1
0

pem.test 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459
  1. #!/usr/bin/env bash
  2. # pem.test
  3. # Copyright wolfSSL 2023-2023
  4. tmp_file=./pem_test.$$
  5. tmp_der_file=./pem_test_out_der.$$
  6. tmp_pem_file=./pem_test_out_pem.$$
  7. PEM_EXE=./examples/pem/pem
  8. ASN1_EXE=./examples/asn1/asn1
  9. TEST_CNT=0
  10. TEST_PASS_CNT=0
  11. TEST_SKIP_CNT=0
  12. TEST_FAIL_CNT=0
  13. TEST_FAIL=
  14. TEST_CASES=()
  15. RUN_ALL="YES"
  16. CR=$'\n'
  17. ENC_STRING="encrypt"
  18. DER_TO_PEM_STRING="input is DER and output is PEM"
  19. # Cleanup temporaries created during testing.
  20. do_cleanup() {
  21. echo
  22. echo "in cleanup"
  23. if [ -e "$tmp_der_file" ]; then
  24. echo -e "removing existing temporary DER output file"
  25. rm "$tmp_der_file"
  26. fi
  27. if [ -e "$tmp_pem_file" ]; then
  28. echo -e "removing existing temporary PEM output file"
  29. rm "$tmp_pem_file"
  30. fi
  31. if [ -e "$tmp_file" ]; then
  32. echo -e "removing existing temporary output file"
  33. rm "$tmp_file"
  34. fi
  35. }
  36. # Called when a signal is trapped.
  37. do_trap() {
  38. echo
  39. echo "got trap"
  40. do_cleanup
  41. exit 1
  42. }
  43. # Trap keyboard interrupt and termination signal.
  44. trap do_trap INT TERM
  45. # Check the usage text for a string to determine feature support.
  46. #
  47. # @param [in] $1 String to search for,
  48. # @return 1 when string is found.
  49. # @return 0 otherwise.
  50. check_usage_string() {
  51. $PEM_EXE -? | grep "$1" >$tmp_file 2>&1
  52. if [ "$?" = "0" ]; then
  53. return 1
  54. fi
  55. return 0
  56. }
  57. # Check whether the test case is to be run.
  58. # When command line parameters given - only run those.
  59. #
  60. # @return 1 when test case is to be run.
  61. # @return 0 otherwise.
  62. check_run() {
  63. # When RUN_ALL set them all test cases are run.
  64. if [ "$RUN_ALL" != "" ]; then
  65. return 1
  66. else
  67. # Check if test case number in list.
  68. for T in "${TEST_CASE[@]}"; do
  69. if [ "$T" = "$TEST_CNT" ]; then
  70. return 1
  71. fi
  72. done
  73. return 0
  74. fi
  75. }
  76. # Setup for new test case.
  77. #
  78. # @param [in] $* Name of test case.
  79. test_setup() {
  80. TEST_CNT=$((TEST_CNT+1))
  81. TEST_DESC="$TEST_CNT: $*"
  82. FAILED=
  83. SKIP=
  84. if [ "$USAGE_STRING" != "" ]; then
  85. # Check usage output for string to see whether we have to skip test case
  86. # due to wolfSSL missing features.
  87. check_usage_string "$USAGE_STRING"
  88. if [ "$?" = "0" ] ; then
  89. echo
  90. echo "$TEST_DESC"
  91. echo "SKIPPED"
  92. SKIP="missing feature"
  93. fi
  94. USAGE_STRING=
  95. fi
  96. if [ "$SKIP" = "" ]; then
  97. # Check whether this test case is to be run.
  98. check_run
  99. if [ "$?" = "1" ]; then
  100. echo
  101. echo "$TEST_DESC"
  102. TEST_PASS_CNT=$((TEST_PASS_CNT+1))
  103. else
  104. SKIP="not requested"
  105. fi
  106. fi
  107. # Handle skipping
  108. if [ "$SKIP" != "" ]; then
  109. TEST_SKIP_CNT=$((TEST_SKIP_CNT+1))
  110. fi
  111. }
  112. # Handle when a test case failed.
  113. test_fail() {
  114. if [ "$SKIP" = "" -a "$FAILED" = "" ]; then
  115. TEST_PASS_CNT=$((TEST_PASS_CNT-1))
  116. TEST_FAIL_CNT=$((TEST_FAIL_CNT+1))
  117. TEST_FAIL="$TEST_FAIL$CR $TEST_DESC"
  118. FAILED=yes
  119. fi
  120. }
  121. # Use asn1 to check DER produced is valid.
  122. check_der() {
  123. $ASN1_EXE $tmp_der_file >$tmp_file 2>&1
  124. if [ "$?" != "0" ]; then
  125. echo
  126. echo " DER result bad"
  127. test_fail
  128. fi
  129. }
  130. # Convert PEM file to DER
  131. #
  132. # @param [in] $* Command line parameters to pem example.
  133. convert_to_der() {
  134. if [ "$SKIP" = "" -a "$FAILED" = "" ]; then
  135. echo " $PEM_EXE $* -out $tmp_pem_file"
  136. $PEM_EXE "$@" -out $tmp_der_file
  137. if [ "$?" != "0" ]; then
  138. echo " Failed to convert to DER"
  139. test_fail
  140. fi
  141. check_der
  142. fi
  143. }
  144. # Compare generated DER file to existing file.
  145. #
  146. # @param [in] $1 File to compare to.
  147. compare_der() {
  148. diff $tmp_der_file $1
  149. if [ "$?" != "0" ]; then
  150. echo " Created DER file different from expected"
  151. test_fail
  152. fi
  153. }
  154. # Convert DER file to PEM
  155. #
  156. # PEM_TYPE contains PEM header to encode.
  157. #
  158. # @param [in] $* Command line parameters to pem example.
  159. convert_to_pem() {
  160. if [ "$SKIP" = "" -a "$FAILED" = "" ]; then
  161. echo " $PEM_EXE --der -t \"$PEM_TYPE\" $* -out $tmp_pem_file"
  162. $PEM_EXE --der "$@" -t "$PEM_TYPE" -out $tmp_pem_file
  163. if [ "$?" != "0" ]; then
  164. test_fail
  165. fi
  166. fi
  167. }
  168. # Compare generated PEM file to existing file.
  169. compare_pem() {
  170. diff $tmp_pem_file $1 >$tmp_file 2>&1
  171. if [ "$?" != "0" ]; then
  172. cat $tmp_file
  173. echo
  174. echo " Created PEM file different from expected"
  175. test_fail
  176. fi
  177. }
  178. # Convert to and from PEM and DER and compare to file containing expected DER.
  179. #
  180. # @param [in] $1 Name of PEM file to read.
  181. # @param [in] $2 Name of DER file to compare to.
  182. # @param [in] $3 PEM type expected in PEM file and to place in created PEM
  183. # file.
  184. pem_der_exp() {
  185. if [ "$SKIP" = "" -a "$FAILED" = "" ]; then
  186. PEM_FILE=$1
  187. DER_FILE=$2
  188. PEM_TYPE="$3"
  189. # Convert PEM to DER
  190. convert_to_der -in $PEM_FILE
  191. if [ "$FAILED" = "" ]; then
  192. # On success, compare to DER file.
  193. compare_der $DER_FILE
  194. fi
  195. # Check if converting from DER to PEM is supported.
  196. check_usage_string $DER_TO_PEM_STRING
  197. if [ "$?" = "1" ]; then
  198. if [ "$FAILED" = "" ]; then
  199. # Convert expected DER file to PEM
  200. convert_to_pem -in $DER_FILE
  201. fi
  202. if [ "$FAILED" = "" ]; then
  203. # On success, compare to original PEM file.
  204. compare_pem $PEM_FILE
  205. fi
  206. fi
  207. fi
  208. }
  209. # Convert DER to encrypted PEM.
  210. #
  211. # @param [in] $@ Command line parameters to pem example when encrypting.
  212. der_pem_enc() {
  213. PEM_TYPE="ENCRYPTED PRIVATE KEY"
  214. convert_to_pem -in ./certs/server-key.der -p yassl123 "$@"
  215. convert_to_der -in $tmp_pem_file -p yassl123
  216. }
  217. ################################################################################
  218. # Check for pem example - can't test without it.
  219. if [ ! -x $PEM_EXE ]; then
  220. echo "PEM example not available, won't run"
  221. exit 77
  222. fi
  223. # Check for asn1 example - don't want to test without it.
  224. if [ ! -x $ASN1_EXE ]; then
  225. echo "ASN.1 example not available, won't run"
  226. exit 77
  227. fi
  228. # Check the available features compiled into pem example.
  229. echo "wolfSSL features:"
  230. check_usage_string $DER_TO_PEM_STRING
  231. if [ "$?" = "1" ]; then
  232. echo " Conversion from DER to PEM support compiled in."
  233. else
  234. echo " Conversion from DER to PEM support NOT compiled in."
  235. fi
  236. check_usage_string $ENC_STRING
  237. if [ "$?" = "1" ]; then
  238. echo " Encryption support compiled in."
  239. else
  240. echo " Encryption support NOT compiled in."
  241. fi
  242. echo
  243. # Command line parameters are test cases to run.
  244. while [ $# -gt 0 ]; do
  245. TEST_CASE[${#TEST_CASE[@]}]=$1
  246. RUN_ALL=
  247. shift 1
  248. done
  249. test_setup "Convert PEM certificate (first of many) to DER"
  250. convert_to_der -in ./certs/server-cert.pem
  251. test_setup "Convert PEM certificate (second of many) to DER"
  252. convert_to_der -in ./certs/server-cert.pem --offset 6000
  253. test_setup "RSA private key"
  254. pem_der_exp ./certs/server-key.pem \
  255. ./certs/server-key.der "RSA PRIVATE KEY"
  256. test_setup "RSA public key"
  257. pem_der_exp ./certs/server-keyPub.pem \
  258. ./certs/server-keyPub.der "RSA PUBLIC KEY"
  259. test_setup "DH parameters"
  260. pem_der_exp ./certs/dh3072.pem \
  261. ./certs/dh3072.der "DH PARAMETERS"
  262. test_setup "X9.42 parameters"
  263. pem_der_exp ./certs/x942dh2048.pem \
  264. ./certs/x942dh2048.der "X9.42 DH PARAMETERS"
  265. USAGE_STRING=" DSA PARAMETERS"
  266. test_setup "DSA parameters"
  267. pem_der_exp ./certs/dsaparams.pem \
  268. ./certs/dsaparams.der "DSA PARAMETERS"
  269. USAGE_STRING=" DSA PRIVATE KEY"
  270. test_setup "DSA private key"
  271. pem_der_exp ./certs/1024/dsa1024.pem \
  272. ./certs/1024/dsa1024.der "DSA PRIVATE KEY"
  273. USAGE_STRING=" EC PRIVATE KEY"
  274. test_setup "ECC private key"
  275. pem_der_exp ./certs/ecc-keyPkcs8.pem \
  276. ./certs/ecc-keyPkcs8.der "PRIVATE KEY"
  277. USAGE_STRING=" EC PRIVATE KEY"
  278. test_setup "EC PRIVATE KEY"
  279. pem_der_exp ./certs/ecc-privkey.pem \
  280. ./certs/ecc-privkey.der "EC PRIVATE KEY"
  281. USAGE_STRING=" EC PARAMETERS"
  282. test_setup "ECC parameters"
  283. pem_der_exp ./certs/ecc-params.pem \
  284. ./certs/ecc-params.der "EC PARAMETERS"
  285. test_setup "ECC public key"
  286. pem_der_exp ./certs/ecc-keyPub.pem \
  287. ./certs/ecc-keyPub.der "PUBLIC KEY"
  288. test_setup "Ed25519 public key"
  289. pem_der_exp ./certs/ed25519/client-ed25519-key.pem \
  290. ./certs/ed25519/client-ed25519-key.der 'PUBLIC KEY'
  291. test_setup "Ed25519 private key"
  292. pem_der_exp ./certs/ed25519/client-ed25519-priv.pem \
  293. ./certs/ed25519/client-ed25519-priv.der 'PRIVATE KEY'
  294. USAGE_STRING=" EDDSA PRIVATE KEY"
  295. test_setup "EdDSA private key"
  296. pem_der_exp ./certs/ed25519/eddsa-ed25519.pem \
  297. ./certs/ed25519/eddsa-ed25519.der 'EDDSA PRIVATE KEY'
  298. test_setup "Ed448 public key"
  299. pem_der_exp ./certs/ed448/client-ed448-key.pem \
  300. ./certs/ed448/client-ed448-key.der 'PUBLIC KEY'
  301. test_setup "Ed448 private key"
  302. pem_der_exp ./certs/ed448/client-ed448-priv.pem \
  303. ./certs/ed448/client-ed448-priv.der 'PRIVATE KEY'
  304. USAGE_STRING=" CERTIFICATE REQUEST"
  305. test_setup "Certificate Request"
  306. pem_der_exp ./certs/csr.dsa.pem \
  307. ./certs/csr.dsa.der 'CERTIFICATE REQUEST'
  308. USAGE_STRING=" X509 CRL"
  309. test_setup "X509 CRL"
  310. pem_der_exp ./certs/crl/caEccCrl.pem \
  311. ./certs/crl/caEccCrl.der 'X509 CRL'
  312. USAGE_STRING=$ENC_STRING
  313. test_setup "Encrypted Key with header"
  314. convert_to_der -in ./certs/server-keyEnc.pem -p yassl123 --padding
  315. USAGE_STRING=$ENC_STRING
  316. test_setup "Encrypted Key - PKCS#8"
  317. convert_to_der -in ./certs/server-keyPkcs8Enc.pem -p yassl123
  318. USAGE_STRING=$ENC_STRING
  319. test_setup "Encrypted Key - PKCS#8 (PKCS#12 PBE)"
  320. convert_to_der -in ./certs/server-keyPkcs8Enc12.pem -p yassl123
  321. USAGE_STRING="PBES1_MD5_DES"
  322. test_setup "Encrypted Key - PKCS#8 (PKCS#5 PBES1-MD5-DES)"
  323. convert_to_der -in ./certs/ecc-keyPkcs8Enc.pem -p yassl123
  324. USAGE_STRING=" DES3"
  325. test_setup "Encrypted Key - PKCS#8 (PKCS#5v2 PBE-SHA1-DES3)"
  326. convert_to_der -in ./certs/server-keyPkcs8Enc2.pem -p yassl123
  327. USAGE_STRING="AES-256-CBC"
  328. PEM_TYPE="ENCRYPTED PRIVATE KEY"
  329. test_setup "Encrypt Key - PKCS#8 (Default: PKCS#5 PBES2 AES-256-CBC)"
  330. der_pem_enc
  331. USAGE_STRING="AES-256-CBC"
  332. PEM_TYPE="ENCRYPTED PRIVATE KEY"
  333. test_setup "Encrypt Key - PKCS#8 - Large salt"
  334. der_pem_enc -s 16
  335. USAGE_STRING="AES-256-CBC"
  336. PEM_TYPE="ENCRYPTED PRIVATE KEY"
  337. test_setup "Encrypt Key - PKCS#8 - 10000 iterations (DER encoding check)"
  338. der_pem_enc -i 10000
  339. USAGE_STRING="AES-256-CBC"
  340. PEM_TYPE="ENCRYPTED PRIVATE KEY"
  341. test_setup "Encrypt Key - PKCS#8 - 100 iterations (DER encoding check)"
  342. der_pem_enc -i 100
  343. USAGE_STRING="AES-128-CBC"
  344. PEM_TYPE="ENCRYPTED PRIVATE KEY"
  345. test_setup "Encrypt Key - PKCS#8 (PKCS#5 PBES2 AES-128-CBC)"
  346. der_pem_enc --pbe-alg AES-128-CBC
  347. USAGE_STRING="DES"
  348. PEM_TYPE="ENCRYPTED PRIVATE KEY"
  349. test_setup "Encrypt Key - PKCS#8 (PKCS#5 PBES2 DES)"
  350. der_pem_enc --pbe-alg DES
  351. USAGE_STRING="DES3"
  352. PEM_TYPE="ENCRYPTED PRIVATE KEY"
  353. test_setup "Encrypt Key - PKCS#8 (PKCS#5 PBES2 DES3)"
  354. der_pem_enc --pbe-alg DES3
  355. USAGE_STRING="PBES1_MD5_DES"
  356. PEM_TYPE="ENCRYPTED PRIVATE KEY"
  357. test_setup "Encrypt Key - PKCS#8 (PKCS#5 PBES1-MD5-DES)"
  358. der_pem_enc --pbe PBES1_MD5_DES
  359. USAGE_STRING="PBES1_SHA1_DES"
  360. PEM_TYPE="ENCRYPTED PRIVATE KEY"
  361. test_setup "Encrypt Key - PKCS#8 (PKCS#5 PBES1-SHA1-DES)"
  362. der_pem_enc --pbe PBES1_SHA1_DES
  363. USAGE_STRING=" SHA1_RC4_128"
  364. PEM_TYPE="ENCRYPTED PRIVATE KEY"
  365. test_setup "Encrypt Key - PKCS#8 (PKCS#12 PBE-SHA1-RC4-128)"
  366. der_pem_enc --pbe-ver PKCS12 --pbe SHA1_RC4_128
  367. USAGE_STRING=" SHA1_DES3"
  368. PEM_TYPE="ENCRYPTED PRIVATE KEY"
  369. test_setup "Encrypt Key - PKCS#8 (PKCS#12 PBE-SHA1-DES3)"
  370. der_pem_enc --pbe-ver PKCS12 --pbe SHA1_DES3
  371. USAGE_STRING="SHA1_40RC2_CBC"
  372. PEM_TYPE="ENCRYPTED PRIVATE KEY"
  373. test_setup "Encrypt Key - PKCS#8 (PKCS#12 PBE-SHA1-40RC2-CBC)"
  374. der_pem_enc --pbe-ver PKCS12 --pbe SHA1_40RC2_CBC
  375. # Note: PKCS#12 with SHA1_DES doesn't work as we encode as PKCS#5 SHA1_DES as
  376. # ids are the same
  377. # Report results
  378. echo
  379. if [ "$TEST_SKIP_CNT" = "0" ]; then
  380. echo "RESULT: $TEST_PASS_CNT/$TEST_CNT (pass/total)"
  381. else
  382. echo "RESULT: $TEST_PASS_CNT/$TEST_SKIP_CNT/$TEST_CNT (pass/skip/total)"
  383. fi
  384. if [ "$TEST_FAIL_CNT" != "0" ]; then
  385. echo "FAILURES ($TEST_FAIL_CNT):$TEST_FAIL"
  386. else
  387. echo "PASSED"
  388. fi
  389. # Cleanup temporaries
  390. do_cleanup