80-test_cms.t@ 108206

Last change on this file since 108206 was 108206, checked in by vboxsync, 3 months ago
openssl-3.3.2: Exported all files to OSE and removed .scm-settings bugref:10757
Property svn:eol-style set to `LF` Property svn:executable set to ``* Property svn:keywords set to `Author Date Id Revision`
File size: 47.4 KB

Line
1	#! /usr/bin/env perl
2	# Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
3	#
4	# Licensed under the Apache License 2.0 (the "License"). You may not use
5	# this file except in compliance with the License. You can obtain a copy
6	# in the file LICENSE in the source distribution or at
7	# https://www.openssl.org/source/license.html
8
9
10	use strict;
11	use warnings;
12
13	use POSIX;
14	use File::Spec::Functions qw/catfile/;
15	use File::Compare qw/compare_text compare/;
16	use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with data_file/;
17
18	use OpenSSL::Test::Utils;
19
20	BEGIN {
21	setup("test_cms");
22	}
23
24	use lib srctop_dir('Configurations');
25	use lib bldtop_dir('.');
26
27	my $no_fips = disabled('fips') \|\| ($ENV{NO_FIPS} // 0);
28
29	plan skip_all => "CMS is not supported by this OpenSSL build"
30	if disabled("cms");
31
32	my $provpath = bldtop_dir("providers");
33
34	# Some tests require legacy algorithms to be included.
35	my @legacyprov = ("-provider-path", $provpath,
36	"-provider", "default",
37	"-provider", "legacy" );
38	my @defaultprov = ("-provider-path", $provpath,
39	"-provider", "default");
40
41	my @config = ( );
42	my $provname = 'default';
43
44	my $datadir = srctop_dir("test", "recipes", "80-test_cms_data");
45	my $smdir = srctop_dir("test", "smime-certs");
46	my $smcont = srctop_file("test", "smcont.txt");
47	my $smcont_zero = srctop_file("test", "smcont_zero.txt");
48	my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
49	= disabled qw/des dh dsa ec ec2m rc2 zlib/;
50
51	$no_rc2 = 1 if disabled("legacy");
52
53	plan tests => 23;
54
55	ok(run(test(["pkcs7_test"])), "test pkcs7");
56
57	unless ($no_fips) {
58	@config = ( "-config", srctop_file("test", "fips-and-base.cnf") );
59	$provname = 'fips';
60	}
61
62	$ENV{OPENSSL_TEST_LIBCTX} = "1";
63	my @prov = ("-provider-path", $provpath,
64	@config,
65	"-provider", $provname);
66
67	my $smrsa1024 = catfile($smdir, "smrsa1024.pem");
68	my $smrsa1 = catfile($smdir, "smrsa1.pem");
69	my $smroot = catfile($smdir, "smroot.pem");
70
71	my @smime_pkcs7_tests = (
72
73	[ "signed content DER format, RSA key",
74	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
75	"-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
76	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
77	"-CAfile", $smroot, "-out", "{output}.txt" ],
78	\&final_compare
79	],
80
81	[ "signed detached content DER format, RSA key",
82	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
83	"-signer", $smrsa1, "-out", "{output}.cms" ],
84	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
85	"-CAfile", $smroot, "-out", "{output}.txt",
86	"-content", $smcont ],
87	\&final_compare
88	],
89
90	[ "signed content test streaming BER format, RSA",
91	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
92	"-stream",
93	"-signer", $smrsa1, "-out", "{output}.cms" ],
94	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
95	"-CAfile", $smroot, "-out", "{output}.txt" ],
96	\&final_compare
97	],
98
99	[ "signed content DER format, DSA key",
100	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
101	"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
102	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
103	"-CAfile", $smroot, "-out", "{output}.txt" ],
104	\&final_compare
105	],
106
107	[ "signed detached content DER format, DSA key",
108	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
109	"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
110	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
111	"-CAfile", $smroot, "-out", "{output}.txt",
112	"-content", $smcont ],
113	\&final_compare
114	],
115
116	[ "signed detached content DER format, add RSA signer (with DSA existing)",
117	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
118	"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
119	[ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
120	"-signer", $smrsa1, "-out", "{output}2.cms" ],
121	[ "{cmd2}", @prov, "-verify", "-in", "{output}2.cms", "-inform", "DER",
122	"-CAfile", $smroot, "-out", "{output}.txt",
123	"-content", $smcont ],
124	\&final_compare
125	],
126
127	[ "signed content test streaming BER format, DSA key",
128	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
129	"-nodetach", "-stream",
130	"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
131	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
132	"-CAfile", $smroot, "-out", "{output}.txt" ],
133	\&final_compare
134	],
135
136	[ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
137	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
138	"-nodetach", "-stream",
139	"-signer", $smrsa1,
140	"-signer", catfile($smdir, "smrsa2.pem"),
141	"-signer", catfile($smdir, "smdsa1.pem"),
142	"-signer", catfile($smdir, "smdsa2.pem"),
143	"-out", "{output}.cms" ],
144	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
145	"-CAfile", $smroot, "-out", "{output}.txt" ],
146	\&final_compare
147	],
148
149	[ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
150	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
151	"-noattr", "-nodetach", "-stream",
152	"-signer", $smrsa1,
153	"-signer", catfile($smdir, "smrsa2.pem"),
154	"-signer", catfile($smdir, "smdsa1.pem"),
155	"-signer", catfile($smdir, "smdsa2.pem"),
156	"-out", "{output}.cms" ],
157	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
158	"-CAfile", $smroot, "-out", "{output}.txt" ],
159	\&final_compare
160	],
161
162	[ "signed content S/MIME format, RSA key SHA1",
163	[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
164	"-certfile", $smroot,
165	"-signer", $smrsa1, "-out", "{output}.cms" ],
166	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
167	"-CAfile", $smroot, "-out", "{output}.txt" ],
168	\&final_compare
169	],
170
171	[ "signed zero-length content S/MIME format, RSA key SHA1",
172	[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",
173	"-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
174	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
175	"-CAfile", $smroot, "-out", "{output}.txt" ],
176	\&zero_compare
177	],
178
179	[ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
180	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
181	"-signer", $smrsa1,
182	"-signer", catfile($smdir, "smrsa2.pem"),
183	"-signer", catfile($smdir, "smdsa1.pem"),
184	"-signer", catfile($smdir, "smdsa2.pem"),
185	"-stream", "-out", "{output}.cms" ],
186	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
187	"-CAfile", $smroot, "-out", "{output}.txt" ],
188	\&final_compare
189	],
190
191	[ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
192	[ "{cmd1}", @prov, "-sign", "-in", $smcont,
193	"-signer", $smrsa1,
194	"-signer", catfile($smdir, "smrsa2.pem"),
195	"-signer", catfile($smdir, "smdsa1.pem"),
196	"-signer", catfile($smdir, "smdsa2.pem"),
197	"-stream", "-out", "{output}.cms" ],
198	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
199	"-CAfile", $smroot, "-out", "{output}.txt" ],
200	\&final_compare
201	],
202
203	[ "enveloped content test streaming S/MIME format, DES, 3 recipients",
204	[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
205	"-stream", "-out", "{output}.cms",
206	$smrsa1,
207	catfile($smdir, "smrsa2.pem"),
208	catfile($smdir, "smrsa3.pem") ],
209	[ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
210	"-in", "{output}.cms", "-out", "{output}.txt" ],
211	\&final_compare
212	],
213
214	[ "enveloped content test streaming S/MIME format, DES, 3 recipients, 3rd used",
215	[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
216	"-stream", "-out", "{output}.cms",
217	$smrsa1,
218	catfile($smdir, "smrsa2.pem"),
219	catfile($smdir, "smrsa3.pem") ],
220	[ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smrsa3.pem"),
221	"-in", "{output}.cms", "-out", "{output}.txt" ],
222	\&final_compare
223	],
224
225	[ "enveloped content test streaming S/MIME format, DES, 3 recipients, cert and key files used",
226	[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
227	"-stream", "-out", "{output}.cms",
228	$smrsa1,
229	catfile($smdir, "smrsa2.pem"),
230	catfile($smdir, "smrsa3-cert.pem") ],
231	[ "{cmd2}", @defaultprov, "-decrypt",
232	"-recip", catfile($smdir, "smrsa3-cert.pem"),
233	"-inkey", catfile($smdir, "smrsa3-key.pem"),
234	"-in", "{output}.cms", "-out", "{output}.txt" ],
235	\&final_compare
236	],
237
238	[ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
239	[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
240	"-aes256", "-stream", "-out", "{output}.cms",
241	$smrsa1,
242	catfile($smdir, "smrsa2.pem"),
243	catfile($smdir, "smrsa3.pem") ],
244	[ "{cmd2}", @prov, "-decrypt", "-recip", $smrsa1,
245	"-in", "{output}.cms", "-out", "{output}.txt" ],
246	\&final_compare
247	],
248
249	);
250
251	my @smime_cms_tests = (
252
253	[ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
254	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
255	"-nodetach", "-keyid",
256	"-signer", $smrsa1,
257	"-signer", catfile($smdir, "smrsa2.pem"),
258	"-signer", catfile($smdir, "smdsa1.pem"),
259	"-signer", catfile($smdir, "smdsa2.pem"),
260	"-stream", "-out", "{output}.cms" ],
261	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
262	"-CAfile", $smroot, "-out", "{output}.txt" ],
263	\&final_compare
264	],
265
266	[ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
267	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
268	"-signer", $smrsa1,
269	"-signer", catfile($smdir, "smrsa2.pem"),
270	"-signer", catfile($smdir, "smdsa1.pem"),
271	"-signer", catfile($smdir, "smdsa2.pem"),
272	"-stream", "-out", "{output}.cms" ],
273	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
274	"-CAfile", $smroot, "-out", "{output}.txt" ],
275	\&final_compare
276	],
277
278	[ "signed content MIME format, RSA key, signed receipt request",
279	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
280	"-signer", $smrsa1,
281	"-receipt_request_to", "test\@openssl.org", "-receipt_request_all",
282	"-out", "{output}.cms" ],
283	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
284	"-CAfile", $smroot, "-out", "{output}.txt" ],
285	\&final_compare
286	],
287
288	[ "signed receipt MIME format, RSA key",
289	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
290	"-signer", $smrsa1,
291	"-receipt_request_to", "test\@openssl.org", "-receipt_request_all",
292	"-out", "{output}.cms" ],
293	[ "{cmd1}", @prov, "-sign_receipt", "-in", "{output}.cms",
294	"-signer", catfile($smdir, "smrsa2.pem"), "-out", "{output}2.cms" ],
295	[ "{cmd2}", @prov, "-verify_receipt", "{output}2.cms", "-in", "{output}.cms",
296	"-CAfile", $smroot ]
297	],
298
299	[ "enveloped content test streaming S/MIME format, DES, 3 recipients, keyid",
300	[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
301	"-stream", "-out", "{output}.cms", "-keyid",
302	$smrsa1,
303	catfile($smdir, "smrsa2.pem"),
304	catfile($smdir, "smrsa3.pem") ],
305	[ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
306	"-in", "{output}.cms", "-out", "{output}.txt" ],
307	\&final_compare
308	],
309
310	[ "enveloped content test streaming PEM format, AES-256-CBC cipher, KEK",
311	[ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128",
312	"-stream", "-out", "{output}.cms",
313	"-secretkey", "000102030405060708090A0B0C0D0E0F",
314	"-secretkeyid", "C0FEE0" ],
315	[ "{cmd2}", @prov, "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
316	"-inform", "PEM",
317	"-secretkey", "000102030405060708090A0B0C0D0E0F",
318	"-secretkeyid", "C0FEE0" ],
319	\&final_compare
320	],
321
322	[ "enveloped content test streaming PEM format, AES-256-GCM cipher, KEK",
323	[ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes-128-gcm",
324	"-stream", "-out", "{output}.cms",
325	"-secretkey", "000102030405060708090A0B0C0D0E0F",
326	"-secretkeyid", "C0FEE0" ],
327	[ "{cmd2}", "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
328	"-inform", "PEM",
329	"-secretkey", "000102030405060708090A0B0C0D0E0F",
330	"-secretkeyid", "C0FEE0" ],
331	\&final_compare
332	],
333
334	[ "enveloped content test streaming PEM format, KEK, key only",
335	[ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128",
336	"-stream", "-out", "{output}.cms",
337	"-secretkey", "000102030405060708090A0B0C0D0E0F",
338	"-secretkeyid", "C0FEE0" ],
339	[ "{cmd2}", @prov, "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
340	"-inform", "PEM",
341	"-secretkey", "000102030405060708090A0B0C0D0E0F" ],
342	\&final_compare
343	],
344
345	[ "data content test streaming PEM format",
346	[ "{cmd1}", @prov, "-data_create", "-in", $smcont, "-outform", "PEM",
347	"-nodetach", "-stream", "-out", "{output}.cms" ],
348	[ "{cmd2}", @prov, "-data_out", "-in", "{output}.cms", "-inform", "PEM",
349	"-out", "{output}.txt" ],
350	\&final_compare
351	],
352
353	[ "encrypted content test streaming PEM format, 128 bit RC2 key",
354	[ "{cmd1}", @legacyprov, "-EncryptedData_encrypt",
355	"-in", $smcont, "-outform", "PEM",
356	"-rc2", "-secretkey", "000102030405060708090A0B0C0D0E0F",
357	"-stream", "-out", "{output}.cms" ],
358	[ "{cmd2}", @legacyprov, "-EncryptedData_decrypt", "-in", "{output}.cms",
359	"-inform", "PEM",
360	"-secretkey", "000102030405060708090A0B0C0D0E0F",
361	"-out", "{output}.txt" ],
362	\&final_compare
363	],
364
365	[ "encrypted content test streaming PEM format, 40 bit RC2 key",
366	[ "{cmd1}", @legacyprov, "-EncryptedData_encrypt",
367	"-in", $smcont, "-outform", "PEM",
368	"-rc2", "-secretkey", "0001020304",
369	"-stream", "-out", "{output}.cms" ],
370	[ "{cmd2}", @legacyprov, "-EncryptedData_decrypt", "-in", "{output}.cms",
371	"-inform", "PEM",
372	"-secretkey", "0001020304", "-out", "{output}.txt" ],
373	\&final_compare
374	],
375
376	[ "encrypted content test streaming PEM format, triple DES key",
377	[ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
378	"-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
379	"-stream", "-out", "{output}.cms" ],
380	[ "{cmd2}", @prov, "-EncryptedData_decrypt", "-in", "{output}.cms",
381	"-inform", "PEM",
382	"-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
383	"-out", "{output}.txt" ],
384	\&final_compare
385	],
386
387	[ "encrypted content test streaming PEM format, 128 bit AES key",
388	[ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
389	"-aes128", "-secretkey", "000102030405060708090A0B0C0D0E0F",
390	"-stream", "-out", "{output}.cms" ],
391	[ "{cmd2}", @prov, "-EncryptedData_decrypt", "-in", "{output}.cms",
392	"-inform", "PEM",
393	"-secretkey", "000102030405060708090A0B0C0D0E0F",
394	"-out", "{output}.txt" ],
395	\&final_compare
396	],
397
398	[ "encrypted content test streaming PEM format -noout, 128 bit AES key",
399	[ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
400	"-aes128", "-secretkey", "000102030405060708090A0B0C0D0E0F",
401	"-stream", "-noout" ],
402	[ "{cmd2}", @prov, "-help" ]
403	],
404	);
405
406	my @smime_cms_cades_tests = (
407
408	[ "signed content DER format, RSA key, CAdES-BES compatible",
409	[ "{cmd1}", @prov, "-sign", "-cades", "-in", $smcont, "-outform", "DER",
410	"-nodetach",
411	"-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
412	[ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
413	"-CAfile", $smroot, "-out", "{output}.txt" ],
414	\&final_compare
415	],
416
417	[ "signed content DER format, RSA key, SHA256 md, CAdES-BES compatible",
418	[ "{cmd1}", @prov, "-sign", "-cades", "-md", "sha256", "-in", $smcont, "-outform",
419	"DER", "-nodetach", "-certfile", $smroot,
420	"-signer", $smrsa1, "-out", "{output}.cms" ],
421	[ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
422	"-CAfile", $smroot, "-out", "{output}.txt" ],
423	\&final_compare
424	],
425
426	[ "signed content DER format, RSA key, SHA512 md, CAdES-BES compatible",
427	[ "{cmd1}", @prov, "-sign", "-cades", "-md", "sha512", "-in", $smcont, "-outform",
428	"DER", "-nodetach", "-certfile", $smroot,
429	"-signer", $smrsa1, "-out", "{output}.cms" ],
430	[ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
431	"-CAfile", $smroot, "-out", "{output}.txt" ],
432	\&final_compare
433	],
434
435	[ "signed content DER format, RSA key, SHA256 md, CAdES-BES compatible",
436	[ "{cmd1}", @prov, "-sign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256",
437	"-in", $smcont, "-outform", "DER",
438	"-certfile", $smroot, "-signer", $smrsa1,
439	"-outform", "DER", "-out", "{output}.cms" ],
440	[ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
441	"-CAfile", $smroot, "-out", "{output}.txt" ],
442	\&final_compare
443	],
444
445	[ "resigned content DER format, RSA key, SHA256 md, CAdES-BES compatible",
446	[ "{cmd1}", @prov, "-sign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256",
447	"-in", $smcont, "-outform", "DER",
448	"-certfile", $smroot, "-signer", $smrsa1,
449	"-outform", "DER", "-out", "{output}.cms" ],
450	[ "{cmd1}", @prov, "-resign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256",
451	"-inform", "DER", "-in", "{output}.cms",
452	"-certfile", $smroot, "-signer", catfile($smdir, "smrsa2.pem"),
453	"-outform", "DER", "-out", "{output}2.cms" ],
454
455	[ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}2.cms", "-inform", "DER",
456	"-CAfile", $smroot, "-out", "{output}.txt" ],
457	\&final_compare
458	],
459	);
460
461	my @smime_cms_cades_ko_tests = (
462	[ "sign content DER format, RSA key, not CAdES-BES compatible",
463	[ @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
464	"-certfile", $smroot, "-signer", $smrsa1, "-out", "cades-ko.cms" ],
465	"fail to verify token since requiring CAdES-BES compatibility",
466	[ @prov, "-verify", "-cades", "-in", "cades-ko.cms", "-inform", "DER",
467	"-CAfile", $smroot, "-out", "cades-ko.txt" ],
468	\&final_compare
469	]
470	);
471
472	# cades options test - check that some combinations are rejected
473	my @smime_cms_cades_invalid_option_tests = (
474	[
475	[ "-cades", "-noattr" ],
476	],[
477	[ "-verify", "-cades", "-noattr" ],
478	],[
479	[ "-verify", "-cades", "-noverify" ],
480	],
481	);
482
483	my @smime_cms_comp_tests = (
484
485	[ "compressed content test streaming PEM format",
486	[ "{cmd1}", @prov, "-compress", "-in", $smcont, "-outform", "PEM", "-nodetach",
487	"-stream", "-out", "{output}.cms" ],
488	[ "{cmd2}", @prov, "-uncompress", "-in", "{output}.cms", "-inform", "PEM",
489	"-out", "{output}.txt" ],
490	\&final_compare
491	]
492
493	);
494
495	my @smime_cms_param_tests = (
496	[ "signed content test streaming PEM format, RSA keys, PSS signature",
497	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
498	"-signer", $smrsa1,
499	"-keyopt", "rsa_padding_mode:pss",
500	"-out", "{output}.cms" ],
501	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
502	"-CAfile", $smroot, "-out", "{output}.txt" ],
503	\&final_compare
504	],
505
506	[ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=max",
507	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
508	"-signer", $smrsa1,
509	"-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:max",
510	"-out", "{output}.cms" ],
511	sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 222; },
512	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
513	"-CAfile", $smroot, "-out", "{output}.txt" ],
514	\&final_compare
515	],
516
517	[ "signed content test streaming PEM format, RSA keys, PSS signature, no attributes",
518	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
519	"-noattr", "-signer", $smrsa1,
520	"-keyopt", "rsa_padding_mode:pss",
521	"-out", "{output}.cms" ],
522	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
523	"-CAfile", $smroot, "-out", "{output}.txt" ],
524	\&final_compare
525	],
526
527	[ "signed content test streaming PEM format, RSA keys, PSS signature, SHA384 MGF1",
528	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
529	"-signer", $smrsa1,
530	"-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_mgf1_md:sha384",
531	"-out", "{output}.cms" ],
532	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
533	"-CAfile", $smroot, "-out", "{output}.txt" ],
534	\&final_compare
535	],
536
537	[ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=16",
538	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
539	"-signer", $smrsa1, "-md", "sha256",
540	"-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:16",
541	"-out", "{output}.cms" ],
542	sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 16; },
543	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
544	"-CAfile", $smroot, "-out", "{output}.txt" ],
545	\&final_compare
546	],
547
548	[ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=digest",
549	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
550	"-signer", $smrsa1, "-md", "sha256",
551	"-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:digest",
552	"-out", "{output}.cms" ],
553	# digest is SHA-256, which produces 32 bytes of output
554	sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 32; },
555	[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
556	"-CAfile", $smroot, "-out", "{output}.txt" ],
557	\&final_compare
558	],
559
560	[ "enveloped content test streaming S/MIME format, DES, OAEP default parameters",
561	[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
562	"-stream", "-out", "{output}.cms",
563	"-recip", $smrsa1,
564	"-keyopt", "rsa_padding_mode:oaep" ],
565	[ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
566	"-in", "{output}.cms", "-out", "{output}.txt" ],
567	\&final_compare
568	],
569
570	[ "enveloped content test streaming S/MIME format, DES, OAEP SHA256",
571	[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
572	"-stream", "-out", "{output}.cms",
573	"-recip", $smrsa1,
574	"-keyopt", "rsa_padding_mode:oaep",
575	"-keyopt", "rsa_oaep_md:sha256" ],
576	[ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
577	"-in", "{output}.cms", "-out", "{output}.txt" ],
578	\&final_compare
579	],
580
581	[ "enveloped content test streaming S/MIME format, DES, ECDH",
582	[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
583	"-stream", "-out", "{output}.cms",
584	"-recip", catfile($smdir, "smec1.pem") ],
585	[ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
586	"-in", "{output}.cms", "-out", "{output}.txt" ],
587	\&final_compare
588	],
589
590	[ "enveloped content test streaming S/MIME format, DES, ECDH, 2 recipients, key only used",
591	[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
592	"-stream", "-out", "{output}.cms",
593	catfile($smdir, "smec1.pem"),
594	catfile($smdir, "smec3.pem") ],
595	[ "{cmd2}", @defaultprov, "-decrypt", "-inkey", catfile($smdir, "smec3.pem"),
596	"-in", "{output}.cms", "-out", "{output}.txt" ],
597	\&final_compare
598	],
599
600	[ "enveloped content test streaming S/MIME format, ECDH, DES, key identifier",
601	[ "{cmd1}", @defaultprov, "-encrypt", "-keyid", "-in", $smcont,
602	"-stream", "-out", "{output}.cms",
603	"-recip", catfile($smdir, "smec1.pem") ],
604	[ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
605	"-in", "{output}.cms", "-out", "{output}.txt" ],
606	\&final_compare
607	],
608
609	[ "enveloped content test streaming S/MIME format, ECDH, AES-128-CBC, SHA256 KDF",
610	[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
611	"-stream", "-out", "{output}.cms",
612	"-recip", catfile($smdir, "smec1.pem"), "-aes128",
613	"-keyopt", "ecdh_kdf_md:sha256" ],
614	[ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
615	"-in", "{output}.cms", "-out", "{output}.txt" ],
616	\&final_compare
617	],
618
619	[ "enveloped content test streaming S/MIME format, ECDH, AES-128-GCM cipher, SHA256 KDF",
620	[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
621	"-stream", "-out", "{output}.cms",
622	"-recip", catfile($smdir, "smec1.pem"), "-aes-128-gcm", "-keyopt", "ecdh_kdf_md:sha256" ],
623	[ "{cmd2}", "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
624	"-in", "{output}.cms", "-out", "{output}.txt" ],
625	\&final_compare
626	],
627
628	[ "enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH",
629	[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
630	"-stream", "-out", "{output}.cms",
631	"-recip", catfile($smdir, "smec2.pem"), "-aes128",
632	"-keyopt", "ecdh_kdf_md:sha256", "-keyopt", "ecdh_cofactor_mode:1" ],
633	[ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smec2.pem"),
634	"-in", "{output}.cms", "-out", "{output}.txt" ],
635	\&final_compare
636	],
637
638	[ "enveloped content test streaming S/MIME format, X9.42 DH",
639	[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
640	"-stream", "-out", "{output}.cms",
641	"-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
642	[ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
643	"-in", "{output}.cms", "-out", "{output}.txt" ],
644	\&final_compare
645	]
646	);
647
648	my @smime_cms_param_tests_autodigestmax = (
649	[ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=auto-digestmax, digestsize < maximum salt length",
650	[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
651	"-signer", $smrsa1, "-md", "sha256",
652	"-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:auto-digestmax",
653	"-out", "{output}.cms" ],
654	# digest is SHA-256, which produces 32, bytes of output
655	sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 32; },
656	[ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
657	"-CAfile", $smroot, "-out", "{output}.txt" ],
658	\&final_compare
659	],
660
661	[ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=auto-digestmax, digestsize > maximum salt length",
662	[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
663	"-signer", $smrsa1024, "-md", "sha512",
664	"-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:auto-digestmax",
665	"-out", "{output}.cms" ],
666	# digest is SHA-512, which produces 64, bytes of output, but an RSA-PSS
667	# signature with a 1024 bit RSA key can only accommodate 62
668	sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 62; },
669	[ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
670	"-CAfile", $smroot, "-out", "{output}.txt" ],
671	\&final_compare
672	]
673	);
674
675
676	my @contenttype_cms_test = (
677	[ "signed content test - check that content type is added to additional signerinfo, RSA keys",
678	[ "{cmd1}", @prov, "-sign", "-binary", "-nodetach", "-stream", "-in", $smcont,
679	"-outform", "DER", "-signer", $smrsa1, "-md", "SHA256",
680	"-out", "{output}.cms" ],
681	[ "{cmd1}", @prov, "-resign", "-binary", "-nodetach", "-in", "{output}.cms",
682	"-inform", "DER", "-outform", "DER",
683	"-signer", catfile($smdir, "smrsa2.pem"), "-md", "SHA256",
684	"-out", "{output}2.cms" ],
685	sub { my %opts = @_; contentType_matches("$opts{output}2.cms") == 2; },
686	[ "{cmd2}", @prov, "-verify", "-in", "{output}2.cms", "-inform", "DER",
687	"-CAfile", $smroot, "-out", "{output}.txt" ]
688	],
689	);
690
691	my @incorrect_attribute_cms_test = (
692	"bad_signtime_attr.cms",
693	"no_ct_attr.cms",
694	"no_md_attr.cms",
695	"ct_multiple_attr.cms"
696	);
697
698	# Runs a standard loop on the input array
699	sub runner_loop {
700	my %opts = ( @_ );
701	my $cnt1 = 0;
702
703	foreach (@{$opts{tests}}) {
704	$cnt1++;
705	$opts{output} = "$opts{prefix}-$cnt1";
706	SKIP: {
707	my $skip_reason = check_availability($$_[0]);
708	skip $skip_reason, 1 if $skip_reason;
709	my $ok = 1;
710	1 while unlink "$opts{output}.txt";
711
712	foreach (@$_[1..$#$_]) {
713	if (ref $_ eq 'CODE') {
714	$ok &&= $_->(%opts);
715	} else {
716	my @cmd = map {
717	my $x = $_;
718	while ($x =~ /\{([^\}]+)\}/) {
719	$x = $`.$opts{$1}.$' if exists $opts{$1};
720	}
721	$x;
722	} @$_;
723
724	diag "CMD: openssl ", join(" ", @cmd);
725	$ok &&= run(app(["openssl", @cmd]));
726	$opts{input} = $opts{output};
727	}
728	}
729
730	ok($ok, $$_[0]);
731	}
732	}
733	}
734
735	sub final_compare {
736	my %opts = @_;
737
738	diag "Comparing $smcont with $opts{output}.txt";
739	return compare_text($smcont, "$opts{output}.txt") == 0;
740	}
741
742	sub zero_compare {
743	my %opts = @_;
744
745	diag "Checking for zero-length file";
746	return (-e "$opts{output}.txt" && -z "$opts{output}.txt");
747	}
748
749	subtest "CMS => PKCS#7 compatibility tests\n" => sub {
750	plan tests => scalar @smime_pkcs7_tests;
751
752	runner_loop(prefix => 'cms2pkcs7', cmd1 => 'cms', cmd2 => 'smime',
753	tests => [ @smime_pkcs7_tests ]);
754	};
755	subtest "CMS <= PKCS#7 compatibility tests\n" => sub {
756	plan tests => scalar @smime_pkcs7_tests;
757
758	runner_loop(prefix => 'pkcs72cms', cmd1 => 'smime', cmd2 => 'cms',
759	tests => [ @smime_pkcs7_tests ]);
760	};
761
762	subtest "CMS <=> CMS consistency tests\n" => sub {
763	plan tests => (scalar @smime_pkcs7_tests) + (scalar @smime_cms_tests);
764
765	runner_loop(prefix => 'cms2cms-1', cmd1 => 'cms', cmd2 => 'cms',
766	tests => [ @smime_pkcs7_tests ]);
767	runner_loop(prefix => 'cms2cms-2', cmd1 => 'cms', cmd2 => 'cms',
768	tests => [ @smime_cms_tests ]);
769	};
770
771	subtest "CMS <=> CMS consistency tests, modified key parameters\n" => sub {
772	plan tests =>
773	(scalar @smime_cms_param_tests) + (scalar @smime_cms_comp_tests) +
774	(scalar @smime_cms_param_tests_autodigestmax) + 1;
775
776	ok(run(app(["openssl", "cms", @prov,
777	"-sign", "-in", $smcont,
778	"-outform", "PEM",
779	"-nodetach",
780	"-signer", $smrsa1,
781	"-keyopt", "rsa_padding_mode:pss",
782	"-keyopt", "rsa_pss_saltlen:auto-digestmax",
783	"-out", "digestmaxtest.cms"])));
784	# Providers that do not support rsa_pss_saltlen:auto-digestmax will parse
785	# it as 0
786	my $no_autodigestmax = rsapssSaltlen("digestmaxtest.cms") == 0;
787	1 while unlink "digestmaxtest.cms";
788
789	runner_loop(prefix => 'cms2cms-mod', cmd1 => 'cms', cmd2 => 'cms',
790	tests => [ @smime_cms_param_tests ]);
791	SKIP: {
792	skip("Zlib not supported: compression tests skipped",
793	scalar @smime_cms_comp_tests)
794	if $no_zlib;
795
796	runner_loop(prefix => 'cms2cms-comp', cmd1 => 'cms', cmd2 => 'cms',
797	tests => [ @smime_cms_comp_tests ]);
798	}
799
800	SKIP: {
801	skip("rsa_pss_saltlen:auto-digestmax not supported",
802	scalar @smime_cms_param_tests_autodigestmax)
803	if $no_autodigestmax;
804
805	runner_loop(prefix => 'cms2cms-comp', 'cmd1' => 'cms', cmd2 => 'cms',
806	tests => [ @smime_cms_param_tests_autodigestmax ]);
807	}
808	};
809
810	# Returns the number of matches of a Content Type Attribute in a binary file.
811	sub contentType_matches {
812	# Read in a binary file
813	my ($in) = @_;
814	open (HEX_IN, "$in") or die("open failed for $in : $!");
815	binmode(HEX_IN);
816	local $/;
817	my $str = <HEX_IN>;
818
819	# Find ASN1 data for a Content Type Attribute (with a OID of PKCS7 data)
820	my @c = $str =~ /\x30\x18\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x03\x31\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x01/gs;
821
822	close(HEX_IN);
823	return scalar(@c);
824	}
825
826	sub rsapssSaltlen {
827	my ($in) = @_;
828	my $exit = 0;
829
830	my @asn1parse = run(app(["openssl", "asn1parse", "-in", $in, "-dump"]),
831	capture => 1,
832	statusvar => $exit);
833	return -1 if $exit != 0;
834
835	my $pssparam_offset = -1;
836	while ($_ = shift @asn1parse) {
837	chomp;
838	next unless /:rsassaPss/;
839	# This line contains :rsassaPss, the next line contains a raw dump of the
840	# RSA_PSS_PARAMS sequence; obtain its offset
841	$_ = shift @asn1parse;
842	if (/^\s*(\d+):/) {
843	$pssparam_offset = int($1);
844	}
845	}
846
847	if ($pssparam_offset == -1) {
848	note "Failed to determine RSA_PSS_PARAM offset in CMS. " +
849	"Was the file correctly signed with RSASSA-PSS?";
850	return -1;
851	}
852
853	my @pssparam = run(app(["openssl", "asn1parse", "-in", $in,
854	"-strparse", $pssparam_offset]),
855	capture => 1,
856	statusvar => $exit);
857	return -1 if $exit != 0;
858
859	my $saltlen = -1;
860	# Can't use asn1parse -item RSA_PSS_PARAMS here, because that's deprecated.
861	# This assumes the salt length is the last field, which may possibly be
862	# incorrect if there is a non-standard trailer field, but there almost never
863	# is in PSS.
864	if ($pssparam[-1] =~ /prim:\s+INTEGER\s+:([A-Fa-f0-9]+)/) {
865	$saltlen = hex($1);
866	}
867
868	if ($saltlen == -1) {
869	note "Failed to determine salt length from RSA_PSS_PARAM struct. " +
870	"Was the file correctly signed with RSASSA-PSS?";
871	return -1;
872	}
873
874	return $saltlen;
875	}
876
877	subtest "CMS Check the content type attribute is added for additional signers\n" => sub {
878	plan tests => (scalar @contenttype_cms_test);
879
880	runner_loop(prefix => 'cms2cms-added', cmd1 => 'cms', cmd2 => 'cms',
881	tests => [ @contenttype_cms_test ]);
882	};
883
884	subtest "CMS Check that bad attributes fail when verifying signers\n" => sub {
885	plan tests =>
886	(scalar @incorrect_attribute_cms_test);
887
888	my $cnt = 0;
889	foreach my $name (@incorrect_attribute_cms_test) {
890	my $out = "incorrect-$cnt.txt";
891
892	ok(!run(app(["openssl", "cms", @prov, "-verify", "-in",
893	catfile($datadir, $name), "-inform", "DER", "-CAfile",
894	$smroot, "-out", $out ])),
895	$name);
896	}
897	};
898
899	subtest "CMS Check that bad encryption algorithm fails\n" => sub {
900	plan tests => 1;
901
902	SKIP: {
903	skip "DES or Legacy isn't supported in this build", 1
904	if disabled("des") \|\| disabled("legacy");
905
906	my $out = "smtst.txt";
907
908	ok(!run(app(["openssl", "cms", @legacyprov, "-encrypt",
909	"-in", $smcont,
910	"-stream", "-recip", $smrsa1,
911	"-des-ede3",
912	"-out", $out ])),
913	"Decrypt message from OpenSSL 1.1.1");
914	}
915	};
916
917	subtest "CMS Decrypt message encrypted with OpenSSL 1.1.1\n" => sub {
918	plan tests => 1;
919
920	SKIP: {
921	skip "EC or DES isn't supported in this build", 1
922	if disabled("ec") \|\| disabled("des");
923
924	my $out = "smtst.txt";
925
926	ok(run(app(["openssl", "cms", @defaultprov, "-decrypt",
927	"-inkey", catfile($smdir, "smec3.pem"),
928	"-in", catfile($datadir, "ciphertext_from_1_1_1.cms"),
929	"-out", $out ]))
930	&& compare_text($smcont, $out) == 0,
931	"Decrypt message from OpenSSL 1.1.1");
932	}
933	};
934
935	subtest "CAdES <=> CAdES consistency tests\n" => sub {
936	plan tests => (scalar @smime_cms_cades_tests);
937
938	runner_loop(prefix => 'cms-cades', cmd1 => 'cms', cmd2 => 'cms',
939	tests => [ @smime_cms_cades_tests ]);
940	};
941
942	subtest "CAdES; cms incompatible arguments tests\n" => sub {
943	plan tests => (scalar @smime_cms_cades_invalid_option_tests);
944
945	foreach (@smime_cms_cades_invalid_option_tests) {
946	ok(!run(app(["openssl", "cms", @{$$_[0]} ] )));
947	}
948	};
949
950	subtest "CAdES ko tests\n" => sub {
951	plan tests => 2 * scalar @smime_cms_cades_ko_tests;
952
953	foreach (@smime_cms_cades_ko_tests) {
954	SKIP: {
955	my $skip_reason = check_availability($$_[0]);
956	skip $skip_reason, 1 if $skip_reason;
957	1 while unlink "cades-ko.txt";
958
959	ok(run(app(["openssl", "cms", @{$$_[1]}])), $$_[0]);
960	ok(!run(app(["openssl", "cms", @{$$_[3]}])), $$_[2]);
961	}
962	}
963	};
964
965	subtest "CMS binary input tests\n" => sub {
966	my $input = srctop_file("test", "smcont.bin");
967	my $signed = "smcont.signed";
968	my $verified = "smcont.verified";
969
970	plan tests => 11;
971
972	ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1,
973	"-binary", "-in", $input, "-out", $signed])),
974	"sign binary input with -binary");
975	ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot,
976	"-binary", "-in", $signed, "-out", $verified])),
977	"verify binary input with -binary");
978	is(compare($input, $verified), 0, "binary input retained with -binary");
979
980	ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1,
981	"-in", $input, "-out", $signed.".nobin"])),
982	"sign binary input without -binary");
983	ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot,
984	"-in", $signed.".nobin", "-out", $verified.".nobin"])),
985	"verify binary input without -binary");
986	is(compare($input, $verified.".nobin"), 1, "binary input not retained without -binary");
987	ok(!run(app(["openssl", "cms", "-verify", "-CAfile", $smroot, "-crlfeol",
988	"-binary", "-in", $signed, "-out", $verified.".crlfeol"])),
989	"verify binary input wrong crlfeol");
990
991	ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1,
992	"-crlfeol",
993	"-binary", "-in", $input, "-out", $signed.".crlf"])),
994	"sign binary input with -binary -crlfeol");
995	ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot, "-crlfeol",
996	"-binary", "-in", $signed.".crlf", "-out", $verified.".crlf"])),
997	"verify binary input with -binary -crlfeol");
998	is(compare($input, $verified.".crlf"), 0,
999	"binary input retained with -binary -crlfeol");
1000	ok(!run(app(["openssl", "cms", "-verify", "-CAfile", $smroot,
1001	"-binary", "-in", $signed.".crlf", "-out", $verified.".crlf2"])),
1002	"verify binary input with -binary missing -crlfeol");
1003	};
1004
1005	subtest "CMS signed digest, DER format" => sub {
1006	plan tests => 2;
1007
1008	# Pre-computed SHA256 digest of $smcont in hexadecimal form
1009	my $digest = "ff236ef61b396355f75a4cc6e1c306d4c309084ae271a9e2ad6888f10a101b32";
1010
1011	my $sig_file = "signature.der";
1012	ok(run(app(["openssl", "cms", @prov, "-sign", "-digest", $digest,
1013	"-outform", "DER",
1014	"-certfile", catfile($smdir, "smroot.pem"),
1015	"-signer", catfile($smdir, "smrsa1.pem"),
1016	"-out", $sig_file])),
1017	"CMS sign pre-computed digest, DER format");
1018
1019	ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
1020	"-inform", "DER",
1021	"-CAfile", catfile($smdir, "smroot.pem"),
1022	"-content", $smcont])),
1023	"Verify CMS signed digest, DER format");
1024	};
1025
1026	subtest "CMS signed digest, S/MIME format" => sub {
1027	plan tests => 2;
1028
1029	# Pre-computed SHA256 digest of $smcont in hexadecimal form
1030	my $digest = "ff236ef61b396355f75a4cc6e1c306d4c309084ae271a9e2ad6888f10a101b32";
1031
1032	my $sig_file = "signature.smime";
1033	ok(run(app(["openssl", "cms", @prov, "-sign", "-digest", $digest,
1034	"-outform", "SMIME",
1035	"-certfile", catfile($smdir, "smroot.pem"),
1036	"-signer", catfile($smdir, "smrsa1.pem"),
1037	"-out", $sig_file])),
1038	"CMS sign pre-computed digest, S/MIME format");
1039
1040	ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
1041	"-inform", "SMIME",
1042	"-CAfile", catfile($smdir, "smroot.pem"),
1043	"-content", $smcont])),
1044	"Verify CMS signed digest, S/MIME format");
1045	};
1046
1047	subtest "CMS code signing test" => sub {
1048	plan tests => 7;
1049	my $sig_file = "signature.p7s";
1050	ok(run(app(["openssl", "cms", @prov, "-sign", "-in", $smcont,
1051	"-certfile", catfile($smdir, "smroot.pem"),
1052	"-signer", catfile($smdir, "smrsa1.pem"),
1053	"-out", $sig_file])),
1054	"accept perform CMS signature with smime certificate");
1055
1056	ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
1057	"-CAfile", catfile($smdir, "smroot.pem"),
1058	"-content", $smcont])),
1059	"accept verify CMS signature with smime certificate");
1060
1061	ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
1062	"-CAfile", catfile($smdir, "smroot.pem"),
1063	"-purpose", "codesign",
1064	"-content", $smcont])),
1065	"fail verify CMS signature with smime certificate for purpose code signing");
1066
1067	ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
1068	"-CAfile", catfile($smdir, "smroot.pem"),
1069	"-purpose", "football",
1070	"-content", $smcont])),
1071	"fail verify CMS signature with invalid purpose argument");
1072
1073	ok(run(app(["openssl", "cms", @prov, "-sign", "-in", $smcont,
1074	"-certfile", catfile($smdir, "smroot.pem"),
1075	"-signer", catfile($smdir, "csrsa1.pem"),
1076	"-out", $sig_file])),
1077	"accept perform CMS signature with code signing certificate");
1078
1079	ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
1080	"-CAfile", catfile($smdir, "smroot.pem"),
1081	"-purpose", "codesign",
1082	"-content", $smcont])),
1083	"accept verify CMS signature with code signing certificate for purpose code signing");
1084
1085	ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
1086	"-CAfile", catfile($smdir, "smroot.pem"),
1087	"-content", $smcont])),
1088	"fail verify CMS signature with code signing certificate for purpose smime_sign");
1089	};
1090
1091	# Test case for missing MD algorithm (must not segfault)
1092
1093	with({ exit_checker => sub { return shift == 4; } },
1094	sub {
1095	ok(run(app(['openssl', 'smime', '-verify', '-noverify',
1096	'-inform', 'PEM',
1097	'-in', data_file("pkcs7-md4.pem"),
1098	])),
1099	"Check failure of EVP_DigestInit in PKCS7 signed is handled");
1100
1101	ok(run(app(['openssl', 'smime', '-decrypt',
1102	'-inform', 'PEM',
1103	'-in', data_file("pkcs7-md4-encrypted.pem"),
1104	'-recip', srctop_file("test", "certs", "ee-cert.pem"),
1105	'-inkey', srctop_file("test", "certs", "ee-key.pem")
1106	])),
1107	"Check failure of EVP_DigestInit in PKCS7 signedAndEnveloped is handled");
1108	});
1109
1110	sub check_availability {
1111	my $tnam = shift;
1112
1113	return "$tnam: skipped, EC disabled\n"
1114	if ($no_ec && $tnam =~ /ECDH/);
1115	return "$tnam: skipped, ECDH disabled\n"
1116	if ($no_ec && $tnam =~ /ECDH/);
1117	return "$tnam: skipped, EC2M disabled\n"
1118	if ($no_ec2m && $tnam =~ /K-283/);
1119	return "$tnam: skipped, DH disabled\n"
1120	if ($no_dh && $tnam =~ /X9\.42/);
1121	return "$tnam: skipped, RC2 disabled\n"
1122	if ($no_rc2 && $tnam =~ /RC2/);
1123	return "$tnam: skipped, DES disabled\n"
1124	if ($no_des && $tnam =~ /DES/);
1125	return "$tnam: skipped, DSA disabled\n"
1126	if ($no_dsa && $tnam =~ / DSA/);
1127
1128	return "";
1129	}
1130
1131	# Test case for the locking problem reported in #19643.
1132	# This will fail if the fix is in and deadlock on Windows (and possibly
1133	# other platforms) if not.
1134	ok(!run(app(['openssl', 'cms', '-verify',
1135	'-CAfile', srctop_file("test/certs", "pkitsta.pem"),
1136	'-policy', 'anyPolicy',
1137	'-in', srctop_file("test/smime-eml",
1138	"SignedInvalidMappingFromanyPolicyTest7.eml")
1139	])),
1140	"issue#19643");
1141
1142	# Check that we get the expected failure return code
1143	with({ exit_checker => sub { return shift == 6; } },
1144	sub {
1145	ok(run(app(['openssl', 'cms', '-encrypt',
1146	'-in', srctop_file("test", "smcont.txt"),
1147	'-aes128', '-stream', '-recip',
1148	srctop_file("test/smime-certs", "badrsa.pem"),
1149	])),
1150	"Check failure during BIO setup with -stream is handled correctly");
1151	});
1152
1153	# Test case for return value mis-check reported in #21986
1154	with({ exit_checker => sub { return shift == 3; } },
1155	sub {
1156	SKIP: {
1157	skip "DSA is not supported in this build", 1 if $no_dsa;
1158
1159	ok(run(app(['openssl', 'cms', '-sign',
1160	'-in', srctop_file("test", "smcont.txt"),
1161	'-signer', srctop_file("test/smime-certs", "smdsa1.pem"),
1162	'-md', 'SHAKE256'])),
1163	"issue#21986");
1164	}
1165	});
1166
1167	# Test for problem reported in #22225
1168	with({ exit_checker => sub { return shift == 3; } },
1169	sub {
1170	ok(run(app(['openssl', 'cms', '-encrypt',
1171	'-in', srctop_file("test", "smcont.txt"),
1172	'-aes-256-ctr', '-recip',
1173	catfile($smdir, "smec1.pem"),
1174	])),
1175	"Check for failure when cipher does not have an assigned OID (issue#22225)");
1176	});
1177
1178	# Test encrypt to three recipients, and decrypt using key-only;
1179	# i.e. do not follow the recommended practice of providing the
1180	# recipient cert in the decrypt op.
1181	#
1182	# Use RSAES-OAEP for key-transport, not RSAES-PKCS-v1_5.
1183	#
1184	# Because the cert is not provided during decrypt, all RSA ciphertexts
1185	# are decrypted in turn, and when/if there is a valid decryption, it
1186	# is assumed the correct content-key has been recovered.
1187	#
1188	# That process may fail with RSAES-PKCS-v1_5 b/c there is a
1189	# non-negligible chance that decrypting a random input using
1190	# RSAES-PKCS-v1_5 can result in a valid plaintext (so two content-keys
1191	# could be recovered and the wrong one might be used).
1192	#
1193	# See https://github.com/openssl/project/issues/380
1194	subtest "encrypt to three recipients with RSA-OAEP, key only decrypt" => sub {
1195	plan tests => 3;
1196
1197	my $pt = srctop_file("test", "smcont.txt");
1198	my $ct = "smtst.cms";
1199	my $ptpt = "smtst.txt";
1200
1201	ok(run(app(['openssl', 'cms',
1202	@defaultprov,
1203	'-encrypt', '-aes128',
1204	'-in', $pt,
1205	'-out', $ct,
1206	'-stream',
1207	'-recip', catfile($smdir, "smrsa1.pem"),
1208	'-keyopt', 'rsa_padding_mode:oaep',
1209	'-recip', catfile($smdir, "smrsa2.pem"),
1210	'-keyopt', 'rsa_padding_mode:oaep',
1211	'-recip', catfile($smdir, "smrsa3-cert.pem"),
1212	'-keyopt', 'rsa_padding_mode:oaep',
1213	])),
1214	"encrypt to three recipients with RSA-OAEP (avoid openssl/project issue#380)");
1215	ok(run(app(['openssl', 'cms',
1216	@defaultprov,
1217	'-decrypt', '-aes128',
1218	'-in', $ct,
1219	'-out', $ptpt,
1220	'-inkey', catfile($smdir, "smrsa3-key.pem"),
1221	])),
1222	"decrypt with key only");
1223	is(compare($pt, $ptpt), 0, "compare original message with decrypted ciphertext");
1224	};

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/libs/openssl-3.3.2/test/recipes/80-test_cms.t@ 108206

Download in other formats: