80-test_cms.t 45 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167
  1. #! /usr/bin/env perl
  2. # Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. #
  4. # Licensed under the Apache License 2.0 (the "License"). You may not use
  5. # this file except in compliance with the License. You can obtain a copy
  6. # in the file LICENSE in the source distribution or at
  7. # https://www.openssl.org/source/license.html
  8. use strict;
  9. use warnings;
  10. use POSIX;
  11. use File::Spec::Functions qw/catfile/;
  12. use File::Compare qw/compare_text compare/;
  13. use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with data_file/;
  14. use OpenSSL::Test::Utils;
  15. BEGIN {
  16. setup("test_cms");
  17. }
  18. use lib srctop_dir('Configurations');
  19. use lib bldtop_dir('.');
  20. my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
  21. plan skip_all => "CMS is not supported by this OpenSSL build"
  22. if disabled("cms");
  23. my $provpath = bldtop_dir("providers");
  24. # Some tests require legacy algorithms to be included.
  25. my @legacyprov = ("-provider-path", $provpath,
  26. "-provider", "default",
  27. "-provider", "legacy" );
  28. my @defaultprov = ("-provider-path", $provpath,
  29. "-provider", "default");
  30. my @config = ( );
  31. my $provname = 'default';
  32. my $datadir = srctop_dir("test", "recipes", "80-test_cms_data");
  33. my $smdir = srctop_dir("test", "smime-certs");
  34. my $smcont = srctop_file("test", "smcont.txt");
  35. my $smcont_zero = srctop_file("test", "smcont_zero.txt");
  36. my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
  37. = disabled qw/des dh dsa ec ec2m rc2 zlib/;
  38. $no_rc2 = 1 if disabled("legacy");
  39. plan tests => 22;
  40. ok(run(test(["pkcs7_test"])), "test pkcs7");
  41. unless ($no_fips) {
  42. @config = ( "-config", srctop_file("test", "fips-and-base.cnf") );
  43. $provname = 'fips';
  44. }
  45. $ENV{OPENSSL_TEST_LIBCTX} = "1";
  46. my @prov = ("-provider-path", $provpath,
  47. @config,
  48. "-provider", $provname);
  49. my $smrsa1024 = catfile($smdir, "smrsa1024.pem");
  50. my $smrsa1 = catfile($smdir, "smrsa1.pem");
  51. my $smroot = catfile($smdir, "smroot.pem");
  52. my @smime_pkcs7_tests = (
  53. [ "signed content DER format, RSA key",
  54. [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
  55. "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
  56. [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
  57. "-CAfile", $smroot, "-out", "{output}.txt" ],
  58. \&final_compare
  59. ],
  60. [ "signed detached content DER format, RSA key",
  61. [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
  62. "-signer", $smrsa1, "-out", "{output}.cms" ],
  63. [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
  64. "-CAfile", $smroot, "-out", "{output}.txt",
  65. "-content", $smcont ],
  66. \&final_compare
  67. ],
  68. [ "signed content test streaming BER format, RSA",
  69. [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
  70. "-stream",
  71. "-signer", $smrsa1, "-out", "{output}.cms" ],
  72. [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
  73. "-CAfile", $smroot, "-out", "{output}.txt" ],
  74. \&final_compare
  75. ],
  76. [ "signed content DER format, DSA key",
  77. [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
  78. "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
  79. [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
  80. "-CAfile", $smroot, "-out", "{output}.txt" ],
  81. \&final_compare
  82. ],
  83. [ "signed detached content DER format, DSA key",
  84. [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
  85. "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
  86. [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
  87. "-CAfile", $smroot, "-out", "{output}.txt",
  88. "-content", $smcont ],
  89. \&final_compare
  90. ],
  91. [ "signed detached content DER format, add RSA signer (with DSA existing)",
  92. [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
  93. "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
  94. [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
  95. "-signer", $smrsa1, "-out", "{output}2.cms" ],
  96. [ "{cmd2}", @prov, "-verify", "-in", "{output}2.cms", "-inform", "DER",
  97. "-CAfile", $smroot, "-out", "{output}.txt",
  98. "-content", $smcont ],
  99. \&final_compare
  100. ],
  101. [ "signed content test streaming BER format, DSA key",
  102. [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
  103. "-nodetach", "-stream",
  104. "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
  105. [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
  106. "-CAfile", $smroot, "-out", "{output}.txt" ],
  107. \&final_compare
  108. ],
  109. [ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
  110. [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
  111. "-nodetach", "-stream",
  112. "-signer", $smrsa1,
  113. "-signer", catfile($smdir, "smrsa2.pem"),
  114. "-signer", catfile($smdir, "smdsa1.pem"),
  115. "-signer", catfile($smdir, "smdsa2.pem"),
  116. "-out", "{output}.cms" ],
  117. [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
  118. "-CAfile", $smroot, "-out", "{output}.txt" ],
  119. \&final_compare
  120. ],
  121. [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
  122. [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
  123. "-noattr", "-nodetach", "-stream",
  124. "-signer", $smrsa1,
  125. "-signer", catfile($smdir, "smrsa2.pem"),
  126. "-signer", catfile($smdir, "smdsa1.pem"),
  127. "-signer", catfile($smdir, "smdsa2.pem"),
  128. "-out", "{output}.cms" ],
  129. [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
  130. "-CAfile", $smroot, "-out", "{output}.txt" ],
  131. \&final_compare
  132. ],
  133. [ "signed content S/MIME format, RSA key SHA1",
  134. [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
  135. "-certfile", $smroot,
  136. "-signer", $smrsa1, "-out", "{output}.cms" ],
  137. [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
  138. "-CAfile", $smroot, "-out", "{output}.txt" ],
  139. \&final_compare
  140. ],
  141. [ "signed zero-length content S/MIME format, RSA key SHA1",
  142. [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",
  143. "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
  144. [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
  145. "-CAfile", $smroot, "-out", "{output}.txt" ],
  146. \&zero_compare
  147. ],
  148. [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
  149. [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
  150. "-signer", $smrsa1,
  151. "-signer", catfile($smdir, "smrsa2.pem"),
  152. "-signer", catfile($smdir, "smdsa1.pem"),
  153. "-signer", catfile($smdir, "smdsa2.pem"),
  154. "-stream", "-out", "{output}.cms" ],
  155. [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
  156. "-CAfile", $smroot, "-out", "{output}.txt" ],
  157. \&final_compare
  158. ],
  159. [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
  160. [ "{cmd1}", @prov, "-sign", "-in", $smcont,
  161. "-signer", $smrsa1,
  162. "-signer", catfile($smdir, "smrsa2.pem"),
  163. "-signer", catfile($smdir, "smdsa1.pem"),
  164. "-signer", catfile($smdir, "smdsa2.pem"),
  165. "-stream", "-out", "{output}.cms" ],
  166. [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
  167. "-CAfile", $smroot, "-out", "{output}.txt" ],
  168. \&final_compare
  169. ],
  170. [ "enveloped content test streaming S/MIME format, DES, 3 recipients",
  171. [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
  172. "-stream", "-out", "{output}.cms",
  173. $smrsa1,
  174. catfile($smdir, "smrsa2.pem"),
  175. catfile($smdir, "smrsa3.pem") ],
  176. [ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
  177. "-in", "{output}.cms", "-out", "{output}.txt" ],
  178. \&final_compare
  179. ],
  180. [ "enveloped content test streaming S/MIME format, DES, 3 recipients, 3rd used",
  181. [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
  182. "-stream", "-out", "{output}.cms",
  183. $smrsa1,
  184. catfile($smdir, "smrsa2.pem"),
  185. catfile($smdir, "smrsa3.pem") ],
  186. [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smrsa3.pem"),
  187. "-in", "{output}.cms", "-out", "{output}.txt" ],
  188. \&final_compare
  189. ],
  190. [ "enveloped content test streaming S/MIME format, DES, 3 recipients, key only used",
  191. [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
  192. "-stream", "-out", "{output}.cms",
  193. $smrsa1,
  194. catfile($smdir, "smrsa2.pem"),
  195. catfile($smdir, "smrsa3.pem") ],
  196. [ "{cmd2}", @defaultprov, "-decrypt", "-inkey", catfile($smdir, "smrsa3.pem"),
  197. "-in", "{output}.cms", "-out", "{output}.txt" ],
  198. \&final_compare
  199. ],
  200. [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
  201. [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
  202. "-aes256", "-stream", "-out", "{output}.cms",
  203. $smrsa1,
  204. catfile($smdir, "smrsa2.pem"),
  205. catfile($smdir, "smrsa3.pem") ],
  206. [ "{cmd2}", @prov, "-decrypt", "-recip", $smrsa1,
  207. "-in", "{output}.cms", "-out", "{output}.txt" ],
  208. \&final_compare
  209. ],
  210. );
  211. my @smime_cms_tests = (
  212. [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
  213. [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
  214. "-nodetach", "-keyid",
  215. "-signer", $smrsa1,
  216. "-signer", catfile($smdir, "smrsa2.pem"),
  217. "-signer", catfile($smdir, "smdsa1.pem"),
  218. "-signer", catfile($smdir, "smdsa2.pem"),
  219. "-stream", "-out", "{output}.cms" ],
  220. [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
  221. "-CAfile", $smroot, "-out", "{output}.txt" ],
  222. \&final_compare
  223. ],
  224. [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
  225. [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
  226. "-signer", $smrsa1,
  227. "-signer", catfile($smdir, "smrsa2.pem"),
  228. "-signer", catfile($smdir, "smdsa1.pem"),
  229. "-signer", catfile($smdir, "smdsa2.pem"),
  230. "-stream", "-out", "{output}.cms" ],
  231. [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
  232. "-CAfile", $smroot, "-out", "{output}.txt" ],
  233. \&final_compare
  234. ],
  235. [ "signed content MIME format, RSA key, signed receipt request",
  236. [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
  237. "-signer", $smrsa1,
  238. "-receipt_request_to", "test\@openssl.org", "-receipt_request_all",
  239. "-out", "{output}.cms" ],
  240. [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
  241. "-CAfile", $smroot, "-out", "{output}.txt" ],
  242. \&final_compare
  243. ],
  244. [ "signed receipt MIME format, RSA key",
  245. [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
  246. "-signer", $smrsa1,
  247. "-receipt_request_to", "test\@openssl.org", "-receipt_request_all",
  248. "-out", "{output}.cms" ],
  249. [ "{cmd1}", @prov, "-sign_receipt", "-in", "{output}.cms",
  250. "-signer", catfile($smdir, "smrsa2.pem"), "-out", "{output}2.cms" ],
  251. [ "{cmd2}", @prov, "-verify_receipt", "{output}2.cms", "-in", "{output}.cms",
  252. "-CAfile", $smroot ]
  253. ],
  254. [ "enveloped content test streaming S/MIME format, DES, 3 recipients, keyid",
  255. [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
  256. "-stream", "-out", "{output}.cms", "-keyid",
  257. $smrsa1,
  258. catfile($smdir, "smrsa2.pem"),
  259. catfile($smdir, "smrsa3.pem") ],
  260. [ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
  261. "-in", "{output}.cms", "-out", "{output}.txt" ],
  262. \&final_compare
  263. ],
  264. [ "enveloped content test streaming PEM format, AES-256-CBC cipher, KEK",
  265. [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128",
  266. "-stream", "-out", "{output}.cms",
  267. "-secretkey", "000102030405060708090A0B0C0D0E0F",
  268. "-secretkeyid", "C0FEE0" ],
  269. [ "{cmd2}", @prov, "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
  270. "-inform", "PEM",
  271. "-secretkey", "000102030405060708090A0B0C0D0E0F",
  272. "-secretkeyid", "C0FEE0" ],
  273. \&final_compare
  274. ],
  275. [ "enveloped content test streaming PEM format, AES-256-GCM cipher, KEK",
  276. [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes-128-gcm",
  277. "-stream", "-out", "{output}.cms",
  278. "-secretkey", "000102030405060708090A0B0C0D0E0F",
  279. "-secretkeyid", "C0FEE0" ],
  280. [ "{cmd2}", "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
  281. "-inform", "PEM",
  282. "-secretkey", "000102030405060708090A0B0C0D0E0F",
  283. "-secretkeyid", "C0FEE0" ],
  284. \&final_compare
  285. ],
  286. [ "enveloped content test streaming PEM format, KEK, key only",
  287. [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128",
  288. "-stream", "-out", "{output}.cms",
  289. "-secretkey", "000102030405060708090A0B0C0D0E0F",
  290. "-secretkeyid", "C0FEE0" ],
  291. [ "{cmd2}", @prov, "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
  292. "-inform", "PEM",
  293. "-secretkey", "000102030405060708090A0B0C0D0E0F" ],
  294. \&final_compare
  295. ],
  296. [ "data content test streaming PEM format",
  297. [ "{cmd1}", @prov, "-data_create", "-in", $smcont, "-outform", "PEM",
  298. "-nodetach", "-stream", "-out", "{output}.cms" ],
  299. [ "{cmd2}", @prov, "-data_out", "-in", "{output}.cms", "-inform", "PEM",
  300. "-out", "{output}.txt" ],
  301. \&final_compare
  302. ],
  303. [ "encrypted content test streaming PEM format, 128 bit RC2 key",
  304. [ "{cmd1}", @legacyprov, "-EncryptedData_encrypt",
  305. "-in", $smcont, "-outform", "PEM",
  306. "-rc2", "-secretkey", "000102030405060708090A0B0C0D0E0F",
  307. "-stream", "-out", "{output}.cms" ],
  308. [ "{cmd2}", @legacyprov, "-EncryptedData_decrypt", "-in", "{output}.cms",
  309. "-inform", "PEM",
  310. "-secretkey", "000102030405060708090A0B0C0D0E0F",
  311. "-out", "{output}.txt" ],
  312. \&final_compare
  313. ],
  314. [ "encrypted content test streaming PEM format, 40 bit RC2 key",
  315. [ "{cmd1}", @legacyprov, "-EncryptedData_encrypt",
  316. "-in", $smcont, "-outform", "PEM",
  317. "-rc2", "-secretkey", "0001020304",
  318. "-stream", "-out", "{output}.cms" ],
  319. [ "{cmd2}", @legacyprov, "-EncryptedData_decrypt", "-in", "{output}.cms",
  320. "-inform", "PEM",
  321. "-secretkey", "0001020304", "-out", "{output}.txt" ],
  322. \&final_compare
  323. ],
  324. [ "encrypted content test streaming PEM format, triple DES key",
  325. [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
  326. "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
  327. "-stream", "-out", "{output}.cms" ],
  328. [ "{cmd2}", @prov, "-EncryptedData_decrypt", "-in", "{output}.cms",
  329. "-inform", "PEM",
  330. "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
  331. "-out", "{output}.txt" ],
  332. \&final_compare
  333. ],
  334. [ "encrypted content test streaming PEM format, 128 bit AES key",
  335. [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
  336. "-aes128", "-secretkey", "000102030405060708090A0B0C0D0E0F",
  337. "-stream", "-out", "{output}.cms" ],
  338. [ "{cmd2}", @prov, "-EncryptedData_decrypt", "-in", "{output}.cms",
  339. "-inform", "PEM",
  340. "-secretkey", "000102030405060708090A0B0C0D0E0F",
  341. "-out", "{output}.txt" ],
  342. \&final_compare
  343. ],
  344. );
  345. my @smime_cms_cades_tests = (
  346. [ "signed content DER format, RSA key, CAdES-BES compatible",
  347. [ "{cmd1}", @prov, "-sign", "-cades", "-in", $smcont, "-outform", "DER",
  348. "-nodetach",
  349. "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
  350. [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
  351. "-CAfile", $smroot, "-out", "{output}.txt" ],
  352. \&final_compare
  353. ],
  354. [ "signed content DER format, RSA key, SHA256 md, CAdES-BES compatible",
  355. [ "{cmd1}", @prov, "-sign", "-cades", "-md", "sha256", "-in", $smcont, "-outform",
  356. "DER", "-nodetach", "-certfile", $smroot,
  357. "-signer", $smrsa1, "-out", "{output}.cms" ],
  358. [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
  359. "-CAfile", $smroot, "-out", "{output}.txt" ],
  360. \&final_compare
  361. ],
  362. [ "signed content DER format, RSA key, SHA512 md, CAdES-BES compatible",
  363. [ "{cmd1}", @prov, "-sign", "-cades", "-md", "sha512", "-in", $smcont, "-outform",
  364. "DER", "-nodetach", "-certfile", $smroot,
  365. "-signer", $smrsa1, "-out", "{output}.cms" ],
  366. [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
  367. "-CAfile", $smroot, "-out", "{output}.txt" ],
  368. \&final_compare
  369. ],
  370. [ "signed content DER format, RSA key, SHA256 md, CAdES-BES compatible",
  371. [ "{cmd1}", @prov, "-sign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256",
  372. "-in", $smcont, "-outform", "DER",
  373. "-certfile", $smroot, "-signer", $smrsa1,
  374. "-outform", "DER", "-out", "{output}.cms" ],
  375. [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
  376. "-CAfile", $smroot, "-out", "{output}.txt" ],
  377. \&final_compare
  378. ],
  379. [ "resigned content DER format, RSA key, SHA256 md, CAdES-BES compatible",
  380. [ "{cmd1}", @prov, "-sign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256",
  381. "-in", $smcont, "-outform", "DER",
  382. "-certfile", $smroot, "-signer", $smrsa1,
  383. "-outform", "DER", "-out", "{output}.cms" ],
  384. [ "{cmd1}", @prov, "-resign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256",
  385. "-inform", "DER", "-in", "{output}.cms",
  386. "-certfile", $smroot, "-signer", catfile($smdir, "smrsa2.pem"),
  387. "-outform", "DER", "-out", "{output}2.cms" ],
  388. [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}2.cms", "-inform", "DER",
  389. "-CAfile", $smroot, "-out", "{output}.txt" ],
  390. \&final_compare
  391. ],
  392. );
  393. my @smime_cms_cades_ko_tests = (
  394. [ "sign content DER format, RSA key, not CAdES-BES compatible",
  395. [ @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
  396. "-certfile", $smroot, "-signer", $smrsa1, "-out", "cades-ko.cms" ],
  397. "fail to verify token since requiring CAdES-BES compatibility",
  398. [ @prov, "-verify", "-cades", "-in", "cades-ko.cms", "-inform", "DER",
  399. "-CAfile", $smroot, "-out", "cades-ko.txt" ],
  400. \&final_compare
  401. ]
  402. );
  403. # cades options test - check that some combinations are rejected
  404. my @smime_cms_cades_invalid_option_tests = (
  405. [
  406. [ "-cades", "-noattr" ],
  407. ],[
  408. [ "-verify", "-cades", "-noattr" ],
  409. ],[
  410. [ "-verify", "-cades", "-noverify" ],
  411. ],
  412. );
  413. my @smime_cms_comp_tests = (
  414. [ "compressed content test streaming PEM format",
  415. [ "{cmd1}", @prov, "-compress", "-in", $smcont, "-outform", "PEM", "-nodetach",
  416. "-stream", "-out", "{output}.cms" ],
  417. [ "{cmd2}", @prov, "-uncompress", "-in", "{output}.cms", "-inform", "PEM",
  418. "-out", "{output}.txt" ],
  419. \&final_compare
  420. ]
  421. );
  422. my @smime_cms_param_tests = (
  423. [ "signed content test streaming PEM format, RSA keys, PSS signature",
  424. [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
  425. "-signer", $smrsa1,
  426. "-keyopt", "rsa_padding_mode:pss",
  427. "-out", "{output}.cms" ],
  428. [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
  429. "-CAfile", $smroot, "-out", "{output}.txt" ],
  430. \&final_compare
  431. ],
  432. [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=max",
  433. [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
  434. "-signer", $smrsa1,
  435. "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:max",
  436. "-out", "{output}.cms" ],
  437. sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 222; },
  438. [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
  439. "-CAfile", $smroot, "-out", "{output}.txt" ],
  440. \&final_compare
  441. ],
  442. [ "signed content test streaming PEM format, RSA keys, PSS signature, no attributes",
  443. [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
  444. "-noattr", "-signer", $smrsa1,
  445. "-keyopt", "rsa_padding_mode:pss",
  446. "-out", "{output}.cms" ],
  447. [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
  448. "-CAfile", $smroot, "-out", "{output}.txt" ],
  449. \&final_compare
  450. ],
  451. [ "signed content test streaming PEM format, RSA keys, PSS signature, SHA384 MGF1",
  452. [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
  453. "-signer", $smrsa1,
  454. "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_mgf1_md:sha384",
  455. "-out", "{output}.cms" ],
  456. [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
  457. "-CAfile", $smroot, "-out", "{output}.txt" ],
  458. \&final_compare
  459. ],
  460. [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=16",
  461. [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
  462. "-signer", $smrsa1, "-md", "sha256",
  463. "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:16",
  464. "-out", "{output}.cms" ],
  465. sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 16; },
  466. [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
  467. "-CAfile", $smroot, "-out", "{output}.txt" ],
  468. \&final_compare
  469. ],
  470. [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=digest",
  471. [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
  472. "-signer", $smrsa1, "-md", "sha256",
  473. "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:digest",
  474. "-out", "{output}.cms" ],
  475. # digest is SHA-256, which produces 32 bytes of output
  476. sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 32; },
  477. [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
  478. "-CAfile", $smroot, "-out", "{output}.txt" ],
  479. \&final_compare
  480. ],
  481. [ "enveloped content test streaming S/MIME format, DES, OAEP default parameters",
  482. [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
  483. "-stream", "-out", "{output}.cms",
  484. "-recip", $smrsa1,
  485. "-keyopt", "rsa_padding_mode:oaep" ],
  486. [ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
  487. "-in", "{output}.cms", "-out", "{output}.txt" ],
  488. \&final_compare
  489. ],
  490. [ "enveloped content test streaming S/MIME format, DES, OAEP SHA256",
  491. [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
  492. "-stream", "-out", "{output}.cms",
  493. "-recip", $smrsa1,
  494. "-keyopt", "rsa_padding_mode:oaep",
  495. "-keyopt", "rsa_oaep_md:sha256" ],
  496. [ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
  497. "-in", "{output}.cms", "-out", "{output}.txt" ],
  498. \&final_compare
  499. ],
  500. [ "enveloped content test streaming S/MIME format, DES, ECDH",
  501. [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
  502. "-stream", "-out", "{output}.cms",
  503. "-recip", catfile($smdir, "smec1.pem") ],
  504. [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
  505. "-in", "{output}.cms", "-out", "{output}.txt" ],
  506. \&final_compare
  507. ],
  508. [ "enveloped content test streaming S/MIME format, DES, ECDH, 2 recipients, key only used",
  509. [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
  510. "-stream", "-out", "{output}.cms",
  511. catfile($smdir, "smec1.pem"),
  512. catfile($smdir, "smec3.pem") ],
  513. [ "{cmd2}", @defaultprov, "-decrypt", "-inkey", catfile($smdir, "smec3.pem"),
  514. "-in", "{output}.cms", "-out", "{output}.txt" ],
  515. \&final_compare
  516. ],
  517. [ "enveloped content test streaming S/MIME format, ECDH, DES, key identifier",
  518. [ "{cmd1}", @defaultprov, "-encrypt", "-keyid", "-in", $smcont,
  519. "-stream", "-out", "{output}.cms",
  520. "-recip", catfile($smdir, "smec1.pem") ],
  521. [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
  522. "-in", "{output}.cms", "-out", "{output}.txt" ],
  523. \&final_compare
  524. ],
  525. [ "enveloped content test streaming S/MIME format, ECDH, AES-128-CBC, SHA256 KDF",
  526. [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
  527. "-stream", "-out", "{output}.cms",
  528. "-recip", catfile($smdir, "smec1.pem"), "-aes128",
  529. "-keyopt", "ecdh_kdf_md:sha256" ],
  530. [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
  531. "-in", "{output}.cms", "-out", "{output}.txt" ],
  532. \&final_compare
  533. ],
  534. [ "enveloped content test streaming S/MIME format, ECDH, AES-128-GCM cipher, SHA256 KDF",
  535. [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
  536. "-stream", "-out", "{output}.cms",
  537. "-recip", catfile($smdir, "smec1.pem"), "-aes-128-gcm", "-keyopt", "ecdh_kdf_md:sha256" ],
  538. [ "{cmd2}", "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
  539. "-in", "{output}.cms", "-out", "{output}.txt" ],
  540. \&final_compare
  541. ],
  542. [ "enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH",
  543. [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
  544. "-stream", "-out", "{output}.cms",
  545. "-recip", catfile($smdir, "smec2.pem"), "-aes128",
  546. "-keyopt", "ecdh_kdf_md:sha256", "-keyopt", "ecdh_cofactor_mode:1" ],
  547. [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smec2.pem"),
  548. "-in", "{output}.cms", "-out", "{output}.txt" ],
  549. \&final_compare
  550. ],
  551. [ "enveloped content test streaming S/MIME format, X9.42 DH",
  552. [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
  553. "-stream", "-out", "{output}.cms",
  554. "-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
  555. [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
  556. "-in", "{output}.cms", "-out", "{output}.txt" ],
  557. \&final_compare
  558. ]
  559. );
  560. my @smime_cms_param_tests_autodigestmax = (
  561. [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=auto-digestmax, digestsize < maximum salt length",
  562. [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
  563. "-signer", $smrsa1, "-md", "sha256",
  564. "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:auto-digestmax",
  565. "-out", "{output}.cms" ],
  566. # digest is SHA-256, which produces 32, bytes of output
  567. sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 32; },
  568. [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
  569. "-CAfile", $smroot, "-out", "{output}.txt" ],
  570. \&final_compare
  571. ],
  572. [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=auto-digestmax, digestsize > maximum salt length",
  573. [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
  574. "-signer", $smrsa1024, "-md", "sha512",
  575. "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:auto-digestmax",
  576. "-out", "{output}.cms" ],
  577. # digest is SHA-512, which produces 64, bytes of output, but an RSA-PSS
  578. # signature with a 1024 bit RSA key can only accommodate 62
  579. sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 62; },
  580. [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
  581. "-CAfile", $smroot, "-out", "{output}.txt" ],
  582. \&final_compare
  583. ]
  584. );
  585. my @contenttype_cms_test = (
  586. [ "signed content test - check that content type is added to additional signerinfo, RSA keys",
  587. [ "{cmd1}", @prov, "-sign", "-binary", "-nodetach", "-stream", "-in", $smcont,
  588. "-outform", "DER", "-signer", $smrsa1, "-md", "SHA256",
  589. "-out", "{output}.cms" ],
  590. [ "{cmd1}", @prov, "-resign", "-binary", "-nodetach", "-in", "{output}.cms",
  591. "-inform", "DER", "-outform", "DER",
  592. "-signer", catfile($smdir, "smrsa2.pem"), "-md", "SHA256",
  593. "-out", "{output}2.cms" ],
  594. sub { my %opts = @_; contentType_matches("$opts{output}2.cms") == 2; },
  595. [ "{cmd2}", @prov, "-verify", "-in", "{output}2.cms", "-inform", "DER",
  596. "-CAfile", $smroot, "-out", "{output}.txt" ]
  597. ],
  598. );
  599. my @incorrect_attribute_cms_test = (
  600. "bad_signtime_attr.cms",
  601. "no_ct_attr.cms",
  602. "no_md_attr.cms",
  603. "ct_multiple_attr.cms"
  604. );
  605. # Runs a standard loop on the input array
  606. sub runner_loop {
  607. my %opts = ( @_ );
  608. my $cnt1 = 0;
  609. foreach (@{$opts{tests}}) {
  610. $cnt1++;
  611. $opts{output} = "$opts{prefix}-$cnt1";
  612. SKIP: {
  613. my $skip_reason = check_availability($$_[0]);
  614. skip $skip_reason, 1 if $skip_reason;
  615. my $ok = 1;
  616. 1 while unlink "$opts{output}.txt";
  617. foreach (@$_[1..$#$_]) {
  618. if (ref $_ eq 'CODE') {
  619. $ok &&= $_->(%opts);
  620. } else {
  621. my @cmd = map {
  622. my $x = $_;
  623. while ($x =~ /\{([^\}]+)\}/) {
  624. $x = $`.$opts{$1}.$' if exists $opts{$1};
  625. }
  626. $x;
  627. } @$_;
  628. diag "CMD: openssl ", join(" ", @cmd);
  629. $ok &&= run(app(["openssl", @cmd]));
  630. $opts{input} = $opts{output};
  631. }
  632. }
  633. ok($ok, $$_[0]);
  634. }
  635. }
  636. }
  637. sub final_compare {
  638. my %opts = @_;
  639. diag "Comparing $smcont with $opts{output}.txt";
  640. return compare_text($smcont, "$opts{output}.txt") == 0;
  641. }
  642. sub zero_compare {
  643. my %opts = @_;
  644. diag "Checking for zero-length file";
  645. return (-e "$opts{output}.txt" && -z "$opts{output}.txt");
  646. }
  647. subtest "CMS => PKCS#7 compatibility tests\n" => sub {
  648. plan tests => scalar @smime_pkcs7_tests;
  649. runner_loop(prefix => 'cms2pkcs7', cmd1 => 'cms', cmd2 => 'smime',
  650. tests => [ @smime_pkcs7_tests ]);
  651. };
  652. subtest "CMS <= PKCS#7 compatibility tests\n" => sub {
  653. plan tests => scalar @smime_pkcs7_tests;
  654. runner_loop(prefix => 'pkcs72cms', cmd1 => 'smime', cmd2 => 'cms',
  655. tests => [ @smime_pkcs7_tests ]);
  656. };
  657. subtest "CMS <=> CMS consistency tests\n" => sub {
  658. plan tests => (scalar @smime_pkcs7_tests) + (scalar @smime_cms_tests);
  659. runner_loop(prefix => 'cms2cms-1', cmd1 => 'cms', cmd2 => 'cms',
  660. tests => [ @smime_pkcs7_tests ]);
  661. runner_loop(prefix => 'cms2cms-2', cmd1 => 'cms', cmd2 => 'cms',
  662. tests => [ @smime_cms_tests ]);
  663. };
  664. subtest "CMS <=> CMS consistency tests, modified key parameters\n" => sub {
  665. plan tests =>
  666. (scalar @smime_cms_param_tests) + (scalar @smime_cms_comp_tests) +
  667. (scalar @smime_cms_param_tests_autodigestmax) + 1;
  668. ok(run(app(["openssl", "cms", @prov,
  669. "-sign", "-in", $smcont,
  670. "-outform", "PEM",
  671. "-nodetach",
  672. "-signer", $smrsa1,
  673. "-keyopt", "rsa_padding_mode:pss",
  674. "-keyopt", "rsa_pss_saltlen:auto-digestmax",
  675. "-out", "digestmaxtest.cms"])));
  676. # Providers that do not support rsa_pss_saltlen:auto-digestmax will parse
  677. # it as 0
  678. my $no_autodigestmax = rsapssSaltlen("digestmaxtest.cms") == 0;
  679. 1 while unlink "digestmaxtest.cms";
  680. runner_loop(prefix => 'cms2cms-mod', cmd1 => 'cms', cmd2 => 'cms',
  681. tests => [ @smime_cms_param_tests ]);
  682. SKIP: {
  683. skip("Zlib not supported: compression tests skipped",
  684. scalar @smime_cms_comp_tests)
  685. if $no_zlib;
  686. runner_loop(prefix => 'cms2cms-comp', cmd1 => 'cms', cmd2 => 'cms',
  687. tests => [ @smime_cms_comp_tests ]);
  688. }
  689. SKIP: {
  690. skip("rsa_pss_saltlen:auto-digestmax not supported",
  691. scalar @smime_cms_param_tests_autodigestmax)
  692. if $no_autodigestmax;
  693. runner_loop(prefix => 'cms2cms-comp', 'cmd1' => 'cms', cmd2 => 'cms',
  694. tests => [ @smime_cms_param_tests_autodigestmax ]);
  695. }
  696. };
  697. # Returns the number of matches of a Content Type Attribute in a binary file.
  698. sub contentType_matches {
  699. # Read in a binary file
  700. my ($in) = @_;
  701. open (HEX_IN, "$in") or die("open failed for $in : $!");
  702. binmode(HEX_IN);
  703. local $/;
  704. my $str = <HEX_IN>;
  705. # Find ASN1 data for a Content Type Attribute (with a OID of PKCS7 data)
  706. my @c = $str =~ /\x30\x18\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x03\x31\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x01/gs;
  707. close(HEX_IN);
  708. return scalar(@c);
  709. }
  710. sub rsapssSaltlen {
  711. my ($in) = @_;
  712. my $exit = 0;
  713. my @asn1parse = run(app(["openssl", "asn1parse", "-in", $in, "-dump"]),
  714. capture => 1,
  715. statusvar => $exit);
  716. return -1 if $exit != 0;
  717. my $pssparam_offset = -1;
  718. while ($_ = shift @asn1parse) {
  719. chomp;
  720. next unless /:rsassaPss/;
  721. # This line contains :rsassaPss, the next line contains a raw dump of the
  722. # RSA_PSS_PARAMS sequence; obtain its offset
  723. $_ = shift @asn1parse;
  724. if (/^\s*(\d+):/) {
  725. $pssparam_offset = int($1);
  726. }
  727. }
  728. if ($pssparam_offset == -1) {
  729. note "Failed to determine RSA_PSS_PARAM offset in CMS. " +
  730. "Was the file correctly signed with RSASSA-PSS?";
  731. return -1;
  732. }
  733. my @pssparam = run(app(["openssl", "asn1parse", "-in", $in,
  734. "-strparse", $pssparam_offset]),
  735. capture => 1,
  736. statusvar => $exit);
  737. return -1 if $exit != 0;
  738. my $saltlen = -1;
  739. # Can't use asn1parse -item RSA_PSS_PARAMS here, because that's deprecated.
  740. # This assumes the salt length is the last field, which may possibly be
  741. # incorrect if there is a non-standard trailer field, but there almost never
  742. # is in PSS.
  743. if ($pssparam[-1] =~ /prim:\s+INTEGER\s+:([A-Fa-f0-9]+)/) {
  744. $saltlen = hex($1);
  745. }
  746. if ($saltlen == -1) {
  747. note "Failed to determine salt length from RSA_PSS_PARAM struct. " +
  748. "Was the file correctly signed with RSASSA-PSS?";
  749. return -1;
  750. }
  751. return $saltlen;
  752. }
  753. subtest "CMS Check the content type attribute is added for additional signers\n" => sub {
  754. plan tests => (scalar @contenttype_cms_test);
  755. runner_loop(prefix => 'cms2cms-added', cmd1 => 'cms', cmd2 => 'cms',
  756. tests => [ @contenttype_cms_test ]);
  757. };
  758. subtest "CMS Check that bad attributes fail when verifying signers\n" => sub {
  759. plan tests =>
  760. (scalar @incorrect_attribute_cms_test);
  761. my $cnt = 0;
  762. foreach my $name (@incorrect_attribute_cms_test) {
  763. my $out = "incorrect-$cnt.txt";
  764. ok(!run(app(["openssl", "cms", @prov, "-verify", "-in",
  765. catfile($datadir, $name), "-inform", "DER", "-CAfile",
  766. $smroot, "-out", $out ])),
  767. $name);
  768. }
  769. };
  770. subtest "CMS Check that bad encryption algorithm fails\n" => sub {
  771. plan tests => 1;
  772. SKIP: {
  773. skip "DES or Legacy isn't supported in this build", 1
  774. if disabled("des") || disabled("legacy");
  775. my $out = "smtst.txt";
  776. ok(!run(app(["openssl", "cms", @legacyprov, "-encrypt",
  777. "-in", $smcont,
  778. "-stream", "-recip", $smrsa1,
  779. "-des-ede3",
  780. "-out", $out ])),
  781. "Decrypt message from OpenSSL 1.1.1");
  782. }
  783. };
  784. subtest "CMS Decrypt message encrypted with OpenSSL 1.1.1\n" => sub {
  785. plan tests => 1;
  786. SKIP: {
  787. skip "EC or DES isn't supported in this build", 1
  788. if disabled("ec") || disabled("des");
  789. my $out = "smtst.txt";
  790. ok(run(app(["openssl", "cms", @defaultprov, "-decrypt",
  791. "-inkey", catfile($smdir, "smec3.pem"),
  792. "-in", catfile($datadir, "ciphertext_from_1_1_1.cms"),
  793. "-out", $out ]))
  794. && compare_text($smcont, $out) == 0,
  795. "Decrypt message from OpenSSL 1.1.1");
  796. }
  797. };
  798. subtest "CAdES <=> CAdES consistency tests\n" => sub {
  799. plan tests => (scalar @smime_cms_cades_tests);
  800. runner_loop(prefix => 'cms-cades', cmd1 => 'cms', cmd2 => 'cms',
  801. tests => [ @smime_cms_cades_tests ]);
  802. };
  803. subtest "CAdES; cms incompatible arguments tests\n" => sub {
  804. plan tests => (scalar @smime_cms_cades_invalid_option_tests);
  805. foreach (@smime_cms_cades_invalid_option_tests) {
  806. ok(!run(app(["openssl", "cms", @{$$_[0]} ] )));
  807. }
  808. };
  809. subtest "CAdES ko tests\n" => sub {
  810. plan tests => 2 * scalar @smime_cms_cades_ko_tests;
  811. foreach (@smime_cms_cades_ko_tests) {
  812. SKIP: {
  813. my $skip_reason = check_availability($$_[0]);
  814. skip $skip_reason, 1 if $skip_reason;
  815. 1 while unlink "cades-ko.txt";
  816. ok(run(app(["openssl", "cms", @{$$_[1]}])), $$_[0]);
  817. ok(!run(app(["openssl", "cms", @{$$_[3]}])), $$_[2]);
  818. }
  819. }
  820. };
  821. subtest "CMS binary input tests\n" => sub {
  822. my $input = srctop_file("test", "smcont.bin");
  823. my $signed = "smcont.signed";
  824. my $verified = "smcont.verified";
  825. plan tests => 11;
  826. ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1,
  827. "-binary", "-in", $input, "-out", $signed])),
  828. "sign binary input with -binary");
  829. ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot,
  830. "-binary", "-in", $signed, "-out", $verified])),
  831. "verify binary input with -binary");
  832. is(compare($input, $verified), 0, "binary input retained with -binary");
  833. ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1,
  834. "-in", $input, "-out", $signed.".nobin"])),
  835. "sign binary input without -binary");
  836. ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot,
  837. "-in", $signed.".nobin", "-out", $verified.".nobin"])),
  838. "verify binary input without -binary");
  839. is(compare($input, $verified.".nobin"), 1, "binary input not retained without -binary");
  840. ok(!run(app(["openssl", "cms", "-verify", "-CAfile", $smroot, "-crlfeol",
  841. "-binary", "-in", $signed, "-out", $verified.".crlfeol"])),
  842. "verify binary input wrong crlfeol");
  843. ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1,
  844. "-crlfeol",
  845. "-binary", "-in", $input, "-out", $signed.".crlf"])),
  846. "sign binary input with -binary -crlfeol");
  847. ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot, "-crlfeol",
  848. "-binary", "-in", $signed.".crlf", "-out", $verified.".crlf"])),
  849. "verify binary input with -binary -crlfeol");
  850. is(compare($input, $verified.".crlf"), 0,
  851. "binary input retained with -binary -crlfeol");
  852. ok(!run(app(["openssl", "cms", "-verify", "-CAfile", $smroot,
  853. "-binary", "-in", $signed.".crlf", "-out", $verified.".crlf2"])),
  854. "verify binary input with -binary missing -crlfeol");
  855. };
  856. subtest "CMS signed digest, DER format" => sub {
  857. plan tests => 2;
  858. # Pre-computed SHA256 digest of $smcont in hexadecimal form
  859. my $digest = "ff236ef61b396355f75a4cc6e1c306d4c309084ae271a9e2ad6888f10a101b32";
  860. my $sig_file = "signature.der";
  861. ok(run(app(["openssl", "cms", @prov, "-sign", "-digest", $digest,
  862. "-outform", "DER",
  863. "-certfile", catfile($smdir, "smroot.pem"),
  864. "-signer", catfile($smdir, "smrsa1.pem"),
  865. "-out", $sig_file])),
  866. "CMS sign pre-computed digest, DER format");
  867. ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
  868. "-inform", "DER",
  869. "-CAfile", catfile($smdir, "smroot.pem"),
  870. "-content", $smcont])),
  871. "Verify CMS signed digest, DER format");
  872. };
  873. subtest "CMS signed digest, S/MIME format" => sub {
  874. plan tests => 2;
  875. # Pre-computed SHA256 digest of $smcont in hexadecimal form
  876. my $digest = "ff236ef61b396355f75a4cc6e1c306d4c309084ae271a9e2ad6888f10a101b32";
  877. my $sig_file = "signature.smime";
  878. ok(run(app(["openssl", "cms", @prov, "-sign", "-digest", $digest,
  879. "-outform", "SMIME",
  880. "-certfile", catfile($smdir, "smroot.pem"),
  881. "-signer", catfile($smdir, "smrsa1.pem"),
  882. "-out", $sig_file])),
  883. "CMS sign pre-computed digest, S/MIME format");
  884. ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
  885. "-inform", "SMIME",
  886. "-CAfile", catfile($smdir, "smroot.pem"),
  887. "-content", $smcont])),
  888. "Verify CMS signed digest, S/MIME format");
  889. };
  890. subtest "CMS code signing test" => sub {
  891. plan tests => 7;
  892. my $sig_file = "signature.p7s";
  893. ok(run(app(["openssl", "cms", @prov, "-sign", "-in", $smcont,
  894. "-certfile", catfile($smdir, "smroot.pem"),
  895. "-signer", catfile($smdir, "smrsa1.pem"),
  896. "-out", $sig_file])),
  897. "accept perform CMS signature with smime certificate");
  898. ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
  899. "-CAfile", catfile($smdir, "smroot.pem"),
  900. "-content", $smcont])),
  901. "accept verify CMS signature with smime certificate");
  902. ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
  903. "-CAfile", catfile($smdir, "smroot.pem"),
  904. "-purpose", "codesign",
  905. "-content", $smcont])),
  906. "fail verify CMS signature with smime certificate for purpose code signing");
  907. ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
  908. "-CAfile", catfile($smdir, "smroot.pem"),
  909. "-purpose", "football",
  910. "-content", $smcont])),
  911. "fail verify CMS signature with invalid purpose argument");
  912. ok(run(app(["openssl", "cms", @prov, "-sign", "-in", $smcont,
  913. "-certfile", catfile($smdir, "smroot.pem"),
  914. "-signer", catfile($smdir, "csrsa1.pem"),
  915. "-out", $sig_file])),
  916. "accept perform CMS signature with code signing certificate");
  917. ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
  918. "-CAfile", catfile($smdir, "smroot.pem"),
  919. "-purpose", "codesign",
  920. "-content", $smcont])),
  921. "accept verify CMS signature with code signing certificate for purpose code signing");
  922. ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
  923. "-CAfile", catfile($smdir, "smroot.pem"),
  924. "-content", $smcont])),
  925. "fail verify CMS signature with code signing certificate for purpose smime_sign");
  926. };
  927. # Test case for missing MD algorithm (must not segfault)
  928. with({ exit_checker => sub { return shift == 4; } },
  929. sub {
  930. ok(run(app(['openssl', 'smime', '-verify', '-noverify',
  931. '-inform', 'PEM',
  932. '-in', data_file("pkcs7-md4.pem"),
  933. ])),
  934. "Check failure of EVP_DigestInit in PKCS7 signed is handled");
  935. ok(run(app(['openssl', 'smime', '-decrypt',
  936. '-inform', 'PEM',
  937. '-in', data_file("pkcs7-md4-encrypted.pem"),
  938. '-recip', srctop_file("test", "certs", "ee-cert.pem"),
  939. '-inkey', srctop_file("test", "certs", "ee-key.pem")
  940. ])),
  941. "Check failure of EVP_DigestInit in PKCS7 signedAndEnveloped is handled");
  942. });
  943. sub check_availability {
  944. my $tnam = shift;
  945. return "$tnam: skipped, EC disabled\n"
  946. if ($no_ec && $tnam =~ /ECDH/);
  947. return "$tnam: skipped, ECDH disabled\n"
  948. if ($no_ec && $tnam =~ /ECDH/);
  949. return "$tnam: skipped, EC2M disabled\n"
  950. if ($no_ec2m && $tnam =~ /K-283/);
  951. return "$tnam: skipped, DH disabled\n"
  952. if ($no_dh && $tnam =~ /X9\.42/);
  953. return "$tnam: skipped, RC2 disabled\n"
  954. if ($no_rc2 && $tnam =~ /RC2/);
  955. return "$tnam: skipped, DES disabled\n"
  956. if ($no_des && $tnam =~ /DES/);
  957. return "$tnam: skipped, DSA disabled\n"
  958. if ($no_dsa && $tnam =~ / DSA/);
  959. return "";
  960. }
  961. # Test case for the locking problem reported in #19643.
  962. # This will fail if the fix is in and deadlock on Windows (and possibly
  963. # other platforms) if not.
  964. ok(!run(app(['openssl', 'cms', '-verify',
  965. '-CAfile', srctop_file("test/certs", "pkitsta.pem"),
  966. '-policy', 'anyPolicy',
  967. '-in', srctop_file("test/smime-eml",
  968. "SignedInvalidMappingFromanyPolicyTest7.eml")
  969. ])),
  970. "issue#19643");
  971. # Check that we get the expected failure return code
  972. with({ exit_checker => sub { return shift == 6; } },
  973. sub {
  974. ok(run(app(['openssl', 'cms', '-encrypt',
  975. '-in', srctop_file("test", "smcont.txt"),
  976. '-aes128', '-stream', '-recip',
  977. srctop_file("test/smime-certs", "badrsa.pem"),
  978. ])),
  979. "Check failure during BIO setup with -stream is handled correctly");
  980. });
  981. # Test case for return value mis-check reported in #21986
  982. with({ exit_checker => sub { return shift == 3; } },
  983. sub {
  984. SKIP: {
  985. skip "DSA is not supported in this build", 1 if $no_dsa;
  986. ok(run(app(['openssl', 'cms', '-sign',
  987. '-in', srctop_file("test", "smcont.txt"),
  988. '-signer', srctop_file("test/smime-certs", "smdsa1.pem"),
  989. '-md', 'SHAKE256'])),
  990. "issue#21986");
  991. }
  992. });
  993. # Test for problem reported in #22225
  994. with({ exit_checker => sub { return shift == 3; } },
  995. sub {
  996. ok(run(app(['openssl', 'cms', '-encrypt',
  997. '-in', srctop_file("test", "smcont.txt"),
  998. '-aes-256-ctr', '-recip',
  999. catfile($smdir, "smec1.pem"),
  1000. ])),
  1001. "Check for failure when cipher does not have an assigned OID (issue#22225)");
  1002. });