algorithmid_test.c 10 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328
  1. /*
  2. * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <openssl/asn1.h>
  10. #include <openssl/pem.h>
  11. #include "internal/sizes.h"
  12. #include "crypto/evp.h"
  13. #include "testutil.h"
  14. /* Collected arguments */
  15. static const char *eecert_filename = NULL; /* For test_x509_file() */
  16. static const char *cacert_filename = NULL; /* For test_x509_file() */
  17. static const char *pubkey_filename = NULL; /* For test_spki_file() */
  18. #define ALGORITHMID_NAME "algorithm-id"
  19. static int test_spki_aid(X509_PUBKEY *pubkey, const char *filename)
  20. {
  21. const ASN1_OBJECT *oid;
  22. X509_ALGOR *alg = NULL;
  23. EVP_PKEY *pkey = NULL;
  24. EVP_KEYMGMT *keymgmt = NULL;
  25. void *keydata = NULL;
  26. char name[OSSL_MAX_NAME_SIZE] = "";
  27. unsigned char *algid_legacy = NULL;
  28. int algid_legacy_len = 0;
  29. static unsigned char algid_prov[OSSL_MAX_ALGORITHM_ID_SIZE];
  30. size_t algid_prov_len = 0;
  31. const OSSL_PARAM *gettable_params = NULL;
  32. OSSL_PARAM params[] = {
  33. OSSL_PARAM_octet_string(ALGORITHMID_NAME,
  34. &algid_prov, sizeof(algid_prov)),
  35. OSSL_PARAM_END
  36. };
  37. int ret = 0;
  38. if (!TEST_true(X509_PUBKEY_get0_param(NULL, NULL, NULL, &alg, pubkey))
  39. || !TEST_ptr(pkey = X509_PUBKEY_get0(pubkey)))
  40. goto end;
  41. if (!TEST_int_ge(algid_legacy_len = i2d_X509_ALGOR(alg, &algid_legacy), 0))
  42. goto end;
  43. X509_ALGOR_get0(&oid, NULL, NULL, alg);
  44. if (!TEST_int_gt(OBJ_obj2txt(name, sizeof(name), oid, 0), 0))
  45. goto end;
  46. /*
  47. * We use an internal functions to ensure we have a provided key.
  48. * Note that |keydata| should not be freed, as it's cached in |pkey|.
  49. * The |keymgmt|, however, should, as its reference count is incremented
  50. * in this function.
  51. */
  52. if ((keydata = evp_pkey_export_to_provider(pkey, NULL,
  53. &keymgmt, NULL)) == NULL) {
  54. TEST_info("The public key found in '%s' doesn't have provider support."
  55. " Skipping...",
  56. filename);
  57. ret = 1;
  58. goto end;
  59. }
  60. if (!TEST_true(EVP_KEYMGMT_is_a(keymgmt, name))) {
  61. TEST_info("The AlgorithmID key type (%s) for the public key found in"
  62. " '%s' doesn't match the key type of the extracted public"
  63. " key.",
  64. name, filename);
  65. ret = 1;
  66. goto end;
  67. }
  68. if (!TEST_ptr(gettable_params = EVP_KEYMGMT_gettable_params(keymgmt))
  69. || !TEST_ptr(OSSL_PARAM_locate_const(gettable_params, ALGORITHMID_NAME))) {
  70. TEST_info("The %s provider keymgmt appears to lack support for algorithm-id."
  71. " Skipping...",
  72. name);
  73. ret = 1;
  74. goto end;
  75. }
  76. algid_prov[0] = '\0';
  77. if (!TEST_true(evp_keymgmt_get_params(keymgmt, keydata, params)))
  78. goto end;
  79. algid_prov_len = params[0].return_size;
  80. /* We now have all the algorithm IDs we need, let's compare them */
  81. if (TEST_mem_eq(algid_legacy, algid_legacy_len,
  82. algid_prov, algid_prov_len))
  83. ret = 1;
  84. end:
  85. EVP_KEYMGMT_free(keymgmt);
  86. OPENSSL_free(algid_legacy);
  87. return ret;
  88. }
  89. static int test_x509_spki_aid(X509 *cert, const char *filename)
  90. {
  91. X509_PUBKEY *pubkey = X509_get_X509_PUBKEY(cert);
  92. return test_spki_aid(pubkey, filename);
  93. }
  94. static int test_x509_sig_aid(X509 *eecert, const char *ee_filename,
  95. X509 *cacert, const char *ca_filename)
  96. {
  97. const ASN1_OBJECT *sig_oid = NULL;
  98. const X509_ALGOR *alg = NULL;
  99. int sig_nid = NID_undef, dig_nid = NID_undef, pkey_nid = NID_undef;
  100. EVP_MD_CTX *mdctx = NULL;
  101. EVP_PKEY_CTX *pctx = NULL;
  102. EVP_PKEY *pkey = NULL;
  103. unsigned char *algid_legacy = NULL;
  104. int algid_legacy_len = 0;
  105. static unsigned char algid_prov[OSSL_MAX_ALGORITHM_ID_SIZE];
  106. size_t algid_prov_len = 0;
  107. const OSSL_PARAM *gettable_params = NULL;
  108. OSSL_PARAM params[] = {
  109. OSSL_PARAM_octet_string("algorithm-id",
  110. &algid_prov, sizeof(algid_prov)),
  111. OSSL_PARAM_END
  112. };
  113. int ret = 0;
  114. X509_get0_signature(NULL, &alg, eecert);
  115. X509_ALGOR_get0(&sig_oid, NULL, NULL, alg);
  116. if (!TEST_int_eq(X509_ALGOR_cmp(alg, X509_get0_tbs_sigalg(eecert)), 0))
  117. goto end;
  118. if (!TEST_int_ne(sig_nid = OBJ_obj2nid(sig_oid), NID_undef)
  119. || !TEST_true(OBJ_find_sigid_algs(sig_nid, &dig_nid, &pkey_nid))
  120. || !TEST_ptr(pkey = X509_get0_pubkey(cacert)))
  121. goto end;
  122. if (!TEST_true(EVP_PKEY_is_a(pkey, OBJ_nid2sn(pkey_nid)))) {
  123. TEST_info("The '%s' pubkey can't be used to verify the '%s' signature",
  124. ca_filename, ee_filename);
  125. TEST_info("Signature algorithm is %s (pkey type %s, hash type %s)",
  126. OBJ_nid2sn(sig_nid), OBJ_nid2sn(pkey_nid), OBJ_nid2sn(dig_nid));
  127. TEST_info("Pkey key type is %s", EVP_PKEY_get0_type_name(pkey));
  128. goto end;
  129. }
  130. if (!TEST_int_ge(algid_legacy_len = i2d_X509_ALGOR(alg, &algid_legacy), 0))
  131. goto end;
  132. if (!TEST_ptr(mdctx = EVP_MD_CTX_new())
  133. || !TEST_true(EVP_DigestVerifyInit_ex(mdctx, &pctx,
  134. OBJ_nid2sn(dig_nid),
  135. NULL, NULL, pkey, NULL))) {
  136. TEST_info("Couldn't initialize a DigestVerify operation with "
  137. "pkey type %s and hash type %s",
  138. OBJ_nid2sn(pkey_nid), OBJ_nid2sn(dig_nid));
  139. goto end;
  140. }
  141. if (!TEST_ptr(gettable_params = EVP_PKEY_CTX_gettable_params(pctx))
  142. || !TEST_ptr(OSSL_PARAM_locate_const(gettable_params, ALGORITHMID_NAME))) {
  143. TEST_info("The %s provider keymgmt appears to lack support for algorithm-id"
  144. " Skipping...",
  145. OBJ_nid2sn(pkey_nid));
  146. ret = 1;
  147. goto end;
  148. }
  149. algid_prov[0] = '\0';
  150. if (!TEST_true(EVP_PKEY_CTX_get_params(pctx, params)))
  151. goto end;
  152. algid_prov_len = params[0].return_size;
  153. /* We now have all the algorithm IDs we need, let's compare them */
  154. if (TEST_mem_eq(algid_legacy, algid_legacy_len,
  155. algid_prov, algid_prov_len))
  156. ret = 1;
  157. end:
  158. EVP_MD_CTX_free(mdctx);
  159. /* pctx is free by EVP_MD_CTX_free() */
  160. OPENSSL_free(algid_legacy);
  161. return ret;
  162. }
  163. static int test_spki_file(void)
  164. {
  165. X509_PUBKEY *pubkey = NULL;
  166. BIO *b = BIO_new_file(pubkey_filename, "r");
  167. int ret = 0;
  168. if (b == NULL) {
  169. TEST_error("Couldn't open '%s' for reading\n", pubkey_filename);
  170. TEST_openssl_errors();
  171. goto end;
  172. }
  173. if ((pubkey = PEM_read_bio_X509_PUBKEY(b, NULL, NULL, NULL)) == NULL) {
  174. TEST_error("'%s' doesn't appear to be a SubjectPublicKeyInfo in PEM format\n",
  175. pubkey_filename);
  176. TEST_openssl_errors();
  177. goto end;
  178. }
  179. ret = test_spki_aid(pubkey, pubkey_filename);
  180. end:
  181. BIO_free(b);
  182. X509_PUBKEY_free(pubkey);
  183. return ret;
  184. }
  185. static int test_x509_files(void)
  186. {
  187. X509 *eecert = NULL, *cacert = NULL;
  188. BIO *bee = NULL, *bca = NULL;
  189. int ret = 0;
  190. if ((bee = BIO_new_file(eecert_filename, "r")) == NULL) {
  191. TEST_error("Couldn't open '%s' for reading\n", eecert_filename);
  192. TEST_openssl_errors();
  193. goto end;
  194. }
  195. if ((bca = BIO_new_file(cacert_filename, "r")) == NULL) {
  196. TEST_error("Couldn't open '%s' for reading\n", cacert_filename);
  197. TEST_openssl_errors();
  198. goto end;
  199. }
  200. if ((eecert = PEM_read_bio_X509(bee, NULL, NULL, NULL)) == NULL) {
  201. TEST_error("'%s' doesn't appear to be a X.509 certificate in PEM format\n",
  202. eecert_filename);
  203. TEST_openssl_errors();
  204. goto end;
  205. }
  206. if ((cacert = PEM_read_bio_X509(bca, NULL, NULL, NULL)) == NULL) {
  207. TEST_error("'%s' doesn't appear to be a X.509 certificate in PEM format\n",
  208. cacert_filename);
  209. TEST_openssl_errors();
  210. goto end;
  211. }
  212. ret = test_x509_sig_aid(eecert, eecert_filename, cacert, cacert_filename)
  213. & test_x509_spki_aid(eecert, eecert_filename)
  214. & test_x509_spki_aid(cacert, cacert_filename);
  215. end:
  216. BIO_free(bee);
  217. BIO_free(bca);
  218. X509_free(eecert);
  219. X509_free(cacert);
  220. return ret;
  221. }
  222. typedef enum OPTION_choice {
  223. OPT_ERR = -1,
  224. OPT_EOF = 0,
  225. OPT_X509,
  226. OPT_SPKI,
  227. OPT_TEST_ENUM
  228. } OPTION_CHOICE;
  229. const OPTIONS *test_get_options(void)
  230. {
  231. static const OPTIONS test_options[] = {
  232. OPT_TEST_OPTIONS_WITH_EXTRA_USAGE("file...\n"),
  233. { "x509", OPT_X509, '-', "Test X.509 certificates. Requires two files" },
  234. { "spki", OPT_SPKI, '-', "Test public keys in SubjectPublicKeyInfo form. Requires one file" },
  235. { OPT_HELP_STR, 1, '-',
  236. "file...\tFile(s) to run tests on. All files must be PEM encoded.\n" },
  237. { NULL }
  238. };
  239. return test_options;
  240. }
  241. int setup_tests(void)
  242. {
  243. OPTION_CHOICE o;
  244. int n, x509 = 0, spki = 0, testcount = 0;
  245. while ((o = opt_next()) != OPT_EOF) {
  246. switch (o) {
  247. case OPT_X509:
  248. x509 = 1;
  249. break;
  250. case OPT_SPKI:
  251. spki = 1;
  252. break;
  253. case OPT_TEST_CASES:
  254. break;
  255. default:
  256. case OPT_ERR:
  257. return 0;
  258. }
  259. }
  260. /* |testcount| adds all the given test types together */
  261. testcount = x509 + spki;
  262. if (testcount < 1)
  263. BIO_printf(bio_err, "No test type given\n");
  264. else if (testcount > 1)
  265. BIO_printf(bio_err, "Only one test type may be given\n");
  266. if (testcount != 1)
  267. return 0;
  268. n = test_get_argument_count();
  269. if (spki && n == 1) {
  270. pubkey_filename = test_get_argument(0);
  271. } else if (x509 && n == 2) {
  272. eecert_filename = test_get_argument(0);
  273. cacert_filename = test_get_argument(1);
  274. }
  275. if (spki && pubkey_filename == NULL) {
  276. BIO_printf(bio_err, "Missing -spki argument\n");
  277. return 0;
  278. } else if (x509 && (eecert_filename == NULL || cacert_filename == NULL)) {
  279. BIO_printf(bio_err, "Missing -x509 argument(s)\n");
  280. return 0;
  281. }
  282. if (x509)
  283. ADD_TEST(test_x509_files);
  284. if (spki)
  285. ADD_TEST(test_spki_file);
  286. return 1;
  287. }