From 6d2523e0378edabad236bf052d465448dc387c9d Mon Sep 17 00:00:00 2001 From: Paul Yang Date: Mon, 5 Jun 2017 03:16:40 +0800 Subject: [PATCH] Add test cases for X509_check_private_key To test X509_check_private_key and relatives. Add a CSR and corresponding RSA private key to test X509_REQ_check_private_key function. Signed-off-by: Paul Yang Reviewed-by: Rich Salz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/3614) --- test/build.info | 6 +- test/certs/x509-check-key.pem | 28 ++++ test/certs/x509-check.csr | 15 +++ test/recipes/60-test_x509_check_cert_pkey.t | 39 ++++++ test/x509_check_cert_pkey_test.c | 138 ++++++++++++++++++++ 5 files changed, 225 insertions(+), 1 deletion(-) create mode 100644 test/certs/x509-check-key.pem create mode 100644 test/certs/x509-check.csr create mode 100644 test/recipes/60-test_x509_check_cert_pkey.t create mode 100644 test/x509_check_cert_pkey_test.c diff --git a/test/build.info b/test/build.info index 3dd7590957..5bb570ed5b 100644 --- a/test/build.info +++ b/test/build.info @@ -41,7 +41,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \ bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \ pkey_meth_test uitest cipherbytes_test asn1_encode_test \ - x509_time_test x509_dup_cert_test recordlentest \ + x509_time_test x509_dup_cert_test x509_check_cert_pkey_test recordlentest \ time_offset_test pemtest SOURCE[aborttest]=aborttest.c @@ -301,6 +301,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN INCLUDE[x509_dup_cert_test]=../include DEPEND[x509_dup_cert_test]=../libcrypto libtestutil.a + SOURCE[x509_check_cert_pkey_test]=x509_check_cert_pkey_test.c + INCLUDE[x509_check_cert_pkey_test]=../include + DEPEND[x509_check_cert_pkey_test]=../libcrypto libtestutil.a + SOURCE[pemtest]=pemtest.c INCLUDE[pemtest]=../include . DEPEND[pemtest]=../libcrypto libtestutil.a 
diff --git a/test/certs/x509-check-key.pem b/test/certs/x509-check-key.pem new file mode 100644 index 0000000000..20888d0437 --- /dev/null +++ b/test/certs/x509-check-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCd6jpgFiM/ZW6d +CJlEIxmKk7rH7MRL93wW32o5duTwtT1cs/y+ylfey0l5tYBzGMxjUPNeYGTBqiuz +6ueVyMvbe3wymXPp+zzoaq3if3Jycb+1gurSyiQpF6T1PLmfJDgQQT0XnI7qRwHI +5FJTvKM9mpv3iKohBseT/a8yfdk27zFYrSMZjfaqZc+0a18bHi/SgNN36Lj+vnPc +s2DzS8ymBJ10Zq6icy6xL30sHDKPOKKrD8+EJ6suUm5CpLL4N6jPOmk9Dj7XQv2Y +woX2S0Ys6dFpHuGBJ1NngBW/0Zm9oseDOxxqplPGIYa8nN7BIrTwAJEhkmKTEi9P +8APIi6DVAgMBAAECggEAMWkKnuoOWVXJiIUaP8GjykJzHP8uZH6paxa4zAYxmEd9 +TbZbjO8PE30UHmr2KA1IVoMLwynyHM68Ie2MTMepUaGPuN1e8YVVB3vpsIckLj79 +NzQheZcaPWlSihFYGz1f9WYUUYEBDrjtDAi04dKSWUI5LviqEu9mHx4vZWMPRiqP +mrtp3CH34ViJL4v4TtvEeuOvLf4mYpfWe1Il7U2eYSqcxO0lCwk7nd/JCzpPWA7C +TQZSTtp5AQ4OT7LPFZIgs/87Qi8fuEEvN+6rt07r0j6/gPOVa2xoj4a7MJYsxi9O +s1xA8Q+xjUEnjHth1MLCrmHYbJuWptIqgPTkVvB2OQKBgQDSAywBvs7PDdt+BLTc +6J4g/gOL/17ATysmhUGJ6VxrNulViLtiFeyf3p4vj/fSa2y4ZnP/hHovzfces1Bd +6YXtPGIuRNOnVdlYx2Y/OGrw0baxRAIW8D6Z4ms1n8hesGssteKZeaT4ojIPpJS1 +c1UtextX5OBLYaiFxwTb1Q6bAwKBgQDAfpbrlBN4936glc5uFmKNvFfNB8P30+Bk +DFtth5TMsCL406aUlIl4lkBrXAgUTndRai2cWYD9ffsXQmm+yx1q5kO6akeAaueq +WMo3ViZnxK8Fe4oF4M9OoaEQRcVmV5jFMKH9S268B8/x96lNh/i7M58nB5AeNDlV +AMyHW2vhRwKBgAxduXKk3KKei0UhW9ECNYV1z5mnwNmMD9tlz1Uik5mQky7BLV96 +MQO85Q2h6ZLPVoiJJ91s3JECDMIXBu1wub0daB6XWOsqh/DNVPz2An4JqztG6OSW +4ujGx09SCEdjFfx8/UnSOt+VFWOMamFA2EwkSpjjVj26E2VFMckMA58nAoGADabs +vTh7SREEgg8d3ODpjHPXJktuspzsRSw7L8F15C55zHv2TINcXJkLaJHWYNpPzA5j +vbr7Uv8kV7n2FfoB1BsQop/3AjySwZoafWI2xxVD9HeWimQvT7xW1/iaz29W/mU8 +l+JJsDw9m0OdVkpWcbBvkS0QI5RAnK650r/BHvECgYB6s9Qp5osOCdtPli7MYyD6 +mw+61DSgThUgKa7j96NG2ToYeNWTdf2Fd4Xa7s6MWryaGY+IMSRga24CM+WvaaAL +iGZLY8dfpM/yDr0pva4WF66ARajDhNx1wvOBQJpHnldX0G4gYczIsIWgUhzo4eH8 +37OzKradFq+avGmtCBeV8A== +-----END PRIVATE KEY----- 
diff --git a/test/certs/x509-check.csr b/test/certs/x509-check.csr new file mode 100644 index 0000000000..179d05a0ad --- /dev/null +++ b/test/certs/x509-check.csr @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICXzCCAUcCAQAwGjEYMBYGA1UEAwwPeDUwOS1jaGVjay10ZXN0MIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAneo6YBYjP2VunQiZRCMZipO6x+zES/d8 +Ft9qOXbk8LU9XLP8vspX3stJebWAcxjMY1DzXmBkwaors+rnlcjL23t8Mplz6fs8 +6Gqt4n9ycnG/tYLq0sokKRek9Ty5nyQ4EEE9F5yO6kcByORSU7yjPZqb94iqIQbH +k/2vMn3ZNu8xWK0jGY32qmXPtGtfGx4v0oDTd+i4/r5z3LNg80vMpgSddGauonMu +sS99LBwyjziiqw/PhCerLlJuQqSy+DeozzppPQ4+10L9mMKF9ktGLOnRaR7hgSdT +Z4AVv9GZvaLHgzscaqZTxiGGvJzewSK08ACRIZJikxIvT/ADyIug1QIDAQABoAAw +DQYJKoZIhvcNAQELBQADggEBABN+XkwFoyyN1+b5SYhUzdQFj0ZfhzNxiMXOFR/n +ww0gW7KCAhZd90aPBtQjEORzsCUX2xhllglXaojw+wOaEMaJDMDzojJelan1TEWJ +Vyvklj8OBoH25ur5Y8iWrnMivkb4hU1Mrd4QxF697FVVTniwVyUy8Xfn6D44vEII +gyCUk/jCD6MAD6/hBaexetqrbUQyVrtPewYgXrJokRDGDzFlG3jcXvl3CV2iib2X +hAbiaAJmlgZwIMeu/60YgJoIWwilG7dYq9hvcpyfQhYXa9BbOz62WRsLvT0Ewue9 +81kzAkwhfvGauPh/yjP+6K5HY09KdOtg30xtwUtT4IU5yHQ= +-----END CERTIFICATE REQUEST----- diff --git a/test/recipes/60-test_x509_check_cert_pkey.t b/test/recipes/60-test_x509_check_cert_pkey.t new file mode 100644 index 0000000000..794e71959f --- /dev/null +++ b/test/recipes/60-test_x509_check_cert_pkey.t 
@@ -0,0 +1,39 @@
+#! /usr/bin/env perl
+# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_x509_check_cert_pkey");
+
+plan tests => 6;
+
+# rsa
+ok(run(test(["x509_check_cert_pkey_test",
+ srctop_file("test", "certs", "servercert.pem"),
+ srctop_file("test", "certs", "serverkey.pem"), "cert", "ok"])));
+# mismatched rsa
+ok(run(test(["x509_check_cert_pkey_test",
+ srctop_file("test", "certs", "servercert.pem"),
+ srctop_file("test", "certs", "wrongkey.pem"), "cert", "failed"])));
+# dsa
+ok(run(test(["x509_check_cert_pkey_test",
+ srctop_file("test", "certs", "server-dsa-cert.pem"),
+ srctop_file("test", "certs", "server-dsa-key.pem"), "cert", "ok"])));
+# ecc
+ok(run(test(["x509_check_cert_pkey_test",
+ srctop_file("test", "certs", "server-ecdsa-cert.pem"),
+ srctop_file("test", "certs", "server-ecdsa-key.pem"), "cert", "ok"])));
+# certificate request (rsa)
+ok(run(test(["x509_check_cert_pkey_test",
+ srctop_file("test", "certs", "x509-check.csr"),
+ srctop_file("test", "certs", "x509-check-key.pem"), "req", "ok"])));
+# mismatched certificate request (rsa)
+ok(run(test(["x509_check_cert_pkey_test",
+ srctop_file("test", "certs", "x509-check.csr"),
+ srctop_file("test", "certs", "wrongkey.pem"), "req", "failed"])));
diff --git a/test/x509_check_cert_pkey_test.c b/test/x509_check_cert_pkey_test.c
new file mode 100644
index 0000000000..7151c172b8
--- /dev/null
+++ b/test/x509_check_cert_pkey_test.c
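Review bot: The only negative cases are the two `wrongkey.pem` runs, both labelled as RSA mismatches, so the plan never checks that a DSA or EC certificate rejects a non-matching key, or that a key of a different algorithm is rejected. The C driver accepts any 0 return as the expected failure, so a type mismatch and a value mismatch look identical here and each needs its own case. A cross-type case could reuse fixtures already referenced in this file, for example `srctop_file("test", "certs", "server-ecdsa-cert.pem"), srctop_file("test", "certs", "serverkey.pem"), "cert", "failed"`, with `plan tests => 6;` raised to match.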
@@ -0,0 +1,138 @@
+/*
+ * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include
+#include
+
+#include
+#include
+#include "testutil.h"
+
+/*
+ * c: path of a cert in PEM format
+ * k: path of a key in PEM format
+ * t: API type, "cert" for X509_ and "req" for X509_REQ_ APIs.
+ * e: expected, "ok" for success, "failed" for what should fail.
+ */
+static int test_x509_check_cert_pkey(const char *c, const char *k,
+ const char *t, const char *e)
+{
+ BIO *bio = NULL;
+ X509 *x509 = NULL;
+ X509_REQ *x509_req = NULL;
+ EVP_PKEY *pkey = NULL;
+ int ret = 0, type = 0, expected = 0, result;
+
+ /*
+ * we check them first thus if fails we don't need to do
+ * those PEM parsing operations.
+ */
+ if (strcmp(t, "cert") == 0) {
+ type = 1;
+ } else if (strcmp(t, "req") == 0) {
+ type = 2;
+ } else {
+ TEST_error("invalid 'type'");
+ goto failed;
+ }
+
+ if (strcmp(e, "ok") == 0) {
+ expected = 1;
+ } else if (strcmp(e, "failed") == 0) {
+ expected = 2;
+ } else {
+ TEST_error("invalid 'expected'");
+ goto failed;
+ }
+
+ /* process private key */
+ bio = BIO_new_file(k, "r");
+ if (bio == NULL) {
+ TEST_error("create BIO for private key failed");
+ goto failed;
+ }
+
+ pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
+ if (pkey == NULL) {
+ TEST_error("read PEM private key failed");
+ goto failed;
+ }
+
+ BIO_free(bio);
+
+ /* process cert or cert request, use the same local var */
+ bio = BIO_new_file(c, "r");
+ if (bio == NULL) {
+ TEST_error("create BIO for cert or cert req failed");
+ goto failed;
+ }
+
+ switch (type) {
+ case 1:
+ x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+ if (x509 == NULL) {
+ TEST_error("read PEM x509 failed");
+ goto failed;
+ }
+
+ result = X509_check_private_key(x509, pkey);
+ break;
+ case 2:
+ x509_req = PEM_read_bio_X509_REQ(bio, NULL, NULL, NULL);
+ if (x509_req == NULL) {
+ TEST_error("read PEM x509 req failed");
+ goto failed;
+ }
+
+ result = X509_REQ_check_private_key(x509_req, pkey);
+ break;
+ default:
+ /* should never be here */
+ break;
+ }
+
+ if (expected == 1) {
+ /* expected == 1 means we expect an "ok" */
+ if (!TEST_int_eq(result, 1)) {
+ TEST_error("check private key: expected: 1, got: %d", result);
+ goto failed;
+ }
+ } else {
+ if (!TEST_int_eq(result, 0)) {
+ TEST_error("check private key: expected: 0, got: %d", result);
+ goto failed;
+ }
+ }
+
+out:
+ if (bio)
+ BIO_free(bio);
+ if (x509)
+ X509_free(x509);
+ if (x509_req)
+ X509_REQ_free(x509_req);
+ if (pkey)
+ EVP_PKEY_free(pkey);
+ return ret;
+
+failed:
+ ret = 1;
+ goto out;
+}
+
+int test_main(int argc, char **argv)
+{
+ if (!TEST_int_eq(argc, 5)) {
+ TEST_info("usage: x509_check_cert_pkey cert.pem|cert.req"
+ " key.pem cert|req ");
+ return 1;
+ }
+
+ return test_x509_check_cert_pkey(argv[1], argv[2], argv[3], argv[4]);
+}
-- 2.25.1
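Review bot: In `test_x509_check_cert_pkey`, `result` is declared without an initializer and the `default:` arm of `switch (type)` only does `break;`, so that path would reach `TEST_int_eq(result, ...)` with an indeterminate value. The earlier `strcmp` checks make the arm unreachable today, but it should fail closed rather than rely on that: replace the `break;` with `TEST_error("unexpected type %d", type); goto failed;`, or initialize `result = -1`. It would also help to extend the comment above the function with one line such as `/* "ok" only means the key's public components match the cert/req; it does not validate the private key itself. */`, since that is how these check functions are documented to behave. The `if (bio)`-style guards in the `out:` block are redundant, because these free functions accept NULL.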