/* SPDX-License-Identifier: LGPL-2.1+ */
/*
* Dan Williams <dcbw@redhat.com>
* Copyright (C) 2007 - 2011 Red Hat, Inc.
*/
#include "nm-default.h"
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include "nm-crypto-impl.h"
#include "nm-utils.h"
#include "nm-errors.h"
#include "nm-core-internal.h"
#include "nm-utils/nm-test-utils.h"
#define TEST_CERT_DIR NM_BUILD_SRCDIR "/libnm-core/tests/certs"
#if 0
static const char *pem_rsa_key_begin = "-----BEGIN RSA PRIVATE KEY-----";
static const char *pem_rsa_key_end = "-----END RSA PRIVATE KEY-----";
static const char *pem_dsa_key_begin = "-----BEGIN DSA PRIVATE KEY-----";
static const char *pem_dsa_key_end = "-----END DSA PRIVATE KEY-----";
static void
dump_key_to_pem (const char *key, gsize key_len, int key_type)
{
char *b64 = NULL;
GString *str = NULL;
const char *start_tag;
const char *end_tag;
char *p;
switch (key_type) {
case NM_CRYPTO_KEY_TYPE_RSA:
start_tag = pem_rsa_key_begin;
end_tag = pem_rsa_key_end;
break;
case NM_CRYPTO_KEY_TYPE_DSA:
start_tag = pem_dsa_key_begin;
end_tag = pem_dsa_key_end;
break;
default:
g_warning ("Unknown key type %d", key_type);
return;
}
b64 = g_base64_encode ((const unsigned char *) key, key_len);
if (!b64) {
g_warning ("Couldn't base64 encode the key.");
goto out;
}
str = g_string_new (NULL);
g_string_append (str, start_tag);
g_string_append_c (str, '\n');
for (p = b64; p < (b64 + strlen (b64)); p += 64) {
g_string_append_len (str, p, strnlen (p, 64));
g_string_append_c (str, '\n');
}
g_string_append (str, end_tag);
g_string_append_c (str, '\n');
g_message ("Decrypted private key:\n\n%s", str->str);
out:
g_free (b64);
if (str)
g_string_free (str, TRUE);
}
#endif
static void
test_cert(gconstpointer test_data)
{
gs_free char * path = NULL;
gs_unref_bytes GBytes *cert = NULL;
NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
GError * error = NULL;
gboolean success;
path = g_build_filename(TEST_CERT_DIR, (const char *) test_data, NULL);
success = nm_crypto_load_and_verify_certificate(path, &format, &cert, &error);
nmtst_assert_success(success, error);
g_assert_cmpint(format, ==, NM_CRYPTO_FILE_FORMAT_X509);
g_assert(nm_utils_file_is_certificate(path));
}
static void
test_load_private_key(const char *path,
const char *password,
const char *decrypted_path,
int expected_error)
{
NMCryptoKeyType key_type = NM_CRYPTO_KEY_TYPE_UNKNOWN;
gboolean is_encrypted = FALSE;
gs_unref_bytes GBytes *array = NULL;
GError * error = NULL;
g_assert(nm_utils_file_is_private_key(path, &is_encrypted));
g_assert(is_encrypted);
array = nmtst_crypto_decrypt_openssl_private_key(path, password, &key_type, &error);
/* Even if the password is wrong, we should determine the key type */
g_assert_cmpint(key_type, ==, NM_CRYPTO_KEY_TYPE_RSA);
if (expected_error != -1) {
g_assert(array == NULL);
g_assert_error(error, NM_CRYPTO_ERROR, expected_error);
g_clear_error(&error);
return;
}
if (password == NULL) {
g_assert(array == NULL);
g_assert_no_error(error);
return;
}
g_assert(array != NULL);
if (decrypted_path) {
gs_free char *contents = NULL;
gsize length;
/* Compare the crypto decrypted key against a known-good decryption */
if (!g_file_get_contents(decrypted_path, &contents, &length, NULL))
g_assert_not_reached();
g_assert(nm_utils_gbytes_equal_mem(array, contents, length));
}
}
static void
test_load_pkcs12(const char *path, const char *password, int expected_error)
{
NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
gboolean is_encrypted = FALSE;
GError * error = NULL;
g_assert(nm_utils_file_is_private_key(path, NULL));
format = nm_crypto_verify_private_key(path, password, &is_encrypted, &error);
if (expected_error != -1) {
g_assert_error(error, NM_CRYPTO_ERROR, expected_error);
g_assert_cmpint(format, ==, NM_CRYPTO_FILE_FORMAT_UNKNOWN);
g_clear_error(&error);
} else {
g_assert_no_error(error);
g_assert_cmpint(format, ==, NM_CRYPTO_FILE_FORMAT_PKCS12);
g_assert(is_encrypted);
}
}
static void
test_load_pkcs12_no_password(const char *path)
{
NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
gboolean is_encrypted = FALSE;
GError * error = NULL;
g_assert(nm_utils_file_is_private_key(path, NULL));
/* We should still get a valid returned crypto file format */
format = nm_crypto_verify_private_key(path, NULL, &is_encrypted, &error);
g_assert_no_error(error);
g_assert_cmpint(format, ==, NM_CRYPTO_FILE_FORMAT_PKCS12);
g_assert(is_encrypted);
}
static void
test_is_pkcs12(const char *path, gboolean expect_fail)
{
gboolean is_pkcs12;
GError * error = NULL;
is_pkcs12 = nm_crypto_is_pkcs12_file(path, &error);
if (expect_fail) {
g_assert_error(error, NM_CRYPTO_ERROR, NM_CRYPTO_ERROR_INVALID_DATA);
g_assert(!is_pkcs12);
g_clear_error(&error);
} else {
g_assert_no_error(error);
g_assert(is_pkcs12);
}
}
static void
test_load_pkcs8(const char *path, const char *password, int expected_error)
{
NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
gboolean is_encrypted = FALSE;
GError * error = NULL;
g_assert(nm_utils_file_is_private_key(path, NULL));
format = nm_crypto_verify_private_key(path, password, &is_encrypted, &error);
if (expected_error != -1) {
g_assert_error(error, NM_CRYPTO_ERROR, expected_error);
g_assert_cmpint(format, ==, NM_CRYPTO_FILE_FORMAT_UNKNOWN);
g_clear_error(&error);
} else {
g_assert_no_error(error);
g_assert_cmpint(format, ==, NM_CRYPTO_FILE_FORMAT_RAW_KEY);
g_assert(is_encrypted);
}
}
static void
test_encrypt_private_key(const char *path, const char *password)
{
NMCryptoKeyType key_type = NM_CRYPTO_KEY_TYPE_UNKNOWN;
gs_unref_bytes GBytes *array = NULL;
gs_unref_bytes GBytes *encrypted = NULL;
gs_unref_bytes GBytes *re_decrypted = NULL;
GError * error = NULL;
array = nmtst_crypto_decrypt_openssl_private_key(path, password, &key_type, &error);
nmtst_assert_success(array, error);
g_assert_cmpint(key_type, ==, NM_CRYPTO_KEY_TYPE_RSA);
/* Now re-encrypt the private key */
encrypted = nmtst_crypto_rsa_key_encrypt(g_bytes_get_data(array, NULL),
g_bytes_get_size(array),
password,
NULL,
&error);
nmtst_assert_success(encrypted, error);
/* Then re-decrypt the private key */
key_type = NM_CRYPTO_KEY_TYPE_UNKNOWN;
re_decrypted = nmtst_crypto_decrypt_openssl_private_key_data(g_bytes_get_data(encrypted, NULL),
g_bytes_get_size(encrypted),
password,
&key_type,
&error);
nmtst_assert_success(re_decrypted, error);
g_assert_cmpint(key_type, ==, NM_CRYPTO_KEY_TYPE_RSA);
/* Compare the original decrypted key with the re-decrypted key */
g_assert(g_bytes_equal(array, re_decrypted));
}
static void
test_key(gconstpointer test_data)
{
char **parts, *path, *password, *decrypted_path;
int len;
parts = g_strsplit((const char *) test_data, ", ", -1);
len = g_strv_length(parts);
if (len != 2 && len != 3)
g_error("wrong number of arguments (<key file>, <password>, [<decrypted key file>])");
path = g_build_filename(TEST_CERT_DIR, parts[0], NULL);
password = parts[1];
decrypted_path = parts[2] ? g_build_filename(TEST_CERT_DIR, parts[2], NULL) : NULL;
test_is_pkcs12(path, TRUE);
test_load_private_key(path, password, decrypted_path, -1);
test_load_private_key(path, "blahblahblah", NULL, NM_CRYPTO_ERROR_DECRYPTION_FAILED);
test_load_private_key(path, NULL, NULL, -1);
test_encrypt_private_key(path, password);
g_free(path);
g_free(decrypted_path);
g_strfreev(parts);
}
static void
test_key_decrypted(gconstpointer test_data)
{
const char *file = (const char *) test_data;
gboolean is_encrypted = FALSE;
char * path;
path = g_build_filename(TEST_CERT_DIR, file, NULL);
g_assert(nm_utils_file_is_private_key(path, &is_encrypted));
g_assert(!is_encrypted);
g_free(path);
}
static void
test_pkcs12(gconstpointer test_data)
{
char **parts, *path, *password;
parts = g_strsplit((const char *) test_data, ", ", -1);
if (g_strv_length(parts) != 2)
g_error("wrong number of arguments (<file>, <password>)");
path = g_build_filename(TEST_CERT_DIR, parts[0], NULL);
password = parts[1];
test_is_pkcs12(path, FALSE);
test_load_pkcs12(path, password, -1);
test_load_pkcs12(path, "blahblahblah", NM_CRYPTO_ERROR_DECRYPTION_FAILED);
test_load_pkcs12_no_password(path);
g_free(path);
g_strfreev(parts);
}
static void
test_pkcs8(gconstpointer test_data)
{
char **parts, *path, *password;
parts = g_strsplit((const char *) test_data, ", ", -1);
if (g_strv_length(parts) != 2)
g_error("wrong number of arguments (<file>, <password>)");
path = g_build_filename(TEST_CERT_DIR, parts[0], NULL);
password = parts[1];
test_is_pkcs12(path, TRUE);
/* Note: NSS and gnutls < 3.5.4 don't support all the ciphers that openssl
* can use with PKCS#8 and thus the password can't be actually verified with
* such libraries.
*/
test_load_pkcs8(path, password, -1);
g_free(path);
g_strfreev(parts);
}
#define SALT "sodium chloride"
#define SHORT_PASSWORD "short"
#define LONG_PASSWORD "this is a longer password than the short one"
#define SHORT_DIGEST 16
#define LONG_DIGEST 57
struct {
const char *salt, *password;
gsize digest_size;
const char *result;
} md5_tests[] = {
{NULL, SHORT_PASSWORD, SHORT_DIGEST, "4f09daa9d95bcb166a302407a0e0babe"},
{NULL,
SHORT_PASSWORD,
LONG_DIGEST,
"4f09daa9d95bcb166a302407a0e0babeb7d62e5baf706830d007c253f0fe7584ad7e92dc00a599ec277293c298ae7"
"0ee3904c348e23be61c91"},
{SALT, SHORT_PASSWORD, SHORT_DIGEST, "774771f7292210233b5724991d1f9894"},
{SALT,
SHORT_PASSWORD,
LONG_DIGEST,
"774771f7292210233b5724991d1f98941a6ffdb45e4dc7fa04b1fa6aceed379c1ade0577bc8f261d109942ed57369"
"21c052664d72e0d5bade9"},
{NULL, LONG_PASSWORD, SHORT_DIGEST, "e9c03517f81ff29bb777dac21fb1699c"},
{NULL,
LONG_PASSWORD,
LONG_DIGEST,
"e9c03517f81ff29bb777dac21fb1699c50968c7ccd8db4f0a59d00ffd87b05876d45f25a927d51a8400c35af60fbd"
"64584349a8b7435d62fd9"},
{SALT, LONG_PASSWORD, SHORT_DIGEST, "4e5c076e2f85f5e03994acbf3a9e10d6"},
{SALT,
LONG_PASSWORD,
LONG_DIGEST,
"4e5c076e2f85f5e03994acbf3a9e10d61a6969c9fdf47ae8b1f7e2725b3767b05cc974bfcb5344b630c91761e015e"
"09d7794b5065662533bc9"},
{NULL, "", SHORT_DIGEST, "d41d8cd98f00b204e9800998ecf8427e"},
{SALT, "", SHORT_DIGEST, "7df1e0494c977195005d82a1809685e4"},
};
static void
test_md5(void)
{
char digest[LONG_DIGEST], *hex;
int i;
for (i = 0; i < G_N_ELEMENTS(md5_tests); i++) {
memset(digest, 0, sizeof(digest));
nm_crypto_md5_hash((const guint8 *) md5_tests[i].salt,
/* nm_crypto_md5_hash() used to clamp salt_len to 8. It
* doesn't any more, so we need to do it here now to
* get output that matches md5_tests[i].result.
*/
md5_tests[i].salt ? 8 : 0,
(const guint8 *) md5_tests[i].password,
strlen(md5_tests[i].password),
(guint8 *) digest,
md5_tests[i].digest_size);
hex = nm_utils_bin2hexstr(digest, md5_tests[i].digest_size, -1);
g_assert_cmpstr(hex, ==, md5_tests[i].result);
g_free(hex);
}
}
NMTST_DEFINE();
int
main(int argc, char **argv)
{
GError * error = NULL;
gboolean success;
int ret;
nmtst_init(&argc, &argv, TRUE);
success = _nm_crypto_init(&error);
g_assert_no_error(error);
g_assert(success);
g_test_add_data_func("/libnm/crypto/cert/pem", "test_ca_cert.pem", test_cert);
g_test_add_data_func("/libnm/crypto/cert/pem-2", "test2_ca_cert.pem", test_cert);
g_test_add_data_func("/libnm/crypto/cert/der", "test_ca_cert.der", test_cert);
g_test_add_data_func("/libnm/crypto/cert/pem-no-ending-newline",
"ca-no-ending-newline.pem",
test_cert);
g_test_add_data_func("/libnm/crypto/cert/pem-combined", "test_key_and_cert.pem", test_cert);
g_test_add_data_func("/libnm/crypto/cert/pem-combined-2", "test2_key_and_cert.pem", test_cert);
g_test_add_data_func("/libnm/crypto/key/padding-6",
"test_key_and_cert.pem, test, test-key-only-decrypted.der",
test_key);
g_test_add_data_func("/libnm/crypto/key/key-only",
"test-key-only.pem, test, test-key-only-decrypted.der",
test_key);
g_test_add_data_func("/libnm/crypto/key/padding-8",
"test2_key_and_cert.pem, 12345testing",
test_key);
g_test_add_data_func("/libnm/crypto/key/aes-128",
"test-aes-128-key.pem, test-aes-password",
test_key);
g_test_add_data_func("/libnm/crypto/key/aes-256",
"test-aes-256-key.pem, test-aes-password",
test_key);
g_test_add_data_func("/libnm/crypto/key/decrypted",
"test-key-only-decrypted.pem",
test_key_decrypted);
g_test_add_data_func("/libnm/crypto/PKCS#12/1", "test-cert.p12, test", test_pkcs12);
g_test_add_data_func("/libnm/crypto/PKCS#12/2", "test2-cert.p12, 12345testing", test_pkcs12);
g_test_add_data_func("/libnm/crypto/PKCS#8", "pkcs8-enc-key.pem, 1234567890", test_pkcs8);
g_test_add_func("/libnm/crypto/md5", test_md5);
ret = g_test_run();
return ret;
}