return 0;
}
- if (pcerts != NULL && *pcerts == NULL
- && (*pcerts = sk_X509_new_null()) == NULL) {
- BIO_printf(bio_err, "Out of memory loading");
- goto end;
- } else {
+ if (pcerts != NULL) {
+ if (*pcerts == NULL && (*pcerts = sk_X509_new_null()) == NULL) {
+ BIO_printf(bio_err, "Out of memory loading");
+ goto end;
+ }
cnt_expectations++;
expect = OSSL_STORE_INFO_CERT;
}
cnt_expectations++;
expect = OSSL_STORE_INFO_CRL;
}
- if (pcrls != NULL && *pcrls == NULL
- && (*pcrls = sk_X509_CRL_new_null()) == NULL) {
- BIO_printf(bio_err, "Out of memory loading");
- goto end;
- } else {
+ if (pcrls != NULL) {
+ if (*pcrls == NULL && (*pcrls = sk_X509_CRL_new_null()) == NULL) {
+ BIO_printf(bio_err, "Out of memory loading");
+ goto end;
+ }
cnt_expectations++;
expect = OSSL_STORE_INFO_CRL;
}
OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
int type, ok = 1;
- if (info == NULL)
- break;
+ /*
+ * This can happen (for example) if we attempt to load a file with
+ * multiple different types of things in it - but the thing we just
+ * tried to load wasn't one of the ones we wanted, e.g. if we're trying
+ * to load a certificate but the file has both the private key and the
+ * certificate in it. We just retry until eof.
+ */
+ if (info == NULL) {
+ if (OSSL_STORE_error(ctx)) {
+ ERR_print_errors(bio_err);
+ ERR_clear_error();
+ }
+ continue;
+ }
+
type = OSSL_STORE_INFO_get_type(info);
switch (type) {
case OSSL_STORE_INFO_PKEY:
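Review bot: The `continue` that closes the new `info == NULL` branch relies on the loop ending at end-of-file, but no `OSSL_STORE_eof(ctx)` test is visible in the hunk and the enclosing loop header (and the rest of the function) sits above it, so whether a NULL return at EOF, or a store that keeps failing without advancing, actually leaves the loop cannot be confirmed from here. If that header is an unconditional `for (;;)`, the retry turns into a spin; adding `if (OSSL_STORE_eof(ctx)) break;` immediately before the `continue` makes the termination the comment promises explicit whatever the header says. The comment could also state that errors from each skipped object are printed to `bio_err` and cleared on the spot, since by the time the function returns nothing is left on the error queue for the caller to inspect.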
ok(run(app(['openssl', 'list', '-key-managers', '-verbose', '-select', 'DSA' ])),
"provider listing of one item in the keymanager");
+sub pubfrompriv {
+ my $prefix = shift;
+ my $key = shift;
+ my $pub_key = shift;
+ my $type = shift;
+
+ ok(run(app(['openssl', 'pkey',
+ '-in', $key,
+ '-pubout',
+ '-out', $pub_key])),
+ $prefix.': '."Create the public key with $type parameters");
+
+}
+
my $tsignverify_count = 8;
sub tsignverify {
my $prefix = shift;
my $fips_key = shift;
+ my $fips_pub_key = shift;
my $nonfips_key = shift;
+ my $nonfips_pub_key = shift;
my $fips_sigfile = $prefix.'.fips.sig';
my $nonfips_sigfile = $prefix.'.nonfips.sig';
my $sigfile = '';
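Review bot: `pubfrompriv` emits exactly one `ok()`, and the `plan tests => 5 + ...` and `8 + ...` bumps in the EC, RSA and DSA subtests further down depend on that, yet nothing at the sub records the coupling; a comment such as `# Runs exactly one test; callers must include it in their plan count.` above `sub pubfrompriv` would make it visible. The four bare `shift`s and the blank line before the closing brace are a style point as well: `my ($prefix, $key, $pub_key, $type) = @_;` names every argument on the first line, and an explicit `return;` after the `ok()` avoids returning the test result implicitly.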
$testtext = $prefix.': '.
'Verify something with a FIPS key';
ok(run(app(['openssl', 'dgst', '-sha256',
- '-verify', $fips_key,
+ '-verify', $fips_pub_key,
'-signature', $sigfile,
$tbs_data])),
$testtext);
'Verify a valid signature against the wrong data with a FIPS key'.
' (should fail)';
ok(!run(app(['openssl', 'dgst', '-sha256',
- '-verify', $fips_key,
+ '-verify', $fips_pub_key,
'-signature', $sigfile,
$bogus_data])),
$testtext);
'Verify something with a non-FIPS key'.
' with the default provider';
ok(run(app(['openssl', 'dgst', '-sha256',
- '-verify', $nonfips_key,
+ '-verify', $nonfips_pub_key,
'-signature', $sigfile,
$tbs_data])),
$testtext);
'Verify something with a non-FIPS key'.
' (should fail)';
ok(!run(app(['openssl', 'dgst', '-sha256',
- '-verify', $nonfips_key,
+ '-verify', $nonfips_pub_key,
'-signature', $sigfile,
$tbs_data])),
$testtext);
'Verify a valid signature against the wrong data with a non-FIPS key'.
' (should fail)';
ok(!run(app(['openssl', 'dgst', '-sha256',
- '-verify', $nonfips_key,
+ '-verify', $nonfips_pub_key,
'-signature', $sigfile,
$bogus_data])),
$testtext);
my $testtext_prefix = 'EC';
my $a_fips_curve = 'prime256v1';
my $fips_key = $testtext_prefix.'.fips.priv.pem';
+ my $fips_pub_key = $testtext_prefix.'.fips.pub.pem';
my $a_nonfips_curve = 'brainpoolP256r1';
my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem';
+ my $nonfips_pub_key = $testtext_prefix.'.nonfips.pub.pem';
my $testtext = '';
my $curvename = '';
- plan tests => 3 + $tsignverify_count;
+ plan tests => 5 + $tsignverify_count;
$ENV{OPENSSL_CONF} = $defaultconf;
$curvename = $a_nonfips_curve;
'-out', $nonfips_key])),
$testtext);
+ pubfrompriv($testtext_prefix, $nonfips_key, $nonfips_pub_key, "non-FIPS");
+
$ENV{OPENSSL_CONF} = $fipsconf;
$curvename = $a_fips_curve;
'-out', $fips_key])),
$testtext);
+ pubfrompriv($testtext_prefix, $fips_key, $fips_pub_key, "FIPS");
+
$curvename = $a_nonfips_curve;
$testtext = $testtext_prefix.': '.
'Generate a key with a non-FIPS algorithm'.
'-out', $testtext_prefix.'.'.$curvename.'.priv.pem'])),
$testtext);
- tsignverify($testtext_prefix, $fips_key, $nonfips_key);
+ tsignverify($testtext_prefix, $fips_key, $fips_pub_key, $nonfips_key,
+ $nonfips_pub_key);
};
}
subtest RSA => sub {
my $testtext_prefix = 'RSA';
my $fips_key = $testtext_prefix.'.fips.priv.pem';
+ my $fips_pub_key = $testtext_prefix.'.fips.pub.pem';
my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem';
+ my $nonfips_pub_key = $testtext_prefix.'.nonfips.pub.pem';
my $testtext = '';
- plan tests => 3 + $tsignverify_count;
+ plan tests => 5 + $tsignverify_count;
$ENV{OPENSSL_CONF} = $defaultconf;
$testtext = $testtext_prefix.': '.
'-out', $nonfips_key])),
$testtext);
+ pubfrompriv($testtext_prefix, $nonfips_key, $nonfips_pub_key, "non-FIPS");
+
$ENV{OPENSSL_CONF} = $fipsconf;
$testtext = $testtext_prefix.': '.
'-out', $fips_key])),
$testtext);
+ pubfrompriv($testtext_prefix, $fips_key, $fips_pub_key, "FIPS");
+
$testtext = $testtext_prefix.': '.
'Generate a key with a non-FIPS algorithm'.
' (should fail)';
'-out', $testtext_prefix.'.fail.priv.pem'])),
$testtext);
- tsignverify($testtext_prefix, $fips_key, $nonfips_key);
+ tsignverify($testtext_prefix, $fips_key, $fips_pub_key, $nonfips_key,
+ $nonfips_pub_key);
};
}
subtest DSA => sub {
my $testtext_prefix = 'DSA';
my $fips_key = $testtext_prefix.'.fips.priv.pem';
+ my $fips_pub_key = $testtext_prefix.'.fips.pub.pem';
my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem';
+ my $nonfips_pub_key = $testtext_prefix.'.nonfips.pub.pem';
my $testtext = '';
my $fips_param = $testtext_prefix.'.fips.param.pem';
my $nonfips_param = $testtext_prefix.'.nonfips.param.pem';
- plan tests => 6 + $tsignverify_count;
+ plan tests => 8 + $tsignverify_count;
$ENV{OPENSSL_CONF} = $defaultconf;
'-out', $nonfips_key])),
$testtext);
+ pubfrompriv($testtext_prefix, $nonfips_key, $nonfips_pub_key, "non-FIPS");
+
$ENV{OPENSSL_CONF} = $fipsconf;
$testtext = $testtext_prefix.': '.
'-out', $fips_key])),
$testtext);
+ pubfrompriv($testtext_prefix, $fips_key, $fips_pub_key, "FIPS");
+
$testtext = $testtext_prefix.': '.
'Generate a key with non-FIPS parameters'.
' (should fail)';
'-out', $testtext_prefix.'.fail.priv.pem'])),
$testtext);
- tsignverify($testtext_prefix, $fips_key, $nonfips_key);
+ tsignverify($testtext_prefix, $fips_key, $fips_pub_key, $nonfips_key,
+ $nonfips_pub_key);
};
}