diff options
Diffstat (limited to 'crypto/openssl/test/recipes')
16 files changed, 713 insertions, 15 deletions
diff --git a/crypto/openssl/test/recipes/03-test_fipsinstall.t b/crypto/openssl/test/recipes/03-test_fipsinstall.t index 1f9110ef600a..3dcbe67c6d55 100644 --- a/crypto/openssl/test/recipes/03-test_fipsinstall.t +++ b/crypto/openssl/test/recipes/03-test_fipsinstall.t @@ -63,7 +63,7 @@ my @commandline = ( 'x942kdf_key_check', 'x942kdf-key-check' ) ); -plan tests => 40 + (scalar @pedantic_okay) + (scalar @pedantic_fail) +plan tests => 41 + (scalar @pedantic_okay) + (scalar @pedantic_fail) + 4 * (scalar @commandline); my $infile = bldtop_file('providers', platform->dso('fips')); @@ -392,6 +392,16 @@ SKIP: { "fipsinstall fails when the ML-KEM decapsulate implicit failure result is corrupted"); } +# corrupt an Asymmetric cipher test +SKIP: { + skip "Skipping Asymmetric RSA corruption test because of no rsa in this build", 1 + if disabled("rsa") || disabled("fips-post"); + ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, + '-corrupt_desc', 'RSA_Encrypt', + '-corrupt_type', 'KAT_AsymmetricCipher'])), + "fipsinstall fails when the asymmetric cipher result is corrupted"); +} + # 'local' ensures that this change is only done in this file. local $ENV{OPENSSL_CONF_INCLUDE} = abs2rel(curdir()); diff --git a/crypto/openssl/test/recipes/15-test_ec.t b/crypto/openssl/test/recipes/15-test_ec.t index c953fad9f1ec..9bf946e81b4b 100644 --- a/crypto/openssl/test/recipes/15-test_ec.t +++ b/crypto/openssl/test/recipes/15-test_ec.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -18,7 +18,7 @@ setup("test_ec"); plan skip_all => 'EC is not supported in this build' if disabled('ec'); -plan tests => 15; +plan tests => 16; my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); @@ -33,6 +33,16 @@ subtest 'EC conversions -- private key' => sub { tconversion( -type => 'ec', -prefix => 'ec-priv', -in => srctop_file("test","testec-p256.pem") ); }; + +SKIP: { + skip "SM2 is not supported by this OpenSSL build", 1 + if disabled("sm2"); + subtest 'EC conversions -- private key' => sub { + tconversion( -type => 'ec', -prefix => 'sm2-priv', + -in => srctop_file("test","testec-sm2.pem") ); + }; +} + subtest 'EC conversions -- private key PKCS#8' => sub { tconversion( -type => 'ec', -prefix => 'ec-pkcs8', -in => srctop_file("test","testec-p256.pem"), diff --git a/crypto/openssl/test/recipes/20-test_cli_list.t b/crypto/openssl/test/recipes/20-test_cli_list.t new file mode 100644 index 000000000000..a039b20978e4 --- /dev/null +++ b/crypto/openssl/test/recipes/20-test_cli_list.t @@ -0,0 +1,25 @@ +#! /usr/bin/env perl +# Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use warnings; + +use OpenSSL::Test qw/:DEFAULT bldtop_file srctop_file bldtop_dir with/; +use OpenSSL::Test::Utils; + +setup("test_cli_list"); + +plan tests => 2; + +ok(run(app(["openssl", "list", "-skey-managers"], + stdout => "listout.txt")), +"List skey managers - default configuration"); +open DATA, "listout.txt"; +my @match = grep /secret key/, <DATA>; +close DATA; +ok(scalar @match > 1 ? 1 : 0, "Several skey managers are listed - default configuration"); diff --git a/crypto/openssl/test/recipes/25-test_verify.t b/crypto/openssl/test/recipes/25-test_verify.t index 271f499690bf..673c3d5f1772 100644 --- a/crypto/openssl/test/recipes/25-test_verify.t +++ b/crypto/openssl/test/recipes/25-test_verify.t @@ -602,9 +602,10 @@ ok(vfy_root("-CAfile", $rootcert), "CAfile"); ok(vfy_root("-CAstore", $rootcert), "CAstore"); ok(vfy_root("-CAstore", $rootcert, "-CAfile", $rootcert), "CAfile and existing CAstore"); ok(!vfy_root("-CAstore", "non-existing", "-CAfile", $rootcert), "CAfile and non-existing CAstore"); + SKIP: { - skip "file names with colons aren't supported on Windows and VMS", 2 - if $^O =~ /^(MsWin32|VMS)$/; + skip "file names with colons aren't supported on Windows and VMS", 1 + if $^O =~ /^(MSWin32|VMS)$/; my $foo_file = "foo:cert.pem"; copy($rootcert, $foo_file); ok(vfy_root("-CAstore", $foo_file), "CAstore foo:file"); diff --git a/crypto/openssl/test/recipes/30-test_evp_data/evpkdf_krb5.txt b/crypto/openssl/test/recipes/30-test_evp_data/evpkdf_krb5.txt index d8f6aa72a175..e2de4754fa74 100644 --- a/crypto/openssl/test/recipes/30-test_evp_data/evpkdf_krb5.txt +++ b/crypto/openssl/test/recipes/30-test_evp_data/evpkdf_krb5.txt @@ -1,5 +1,5 @@ # -# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2025 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -129,3 +129,11 @@ Ctrl.cipher = cipher:DES-EDE3-CBC Ctrl.hexkey = hexkey:dce06b1f64c857a11c3db57c51899b2cc1791008ce973b92 Ctrl.hexconstant = hexconstant:0000000155 Output = 935079d14490a75c3093c4a6e8c3b049c71e6ee705 + +#Erroneous key size for the cipher as XTS has double key size +KDF = KRB5KDF +Ctrl.cipher = cipher:AES-256-XTS +Ctrl.hexkey = hexkey:FE697B52BC0D3CE14432BA036A92E65BBB52280990A2FA27883998D72AF30161 +Ctrl.hexconstant = hexconstant:0000000255 +Output = 97151B4C76945063E2EB0529DC067D97D7BBA90776D8126D91F34F3101AEA8BA +Result = KDF_DERIVE_ERROR diff --git a/crypto/openssl/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/crypto/openssl/test/recipes/30-test_evp_data/evppkey_ecdsa.txt index 54b143beada4..07dc4b429819 100644 --- a/crypto/openssl/test/recipes/30-test_evp_data/evppkey_ecdsa.txt +++ b/crypto/openssl/test/recipes/30-test_evp_data/evppkey_ecdsa.txt @@ -1,5 +1,5 @@ # -# Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2025 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -261,6 +261,15 @@ Ctrl = digest:SHA1 Input = "0123456789ABCDEF1234" Result = KEYOP_MISMATCH +FIPSversion = >=3.6.0 +Sign = P-256 +Securitycheck = 1 +Unapproved = 1 +CtrlInit = digest-check:0 +Ctrl = digest:SHA512-224 +Input = "0123456789ABCDEF1234" +Result = KEYOP_ERROR + Title = XOF disallowed DigestVerify = SHAKE256 diff --git a/crypto/openssl/test/recipes/30-test_evp_data/evppkey_rsa_sigalg.txt b/crypto/openssl/test/recipes/30-test_evp_data/evppkey_rsa_sigalg.txt index 5083cc2bde24..f258700670ab 100644 --- a/crypto/openssl/test/recipes/30-test_evp_data/evppkey_rsa_sigalg.txt +++ b/crypto/openssl/test/recipes/30-test_evp_data/evppkey_rsa_sigalg.txt @@ -1,5 +1,5 @@ # -# Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2025 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -186,4 +186,4 @@ Output = 6a7fc08e9999fc9d50cda476e973a01a06efeb52eece1c78cb1422950476cbff67408c6 Availablein = default Sign-Message = RSA-SM3:RSA-2048 Input = "Hello World" -Output = 92657e22036214c343d8e95d129c0c47430d5a1ae452371a7847a963f533f96e018aa6658958e6a584cf0d380aa9435175cf2de3dfa60100aca893b76aa6d8f0cc9154ee982cb5ea8f19153fe8a9c801aa2da8bb4451c7ec6fd836e81ecdacf022b68294db068efa47decf3a7c548ea7088a16433029b8733b9573053b7e7122ea10b662726fc97bd149c663617434a9707b672b024f95865d91077edfb79c8ed4c8528032204c46c984a6c82b17794cbf9c4dfe4c1af1d59535f7755540ff36d6a2b55accbf046896c4aae9287a33f38c2a269a02abdac46c17b1b55ee89cc9eb3011a84916596f982c5375dd2110633be6dc43532919466d83bd0f3e406978 +Output = b74e03c18050807541bde949aa0ac91d43fb9730f0b529d5100d5776f4f446d0ca0f0992359dc5f89386ed45bc3bf52cac1f75fbcc088fc2ea77624fd962569d2d317e90886dec424fb6757c4eba1e881ddf4f7942e8003b54e05cc974558dea171ce23a2fc158f71a5621c9a2c3ce45c9af4c706d3f60efe0c0f087a6ec504f771b08e2a1d78e0316c74706c678869bf121d5da00e2e8c8dc1cd273315b4ad8ab9962c62f81cebc5fb393b7f8860ee68545578413feada82b1c2bbfabfa157e298f0354bffc1cc6aa68f058a5d34b6b70ffacd3532c6b2c6a0de059bf605edf392ac8adbf1769555a0a50b2b13c63cae98a461498fae7f0d1729b710f05f39e diff --git a/crypto/openssl/test/recipes/80-test_cms.t b/crypto/openssl/test/recipes/80-test_cms.t index 5c967c581835..4031dbec77f5 100644 --- a/crypto/openssl/test/recipes/80-test_cms.t +++ b/crypto/openssl/test/recipes/80-test_cms.t @@ -89,6 +89,15 @@ my @smime_pkcs7_tests = ( \&final_compare ], + [ "signed text content DER format, RSA key", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", + "-certfile", $smroot, "-signer", $smrsa1, "-text", + "-out", "{output}.cms" ], + [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", + "-text", "-CAfile", $smroot, "-out", "{output}.txt" ], + \&final_compare + ], + [ "signed detached content DER format, RSA key", [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-signer", $smrsa1, "-out", "{output}.cms" ], @@ -222,6 +231,14 @@ my @smime_pkcs7_tests = ( \&final_compare ], + [ "enveloped text content streaming S/MIME format, DES, 1 recipient", + [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, + "-stream", "-text", "-out", "{output}.cms", $smrsa1 ], + [ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1, + "-in", "{output}.cms", "-text", "-out", "{output}.txt" ], + \&final_compare + ], + [ "enveloped content test streaming S/MIME format, DES, 3 recipients, 3rd used", [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, "-stream", "-out", "{output}.cms", diff --git a/crypto/openssl/test/recipes/90-test_sslapi.t b/crypto/openssl/test/recipes/90-test_sslapi.t index 650e0d1ffb16..70c2c24d8661 100644 --- a/crypto/openssl/test/recipes/90-test_sslapi.t +++ b/crypto/openssl/test/recipes/90-test_sslapi.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -45,7 +45,10 @@ ok(run(test(["sslapitest", srctop_dir("test", "certs"), srctop_file("test", "recipes", "90-test_sslapi_data", - "dhparams.pem")])), + "dhparams.pem"), + srctop_dir("test", + "recipes", + "90-test_sslapi_data")])), "running sslapitest"); SKIP: { @@ -62,7 +65,10 @@ SKIP: { srctop_file("test", "recipes", "90-test_sslapi_data", - "dhparams.pem")])), + "dhparams.pem"), + srctop_dir("test", + "recipes", + "90-test_sslapi_data")])), "running sslapitest with default fips config"); run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]), @@ -140,7 +146,10 @@ SKIP: { srctop_file("test", "recipes", "90-test_sslapi_data", - "dhparams.pem")])), + "dhparams.pem"), + srctop_dir("test", + "recipes", + "90-test_sslapi_data")])), "running sslapitest with modified fips config"); } diff --git a/crypto/openssl/test/recipes/90-test_sslapi_data/ssltraceref-zlib.txt b/crypto/openssl/test/recipes/90-test_sslapi_data/ssltraceref-zlib.txt new file mode 100644 index 000000000000..05aed8299b0e --- /dev/null +++ b/crypto/openssl/test/recipes/90-test_sslapi_data/ssltraceref-zlib.txt @@ -0,0 +1,255 @@ +Sent TLS Record +Header: + Version = TLS 1.0 (0x301) + Content Type = Handshake (22) + Length = ? + ClientHello, Length=? + client_version=0x303 (TLS 1.2) + Random: + gmt_unix_time=0x? + random_bytes (len=28): ? + session_id (len=? + cipher_suites (len=2) + {0x13, 0x01} TLS_AES_128_GCM_SHA256 + compression_methods (len=1) + No Compression (0x00) + extensions, length = ? + extension_type=ec_point_formats(11), length=4 + uncompressed (0) + ansiX962_compressed_prime (1) + ansiX962_compressed_char2 (2) + extension_type=supported_groups(10), length=20 + MLKEM512 (512) + MLKEM768 (513) + MLKEM1024 (514) + X25519MLKEM768 (4588) + SecP256r1MLKEM768 (4587) + SecP384r1MLKEM1024 (4589) + secp521r1 (P-521) (25) + secp384r1 (P-384) (24) + secp256r1 (P-256) (23) + extension_type=session_ticket(35), length=0 + extension_type=encrypt_then_mac(22), length=0 + extension_type=extended_master_secret(23), length=0 + extension_type=signature_algorithms(13), length=? + mldsa65 (0x0905) + mldsa87 (0x0906) + mldsa44 (0x0904) + ecdsa_secp256r1_sha256 (0x0403) + ecdsa_secp384r1_sha384 (0x0503) + ecdsa_secp521r1_sha512 (0x0603) + ed25519 (0x0807) + ed448 (0x0808) + ecdsa_brainpoolP256r1tls13_sha256 (0x081a) + ecdsa_brainpoolP384r1tls13_sha384 (0x081b) + ecdsa_brainpoolP512r1tls13_sha512 (0x081c) + rsa_pss_pss_sha256 (0x0809) + rsa_pss_pss_sha384 (0x080a) + rsa_pss_pss_sha512 (0x080b) + rsa_pss_rsae_sha256 (0x0804) + rsa_pss_rsae_sha384 (0x0805) + rsa_pss_rsae_sha512 (0x0806) + rsa_pkcs1_sha256 (0x0401) + rsa_pkcs1_sha384 (0x0501) + rsa_pkcs1_sha512 (0x0601) + extension_type=supported_versions(43), length=3 + TLS 1.3 (772) + extension_type=psk_key_exchange_modes(45), length=2 + psk_dhe_ke (1) + extension_type=key_share(51), length=806 + NamedGroup: MLKEM512 (512) + key_exchange: (len=800): ? + extension_type=compress_certificate(27), length=3 + zlib (1) + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = Handshake (22) + Length = 858 + ServerHello, Length=854 + server_version=0x303 (TLS 1.2) + Random: + gmt_unix_time=0x? + random_bytes (len=28): ? + session_id (len=? + cipher_suite {0x13, 0x01} TLS_AES_128_GCM_SHA256 + compression_method: No Compression (0x00) + extensions, length = ? + extension_type=supported_versions(43), length=2 + TLS 1.3 (772) + extension_type=key_share(51), length=772 + NamedGroup: MLKEM512 (512) + key_exchange: (len=768): ? + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ChangeCipherSpec (20) + Length = 1 + change_cipher_spec (1) + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 23 + Inner Content Type = Handshake (22) + EncryptedExtensions, Length=2 + No extensions + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 839 + Inner Content Type = Handshake (22) + Certificate, Length=818 + context (len=0): + certificate_list, length=814 + ASN.1Cert, length=809 +------details----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Root CA + Validity + Not Before: Jan 14 22:29:46 2016 GMT + Not After : Jan 15 22:29:46 2116 GMT + Subject: CN = server.example + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d5:5d:60:6a:df:fc:61:ee:48:aa:8c:11:48:43: + a5:6d:b6:52:5d:aa:98:49:b1:61:92:35:b1:fc:3a: + 04:25:0c:6d:79:ff:b4:d5:c9:e9:5c:1c:3b:e0:ab: + b3:b8:7d:a3:de:6d:bd:e0:dd:d7:5a:bf:14:47:11: + 42:5e:a6:82:d0:61:c1:7f:dd:13:46:e6:09:85:07: + 0e:f2:d4:fc:1a:64:d2:0a:ad:20:ab:20:6b:96:f0: + ad:cc:c4:19:53:55:dc:01:1d:a4:b3:ef:8a:b4:49: + 53:5d:8a:05:1c:f1:dc:e1:44:bf:c5:d7:e2:77:19: + 57:5c:97:0b:75:ee:88:43:71:0f:ca:6c:c1:b4:b2: + 50:a7:77:46:6c:58:0f:11:bf:f1:76:24:5a:ae:39: + 42:b7:51:67:29:e1:d0:55:30:6f:17:e4:91:ea:ad: + f8:28:c2:43:6f:a2:64:a9:fb:9d:98:92:62:48:3e: + eb:0d:4f:82:4a:8a:ff:3f:72:ee:96:b5:ae:a1:c1: + 98:ba:ef:7d:90:75:6d:ff:5a:52:9e:ab:f5:c0:7e: + d0:87:43:db:85:07:07:0f:7d:38:7a:fd:d1:d3:ee: + 65:1d:d3:ea:39:6a:87:37:ee:4a:d3:e0:0d:6e:f5: + 70:ac:c2:bd:f1:6e:f3:92:95:5e:a9:f0:a1:65:95: + 93:8d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + C0:E7:84:BF:E8:59:27:33:10:B0:52:4F:51:52:2F:06:D6:C0:7A:CD + X509v3 Authority Key Identifier: + 70:7F:2E:AE:83:68:59:98:04:23:2A:CD:EB:3E:17:CD:24:DD:01:49 + X509v3 Basic Constraints: + CA:FALSE + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Subject Alternative Name: + DNS:server.example + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 7b:d3:04:43:75:8a:0f:11:ae:c4:fb:d7:a1:a2:9e:fe:20:18: + d5:f4:2f:31:88:46:b6:75:8c:ee:e5:9b:97:a6:b9:a3:cd:60: + 9a:46:c3:48:97:e5:97:68:f7:5a:86:35:73:d9:69:9e:f9:5f: + 74:b9:e6:94:13:01:cb:6a:dc:e3:c4:04:e9:65:da:9c:a4:8b: + 28:f3:f9:9a:7f:bf:97:1f:45:92:e5:05:b1:56:e6:0b:f6:47: + de:1e:89:b6:2b:e1:4d:df:4a:7e:01:d3:23:dc:97:8c:47:fe: + 5f:c7:cc:98:46:0e:c4:83:5b:ca:8a:f1:52:09:be:6b:ec:3f: + 09:8b:d0:93:02:bf:e1:51:e7:d1:7e:34:56:19:74:d0:ff:28: + 25:de:b7:9f:56:52:91:7d:20:29:85:0a:80:44:5f:71:32:25: + 71:0f:c2:16:e2:5f:6b:1d:3f:32:5b:0a:3c:74:1c:b9:62:f1: + ed:07:50:a3:6d:b4:b4:31:0a:c0:53:44:6a:3a:88:84:8b:2d: + a9:b0:37:8e:e6:18:36:bd:9a:20:40:0f:01:92:8b:3d:aa:61: + e7:ae:2c:ed:36:cd:3a:07:86:74:3a:29:b3:d7:3a:b4:00:a9: + c2:f5:92:78:0e:e2:0f:a3:fe:bb:be:e0:06:53:84:59:1d:90: + 69:e5:b6:f9 +-----BEGIN CERTIFICATE----- +MIIDJTCCAg2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDExNDIyMjk0NloYDzIxMTYwMTE1MjIyOTQ2WjAZMRcwFQYDVQQD +DA5zZXJ2ZXIuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ANVdYGrf/GHuSKqMEUhDpW22Ul2qmEmxYZI1sfw6BCUMbXn/tNXJ6VwcO+Crs7h9 +o95tveDd11q/FEcRQl6mgtBhwX/dE0bmCYUHDvLU/Bpk0gqtIKsga5bwrczEGVNV +3AEdpLPvirRJU12KBRzx3OFEv8XX4ncZV1yXC3XuiENxD8pswbSyUKd3RmxYDxG/ +8XYkWq45QrdRZynh0FUwbxfkkeqt+CjCQ2+iZKn7nZiSYkg+6w1PgkqK/z9y7pa1 +rqHBmLrvfZB1bf9aUp6r9cB+0IdD24UHBw99OHr90dPuZR3T6jlqhzfuStPgDW71 +cKzCvfFu85KVXqnwoWWVk40CAwEAAaN9MHswHQYDVR0OBBYEFMDnhL/oWSczELBS +T1FSLwbWwHrNMB8GA1UdIwQYMBaAFHB/Lq6DaFmYBCMqzes+F80k3QFJMAkGA1Ud +EwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4 +YW1wbGUwDQYJKoZIhvcNAQELBQADggEBAHvTBEN1ig8RrsT716Ginv4gGNX0LzGI +RrZ1jO7lm5emuaPNYJpGw0iX5Zdo91qGNXPZaZ75X3S55pQTActq3OPEBOll2pyk +iyjz+Zp/v5cfRZLlBbFW5gv2R94eibYr4U3fSn4B0yPcl4xH/l/HzJhGDsSDW8qK +8VIJvmvsPwmL0JMCv+FR59F+NFYZdND/KCXet59WUpF9ICmFCoBEX3EyJXEPwhbi +X2sdPzJbCjx0HLli8e0HUKNttLQxCsBTRGo6iISLLamwN47mGDa9miBADwGSiz2q +YeeuLO02zToHhnQ6KbPXOrQAqcL1kngO4g+j/ru+4AZThFkdkGnltvk= +-----END CERTIFICATE----- +------------------ + No extensions + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 281 + Inner Content Type = Handshake (22) + CertificateVerify, Length=260 + Signature Algorithm: rsa_pss_rsae_sha256 (0x0804) + Signature (len=256): ? + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 53 + Inner Content Type = Handshake (22) + Finished, Length=32 + verify_data (len=32): ? + +Sent TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ChangeCipherSpec (20) + Length = 1 + change_cipher_spec (1) + +Sent TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 53 + Inner Content Type = Handshake (22) + Finished, Length=32 + verify_data (len=32): ? + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 234 + Inner Content Type = Handshake (22) + NewSessionTicket, Length=213 + ticket_lifetime_hint=7200 + ticket_age_add=? + ticket_nonce (len=8): ? + ticket (len=192): ? + No extensions + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 234 + Inner Content Type = Handshake (22) + NewSessionTicket, Length=213 + ticket_lifetime_hint=7200 + ticket_age_add=? + ticket_nonce (len=8): ? + ticket (len=192): ? + No extensions + diff --git a/crypto/openssl/test/recipes/90-test_sslapi_data/ssltraceref.txt b/crypto/openssl/test/recipes/90-test_sslapi_data/ssltraceref.txt new file mode 100644 index 000000000000..5d332da235fb --- /dev/null +++ b/crypto/openssl/test/recipes/90-test_sslapi_data/ssltraceref.txt @@ -0,0 +1,253 @@ +Sent TLS Record +Header: + Version = TLS 1.0 (0x301) + Content Type = Handshake (22) + Length = ? + ClientHello, Length=? + client_version=0x303 (TLS 1.2) + Random: + gmt_unix_time=0x? + random_bytes (len=28): ? + session_id (len=? + cipher_suites (len=2) + {0x13, 0x01} TLS_AES_128_GCM_SHA256 + compression_methods (len=1) + No Compression (0x00) + extensions, length = ? + extension_type=ec_point_formats(11), length=4 + uncompressed (0) + ansiX962_compressed_prime (1) + ansiX962_compressed_char2 (2) + extension_type=supported_groups(10), length=20 + MLKEM512 (512) + MLKEM768 (513) + MLKEM1024 (514) + X25519MLKEM768 (4588) + SecP256r1MLKEM768 (4587) + SecP384r1MLKEM1024 (4589) + secp521r1 (P-521) (25) + secp384r1 (P-384) (24) + secp256r1 (P-256) (23) + extension_type=session_ticket(35), length=0 + extension_type=encrypt_then_mac(22), length=0 + extension_type=extended_master_secret(23), length=0 + extension_type=signature_algorithms(13), length=? + mldsa65 (0x0905) + mldsa87 (0x0906) + mldsa44 (0x0904) + ecdsa_secp256r1_sha256 (0x0403) + ecdsa_secp384r1_sha384 (0x0503) + ecdsa_secp521r1_sha512 (0x0603) + ed25519 (0x0807) + ed448 (0x0808) + ecdsa_brainpoolP256r1tls13_sha256 (0x081a) + ecdsa_brainpoolP384r1tls13_sha384 (0x081b) + ecdsa_brainpoolP512r1tls13_sha512 (0x081c) + rsa_pss_pss_sha256 (0x0809) + rsa_pss_pss_sha384 (0x080a) + rsa_pss_pss_sha512 (0x080b) + rsa_pss_rsae_sha256 (0x0804) + rsa_pss_rsae_sha384 (0x0805) + rsa_pss_rsae_sha512 (0x0806) + rsa_pkcs1_sha256 (0x0401) + rsa_pkcs1_sha384 (0x0501) + rsa_pkcs1_sha512 (0x0601) + extension_type=supported_versions(43), length=3 + TLS 1.3 (772) + extension_type=psk_key_exchange_modes(45), length=2 + psk_dhe_ke (1) + extension_type=key_share(51), length=806 + NamedGroup: MLKEM512 (512) + key_exchange: (len=800): ? + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = Handshake (22) + Length = 858 + ServerHello, Length=854 + server_version=0x303 (TLS 1.2) + Random: + gmt_unix_time=0x? + random_bytes (len=28): ? + session_id (len=? + cipher_suite {0x13, 0x01} TLS_AES_128_GCM_SHA256 + compression_method: No Compression (0x00) + extensions, length = ? + extension_type=supported_versions(43), length=2 + TLS 1.3 (772) + extension_type=key_share(51), length=772 + NamedGroup: MLKEM512 (512) + key_exchange: (len=768): ? + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ChangeCipherSpec (20) + Length = 1 + change_cipher_spec (1) + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 23 + Inner Content Type = Handshake (22) + EncryptedExtensions, Length=2 + No extensions + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 839 + Inner Content Type = Handshake (22) + Certificate, Length=818 + context (len=0): + certificate_list, length=814 + ASN.1Cert, length=809 +------details----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Root CA + Validity + Not Before: Jan 14 22:29:46 2016 GMT + Not After : Jan 15 22:29:46 2116 GMT + Subject: CN = server.example + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d5:5d:60:6a:df:fc:61:ee:48:aa:8c:11:48:43: + a5:6d:b6:52:5d:aa:98:49:b1:61:92:35:b1:fc:3a: + 04:25:0c:6d:79:ff:b4:d5:c9:e9:5c:1c:3b:e0:ab: + b3:b8:7d:a3:de:6d:bd:e0:dd:d7:5a:bf:14:47:11: + 42:5e:a6:82:d0:61:c1:7f:dd:13:46:e6:09:85:07: + 0e:f2:d4:fc:1a:64:d2:0a:ad:20:ab:20:6b:96:f0: + ad:cc:c4:19:53:55:dc:01:1d:a4:b3:ef:8a:b4:49: + 53:5d:8a:05:1c:f1:dc:e1:44:bf:c5:d7:e2:77:19: + 57:5c:97:0b:75:ee:88:43:71:0f:ca:6c:c1:b4:b2: + 50:a7:77:46:6c:58:0f:11:bf:f1:76:24:5a:ae:39: + 42:b7:51:67:29:e1:d0:55:30:6f:17:e4:91:ea:ad: + f8:28:c2:43:6f:a2:64:a9:fb:9d:98:92:62:48:3e: + eb:0d:4f:82:4a:8a:ff:3f:72:ee:96:b5:ae:a1:c1: + 98:ba:ef:7d:90:75:6d:ff:5a:52:9e:ab:f5:c0:7e: + d0:87:43:db:85:07:07:0f:7d:38:7a:fd:d1:d3:ee: + 65:1d:d3:ea:39:6a:87:37:ee:4a:d3:e0:0d:6e:f5: + 70:ac:c2:bd:f1:6e:f3:92:95:5e:a9:f0:a1:65:95: + 93:8d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + C0:E7:84:BF:E8:59:27:33:10:B0:52:4F:51:52:2F:06:D6:C0:7A:CD + X509v3 Authority Key Identifier: + 70:7F:2E:AE:83:68:59:98:04:23:2A:CD:EB:3E:17:CD:24:DD:01:49 + X509v3 Basic Constraints: + CA:FALSE + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Subject Alternative Name: + DNS:server.example + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 7b:d3:04:43:75:8a:0f:11:ae:c4:fb:d7:a1:a2:9e:fe:20:18: + d5:f4:2f:31:88:46:b6:75:8c:ee:e5:9b:97:a6:b9:a3:cd:60: + 9a:46:c3:48:97:e5:97:68:f7:5a:86:35:73:d9:69:9e:f9:5f: + 74:b9:e6:94:13:01:cb:6a:dc:e3:c4:04:e9:65:da:9c:a4:8b: + 28:f3:f9:9a:7f:bf:97:1f:45:92:e5:05:b1:56:e6:0b:f6:47: + de:1e:89:b6:2b:e1:4d:df:4a:7e:01:d3:23:dc:97:8c:47:fe: + 5f:c7:cc:98:46:0e:c4:83:5b:ca:8a:f1:52:09:be:6b:ec:3f: + 09:8b:d0:93:02:bf:e1:51:e7:d1:7e:34:56:19:74:d0:ff:28: + 25:de:b7:9f:56:52:91:7d:20:29:85:0a:80:44:5f:71:32:25: + 71:0f:c2:16:e2:5f:6b:1d:3f:32:5b:0a:3c:74:1c:b9:62:f1: + ed:07:50:a3:6d:b4:b4:31:0a:c0:53:44:6a:3a:88:84:8b:2d: + a9:b0:37:8e:e6:18:36:bd:9a:20:40:0f:01:92:8b:3d:aa:61: + e7:ae:2c:ed:36:cd:3a:07:86:74:3a:29:b3:d7:3a:b4:00:a9: + c2:f5:92:78:0e:e2:0f:a3:fe:bb:be:e0:06:53:84:59:1d:90: + 69:e5:b6:f9 +-----BEGIN CERTIFICATE----- +MIIDJTCCAg2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDExNDIyMjk0NloYDzIxMTYwMTE1MjIyOTQ2WjAZMRcwFQYDVQQD +DA5zZXJ2ZXIuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ANVdYGrf/GHuSKqMEUhDpW22Ul2qmEmxYZI1sfw6BCUMbXn/tNXJ6VwcO+Crs7h9 +o95tveDd11q/FEcRQl6mgtBhwX/dE0bmCYUHDvLU/Bpk0gqtIKsga5bwrczEGVNV +3AEdpLPvirRJU12KBRzx3OFEv8XX4ncZV1yXC3XuiENxD8pswbSyUKd3RmxYDxG/ +8XYkWq45QrdRZynh0FUwbxfkkeqt+CjCQ2+iZKn7nZiSYkg+6w1PgkqK/z9y7pa1 +rqHBmLrvfZB1bf9aUp6r9cB+0IdD24UHBw99OHr90dPuZR3T6jlqhzfuStPgDW71 +cKzCvfFu85KVXqnwoWWVk40CAwEAAaN9MHswHQYDVR0OBBYEFMDnhL/oWSczELBS +T1FSLwbWwHrNMB8GA1UdIwQYMBaAFHB/Lq6DaFmYBCMqzes+F80k3QFJMAkGA1Ud +EwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4 +YW1wbGUwDQYJKoZIhvcNAQELBQADggEBAHvTBEN1ig8RrsT716Ginv4gGNX0LzGI +RrZ1jO7lm5emuaPNYJpGw0iX5Zdo91qGNXPZaZ75X3S55pQTActq3OPEBOll2pyk +iyjz+Zp/v5cfRZLlBbFW5gv2R94eibYr4U3fSn4B0yPcl4xH/l/HzJhGDsSDW8qK +8VIJvmvsPwmL0JMCv+FR59F+NFYZdND/KCXet59WUpF9ICmFCoBEX3EyJXEPwhbi +X2sdPzJbCjx0HLli8e0HUKNttLQxCsBTRGo6iISLLamwN47mGDa9miBADwGSiz2q +YeeuLO02zToHhnQ6KbPXOrQAqcL1kngO4g+j/ru+4AZThFkdkGnltvk= +-----END CERTIFICATE----- +------------------ + No extensions + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 281 + Inner Content Type = Handshake (22) + CertificateVerify, Length=260 + Signature Algorithm: rsa_pss_rsae_sha256 (0x0804) + Signature (len=256): ? + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 53 + Inner Content Type = Handshake (22) + Finished, Length=32 + verify_data (len=32): ? + +Sent TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ChangeCipherSpec (20) + Length = 1 + change_cipher_spec (1) + +Sent TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 53 + Inner Content Type = Handshake (22) + Finished, Length=32 + verify_data (len=32): ? + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 234 + Inner Content Type = Handshake (22) + NewSessionTicket, Length=213 + ticket_lifetime_hint=7200 + ticket_age_add=? + ticket_nonce (len=8): ? + ticket (len=192): ? + No extensions + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 234 + Inner Content Type = Handshake (22) + NewSessionTicket, Length=213 + ticket_lifetime_hint=7200 + ticket_age_add=? + ticket_nonce (len=8): ? + ticket (len=192): ? + No extensions + diff --git a/crypto/openssl/test/recipes/90-test_store_cases.t b/crypto/openssl/test/recipes/90-test_store_cases.t index 05b00e6b4eb1..5915a1b76a53 100644 --- a/crypto/openssl/test/recipes/90-test_store_cases.t +++ b/crypto/openssl/test/recipes/90-test_store_cases.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2023-2025 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -18,9 +18,10 @@ use OpenSSL::Test::Utils; my $test_name = "test_store_cases"; setup($test_name); -plan tests => 2; +plan tests => 3; my $stderr; +my @stdout; # The case of the garbage PKCS#12 DER file where a passphrase was # prompted for. That should not have happened. @@ -34,3 +35,24 @@ open DATA, $stderr; close DATA; ok(scalar @match > 0 ? 0 : 1, "checking that storeutl didn't ask for a passphrase"); + + SKIP: { + skip "The objects in test-BER.p12 contain EC keys, which is disabled in this build", 1 + if disabled("ec"); + skip "test-BER.p12 has contents encrypted with DES-EDE3-CBC, which is disabled in this build", 1 + if disabled("des"); + + # The case with a BER-encoded PKCS#12 file, using infinite + EOC + # constructs. There was a bug with those in OpenSSL 3.0 and newer, + # where OSSL_STORE_load() (and by consequence, 'openssl storeutl') + # only extracted the first available object from that file and + # ignored the rest. + # Our test file has a total of four objects, and this should be + # reflected in the total that 'openssl storeutl' outputs + @stdout = run(app(['openssl', 'storeutl', '-passin', 'pass:12345', + data_file('test-BER.p12')]), + capture => 1); + @stdout = map { my $x = $_; $x =~ s/\R$//; $x } @stdout; # Better chomp + ok((grep { $_ eq 'Total found: 4' } @stdout), + "Checking that 'openssl storeutl' with test-BER.p12 returns 4 objects"); +} diff --git a/crypto/openssl/test/recipes/90-test_store_cases_data/test-BER.p12 b/crypto/openssl/test/recipes/90-test_store_cases_data/test-BER.p12 Binary files differnew file mode 100644 index 000000000000..256e697bac1a --- /dev/null +++ b/crypto/openssl/test/recipes/90-test_store_cases_data/test-BER.p12 diff --git a/crypto/openssl/test/recipes/90-test_threads_data/store/8489a545.0 b/crypto/openssl/test/recipes/90-test_threads_data/store/8489a545.0 new file mode 100644 index 000000000000..7fd65dfe924b --- /dev/null +++ b/crypto/openssl/test/recipes/90-test_threads_data/store/8489a545.0 @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDFjCCAf6gAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTEzN1oYDzIxMjAxMjEzMjAxMTM3WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 +oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS +feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN +wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g +MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u +aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff +tWgiQ35mJCOvxQIDAQABo3UwczAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIB +BjAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3o1IwHwYDVR0jBBgwFoAUjvUl +rx6ba4Q9fICayVOcTXL3o1IwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcN +AQELBQADggEBABWUjaqtkdRDhVAJZTxkJVgohjRrBwp86Y0JZWdCDua/sErmEaGu +nQVxWWFWIgu6sb8tyQo3/7dBIQl3Rpij9bsgKhToO1OzoG3Oi3d0+zRDHfY6xNrj +TUE00FeLHGNWsgZSIvu99DrGApT/+uPdWfJgMu5szillqW+4hcCUPLjG9ekVNt1s +KhdEklo6PrP6eMbm6s22EIVUxqGE6xxAmrvyhlY1zJH9BJ23Ps+xabjG6OeMRZzT +0F/fU7XIFieSO7rqUcjgo1eYc3ghsDxNUJ6TPBgv5z4SPnstoOBj59rjpJ7Qkpyd +L17VfEadezat37Cpeha7vGDduCsyMfN4kiw= +-----END CERTIFICATE----- diff --git a/crypto/openssl/test/recipes/95-test_external_oqsprovider_data/oqsprovider-ca.sh b/crypto/openssl/test/recipes/95-test_external_oqsprovider_data/oqsprovider-ca.sh new file mode 100755 index 000000000000..716172f029d3 --- /dev/null +++ b/crypto/openssl/test/recipes/95-test_external_oqsprovider_data/oqsprovider-ca.sh @@ -0,0 +1,58 @@ +#!/bin/bash + +# Test openssl CA functionality using oqsprovider for alg $1 + +if [ $# -ne 1 ]; then + echo "Usage: $0 <algorithmname>. Exiting." + exit 1 +fi + +if [ -z "$OPENSSL_APP" ]; then + echo "OPENSSL_APP env var not set. Exiting." + exit 1 +fi + +if [ -z "$OPENSSL_MODULES" ]; then + echo "Warning: OPENSSL_MODULES env var not set." +fi + +if [ -z "$OPENSSL_CONF" ]; then + echo "Warning: OPENSSL_CONF env var not set." +fi + +# Set OSX DYLD_LIBRARY_PATH if not already externally set +if [ -z "$DYLD_LIBRARY_PATH" ]; then + export DYLD_LIBRARY_PATH=$LD_LIBRARY_PATH +fi + +echo "oqsprovider-ca.sh commencing..." + +#rm -rf tmp +mkdir -p tmp && cd tmp +rm -rf demoCA && mkdir -p demoCA/newcerts +touch demoCA/index.txt +echo '01' > demoCA/serial +$OPENSSL_APP req -x509 -new -newkey $1 -keyout $1_rootCA.key -out $1_rootCA.crt -subj "/CN=test CA" -nodes + +if [ $? -ne 0 ]; then + echo "Failed to generate root CA. Exiting." + exit 1 +fi + +$OPENSSL_APP req -new -newkey $1 -keyout $1.key -out $1.csr -nodes -subj "/CN=test Server" + +if [ $? -ne 0 ]; then + echo "Failed to generate test server CSR. Exiting." + exit 1 +fi + +$OPENSSL_APP ca -batch -days 100 -keyfile $1_rootCA.key -cert $1_rootCA.crt -policy policy_anything -notext -out $1.crt -infiles $1.csr + +if [ $? -ne 0 ]; then + echo "Failed to generate server CRT. Exiting." + exit 1 +fi + +# Don't forget to use provider(s) when not activated via config file +$OPENSSL_APP verify -CAfile $1_rootCA.crt $1.crt + diff --git a/crypto/openssl/test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh b/crypto/openssl/test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh index a03c3722fc43..18e0391d520f 100755 --- a/crypto/openssl/test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh +++ b/crypto/openssl/test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh @@ -70,5 +70,7 @@ export OPENSSL_APP="$O_EXE/openssl" export OPENSSL_MODULES=$PWD/_build/lib export OQS_PROVIDER_TESTSCRIPTS=$SRCTOP/oqs-provider/scripts export OPENSSL_CONF=$OQS_PROVIDER_TESTSCRIPTS/openssl-ca.cnf +# hotfix for wrong cert validity period +cp $SRCTOP/test/recipes/95-test_external_oqsprovider_data/oqsprovider-ca.sh $SRCTOP/oqs-provider/scripts/ # Be verbose if harness is verbose: $SRCTOP/oqs-provider/scripts/runtests.sh -V |