#! /usr/bin/env perl
# Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


use strict;
use warnings;

use POSIX;
use File::Spec::Functions qw/catfile/;
use File::Compare qw/compare_text compare/;
use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with data_file/;

use OpenSSL::Test::Utils;

# setup() runs at compile time so that srctop_dir()/bldtop_dir() can be
# used by the "use lib" lines below.
BEGIN {
    setup("test_cms");
}

use lib srctop_dir('Configurations');
use lib bldtop_dir('.');

# FIPS-provider runs are skipped when the build has fips disabled or when
# NO_FIPS is set to a true value in the environment.
my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
# Status flag tied to the fips_version_test "<3.4.0" probe that is run
# further down in this file; it starts out false.
my $old_fips = 0;

# Nothing in this recipe is meaningful without CMS support in the build.
plan skip_all => "CMS is not supported by this OpenSSL build"
    if disabled("cms");

# Directory handed to the apps via -provider-path.
my $provpath = bldtop_dir("providers");

# Some tests require legacy algorithms to be included.
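# Provider option sets handed to the cms app.  @legacyprov loads "default"
# plus "legacy" (needed below for RC2); @defaultprov loads "default" only.
my @legacyprov = ("-provider-path", $provpath,
                  "-provider", "default",
                  "-provider", "legacy" );
my @defaultprov = ("-provider-path", $provpath,
                   "-provider", "default");

# Overridden inside the FIPS branch below; otherwise the default provider
# is used with no extra -config option.
my @config = ( );
my $provname = 'default';

my $datadir = srctop_dir("test", "recipes", "80-test_cms_data");
my $smdir    = srctop_dir("test", "smime-certs");
my $smcont   = srctop_file("test", "smcont.txt");
my $smcont_zero = srctop_file("test", "smcont_zero.txt");
my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
    = disabled qw/des dh dsa ec ec2m rc2 zlib/;

# RC2 is only reachable through the legacy provider in the tables below.
$no_rc2 = 1 if disabled("legacy");

plan tests => 20;

ok(run(test(["pkcs7_test"])), "test pkcs7");

unless ($no_fips) {
    my $provconf = srctop_file("test", "fips-and-base.cnf");
    @config = ( "-config", $provconf );
    $provname = 'fips';

    # OpenSSL::Test's run() documents statusvar as a reference to a scalar
    # that receives the command's success status.  Passing the variable's
    # current value (0) instead of \$old_fips would leave the flag at 0, so
    # an older FIPS provider would never be detected.
    run(test(["fips_version_test", "-config", $provconf, "<3.4.0"]),
        capture => 1, statusvar => \$old_fips);
}

# NOTE(review): presumably tells the test apps to use a non-default library
# context; the variable is only set here, its consumer is outside this part
# of the file -- confirm.
$ENV{OPENSSL_TEST_LIBCTX} = "1";
# Options for the provider under test: "fips" (with its config file) when
# FIPS testing is enabled, otherwise "default".
my @prov = ("-provider-path", $provpath,
            @config,
            "-provider", $provname);

my $smrsa1024 = catfile($smdir, "smrsa1024.pem");
my $smrsa1 = catfile($smdir, "smrsa1.pem");
my $smroot = catfile($smdir, "smroot.pem");

# Entry layout used by the tables below: a title, one or more argument
# lists for the cms/smime app, optionally an inline check sub between
# commands, and usually a final compare callback.  "{cmd1}", "{cmd2}" and
# "{output}" are placeholders; the code that expands them is not in this
# part of the file.
#
# This first table is named for tests that are run with both the smime
# (PKCS#7) and cms apps -- TODO confirm against the runner further down.
my @smime_pkcs7_tests = (

    [ "signed content DER format, RSA key",
      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
        "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "signed detached content DER format, RSA key",
      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
        "-signer", $smrsa1, "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
        "-CAfile", $smroot, "-out", "{output}.txt",
        "-content", $smcont ],
      \&final_compare
    ],

    [ "signed content test streaming BER format, RSA",
      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
        "-stream",
        "-signer", $smrsa1, "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "signed content DER format, DSA key",
      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
        "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "signed detached content DER format, DSA key",
      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
        "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
        "-CAfile", $smroot, "-out", "{output}.txt",
        "-content", $smcont ],
      \&final_compare
    ],

    # Two-step signing: a DSA signature first, then -resign adds an RSA
    # signer to the same structure before a single verify.
    [ "signed detached content DER format, add RSA signer (with DSA existing)",
      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
        "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
      [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
        "-signer", $smrsa1, "-out", "{output}2.cms" ],
      [ "{cmd2}", @prov, "-verify", "-in", "{output}2.cms", "-inform", "DER",
        "-CAfile", $smroot, "-out", "{output}.txt",
        "-content", $smcont ],
      \&final_compare
    ],

    [ "signed content test streaming BER format, DSA key",
      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
        "-nodetach", "-stream",
        "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
        "-nodetach", "-stream",
        "-signer", $smrsa1,
        "-signer", catfile($smdir, "smrsa2.pem"),
        "-signer", catfile($smdir, "smdsa1.pem"),
        "-signer", catfile($smdir, "smdsa2.pem"),
        "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
        "-noattr", "-nodetach", "-stream",
        "-signer", $smrsa1,
        "-signer", catfile($smdir, "smrsa2.pem"),
        "-signer", catfile($smdir, "smdsa1.pem"),
        "-signer", catfile($smdir, "smdsa2.pem"),
        "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],

    # The two SHA-1 entries sign with @defaultprov rather than @prov; only
    # the verify step goes through the provider under test.
    [ "signed content S/MIME format, RSA key SHA1",
      [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
        "-certfile", $smroot,
        "-signer", $smrsa1, "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "signed zero-length content S/MIME format, RSA key SHA1",
      [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",
        "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&zero_compare
    ],

    [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
        "-signer", $smrsa1,
        "-signer", catfile($smdir, "smrsa2.pem"),
        "-signer", catfile($smdir, "smdsa1.pem"),
        "-signer", catfile($smdir, "smdsa2.pem"),
        "-stream", "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
      [ "{cmd1}", @prov, "-sign", "-in", $smcont,
        "-signer", $smrsa1,
        "-signer", catfile($smdir, "smrsa2.pem"),
        "-signer", catfile($smdir, "smdsa1.pem"),
        "-signer", catfile($smdir, "smdsa2.pem"),
        "-stream", "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],

    # NOTE(review): the "DES" entries in this file pass no cipher option to
    # -encrypt, so the content cipher is whatever the app defaults to;
    # confirm that the titles still describe what is exercised.  They run
    # with @defaultprov on both sides, not the provider under test.
    [ "enveloped content test streaming S/MIME format, DES, 3 recipients",
      [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
        "-stream", "-out", "{output}.cms",
        $smrsa1,
        catfile($smdir, "smrsa2.pem"),
        catfile($smdir, "smrsa3.pem") ],
      [ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
        "-in", "{output}.cms", "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "enveloped content test streaming S/MIME format, DES, 3 recipients, 3rd used",
      [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
        "-stream", "-out", "{output}.cms",
        $smrsa1,
        catfile($smdir, "smrsa2.pem"),
        catfile($smdir, "smrsa3.pem") ],
      [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smrsa3.pem"),
        "-in", "{output}.cms", "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "enveloped content test streaming S/MIME format, DES, 3 recipients, cert and key files used",
      [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
        "-stream", "-out", "{output}.cms",
        $smrsa1,
        catfile($smdir, "smrsa2.pem"),
        catfile($smdir, "smrsa3-cert.pem") ],
      [ "{cmd2}", @defaultprov, "-decrypt",
        "-recip", catfile($smdir, "smrsa3-cert.pem"),
        "-inkey", catfile($smdir, "smrsa3-key.pem"),
        "-in", "{output}.cms", "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
      [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
        "-aes256", "-stream", "-out", "{output}.cms",
        $smrsa1,
        catfile($smdir, "smrsa2.pem"),
        catfile($smdir, "smrsa3.pem") ],
      [ "{cmd2}", @prov, "-decrypt", "-recip", $smrsa1,
        "-in", "{output}.cms", "-out", "{output}.txt" ],
      \&final_compare
    ],

);

# CMS-only cases (key identifiers, receipts, KEK recipients, data and
# EncryptedData content types).  The -secretkey / -secretkeyid values are
# fixed, sequential-byte test vectors and must never be reused as real
# key material.
my @smime_cms_tests = (

    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
        "-nodetach", "-keyid",
        "-signer", $smrsa1,
        "-signer", catfile($smdir, "smrsa2.pem"),
        "-signer", catfile($smdir, "smdsa1.pem"),
        "-signer", catfile($smdir, "smdsa2.pem"),
        "-stream", "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
        "-signer", $smrsa1,
        "-signer", catfile($smdir, "smrsa2.pem"),
        "-signer", catfile($smdir, "smdsa1.pem"),
        "-signer", catfile($smdir, "smdsa2.pem"),
        "-stream", "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "signed content MIME format, RSA key, signed receipt request",
      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
        "-signer", $smrsa1,
        "-receipt_request_to", "test\@openssl.org", "-receipt_request_all",
        "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],

    # No compare callback here: the last step is -verify_receipt, which
    # produces no "{output}.txt".
    [ "signed receipt MIME format, RSA key",
      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
        "-signer", $smrsa1,
        "-receipt_request_to", "test\@openssl.org", "-receipt_request_all",
        "-out", "{output}.cms" ],
      [ "{cmd1}", @prov, "-sign_receipt", "-in", "{output}.cms",
        "-signer", catfile($smdir, "smrsa2.pem"), "-out", "{output}2.cms" ],
      [ "{cmd2}", @prov, "-verify_receipt", "{output}2.cms", "-in", "{output}.cms",
        "-CAfile", $smroot ]
    ],

    [ "enveloped content test streaming S/MIME format, DES, 3 recipients, keyid",
      [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
        "-stream", "-out", "{output}.cms", "-keyid",
        $smrsa1,
        catfile($smdir, "smrsa2.pem"),
        catfile($smdir, "smrsa3.pem") ],
      [ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
        "-in", "{output}.cms", "-out", "{output}.txt" ],
      \&final_compare
    ],

    # Title corrected to AES-128: the command passes -aes128 with a
    # 16-byte key, so labelling it AES-256 overstated what is covered.
    [ "enveloped content test streaming PEM format, AES-128-CBC cipher, KEK",
      [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128",
        "-stream", "-out", "{output}.cms",
        "-secretkey", "000102030405060708090A0B0C0D0E0F",
        "-secretkeyid", "C0FEE0" ],
      [ "{cmd2}", @prov, "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
        "-inform", "PEM",
        "-secretkey", "000102030405060708090A0B0C0D0E0F",
        "-secretkeyid", "C0FEE0" ],
      \&final_compare
    ],

    # Title corrected to AES-128: the command passes -aes-128-gcm.
    # NOTE(review): unlike its neighbours, the decrypt step carries no
    # @prov, so it does not name the provider under test -- confirm whether
    # that is deliberate.
    [ "enveloped content test streaming PEM format, AES-128-GCM cipher, KEK",
      [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes-128-gcm",
        "-stream", "-out", "{output}.cms",
        "-secretkey", "000102030405060708090A0B0C0D0E0F",
        "-secretkeyid", "C0FEE0" ],
      [ "{cmd2}", "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
        "-inform", "PEM",
        "-secretkey", "000102030405060708090A0B0C0D0E0F",
        "-secretkeyid", "C0FEE0" ],
      \&final_compare
    ],

    # Decrypts with the key alone, without -secretkeyid.
    [ "enveloped content test streaming PEM format, KEK, key only",
      [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128",
        "-stream", "-out", "{output}.cms",
        "-secretkey", "000102030405060708090A0B0C0D0E0F",
        "-secretkeyid", "C0FEE0" ],
      [ "{cmd2}", @prov, "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt",
        "-inform", "PEM",
        "-secretkey", "000102030405060708090A0B0C0D0E0F" ],
      \&final_compare
    ],

    [ "data content test streaming PEM format",
      [ "{cmd1}", @prov, "-data_create", "-in", $smcont, "-outform", "PEM",
        "-nodetach", "-stream", "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-data_out", "-in", "{output}.cms", "-inform", "PEM",
        "-out", "{output}.txt" ],
      \&final_compare
    ],

    # RC2 entries need the legacy provider, hence @legacyprov on both sides.
    [ "encrypted content test streaming PEM format, 128 bit RC2 key",
      [ "{cmd1}", @legacyprov, "-EncryptedData_encrypt",
        "-in", $smcont, "-outform", "PEM",
        "-rc2", "-secretkey", "000102030405060708090A0B0C0D0E0F",
        "-stream", "-out", "{output}.cms" ],
      [ "{cmd2}", @legacyprov, "-EncryptedData_decrypt", "-in", "{output}.cms",
        "-inform", "PEM",
        "-secretkey", "000102030405060708090A0B0C0D0E0F",
        "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "encrypted content test streaming PEM format, 40 bit RC2 key",
      [ "{cmd1}", @legacyprov, "-EncryptedData_encrypt",
        "-in", $smcont, "-outform", "PEM",
        "-rc2", "-secretkey", "0001020304",
        "-stream", "-out", "{output}.cms" ],
      [ "{cmd2}", @legacyprov, "-EncryptedData_decrypt", "-in", "{output}.cms",
        "-inform", "PEM",
        "-secretkey", "0001020304", "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "encrypted content test streaming PEM format, triple DES key",
      [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
        "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
        "-stream", "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-EncryptedData_decrypt", "-in", "{output}.cms",
        "-inform", "PEM",
        "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
        "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "encrypted content test streaming PEM format, 128 bit AES key",
      [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
        "-aes128", "-secretkey", "000102030405060708090A0B0C0D0E0F",
        "-stream", "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-EncryptedData_decrypt", "-in", "{output}.cms",
        "-inform", "PEM",
        "-secretkey", "000102030405060708090A0B0C0D0E0F",
        "-out", "{output}.txt" ],
      \&final_compare
    ],

    # With -noout no output file is written, so the second command is only
    # "-help" and there is no compare callback.
    [ "encrypted content test streaming PEM format -noout, 128 bit AES key",
      [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
        "-aes128", "-secretkey", "000102030405060708090A0B0C0D0E0F",
        "-stream", "-noout" ],
      [ "{cmd2}", @prov, "-help" ]
    ],
);

# CAdES-BES cases: both the signing and the verifying side pass -cades.
my @smime_cms_cades_tests = (

    [ "signed content DER format, RSA key, CAdES-BES compatible",
      [ "{cmd1}", @prov, "-sign", "-cades", "-in", $smcont, "-outform", "DER",
        "-nodetach",
        "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "signed content DER format, RSA key, SHA256 md, CAdES-BES compatible",
      [ "{cmd1}", @prov, "-sign", "-cades", "-md", "sha256", "-in", $smcont, "-outform",
        "DER", "-nodetach", "-certfile", $smroot,
        "-signer", $smrsa1, "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "signed content DER format, RSA key, SHA512 md, CAdES-BES compatible",
      [ "{cmd1}", @prov, "-sign", "-cades", "-md", "sha512", "-in", $smcont, "-outform",
        "DER", "-nodetach", "-certfile", $smroot,
        "-signer", $smrsa1, "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],

    # Same title as the SHA256 entry above; this variant adds -binary and
    # -nosmimecap on the signing side.
    [ "signed content DER format, RSA key, SHA256 md, CAdES-BES compatible",
      [ "{cmd1}", @prov, "-sign", "-cades", "-binary",  "-nodetach", "-nosmimecap", "-md", "sha256",
        "-in", $smcont, "-outform", "DER",
        "-certfile", $smroot, "-signer", $smrsa1,
        "-outform", "DER", "-out", "{output}.cms"  ],
      [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "resigned content DER format, RSA key, SHA256 md, CAdES-BES compatible",
      [ "{cmd1}", @prov, "-sign", "-cades", "-binary",  "-nodetach", "-nosmimecap", "-md", "sha256",
        "-in", $smcont, "-outform", "DER",
        "-certfile", $smroot, "-signer", $smrsa1,
        "-outform", "DER", "-out", "{output}.cms"  ],
      [ "{cmd1}", @prov, "-resign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256",
        "-inform", "DER", "-in", "{output}.cms",
        "-certfile", $smroot, "-signer", catfile($smdir, "smrsa2.pem"),
        "-outform", "DER", "-out", "{output}2.cms" ],

      [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}2.cms", "-inform", "DER",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],
);

# Negative CAdES case: content signed without -cades, then verified with
# -cades.  The entry has a different shape (two titles, no "{cmd1}" /
# "{cmd2}" placeholders); going by the second title the verify step is
# expected to fail -- the runner for this table is not in this part of the
# file, confirm there.
my @smime_cms_cades_ko_tests = (
    [ "sign content DER format, RSA key, not CAdES-BES compatible",
      [ @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
        "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
      "fail to verify token since requiring CAdES-BES compatibility",
      [ @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ]
);

# cades options test - check that some combinations are rejected
my @smime_cms_cades_invalid_option_tests = (
    [
        [ "-cades", "-noattr" ],
    ],[
        [ "-verify", "-cades", "-noattr" ],
    ],[
        [ "-verify", "-cades", "-noverify" ],
    ],
);

# Compression round trip; $no_zlib above is presumably what gates it.
my @smime_cms_comp_tests = (

    [ "compressed content test streaming PEM format",
      [ "{cmd1}", @prov, "-compress", "-in", $smcont, "-outform", "PEM", "-nodetach",
        "-stream", "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-uncompress", "-in", "{output}.cms", "-inform", "PEM",
        "-out", "{output}.txt" ],
      \&final_compare
    ]

);

# Cases driven by -keyopt parameters (RSA-PSS, RSA-OAEP, ECDH KDF).  Some
# entries place an inline sub between the two commands to inspect the
# generated "{output}.cms" before it is verified or decrypted.
my @smime_cms_param_tests = (
    [ "signed content test streaming PEM format, RSA keys, PSS signature",
      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
        "-signer", $smrsa1,
        "-keyopt", "rsa_padding_mode:pss",
        "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=max",
      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
        "-signer", $smrsa1,
        "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:max",
        "-out", "{output}.cms" ],
      # NOTE(review): 222 presumably is modulus length - digest length - 2
      # for a 2048-bit key with a 32-byte digest; confirm against
      # smrsa1.pem and the default digest.
      sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 222; },
      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "signed content test streaming PEM format, RSA keys, PSS signature, no attributes",
      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
        "-noattr", "-signer", $smrsa1,
        "-keyopt", "rsa_padding_mode:pss",
        "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "signed content test streaming PEM format, RSA keys, PSS signature, SHA384 MGF1",
      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
        "-signer", $smrsa1,
        "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_mgf1_md:sha384",
        "-out", "{output}.cms" ],
      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=16",
      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
        "-signer", $smrsa1, "-md", "sha256",
        "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:16",
        "-out", "{output}.cms" ],
      sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 16; },
      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=digest",
      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
        "-signer", $smrsa1, "-md", "sha256",
        "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:digest",
        "-out", "{output}.cms" ],
      # digest is SHA-256, which produces 32 bytes of output
      sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 32; },
      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
        "-CAfile", $smroot, "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "enveloped content test streaming S/MIME format, DES, OAEP default parameters",
      [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
        "-stream", "-out", "{output}.cms",
        "-recip", $smrsa1,
        "-keyopt", "rsa_padding_mode:oaep" ],
      [ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
        "-in", "{output}.cms", "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "enveloped content test streaming S/MIME format, DES, OAEP SHA256",
      [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
        "-stream", "-out", "{output}.cms",
        "-recip", $smrsa1,
        "-keyopt", "rsa_padding_mode:oaep",
        "-keyopt", "rsa_oaep_md:sha256" ],
      [ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1,
        "-in", "{output}.cms", "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "enveloped content test streaming S/MIME format, DES, ECDH",
      [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
        "-stream", "-out", "{output}.cms",
        "-recip", catfile($smdir, "smec1.pem") ],
      [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
        "-in", "{output}.cms", "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "enveloped content test streaming S/MIME format, DES, ECDH, 2 recipients, key only used",
      [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
        "-stream", "-out", "{output}.cms",
        catfile($smdir, "smec1.pem"),
        catfile($smdir, "smec3.pem") ],
      [ "{cmd2}", @defaultprov, "-decrypt", "-inkey", catfile($smdir, "smec3.pem"),
        "-in", "{output}.cms", "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "enveloped content test streaming S/MIME format, ECDH, DES, key identifier",
      [ "{cmd1}", @defaultprov, "-encrypt", "-keyid", "-in", $smcont,
        "-stream", "-out", "{output}.cms",
        "-recip", catfile($smdir, "smec1.pem") ],
      [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
        "-in", "{output}.cms", "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "enveloped content test streaming S/MIME format, ECDH, AES-128-CBC, SHA256 KDF",
      [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
        "-stream", "-out", "{output}.cms",
        "-recip", catfile($smdir, "smec1.pem"), "-aes128",
        "-keyopt", "ecdh_kdf_md:sha256" ],
      sub { my %opts = @_; smimeType_matches("$opts{output}.cms", "enveloped-data"); },
      [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
        "-in", "{output}.cms", "-out", "{output}.txt" ],
      \&final_compare
    ],

    [ "enveloped content test streaming S/MIME format, ECDH, AES-128-GCM cipher, SHA256 KDF",
      [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
        "-stream", "-out",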
"{output}.cms", 628e0c4386eSCy Schubert "-recip", catfile($smdir, "smec1.pem"), "-aes-128-gcm", "-keyopt", "ecdh_kdf_md:sha256" ], 629*0d0c8621SEnji Cooper sub { my %opts = @_; smimeType_matches("$opts{output}.cms", "authEnveloped-data"); }, 630e0c4386eSCy Schubert [ "{cmd2}", "-decrypt", "-recip", catfile($smdir, "smec1.pem"), 631e0c4386eSCy Schubert "-in", "{output}.cms", "-out", "{output}.txt" ], 632e0c4386eSCy Schubert \&final_compare 633e0c4386eSCy Schubert ], 634e0c4386eSCy Schubert 635e0c4386eSCy Schubert [ "enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH", 636e0c4386eSCy Schubert [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, 637e0c4386eSCy Schubert "-stream", "-out", "{output}.cms", 638e0c4386eSCy Schubert "-recip", catfile($smdir, "smec2.pem"), "-aes128", 639e0c4386eSCy Schubert "-keyopt", "ecdh_kdf_md:sha256", "-keyopt", "ecdh_cofactor_mode:1" ], 640e0c4386eSCy Schubert [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smec2.pem"), 641e0c4386eSCy Schubert "-in", "{output}.cms", "-out", "{output}.txt" ], 642e0c4386eSCy Schubert \&final_compare 643*0d0c8621SEnji Cooper ] 644*0d0c8621SEnji Cooper); 645e0c4386eSCy Schubert 646*0d0c8621SEnji Cooperif ($no_fips || $old_fips) { 647*0d0c8621SEnji Cooper # Only SHA1 supported in dh_cms_encrypt() 648*0d0c8621SEnji Cooper push(@smime_cms_param_tests, 649e0c4386eSCy Schubert [ "enveloped content test streaming S/MIME format, X9.42 DH", 650e0c4386eSCy Schubert [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, 651e0c4386eSCy Schubert "-stream", "-out", "{output}.cms", 652e0c4386eSCy Schubert "-recip", catfile($smdir, "smdh.pem"), "-aes128" ], 653e0c4386eSCy Schubert [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), 654e0c4386eSCy Schubert "-in", "{output}.cms", "-out", "{output}.txt" ], 655e0c4386eSCy Schubert \&final_compare 656e0c4386eSCy Schubert ] 657e0c4386eSCy Schubert ); 658*0d0c8621SEnji Cooper} 659e0c4386eSCy Schubert 660e0c4386eSCy Schubertmy 
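@contenttype_cms_test = (
    [ "signed content test - check that content type is added to additional signerinfo, RSA keys",
      [ "{cmd1}", @prov, "-sign", "-binary", "-nodetach", "-stream", "-in", $smcont,
        "-outform", "DER", "-signer", $smrsa1, "-md", "SHA256",
        "-out", "{output}.cms" ],
      [ "{cmd1}", @prov, "-resign", "-binary", "-nodetach", "-in", "{output}.cms",
        "-inform", "DER", "-outform", "DER",
        "-signer", catfile($smdir, "smrsa2.pem"), "-md", "SHA256",
        "-out", "{output}2.cms" ],
      # After the re-sign there are two signers, so the contentType
      # attribute is expected twice in the DER output.
      sub { my %opts = @_; contentType_matches("$opts{output}2.cms") == 2; },
      [ "{cmd2}", @prov, "-verify", "-in", "{output}2.cms", "-inform", "DER",
        "-CAfile", $smroot, "-out", "{output}.txt" ]
    ],
);

# DER inputs whose signed attributes are wrong; the verify subtest that
# consumes this list expects every one of them to be rejected.
my @incorrect_attribute_cms_test = (
    "bad_signtime_attr.cms",
    "no_ct_attr.cms",
    "no_md_attr.cms",
    "ct_multiple_attr.cms"
);

# Runs a standard loop on the input array.
#
# Named arguments:
#   tests  - array ref of entries [ name, step, step, ... ]
#   prefix - prefix of the per-test output file name ("<prefix>-<n>")
#   cmd1, cmd2 - openssl sub-commands substituted for "{cmd1}" / "{cmd2}"
#
# A step is either an array ref of "openssl" arguments or a code ref that is
# called with the current %opts and returns a boolean.  "{key}" placeholders
# in arguments are replaced by $opts{key}.  One ok() is reported per entry.
sub runner_loop {
    my %opts = ( @_ );
    my $cnt1 = 0;

    foreach my $test (@{$opts{tests}}) {
        my ($name, @steps) = @$test;

        $cnt1++;
        $opts{output} = "$opts{prefix}-$cnt1";
        SKIP: {
            my $skip_reason = check_availability($name);
            skip $skip_reason, 1 if $skip_reason;
            my $ok = 1;
            # Remove stale output so a failed run cannot pass the final
            # comparison against a file left over from an earlier test.
            1 while unlink "$opts{output}.txt";

            foreach my $step (@steps) {
                if (ref $step eq 'CODE') {
                    $ok &&= $step->(%opts);
                } else {
                    my @cmd = map {
                        my $x = $_;
                        # Single substitution pass.  A placeholder with no
                        # matching key is left untouched; the previous
                        # "while ($x =~ ...)" form never terminated in that
                        # case because $x was not modified.
                        $x =~ s/(\{([^\}]+)\})/exists $opts{$2} ? $opts{$2} : $1/ge;
                        $x;
                    } @$step;

                    diag "CMD: openssl ", join(" ", @cmd);
                    $ok &&= run(app(["openssl", @cmd]));
                    $opts{input} = $opts{output};
                }
            }

            ok($ok, $name);
        }
    }
}

# Code-ref step: true when the text written to "<output>.txt" matches the
# original input $smcont.
sub final_compare {
    my %opts = @_;

    diag "Comparing $smcont with $opts{output}.txt";
    return compare_text($smcont, "$opts{output}.txt") == 0;
}

# Code-ref step: true when "<output>.txt" exists and is empty.
sub zero_compare {
    my %opts = @_;

    diag "Checking for zero-length file";
    return (-e "$opts{output}.txt" && -z "$opts{output}.txt");
}

subtest "CMS => PKCS#7 compatibility tests\n" => sub {
    plan tests => scalar @smime_pkcs7_tests;

    runner_loop(prefix => 'cms2pkcs7', cmd1 => 'cms', cmd2 => 'smime',
                tests => [ @smime_pkcs7_tests ]);
};
subtest "CMS <= PKCS#7 compatibility tests\n" => sub {
    plan tests => scalar @smime_pkcs7_tests;

    runner_loop(prefix => 'pkcs72cms', cmd1 => 'smime', cmd2 => 'cms',
                tests => [ @smime_pkcs7_tests ]);
};

subtest "CMS <=> CMS consistency tests\n" => sub {
    plan tests => (scalar @smime_pkcs7_tests) + (scalar @smime_cms_tests);

    runner_loop(prefix => 'cms2cms-1', cmd1 => 'cms', cmd2 => 'cms',
                tests => [ @smime_pkcs7_tests ]);
    runner_loop(prefix => 'cms2cms-2', cmd1 => 'cms', cmd2 => 'cms',
                tests => [ @smime_cms_tests ]);
};

subtest "CMS <=> CMS consistency tests, modified key parameters\n" => sub {
    plan tests =>
        (scalar @smime_cms_param_tests) + (scalar @smime_cms_comp_tests);

    runner_loop(prefix => 'cms2cms-mod', cmd1 => 'cms', cmd2 => 'cms',
                tests => [ @smime_cms_param_tests ]);
    SKIP: {
        skip("Zlib not supported: compression tests skipped",
             scalar @smime_cms_comp_tests)
            if $no_zlib;

        runner_loop(prefix => 'cms2cms-comp', cmd1 => 'cms', cmd2 => 'cms',
                    tests => [ @smime_cms_comp_tests ]);
    }
};

# Returns the number of matches of a Content Type Attribute in a binary file.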
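sub contentType_matches {
    my ($in) = @_;

    # Read the whole file as raw bytes.  Three-argument open with a lexical
    # handle: the file name is never interpreted as a mode or pipe, and the
    # handle is private to this call.
    open(my $fh, '<', $in) or die("open failed for $in : $!");
    binmode($fh);
    local $/;
    my $str = <$fh>;
    close($fh);

    # Find ASN1 data for a Content Type Attribute (with a OID of PKCS7 data):
    # SEQUENCE { OID 1.2.840.113549.1.9.3, SET { OID 1.2.840.113549.1.7.1 } }
    my @c = $str =~ /\x30\x18\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x03\x31\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x01/gs;

    return scalar(@c);
}

# Returns 1 if the smime-type matches the passed parameter, otherwise 0.
sub smimeType_matches {
    my ($in, $expected_smime_type) = @_;

    # Read the text file
    open(my $fh, '<', $in) or die("open failed for $in : $!");
    local $/;
    my $content = <$fh>;
    close($fh);

    # Extract the Content-Type line with the smime-type attribute; a file
    # without one does not match.
    return 0
        unless $content =~ /Content-Type:\s*application\/pkcs7-mime.*smime-type=([^\s;]+)/;

    # Compare the extracted smime-type with the expected value
    return ($1 eq $expected_smime_type) ? 1 : 0;
}

# Returns the RSASSA-PSS salt length recorded in the CMS file $in, or -1 when
# it cannot be determined (asn1parse failed, or no PSS parameters were found).
sub rsapssSaltlen {
    my ($in) = @_;
    my $exit = 0;

    my @asn1parse = run(app(["openssl", "asn1parse", "-in", $in, "-dump"]),
                        capture => 1,
                        statusvar => $exit);
    return -1 if $exit != 0;

    my $pssparam_offset = -1;
    while (defined(my $line = shift @asn1parse)) {
        next unless $line =~ /:rsassaPss/;
        # This line contains :rsassaPss, the next line contains a raw dump of
        # the RSA_PSS_PARAMS sequence; obtain its offset
        my $dump = shift @asn1parse;
        last unless defined $dump;
        if ($dump =~ /^\s*(\d+):/) {
            $pssparam_offset = int($1);
        }
    }

    if ($pssparam_offset == -1) {
        # "." concatenates; "+" would add the two strings numerically and
        # print 0 instead of the message.
        note "Failed to determine RSA_PSS_PARAM offset in CMS. " .
            "Was the file correctly signed with RSASSA-PSS?";
        return -1;
    }

    my @pssparam = run(app(["openssl", "asn1parse", "-in", $in,
                            "-strparse", $pssparam_offset]),
                       capture => 1,
                       statusvar => $exit);
    return -1 if $exit != 0;

    my $saltlen = -1;
    # Can't use asn1parse -item RSA_PSS_PARAMS here, because that's deprecated.
    # This assumes the salt length is the last field, which may possibly be
    # incorrect if there is a non-standard trailer field, but there almost never
    # is in PSS.
    if (@pssparam && $pssparam[-1] =~ /prim:\s+INTEGER\s+:([A-Fa-f0-9]+)/) {
        $saltlen = hex($1);
    }

    if ($saltlen == -1) {
        note "Failed to determine salt length from RSA_PSS_PARAM struct. " .
            "Was the file correctly signed with RSASSA-PSS?";
        return -1;
    }

    return $saltlen;
}

subtest "CMS Check the content type attribute is added for additional signers\n" => sub {
    plan tests => (scalar @contenttype_cms_test);

    runner_loop(prefix => 'cms2cms-added', cmd1 => 'cms', cmd2 => 'cms',
                tests => [ @contenttype_cms_test ]);
};

subtest "CMS Check that bad attributes fail when verifying signers\n" => sub {
    plan tests =>
        (scalar @incorrect_attribute_cms_test);

    my $cnt = 0;
    foreach my $name (@incorrect_attribute_cms_test) {
        my $out = "incorrect-$cnt.txt";

        # Verification of each malformed input must fail.
        ok(!run(app(["openssl", "cms", @prov, "-verify", "-in",
                     catfile($datadir, $name), "-inform", "DER", "-CAfile",
                     $smroot, "-out", $out ])),
            $name);

        # One output file per input, so a leftover file can be traced back
        # to the input that produced it.
        $cnt++;
    }
};

subtest "CMS Check that bad encryption algorithm fails\n" => sub {
    plan tests => 1;

    SKIP: {
        skip "DES or Legacy isn't supported in this build", 1
            if disabled("des") || disabled("legacy");

        my $out = "smtst.txt";

        # The encrypt operation itself is expected to fail.
        ok(!run(app(["openssl", "cms", @legacyprov, "-encrypt",
                     "-in", $smcont,
                     "-stream", "-recip", $smrsa1,
                     "-des-ede3",
                     "-out", $out ])),
           "Encrypt with -des-ede3 is rejected");
    }
};

subtest "CMS Decrypt message encrypted with OpenSSL 1.1.1\n" => sub {
    plan tests => 1;

    SKIP: {
        skip "EC or DES isn't supported in this build", 1
            if disabled("ec") || disabled("des");

        my $out = "smtst.txt";

        ok(run(app(["openssl", "cms", @defaultprov, "-decrypt",
                    "-inkey", catfile($smdir, "smec3.pem"),
                    "-in", catfile($datadir, "ciphertext_from_1_1_1.cms"),
                    "-out", $out ]))
           && compare_text($smcont, $out) == 0,
           "Decrypt message from OpenSSL 1.1.1");
    }
};

subtest "CAdES <=> CAdES consistency tests\n" => sub {
    plan tests => (scalar @smime_cms_cades_tests);

    runner_loop(prefix => 'cms-cades', cmd1 => 'cms', cmd2 => 'cms',
                tests => [ @smime_cms_cades_tests ]);
};

subtest "CAdES; cms incompatible arguments tests\n" => sub {
    plan tests => (scalar @smime_cms_cades_invalid_option_tests);

    foreach my $test (@smime_cms_cades_invalid_option_tests) {
        ok(!run(app(["openssl", "cms", @{$$test[0]} ] )));
    }
};

subtest "CAdES ko tests\n" => sub {
    plan tests => 2 * scalar @smime_cms_cades_ko_tests;

    foreach my $test (@smime_cms_cades_ko_tests) {
        SKIP: {
            my $skip_reason = check_availability($$test[0]);
            # Each entry accounts for two planned checks, so both must be
            # reported as skipped to keep the plan consistent.
            skip $skip_reason, 2 if $skip_reason;

            # First command must succeed, second must be rejected.
            ok(run(app(["openssl", "cms", @{$$test[1]}])), $$test[0]);
            ok(!run(app(["openssl", "cms", @{$$test[3]}])), $$test[2]);
        }
    }
};

subtest "CMS binary input tests\n" => sub {
    my $input = srctop_file("test", "smcont.bin");
    my $signed = "smcont.signed";
    my $verified = "smcont.verified";

    plan tests => 11;

    # With -binary on both sides the content must round-trip unchanged.
    ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1,
                "-binary", "-in", $input, "-out", $signed])),
       "sign binary input with -binary");
    ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot,
                "-binary", "-in", $signed, "-out", $verified])),
       "verify binary input with -binary");
    is(compare($input, $verified), 0, "binary input retained with -binary");

    # Without -binary the verified output is expected to differ from the
    # input.
    ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1,
                "-in", $input, "-out", $signed.".nobin"])),
       "sign binary input without -binary");
    ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot,
                "-in", $signed.".nobin", "-out", $verified.".nobin"])),
       "verify binary input without -binary");
    is(compare($input, $verified.".nobin"), 1, "binary input not retained without -binary");
    # Signer and verifier must agree on -crlfeol; a mismatch has to fail
    # verification.
    ok(!run(app(["openssl", "cms", "-verify", "-CAfile", $smroot, "-crlfeol",
                "-binary", "-in", $signed, "-out", $verified.".crlfeol"])),
       "verify binary input wrong crlfeol");

    ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1,
                "-crlfeol",
                "-binary", "-in", $input, "-out", $signed.".crlf"])),
       "sign binary input with -binary -crlfeol");
    ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot, "-crlfeol",
                "-binary", "-in", $signed.".crlf", "-out", $verified.".crlf"])),
       "verify binary input with -binary -crlfeol");
    is(compare($input, $verified.".crlf"), 0,
       "binary input retained with -binary -crlfeol");
    ok(!run(app(["openssl", "cms", "-verify", "-CAfile", $smroot,
                "-binary", "-in", $signed.".crlf", "-out", $verified.".crlf2"])),
       "verify binary input with -binary missing -crlfeol");
};

# Test case for missing MD algorithm (must not segfault)

with({ exit_checker => sub { return shift == 4; } },
    sub {
        ok(run(app(['openssl', 'smime', '-verify', '-noverify',
                    '-inform', 'PEM',
                    '-in', data_file("pkcs7-md4.pem"),
                   ])),
            "Check failure of EVP_DigestInit is handled correctly");
    });

# Returns a skip reason when the test named $tnam needs an algorithm that is
# disabled in this build, or "" when the test can run.  The decision is made
# from keywords in the test name.
sub check_availability {
    my $tnam = shift;

    # ECDH depends on EC, so a single check covers both.
    return "$tnam: skipped, EC disabled\n"
        if ($no_ec && $tnam =~ /ECDH/);
    return "$tnam: skipped, EC2M disabled\n"
        if ($no_ec2m && $tnam =~ /K-283/);
    return "$tnam: skipped, DH disabled\n"
        if ($no_dh && $tnam =~ /X9\.42/);
    return "$tnam: skipped, RC2 disabled\n"
        if ($no_rc2 && $tnam =~ /RC2/);
    return "$tnam: skipped, DES disabled\n"
        if ($no_des && $tnam =~ /DES/);
    return "$tnam: skipped, DSA disabled\n"
        if ($no_dsa && $tnam =~ / DSA/);

    return "";
}

# Test case for the locking problem reported in #19643.
# This will fail if the fix is in and deadlock on Windows (and possibly
# other platforms) if not.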
{
    # The verify command is expected to exit with a failure, not hang.
    my @verify_args = (
        '-verify',
        '-CAfile', srctop_file("test/certs", "pkitsta.pem"),
        '-policy', 'anyPolicy',
        '-in',     srctop_file("test/smime-eml",
                               "SignedInvalidMappingFromanyPolicyTest7.eml"),
    );

    ok(!run(app(['openssl', 'cms', @verify_args])), "issue#19643");
}

# Check that kari encryption with originator does not segfault
with({ exit_checker => sub { my $status = shift; return $status == 3; } },
    sub {
        SKIP: {
            skip "EC is not supported in this build", 1 if $no_ec;

            my $originator = catfile($smdir, "smec3.pem");
            my @encrypt_args = (
                '-encrypt',
                '-in', srctop_file("test", "smcont.txt"), '-aes128',
                '-recip', catfile($smdir, "smec1.pem"),
                '-originator', $originator,
                '-inkey', $originator,
            );

            ok(run(app(['openssl', 'cms', @encrypt_args])),
               "Check failure for currently not supported kari encryption with static originator");
        }
    });

# Check that we get the expected failure return code
with({ exit_checker => sub { my $status = shift; return $status == 6; } },
    sub {
        my @encrypt_args = (
            '-encrypt',
            '-in', srctop_file("test", "smcont.txt"),
            '-aes128', '-stream',
            '-recip', srctop_file("test/smime-certs", "badrsa.pem"),
        );

        ok(run(app(['openssl', 'cms', @encrypt_args])),
           "Check failure during BIO setup with -stream is handled correctly");
    });

# Test case for return value mis-check reported in #21986
with({ exit_checker => sub { my $status = shift; return $status == 3; } },
    sub {
        SKIP: {
            skip "DSA is not supported in this build", 1 if $no_dsa;

            my @sign_args = (
                '-sign',
                '-in', srctop_file("test", "smcont.txt"),
                '-signer', srctop_file("test/smime-certs", "smdsa1.pem"),
                '-md', 'SHAKE256',
            );

            ok(run(app(['openssl', 'cms', @sign_args])), "issue#21986");
        }
    });

# Test for problem reported in #22225
with({ exit_checker => sub { my $status = shift; return $status == 3; } },
    sub {
        my @encrypt_args = (
            '-encrypt',
            '-in', srctop_file("test", "smcont.txt"),
            '-aes-256-ctr',
            '-recip', catfile($smdir, "smec1.pem"),
        );

        ok(run(app(['openssl', 'cms', @encrypt_args])),
           "Check for failure when cipher does not have an assigned OID (issue#22225)");
    });

# Test encrypt to three recipients, and decrypt using key-only;
# i.e. do not follow the recommended practice of providing the
# recipient cert in the decrypt op.
#
# Use RSAES-OAEP for key-transport, not RSAES-PKCS-v1_5.
#
# Because the cert is not provided during decrypt, all RSA ciphertexts
# are decrypted in turn, and when/if there is a valid decryption, it
# is assumed the correct content-key has been recovered.
#
# That process may fail with RSAES-PKCS-v1_5 b/c there is a
# non-negligible chance that decrypting a random input using
# RSAES-PKCS-v1_5 can result in a valid plaintext (so two content-keys
# could be recovered and the wrong one might be used).
#
# See https://github.com/openssl/project/issues/380
subtest "encrypt to three recipients with RSA-OAEP, key only decrypt" => sub {
    plan tests => 3;

    my $pt = srctop_file("test", "smcont.txt");
    my $ct = "smtst.cms";
    my $ptpt = "smtst.txt";

    # Every recipient gets its own OAEP key option, in the same order as the
    # certificates are listed.
    my @recipients = map {
        ('-recip', catfile($smdir, $_), '-keyopt', 'rsa_padding_mode:oaep')
    } ("smrsa1.pem", "smrsa2.pem", "smrsa3-cert.pem");

    my @encrypt_cmd = ('openssl', 'cms', @defaultprov,
                       '-encrypt', '-aes128',
                       '-in', $pt,
                       '-out', $ct,
                       '-stream',
                       @recipients);
    ok(run(app([ @encrypt_cmd ])),
       "encrypt to three recipients with RSA-OAEP (avoid openssl/project issue#380)");

    # Decrypt with the third recipient's private key only; no certificate
    # is supplied to select the matching RecipientInfo.
    my @decrypt_cmd = ('openssl', 'cms', @defaultprov,
                       '-decrypt', '-aes128',
                       '-in', $ct,
                       '-out', $ptpt,
                       '-inkey', catfile($smdir, "smrsa3-key.pem"));
    ok(run(app([ @decrypt_cmd ])),
       "decrypt with key only");

    is(compare($pt, $ptpt), 0, "compare original message with decrypted ciphertext");
};