Add test for ASN1_item_verify()

This is a test for https://github.com/openssl/openssl/issues/24575
Original idea by Theo Buehler.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24576)

(cherry picked from commit 2f0b4974dfbd9bc71e1164e0742fc7fdb2b2b70e)

4 files changed, 100 insertions, 1 deletions

diff --git a/test/certs/ee-self-signed-pss.pem b/test/certs/ee-self-signed-pss.pem
new file mode 100644
index 0000000000..fab433321c
--- /dev/null
+++ b/test/certs/ee-self-signed-pss.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhTCCAjmgAwIBAgIUZxTKBh9L8ApVNcsI5ontnHRbv8wwQQYJKoZIhvcNAQEK
+MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
+AKIDAgEgMB0xGzAZBgNVBAMMEmVlLXNlbGYtc2lnbmVkLXBzczAgFw0yNDA2MTcx
+MTA5NTRaGA8yMTI0MDYxODExMDk1NFowHTEbMBkGA1UEAwwSZWUtc2VsZi1zaWdu
+ZWQtcHNzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqP+JWGGFrt7b
+LA/Vc/vit6gbenVgK9R9PHN2ta7eky9/JJBtyRz0ijjNn6KAFlbLtCy7k+UXH/8N
+xkP+MTT4KNh16aO7iILvo3LiU2IFRU3gMZfvqp0Q0lgNngaeMrsbCFZdZQ8/Zo7C
+NqAR/8BZNf1JHN0cQjMGeK4EOCPl53Vn05StWqlAH6xZEPUMwWStSsTGNVOzlmqC
+GxWL0Zmr5J5vlKrSluVX+4yRZIo8JBbG0hm+gmATO2Kw7T4ds8r5a98xuXqeS0do
+pynHP0riIie075Bj1+/Qckk+W625G9Qrb4Zo3dVzErhDydxBD6KjRk+LZ4iED2H+
+eTQfSokftwIDAQABo1MwUTAdBgNVHQ4EFgQU55viKq2KbDrLdlHljgeYIpfhc6Iw
+HwYDVR0jBBgwFoAU55viKq2KbDrLdlHljgeYIpfhc6IwDwYDVR0TAQH/BAUwAwEB
+/zBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEI
+MA0GCWCGSAFlAwQCAQUAogMCASADggEBADjXHPnAha0YQKFCfQZqy8LLgxoQDbfP
+5XKQJ8/FfeJXO9yjEmqOEoWM/QQIlM1gpepOOw8ZRhxcwx93eO+XtvJUA3bW+H73
+jwnqiX5mu1SpA/2IHcifxuOuXUwUh7vtOJGFATHusAn7dS3+tnJSkS+6pvSsJjDu
+0x3fV8rLq1gL9gOC2MdzkLxyp7xmdgibQMI+PyPNgU1e1Qm88Cp5dVNRMdgQ+3CL
+E3h7qfSpSkUCM9rNBc2/rqavQ/UPq5H6r8R9gYd9yR7uGL88B9QI4DQDR8T6x9JG
+0ebWYLuH2xWP9Njl2IbwN3uqQSeRSSqy7UlNo51O+nkvU1vCJGy6aXw=
+-----END CERTIFICATE-----
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
index d517384301..4280ac3a8d 100755
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@@ -226,6 +226,10 @@ OPENSSL_KEYBITS=8192 \
 # self-signed end-entity cert with explicit keyUsage not including KeyCertSign
 openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed -out ee-self-signed.pem -addext keyUsage=digitalSignature -days 36525
 
+# self-signed end-entity cert signed with RSA-PSS
+openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed-pss -out ee-self-signed-pss.pem -days 36525 \
+    -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest
+
 # Proxy certificates, off of ee-client
 # Start with some good ones
 ./mkcert.sh req pc1-key "0.CN = server.example" "1.CN = proxy 1" | \
diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
index 739ac746ba..13dce34076 100644
--- a/test/recipes/25-test_x509.t
+++ b/test/recipes/25-test_x509.t
@@ -271,5 +271,7 @@ ok(-e $ca_serial_dot_in_dir);
 SKIP: {
     skip "EC is not supported by this OpenSSL build", 1
         if disabled("ec");
-    ok(run(test(["x509_test"])), "running x509_test");
+    my $psscert = srctop_file(@certs, "ee-self-signed-pss.pem");
+
+    ok(run(test(["x509_test", $psscert])), "running x509_test");
 }
diff --git a/test/x509_test.c b/test/x509_test.c
index f5a67c63d9..3996d5010d 100644
--- a/test/x509_test.c
+++ b/test/x509_test.c
@@ -7,7 +7,14 @@
  * https://www.openssl.org/source/license.html
  */
 
+#define OPENSSL_SUPPRESS_DEPRECATED /* EVP_PKEY_get1/set1_RSA */
+
 #include <openssl/x509.h>
+#include <openssl/asn1.h>
+#include <openssl/evp.h>
+#include <openssl/rsa.h>
+#include <openssl/pem.h>
+#include "crypto/x509.h" /* x509_st definition */
 #include "testutil.h"
 
 static EVP_PKEY *pubkey = NULL;
@@ -114,9 +121,73 @@ static int test_x509_crl_tbs_cache(void)
     return ret;
 }
 
+static int test_asn1_item_verify(void)
+{
+    int ret = 0;
+    BIO *bio = NULL;
+    X509 *x509 = NULL;
+    const char *certfile;
+    const ASN1_BIT_STRING *sig = NULL;
+    const X509_ALGOR *alg = NULL;
+    EVP_PKEY *pkey;
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+    RSA *rsa = NULL;
+#endif
+
+    if (!TEST_ptr(certfile = test_get_argument(0))
+        || !TEST_ptr(bio = BIO_new_file(certfile, "r"))
+        || !TEST_ptr(x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL))
+        || !TEST_ptr(pkey = X509_get0_pubkey(x509)))
+        goto err;
+
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+    /* Issue #24575 requires legacy key but the test is useful anyway */
+    if (!TEST_ptr(rsa = EVP_PKEY_get1_RSA(pkey)))
+        goto err;
+
+    if (!TEST_int_gt(EVP_PKEY_set1_RSA(pkey, rsa), 0))
+        goto err;
+#endif
+
+    X509_get0_signature(&sig, &alg, x509);
+
+    if (!TEST_int_gt(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF),
+                                      (X509_ALGOR *)alg, (ASN1_BIT_STRING *)sig,
+                                      &x509->cert_info, pkey), 0))
+        goto err;
+
+    ERR_set_mark();
+    if (!TEST_int_lt(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF),
+                                     (X509_ALGOR *)alg, (ASN1_BIT_STRING *)sig,
+                                     NULL, pkey), 0)) {
+        ERR_clear_last_mark();
+        goto err;
+    }
+    ERR_pop_to_mark();
+
+    ret = 1;
+
+ err:
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+    RSA_free(rsa);
+#endif
+    X509_free(x509);
+    BIO_free(bio);
+    return ret;
+}
+
+OPT_TEST_DECLARE_USAGE("<pss-self-signed-cert.pem>\n")
+
 int setup_tests(void)
 {
     const unsigned char *p;
+    int cnt;
+
+    cnt = test_get_argument_count();
+    if (cnt != 1) {
+        TEST_error("Must specify a certificate file self-signed with RSA-PSS.\n");
+        return 0;
+    }
 
     p = pubkeydata;
     pubkey = d2i_PUBKEY(NULL, &p, sizeof(pubkeydata));
@@ -138,6 +209,7 @@ int setup_tests(void)
 
     ADD_TEST(test_x509_tbs_cache);
     ADD_TEST(test_x509_crl_tbs_cache);
+    ADD_TEST(test_asn1_item_verify);
     return 1;
 }