#! /usr/bin/env perl
# Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


use strict;
use warnings;

use OpenSSL::Test::Utils;
use OpenSSL::Test qw/:DEFAULT srctop_file/;

setup("test_req");

plan tests => 50;

require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));

# Path components (below the source top) of the shared test certificates.
my @certs = ("test", "certs");

# Key generation arguments for the "openssl req" runs below.  Without RSA,
# fall back to generating a DSA key from the pre-generated parameter file.
my $have_rsa = !disabled("rsa");
my @req_new = $have_rsa
    ? ("-new")
    : ("-newkey", "dsa:" . srctop_file("apps", "dsa512.pem"));
if ($have_rsa) {
    # Describe the key-generation progress output a reader should expect.
    note("There should be a 2 sequences of .'s and some +'s.");
    note("There should not be more that at most 80 per line");
}

# Prevent MSys2 filename munging for arguments that look like file paths but
# aren't
$ENV{MSYS2_ARG_CONV_EXCL} = "/CN=";

# Check for duplicate -addext parameters, and one "working" case.
my @addext_args = ("openssl", "req", "-new", "-out", "testreq.pem",
                   "-key", srctop_file("test", "certs", "ee-key.pem"),
                   "-config", srctop_file("test", "test.cnf"), @req_new);
my $val  = "subjectAltName=DNS:example.com";
my $val1 = "subjectAltName=otherName:1.2.3.4;UTF8:test,email:info\@example.com";
my $val2 = " $val";                  # same extension, leading whitespace
(my $val3 = $val) =~ s/=/ =/;        # same extension, whitespace before '='

# Accepted: a plain SAN, and a SAN carrying an otherName component.
ok( run(app([@addext_args, "-addext", $val])));
ok( run(app([@addext_args, "-addext", $val1])));

# Rejected: an unknown otherName value type (exercises the error handling
# in do_othername).
$val1 =~ s/UTF8/XXXX/;
ok(!run(app([@addext_args, "-addext", $val1])));

# Rejected: the same extension given twice, even when the spellings differ
# only in whitespace.
for my $pair ([$val, $val], [$val, $val2], [$val, $val3], [$val2, $val3]) {
    my ($first, $second) = @$pair;
    ok(!run(app([@addext_args, "-addext", $first, "-addext", $second])));
}

# Accepted: a multi-valued extension and a dirName referring to a config
# section.
ok(run(app([@addext_args, "-addext", "SXNetID=1:one, 2:two, 3:three"])));
ok(run(app([@addext_args, "-addext", "subjectAltName=dirName:dirname_sec"])));

# If a CSR is provided with neither of -key or -CA/-CAkey, this should fail.
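ok(!run(app(["openssl", "req", "-x509",
             "-in", srctop_file(@certs, "x509-check.csr"),
             "-out", "testreq.pem"])));

# Configuration file shared by all the request-generation subtests below.
my $test_cnf = srctop_file("test", "test.cnf");

# Each "generating ... requests" subtest creates a request with one key type
# and then checks the signature on it with "req -verify".  The skip count of
# every SKIP block equals the subtest plan: with a smaller count, a build
# lacking that algorithm would report "planned N but ran 2" instead of a
# clean skip.

subtest "generating alt certificate requests with RSA" => sub {
    plan tests => 3;

    SKIP: {
        skip "RSA is not supported by this OpenSSL build", 3
            if disabled("rsa");

        # "-section altreq" selects a non-default request section of test.cnf.
        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-section", "altreq",
                    "-new", "-out", "testreq-rsa.pem", "-utf8",
                    "-key", srctop_file("test", "testrsa.pem")])),
           "Generating request");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-verify", "-in", "testreq-rsa.pem", "-noout"])),
           "Verifying signature on request");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-section", "altreq",
                    "-verify", "-in", "testreq-rsa.pem", "-noout"])),
           "Verifying signature on request");
    }
};


subtest "generating certificate requests with RSA" => sub {
    plan tests => 8;

    SKIP: {
        skip "RSA is not supported by this OpenSSL build", 8
            if disabled("rsa");

        # The key file is PEM (per its name), so asking for DER must fail.
        ok(!run(app(["openssl", "req",
                     "-config", $test_cnf,
                     "-new", "-out", "testreq-rsa.pem", "-utf8",
                     "-key", srctop_file("test", "testrsa.pem"),
                     "-keyform", "DER"])),
           "Checking that mismatching keyform fails");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-new", "-out", "testreq-rsa.pem", "-utf8",
                    "-key", srctop_file("test", "testrsa.pem"),
                    "-keyform", "PEM"])),
           "Generating request");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-verify", "-in", "testreq-rsa.pem", "-noout"])),
           "Verifying signature on request");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-modulus", "-in", "testreq-rsa.pem", "-noout"])),
           "Printing a modulus of the request key");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-new", "-out", "testreq_withattrs_pem.pem", "-utf8",
                    "-key", srctop_file("test", "testrsa_withattrs.pem")])),
           "Generating request from a key with extra attributes - PEM");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-verify", "-in", "testreq_withattrs_pem.pem", "-noout"])),
           "Verifying signature on request from a key with extra attributes - PEM");

        # DER-encoded variant of the same key (per file name); the two
        # descriptions below used to say "PEM" by copy-paste.
        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-new", "-out", "testreq_withattrs_der.pem", "-utf8",
                    "-key", srctop_file("test", "testrsa_withattrs.der"),
                    "-keyform", "DER"])),
           "Generating request from a key with extra attributes - DER");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-verify", "-in", "testreq_withattrs_der.pem", "-noout"])),
           "Verifying signature on request from a key with extra attributes - DER");
    }
};

subtest "generating certificate requests with RSA-PSS" => sub {
    plan tests => 12;

    SKIP: {
        skip "RSA is not supported by this OpenSSL build", 12
            if disabled("rsa");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-new", "-out", "testreq-rsapss.pem", "-utf8",
                    "-key", srctop_file("test", "testrsapss.pem")])),
           "Generating request");
        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-verify", "-in", "testreq-rsapss.pem", "-noout"])),
           "Verifying signature on request");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-new", "-out", "testreq-rsapss2.pem", "-utf8",
                    "-sigopt", "rsa_padding_mode:pss",
                    "-sigopt", "rsa_pss_saltlen:-1",
                    "-key", srctop_file("test", "testrsapss.pem")])),
           "Generating request");
        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-verify", "-in", "testreq-rsapss2.pem", "-noout"])),
           "Verifying signature on request");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-new", "-out", "testreq-rsapssmand.pem", "-utf8",
                    "-sigopt", "rsa_padding_mode:pss",
                    "-key", srctop_file("test", "testrsapssmandatory.pem")])),
           "Generating request");
        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-verify", "-in", "testreq-rsapssmand.pem", "-noout"])),
           "Verifying signature on request");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-new", "-out", "testreq-rsapssmand2.pem", "-utf8",
                    "-sigopt", "rsa_pss_saltlen:100",
                    "-key", srctop_file("test", "testrsapssmandatory.pem")])),
           "Generating request");
        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-verify", "-in", "testreq-rsapssmand2.pem", "-noout"])),
           "Verifying signature on request");

        # Expected failures: PKCS#1 v1.5 padding and an invalid salt length
        # with a PSS key, and a salt length or digest that differs from what
        # the "mandatory" key file presumably pins.
        ok(!run(app(["openssl", "req",
                     "-config", $test_cnf,
                     "-new", "-out", "testreq-rsapss3.pem", "-utf8",
                     "-sigopt", "rsa_padding_mode:pkcs1",
                     "-key", srctop_file("test", "testrsapss.pem")])),
           "Generating request with expected failure");

        ok(!run(app(["openssl", "req",
                     "-config", $test_cnf,
                     "-new", "-out", "testreq-rsapss3.pem", "-utf8",
                     "-sigopt", "rsa_pss_saltlen:-4",
                     "-key", srctop_file("test", "testrsapss.pem")])),
           "Generating request with expected failure");

        ok(!run(app(["openssl", "req",
                     "-config", $test_cnf,
                     "-new", "-out", "testreq-rsapssmand3.pem", "-utf8",
                     "-sigopt", "rsa_pss_saltlen:10",
                     "-key", srctop_file("test", "testrsapssmandatory.pem")])),
           "Generating request with expected failure");

        ok(!run(app(["openssl", "req",
                     "-config", $test_cnf,
                     "-new", "-out", "testreq-rsapssmand3.pem", "-utf8",
                     "-sha256",
                     "-key", srctop_file("test", "testrsapssmandatory.pem")])),
           "Generating request with expected failure");
    }
};

subtest "generating certificate requests with DSA" => sub {
    plan tests => 2;

    SKIP: {
        skip "DSA is not supported by this OpenSSL build", 2
            if disabled("dsa");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-new", "-out", "testreq-dsa.pem", "-utf8",
                    "-key", srctop_file("test", "testdsa.pem")])),
           "Generating request");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-verify", "-in", "testreq-dsa.pem", "-noout"])),
           "Verifying signature on request");
    }
};

subtest "generating certificate requests with ECDSA" => sub {
    plan tests => 2;

    SKIP: {
        skip "ECDSA is not supported by this OpenSSL build", 2
            if disabled("ec");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-new", "-out", "testreq-ec.pem", "-utf8",
                    "-key", srctop_file("test", "testec-p256.pem")])),
           "Generating request");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-verify", "-in", "testreq-ec.pem", "-noout"])),
           "Verifying signature on request");
    }
};

subtest "generating certificate requests with Ed25519" => sub {
    plan tests => 2;

    SKIP: {
        skip "Ed25519 is not supported by this OpenSSL build", 2
            if disabled("ec");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-new", "-out", "testreq-ed25519.pem", "-utf8",
                    "-key", srctop_file("test", "tested25519.pem")])),
           "Generating request");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-verify", "-in", "testreq-ed25519.pem", "-noout"])),
           "Verifying signature on request");
    }
};

subtest "generating certificate requests with Ed448" => sub {
    plan tests => 2;

    SKIP: {
        skip "Ed448 is not supported by this OpenSSL build", 2
            if disabled("ec");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-new", "-out", "testreq-ed448.pem", "-utf8",
                    "-key", srctop_file("test", "tested448.pem")])),
           "Generating request");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-verify", "-in", "testreq-ed448.pem", "-noout"])),
           "Verifying signature on request");
    }
};

subtest "generating certificate requests" => sub {
    plan tests => 2;

    # Uses @req_new, i.e. whichever key type this build can generate; the
    # resulting testreq.pem is also the input of the first conversion test.
    ok(run(app(["openssl", "req", "-config", $test_cnf,
                "-key", srctop_file("test", "certs", "ee-key.pem"),
                @req_new, "-out", "testreq.pem"])),
       "Generating request");

    ok(run(app(["openssl", "req", "-config", $test_cnf,
                "-verify", "-in", "testreq.pem", "-noout"])),
       "Verifying signature on request");
};

subtest "generating SM2 certificate requests" => sub {
    plan tests => 4;

    SKIP: {
        skip "SM2 is not supported by this OpenSSL build", 4
            if disabled("sm2");

        # The same distinguishing ID is given to both the signing (-sigopt)
        # and the verifying (-vfyopt) side, once as text and once as hex.
        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-new", "-key", srctop_file(@certs, "sm2.key"),
                    "-sigopt", "distid:1234567812345678",
                    "-out", "testreq-sm2.pem", "-sm3"])),
           "Generating SM2 certificate request");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-verify", "-in", "testreq-sm2.pem", "-noout",
                    "-vfyopt", "distid:1234567812345678", "-sm3"])),
           "Verifying signature on SM2 certificate request");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-new", "-key", srctop_file(@certs, "sm2.key"),
                    "-sigopt", "hexdistid:DEADBEEF",
                    "-out", "testreq-sm2.pem", "-sm3"])),
           "Generating SM2 certificate request with hex id");

        ok(run(app(["openssl", "req",
                    "-config", $test_cnf,
                    "-verify", "-in", "testreq-sm2.pem", "-noout",
                    "-vfyopt", "hexdistid:DEADBEEF", "-sm3"])),
           "Verifying signature on SM2 certificate request");
    }
};

my @openssl_args = ("req", "-config", srctop_file("apps", "openssl.cnf"));

run_conversion('req conversions',
               "testreq.pem");
run_conversion('req conversions -- testreq2',
               srctop_file("test", "testreq2.pem"));

# Run the conversion tests from tconversion.pl on $reqfile as a subtest named
# $title.  The request is first dumped with "-text"; when that dump complains
# about an unknown public key algorithm (the key type is not supported by
# this build), the conversions are skipped instead of reported as failures.
sub run_conversion {
    my ($title, $reqfile) = @_;

    subtest $title => sub {
        run(app(["openssl", @openssl_args,
                 "-in", $reqfile, "-inform", "p",
                 "-noout", "-text"],
                stderr => "req-check.err", stdout => undef));

        # Read the captured stderr with a checked three-arg open on a lexical
        # handle (the old code reused the special DATA handle, unchecked).
        # A missing file means nothing was captured: carry on converting.
        my @err_lines;
        if (open my $err_fh, '<', "req-check.err") {
            @err_lines = <$err_fh>;
            close $err_fh;
        }
        # Remove the capture file before a possible skip_all, which leaves
        # the subtest early and would otherwise leak it.
        unlink "req-check.err";

        # The old grep ran over the results of s/\R// (1 or ""), not over
        # the lines themselves, so this skip could never trigger.
        plan skip_all => "skipping req conversion test for $reqfile"
            if grep { /Unknown Public Key/ } @err_lines;

        tconversion( -type => 'req', -in => $reqfile,
                     -args => [ @openssl_args ] );

        done_testing();
    };
}

# Test both generation and verification of certs w.r.t. RFC 5280 requirements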
RFC 5280 requirements 387e0c4386eSCy Schubert 388e0c4386eSCy Schubertmy $ca_cert; # will be set below 389e0c4386eSCy Schubertsub generate_cert { 390e0c4386eSCy Schubert my $cert = shift @_; 391e0c4386eSCy Schubert my $ss = $cert =~ m/self-signed/; 392e0c4386eSCy Schubert my $is_ca = $cert =~ m/CA/; 393e0c4386eSCy Schubert my $cn = $is_ca ? "CA" : "EE"; 394e0c4386eSCy Schubert my $ca_key = srctop_file(@certs, "ca-key.pem"); 395e0c4386eSCy Schubert my $key = $is_ca ? $ca_key : srctop_file(@certs, "ee-key.pem"); 396e0c4386eSCy Schubert my @cmd = ("openssl", "req", "-config", "", "-x509", 397e0c4386eSCy Schubert "-subj", "/CN=$cn", @_, "-out", $cert); 398e0c4386eSCy Schubert push(@cmd, ("-key", $key)) if $ss; 399e0c4386eSCy Schubert push(@cmd, ("-CA", $ca_cert, "-CAkey", $ca_key)) unless $ss; 400e0c4386eSCy Schubert ok(run(app([@cmd])), "generate $cert"); 401e0c4386eSCy Schubert} 402e0c4386eSCy Schubertsub has_SKID { 403e0c4386eSCy Schubert my $cert = shift @_; 404e0c4386eSCy Schubert my $expect = shift @_; 405e0c4386eSCy Schubert cert_contains($cert, "Subject Key Identifier", $expect); 406e0c4386eSCy Schubert} 407e0c4386eSCy Schubertsub has_AKID { 408e0c4386eSCy Schubert my $cert = shift @_; 409e0c4386eSCy Schubert my $expect = shift @_; 410e0c4386eSCy Schubert cert_contains($cert, "Authority Key Identifier", $expect); 411e0c4386eSCy Schubert} 412e0c4386eSCy Schubertsub has_keyUsage { 413e0c4386eSCy Schubert my $cert = shift @_; 414e0c4386eSCy Schubert my $expect = shift @_; 415e0c4386eSCy Schubert cert_contains($cert, "Key Usage", $expect); 416e0c4386eSCy Schubert} 417e0c4386eSCy Schubertsub strict_verify { 418e0c4386eSCy Schubert my $cert = shift @_; 419e0c4386eSCy Schubert my $expect = shift @_; 420e0c4386eSCy Schubert my $trusted = shift @_; 421e0c4386eSCy Schubert $trusted = $cert unless $trusted; 422e0c4386eSCy Schubert ok(run(app(["openssl", "verify", "-x509_strict", "-trusted", $trusted, 423e0c4386eSCy Schubert "-partial_chain", $cert])) == $expect, 
424e0c4386eSCy Schubert "strict verify allow $cert"); 425e0c4386eSCy Schubert} 426e0c4386eSCy Schubert 427e0c4386eSCy Schubertmy @v3_ca = ("-addext", "basicConstraints = critical,CA:true", 428e0c4386eSCy Schubert "-addext", "keyUsage = keyCertSign"); 429e0c4386eSCy Schubertmy $SKID_AKID = "subjectKeyIdentifier,authorityKeyIdentifier"; 430e0c4386eSCy Schubertmy $cert = "self-signed_v1_CA_no_KIDs.pem"; 431e0c4386eSCy Schubertgenerate_cert($cert); 432e0c4386eSCy Schubertcert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID 433e0c4386eSCy Schubert#TODO strict_verify($cert, 1); # self-signed v1 root cert should be accepted as CA 434e0c4386eSCy Schubert 435e0c4386eSCy Schubert$ca_cert = "self-signed_v3_CA_default_SKID.pem"; 436e0c4386eSCy Schubertgenerate_cert($ca_cert, @v3_ca); 437e0c4386eSCy Schuberthas_SKID($ca_cert, 1); 438e0c4386eSCy Schuberthas_AKID($ca_cert, 0); 439e0c4386eSCy Schubertstrict_verify($ca_cert, 1); 440e0c4386eSCy Schubert 441e0c4386eSCy Schubert$cert = "self-signed_v3_CA_no_SKID.pem"; 442e0c4386eSCy Schubertgenerate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = none"); 443e0c4386eSCy Schubertcert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID 444e0c4386eSCy Schubert#TODO strict_verify($cert, 0); 445e0c4386eSCy Schubert 446e0c4386eSCy Schubert$cert = "self-signed_v3_CA_both_KIDs.pem"; 447e0c4386eSCy Schubertgenerate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = hash", 448e0c4386eSCy Schubert "-addext", "authorityKeyIdentifier = keyid:always"); 449e0c4386eSCy Schubertcert_ext_has_n_different_lines($cert, 3, $SKID_AKID); # SKID == AKID 450e0c4386eSCy Schubertstrict_verify($cert, 1); 451e0c4386eSCy Schubert 452e0c4386eSCy Schubert$cert = "self-signed_v3_EE_wrong_keyUsage.pem"; 453e0c4386eSCy Schubertgenerate_cert($cert, "-addext", "keyUsage = keyCertSign"); 454e0c4386eSCy Schubert#TODO strict_verify($cert, 1); # should be accepted because RFC 5280 does not apply 455e0c4386eSCy Schubert 
456e0c4386eSCy Schubert$cert = "v3_EE_default_KIDs.pem"; 457e0c4386eSCy Schubertgenerate_cert($cert, "-addext", "keyUsage = dataEncipherment", 458e0c4386eSCy Schubert "-key", srctop_file(@certs, "ee-key.pem")); 459e0c4386eSCy Schubertcert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID 460e0c4386eSCy Schubertstrict_verify($cert, 1, $ca_cert); 461e0c4386eSCy Schubert 462e0c4386eSCy Schubert$cert = "v3_EE_no_AKID.pem"; 463e0c4386eSCy Schubertgenerate_cert($cert, "-addext", "authorityKeyIdentifier = none", 464e0c4386eSCy Schubert "-key", srctop_file(@certs, "ee-key.pem")); 465e0c4386eSCy Schuberthas_SKID($cert, 1); 466e0c4386eSCy Schuberthas_AKID($cert, 0); 467e0c4386eSCy Schubertstrict_verify($cert, 0, $ca_cert); 468e0c4386eSCy Schubert 469e0c4386eSCy Schubert$cert = "self-issued_v3_EE_default_KIDs.pem"; 470e0c4386eSCy Schubertgenerate_cert($cert, "-addext", "keyUsage = dataEncipherment", 471e0c4386eSCy Schubert "-in", srctop_file(@certs, "x509-check.csr")); 472e0c4386eSCy Schubertcert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID 473e0c4386eSCy Schubertstrict_verify($cert, 1); 474e0c4386eSCy Schubert 475e0c4386eSCy Schubertmy $cert = "self-signed_CA_no_keyUsage.pem"; 476e0c4386eSCy Schubertgenerate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr")); 477e0c4386eSCy Schuberthas_keyUsage($cert, 0); 478e0c4386eSCy Schubertmy $cert = "self-signed_CA_with_keyUsages.pem"; 479e0c4386eSCy Schubertgenerate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"), 480e0c4386eSCy Schubert "-copy_extensions", "copy"); 481e0c4386eSCy Schuberthas_keyUsage($cert, 1); 482e0c4386eSCy Schubert 483e0c4386eSCy Schubert# Generate cert using req with '-modulus' 484e0c4386eSCy Schubertok(run(app(["openssl", "req", "-x509", "-new", "-days", "365", 485e0c4386eSCy Schubert "-key", srctop_file("test", "testrsa.pem"), 486e0c4386eSCy Schubert "-config", srctop_file('test', 'test.cnf'), 487e0c4386eSCy Schubert "-out", "testreq-cert.pem", 488e0c4386eSCy 
Schubert "-modulus"])), "cert req creation - with -modulus"); 489e0c4386eSCy Schubert 490e0c4386eSCy Schubert# Verify cert 491e0c4386eSCy Schubertok(run(app(["openssl", "x509", "-in", "testreq-cert.pem", 492e0c4386eSCy Schubert "-noout", "-text"])), "cert verification"); 493