#! /usr/bin/env perl
# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use File::Spec::Functions;
use File::Copy;
use MIME::Base64;
use OpenSSL::Test qw(:DEFAULT srctop_file srctop_dir bldtop_file data_file);
use OpenSSL::Test::Utils;
my $test_name = "test_store";
setup($test_name);
my $mingw = config('target') =~ m|^mingw|;
my @noexist_files =
( "test/blahdiblah.pem",
"test/blahdibleh.der" );
my @src_files =
( "test/testx509.pem",
"test/testrsa.pem",
"test/testrsapub.pem",
"test/testcrl.pem",
"apps/server.pem" );
my @generated_files =
(
### generated from the source files
"testx509.der",
"testrsa.der",
"testrsapub.der",
"testcrl.der",
### generated locally
"rsa-key-pkcs1.pem", "rsa-key-pkcs1.der",
"rsa-key-pkcs1-aes128.pem",
"rsa-key-pkcs8.pem", "rsa-key-pkcs8.der",
"rsa-key-pkcs8-pbes1-sha1-3des.pem", "rsa-key-pkcs8-pbes1-sha1-3des.der",
"rsa-key-pkcs8-pbes2-sha1.pem", "rsa-key-pkcs8-pbes2-sha1.der",
"rsa-key-sha1-3des-sha1.p12", "rsa-key-sha1-3des-sha256.p12",
"rsa-key-aes256-cbc-sha256.p12",
"rsa-key-md5-des-sha1.p12",
"rsa-key-aes256-cbc-md5-des-sha256.p12",
"rsa-key-pkcs8-pbes2-sha256.pem", "rsa-key-pkcs8-pbes2-sha256.der",
"rsa-key-pkcs8-pbes1-md5-des.pem", "rsa-key-pkcs8-pbes1-md5-des.der",
"dsa-key-pkcs1.pem", "dsa-key-pkcs1.der",
"dsa-key-pkcs1-aes128.pem",
"dsa-key-pkcs8.pem", "dsa-key-pkcs8.der",
"dsa-key-pkcs8-pbes2-sha1.pem", "dsa-key-pkcs8-pbes2-sha1.der",
"dsa-key-aes256-cbc-sha256.p12",
"ec-key-pkcs1.pem", "ec-key-pkcs1.der",
"ec-key-pkcs1-aes128.pem",
"ec-key-pkcs8.pem", "ec-key-pkcs8.der",
"ec-key-pkcs8-pbes2-sha1.pem", "ec-key-pkcs8-pbes2-sha1.der",
"ec-key-aes256-cbc-sha256.p12",
);
my %generated_file_files =
$^O eq 'linux'
? ( "test/testx509.pem" => "file:testx509.pem",
"test/testrsa.pem" => "file:testrsa.pem",
"test/testrsapub.pem" => "file:testrsapub.pem",
"test/testcrl.pem" => "file:testcrl.pem",
"apps/server.pem" => "file:server.pem" )
: ();
my @noexist_file_files =
( "file:blahdiblah.pem",
"file:test/blahdibleh.der" );
my $n = (3 * scalar @noexist_files)
+ (6 * scalar @src_files)
+ (4 * scalar @generated_files)
+ (scalar keys %generated_file_files)
+ (scalar @noexist_file_files)
+ 3
+ 11;
plan tests => $n;
indir "store_$$" => sub {
SKIP:
{
skip "failed initialisation", $n unless init();
my $rehash = init_rehash();
foreach (@noexist_files) {
my $file = srctop_file($_);
ok(!run(app(["openssl", "storeutl", "-noout", $file])));
ok(!run(app(["openssl", "storeutl", "-noout",
to_abs_file($file)])));
{
local $ENV{MSYS2_ARG_CONV_EXCL} = "file:";
ok(!run(app(["openssl", "storeutl", "-noout",
to_abs_file_uri($file)])));
}
}
foreach (@src_files) {
my $file = srctop_file($_);
ok(run(app(["openssl", "storeutl", "-noout", $file])));
ok(run(app(["openssl", "storeutl", "-noout", to_abs_file($file)])));
SKIP:
{
skip "file: tests disabled on MingW", 4 if $mingw;
ok(run(app(["openssl", "storeutl", "-noout",
to_abs_file_uri($file)])));
ok(run(app(["openssl", "storeutl", "-noout",
to_abs_file_uri($file, 0, "")])));
ok(run(app(["openssl", "storeutl", "-noout",
to_abs_file_uri($file, 0, "localhost")])));
ok(!run(app(["openssl", "storeutl", "-noout",
to_abs_file_uri($file, 0, "dummy")])));
}
}
foreach (@generated_files) {
ok(run(app(["openssl", "storeutl", "-noout", "-passin",
"pass:password", $_])));
ok(run(app(["openssl", "storeutl", "-noout", "-passin",
"pass:password", to_abs_file($_)])));
SKIP:
{
skip "file: tests disabled on MingW", 2 if $mingw;
ok(run(app(["openssl", "storeutl", "-noout", "-passin",
"pass:password", to_abs_file_uri($_)])));
ok(!run(app(["openssl", "storeutl", "-noout", "-passin",
"pass:password", to_file_uri($_)])));
}
}
foreach (values %generated_file_files) {
SKIP:
{
skip "file: tests disabled on MingW", 1 if $mingw;
ok(run(app(["openssl", "storeutl", "-noout", $_])));
}
}
foreach (@noexist_file_files) {
SKIP:
{
skip "file: tests disabled on MingW", 1 if $mingw;
ok(!run(app(["openssl", "storeutl", "-noout", $_])));
}
}
{
my $dir = srctop_dir("test", "certs");
ok(run(app(["openssl", "storeutl", "-noout", $dir])));
ok(run(app(["openssl", "storeutl", "-noout",
to_abs_file($dir, 1)])));
SKIP:
{
skip "file: tests disabled on MingW", 1 if $mingw;
ok(run(app(["openssl", "storeutl", "-noout",
to_abs_file_uri($dir, 1)])));
}
}
ok(!run(app(['openssl', 'storeutl', '-noout',
'-subject', '/C=AU/ST=QLD/CN=SSLeay\/rsa test cert',
srctop_file('test', 'testx509.pem')])),
"Checking that -subject can't be used with a single file");
ok(run(app(['openssl', 'storeutl', '-certs', '-noout',
srctop_file('test', 'testx509.pem')])),
"Checking that -certs returns 1 object on a certificate file");
ok(run(app(['openssl', 'storeutl', '-certs', '-noout',
srctop_file('test', 'testcrl.pem')])),
"Checking that -certs returns 0 objects on a CRL file");
ok(run(app(['openssl', 'storeutl', '-crls', '-noout',
srctop_file('test', 'testx509.pem')])),
"Checking that -crls returns 0 objects on a certificate file");
ok(run(app(['openssl', 'storeutl', '-crls', '-noout',
srctop_file('test', 'testcrl.pem')])),
"Checking that -crls returns 1 object on a CRL file");
SKIP: {
skip "failed rehash initialisation", 6 unless $rehash;
# subject from testx509.pem:
# '/C=AU/ST=QLD/CN=SSLeay\/rsa test cert'
# issuer from testcrl.pem:
# '/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority'
ok(run(app(['openssl', 'storeutl', '-noout',
'-subject', '/C=AU/ST=QLD/CN=SSLeay\/rsa test cert',
catdir(curdir(), 'rehash')])));
ok(run(app(['openssl', 'storeutl', '-noout',
'-subject',
'/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority',
catdir(curdir(), 'rehash')])));
ok(run(app(['openssl', 'storeutl', '-noout', '-certs',
'-subject', '/C=AU/ST=QLD/CN=SSLeay\/rsa test cert',
catdir(curdir(), 'rehash')])));
ok(run(app(['openssl', 'storeutl', '-noout', '-crls',
'-subject', '/C=AU/ST=QLD/CN=SSLeay\/rsa test cert',
catdir(curdir(), 'rehash')])));
ok(run(app(['openssl', 'storeutl', '-noout', '-certs',
'-subject',
'/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority',
catdir(curdir(), 'rehash')])));
ok(run(app(['openssl', 'storeutl', '-noout', '-crls',
'-subject',
'/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority',
catdir(curdir(), 'rehash')])));
}
}
}, create => 1, cleanup => 1;
sub init {
return (
# rsa-key-pkcs1.pem
run(app(["openssl", "genrsa",
"-out", "rsa-key-pkcs1.pem", "2432"]))
# dsa-key-pkcs1.pem
&& run(app(["openssl", "dsaparam", "-genkey",
"-out", "dsa-key-pkcs1.pem", "1024"]))
# ec-key-pkcs1.pem (one might think that 'genec' would be practical)
&& run(app(["openssl", "ecparam", "-genkey", "-name", "prime256v1",
"-out", "ec-key-pkcs1.pem"]))
# rsa-key-pkcs1-aes128.pem
&& run(app(["openssl", "rsa", "-passout", "pass:password", "-aes128",
"-in", "rsa-key-pkcs1.pem",
"-out", "rsa-key-pkcs1-aes128.pem"]))
# dsa-key-pkcs1-aes128.pem
&& run(app(["openssl", "dsa", "-passout", "pass:password", "-aes128",
"-in", "dsa-key-pkcs1.pem",
"-out", "dsa-key-pkcs1-aes128.pem"]))
# ec-key-pkcs1-aes128.pem
&& run(app(["openssl", "ec", "-passout", "pass:password", "-aes128",
"-in", "ec-key-pkcs1.pem",
"-out", "ec-key-pkcs1-aes128.pem"]))
# *-key-pkcs8.pem
&& runall(sub {
my $dstfile = shift;
(my $srcfile = $dstfile)
=~ s/-key-pkcs8\.pem$/-key-pkcs1.pem/i;
run(app(["openssl", "pkcs8", "-topk8", "-nocrypt",
"-in", $srcfile, "-out", $dstfile]));
}, grep(/-key-pkcs8\.pem$/, @generated_files))
# *-key-pkcs8-pbes1-sha1-3des.pem
&& runall(sub {
my $dstfile = shift;
(my $srcfile = $dstfile)
=~ s/-key-pkcs8-pbes1-sha1-3des\.pem$
/-key-pkcs8.pem/ix;
run(app(["openssl", "pkcs8", "-topk8",
"-passout", "pass:password",
"-v1", "pbeWithSHA1And3-KeyTripleDES-CBC",
"-in", $srcfile, "-out", $dstfile]));
}, grep(/-key-pkcs8-pbes1-sha1-3des\.pem$/, @generated_files))
# *-key-pkcs8-pbes1-md5-des.pem
&& runall(sub {
my $dstfile = shift;
(my $srcfile = $dstfile)
=~ s/-key-pkcs8-pbes1-md5-des\.pem$
/-key-pkcs8.pem/ix;
run(app(["openssl", "pkcs8", "-topk8",
"-passout", "pass:password",
"-v1", "pbeWithSHA1And3-KeyTripleDES-CBC",
"-in", $srcfile, "-out", $dstfile]));
}, grep(/-key-pkcs8-pbes1-md5-des\.pem$/, @generated_files))
# *-key-pkcs8-pbes2-sha1.pem
&& runall(sub {
my $dstfile = shift;
(my $srcfile = $dstfile)
=~ s/-key-pkcs8-pbes2-sha1\.pem$
/-key-pkcs8.pem/ix;
run(app(["openssl", "pkcs8", "-topk8",
"-passout", "pass:password",
"-v2", "aes256", "-v2prf", "hmacWithSHA1",
"-in", $srcfile, "-out", $dstfile]));
}, grep(/-key-pkcs8-pbes2-sha1\.pem$/, @generated_files))
# *-key-pkcs8-pbes2-sha1.pem
&& runall(sub {
my $dstfile = shift;
(my $srcfile = $dstfile)
=~ s/-key-pkcs8-pbes2-sha256\.pem$
/-key-pkcs8.pem/ix;
run(app(["openssl", "pkcs8", "-topk8",
"-passout", "pass:password",
"-v2", "aes256", "-v2prf", "hmacWithSHA256",
"-in", $srcfile, "-out", $dstfile]));
}, grep(/-key-pkcs8-pbes2-sha256\.pem$/, @generated_files))
# *-cert.pem (intermediary for the .p12 inits)
&& run(app(["openssl", "req", "-x509",
"-config", data_file("ca.cnf"), "-nodes",
"-out", "cacert.pem", "-keyout", "cakey.pem"]))
&& runall(sub {
my $srckey = shift;
(my $dstfile = $srckey) =~ s|-key-pkcs8\.|-cert.|;
(my $csr = $dstfile) =~ s|\.pem|.csr|;
(run(app(["openssl", "req", "-new",
"-config", data_file("user.cnf"),
"-key", $srckey, "-out", $csr]))
&&
run(app(["openssl", "x509", "-days", "3650",
"-CA", "cacert.pem",
"-CAkey", "cakey.pem",
"-set_serial", time(), "-req",
"-in", $csr, "-out", $dstfile])));
}, grep(/-key-pkcs8\.pem$/, @generated_files))
# *.p12
&& runall(sub {
my $dstfile = shift;
my ($type, $certpbe_index, $keypbe_index,
$macalg_index) =
$dstfile =~ m{^(.*)-key-(?|
# cert and key PBE are same
() #
([^-]*-[^-]*)- # key & cert PBE
([^-]*) # MACalg
|
# cert and key PBE are not same
([^-]*-[^-]*)- # cert PBE
([^-]*-[^-]*)- # key PBE
([^-]*) # MACalg
)\.}x;
if (!$certpbe_index) {
$certpbe_index = $keypbe_index;
}
my $srckey = "$type-key-pkcs8.pem";
my $srccert = "$type-cert.pem";
my %pbes =
(
"sha1-3des" => "pbeWithSHA1And3-KeyTripleDES-CBC",
"md5-des" => "pbeWithMD5AndDES-CBC",
"aes256-cbc" => "AES-256-CBC",
);
my %macalgs =
(
"sha1" => "SHA1",
"sha256" => "SHA256",
);
my $certpbe = $pbes{$certpbe_index};
my $keypbe = $pbes{$keypbe_index};
my $macalg = $macalgs{$macalg_index};
if (!defined($certpbe) || !defined($keypbe)
|| !defined($macalg)) {
print STDERR "Cert PBE for $pbe_index not defined\n"
unless defined $certpbe;
print STDERR "Key PBE for $pbe_index not defined\n"
unless defined $keypbe;
print STDERR "MACALG for $macalg_index not defined\n"
unless defined $macalg;
print STDERR "(destination file was $dstfile)\n";
return 0;
}
run(app(["openssl", "pkcs12", "-inkey", $srckey,
"-in", $srccert, "-passout", "pass:password",
"-export", "-macalg", $macalg,
"-certpbe", $certpbe, "-keypbe", $keypbe,
"-out", $dstfile]));
}, grep(/\.p12/, @generated_files))
# *.der (the end all init)
&& runall(sub {
my $dstfile = shift;
(my $srcfile = $dstfile) =~ s/\.der$/.pem/i;
if (! -f $srcfile) {
$srcfile = srctop_file("test", $srcfile);
}
my $infh;
unless (open $infh, $srcfile) {
return 0;
}
my $l;
while (($l = <$infh>) !~ /^-----BEGIN\s/
|| $l =~ /^-----BEGIN.*PARAMETERS-----/) {
}
my $b64 = "";
while (($l = <$infh>) !~ /^-----END\s/) {
$l =~ s|\R$||;
$b64 .= $l unless $l =~ /:/;
}
close $infh;
my $der = decode_base64($b64);
unless (length($b64) / 4 * 3 - length($der) < 3) {
print STDERR "Length error, ",length($b64),
" bytes of base64 became ",length($der),
" bytes of der? ($srcfile => $dstfile)\n";
return 0;
}
my $outfh;
unless (open $outfh, ">:raw", $dstfile) {
return 0;
}
print $outfh $der;
close $outfh;
return 1;
}, grep(/\.der$/, @generated_files))
&& runall(sub {
my $srcfile = shift;
my $dstfile = $generated_file_files{$srcfile};
unless (copy srctop_file($srcfile), $dstfile) {
warn "$!\n";
return 0;
}
return 1;
}, keys %generated_file_files)
);
}
sub init_rehash {
return (
mkdir(catdir(curdir(), 'rehash'))
&& copy(srctop_file('test', 'testx509.pem'),
catdir(curdir(), 'rehash'))
&& copy(srctop_file('test', 'testcrl.pem'),
catdir(curdir(), 'rehash'))
&& run(app(['openssl', 'rehash', catdir(curdir(), 'rehash')]))
);
}
sub runall {
my ($function, @items) = @_;
foreach (@items) {
return 0 unless $function->($_);
}
return 1;
}
# According to RFC8089, a relative file: path is invalid. We still produce
# them for testing purposes.
sub to_file_uri {
my ($file, $isdir, $authority) = @_;
my $vol;
my $dir;
die "to_file_uri: No file given\n" if !defined($file) || $file eq '';
($vol, $dir, $file) = File::Spec->splitpath($file, $isdir // 0);
# Make sure we have a Unix style directory.
$dir = join('/', File::Spec->splitdir($dir));
# Canonicalise it (note: it seems to be only needed on Unix)
while (1) {
my $newdir = $dir;
$newdir =~ s|/[^/]*[^/\.]+[^/]*/\.\./|/|g;
last if $newdir eq $dir;
$dir = $newdir;
}
# Take care of the corner cases the loop can't handle, and that $dir
# ends with a / unless it's empty
$dir =~ s|/[^/]*[^/\.]+[^/]*/\.\.$|/|;
$dir =~ s|^[^/]*[^/\.]+[^/]*/\.\./|/|;
$dir =~ s|^[^/]*[^/\.]+[^/]*/\.\.$||;
if ($isdir // 0) {
$dir =~ s|/$|| if $dir ne '/';
} else {
$dir .= '/' if $dir ne '' && $dir !~ m|/$|;
}
# If the file system has separate volumes (at present, Windows and VMS)
# we need to handle them. In URIs, they are invariably the first
# component of the path, which is always absolute.
# On VMS, user:[foo.bar] translates to /user/foo/bar
# On Windows, c:\Users\Foo translates to /c:/Users/Foo
if ($vol ne '') {
$vol =~ s|:||g if ($^O eq "VMS");
$dir = '/' . $dir if $dir ne '' && $dir !~ m|^/|;
$dir = '/' . $vol . $dir;
}
$file = $dir . $file;
return "file://$authority$file" if defined $authority;
return "file:$file";
}
sub to_abs_file {
my ($file) = @_;
return File::Spec->rel2abs($file);
}
sub to_abs_file_uri {
my ($file, $isdir, $authority) = @_;
die "to_abs_file_uri: No file given\n" if !defined($file) || $file eq '';
return to_file_uri(to_abs_file($file), $isdir, $authority);
}