25-test_req.t@ 105945

最後變更在這個檔案從105945是 105945,由 vboxsync 提交於 7 月前
openssl-3.1.7: Applied and adjusted our OpenSSL changes to 3.1.7. bugref:10757
檔案大小: 19.0 KB

行
1	#! /usr/bin/env perl
2	# Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
3	#
4	# Licensed under the Apache License 2.0 (the "License"). You may not use
5	# this file except in compliance with the License. You can obtain a copy
6	# in the file LICENSE in the source distribution or at
7	# https://www.openssl.org/source/license.html
8
9
10	use strict;
11	use warnings;
12
13	use OpenSSL::Test::Utils;
14	use OpenSSL::Test qw/:DEFAULT srctop_file/;
15
16	setup("test_req");
17
18	plan tests => 50;
19
20	require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
21
22	my @certs = qw(test certs);
23
24	# What type of key to generate?
25	my @req_new;
26	if (disabled("rsa")) {
27	@req_new = ("-newkey", "dsa:".srctop_file("apps", "dsa512.pem"));
28	} else {
29	@req_new = ("-new");
30	note("There should be a 2 sequences of .'s and some +'s.");
31	note("There should not be more that at most 80 per line");
32	}
33
34	# Prevent MSys2 filename munging for arguments that look like file paths but
35	# aren't
36	$ENV{MSYS2_ARG_CONV_EXCL} = "/CN=";
37
38	# Check for duplicate -addext parameters, and one "working" case.
39	my @addext_args = ( "openssl", "req", "-new", "-out", "testreq.pem",
40	"-key", srctop_file("test", "certs", "ee-key.pem"),
41	"-config", srctop_file("test", "test.cnf"), @req_new );
42	my $val = "subjectAltName=DNS:example.com";
43	my $val1 = "subjectAltName=otherName:1.2.3.4;UTF8:test,email:info\@example.com";
44	my $val2 = " " . $val;
45	my $val3 = $val;
46	$val3 =~ s/=/ =/;
47	ok( run(app([@addext_args, "-addext", $val])));
48	ok( run(app([@addext_args, "-addext", $val1])));
49	$val1 =~ s/UTF8/XXXX/; # execute the error handling in do_othername
50	ok(!run(app([@addext_args, "-addext", $val1])));
51	ok(!run(app([@addext_args, "-addext", $val, "-addext", $val])));
52	ok(!run(app([@addext_args, "-addext", $val, "-addext", $val2])));
53	ok(!run(app([@addext_args, "-addext", $val, "-addext", $val3])));
54	ok(!run(app([@addext_args, "-addext", $val2, "-addext", $val3])));
55	ok(run(app([@addext_args, "-addext", "SXNetID=1:one, 2:two, 3:three"])));
56	ok(run(app([@addext_args, "-addext", "subjectAltName=dirName:dirname_sec"])));
57
58	# If a CSR is provided with neither of -key or -CA/-CAkey, this should fail.
59	ok(!run(app(["openssl", "req", "-x509",
60	"-in", srctop_file(@certs, "x509-check.csr"),
61	"-out", "testreq.pem"])));
62
63	subtest "generating alt certificate requests with RSA" => sub {
64	plan tests => 3;
65
66	SKIP: {
67	skip "RSA is not supported by this OpenSSL build", 2
68	if disabled("rsa");
69
70	ok(run(app(["openssl", "req",
71	"-config", srctop_file("test", "test.cnf"),
72	"-section", "altreq",
73	"-new", "-out", "testreq-rsa.pem", "-utf8",
74	"-key", srctop_file("test", "testrsa.pem")])),
75	"Generating request");
76
77	ok(run(app(["openssl", "req",
78	"-config", srctop_file("test", "test.cnf"),
79	"-verify", "-in", "testreq-rsa.pem", "-noout"])),
80	"Verifying signature on request");
81
82	ok(run(app(["openssl", "req",
83	"-config", srctop_file("test", "test.cnf"),
84	"-section", "altreq",
85	"-verify", "-in", "testreq-rsa.pem", "-noout"])),
86	"Verifying signature on request");
87	}
88	};
89
90
91	subtest "generating certificate requests with RSA" => sub {
92	plan tests => 8;
93
94	SKIP: {
95	skip "RSA is not supported by this OpenSSL build", 2
96	if disabled("rsa");
97
98	ok(!run(app(["openssl", "req",
99	"-config", srctop_file("test", "test.cnf"),
100	"-new", "-out", "testreq-rsa.pem", "-utf8",
101	"-key", srctop_file("test", "testrsa.pem"),
102	"-keyform", "DER"])),
103	"Checking that mismatching keyform fails");
104
105	ok(run(app(["openssl", "req",
106	"-config", srctop_file("test", "test.cnf"),
107	"-new", "-out", "testreq-rsa.pem", "-utf8",
108	"-key", srctop_file("test", "testrsa.pem"),
109	"-keyform", "PEM"])),
110	"Generating request");
111
112	ok(run(app(["openssl", "req",
113	"-config", srctop_file("test", "test.cnf"),
114	"-verify", "-in", "testreq-rsa.pem", "-noout"])),
115	"Verifying signature on request");
116
117	ok(run(app(["openssl", "req",
118	"-config", srctop_file("test", "test.cnf"),
119	"-modulus", "-in", "testreq-rsa.pem", "-noout"])),
120	"Printing a modulus of the request key");
121
122	ok(run(app(["openssl", "req",
123	"-config", srctop_file("test", "test.cnf"),
124	"-new", "-out", "testreq_withattrs_pem.pem", "-utf8",
125	"-key", srctop_file("test", "testrsa_withattrs.pem")])),
126	"Generating request from a key with extra attributes - PEM");
127
128	ok(run(app(["openssl", "req",
129	"-config", srctop_file("test", "test.cnf"),
130	"-verify", "-in", "testreq_withattrs_pem.pem", "-noout"])),
131	"Verifying signature on request from a key with extra attributes - PEM");
132
133	ok(run(app(["openssl", "req",
134	"-config", srctop_file("test", "test.cnf"),
135	"-new", "-out", "testreq_withattrs_der.pem", "-utf8",
136	"-key", srctop_file("test", "testrsa_withattrs.der"),
137	"-keyform", "DER"])),
138	"Generating request from a key with extra attributes - PEM");
139
140	ok(run(app(["openssl", "req",
141	"-config", srctop_file("test", "test.cnf"),
142	"-verify", "-in", "testreq_withattrs_der.pem", "-noout"])),
143	"Verifying signature on request from a key with extra attributes - PEM");
144	}
145	};
146
147	subtest "generating certificate requests with RSA-PSS" => sub {
148	plan tests => 12;
149
150	SKIP: {
151	skip "RSA is not supported by this OpenSSL build", 2
152	if disabled("rsa");
153
154	ok(run(app(["openssl", "req",
155	"-config", srctop_file("test", "test.cnf"),
156	"-new", "-out", "testreq-rsapss.pem", "-utf8",
157	"-key", srctop_file("test", "testrsapss.pem")])),
158	"Generating request");
159	ok(run(app(["openssl", "req",
160	"-config", srctop_file("test", "test.cnf"),
161	"-verify", "-in", "testreq-rsapss.pem", "-noout"])),
162	"Verifying signature on request");
163
164	ok(run(app(["openssl", "req",
165	"-config", srctop_file("test", "test.cnf"),
166	"-new", "-out", "testreq-rsapss2.pem", "-utf8",
167	"-sigopt", "rsa_padding_mode:pss",
168	"-sigopt", "rsa_pss_saltlen:-1",
169	"-key", srctop_file("test", "testrsapss.pem")])),
170	"Generating request");
171	ok(run(app(["openssl", "req",
172	"-config", srctop_file("test", "test.cnf"),
173	"-verify", "-in", "testreq-rsapss2.pem", "-noout"])),
174	"Verifying signature on request");
175
176	ok(run(app(["openssl", "req",
177	"-config", srctop_file("test", "test.cnf"),
178	"-new", "-out", "testreq-rsapssmand.pem", "-utf8",
179	"-sigopt", "rsa_padding_mode:pss",
180	"-key", srctop_file("test", "testrsapssmandatory.pem")])),
181	"Generating request");
182	ok(run(app(["openssl", "req",
183	"-config", srctop_file("test", "test.cnf"),
184	"-verify", "-in", "testreq-rsapssmand.pem", "-noout"])),
185	"Verifying signature on request");
186
187	ok(run(app(["openssl", "req",
188	"-config", srctop_file("test", "test.cnf"),
189	"-new", "-out", "testreq-rsapssmand2.pem", "-utf8",
190	"-sigopt", "rsa_pss_saltlen:100",
191	"-key", srctop_file("test", "testrsapssmandatory.pem")])),
192	"Generating request");
193	ok(run(app(["openssl", "req",
194	"-config", srctop_file("test", "test.cnf"),
195	"-verify", "-in", "testreq-rsapssmand2.pem", "-noout"])),
196	"Verifying signature on request");
197
198	ok(!run(app(["openssl", "req",
199	"-config", srctop_file("test", "test.cnf"),
200	"-new", "-out", "testreq-rsapss3.pem", "-utf8",
201	"-sigopt", "rsa_padding_mode:pkcs1",
202	"-key", srctop_file("test", "testrsapss.pem")])),
203	"Generating request with expected failure");
204
205	ok(!run(app(["openssl", "req",
206	"-config", srctop_file("test", "test.cnf"),
207	"-new", "-out", "testreq-rsapss3.pem", "-utf8",
208	"-sigopt", "rsa_pss_saltlen:-5",
209	"-key", srctop_file("test", "testrsapss.pem")])),
210	"Generating request with expected failure");
211
212	ok(!run(app(["openssl", "req",
213	"-config", srctop_file("test", "test.cnf"),
214	"-new", "-out", "testreq-rsapssmand3.pem", "-utf8",
215	"-sigopt", "rsa_pss_saltlen:10",
216	"-key", srctop_file("test", "testrsapssmandatory.pem")])),
217	"Generating request with expected failure");
218
219	ok(!run(app(["openssl", "req",
220	"-config", srctop_file("test", "test.cnf"),
221	"-new", "-out", "testreq-rsapssmand3.pem", "-utf8",
222	"-sha256",
223	"-key", srctop_file("test", "testrsapssmandatory.pem")])),
224	"Generating request with expected failure");
225	}
226	};
227
228	subtest "generating certificate requests with DSA" => sub {
229	plan tests => 2;
230
231	SKIP: {
232	skip "DSA is not supported by this OpenSSL build", 2
233	if disabled("dsa");
234
235	ok(run(app(["openssl", "req",
236	"-config", srctop_file("test", "test.cnf"),
237	"-new", "-out", "testreq-dsa.pem", "-utf8",
238	"-key", srctop_file("test", "testdsa.pem")])),
239	"Generating request");
240
241	ok(run(app(["openssl", "req",
242	"-config", srctop_file("test", "test.cnf"),
243	"-verify", "-in", "testreq-dsa.pem", "-noout"])),
244	"Verifying signature on request");
245	}
246	};
247
248	subtest "generating certificate requests with ECDSA" => sub {
249	plan tests => 2;
250
251	SKIP: {
252	skip "ECDSA is not supported by this OpenSSL build", 2
253	if disabled("ec");
254
255	ok(run(app(["openssl", "req",
256	"-config", srctop_file("test", "test.cnf"),
257	"-new", "-out", "testreq-ec.pem", "-utf8",
258	"-key", srctop_file("test", "testec-p256.pem")])),
259	"Generating request");
260
261	ok(run(app(["openssl", "req",
262	"-config", srctop_file("test", "test.cnf"),
263	"-verify", "-in", "testreq-ec.pem", "-noout"])),
264	"Verifying signature on request");
265	}
266	};
267
268	subtest "generating certificate requests with Ed25519" => sub {
269	plan tests => 2;
270
271	SKIP: {
272	skip "Ed25519 is not supported by this OpenSSL build", 2
273	if disabled("ec");
274
275	ok(run(app(["openssl", "req",
276	"-config", srctop_file("test", "test.cnf"),
277	"-new", "-out", "testreq-ed25519.pem", "-utf8",
278	"-key", srctop_file("test", "tested25519.pem")])),
279	"Generating request");
280
281	ok(run(app(["openssl", "req",
282	"-config", srctop_file("test", "test.cnf"),
283	"-verify", "-in", "testreq-ed25519.pem", "-noout"])),
284	"Verifying signature on request");
285	}
286	};
287
288	subtest "generating certificate requests with Ed448" => sub {
289	plan tests => 2;
290
291	SKIP: {
292	skip "Ed448 is not supported by this OpenSSL build", 2
293	if disabled("ec");
294
295	ok(run(app(["openssl", "req",
296	"-config", srctop_file("test", "test.cnf"),
297	"-new", "-out", "testreq-ed448.pem", "-utf8",
298	"-key", srctop_file("test", "tested448.pem")])),
299	"Generating request");
300
301	ok(run(app(["openssl", "req",
302	"-config", srctop_file("test", "test.cnf"),
303	"-verify", "-in", "testreq-ed448.pem", "-noout"])),
304	"Verifying signature on request");
305	}
306	};
307
308	subtest "generating certificate requests" => sub {
309	plan tests => 2;
310
311	ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"),
312	"-key", srctop_file("test", "certs", "ee-key.pem"),
313	@req_new, "-out", "testreq.pem"])),
314	"Generating request");
315
316	ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"),
317	"-verify", "-in", "testreq.pem", "-noout"])),
318	"Verifying signature on request");
319	};
320
321	subtest "generating SM2 certificate requests" => sub {
322	plan tests => 4;
323
324	SKIP: {
325	skip "SM2 is not supported by this OpenSSL build", 4
326	if disabled("sm2");
327	ok(run(app(["openssl", "req",
328	"-config", srctop_file("test", "test.cnf"),
329	"-new", "-key", srctop_file(@certs, "sm2.key"),
330	"-sigopt", "distid:1234567812345678",
331	"-out", "testreq-sm2.pem", "-sm3"])),
332	"Generating SM2 certificate request");
333
334	ok(run(app(["openssl", "req",
335	"-config", srctop_file("test", "test.cnf"),
336	"-verify", "-in", "testreq-sm2.pem", "-noout",
337	"-vfyopt", "distid:1234567812345678", "-sm3"])),
338	"Verifying signature on SM2 certificate request");
339
340	ok(run(app(["openssl", "req",
341	"-config", srctop_file("test", "test.cnf"),
342	"-new", "-key", srctop_file(@certs, "sm2.key"),
343	"-sigopt", "hexdistid:DEADBEEF",
344	"-out", "testreq-sm2.pem", "-sm3"])),
345	"Generating SM2 certificate request with hex id");
346
347	ok(run(app(["openssl", "req",
348	"-config", srctop_file("test", "test.cnf"),
349	"-verify", "-in", "testreq-sm2.pem", "-noout",
350	"-vfyopt", "hexdistid:DEADBEEF", "-sm3"])),
351	"Verifying signature on SM2 certificate request");
352	}
353	};
354
355	my @openssl_args = ("req", "-config", srctop_file("apps", "openssl.cnf"));
356
357	run_conversion('req conversions',
358	"testreq.pem");
359	run_conversion('req conversions -- testreq2',
360	srctop_file("test", "testreq2.pem"));
361
362	sub run_conversion {
363	my $title = shift;
364	my $reqfile = shift;
365
366	subtest $title => sub {
367	run(app(["openssl", @openssl_args,
368	"-in", $reqfile, "-inform", "p",
369	"-noout", "-text"],
370	stderr => "req-check.err", stdout => undef));
371	open DATA, "req-check.err";
372	SKIP: {
373	plan skip_all => "skipping req conversion test for $reqfile"
374	if grep /Unknown Public Key/, map { s/\R//; } <DATA>;
375
376	tconversion( -type => 'req', -in => $reqfile,
377	-args => [ @openssl_args ] );
378	}
379	close DATA;
380	unlink "req-check.err";
381
382	done_testing();
383	};
384	}
385
386	# Test both generation and verification of certs w.r.t. RFC 5280 requirements
387
388	my $ca_cert; # will be set below
389	sub generate_cert {
390	my $cert = shift @_;
391	my $ss = $cert =~ m/self-signed/;
392	my $is_ca = $cert =~ m/CA/;
393	my $cn = $is_ca ? "CA" : "EE";
394	my $ca_key = srctop_file(@certs, "ca-key.pem");
395	my $key = $is_ca ? $ca_key : srctop_file(@certs, "ee-key.pem");
396	my @cmd = ("openssl", "req", "-config", "", "-x509",
397	"-subj", "/CN=$cn", @_, "-out", $cert);
398	push(@cmd, ("-key", $key)) if $ss;
399	push(@cmd, ("-CA", $ca_cert, "-CAkey", $ca_key)) unless $ss;
400	ok(run(app([@cmd])), "generate $cert");
401	}
402	sub has_SKID {
403	my $cert = shift @_;
404	my $expect = shift @_;
405	cert_contains($cert, "Subject Key Identifier", $expect);
406	}
407	sub has_AKID {
408	my $cert = shift @_;
409	my $expect = shift @_;
410	cert_contains($cert, "Authority Key Identifier", $expect);
411	}
412	sub has_keyUsage {
413	my $cert = shift @_;
414	my $expect = shift @_;
415	cert_contains($cert, "Key Usage", $expect);
416	}
417	sub strict_verify {
418	my $cert = shift @_;
419	my $expect = shift @_;
420	my $trusted = shift @_;
421	$trusted = $cert unless $trusted;
422	ok(run(app(["openssl", "verify", "-x509_strict", "-trusted", $trusted,
423	"-partial_chain", $cert])) == $expect,
424	"strict verify allow $cert");
425	}
426
427	my @v3_ca = ("-addext", "basicConstraints = critical,CA:true",
428	"-addext", "keyUsage = keyCertSign");
429	my $SKID_AKID = "subjectKeyIdentifier,authorityKeyIdentifier";
430	my $cert = "self-signed_v1_CA_no_KIDs.pem";
431	generate_cert($cert);
432	cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID
433	#TODO strict_verify($cert, 1); # self-signed v1 root cert should be accepted as CA
434
435	$ca_cert = "self-signed_v3_CA_default_SKID.pem";
436	generate_cert($ca_cert, @v3_ca);
437	has_SKID($ca_cert, 1);
438	has_AKID($ca_cert, 0);
439	strict_verify($ca_cert, 1);
440
441	$cert = "self-signed_v3_CA_no_SKID.pem";
442	generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = none");
443	cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID
444	#TODO strict_verify($cert, 0);
445
446	$cert = "self-signed_v3_CA_both_KIDs.pem";
447	generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = hash",
448	"-addext", "authorityKeyIdentifier = keyid:always");
449	cert_ext_has_n_different_lines($cert, 3, $SKID_AKID); # SKID == AKID
450	strict_verify($cert, 1);
451
452	$cert = "self-signed_v3_EE_wrong_keyUsage.pem";
453	generate_cert($cert, "-addext", "keyUsage = keyCertSign");
454	#TODO strict_verify($cert, 1); # should be accepted because RFC 5280 does not apply
455
456	$cert = "v3_EE_default_KIDs.pem";
457	generate_cert($cert, "-addext", "keyUsage = dataEncipherment",
458	"-key", srctop_file(@certs, "ee-key.pem"));
459	cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
460	strict_verify($cert, 1, $ca_cert);
461
462	$cert = "v3_EE_no_AKID.pem";
463	generate_cert($cert, "-addext", "authorityKeyIdentifier = none",
464	"-key", srctop_file(@certs, "ee-key.pem"));
465	has_SKID($cert, 1);
466	has_AKID($cert, 0);
467	strict_verify($cert, 0, $ca_cert);
468
469	$cert = "self-issued_v3_EE_default_KIDs.pem";
470	generate_cert($cert, "-addext", "keyUsage = dataEncipherment",
471	"-in", srctop_file(@certs, "x509-check.csr"));
472	cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
473	strict_verify($cert, 1);
474
475	my $cert = "self-signed_CA_no_keyUsage.pem";
476	generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"));
477	has_keyUsage($cert, 0);
478	my $cert = "self-signed_CA_with_keyUsages.pem";
479	generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"),
480	"-copy_extensions", "copy");
481	has_keyUsage($cert, 1);
482
483	# Generate cert using req with '-modulus'
484	ok(run(app(["openssl", "req", "-x509", "-new", "-days", "365",
485	"-key", srctop_file("test", "testrsa.pem"),
486	"-config", srctop_file('test', 'test.cnf'),
487	"-out", "testreq-cert.pem",
488	"-modulus"])), "cert req creation - with -modulus");
489
490	# Verify cert
491	ok(run(app(["openssl", "x509", "-in", "testreq-cert.pem",
492	"-noout", "-text"])), "cert verification");

注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

source: vbox/trunk/src/libs/openssl-3.1.7/test/recipes/25-test_req.t@ 105945

以其他格式下載: