1 /*
2 * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/asn1.h>
11 #include <openssl/pem.h>
12 #include "internal/sizes.h"
13 #include "crypto/evp.h"
14 #include "testutil.h"
15
16 /* Collected arguments */
17 static const char *eecert_filename = NULL; /* For test_x509_file() */
18 static const char *cacert_filename = NULL; /* For test_x509_file() */
19 static const char *pubkey_filename = NULL; /* For test_spki_file() */
20
21 #define ALGORITHMID_NAME "algorithm-id"
22
test_spki_aid(X509_PUBKEY * pubkey,const char * filename)23 static int test_spki_aid(X509_PUBKEY *pubkey, const char *filename)
24 {
25 const ASN1_OBJECT *oid;
26 X509_ALGOR *alg = NULL;
27 EVP_PKEY *pkey = NULL;
28 EVP_KEYMGMT *keymgmt = NULL;
29 void *keydata = NULL;
30 char name[OSSL_MAX_NAME_SIZE] = "";
31 unsigned char *algid_legacy = NULL;
32 int algid_legacy_len = 0;
33 static unsigned char algid_prov[OSSL_MAX_ALGORITHM_ID_SIZE];
34 size_t algid_prov_len = 0;
35 const OSSL_PARAM *gettable_params = NULL;
36 OSSL_PARAM params[] = {
37 OSSL_PARAM_octet_string(ALGORITHMID_NAME,
38 &algid_prov, sizeof(algid_prov)),
39 OSSL_PARAM_END
40 };
41 int ret = 0;
42
43 if (!TEST_true(X509_PUBKEY_get0_param(NULL, NULL, NULL, &alg, pubkey))
44 || !TEST_ptr(pkey = X509_PUBKEY_get0(pubkey)))
45 goto end;
46
47 if (!TEST_int_ge(algid_legacy_len = i2d_X509_ALGOR(alg, &algid_legacy), 0))
48 goto end;
49
50 X509_ALGOR_get0(&oid, NULL, NULL, alg);
51 if (!TEST_int_gt(OBJ_obj2txt(name, sizeof(name), oid, 0), 0))
52 goto end;
53
54 /*
55 * We use an internal functions to ensure we have a provided key.
56 * Note that |keydata| should not be freed, as it's cached in |pkey|.
57 * The |keymgmt|, however, should, as its reference count is incremented
58 * in this function.
59 */
60 if ((keydata = evp_pkey_export_to_provider(pkey, NULL,
61 &keymgmt, NULL))
62 == NULL) {
63 TEST_info("The public key found in '%s' doesn't have provider support."
64 " Skipping...",
65 filename);
66 ret = 1;
67 goto end;
68 }
69
70 if (!TEST_true(EVP_KEYMGMT_is_a(keymgmt, name))) {
71 TEST_info("The AlgorithmID key type (%s) for the public key found in"
72 " '%s' doesn't match the key type of the extracted public"
73 " key.",
74 name, filename);
75 ret = 1;
76 goto end;
77 }
78
79 if (!TEST_ptr(gettable_params = EVP_KEYMGMT_gettable_params(keymgmt))
80 || !TEST_ptr(OSSL_PARAM_locate_const(gettable_params, ALGORITHMID_NAME))) {
81 TEST_info("The %s provider keymgmt appears to lack support for algorithm-id."
82 " Skipping...",
83 name);
84 ret = 1;
85 goto end;
86 }
87
88 algid_prov[0] = '\0';
89 if (!TEST_true(evp_keymgmt_get_params(keymgmt, keydata, params)))
90 goto end;
91 algid_prov_len = params[0].return_size;
92
93 /* We now have all the algorithm IDs we need, let's compare them */
94 if (TEST_mem_eq(algid_legacy, algid_legacy_len,
95 algid_prov, algid_prov_len))
96 ret = 1;
97
98 end:
99 EVP_KEYMGMT_free(keymgmt);
100 OPENSSL_free(algid_legacy);
101 return ret;
102 }
103
test_x509_spki_aid(X509 * cert,const char * filename)104 static int test_x509_spki_aid(X509 *cert, const char *filename)
105 {
106 X509_PUBKEY *pubkey = X509_get_X509_PUBKEY(cert);
107
108 return test_spki_aid(pubkey, filename);
109 }
110
test_x509_sig_aid(X509 * eecert,const char * ee_filename,X509 * cacert,const char * ca_filename)111 static int test_x509_sig_aid(X509 *eecert, const char *ee_filename,
112 X509 *cacert, const char *ca_filename)
113 {
114 const ASN1_OBJECT *sig_oid = NULL;
115 const X509_ALGOR *alg = NULL;
116 int sig_nid = NID_undef, dig_nid = NID_undef, pkey_nid = NID_undef;
117 EVP_MD_CTX *mdctx = NULL;
118 EVP_PKEY_CTX *pctx = NULL;
119 EVP_PKEY *pkey = NULL;
120 unsigned char *algid_legacy = NULL;
121 int algid_legacy_len = 0;
122 static unsigned char algid_prov[OSSL_MAX_ALGORITHM_ID_SIZE];
123 size_t algid_prov_len = 0;
124 const OSSL_PARAM *gettable_params = NULL;
125 OSSL_PARAM params[] = {
126 OSSL_PARAM_octet_string("algorithm-id",
127 &algid_prov, sizeof(algid_prov)),
128 OSSL_PARAM_END
129 };
130 int ret = 0;
131
132 X509_get0_signature(NULL, &alg, eecert);
133 X509_ALGOR_get0(&sig_oid, NULL, NULL, alg);
134 if (!TEST_int_eq(X509_ALGOR_cmp(alg, X509_get0_tbs_sigalg(eecert)), 0))
135 goto end;
136 if (!TEST_int_ne(sig_nid = OBJ_obj2nid(sig_oid), NID_undef)
137 || !TEST_true(OBJ_find_sigid_algs(sig_nid, &dig_nid, &pkey_nid))
138 || !TEST_ptr(pkey = X509_get0_pubkey(cacert)))
139 goto end;
140
141 if (!TEST_true(EVP_PKEY_is_a(pkey, OBJ_nid2sn(pkey_nid)))) {
142 TEST_info("The '%s' pubkey can't be used to verify the '%s' signature",
143 ca_filename, ee_filename);
144 TEST_info("Signature algorithm is %s (pkey type %s, hash type %s)",
145 OBJ_nid2sn(sig_nid), OBJ_nid2sn(pkey_nid), OBJ_nid2sn(dig_nid));
146 TEST_info("Pkey key type is %s", EVP_PKEY_get0_type_name(pkey));
147 goto end;
148 }
149
150 if (!TEST_int_ge(algid_legacy_len = i2d_X509_ALGOR(alg, &algid_legacy), 0))
151 goto end;
152
153 if (!TEST_ptr(mdctx = EVP_MD_CTX_new())
154 || !TEST_true(EVP_DigestVerifyInit_ex(mdctx, &pctx,
155 OBJ_nid2sn(dig_nid),
156 NULL, NULL, pkey, NULL))) {
157 TEST_info("Couldn't initialize a DigestVerify operation with "
158 "pkey type %s and hash type %s",
159 OBJ_nid2sn(pkey_nid), OBJ_nid2sn(dig_nid));
160 goto end;
161 }
162
163 if (!TEST_ptr(gettable_params = EVP_PKEY_CTX_gettable_params(pctx))
164 || !TEST_ptr(OSSL_PARAM_locate_const(gettable_params, ALGORITHMID_NAME))) {
165 TEST_info("The %s provider keymgmt appears to lack support for algorithm-id"
166 " Skipping...",
167 OBJ_nid2sn(pkey_nid));
168 ret = 1;
169 goto end;
170 }
171
172 algid_prov[0] = '\0';
173 if (!TEST_true(EVP_PKEY_CTX_get_params(pctx, params)))
174 goto end;
175 algid_prov_len = params[0].return_size;
176
177 /* We now have all the algorithm IDs we need, let's compare them */
178 if (TEST_mem_eq(algid_legacy, algid_legacy_len,
179 algid_prov, algid_prov_len))
180 ret = 1;
181
182 end:
183 EVP_MD_CTX_free(mdctx);
184 /* pctx is free by EVP_MD_CTX_free() */
185 OPENSSL_free(algid_legacy);
186 return ret;
187 }
188
test_spki_file(void)189 static int test_spki_file(void)
190 {
191 X509_PUBKEY *pubkey = NULL;
192 BIO *b = BIO_new_file(pubkey_filename, "r");
193 int ret = 0;
194
195 if (b == NULL) {
196 TEST_error("Couldn't open '%s' for reading\n", pubkey_filename);
197 TEST_openssl_errors();
198 goto end;
199 }
200
201 if ((pubkey = PEM_read_bio_X509_PUBKEY(b, NULL, NULL, NULL)) == NULL) {
202 TEST_error("'%s' doesn't appear to be a SubjectPublicKeyInfo in PEM format\n",
203 pubkey_filename);
204 TEST_openssl_errors();
205 goto end;
206 }
207
208 ret = test_spki_aid(pubkey, pubkey_filename);
209 end:
210 BIO_free(b);
211 X509_PUBKEY_free(pubkey);
212 return ret;
213 }
214
test_x509_files(void)215 static int test_x509_files(void)
216 {
217 X509 *eecert = NULL, *cacert = NULL;
218 BIO *bee = NULL, *bca = NULL;
219 int ret = 0;
220
221 if ((bee = BIO_new_file(eecert_filename, "r")) == NULL) {
222 TEST_error("Couldn't open '%s' for reading\n", eecert_filename);
223 TEST_openssl_errors();
224 goto end;
225 }
226 if ((bca = BIO_new_file(cacert_filename, "r")) == NULL) {
227 TEST_error("Couldn't open '%s' for reading\n", cacert_filename);
228 TEST_openssl_errors();
229 goto end;
230 }
231
232 if ((eecert = PEM_read_bio_X509(bee, NULL, NULL, NULL)) == NULL) {
233 TEST_error("'%s' doesn't appear to be a X.509 certificate in PEM format\n",
234 eecert_filename);
235 TEST_openssl_errors();
236 goto end;
237 }
238 if ((cacert = PEM_read_bio_X509(bca, NULL, NULL, NULL)) == NULL) {
239 TEST_error("'%s' doesn't appear to be a X.509 certificate in PEM format\n",
240 cacert_filename);
241 TEST_openssl_errors();
242 goto end;
243 }
244
245 ret = test_x509_sig_aid(eecert, eecert_filename, cacert, cacert_filename)
246 & test_x509_spki_aid(eecert, eecert_filename)
247 & test_x509_spki_aid(cacert, cacert_filename);
248 end:
249 BIO_free(bee);
250 BIO_free(bca);
251 X509_free(eecert);
252 X509_free(cacert);
253 return ret;
254 }
255
256 typedef enum OPTION_choice {
257 OPT_ERR = -1,
258 OPT_EOF = 0,
259 OPT_X509,
260 OPT_SPKI,
261 OPT_TEST_ENUM
262 } OPTION_CHOICE;
263
test_get_options(void)264 const OPTIONS *test_get_options(void)
265 {
266 static const OPTIONS test_options[] = {
267 OPT_TEST_OPTIONS_WITH_EXTRA_USAGE("file...\n"),
268 { "x509", OPT_X509, '-', "Test X.509 certificates. Requires two files" },
269 { "spki", OPT_SPKI, '-', "Test public keys in SubjectPublicKeyInfo form. Requires one file" },
270 { OPT_HELP_STR, 1, '-',
271 "file...\tFile(s) to run tests on. All files must be PEM encoded.\n" },
272 { NULL }
273 };
274 return test_options;
275 }
276
setup_tests(void)277 int setup_tests(void)
278 {
279 OPTION_CHOICE o;
280 int n, x509 = 0, spki = 0, testcount = 0;
281
282 while ((o = opt_next()) != OPT_EOF) {
283 switch (o) {
284 case OPT_X509:
285 x509 = 1;
286 break;
287 case OPT_SPKI:
288 spki = 1;
289 break;
290 case OPT_TEST_CASES:
291 break;
292 default:
293 case OPT_ERR:
294 return 0;
295 }
296 }
297
298 /* |testcount| adds all the given test types together */
299 testcount = x509 + spki;
300
301 if (testcount < 1)
302 BIO_printf(bio_err, "No test type given\n");
303 else if (testcount > 1)
304 BIO_printf(bio_err, "Only one test type may be given\n");
305 if (testcount != 1)
306 return 0;
307
308 n = test_get_argument_count();
309 if (spki && n == 1) {
310 pubkey_filename = test_get_argument(0);
311 } else if (x509 && n == 2) {
312 eecert_filename = test_get_argument(0);
313 cacert_filename = test_get_argument(1);
314 }
315
316 if (spki && pubkey_filename == NULL) {
317 BIO_printf(bio_err, "Missing -spki argument\n");
318 return 0;
319 } else if (x509 && (eecert_filename == NULL || cacert_filename == NULL)) {
320 BIO_printf(bio_err, "Missing -x509 argument(s)\n");
321 return 0;
322 }
323
324 if (x509)
325 ADD_TEST(test_x509_files);
326 if (spki)
327 ADD_TEST(test_spki_file);
328 return 1;
329 }
330