To test X509_check_private_key and relatives.
Add a CSR and corresponding RSA private key to test
X509_REQ_check_private_key function.
Signed-off-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3614)
ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \
bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \
pkey_meth_test uitest cipherbytes_test asn1_encode_test \
- x509_time_test x509_dup_cert_test recordlentest \
+ x509_time_test x509_dup_cert_test x509_check_cert_pkey_test recordlentest \
time_offset_test pemtest
SOURCE[aborttest]=aborttest.c
INCLUDE[x509_dup_cert_test]=../include
DEPEND[x509_dup_cert_test]=../libcrypto libtestutil.a
+ SOURCE[x509_check_cert_pkey_test]=x509_check_cert_pkey_test.c
+ INCLUDE[x509_check_cert_pkey_test]=../include
+ DEPEND[x509_check_cert_pkey_test]=../libcrypto libtestutil.a
+
SOURCE[pemtest]=pemtest.c
INCLUDE[pemtest]=../include .
DEPEND[pemtest]=../libcrypto libtestutil.a
--- /dev/null
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCd6jpgFiM/ZW6d
+CJlEIxmKk7rH7MRL93wW32o5duTwtT1cs/y+ylfey0l5tYBzGMxjUPNeYGTBqiuz
+6ueVyMvbe3wymXPp+zzoaq3if3Jycb+1gurSyiQpF6T1PLmfJDgQQT0XnI7qRwHI
+5FJTvKM9mpv3iKohBseT/a8yfdk27zFYrSMZjfaqZc+0a18bHi/SgNN36Lj+vnPc
+s2DzS8ymBJ10Zq6icy6xL30sHDKPOKKrD8+EJ6suUm5CpLL4N6jPOmk9Dj7XQv2Y
+woX2S0Ys6dFpHuGBJ1NngBW/0Zm9oseDOxxqplPGIYa8nN7BIrTwAJEhkmKTEi9P
+8APIi6DVAgMBAAECggEAMWkKnuoOWVXJiIUaP8GjykJzHP8uZH6paxa4zAYxmEd9
+TbZbjO8PE30UHmr2KA1IVoMLwynyHM68Ie2MTMepUaGPuN1e8YVVB3vpsIckLj79
+NzQheZcaPWlSihFYGz1f9WYUUYEBDrjtDAi04dKSWUI5LviqEu9mHx4vZWMPRiqP
+mrtp3CH34ViJL4v4TtvEeuOvLf4mYpfWe1Il7U2eYSqcxO0lCwk7nd/JCzpPWA7C
+TQZSTtp5AQ4OT7LPFZIgs/87Qi8fuEEvN+6rt07r0j6/gPOVa2xoj4a7MJYsxi9O
+s1xA8Q+xjUEnjHth1MLCrmHYbJuWptIqgPTkVvB2OQKBgQDSAywBvs7PDdt+BLTc
+6J4g/gOL/17ATysmhUGJ6VxrNulViLtiFeyf3p4vj/fSa2y4ZnP/hHovzfces1Bd
+6YXtPGIuRNOnVdlYx2Y/OGrw0baxRAIW8D6Z4ms1n8hesGssteKZeaT4ojIPpJS1
+c1UtextX5OBLYaiFxwTb1Q6bAwKBgQDAfpbrlBN4936glc5uFmKNvFfNB8P30+Bk
+DFtth5TMsCL406aUlIl4lkBrXAgUTndRai2cWYD9ffsXQmm+yx1q5kO6akeAaueq
+WMo3ViZnxK8Fe4oF4M9OoaEQRcVmV5jFMKH9S268B8/x96lNh/i7M58nB5AeNDlV
+AMyHW2vhRwKBgAxduXKk3KKei0UhW9ECNYV1z5mnwNmMD9tlz1Uik5mQky7BLV96
+MQO85Q2h6ZLPVoiJJ91s3JECDMIXBu1wub0daB6XWOsqh/DNVPz2An4JqztG6OSW
+4ujGx09SCEdjFfx8/UnSOt+VFWOMamFA2EwkSpjjVj26E2VFMckMA58nAoGADabs
+vTh7SREEgg8d3ODpjHPXJktuspzsRSw7L8F15C55zHv2TINcXJkLaJHWYNpPzA5j
+vbr7Uv8kV7n2FfoB1BsQop/3AjySwZoafWI2xxVD9HeWimQvT7xW1/iaz29W/mU8
+l+JJsDw9m0OdVkpWcbBvkS0QI5RAnK650r/BHvECgYB6s9Qp5osOCdtPli7MYyD6
+mw+61DSgThUgKa7j96NG2ToYeNWTdf2Fd4Xa7s6MWryaGY+IMSRga24CM+WvaaAL
+iGZLY8dfpM/yDr0pva4WF66ARajDhNx1wvOBQJpHnldX0G4gYczIsIWgUhzo4eH8
+37OzKradFq+avGmtCBeV8A==
+-----END PRIVATE KEY-----
--- /dev/null
+-----BEGIN CERTIFICATE REQUEST-----
+MIICXzCCAUcCAQAwGjEYMBYGA1UEAwwPeDUwOS1jaGVjay10ZXN0MIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAneo6YBYjP2VunQiZRCMZipO6x+zES/d8
+Ft9qOXbk8LU9XLP8vspX3stJebWAcxjMY1DzXmBkwaors+rnlcjL23t8Mplz6fs8
+6Gqt4n9ycnG/tYLq0sokKRek9Ty5nyQ4EEE9F5yO6kcByORSU7yjPZqb94iqIQbH
+k/2vMn3ZNu8xWK0jGY32qmXPtGtfGx4v0oDTd+i4/r5z3LNg80vMpgSddGauonMu
+sS99LBwyjziiqw/PhCerLlJuQqSy+DeozzppPQ4+10L9mMKF9ktGLOnRaR7hgSdT
+Z4AVv9GZvaLHgzscaqZTxiGGvJzewSK08ACRIZJikxIvT/ADyIug1QIDAQABoAAw
+DQYJKoZIhvcNAQELBQADggEBABN+XkwFoyyN1+b5SYhUzdQFj0ZfhzNxiMXOFR/n
+ww0gW7KCAhZd90aPBtQjEORzsCUX2xhllglXaojw+wOaEMaJDMDzojJelan1TEWJ
+Vyvklj8OBoH25ur5Y8iWrnMivkb4hU1Mrd4QxF697FVVTniwVyUy8Xfn6D44vEII
+gyCUk/jCD6MAD6/hBaexetqrbUQyVrtPewYgXrJokRDGDzFlG3jcXvl3CV2iib2X
+hAbiaAJmlgZwIMeu/60YgJoIWwilG7dYq9hvcpyfQhYXa9BbOz62WRsLvT0Ewue9
+81kzAkwhfvGauPh/yjP+6K5HY09KdOtg30xtwUtT4IU5yHQ=
+-----END CERTIFICATE REQUEST-----
--- /dev/null
+#! /usr/bin/env perl
+# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_x509_check_cert_pkey");
+
+plan tests => 6;
+
+# rsa
+ok(run(test(["x509_check_cert_pkey_test",
+ srctop_file("test", "certs", "servercert.pem"),
+ srctop_file("test", "certs", "serverkey.pem"), "cert", "ok"])));
+# mismatched rsa
+ok(run(test(["x509_check_cert_pkey_test",
+ srctop_file("test", "certs", "servercert.pem"),
+ srctop_file("test", "certs", "wrongkey.pem"), "cert", "failed"])));
+# dsa
+ok(run(test(["x509_check_cert_pkey_test",
+ srctop_file("test", "certs", "server-dsa-cert.pem"),
+ srctop_file("test", "certs", "server-dsa-key.pem"), "cert", "ok"])));
+# ecc
+ok(run(test(["x509_check_cert_pkey_test",
+ srctop_file("test", "certs", "server-ecdsa-cert.pem"),
+ srctop_file("test", "certs", "server-ecdsa-key.pem"), "cert", "ok"])));
+# certificate request (rsa)
+ok(run(test(["x509_check_cert_pkey_test",
+ srctop_file("test", "certs", "x509-check.csr"),
+ srctop_file("test", "certs", "x509-check-key.pem"), "req", "ok"])));
+# mismatched certificate request (rsa)
+ok(run(test(["x509_check_cert_pkey_test",
+ srctop_file("test", "certs", "x509-check.csr"),
+ srctop_file("test", "certs", "wrongkey.pem"), "req", "failed"])));
--- /dev/null
+/*
+ * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+#include "testutil.h"
+
+/*
+ * c: path of a cert in PEM format
+ * k: path of a key in PEM format
+ * t: API type, "cert" for X509_ and "req" for X509_REQ_ APIs.
+ * e: expected, "ok" for success, "failed" for what should fail.
+ */
+static int test_x509_check_cert_pkey(const char *c, const char *k,
+ const char *t, const char *e)
+{
+ BIO *bio = NULL;
+ X509 *x509 = NULL;
+ X509_REQ *x509_req = NULL;
+ EVP_PKEY *pkey = NULL;
+ int ret = 0, type = 0, expected = 0, result;
+
+ /*
+ * we check them first thus if fails we don't need to do
+ * those PEM parsing operations.
+ */
+ if (strcmp(t, "cert") == 0) {
+ type = 1;
+ } else if (strcmp(t, "req") == 0) {
+ type = 2;
+ } else {
+ TEST_error("invalid 'type'");
+ goto failed;
+ }
+
+ if (strcmp(e, "ok") == 0) {
+ expected = 1;
+ } else if (strcmp(e, "failed") == 0) {
+ expected = 2;
+ } else {
+ TEST_error("invalid 'expected'");
+ goto failed;
+ }
+
+ /* process private key */
+ bio = BIO_new_file(k, "r");
+ if (bio == NULL) {
+ TEST_error("create BIO for private key failed");
+ goto failed;
+ }
+
+ pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
+ if (pkey == NULL) {
+ TEST_error("read PEM private key failed");
+ goto failed;
+ }
+
+ BIO_free(bio);
+
+ /* process cert or cert request, use the same local var */
+ bio = BIO_new_file(c, "r");
+ if (bio == NULL) {
+ TEST_error("create BIO for cert or cert req failed");
+ goto failed;
+ }
+
+ switch (type) {
+ case 1:
+ x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+ if (x509 == NULL) {
+ TEST_error("read PEM x509 failed");
+ goto failed;
+ }
+
+ result = X509_check_private_key(x509, pkey);
+ break;
+ case 2:
+ x509_req = PEM_read_bio_X509_REQ(bio, NULL, NULL, NULL);
+ if (x509_req == NULL) {
+ TEST_error("read PEM x509 req failed");
+ goto failed;
+ }
+
+ result = X509_REQ_check_private_key(x509_req, pkey);
+ break;
+ default:
+ /* should never be here */
+ break;
+ }
+
+ if (expected == 1) {
+ /* expected == 1 means we expect an "ok" */
+ if (!TEST_int_eq(result, 1)) {
+ TEST_error("check private key: expected: 1, got: %d", result);
+ goto failed;
+ }
+ } else {
+ if (!TEST_int_eq(result, 0)) {
+ TEST_error("check private key: expected: 0, got: %d", result);
+ goto failed;
+ }
+ }
+
+out:
+ if (bio)
+ BIO_free(bio);
+ if (x509)
+ X509_free(x509);
+ if (x509_req)
+ X509_REQ_free(x509_req);
+ if (pkey)
+ EVP_PKEY_free(pkey);
+ return ret;
+
+failed:
+ ret = 1;
+ goto out;
+}
+
+int test_main(int argc, char **argv)
+{
+ if (!TEST_int_eq(argc, 5)) {
+ TEST_info("usage: x509_check_cert_pkey cert.pem|cert.req"
+ " key.pem cert|req <expected>");
+ return 1;
+ }
+
+ return test_x509_check_cert_pkey(argv[1], argv[2], argv[3], argv[4]);
+}