78 my $file = srctop_file($_);
79 ok(run(app(["openssl", "storeutl", $file])));
80 ok(run(app(["openssl", "storeutl", to_file_uri($file)])));
81 ok(run(app(["openssl", "storeutl", to_file_uri($file, 0,
83 ok(run(app(["openssl", "storeutl", to_file_uri($file, 0,
85 ok(!run(app(["openssl", "storeutl", to_file_uri($file, 0,
88 foreach (@generated_files) {
89 ok(run(app(["openssl", "storeutl", "-passin", "pass:password",
91 ok(run(app(["openssl", "storeutl", "-passin", "pass:password",
93 ok(!run(app(["openssl", "storeutl", "-passin", "pass:password",
94 to_rel_file_uri($_)])));
97 my $dir = srctop_dir("test", "certs");
98 ok(run(app(["openssl", "storeutl", $dir])));
99 ok(run(app(["openssl", "storeutl", to_file_uri($dir, 1)])));
102 }, create => 1, cleanup => 1;
107 run(app(["openssl", "genrsa",
108 "-out", "rsa-key-pkcs1.pem", "2432"]))
110 && run(app(["openssl", "dsaparam", "-genkey",
111 "-out", "dsa-key-pkcs1.pem", "1024"]))
112 # ec-key-pkcs1.pem (one might think that 'genec' would be practical)
113 && run(app(["openssl", "ecparam", "-genkey", "-name", "prime256v1",
114 "-out", "ec-key-pkcs1.pem"]))
115 # rsa-key-pkcs1-aes128.pem
116 && run(app(["openssl", "rsa", "-passout", "pass:password", "-aes128",
117 "-in", "rsa-key-pkcs1.pem",
118 "-out", "rsa-key-pkcs1-aes128.pem"]))
119 # dsa-key-pkcs1-aes128.pem
120 && run(app(["openssl", "dsa", "-passout", "pass:password", "-aes128",
121 "-in", "dsa-key-pkcs1.pem",
122 "-out", "dsa-key-pkcs1-aes128.pem"]))
123 # ec-key-pkcs1-aes128.pem
124 && run(app(["openssl", "ec", "-passout", "pass:password", "-aes128",
125 "-in", "ec-key-pkcs1.pem",
126 "-out", "ec-key-pkcs1-aes128.pem"]))
130 (my $srcfile = $dstfile)
131 =~ s/-key-pkcs8\.pem$/-key-pkcs1.pem/i;
132 run(app(["openssl", "pkcs8", "-topk8", "-nocrypt",
133 "-in", $srcfile, "-out", $dstfile]));
134 }, grep(/-key-pkcs8\.pem$/, @generated_files))
135 # *-key-pkcs8-pbes1-sha1-3des.pem
138 (my $srcfile = $dstfile)
139 =~ s/-key-pkcs8-pbes1-sha1-3des\.pem$
141 run(app(["openssl", "pkcs8", "-topk8",
142 "-passout", "pass:password",
143 "-v1", "pbeWithSHA1And3-KeyTripleDES-CBC",
144 "-in", $srcfile, "-out", $dstfile]));
145 }, grep(/-key-pkcs8-pbes1-sha1-3des\.pem$/, @generated_files))
146 # *-key-pkcs8-pbes1-md5-des.pem
149 (my $srcfile = $dstfile)
150 =~ s/-key-pkcs8-pbes1-md5-des\.pem$
152 run(app(["openssl", "pkcs8", "-topk8",
153 "-passout", "pass:password",
154 "-v1", "pbeWithSHA1And3-KeyTripleDES-CBC",
155 "-in", $srcfile, "-out", $dstfile]));
156 }, grep(/-key-pkcs8-pbes1-md5-des\.pem$/, @generated_files))
157 # *-key-pkcs8-pbes2-sha1.pem
160 (my $srcfile = $dstfile)
161 =~ s/-key-pkcs8-pbes2-sha1\.pem$
163 run(app(["openssl", "pkcs8", "-topk8",
164 "-passout", "pass:password",
165 "-v2", "aes256", "-v2prf", "hmacWithSHA1",
166 "-in", $srcfile, "-out", $dstfile]));
167 }, grep(/-key-pkcs8-pbes2-sha1\.pem$/, @generated_files))
168 # *-key-pkcs8-pbes2-sha1.pem
171 (my $srcfile = $dstfile)
172 =~ s/-key-pkcs8-pbes2-sha256\.pem$
174 run(app(["openssl", "pkcs8", "-topk8",
175 "-passout", "pass:password",
176 "-v2", "aes256", "-v2prf", "hmacWithSHA256",
177 "-in", $srcfile, "-out", $dstfile]));
178 }, grep(/-key-pkcs8-pbes2-sha256\.pem$/, @generated_files))
179 # *-cert.pem (intermediary for the .p12 inits)
180 && run(app(["openssl", "req", "-x509",
181 "-config", data_file("ca.cnf"), "-nodes",
182 "-out", "cacert.pem", "-keyout", "cakey.pem"]))
185 (my $dstfile = $srckey) =~ s|-key-pkcs8\.|-cert.|;
186 (my $csr = $dstfile) =~ s|\.pem|.csr|;
188 (run(app(["openssl", "req", "-new",
189 "-config", data_file("user.cnf"),
190 "-key", $srckey, "-out", $csr]))
192 run(app(["openssl", "x509", "-days", "3650",
194 "-CAkey", "cakey.pem",
195 "-set_serial", time(), "-req",
196 "-in", $csr, "-out", $dstfile])));
197 }, grep(/-key-pkcs8\.pem$/, @generated_files))
201 my ($type, $certpbe_index, $keypbe_index,
203 $dstfile =~ m{^(.*)-key-(?|
204 # cert and key PBE are same
206 ([^-]*-[^-]*)- # key & cert PBE
209 # cert and key PBE are not same
210 ([^-]*-[^-]*)- # cert PBE
211 ([^-]*-[^-]*)- # key PBE
214 if (!$certpbe_index) {
215 $certpbe_index = $keypbe_index;
217 my $srckey = "$type-key-pkcs8.pem";
218 my $srccert = "$type-cert.pem";
221 "sha1-3des" => "pbeWithSHA1And3-KeyTripleDES-CBC",
222 "md5-des" => "pbeWithMD5AndDES-CBC",
223 "aes256-cbc" => "AES-256-CBC",
228 "sha256" => "SHA256",
230 my $certpbe = $pbes{$certpbe_index};
231 my $keypbe = $pbes{$keypbe_index};
232 my $macalg = $macalgs{$macalg_index};
233 if (!defined($certpbe) || !defined($keypbe)
234 || !defined($macalg)) {
235 print STDERR "Cert PBE for $pbe_index not defined\n"
236 unless defined $certpbe;
237 print STDERR "Key PBE for $pbe_index not defined\n"
238 unless defined $keypbe;
239 print STDERR "MACALG for $macalg_index not defined\n"
240 unless defined $macalg;
241 print STDERR "(destination file was $dstfile)\n";
244 run(app(["openssl", "pkcs12", "-inkey", $srckey,
245 "-in", $srccert, "-passout", "pass:password",
246 "-export", "-macalg", $macalg,
247 "-certpbe", $certpbe, "-keypbe", $keypbe,
249 }, grep(/\.p12/, @generated_files))
250 # *.der (the end all init)
253 (my $srcfile = $dstfile) =~ s/\.der$/.pem/i;
255 $srcfile = srctop_file("test", $srcfile);
258 unless (open $infh, $srcfile) {
262 while (($l = <$infh>) !~ /^-----BEGIN\s/
263 || $l =~ /^-----BEGIN.*PARAMETERS-----/) {
266 while (($l = <$infh>) !~ /^-----END\s/) {
268 $b64 .= $l unless $l =~ /:/;
271 my $der = decode_base64($b64);
272 unless (length($b64) / 4 * 3 - length($der) < 3) {
273 print STDERR "Length error, ",length($b64),
274 " bytes of base64 became ",length($der),
275 " bytes of der? ($srcfile => $dstfile)\n";
279 unless (open $outfh, ">:raw", $dstfile) {
285 }, grep(/\.der$/, @generated_files))
290 my ($function, @items) = @_;
293 return 0 unless $function->($_);
298 # According to RFC8089, a relative file: path is invalid. We still produce
299 # them for testing purposes.
300 sub to_rel_file_uri {
301 my ($file, $isdir, $authority) = @_;
305 die "to_rel_file_uri: No file given\n" if !defined($file) || $file eq '';
307 ($vol, $dir, $file) = File::Spec->splitpath($file, $isdir // 0);
309 # Make sure we have a Unix style directory.
310 $dir = join('/', File::Spec->splitdir($dir));
311 # Canonicalise it (note: it seems to be only needed on Unix)
314 $newdir =~ s|/[^/]*[^/\.]+[^/]*/\.\./|/|g;
315 last if $newdir eq $dir;
318 # Take care of the corner cases the loop can't handle, and that $dir
319 # ends with a / unless it's empty
320 $dir =~ s|/[^/]*[^/\.]+[^/]*/\.\.$|/|;
321 $dir =~ s|^[^/]*[^/\.]+[^/]*/\.\./|/|;
322 $dir =~ s|^[^/]*[^/\.]+[^/]*/\.\.$||;
324 $dir =~ s|/$|| if $dir ne '/';
326 $dir .= '/' if $dir ne '' && $dir !~ m|/$|;
329 # If the file system has separate volumes (at present, Windows and VMS)
330 # we need to handle them. In URIs, they are invariably the first
331 # component of the path, which is always absolute.
332 # On VMS, user:[foo.bar] translates to /user/foo/bar
333 # On Windows, c:\Users\Foo translates to /c:/Users/Foo
335 $vol =~ s|:||g if ($^O eq "VMS");
336 $dir = '/' . $dir if $dir ne '' && $dir !~ m|^/|;
337 $dir = '/' . $vol . $dir;
339 $file = $dir . $file;
341 return "file://$authority$file" if defined $authority;
346 my ($file, $isdir, $authority) = @_;
348 die "to_file_uri: No file given\n" if !defined($file) || $file eq '';
349 return to_rel_file_uri(File::Spec->rel2abs($file), $isdir, $authority);