diff options
Diffstat (limited to 'deps/openssl/openssl/test/recipes/90-test_store.t')
-rw-r--r-- | deps/openssl/openssl/test/recipes/90-test_store.t | 494 |
1 files changed, 494 insertions, 0 deletions
diff --git a/deps/openssl/openssl/test/recipes/90-test_store.t b/deps/openssl/openssl/test/recipes/90-test_store.t new file mode 100644 index 0000000000..888213e4a6 --- /dev/null +++ b/deps/openssl/openssl/test/recipes/90-test_store.t @@ -0,0 +1,494 @@ +#! /usr/bin/env perl +# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use File::Spec::Functions; +use File::Copy; +use MIME::Base64; +use OpenSSL::Test qw(:DEFAULT srctop_file srctop_dir bldtop_file data_file); +use OpenSSL::Test::Utils; + +my $test_name = "test_store"; +setup($test_name); + +my $mingw = config('target') =~ m|^mingw|; + +my @noexist_files = + ( "test/blahdiblah.pem", + "test/blahdibleh.der" ); +my @src_files = + ( "test/testx509.pem", + "test/testrsa.pem", + "test/testrsapub.pem", + "test/testcrl.pem", + "apps/server.pem" ); +my @generated_files = + ( + ### generated from the source files + + "testx509.der", + "testrsa.der", + "testrsapub.der", + "testcrl.der", + + ### generated locally + + "rsa-key-pkcs1.pem", "rsa-key-pkcs1.der", + "rsa-key-pkcs1-aes128.pem", + "rsa-key-pkcs8.pem", "rsa-key-pkcs8.der", + "rsa-key-pkcs8-pbes1-sha1-3des.pem", "rsa-key-pkcs8-pbes1-sha1-3des.der", + "rsa-key-pkcs8-pbes2-sha1.pem", "rsa-key-pkcs8-pbes2-sha1.der", + "rsa-key-sha1-3des-sha1.p12", "rsa-key-sha1-3des-sha256.p12", + "rsa-key-aes256-cbc-sha256.p12", + "rsa-key-md5-des-sha1.p12", + "rsa-key-aes256-cbc-md5-des-sha256.p12", + "rsa-key-pkcs8-pbes2-sha256.pem", "rsa-key-pkcs8-pbes2-sha256.der", + "rsa-key-pkcs8-pbes1-md5-des.pem", "rsa-key-pkcs8-pbes1-md5-des.der", + "dsa-key-pkcs1.pem", "dsa-key-pkcs1.der", + "dsa-key-pkcs1-aes128.pem", + "dsa-key-pkcs8.pem", "dsa-key-pkcs8.der", + "dsa-key-pkcs8-pbes2-sha1.pem", "dsa-key-pkcs8-pbes2-sha1.der", + "dsa-key-aes256-cbc-sha256.p12", + "ec-key-pkcs1.pem", "ec-key-pkcs1.der", + "ec-key-pkcs1-aes128.pem", + "ec-key-pkcs8.pem", "ec-key-pkcs8.der", + "ec-key-pkcs8-pbes2-sha1.pem", "ec-key-pkcs8-pbes2-sha1.der", + "ec-key-aes256-cbc-sha256.p12", + ); +my %generated_file_files = + $^O eq 'linux' + ? ( "test/testx509.pem" => "file:testx509.pem", + "test/testrsa.pem" => "file:testrsa.pem", + "test/testrsapub.pem" => "file:testrsapub.pem", + "test/testcrl.pem" => "file:testcrl.pem", + "apps/server.pem" => "file:server.pem" ) + : (); +my @noexist_file_files = + ( "file:blahdiblah.pem", + "file:test/blahdibleh.der" ); + +my $n = (3 * scalar @noexist_files) + + (6 * scalar @src_files) + + (4 * scalar @generated_files) + + (scalar keys %generated_file_files) + + (scalar @noexist_file_files) + + 3 + + 11; + +plan tests => $n; + +indir "store_$$" => sub { + SKIP: + { + skip "failed initialisation", $n unless init(); + + my $rehash = init_rehash(); + + foreach (@noexist_files) { + my $file = srctop_file($_); + + ok(!run(app(["openssl", "storeutl", "-noout", $file]))); + ok(!run(app(["openssl", "storeutl", "-noout", + to_abs_file($file)]))); + { + local $ENV{MSYS2_ARG_CONV_EXCL} = "file:"; + + ok(!run(app(["openssl", "storeutl", "-noout", + to_abs_file_uri($file)]))); + } + } + foreach (@src_files) { + my $file = srctop_file($_); + + ok(run(app(["openssl", "storeutl", "-noout", $file]))); + ok(run(app(["openssl", "storeutl", "-noout", to_abs_file($file)]))); + SKIP: + { + skip "file: tests disabled on MingW", 4 if $mingw; + + ok(run(app(["openssl", "storeutl", "-noout", + to_abs_file_uri($file)]))); + ok(run(app(["openssl", "storeutl", "-noout", + to_abs_file_uri($file, 0, "")]))); + ok(run(app(["openssl", "storeutl", "-noout", + to_abs_file_uri($file, 0, "localhost")]))); + ok(!run(app(["openssl", "storeutl", "-noout", + to_abs_file_uri($file, 0, "dummy")]))); + } + } + foreach (@generated_files) { + ok(run(app(["openssl", "storeutl", "-noout", "-passin", + "pass:password", $_]))); + ok(run(app(["openssl", "storeutl", "-noout", "-passin", + "pass:password", to_abs_file($_)]))); + + SKIP: + { + skip "file: tests disabled on MingW", 2 if $mingw; + + ok(run(app(["openssl", "storeutl", "-noout", "-passin", + "pass:password", to_abs_file_uri($_)]))); + ok(!run(app(["openssl", "storeutl", "-noout", "-passin", + "pass:password", to_file_uri($_)]))); + } + } + foreach (values %generated_file_files) { + SKIP: + { + skip "file: tests disabled on MingW", 1 if $mingw; + + ok(run(app(["openssl", "storeutl", "-noout", $_]))); + } + } + foreach (@noexist_file_files) { + SKIP: + { + skip "file: tests disabled on MingW", 1 if $mingw; + + ok(!run(app(["openssl", "storeutl", "-noout", $_]))); + } + } + { + my $dir = srctop_dir("test", "certs"); + + ok(run(app(["openssl", "storeutl", "-noout", $dir]))); + ok(run(app(["openssl", "storeutl", "-noout", + to_abs_file($dir, 1)]))); + SKIP: + { + skip "file: tests disabled on MingW", 1 if $mingw; + + ok(run(app(["openssl", "storeutl", "-noout", + to_abs_file_uri($dir, 1)]))); + } + } + + ok(!run(app(['openssl', 'storeutl', '-noout', + '-subject', '/C=AU/ST=QLD/CN=SSLeay\/rsa test cert', + srctop_file('test', 'testx509.pem')])), + "Checking that -subject can't be used with a single file"); + + ok(run(app(['openssl', 'storeutl', '-certs', '-noout', + srctop_file('test', 'testx509.pem')])), + "Checking that -certs returns 1 object on a certificate file"); + ok(run(app(['openssl', 'storeutl', '-certs', '-noout', + srctop_file('test', 'testcrl.pem')])), + "Checking that -certs returns 0 objects on a CRL file"); + + ok(run(app(['openssl', 'storeutl', '-crls', '-noout', + srctop_file('test', 'testx509.pem')])), + "Checking that -crls returns 0 objects on a certificate file"); + ok(run(app(['openssl', 'storeutl', '-crls', '-noout', + srctop_file('test', 'testcrl.pem')])), + "Checking that -crls returns 1 object on a CRL file"); + + SKIP: { + skip "failed rehash initialisation", 6 unless $rehash; + + # subject from testx509.pem: + # '/C=AU/ST=QLD/CN=SSLeay\/rsa test cert' + # issuer from testcrl.pem: + # '/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority' + ok(run(app(['openssl', 'storeutl', '-noout', + '-subject', '/C=AU/ST=QLD/CN=SSLeay\/rsa test cert', + catdir(curdir(), 'rehash')]))); + ok(run(app(['openssl', 'storeutl', '-noout', + '-subject', + '/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority', + catdir(curdir(), 'rehash')]))); + ok(run(app(['openssl', 'storeutl', '-noout', '-certs', + '-subject', '/C=AU/ST=QLD/CN=SSLeay\/rsa test cert', + catdir(curdir(), 'rehash')]))); + ok(run(app(['openssl', 'storeutl', '-noout', '-crls', + '-subject', '/C=AU/ST=QLD/CN=SSLeay\/rsa test cert', + catdir(curdir(), 'rehash')]))); + ok(run(app(['openssl', 'storeutl', '-noout', '-certs', + '-subject', + '/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority', + catdir(curdir(), 'rehash')]))); + ok(run(app(['openssl', 'storeutl', '-noout', '-crls', + '-subject', + '/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority', + catdir(curdir(), 'rehash')]))); + } + } +}, create => 1, cleanup => 1; + +sub init { + return ( + # rsa-key-pkcs1.pem + run(app(["openssl", "genrsa", + "-out", "rsa-key-pkcs1.pem", "2432"])) + # dsa-key-pkcs1.pem + && run(app(["openssl", "dsaparam", "-genkey", + "-out", "dsa-key-pkcs1.pem", "1024"])) + # ec-key-pkcs1.pem (one might think that 'genec' would be practical) + && run(app(["openssl", "ecparam", "-genkey", "-name", "prime256v1", + "-out", "ec-key-pkcs1.pem"])) + # rsa-key-pkcs1-aes128.pem + && run(app(["openssl", "rsa", "-passout", "pass:password", "-aes128", + "-in", "rsa-key-pkcs1.pem", + "-out", "rsa-key-pkcs1-aes128.pem"])) + # dsa-key-pkcs1-aes128.pem + && run(app(["openssl", "dsa", "-passout", "pass:password", "-aes128", + "-in", "dsa-key-pkcs1.pem", + "-out", "dsa-key-pkcs1-aes128.pem"])) + # ec-key-pkcs1-aes128.pem + && run(app(["openssl", "ec", "-passout", "pass:password", "-aes128", + "-in", "ec-key-pkcs1.pem", + "-out", "ec-key-pkcs1-aes128.pem"])) + # *-key-pkcs8.pem + && runall(sub { + my $dstfile = shift; + (my $srcfile = $dstfile) + =~ s/-key-pkcs8\.pem$/-key-pkcs1.pem/i; + run(app(["openssl", "pkcs8", "-topk8", "-nocrypt", + "-in", $srcfile, "-out", $dstfile])); + }, grep(/-key-pkcs8\.pem$/, @generated_files)) + # *-key-pkcs8-pbes1-sha1-3des.pem + && runall(sub { + my $dstfile = shift; + (my $srcfile = $dstfile) + =~ s/-key-pkcs8-pbes1-sha1-3des\.pem$ + /-key-pkcs8.pem/ix; + run(app(["openssl", "pkcs8", "-topk8", + "-passout", "pass:password", + "-v1", "pbeWithSHA1And3-KeyTripleDES-CBC", + "-in", $srcfile, "-out", $dstfile])); + }, grep(/-key-pkcs8-pbes1-sha1-3des\.pem$/, @generated_files)) + # *-key-pkcs8-pbes1-md5-des.pem + && runall(sub { + my $dstfile = shift; + (my $srcfile = $dstfile) + =~ s/-key-pkcs8-pbes1-md5-des\.pem$ + /-key-pkcs8.pem/ix; + run(app(["openssl", "pkcs8", "-topk8", + "-passout", "pass:password", + "-v1", "pbeWithSHA1And3-KeyTripleDES-CBC", + "-in", $srcfile, "-out", $dstfile])); + }, grep(/-key-pkcs8-pbes1-md5-des\.pem$/, @generated_files)) + # *-key-pkcs8-pbes2-sha1.pem + && runall(sub { + my $dstfile = shift; + (my $srcfile = $dstfile) + =~ s/-key-pkcs8-pbes2-sha1\.pem$ + /-key-pkcs8.pem/ix; + run(app(["openssl", "pkcs8", "-topk8", + "-passout", "pass:password", + "-v2", "aes256", "-v2prf", "hmacWithSHA1", + "-in", $srcfile, "-out", $dstfile])); + }, grep(/-key-pkcs8-pbes2-sha1\.pem$/, @generated_files)) + # *-key-pkcs8-pbes2-sha1.pem + && runall(sub { + my $dstfile = shift; + (my $srcfile = $dstfile) + =~ s/-key-pkcs8-pbes2-sha256\.pem$ + /-key-pkcs8.pem/ix; + run(app(["openssl", "pkcs8", "-topk8", + "-passout", "pass:password", + "-v2", "aes256", "-v2prf", "hmacWithSHA256", + "-in", $srcfile, "-out", $dstfile])); + }, grep(/-key-pkcs8-pbes2-sha256\.pem$/, @generated_files)) + # *-cert.pem (intermediary for the .p12 inits) + && run(app(["openssl", "req", "-x509", + "-config", data_file("ca.cnf"), "-nodes", + "-out", "cacert.pem", "-keyout", "cakey.pem"])) + && runall(sub { + my $srckey = shift; + (my $dstfile = $srckey) =~ s|-key-pkcs8\.|-cert.|; + (my $csr = $dstfile) =~ s|\.pem|.csr|; + + (run(app(["openssl", "req", "-new", + "-config", data_file("user.cnf"), + "-key", $srckey, "-out", $csr])) + && + run(app(["openssl", "x509", "-days", "3650", + "-CA", "cacert.pem", + "-CAkey", "cakey.pem", + "-set_serial", time(), "-req", + "-in", $csr, "-out", $dstfile]))); + }, grep(/-key-pkcs8\.pem$/, @generated_files)) + # *.p12 + && runall(sub { + my $dstfile = shift; + my ($type, $certpbe_index, $keypbe_index, + $macalg_index) = + $dstfile =~ m{^(.*)-key-(?| + # cert and key PBE are same + () # + ([^-]*-[^-]*)- # key & cert PBE + ([^-]*) # MACalg + | + # cert and key PBE are not same + ([^-]*-[^-]*)- # cert PBE + ([^-]*-[^-]*)- # key PBE + ([^-]*) # MACalg + )\.}x; + if (!$certpbe_index) { + $certpbe_index = $keypbe_index; + } + my $srckey = "$type-key-pkcs8.pem"; + my $srccert = "$type-cert.pem"; + my %pbes = + ( + "sha1-3des" => "pbeWithSHA1And3-KeyTripleDES-CBC", + "md5-des" => "pbeWithMD5AndDES-CBC", + "aes256-cbc" => "AES-256-CBC", + ); + my %macalgs = + ( + "sha1" => "SHA1", + "sha256" => "SHA256", + ); + my $certpbe = $pbes{$certpbe_index}; + my $keypbe = $pbes{$keypbe_index}; + my $macalg = $macalgs{$macalg_index}; + if (!defined($certpbe) || !defined($keypbe) + || !defined($macalg)) { + print STDERR "Cert PBE for $pbe_index not defined\n" + unless defined $certpbe; + print STDERR "Key PBE for $pbe_index not defined\n" + unless defined $keypbe; + print STDERR "MACALG for $macalg_index not defined\n" + unless defined $macalg; + print STDERR "(destination file was $dstfile)\n"; + return 0; + } + run(app(["openssl", "pkcs12", "-inkey", $srckey, + "-in", $srccert, "-passout", "pass:password", + "-export", "-macalg", $macalg, + "-certpbe", $certpbe, "-keypbe", $keypbe, + "-out", $dstfile])); + }, grep(/\.p12/, @generated_files)) + # *.der (the end all init) + && runall(sub { + my $dstfile = shift; + (my $srcfile = $dstfile) =~ s/\.der$/.pem/i; + if (! -f $srcfile) { + $srcfile = srctop_file("test", $srcfile); + } + my $infh; + unless (open $infh, $srcfile) { + return 0; + } + my $l; + while (($l = <$infh>) !~ /^-----BEGIN\s/ + || $l =~ /^-----BEGIN.*PARAMETERS-----/) { + } + my $b64 = ""; + while (($l = <$infh>) !~ /^-----END\s/) { + $l =~ s|\R$||; + $b64 .= $l unless $l =~ /:/; + } + close $infh; + my $der = decode_base64($b64); + unless (length($b64) / 4 * 3 - length($der) < 3) { + print STDERR "Length error, ",length($b64), + " bytes of base64 became ",length($der), + " bytes of der? ($srcfile => $dstfile)\n"; + return 0; + } + my $outfh; + unless (open $outfh, ">:raw", $dstfile) { + return 0; + } + print $outfh $der; + close $outfh; + return 1; + }, grep(/\.der$/, @generated_files)) + && runall(sub { + my $srcfile = shift; + my $dstfile = $generated_file_files{$srcfile}; + + unless (copy srctop_file($srcfile), $dstfile) { + warn "$!\n"; + return 0; + } + return 1; + }, keys %generated_file_files) + ); +} + +sub init_rehash { + return ( + mkdir(catdir(curdir(), 'rehash')) + && copy(srctop_file('test', 'testx509.pem'), + catdir(curdir(), 'rehash')) + && copy(srctop_file('test', 'testcrl.pem'), + catdir(curdir(), 'rehash')) + && run(app(['openssl', 'rehash', catdir(curdir(), 'rehash')])) + ); +} + +sub runall { + my ($function, @items) = @_; + + foreach (@items) { + return 0 unless $function->($_); + } + return 1; +} + +# According to RFC8089, a relative file: path is invalid. We still produce +# them for testing purposes. +sub to_file_uri { + my ($file, $isdir, $authority) = @_; + my $vol; + my $dir; + + die "to_file_uri: No file given\n" if !defined($file) || $file eq ''; + + ($vol, $dir, $file) = File::Spec->splitpath($file, $isdir // 0); + + # Make sure we have a Unix style directory. + $dir = join('/', File::Spec->splitdir($dir)); + # Canonicalise it (note: it seems to be only needed on Unix) + while (1) { + my $newdir = $dir; + $newdir =~ s|/[^/]*[^/\.]+[^/]*/\.\./|/|g; + last if $newdir eq $dir; + $dir = $newdir; + } + # Take care of the corner cases the loop can't handle, and that $dir + # ends with a / unless it's empty + $dir =~ s|/[^/]*[^/\.]+[^/]*/\.\.$|/|; + $dir =~ s|^[^/]*[^/\.]+[^/]*/\.\./|/|; + $dir =~ s|^[^/]*[^/\.]+[^/]*/\.\.$||; + if ($isdir // 0) { + $dir =~ s|/$|| if $dir ne '/'; + } else { + $dir .= '/' if $dir ne '' && $dir !~ m|/$|; + } + + # If the file system has separate volumes (at present, Windows and VMS) + # we need to handle them. In URIs, they are invariably the first + # component of the path, which is always absolute. + # On VMS, user:[foo.bar] translates to /user/foo/bar + # On Windows, c:\Users\Foo translates to /c:/Users/Foo + if ($vol ne '') { + $vol =~ s|:||g if ($^O eq "VMS"); + $dir = '/' . $dir if $dir ne '' && $dir !~ m|^/|; + $dir = '/' . $vol . $dir; + } + $file = $dir . $file; + + return "file://$authority$file" if defined $authority; + return "file:$file"; +} + +sub to_abs_file { + my ($file) = @_; + + return File::Spec->rel2abs($file); +} + +sub to_abs_file_uri { + my ($file, $isdir, $authority) = @_; + + die "to_abs_file_uri: No file given\n" if !defined($file) || $file eq ''; + return to_file_uri(to_abs_file($file), $isdir, $authority); +} |