provider_pkey_test.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446
  1. /*
  2. * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stddef.h>
  10. #include <string.h>
  11. #include <openssl/provider.h>
  12. #include <openssl/params.h>
  13. #include <openssl/core_names.h>
  14. #include <openssl/evp.h>
  15. #include <openssl/store.h>
  16. #include <openssl/ui.h>
  17. #include "testutil.h"
  18. #include "fake_rsaprov.h"
  19. static OSSL_LIB_CTX *libctx = NULL;
  20. extern int key_deleted; /* From fake_rsaprov.c */
  21. /* Fetch SIGNATURE method using a libctx and propq */
  22. static int fetch_sig(OSSL_LIB_CTX *ctx, const char *alg, const char *propq,
  23. OSSL_PROVIDER *expected_prov)
  24. {
  25. OSSL_PROVIDER *prov;
  26. EVP_SIGNATURE *sig = EVP_SIGNATURE_fetch(ctx, "RSA", propq);
  27. int ret = 0;
  28. if (!TEST_ptr(sig))
  29. return 0;
  30. if (!TEST_ptr(prov = EVP_SIGNATURE_get0_provider(sig)))
  31. goto end;
  32. if (!TEST_ptr_eq(prov, expected_prov)) {
  33. TEST_info("Fetched provider: %s, Expected provider: %s",
  34. OSSL_PROVIDER_get0_name(prov),
  35. OSSL_PROVIDER_get0_name(expected_prov));
  36. goto end;
  37. }
  38. ret = 1;
  39. end:
  40. EVP_SIGNATURE_free(sig);
  41. return ret;
  42. }
  43. static int test_pkey_sig(void)
  44. {
  45. OSSL_PROVIDER *deflt = NULL;
  46. OSSL_PROVIDER *fake_rsa = NULL;
  47. int i, ret = 0;
  48. EVP_PKEY *pkey = NULL;
  49. EVP_PKEY_CTX *ctx = NULL;
  50. if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx)))
  51. return 0;
  52. if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default")))
  53. goto end;
  54. /* Do a direct fetch to see it works */
  55. if (!TEST_true(fetch_sig(libctx, "RSA", "provider=fake-rsa", fake_rsa))
  56. || !TEST_true(fetch_sig(libctx, "RSA", "?provider=fake-rsa", fake_rsa)))
  57. goto end;
  58. /* Construct a pkey using precise propq to use our provider */
  59. if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
  60. "provider=fake-rsa"))
  61. || !TEST_true(EVP_PKEY_fromdata_init(ctx))
  62. || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, NULL))
  63. || !TEST_ptr(pkey))
  64. goto end;
  65. EVP_PKEY_CTX_free(ctx);
  66. ctx = NULL;
  67. /* try exercising signature_init ops a few times */
  68. for (i = 0; i < 3; i++) {
  69. size_t siglen;
  70. /*
  71. * Create a signing context for our pkey with optional propq.
  72. * The sign init should pick both keymgmt and signature from
  73. * fake-rsa as the key is not exportable.
  74. */
  75. if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey,
  76. "?provider=default")))
  77. goto end;
  78. /*
  79. * If this picks the wrong signature without realizing it
  80. * we can get a segfault or some internal error. At least watch
  81. * whether fake-rsa sign_init is exercised by calling sign.
  82. */
  83. if (!TEST_int_eq(EVP_PKEY_sign_init(ctx), 1))
  84. goto end;
  85. if (!TEST_int_eq(EVP_PKEY_sign(ctx, NULL, &siglen, NULL, 0), 1)
  86. || !TEST_size_t_eq(siglen, 256))
  87. goto end;
  88. EVP_PKEY_CTX_free(ctx);
  89. ctx = NULL;
  90. }
  91. ret = 1;
  92. end:
  93. fake_rsa_finish(fake_rsa);
  94. OSSL_PROVIDER_unload(deflt);
  95. EVP_PKEY_CTX_free(ctx);
  96. EVP_PKEY_free(pkey);
  97. return ret;
  98. }
  99. static int test_alternative_keygen_init(void)
  100. {
  101. EVP_PKEY_CTX *ctx = NULL;
  102. OSSL_PROVIDER *deflt = NULL;
  103. OSSL_PROVIDER *fake_rsa = NULL;
  104. const OSSL_PROVIDER *provider;
  105. const char *provname;
  106. int ret = 0;
  107. if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default")))
  108. goto end;
  109. /* first try without the fake RSA provider loaded */
  110. if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", NULL)))
  111. goto end;
  112. if (!TEST_int_gt(EVP_PKEY_keygen_init(ctx), 0))
  113. goto end;
  114. if (!TEST_ptr(provider = EVP_PKEY_CTX_get0_provider(ctx)))
  115. goto end;
  116. if (!TEST_ptr(provname = OSSL_PROVIDER_get0_name(provider)))
  117. goto end;
  118. if (!TEST_str_eq(provname, "default"))
  119. goto end;
  120. EVP_PKEY_CTX_free(ctx);
  121. ctx = NULL;
  122. /* now load fake RSA and try again */
  123. if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx)))
  124. return 0;
  125. if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
  126. "?provider=fake-rsa")))
  127. goto end;
  128. if (!TEST_int_gt(EVP_PKEY_keygen_init(ctx), 0))
  129. goto end;
  130. if (!TEST_ptr(provider = EVP_PKEY_CTX_get0_provider(ctx)))
  131. goto end;
  132. if (!TEST_ptr(provname = OSSL_PROVIDER_get0_name(provider)))
  133. goto end;
  134. if (!TEST_str_eq(provname, "fake-rsa"))
  135. goto end;
  136. ret = 1;
  137. end:
  138. fake_rsa_finish(fake_rsa);
  139. OSSL_PROVIDER_unload(deflt);
  140. EVP_PKEY_CTX_free(ctx);
  141. return ret;
  142. }
  143. static int test_pkey_eq(void)
  144. {
  145. OSSL_PROVIDER *deflt = NULL;
  146. OSSL_PROVIDER *fake_rsa = NULL;
  147. EVP_PKEY *pkey_fake = NULL;
  148. EVP_PKEY *pkey_dflt = NULL;
  149. EVP_PKEY_CTX *ctx = NULL;
  150. OSSL_PARAM *params = NULL;
  151. int ret = 0;
  152. if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx)))
  153. return 0;
  154. if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default")))
  155. goto end;
  156. /* Construct a public key for fake-rsa */
  157. if (!TEST_ptr(params = fake_rsa_key_params(0))
  158. || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
  159. "provider=fake-rsa"))
  160. || !TEST_true(EVP_PKEY_fromdata_init(ctx))
  161. || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_fake, EVP_PKEY_PUBLIC_KEY,
  162. params))
  163. || !TEST_ptr(pkey_fake))
  164. goto end;
  165. EVP_PKEY_CTX_free(ctx);
  166. ctx = NULL;
  167. OSSL_PARAM_free(params);
  168. params = NULL;
  169. /* Construct a public key for default */
  170. if (!TEST_ptr(params = fake_rsa_key_params(0))
  171. || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
  172. "provider=default"))
  173. || !TEST_true(EVP_PKEY_fromdata_init(ctx))
  174. || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_dflt, EVP_PKEY_PUBLIC_KEY,
  175. params))
  176. || !TEST_ptr(pkey_dflt))
  177. goto end;
  178. EVP_PKEY_CTX_free(ctx);
  179. ctx = NULL;
  180. OSSL_PARAM_free(params);
  181. params = NULL;
  182. /* now test for equality */
  183. if (!TEST_int_eq(EVP_PKEY_eq(pkey_fake, pkey_dflt), 1))
  184. goto end;
  185. ret = 1;
  186. end:
  187. fake_rsa_finish(fake_rsa);
  188. OSSL_PROVIDER_unload(deflt);
  189. EVP_PKEY_CTX_free(ctx);
  190. EVP_PKEY_free(pkey_fake);
  191. EVP_PKEY_free(pkey_dflt);
  192. OSSL_PARAM_free(params);
  193. return ret;
  194. }
  195. static int test_pkey_store(int idx)
  196. {
  197. OSSL_PROVIDER *deflt = NULL;
  198. OSSL_PROVIDER *fake_rsa = NULL;
  199. int ret = 0;
  200. EVP_PKEY *pkey = NULL;
  201. OSSL_STORE_LOADER *loader = NULL;
  202. OSSL_STORE_CTX *ctx = NULL;
  203. OSSL_STORE_INFO *info;
  204. const char *propq = idx == 0 ? "?provider=fake-rsa"
  205. : "?provider=default";
  206. /* It's important to load the default provider first for this test */
  207. if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default")))
  208. goto end;
  209. if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx)))
  210. goto end;
  211. if (!TEST_ptr(loader = OSSL_STORE_LOADER_fetch(libctx, "fake_rsa",
  212. propq)))
  213. goto end;
  214. OSSL_STORE_LOADER_free(loader);
  215. if (!TEST_ptr(ctx = OSSL_STORE_open_ex("fake_rsa:test", libctx, propq,
  216. NULL, NULL, NULL, NULL, NULL)))
  217. goto end;
  218. while (!OSSL_STORE_eof(ctx)
  219. && (info = OSSL_STORE_load(ctx)) != NULL
  220. && pkey == NULL) {
  221. if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY)
  222. pkey = OSSL_STORE_INFO_get1_PKEY(info);
  223. OSSL_STORE_INFO_free(info);
  224. info = NULL;
  225. }
  226. if (!TEST_ptr(pkey) || !TEST_int_eq(EVP_PKEY_is_a(pkey, "RSA"), 1))
  227. goto end;
  228. ret = 1;
  229. end:
  230. fake_rsa_finish(fake_rsa);
  231. OSSL_PROVIDER_unload(deflt);
  232. OSSL_STORE_close(ctx);
  233. EVP_PKEY_free(pkey);
  234. return ret;
  235. }
  236. static int test_pkey_delete(void)
  237. {
  238. OSSL_PROVIDER *deflt = NULL;
  239. OSSL_PROVIDER *fake_rsa = NULL;
  240. int ret = 0;
  241. EVP_PKEY *pkey = NULL;
  242. OSSL_STORE_LOADER *loader = NULL;
  243. OSSL_STORE_CTX *ctx = NULL;
  244. OSSL_STORE_INFO *info;
  245. const char *propq = "?provider=fake-rsa";
  246. /* It's important to load the default provider first for this test */
  247. if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default")))
  248. goto end;
  249. if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx)))
  250. goto end;
  251. if (!TEST_ptr(loader = OSSL_STORE_LOADER_fetch(libctx, "fake_rsa",
  252. propq)))
  253. goto end;
  254. OSSL_STORE_LOADER_free(loader);
  255. /* First iteration: load key, check it, delete it */
  256. if (!TEST_ptr(ctx = OSSL_STORE_open_ex("fake_rsa:test", libctx, propq,
  257. NULL, NULL, NULL, NULL, NULL)))
  258. goto end;
  259. while (!OSSL_STORE_eof(ctx)
  260. && (info = OSSL_STORE_load(ctx)) != NULL
  261. && pkey == NULL) {
  262. if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY)
  263. pkey = OSSL_STORE_INFO_get1_PKEY(info);
  264. OSSL_STORE_INFO_free(info);
  265. info = NULL;
  266. }
  267. if (!TEST_ptr(pkey) || !TEST_int_eq(EVP_PKEY_is_a(pkey, "RSA"), 1))
  268. goto end;
  269. EVP_PKEY_free(pkey);
  270. pkey = NULL;
  271. if (!TEST_int_eq(OSSL_STORE_delete("fake_rsa:test", libctx, propq,
  272. NULL, NULL, NULL), 1))
  273. goto end;
  274. if (!TEST_int_eq(OSSL_STORE_close(ctx), 1))
  275. goto end;
  276. /* Second iteration: load key should fail */
  277. if (!TEST_ptr(ctx = OSSL_STORE_open_ex("fake_rsa:test", libctx, propq,
  278. NULL, NULL, NULL, NULL, NULL)))
  279. goto end;
  280. while (!OSSL_STORE_eof(ctx)) {
  281. info = OSSL_STORE_load(ctx);
  282. if (!TEST_ptr_null(info))
  283. goto end;
  284. }
  285. ret = 1;
  286. end:
  287. fake_rsa_finish(fake_rsa);
  288. OSSL_PROVIDER_unload(deflt);
  289. OSSL_STORE_close(ctx);
  290. fake_rsa_restore_store_state();
  291. return ret;
  292. }
  293. static int fake_pw_read_string(UI *ui, UI_STRING *uis)
  294. {
  295. const char *passphrase = FAKE_PASSPHRASE;
  296. if (UI_get_string_type(uis) == UIT_PROMPT) {
  297. UI_set_result(ui, uis, passphrase);
  298. return 1;
  299. }
  300. return 0;
  301. }
  302. static int test_pkey_store_open_ex(void)
  303. {
  304. OSSL_PROVIDER *deflt = NULL;
  305. OSSL_PROVIDER *fake_rsa = NULL;
  306. int ret = 0;
  307. EVP_PKEY *pkey = NULL;
  308. OSSL_STORE_LOADER *loader = NULL;
  309. OSSL_STORE_CTX *ctx = NULL;
  310. const char *propq = "?provider=fake-rsa";
  311. UI_METHOD *ui_method = NULL;
  312. /* It's important to load the default provider first for this test */
  313. if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default")))
  314. goto end;
  315. if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx)))
  316. goto end;
  317. if (!TEST_ptr(loader = OSSL_STORE_LOADER_fetch(libctx, "fake_rsa",
  318. propq)))
  319. goto end;
  320. OSSL_STORE_LOADER_free(loader);
  321. if (!TEST_ptr(ui_method= UI_create_method("PW Callbacks")))
  322. goto end;
  323. if (UI_method_set_reader(ui_method, fake_pw_read_string))
  324. goto end;
  325. if (!TEST_ptr(ctx = OSSL_STORE_open_ex("fake_rsa:openpwtest", libctx, propq,
  326. ui_method, NULL, NULL, NULL, NULL)))
  327. goto end;
  328. /* retry w/o ui_method to ensure we actually enter pw checks and fail */
  329. OSSL_STORE_close(ctx);
  330. if (!TEST_ptr_null(ctx = OSSL_STORE_open_ex("fake_rsa:openpwtest", libctx,
  331. propq, NULL, NULL, NULL, NULL,
  332. NULL)))
  333. goto end;
  334. ret = 1;
  335. end:
  336. UI_destroy_method(ui_method);
  337. fake_rsa_finish(fake_rsa);
  338. OSSL_PROVIDER_unload(deflt);
  339. OSSL_STORE_close(ctx);
  340. EVP_PKEY_free(pkey);
  341. return ret;
  342. }
  343. int setup_tests(void)
  344. {
  345. libctx = OSSL_LIB_CTX_new();
  346. if (libctx == NULL)
  347. return 0;
  348. ADD_TEST(test_pkey_sig);
  349. ADD_TEST(test_alternative_keygen_init);
  350. ADD_TEST(test_pkey_eq);
  351. ADD_ALL_TESTS(test_pkey_store, 2);
  352. ADD_TEST(test_pkey_delete);
  353. ADD_TEST(test_pkey_store_open_ex);
  354. return 1;
  355. }
  356. void cleanup_tests(void)
  357. {
  358. OSSL_LIB_CTX_free(libctx);
  359. }