1*e0c4386eSCy Schubert#! /usr/bin/env perl 2*e0c4386eSCy Schubert# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. 3*e0c4386eSCy Schubert# 4*e0c4386eSCy Schubert# Licensed under the Apache License 2.0 (the "License"). You may not use 5*e0c4386eSCy Schubert# this file except in compliance with the License. You can obtain a copy 6*e0c4386eSCy Schubert# in the file LICENSE in the source distribution or at 7*e0c4386eSCy Schubert# https://www.openssl.org/source/license.html 8*e0c4386eSCy Schubert 9*e0c4386eSCy Schubert 10*e0c4386eSCy Schubertuse strict; 11*e0c4386eSCy Schubertuse warnings; 12*e0c4386eSCy Schubert 13*e0c4386eSCy Schubertuse POSIX; 14*e0c4386eSCy Schubertuse File::Spec::Functions qw/catfile/; 15*e0c4386eSCy Schubertuse File::Compare qw/compare_text compare/; 16*e0c4386eSCy Schubertuse OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with data_file/; 17*e0c4386eSCy Schubert 18*e0c4386eSCy Schubertuse OpenSSL::Test::Utils; 19*e0c4386eSCy Schubert 20*e0c4386eSCy SchubertBEGIN { 21*e0c4386eSCy Schubert setup("test_cms"); 22*e0c4386eSCy Schubert} 23*e0c4386eSCy Schubert 24*e0c4386eSCy Schubertuse lib srctop_dir('Configurations'); 25*e0c4386eSCy Schubertuse lib bldtop_dir('.'); 26*e0c4386eSCy Schubert 27*e0c4386eSCy Schubertmy $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); 28*e0c4386eSCy Schubert 29*e0c4386eSCy Schubertplan skip_all => "CMS is not supported by this OpenSSL build" 30*e0c4386eSCy Schubert if disabled("cms"); 31*e0c4386eSCy Schubert 32*e0c4386eSCy Schubertmy $provpath = bldtop_dir("providers"); 33*e0c4386eSCy Schubert 34*e0c4386eSCy Schubert# Some tests require legacy algorithms to be included. 35*e0c4386eSCy Schubertmy @legacyprov = ("-provider-path", $provpath, 36*e0c4386eSCy Schubert "-provider", "default", 37*e0c4386eSCy Schubert "-provider", "legacy" ); 38*e0c4386eSCy Schubertmy @defaultprov = ("-provider-path", $provpath, 39*e0c4386eSCy Schubert "-provider", "default"); 40*e0c4386eSCy Schubert 41*e0c4386eSCy Schubertmy @config = ( ); 42*e0c4386eSCy Schubertmy $provname = 'default'; 43*e0c4386eSCy Schubert 44*e0c4386eSCy Schubertmy $datadir = srctop_dir("test", "recipes", "80-test_cms_data"); 45*e0c4386eSCy Schubertmy $smdir = srctop_dir("test", "smime-certs"); 46*e0c4386eSCy Schubertmy $smcont = srctop_file("test", "smcont.txt"); 47*e0c4386eSCy Schubertmy $smcont_zero = srctop_file("test", "smcont_zero.txt"); 48*e0c4386eSCy Schubertmy ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) 49*e0c4386eSCy Schubert = disabled qw/des dh dsa ec ec2m rc2 zlib/; 50*e0c4386eSCy Schubert 51*e0c4386eSCy Schubert$no_rc2 = 1 if disabled("legacy"); 52*e0c4386eSCy Schubert 53*e0c4386eSCy Schubertplan tests => 19; 54*e0c4386eSCy Schubert 55*e0c4386eSCy Schubertok(run(test(["pkcs7_test"])), "test pkcs7"); 56*e0c4386eSCy Schubert 57*e0c4386eSCy Schubertunless ($no_fips) { 58*e0c4386eSCy Schubert @config = ( "-config", srctop_file("test", "fips-and-base.cnf") ); 59*e0c4386eSCy Schubert $provname = 'fips'; 60*e0c4386eSCy Schubert} 61*e0c4386eSCy Schubert 62*e0c4386eSCy Schubert$ENV{OPENSSL_TEST_LIBCTX} = "1"; 63*e0c4386eSCy Schubertmy @prov = ("-provider-path", $provpath, 64*e0c4386eSCy Schubert @config, 65*e0c4386eSCy Schubert "-provider", $provname); 66*e0c4386eSCy Schubert 67*e0c4386eSCy Schubertmy $smrsa1024 = catfile($smdir, "smrsa1024.pem"); 68*e0c4386eSCy Schubertmy $smrsa1 = catfile($smdir, "smrsa1.pem"); 69*e0c4386eSCy Schubertmy $smroot = catfile($smdir, "smroot.pem"); 70*e0c4386eSCy Schubert 71*e0c4386eSCy Schubertmy @smime_pkcs7_tests = ( 72*e0c4386eSCy Schubert 73*e0c4386eSCy Schubert [ "signed content DER format, RSA key", 74*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", 75*e0c4386eSCy Schubert "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ], 76*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", 77*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 78*e0c4386eSCy Schubert \&final_compare 79*e0c4386eSCy Schubert ], 80*e0c4386eSCy Schubert 81*e0c4386eSCy Schubert [ "signed detached content DER format, RSA key", 82*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", 83*e0c4386eSCy Schubert "-signer", $smrsa1, "-out", "{output}.cms" ], 84*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", 85*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt", 86*e0c4386eSCy Schubert "-content", $smcont ], 87*e0c4386eSCy Schubert \&final_compare 88*e0c4386eSCy Schubert ], 89*e0c4386eSCy Schubert 90*e0c4386eSCy Schubert [ "signed content test streaming BER format, RSA", 91*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", 92*e0c4386eSCy Schubert "-stream", 93*e0c4386eSCy Schubert "-signer", $smrsa1, "-out", "{output}.cms" ], 94*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", 95*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 96*e0c4386eSCy Schubert \&final_compare 97*e0c4386eSCy Schubert ], 98*e0c4386eSCy Schubert 99*e0c4386eSCy Schubert [ "signed content DER format, DSA key", 100*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", 101*e0c4386eSCy Schubert "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], 102*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", 103*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 104*e0c4386eSCy Schubert \&final_compare 105*e0c4386eSCy Schubert ], 106*e0c4386eSCy Schubert 107*e0c4386eSCy Schubert [ "signed detached content DER format, DSA key", 108*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", 109*e0c4386eSCy Schubert "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], 110*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", 111*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt", 112*e0c4386eSCy Schubert "-content", $smcont ], 113*e0c4386eSCy Schubert \&final_compare 114*e0c4386eSCy Schubert ], 115*e0c4386eSCy Schubert 116*e0c4386eSCy Schubert [ "signed detached content DER format, add RSA signer (with DSA existing)", 117*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", 118*e0c4386eSCy Schubert "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], 119*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER", 120*e0c4386eSCy Schubert "-signer", $smrsa1, "-out", "{output}2.cms" ], 121*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}2.cms", "-inform", "DER", 122*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt", 123*e0c4386eSCy Schubert "-content", $smcont ], 124*e0c4386eSCy Schubert \&final_compare 125*e0c4386eSCy Schubert ], 126*e0c4386eSCy Schubert 127*e0c4386eSCy Schubert [ "signed content test streaming BER format, DSA key", 128*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", 129*e0c4386eSCy Schubert "-nodetach", "-stream", 130*e0c4386eSCy Schubert "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], 131*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", 132*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 133*e0c4386eSCy Schubert \&final_compare 134*e0c4386eSCy Schubert ], 135*e0c4386eSCy Schubert 136*e0c4386eSCy Schubert [ "signed content test streaming BER format, 2 DSA and 2 RSA keys", 137*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", 138*e0c4386eSCy Schubert "-nodetach", "-stream", 139*e0c4386eSCy Schubert "-signer", $smrsa1, 140*e0c4386eSCy Schubert "-signer", catfile($smdir, "smrsa2.pem"), 141*e0c4386eSCy Schubert "-signer", catfile($smdir, "smdsa1.pem"), 142*e0c4386eSCy Schubert "-signer", catfile($smdir, "smdsa2.pem"), 143*e0c4386eSCy Schubert "-out", "{output}.cms" ], 144*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", 145*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 146*e0c4386eSCy Schubert \&final_compare 147*e0c4386eSCy Schubert ], 148*e0c4386eSCy Schubert 149*e0c4386eSCy Schubert [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes", 150*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", 151*e0c4386eSCy Schubert "-noattr", "-nodetach", "-stream", 152*e0c4386eSCy Schubert "-signer", $smrsa1, 153*e0c4386eSCy Schubert "-signer", catfile($smdir, "smrsa2.pem"), 154*e0c4386eSCy Schubert "-signer", catfile($smdir, "smdsa1.pem"), 155*e0c4386eSCy Schubert "-signer", catfile($smdir, "smdsa2.pem"), 156*e0c4386eSCy Schubert "-out", "{output}.cms" ], 157*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", 158*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 159*e0c4386eSCy Schubert \&final_compare 160*e0c4386eSCy Schubert ], 161*e0c4386eSCy Schubert 162*e0c4386eSCy Schubert [ "signed content S/MIME format, RSA key SHA1", 163*e0c4386eSCy Schubert [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1", 164*e0c4386eSCy Schubert "-certfile", $smroot, 165*e0c4386eSCy Schubert "-signer", $smrsa1, "-out", "{output}.cms" ], 166*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", 167*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 168*e0c4386eSCy Schubert \&final_compare 169*e0c4386eSCy Schubert ], 170*e0c4386eSCy Schubert 171*e0c4386eSCy Schubert [ "signed zero-length content S/MIME format, RSA key SHA1", 172*e0c4386eSCy Schubert [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1", 173*e0c4386eSCy Schubert "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ], 174*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", 175*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 176*e0c4386eSCy Schubert \&zero_compare 177*e0c4386eSCy Schubert ], 178*e0c4386eSCy Schubert 179*e0c4386eSCy Schubert [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys", 180*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach", 181*e0c4386eSCy Schubert "-signer", $smrsa1, 182*e0c4386eSCy Schubert "-signer", catfile($smdir, "smrsa2.pem"), 183*e0c4386eSCy Schubert "-signer", catfile($smdir, "smdsa1.pem"), 184*e0c4386eSCy Schubert "-signer", catfile($smdir, "smdsa2.pem"), 185*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms" ], 186*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", 187*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 188*e0c4386eSCy Schubert \&final_compare 189*e0c4386eSCy Schubert ], 190*e0c4386eSCy Schubert 191*e0c4386eSCy Schubert [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys", 192*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-in", $smcont, 193*e0c4386eSCy Schubert "-signer", $smrsa1, 194*e0c4386eSCy Schubert "-signer", catfile($smdir, "smrsa2.pem"), 195*e0c4386eSCy Schubert "-signer", catfile($smdir, "smdsa1.pem"), 196*e0c4386eSCy Schubert "-signer", catfile($smdir, "smdsa2.pem"), 197*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms" ], 198*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", 199*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 200*e0c4386eSCy Schubert \&final_compare 201*e0c4386eSCy Schubert ], 202*e0c4386eSCy Schubert 203*e0c4386eSCy Schubert [ "enveloped content test streaming S/MIME format, DES, 3 recipients", 204*e0c4386eSCy Schubert [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, 205*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms", 206*e0c4386eSCy Schubert $smrsa1, 207*e0c4386eSCy Schubert catfile($smdir, "smrsa2.pem"), 208*e0c4386eSCy Schubert catfile($smdir, "smrsa3.pem") ], 209*e0c4386eSCy Schubert [ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1, 210*e0c4386eSCy Schubert "-in", "{output}.cms", "-out", "{output}.txt" ], 211*e0c4386eSCy Schubert \&final_compare 212*e0c4386eSCy Schubert ], 213*e0c4386eSCy Schubert 214*e0c4386eSCy Schubert [ "enveloped content test streaming S/MIME format, DES, 3 recipients, 3rd used", 215*e0c4386eSCy Schubert [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, 216*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms", 217*e0c4386eSCy Schubert $smrsa1, 218*e0c4386eSCy Schubert catfile($smdir, "smrsa2.pem"), 219*e0c4386eSCy Schubert catfile($smdir, "smrsa3.pem") ], 220*e0c4386eSCy Schubert [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smrsa3.pem"), 221*e0c4386eSCy Schubert "-in", "{output}.cms", "-out", "{output}.txt" ], 222*e0c4386eSCy Schubert \&final_compare 223*e0c4386eSCy Schubert ], 224*e0c4386eSCy Schubert 225*e0c4386eSCy Schubert [ "enveloped content test streaming S/MIME format, DES, 3 recipients, cert and key files used", 226*e0c4386eSCy Schubert [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, 227*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms", 228*e0c4386eSCy Schubert $smrsa1, 229*e0c4386eSCy Schubert catfile($smdir, "smrsa2.pem"), 230*e0c4386eSCy Schubert catfile($smdir, "smrsa3-cert.pem") ], 231*e0c4386eSCy Schubert [ "{cmd2}", @defaultprov, "-decrypt", 232*e0c4386eSCy Schubert "-recip", catfile($smdir, "smrsa3-cert.pem"), 233*e0c4386eSCy Schubert "-inkey", catfile($smdir, "smrsa3-key.pem"), 234*e0c4386eSCy Schubert "-in", "{output}.cms", "-out", "{output}.txt" ], 235*e0c4386eSCy Schubert \&final_compare 236*e0c4386eSCy Schubert ], 237*e0c4386eSCy Schubert 238*e0c4386eSCy Schubert [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients", 239*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, 240*e0c4386eSCy Schubert "-aes256", "-stream", "-out", "{output}.cms", 241*e0c4386eSCy Schubert $smrsa1, 242*e0c4386eSCy Schubert catfile($smdir, "smrsa2.pem"), 243*e0c4386eSCy Schubert catfile($smdir, "smrsa3.pem") ], 244*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-decrypt", "-recip", $smrsa1, 245*e0c4386eSCy Schubert "-in", "{output}.cms", "-out", "{output}.txt" ], 246*e0c4386eSCy Schubert \&final_compare 247*e0c4386eSCy Schubert ], 248*e0c4386eSCy Schubert 249*e0c4386eSCy Schubert); 250*e0c4386eSCy Schubert 251*e0c4386eSCy Schubertmy @smime_cms_tests = ( 252*e0c4386eSCy Schubert 253*e0c4386eSCy Schubert [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid", 254*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", 255*e0c4386eSCy Schubert "-nodetach", "-keyid", 256*e0c4386eSCy Schubert "-signer", $smrsa1, 257*e0c4386eSCy Schubert "-signer", catfile($smdir, "smrsa2.pem"), 258*e0c4386eSCy Schubert "-signer", catfile($smdir, "smdsa1.pem"), 259*e0c4386eSCy Schubert "-signer", catfile($smdir, "smdsa2.pem"), 260*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms" ], 261*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", 262*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 263*e0c4386eSCy Schubert \&final_compare 264*e0c4386eSCy Schubert ], 265*e0c4386eSCy Schubert 266*e0c4386eSCy Schubert [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys", 267*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", 268*e0c4386eSCy Schubert "-signer", $smrsa1, 269*e0c4386eSCy Schubert "-signer", catfile($smdir, "smrsa2.pem"), 270*e0c4386eSCy Schubert "-signer", catfile($smdir, "smdsa1.pem"), 271*e0c4386eSCy Schubert "-signer", catfile($smdir, "smdsa2.pem"), 272*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms" ], 273*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM", 274*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 275*e0c4386eSCy Schubert \&final_compare 276*e0c4386eSCy Schubert ], 277*e0c4386eSCy Schubert 278*e0c4386eSCy Schubert [ "signed content MIME format, RSA key, signed receipt request", 279*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach", 280*e0c4386eSCy Schubert "-signer", $smrsa1, 281*e0c4386eSCy Schubert "-receipt_request_to", "test\@openssl.org", "-receipt_request_all", 282*e0c4386eSCy Schubert "-out", "{output}.cms" ], 283*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", 284*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 285*e0c4386eSCy Schubert \&final_compare 286*e0c4386eSCy Schubert ], 287*e0c4386eSCy Schubert 288*e0c4386eSCy Schubert [ "signed receipt MIME format, RSA key", 289*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach", 290*e0c4386eSCy Schubert "-signer", $smrsa1, 291*e0c4386eSCy Schubert "-receipt_request_to", "test\@openssl.org", "-receipt_request_all", 292*e0c4386eSCy Schubert "-out", "{output}.cms" ], 293*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign_receipt", "-in", "{output}.cms", 294*e0c4386eSCy Schubert "-signer", catfile($smdir, "smrsa2.pem"), "-out", "{output}2.cms" ], 295*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify_receipt", "{output}2.cms", "-in", "{output}.cms", 296*e0c4386eSCy Schubert "-CAfile", $smroot ] 297*e0c4386eSCy Schubert ], 298*e0c4386eSCy Schubert 299*e0c4386eSCy Schubert [ "enveloped content test streaming S/MIME format, DES, 3 recipients, keyid", 300*e0c4386eSCy Schubert [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, 301*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms", "-keyid", 302*e0c4386eSCy Schubert $smrsa1, 303*e0c4386eSCy Schubert catfile($smdir, "smrsa2.pem"), 304*e0c4386eSCy Schubert catfile($smdir, "smrsa3.pem") ], 305*e0c4386eSCy Schubert [ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1, 306*e0c4386eSCy Schubert "-in", "{output}.cms", "-out", "{output}.txt" ], 307*e0c4386eSCy Schubert \&final_compare 308*e0c4386eSCy Schubert ], 309*e0c4386eSCy Schubert 310*e0c4386eSCy Schubert [ "enveloped content test streaming PEM format, AES-256-CBC cipher, KEK", 311*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128", 312*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms", 313*e0c4386eSCy Schubert "-secretkey", "000102030405060708090A0B0C0D0E0F", 314*e0c4386eSCy Schubert "-secretkeyid", "C0FEE0" ], 315*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt", 316*e0c4386eSCy Schubert "-inform", "PEM", 317*e0c4386eSCy Schubert "-secretkey", "000102030405060708090A0B0C0D0E0F", 318*e0c4386eSCy Schubert "-secretkeyid", "C0FEE0" ], 319*e0c4386eSCy Schubert \&final_compare 320*e0c4386eSCy Schubert ], 321*e0c4386eSCy Schubert 322*e0c4386eSCy Schubert [ "enveloped content test streaming PEM format, AES-256-GCM cipher, KEK", 323*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes-128-gcm", 324*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms", 325*e0c4386eSCy Schubert "-secretkey", "000102030405060708090A0B0C0D0E0F", 326*e0c4386eSCy Schubert "-secretkeyid", "C0FEE0" ], 327*e0c4386eSCy Schubert [ "{cmd2}", "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt", 328*e0c4386eSCy Schubert "-inform", "PEM", 329*e0c4386eSCy Schubert "-secretkey", "000102030405060708090A0B0C0D0E0F", 330*e0c4386eSCy Schubert "-secretkeyid", "C0FEE0" ], 331*e0c4386eSCy Schubert \&final_compare 332*e0c4386eSCy Schubert ], 333*e0c4386eSCy Schubert 334*e0c4386eSCy Schubert [ "enveloped content test streaming PEM format, KEK, key only", 335*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128", 336*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms", 337*e0c4386eSCy Schubert "-secretkey", "000102030405060708090A0B0C0D0E0F", 338*e0c4386eSCy Schubert "-secretkeyid", "C0FEE0" ], 339*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-decrypt", "-in", "{output}.cms", "-out", "{output}.txt", 340*e0c4386eSCy Schubert "-inform", "PEM", 341*e0c4386eSCy Schubert "-secretkey", "000102030405060708090A0B0C0D0E0F" ], 342*e0c4386eSCy Schubert \&final_compare 343*e0c4386eSCy Schubert ], 344*e0c4386eSCy Schubert 345*e0c4386eSCy Schubert [ "data content test streaming PEM format", 346*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-data_create", "-in", $smcont, "-outform", "PEM", 347*e0c4386eSCy Schubert "-nodetach", "-stream", "-out", "{output}.cms" ], 348*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-data_out", "-in", "{output}.cms", "-inform", "PEM", 349*e0c4386eSCy Schubert "-out", "{output}.txt" ], 350*e0c4386eSCy Schubert \&final_compare 351*e0c4386eSCy Schubert ], 352*e0c4386eSCy Schubert 353*e0c4386eSCy Schubert [ "encrypted content test streaming PEM format, 128 bit RC2 key", 354*e0c4386eSCy Schubert [ "{cmd1}", @legacyprov, "-EncryptedData_encrypt", 355*e0c4386eSCy Schubert "-in", $smcont, "-outform", "PEM", 356*e0c4386eSCy Schubert "-rc2", "-secretkey", "000102030405060708090A0B0C0D0E0F", 357*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms" ], 358*e0c4386eSCy Schubert [ "{cmd2}", @legacyprov, "-EncryptedData_decrypt", "-in", "{output}.cms", 359*e0c4386eSCy Schubert "-inform", "PEM", 360*e0c4386eSCy Schubert "-secretkey", "000102030405060708090A0B0C0D0E0F", 361*e0c4386eSCy Schubert "-out", "{output}.txt" ], 362*e0c4386eSCy Schubert \&final_compare 363*e0c4386eSCy Schubert ], 364*e0c4386eSCy Schubert 365*e0c4386eSCy Schubert [ "encrypted content test streaming PEM format, 40 bit RC2 key", 366*e0c4386eSCy Schubert [ "{cmd1}", @legacyprov, "-EncryptedData_encrypt", 367*e0c4386eSCy Schubert "-in", $smcont, "-outform", "PEM", 368*e0c4386eSCy Schubert "-rc2", "-secretkey", "0001020304", 369*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms" ], 370*e0c4386eSCy Schubert [ "{cmd2}", @legacyprov, "-EncryptedData_decrypt", "-in", "{output}.cms", 371*e0c4386eSCy Schubert "-inform", "PEM", 372*e0c4386eSCy Schubert "-secretkey", "0001020304", "-out", "{output}.txt" ], 373*e0c4386eSCy Schubert \&final_compare 374*e0c4386eSCy Schubert ], 375*e0c4386eSCy Schubert 376*e0c4386eSCy Schubert [ "encrypted content test streaming PEM format, triple DES key", 377*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", 378*e0c4386eSCy Schubert "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617", 379*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms" ], 380*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-EncryptedData_decrypt", "-in", "{output}.cms", 381*e0c4386eSCy Schubert "-inform", "PEM", 382*e0c4386eSCy Schubert "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617", 383*e0c4386eSCy Schubert "-out", "{output}.txt" ], 384*e0c4386eSCy Schubert \&final_compare 385*e0c4386eSCy Schubert ], 386*e0c4386eSCy Schubert 387*e0c4386eSCy Schubert [ "encrypted content test streaming PEM format, 128 bit AES key", 388*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", 389*e0c4386eSCy Schubert "-aes128", "-secretkey", "000102030405060708090A0B0C0D0E0F", 390*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms" ], 391*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-EncryptedData_decrypt", "-in", "{output}.cms", 392*e0c4386eSCy Schubert "-inform", "PEM", 393*e0c4386eSCy Schubert "-secretkey", "000102030405060708090A0B0C0D0E0F", 394*e0c4386eSCy Schubert "-out", "{output}.txt" ], 395*e0c4386eSCy Schubert \&final_compare 396*e0c4386eSCy Schubert ], 397*e0c4386eSCy Schubert); 398*e0c4386eSCy Schubert 399*e0c4386eSCy Schubertmy @smime_cms_cades_tests = ( 400*e0c4386eSCy Schubert 401*e0c4386eSCy Schubert [ "signed content DER format, RSA key, CAdES-BES compatible", 402*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-cades", "-in", $smcont, "-outform", "DER", 403*e0c4386eSCy Schubert "-nodetach", 404*e0c4386eSCy Schubert "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ], 405*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER", 406*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 407*e0c4386eSCy Schubert \&final_compare 408*e0c4386eSCy Schubert ], 409*e0c4386eSCy Schubert 410*e0c4386eSCy Schubert [ "signed content DER format, RSA key, SHA256 md, CAdES-BES compatible", 411*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-cades", "-md", "sha256", "-in", $smcont, "-outform", 412*e0c4386eSCy Schubert "DER", "-nodetach", "-certfile", $smroot, 413*e0c4386eSCy Schubert "-signer", $smrsa1, "-out", "{output}.cms" ], 414*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER", 415*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 416*e0c4386eSCy Schubert \&final_compare 417*e0c4386eSCy Schubert ], 418*e0c4386eSCy Schubert 419*e0c4386eSCy Schubert [ "signed content DER format, RSA key, SHA512 md, CAdES-BES compatible", 420*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-cades", "-md", "sha512", "-in", $smcont, "-outform", 421*e0c4386eSCy Schubert "DER", "-nodetach", "-certfile", $smroot, 422*e0c4386eSCy Schubert "-signer", $smrsa1, "-out", "{output}.cms" ], 423*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER", 424*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 425*e0c4386eSCy Schubert \&final_compare 426*e0c4386eSCy Schubert ], 427*e0c4386eSCy Schubert 428*e0c4386eSCy Schubert [ "signed content DER format, RSA key, SHA256 md, CAdES-BES compatible", 429*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256", 430*e0c4386eSCy Schubert "-in", $smcont, "-outform", "DER", 431*e0c4386eSCy Schubert "-certfile", $smroot, "-signer", $smrsa1, 432*e0c4386eSCy Schubert "-outform", "DER", "-out", "{output}.cms" ], 433*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER", 434*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 435*e0c4386eSCy Schubert \&final_compare 436*e0c4386eSCy Schubert ], 437*e0c4386eSCy Schubert 438*e0c4386eSCy Schubert [ "resigned content DER format, RSA key, SHA256 md, CAdES-BES compatible", 439*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256", 440*e0c4386eSCy Schubert "-in", $smcont, "-outform", "DER", 441*e0c4386eSCy Schubert "-certfile", $smroot, "-signer", $smrsa1, 442*e0c4386eSCy Schubert "-outform", "DER", "-out", "{output}.cms" ], 443*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-resign", "-cades", "-binary", "-nodetach", "-nosmimecap", "-md", "sha256", 444*e0c4386eSCy Schubert "-inform", "DER", "-in", "{output}.cms", 445*e0c4386eSCy Schubert "-certfile", $smroot, "-signer", catfile($smdir, "smrsa2.pem"), 446*e0c4386eSCy Schubert "-outform", "DER", "-out", "{output}2.cms" ], 447*e0c4386eSCy Schubert 448*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-cades", "-in", "{output}2.cms", "-inform", "DER", 449*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 450*e0c4386eSCy Schubert \&final_compare 451*e0c4386eSCy Schubert ], 452*e0c4386eSCy Schubert); 453*e0c4386eSCy Schubert 454*e0c4386eSCy Schubertmy @smime_cms_cades_ko_tests = ( 455*e0c4386eSCy Schubert [ "sign content DER format, RSA key, not CAdES-BES compatible", 456*e0c4386eSCy Schubert [ @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", 457*e0c4386eSCy Schubert "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ], 458*e0c4386eSCy Schubert "fail to verify token since requiring CAdES-BES compatibility", 459*e0c4386eSCy Schubert [ @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER", 460*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 461*e0c4386eSCy Schubert \&final_compare 462*e0c4386eSCy Schubert ] 463*e0c4386eSCy Schubert); 464*e0c4386eSCy Schubert 465*e0c4386eSCy Schubert# cades options test - check that some combinations are rejected 466*e0c4386eSCy Schubertmy @smime_cms_cades_invalid_option_tests = ( 467*e0c4386eSCy Schubert [ 468*e0c4386eSCy Schubert [ "-cades", "-noattr" ], 469*e0c4386eSCy Schubert ],[ 470*e0c4386eSCy Schubert [ "-verify", "-cades", "-noattr" ], 471*e0c4386eSCy Schubert ],[ 472*e0c4386eSCy Schubert [ "-verify", "-cades", "-noverify" ], 473*e0c4386eSCy Schubert ], 474*e0c4386eSCy Schubert); 475*e0c4386eSCy Schubert 476*e0c4386eSCy Schubertmy @smime_cms_comp_tests = ( 477*e0c4386eSCy Schubert 478*e0c4386eSCy Schubert [ "compressed content test streaming PEM format", 479*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-compress", "-in", $smcont, "-outform", "PEM", "-nodetach", 480*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms" ], 481*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-uncompress", "-in", "{output}.cms", "-inform", "PEM", 482*e0c4386eSCy Schubert "-out", "{output}.txt" ], 483*e0c4386eSCy Schubert \&final_compare 484*e0c4386eSCy Schubert ] 485*e0c4386eSCy Schubert 486*e0c4386eSCy Schubert); 487*e0c4386eSCy Schubert 488*e0c4386eSCy Schubertmy @smime_cms_param_tests = ( 489*e0c4386eSCy Schubert [ "signed content test streaming PEM format, RSA keys, PSS signature", 490*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", 491*e0c4386eSCy Schubert "-signer", $smrsa1, 492*e0c4386eSCy Schubert "-keyopt", "rsa_padding_mode:pss", 493*e0c4386eSCy Schubert "-out", "{output}.cms" ], 494*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM", 495*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 496*e0c4386eSCy Schubert \&final_compare 497*e0c4386eSCy Schubert ], 498*e0c4386eSCy Schubert 499*e0c4386eSCy Schubert [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=max", 500*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", 501*e0c4386eSCy Schubert "-signer", $smrsa1, 502*e0c4386eSCy Schubert "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:max", 503*e0c4386eSCy Schubert "-out", "{output}.cms" ], 504*e0c4386eSCy Schubert sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 222; }, 505*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM", 506*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 507*e0c4386eSCy Schubert \&final_compare 508*e0c4386eSCy Schubert ], 509*e0c4386eSCy Schubert 510*e0c4386eSCy Schubert [ "signed content test streaming PEM format, RSA keys, PSS signature, no attributes", 511*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", 512*e0c4386eSCy Schubert "-noattr", "-signer", $smrsa1, 513*e0c4386eSCy Schubert "-keyopt", "rsa_padding_mode:pss", 514*e0c4386eSCy Schubert "-out", "{output}.cms" ], 515*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM", 516*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 517*e0c4386eSCy Schubert \&final_compare 518*e0c4386eSCy Schubert ], 519*e0c4386eSCy Schubert 520*e0c4386eSCy Schubert [ "signed content test streaming PEM format, RSA keys, PSS signature, SHA384 MGF1", 521*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", 522*e0c4386eSCy Schubert "-signer", $smrsa1, 523*e0c4386eSCy Schubert "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_mgf1_md:sha384", 524*e0c4386eSCy Schubert "-out", "{output}.cms" ], 525*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM", 526*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 527*e0c4386eSCy Schubert \&final_compare 528*e0c4386eSCy Schubert ], 529*e0c4386eSCy Schubert 530*e0c4386eSCy Schubert [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=16", 531*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", 532*e0c4386eSCy Schubert "-signer", $smrsa1, "-md", "sha256", 533*e0c4386eSCy Schubert "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:16", 534*e0c4386eSCy Schubert "-out", "{output}.cms" ], 535*e0c4386eSCy Schubert sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 16; }, 536*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM", 537*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 538*e0c4386eSCy Schubert \&final_compare 539*e0c4386eSCy Schubert ], 540*e0c4386eSCy Schubert 541*e0c4386eSCy Schubert [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=digest", 542*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", 543*e0c4386eSCy Schubert "-signer", $smrsa1, "-md", "sha256", 544*e0c4386eSCy Schubert "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:digest", 545*e0c4386eSCy Schubert "-out", "{output}.cms" ], 546*e0c4386eSCy Schubert # digest is SHA-256, which produces 32 bytes of output 547*e0c4386eSCy Schubert sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 32; }, 548*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM", 549*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ], 550*e0c4386eSCy Schubert \&final_compare 551*e0c4386eSCy Schubert ], 552*e0c4386eSCy Schubert 553*e0c4386eSCy Schubert [ "enveloped content test streaming S/MIME format, DES, OAEP default parameters", 554*e0c4386eSCy Schubert [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, 555*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms", 556*e0c4386eSCy Schubert "-recip", $smrsa1, 557*e0c4386eSCy Schubert "-keyopt", "rsa_padding_mode:oaep" ], 558*e0c4386eSCy Schubert [ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1, 559*e0c4386eSCy Schubert "-in", "{output}.cms", "-out", "{output}.txt" ], 560*e0c4386eSCy Schubert \&final_compare 561*e0c4386eSCy Schubert ], 562*e0c4386eSCy Schubert 563*e0c4386eSCy Schubert [ "enveloped content test streaming S/MIME format, DES, OAEP SHA256", 564*e0c4386eSCy Schubert [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, 565*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms", 566*e0c4386eSCy Schubert "-recip", $smrsa1, 567*e0c4386eSCy Schubert "-keyopt", "rsa_padding_mode:oaep", 568*e0c4386eSCy Schubert "-keyopt", "rsa_oaep_md:sha256" ], 569*e0c4386eSCy Schubert [ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1, 570*e0c4386eSCy Schubert "-in", "{output}.cms", "-out", "{output}.txt" ], 571*e0c4386eSCy Schubert \&final_compare 572*e0c4386eSCy Schubert ], 573*e0c4386eSCy Schubert 574*e0c4386eSCy Schubert [ "enveloped content test streaming S/MIME format, DES, ECDH", 575*e0c4386eSCy Schubert [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, 576*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms", 577*e0c4386eSCy Schubert "-recip", catfile($smdir, "smec1.pem") ], 578*e0c4386eSCy Schubert [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"), 579*e0c4386eSCy Schubert "-in", "{output}.cms", "-out", "{output}.txt" ], 580*e0c4386eSCy Schubert \&final_compare 581*e0c4386eSCy Schubert ], 582*e0c4386eSCy Schubert 583*e0c4386eSCy Schubert [ "enveloped content test streaming S/MIME format, DES, ECDH, 2 recipients, key only used", 584*e0c4386eSCy Schubert [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, 585*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms", 586*e0c4386eSCy Schubert catfile($smdir, "smec1.pem"), 587*e0c4386eSCy Schubert catfile($smdir, "smec3.pem") ], 588*e0c4386eSCy Schubert [ "{cmd2}", @defaultprov, "-decrypt", "-inkey", catfile($smdir, "smec3.pem"), 589*e0c4386eSCy Schubert "-in", "{output}.cms", "-out", "{output}.txt" ], 590*e0c4386eSCy Schubert \&final_compare 591*e0c4386eSCy Schubert ], 592*e0c4386eSCy Schubert 593*e0c4386eSCy Schubert [ "enveloped content test streaming S/MIME format, ECDH, DES, key identifier", 594*e0c4386eSCy Schubert [ "{cmd1}", @defaultprov, "-encrypt", "-keyid", "-in", $smcont, 595*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms", 596*e0c4386eSCy Schubert "-recip", catfile($smdir, "smec1.pem") ], 597*e0c4386eSCy Schubert [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"), 598*e0c4386eSCy Schubert "-in", "{output}.cms", "-out", "{output}.txt" ], 599*e0c4386eSCy Schubert \&final_compare 600*e0c4386eSCy Schubert ], 601*e0c4386eSCy Schubert 602*e0c4386eSCy Schubert [ "enveloped content test streaming S/MIME format, ECDH, AES-128-CBC, SHA256 KDF", 603*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, 604*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms", 605*e0c4386eSCy Schubert "-recip", catfile($smdir, "smec1.pem"), "-aes128", 606*e0c4386eSCy Schubert "-keyopt", "ecdh_kdf_md:sha256" ], 607*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smec1.pem"), 608*e0c4386eSCy Schubert "-in", "{output}.cms", "-out", "{output}.txt" ], 609*e0c4386eSCy Schubert \&final_compare 610*e0c4386eSCy Schubert ], 611*e0c4386eSCy Schubert 612*e0c4386eSCy Schubert [ "enveloped content test streaming S/MIME format, ECDH, AES-128-GCM cipher, SHA256 KDF", 613*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, 614*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms", 615*e0c4386eSCy Schubert "-recip", catfile($smdir, "smec1.pem"), "-aes-128-gcm", "-keyopt", "ecdh_kdf_md:sha256" ], 616*e0c4386eSCy Schubert [ "{cmd2}", "-decrypt", "-recip", catfile($smdir, "smec1.pem"), 617*e0c4386eSCy Schubert "-in", "{output}.cms", "-out", "{output}.txt" ], 618*e0c4386eSCy Schubert \&final_compare 619*e0c4386eSCy Schubert ], 620*e0c4386eSCy Schubert 621*e0c4386eSCy Schubert [ "enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH", 622*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, 623*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms", 624*e0c4386eSCy Schubert "-recip", catfile($smdir, "smec2.pem"), "-aes128", 625*e0c4386eSCy Schubert "-keyopt", "ecdh_kdf_md:sha256", "-keyopt", "ecdh_cofactor_mode:1" ], 626*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smec2.pem"), 627*e0c4386eSCy Schubert "-in", "{output}.cms", "-out", "{output}.txt" ], 628*e0c4386eSCy Schubert \&final_compare 629*e0c4386eSCy Schubert ], 630*e0c4386eSCy Schubert 631*e0c4386eSCy Schubert [ "enveloped content test streaming S/MIME format, X9.42 DH", 632*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, 633*e0c4386eSCy Schubert "-stream", "-out", "{output}.cms", 634*e0c4386eSCy Schubert "-recip", catfile($smdir, "smdh.pem"), "-aes128" ], 635*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), 636*e0c4386eSCy Schubert "-in", "{output}.cms", "-out", "{output}.txt" ], 637*e0c4386eSCy Schubert \&final_compare 638*e0c4386eSCy Schubert ] 639*e0c4386eSCy Schubert); 640*e0c4386eSCy Schubert 641*e0c4386eSCy Schubertmy @contenttype_cms_test = ( 642*e0c4386eSCy Schubert [ "signed content test - check that content type is added to additional signerinfo, RSA keys", 643*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-sign", "-binary", "-nodetach", "-stream", "-in", $smcont, 644*e0c4386eSCy Schubert "-outform", "DER", "-signer", $smrsa1, "-md", "SHA256", 645*e0c4386eSCy Schubert "-out", "{output}.cms" ], 646*e0c4386eSCy Schubert [ "{cmd1}", @prov, "-resign", "-binary", "-nodetach", "-in", "{output}.cms", 647*e0c4386eSCy Schubert "-inform", "DER", "-outform", "DER", 648*e0c4386eSCy Schubert "-signer", catfile($smdir, "smrsa2.pem"), "-md", "SHA256", 649*e0c4386eSCy Schubert "-out", "{output}2.cms" ], 650*e0c4386eSCy Schubert sub { my %opts = @_; contentType_matches("$opts{output}2.cms") == 2; }, 651*e0c4386eSCy Schubert [ "{cmd2}", @prov, "-verify", "-in", "{output}2.cms", "-inform", "DER", 652*e0c4386eSCy Schubert "-CAfile", $smroot, "-out", "{output}.txt" ] 653*e0c4386eSCy Schubert ], 654*e0c4386eSCy Schubert); 655*e0c4386eSCy Schubert 656*e0c4386eSCy Schubertmy @incorrect_attribute_cms_test = ( 657*e0c4386eSCy Schubert "bad_signtime_attr.cms", 658*e0c4386eSCy Schubert "no_ct_attr.cms", 659*e0c4386eSCy Schubert "no_md_attr.cms", 660*e0c4386eSCy Schubert "ct_multiple_attr.cms" 661*e0c4386eSCy Schubert); 662*e0c4386eSCy Schubert 663*e0c4386eSCy Schubert# Runs a standard loop on the input array 664*e0c4386eSCy Schubertsub runner_loop { 665*e0c4386eSCy Schubert my %opts = ( @_ ); 666*e0c4386eSCy Schubert my $cnt1 = 0; 667*e0c4386eSCy Schubert 668*e0c4386eSCy Schubert foreach (@{$opts{tests}}) { 669*e0c4386eSCy Schubert $cnt1++; 670*e0c4386eSCy Schubert $opts{output} = "$opts{prefix}-$cnt1"; 671*e0c4386eSCy Schubert SKIP: { 672*e0c4386eSCy Schubert my $skip_reason = check_availability($$_[0]); 673*e0c4386eSCy Schubert skip $skip_reason, 1 if $skip_reason; 674*e0c4386eSCy Schubert my $ok = 1; 675*e0c4386eSCy Schubert 1 while unlink "$opts{output}.txt"; 676*e0c4386eSCy Schubert 677*e0c4386eSCy Schubert foreach (@$_[1..$#$_]) { 678*e0c4386eSCy Schubert if (ref $_ eq 'CODE') { 679*e0c4386eSCy Schubert $ok &&= $_->(%opts); 680*e0c4386eSCy Schubert } else { 681*e0c4386eSCy Schubert my @cmd = map { 682*e0c4386eSCy Schubert my $x = $_; 683*e0c4386eSCy Schubert while ($x =~ /\{([^\}]+)\}/) { 684*e0c4386eSCy Schubert $x = $`.$opts{$1}.$' if exists $opts{$1}; 685*e0c4386eSCy Schubert } 686*e0c4386eSCy Schubert $x; 687*e0c4386eSCy Schubert } @$_; 688*e0c4386eSCy Schubert 689*e0c4386eSCy Schubert diag "CMD: openssl ", join(" ", @cmd); 690*e0c4386eSCy Schubert $ok &&= run(app(["openssl", @cmd])); 691*e0c4386eSCy Schubert $opts{input} = $opts{output}; 692*e0c4386eSCy Schubert } 693*e0c4386eSCy Schubert } 694*e0c4386eSCy Schubert 695*e0c4386eSCy Schubert ok($ok, $$_[0]); 696*e0c4386eSCy Schubert } 697*e0c4386eSCy Schubert } 698*e0c4386eSCy Schubert} 699*e0c4386eSCy Schubert 700*e0c4386eSCy Schubertsub final_compare { 701*e0c4386eSCy Schubert my %opts = @_; 702*e0c4386eSCy Schubert 703*e0c4386eSCy Schubert diag "Comparing $smcont with $opts{output}.txt"; 704*e0c4386eSCy Schubert return compare_text($smcont, "$opts{output}.txt") == 0; 705*e0c4386eSCy Schubert} 706*e0c4386eSCy Schubert 707*e0c4386eSCy Schubertsub zero_compare { 708*e0c4386eSCy Schubert my %opts = @_; 709*e0c4386eSCy Schubert 710*e0c4386eSCy Schubert diag "Checking for zero-length file"; 711*e0c4386eSCy Schubert return (-e "$opts{output}.txt" && -z "$opts{output}.txt"); 712*e0c4386eSCy Schubert} 713*e0c4386eSCy Schubert 714*e0c4386eSCy Schubertsubtest "CMS => PKCS#7 compatibility tests\n" => sub { 715*e0c4386eSCy Schubert plan tests => scalar @smime_pkcs7_tests; 716*e0c4386eSCy Schubert 717*e0c4386eSCy Schubert runner_loop(prefix => 'cms2pkcs7', cmd1 => 'cms', cmd2 => 'smime', 718*e0c4386eSCy Schubert tests => [ @smime_pkcs7_tests ]); 719*e0c4386eSCy Schubert}; 720*e0c4386eSCy Schubertsubtest "CMS <= PKCS#7 compatibility tests\n" => sub { 721*e0c4386eSCy Schubert plan tests => scalar @smime_pkcs7_tests; 722*e0c4386eSCy Schubert 723*e0c4386eSCy Schubert runner_loop(prefix => 'pkcs72cms', cmd1 => 'smime', cmd2 => 'cms', 724*e0c4386eSCy Schubert tests => [ @smime_pkcs7_tests ]); 725*e0c4386eSCy Schubert}; 726*e0c4386eSCy Schubert 727*e0c4386eSCy Schubertsubtest "CMS <=> CMS consistency tests\n" => sub { 728*e0c4386eSCy Schubert plan tests => (scalar @smime_pkcs7_tests) + (scalar @smime_cms_tests); 729*e0c4386eSCy Schubert 730*e0c4386eSCy Schubert runner_loop(prefix => 'cms2cms-1', cmd1 => 'cms', cmd2 => 'cms', 731*e0c4386eSCy Schubert tests => [ @smime_pkcs7_tests ]); 732*e0c4386eSCy Schubert runner_loop(prefix => 'cms2cms-2', cmd1 => 'cms', cmd2 => 'cms', 733*e0c4386eSCy Schubert tests => [ @smime_cms_tests ]); 734*e0c4386eSCy Schubert}; 735*e0c4386eSCy Schubert 736*e0c4386eSCy Schubertsubtest "CMS <=> CMS consistency tests, modified key parameters\n" => sub { 737*e0c4386eSCy Schubert plan tests => 738*e0c4386eSCy Schubert (scalar @smime_cms_param_tests) + (scalar @smime_cms_comp_tests); 739*e0c4386eSCy Schubert 740*e0c4386eSCy Schubert runner_loop(prefix => 'cms2cms-mod', cmd1 => 'cms', cmd2 => 'cms', 741*e0c4386eSCy Schubert tests => [ @smime_cms_param_tests ]); 742*e0c4386eSCy Schubert SKIP: { 743*e0c4386eSCy Schubert skip("Zlib not supported: compression tests skipped", 744*e0c4386eSCy Schubert scalar @smime_cms_comp_tests) 745*e0c4386eSCy Schubert if $no_zlib; 746*e0c4386eSCy Schubert 747*e0c4386eSCy Schubert runner_loop(prefix => 'cms2cms-comp', cmd1 => 'cms', cmd2 => 'cms', 748*e0c4386eSCy Schubert tests => [ @smime_cms_comp_tests ]); 749*e0c4386eSCy Schubert } 750*e0c4386eSCy Schubert}; 751*e0c4386eSCy Schubert 752*e0c4386eSCy Schubert# Returns the number of matches of a Content Type Attribute in a binary file. 753*e0c4386eSCy Schubertsub contentType_matches { 754*e0c4386eSCy Schubert # Read in a binary file 755*e0c4386eSCy Schubert my ($in) = @_; 756*e0c4386eSCy Schubert open (HEX_IN, "$in") or die("open failed for $in : $!"); 757*e0c4386eSCy Schubert binmode(HEX_IN); 758*e0c4386eSCy Schubert local $/; 759*e0c4386eSCy Schubert my $str = <HEX_IN>; 760*e0c4386eSCy Schubert 761*e0c4386eSCy Schubert # Find ASN1 data for a Content Type Attribute (with a OID of PKCS7 data) 762*e0c4386eSCy Schubert my @c = $str =~ /\x30\x18\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x03\x31\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x01/gs; 763*e0c4386eSCy Schubert 764*e0c4386eSCy Schubert close(HEX_IN); 765*e0c4386eSCy Schubert return scalar(@c); 766*e0c4386eSCy Schubert} 767*e0c4386eSCy Schubert 768*e0c4386eSCy Schubertsub rsapssSaltlen { 769*e0c4386eSCy Schubert my ($in) = @_; 770*e0c4386eSCy Schubert my $exit = 0; 771*e0c4386eSCy Schubert 772*e0c4386eSCy Schubert my @asn1parse = run(app(["openssl", "asn1parse", "-in", $in, "-dump"]), 773*e0c4386eSCy Schubert capture => 1, 774*e0c4386eSCy Schubert statusvar => $exit); 775*e0c4386eSCy Schubert return -1 if $exit != 0; 776*e0c4386eSCy Schubert 777*e0c4386eSCy Schubert my $pssparam_offset = -1; 778*e0c4386eSCy Schubert while ($_ = shift @asn1parse) { 779*e0c4386eSCy Schubert chomp; 780*e0c4386eSCy Schubert next unless /:rsassaPss/; 781*e0c4386eSCy Schubert # This line contains :rsassaPss, the next line contains a raw dump of the 782*e0c4386eSCy Schubert # RSA_PSS_PARAMS sequence; obtain its offset 783*e0c4386eSCy Schubert $_ = shift @asn1parse; 784*e0c4386eSCy Schubert if (/^\s*(\d+):/) { 785*e0c4386eSCy Schubert $pssparam_offset = int($1); 786*e0c4386eSCy Schubert } 787*e0c4386eSCy Schubert } 788*e0c4386eSCy Schubert 789*e0c4386eSCy Schubert if ($pssparam_offset == -1) { 790*e0c4386eSCy Schubert note "Failed to determine RSA_PSS_PARAM offset in CMS. " + 791*e0c4386eSCy Schubert "Was the file correctly signed with RSASSA-PSS?"; 792*e0c4386eSCy Schubert return -1; 793*e0c4386eSCy Schubert } 794*e0c4386eSCy Schubert 795*e0c4386eSCy Schubert my @pssparam = run(app(["openssl", "asn1parse", "-in", $in, 796*e0c4386eSCy Schubert "-strparse", $pssparam_offset]), 797*e0c4386eSCy Schubert capture => 1, 798*e0c4386eSCy Schubert statusvar => $exit); 799*e0c4386eSCy Schubert return -1 if $exit != 0; 800*e0c4386eSCy Schubert 801*e0c4386eSCy Schubert my $saltlen = -1; 802*e0c4386eSCy Schubert # Can't use asn1parse -item RSA_PSS_PARAMS here, because that's deprecated. 803*e0c4386eSCy Schubert # This assumes the salt length is the last field, which may possibly be 804*e0c4386eSCy Schubert # incorrect if there is a non-standard trailer field, but there almost never 805*e0c4386eSCy Schubert # is in PSS. 806*e0c4386eSCy Schubert if ($pssparam[-1] =~ /prim:\s+INTEGER\s+:([A-Fa-f0-9]+)/) { 807*e0c4386eSCy Schubert $saltlen = hex($1); 808*e0c4386eSCy Schubert } 809*e0c4386eSCy Schubert 810*e0c4386eSCy Schubert if ($saltlen == -1) { 811*e0c4386eSCy Schubert note "Failed to determine salt length from RSA_PSS_PARAM struct. " + 812*e0c4386eSCy Schubert "Was the file correctly signed with RSASSA-PSS?"; 813*e0c4386eSCy Schubert return -1; 814*e0c4386eSCy Schubert } 815*e0c4386eSCy Schubert 816*e0c4386eSCy Schubert return $saltlen; 817*e0c4386eSCy Schubert} 818*e0c4386eSCy Schubert 819*e0c4386eSCy Schubertsubtest "CMS Check the content type attribute is added for additional signers\n" => sub { 820*e0c4386eSCy Schubert plan tests => (scalar @contenttype_cms_test); 821*e0c4386eSCy Schubert 822*e0c4386eSCy Schubert runner_loop(prefix => 'cms2cms-added', cmd1 => 'cms', cmd2 => 'cms', 823*e0c4386eSCy Schubert tests => [ @contenttype_cms_test ]); 824*e0c4386eSCy Schubert}; 825*e0c4386eSCy Schubert 826*e0c4386eSCy Schubertsubtest "CMS Check that bad attributes fail when verifying signers\n" => sub { 827*e0c4386eSCy Schubert plan tests => 828*e0c4386eSCy Schubert (scalar @incorrect_attribute_cms_test); 829*e0c4386eSCy Schubert 830*e0c4386eSCy Schubert my $cnt = 0; 831*e0c4386eSCy Schubert foreach my $name (@incorrect_attribute_cms_test) { 832*e0c4386eSCy Schubert my $out = "incorrect-$cnt.txt"; 833*e0c4386eSCy Schubert 834*e0c4386eSCy Schubert ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", 835*e0c4386eSCy Schubert catfile($datadir, $name), "-inform", "DER", "-CAfile", 836*e0c4386eSCy Schubert $smroot, "-out", $out ])), 837*e0c4386eSCy Schubert $name); 838*e0c4386eSCy Schubert } 839*e0c4386eSCy Schubert}; 840*e0c4386eSCy Schubert 841*e0c4386eSCy Schubertsubtest "CMS Check that bad encryption algorithm fails\n" => sub { 842*e0c4386eSCy Schubert plan tests => 1; 843*e0c4386eSCy Schubert 844*e0c4386eSCy Schubert SKIP: { 845*e0c4386eSCy Schubert skip "DES or Legacy isn't supported in this build", 1 846*e0c4386eSCy Schubert if disabled("des") || disabled("legacy"); 847*e0c4386eSCy Schubert 848*e0c4386eSCy Schubert my $out = "smtst.txt"; 849*e0c4386eSCy Schubert 850*e0c4386eSCy Schubert ok(!run(app(["openssl", "cms", @legacyprov, "-encrypt", 851*e0c4386eSCy Schubert "-in", $smcont, 852*e0c4386eSCy Schubert "-stream", "-recip", $smrsa1, 853*e0c4386eSCy Schubert "-des-ede3", 854*e0c4386eSCy Schubert "-out", $out ])), 855*e0c4386eSCy Schubert "Decrypt message from OpenSSL 1.1.1"); 856*e0c4386eSCy Schubert } 857*e0c4386eSCy Schubert}; 858*e0c4386eSCy Schubert 859*e0c4386eSCy Schubertsubtest "CMS Decrypt message encrypted with OpenSSL 1.1.1\n" => sub { 860*e0c4386eSCy Schubert plan tests => 1; 861*e0c4386eSCy Schubert 862*e0c4386eSCy Schubert SKIP: { 863*e0c4386eSCy Schubert skip "EC or DES isn't supported in this build", 1 864*e0c4386eSCy Schubert if disabled("ec") || disabled("des"); 865*e0c4386eSCy Schubert 866*e0c4386eSCy Schubert my $out = "smtst.txt"; 867*e0c4386eSCy Schubert 868*e0c4386eSCy Schubert ok(run(app(["openssl", "cms", @defaultprov, "-decrypt", 869*e0c4386eSCy Schubert "-inkey", catfile($smdir, "smec3.pem"), 870*e0c4386eSCy Schubert "-in", catfile($datadir, "ciphertext_from_1_1_1.cms"), 871*e0c4386eSCy Schubert "-out", $out ])) 872*e0c4386eSCy Schubert && compare_text($smcont, $out) == 0, 873*e0c4386eSCy Schubert "Decrypt message from OpenSSL 1.1.1"); 874*e0c4386eSCy Schubert } 875*e0c4386eSCy Schubert}; 876*e0c4386eSCy Schubert 877*e0c4386eSCy Schubertsubtest "CAdES <=> CAdES consistency tests\n" => sub { 878*e0c4386eSCy Schubert plan tests => (scalar @smime_cms_cades_tests); 879*e0c4386eSCy Schubert 880*e0c4386eSCy Schubert runner_loop(prefix => 'cms-cades', cmd1 => 'cms', cmd2 => 'cms', 881*e0c4386eSCy Schubert tests => [ @smime_cms_cades_tests ]); 882*e0c4386eSCy Schubert}; 883*e0c4386eSCy Schubert 884*e0c4386eSCy Schubertsubtest "CAdES; cms incompatible arguments tests\n" => sub { 885*e0c4386eSCy Schubert plan tests => (scalar @smime_cms_cades_invalid_option_tests); 886*e0c4386eSCy Schubert 887*e0c4386eSCy Schubert foreach (@smime_cms_cades_invalid_option_tests) { 888*e0c4386eSCy Schubert ok(!run(app(["openssl", "cms", @{$$_[0]} ] ))); 889*e0c4386eSCy Schubert } 890*e0c4386eSCy Schubert}; 891*e0c4386eSCy Schubert 892*e0c4386eSCy Schubertsubtest "CAdES ko tests\n" => sub { 893*e0c4386eSCy Schubert plan tests => 2 * scalar @smime_cms_cades_ko_tests; 894*e0c4386eSCy Schubert 895*e0c4386eSCy Schubert foreach (@smime_cms_cades_ko_tests) { 896*e0c4386eSCy Schubert SKIP: { 897*e0c4386eSCy Schubert my $skip_reason = check_availability($$_[0]); 898*e0c4386eSCy Schubert skip $skip_reason, 1 if $skip_reason; 899*e0c4386eSCy Schubert 900*e0c4386eSCy Schubert ok(run(app(["openssl", "cms", @{$$_[1]}])), $$_[0]); 901*e0c4386eSCy Schubert ok(!run(app(["openssl", "cms", @{$$_[3]}])), $$_[2]); 902*e0c4386eSCy Schubert } 903*e0c4386eSCy Schubert } 904*e0c4386eSCy Schubert}; 905*e0c4386eSCy Schubert 906*e0c4386eSCy Schubertsubtest "CMS binary input tests\n" => sub { 907*e0c4386eSCy Schubert my $input = srctop_file("test", "smcont.bin"); 908*e0c4386eSCy Schubert my $signed = "smcont.signed"; 909*e0c4386eSCy Schubert my $verified = "smcont.verified"; 910*e0c4386eSCy Schubert 911*e0c4386eSCy Schubert plan tests => 11; 912*e0c4386eSCy Schubert 913*e0c4386eSCy Schubert ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1, 914*e0c4386eSCy Schubert "-binary", "-in", $input, "-out", $signed])), 915*e0c4386eSCy Schubert "sign binary input with -binary"); 916*e0c4386eSCy Schubert ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot, 917*e0c4386eSCy Schubert "-binary", "-in", $signed, "-out", $verified])), 918*e0c4386eSCy Schubert "verify binary input with -binary"); 919*e0c4386eSCy Schubert is(compare($input, $verified), 0, "binary input retained with -binary"); 920*e0c4386eSCy Schubert 921*e0c4386eSCy Schubert ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1, 922*e0c4386eSCy Schubert "-in", $input, "-out", $signed.".nobin"])), 923*e0c4386eSCy Schubert "sign binary input without -binary"); 924*e0c4386eSCy Schubert ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot, 925*e0c4386eSCy Schubert "-in", $signed.".nobin", "-out", $verified.".nobin"])), 926*e0c4386eSCy Schubert "verify binary input without -binary"); 927*e0c4386eSCy Schubert is(compare($input, $verified.".nobin"), 1, "binary input not retained without -binary"); 928*e0c4386eSCy Schubert ok(!run(app(["openssl", "cms", "-verify", "-CAfile", $smroot, "-crlfeol", 929*e0c4386eSCy Schubert "-binary", "-in", $signed, "-out", $verified.".crlfeol"])), 930*e0c4386eSCy Schubert "verify binary input wrong crlfeol"); 931*e0c4386eSCy Schubert 932*e0c4386eSCy Schubert ok(run(app(["openssl", "cms", "-sign", "-md", "sha256", "-signer", $smrsa1, 933*e0c4386eSCy Schubert "-crlfeol", 934*e0c4386eSCy Schubert "-binary", "-in", $input, "-out", $signed.".crlf"])), 935*e0c4386eSCy Schubert "sign binary input with -binary -crlfeol"); 936*e0c4386eSCy Schubert ok(run(app(["openssl", "cms", "-verify", "-CAfile", $smroot, "-crlfeol", 937*e0c4386eSCy Schubert "-binary", "-in", $signed.".crlf", "-out", $verified.".crlf"])), 938*e0c4386eSCy Schubert "verify binary input with -binary -crlfeol"); 939*e0c4386eSCy Schubert is(compare($input, $verified.".crlf"), 0, 940*e0c4386eSCy Schubert "binary input retained with -binary -crlfeol"); 941*e0c4386eSCy Schubert ok(!run(app(["openssl", "cms", "-verify", "-CAfile", $smroot, 942*e0c4386eSCy Schubert "-binary", "-in", $signed.".crlf", "-out", $verified.".crlf2"])), 943*e0c4386eSCy Schubert "verify binary input with -binary missing -crlfeol"); 944*e0c4386eSCy Schubert}; 945*e0c4386eSCy Schubert 946*e0c4386eSCy Schubert# Test case for missing MD algorithm (must not segfault) 947*e0c4386eSCy Schubert 948*e0c4386eSCy Schubertwith({ exit_checker => sub { return shift == 4; } }, 949*e0c4386eSCy Schubert sub { 950*e0c4386eSCy Schubert ok(run(app(['openssl', 'smime', '-verify', '-noverify', 951*e0c4386eSCy Schubert '-inform', 'PEM', 952*e0c4386eSCy Schubert '-in', data_file("pkcs7-md4.pem"), 953*e0c4386eSCy Schubert ])), 954*e0c4386eSCy Schubert "Check failure of EVP_DigestInit is handled correctly"); 955*e0c4386eSCy Schubert }); 956*e0c4386eSCy Schubert 957*e0c4386eSCy Schubertsub check_availability { 958*e0c4386eSCy Schubert my $tnam = shift; 959*e0c4386eSCy Schubert 960*e0c4386eSCy Schubert return "$tnam: skipped, EC disabled\n" 961*e0c4386eSCy Schubert if ($no_ec && $tnam =~ /ECDH/); 962*e0c4386eSCy Schubert return "$tnam: skipped, ECDH disabled\n" 963*e0c4386eSCy Schubert if ($no_ec && $tnam =~ /ECDH/); 964*e0c4386eSCy Schubert return "$tnam: skipped, EC2M disabled\n" 965*e0c4386eSCy Schubert if ($no_ec2m && $tnam =~ /K-283/); 966*e0c4386eSCy Schubert return "$tnam: skipped, DH disabled\n" 967*e0c4386eSCy Schubert if ($no_dh && $tnam =~ /X9\.42/); 968*e0c4386eSCy Schubert return "$tnam: skipped, RC2 disabled\n" 969*e0c4386eSCy Schubert if ($no_rc2 && $tnam =~ /RC2/); 970*e0c4386eSCy Schubert return "$tnam: skipped, DES disabled\n" 971*e0c4386eSCy Schubert if ($no_des && $tnam =~ /DES/); 972*e0c4386eSCy Schubert return "$tnam: skipped, DSA disabled\n" 973*e0c4386eSCy Schubert if ($no_dsa && $tnam =~ / DSA/); 974*e0c4386eSCy Schubert 975*e0c4386eSCy Schubert return ""; 976*e0c4386eSCy Schubert} 977*e0c4386eSCy Schubert 978*e0c4386eSCy Schubert# Test case for the locking problem reported in #19643. 979*e0c4386eSCy Schubert# This will fail if the fix is in and deadlock on Windows (and possibly 980*e0c4386eSCy Schubert# other platforms) if not. 981*e0c4386eSCy Schubertok(!run(app(['openssl', 'cms', '-verify', 982*e0c4386eSCy Schubert '-CAfile', srctop_file("test/certs", "pkitsta.pem"), 983*e0c4386eSCy Schubert '-policy', 'anyPolicy', 984*e0c4386eSCy Schubert '-in', srctop_file("test/smime-eml", 985*e0c4386eSCy Schubert "SignedInvalidMappingFromanyPolicyTest7.eml") 986*e0c4386eSCy Schubert ])), 987*e0c4386eSCy Schubert "issue#19643"); 988*e0c4386eSCy Schubert 989*e0c4386eSCy Schubert# Check that we get the expected failure return code 990*e0c4386eSCy Schubertwith({ exit_checker => sub { return shift == 6; } }, 991*e0c4386eSCy Schubert sub { 992*e0c4386eSCy Schubert ok(run(app(['openssl', 'cms', '-encrypt', 993*e0c4386eSCy Schubert '-in', srctop_file("test", "smcont.txt"), 994*e0c4386eSCy Schubert '-aes128', '-stream', '-recip', 995*e0c4386eSCy Schubert srctop_file("test/smime-certs", "badrsa.pem"), 996*e0c4386eSCy Schubert ])), 997*e0c4386eSCy Schubert "Check failure during BIO setup with -stream is handled correctly"); 998*e0c4386eSCy Schubert }); 999*e0c4386eSCy Schubert 1000*e0c4386eSCy Schubert# Test case for return value mis-check reported in #21986 1001*e0c4386eSCy Schubertwith({ exit_checker => sub { return shift == 3; } }, 1002*e0c4386eSCy Schubert sub { 1003*e0c4386eSCy Schubert SKIP: { 1004*e0c4386eSCy Schubert skip "DSA is not supported in this build", 1 if $no_dsa; 1005*e0c4386eSCy Schubert 1006*e0c4386eSCy Schubert ok(run(app(['openssl', 'cms', '-sign', 1007*e0c4386eSCy Schubert '-in', srctop_file("test", "smcont.txt"), 1008*e0c4386eSCy Schubert '-signer', srctop_file("test/smime-certs", "smdsa1.pem"), 1009*e0c4386eSCy Schubert '-md', 'SHAKE256'])), 1010*e0c4386eSCy Schubert "issue#21986"); 1011*e0c4386eSCy Schubert } 1012*e0c4386eSCy Schubert }); 1013*e0c4386eSCy Schubert 1014*e0c4386eSCy Schubert# Test for problem reported in #22225 1015*e0c4386eSCy Schubertwith({ exit_checker => sub { return shift == 3; } }, 1016*e0c4386eSCy Schubert sub { 1017*e0c4386eSCy Schubert ok(run(app(['openssl', 'cms', '-encrypt', 1018*e0c4386eSCy Schubert '-in', srctop_file("test", "smcont.txt"), 1019*e0c4386eSCy Schubert '-aes-256-ctr', '-recip', 1020*e0c4386eSCy Schubert catfile($smdir, "smec1.pem"), 1021*e0c4386eSCy Schubert ])), 1022*e0c4386eSCy Schubert "Check for failure when cipher does not have an assigned OID (issue#22225)"); 1023*e0c4386eSCy Schubert }); 1024*e0c4386eSCy Schubert 1025*e0c4386eSCy Schubert# Test encrypt to three recipients, and decrypt using key-only; 1026*e0c4386eSCy Schubert# i.e. do not follow the recommended practice of providing the 1027*e0c4386eSCy Schubert# recipient cert in the decrypt op. 1028*e0c4386eSCy Schubert# 1029*e0c4386eSCy Schubert# Use RSAES-OAEP for key-transport, not RSAES-PKCS-v1_5. 1030*e0c4386eSCy Schubert# 1031*e0c4386eSCy Schubert# Because the cert is not provided during decrypt, all RSA ciphertexts 1032*e0c4386eSCy Schubert# are decrypted in turn, and when/if there is a valid decryption, it 1033*e0c4386eSCy Schubert# is assumed the correct content-key has been recovered. 1034*e0c4386eSCy Schubert# 1035*e0c4386eSCy Schubert# That process may fail with RSAES-PKCS-v1_5 b/c there is a 1036*e0c4386eSCy Schubert# non-negligible chance that decrypting a random input using 1037*e0c4386eSCy Schubert# RSAES-PKCS-v1_5 can result in a valid plaintext (so two content-keys 1038*e0c4386eSCy Schubert# could be recovered and the wrong one might be used). 1039*e0c4386eSCy Schubert# 1040*e0c4386eSCy Schubert# See https://github.com/openssl/project/issues/380 1041*e0c4386eSCy Schubertsubtest "encrypt to three recipients with RSA-OAEP, key only decrypt" => sub { 1042*e0c4386eSCy Schubert plan tests => 3; 1043*e0c4386eSCy Schubert 1044*e0c4386eSCy Schubert my $pt = srctop_file("test", "smcont.txt"); 1045*e0c4386eSCy Schubert my $ct = "smtst.cms"; 1046*e0c4386eSCy Schubert my $ptpt = "smtst.txt"; 1047*e0c4386eSCy Schubert 1048*e0c4386eSCy Schubert ok(run(app(['openssl', 'cms', 1049*e0c4386eSCy Schubert @defaultprov, 1050*e0c4386eSCy Schubert '-encrypt', '-aes128', 1051*e0c4386eSCy Schubert '-in', $pt, 1052*e0c4386eSCy Schubert '-out', $ct, 1053*e0c4386eSCy Schubert '-stream', 1054*e0c4386eSCy Schubert '-recip', catfile($smdir, "smrsa1.pem"), 1055*e0c4386eSCy Schubert '-keyopt', 'rsa_padding_mode:oaep', 1056*e0c4386eSCy Schubert '-recip', catfile($smdir, "smrsa2.pem"), 1057*e0c4386eSCy Schubert '-keyopt', 'rsa_padding_mode:oaep', 1058*e0c4386eSCy Schubert '-recip', catfile($smdir, "smrsa3-cert.pem"), 1059*e0c4386eSCy Schubert '-keyopt', 'rsa_padding_mode:oaep', 1060*e0c4386eSCy Schubert ])), 1061*e0c4386eSCy Schubert "encrypt to three recipients with RSA-OAEP (avoid openssl/project issue#380)"); 1062*e0c4386eSCy Schubert ok(run(app(['openssl', 'cms', 1063*e0c4386eSCy Schubert @defaultprov, 1064*e0c4386eSCy Schubert '-decrypt', '-aes128', 1065*e0c4386eSCy Schubert '-in', $ct, 1066*e0c4386eSCy Schubert '-out', $ptpt, 1067*e0c4386eSCy Schubert '-inkey', catfile($smdir, "smrsa3-key.pem"), 1068*e0c4386eSCy Schubert ])), 1069*e0c4386eSCy Schubert "decrypt with key only"); 1070*e0c4386eSCy Schubert is(compare($pt, $ptpt), 0, "compare original message with decrypted ciphertext"); 1071*e0c4386eSCy Schubert}; 1072