Diffstat (limited to 'test/recipes')
-rw-r--r--test/recipes/15-test_gendh.t33
-rw-r--r--test/recipes/15-test_gendhparam.t170
-rw-r--r--test/recipes/20-test_dhparam_check.t14
-rw-r--r--test/recipes/20-test_dhparam_check_data/valid/dh_5114_1.pem (renamed from test/recipes/20-test_dhparam_check_data/invalid/dh5114_1_pkcs3.pem)0
-rw-r--r--test/recipes/20-test_dhparam_check_data/valid/dh_5114_2.pem (renamed from test/recipes/20-test_dhparam_check_data/invalid/dh5114_2_pkcs3.pem)0
-rw-r--r--test/recipes/20-test_dhparam_check_data/valid/dh_5114_3.pem (renamed from test/recipes/20-test_dhparam_check_data/invalid/dh5114_3_pkcs3.pem)0
-rw-r--r--test/recipes/20-test_dhparam_check_data/valid/dhx_5114_2.pem14
7 files changed, 191 insertions, 40 deletions
diff --git a/test/recipes/15-test_gendh.t b/test/recipes/15-test_gendh.t
index 87dd73f438..39112f1bfe 100644
--- a/test/recipes/15-test_gendh.t
+++ b/test/recipes/15-test_gendh.t
@@ -18,34 +18,7 @@ setup("test_gendh");
plan skip_all => "This test is unsupported in a no-dh build" if disabled("dh");
-plan tests => 13;
-
-ok(run(app([ 'openssl', 'genpkey', '-genparam',
- '-algorithm', 'DH',
- '-pkeyopt', 'gindex:1',
- '-pkeyopt', 'type:fips186_4',
- '-text'])),
- "genpkey DH params fips186_4 with verifiable g");
-
-ok(run(app([ 'openssl', 'genpkey', '-genparam',
- '-algorithm', 'DH',
- '-pkeyopt', 'type:fips186_4',
- '-text'])),
- "genpkey DH params fips186_4 with unverifiable g");
-
-ok(run(app([ 'openssl', 'genpkey', '-genparam',
- '-algorithm', 'DH',
- '-pkeyopt', 'pbits:2048',
- '-pkeyopt', 'qbits:224',
- '-pkeyopt', 'digest:SHA512-224',
- '-pkeyopt', 'type:fips186_4'])),
- "genpkey DH params fips186_4 with truncated SHA");
-
-ok(run(app([ 'openssl', 'genpkey', '-genparam',
- '-algorithm', 'DH',
- '-pkeyopt', 'type:fips186_2',
- '-text'])),
- "genpkey DH params fips186_2");
+plan tests => 9;
ok(run(app([ 'openssl', 'genpkey', '-algorithm', 'DH',
'-pkeyopt', 'type:group',
@@ -59,7 +32,7 @@ ok(run(app([ 'openssl', 'genpkey', '-algorithm', 'DH',
"genpkey DH group ffdhe2048");
ok(run(app([ 'openssl', 'genpkey', '-genparam',
- '-algorithm', 'DH',
+ '-algorithm', 'DHX',
'-pkeyopt', 'gindex:1',
'-pkeyopt', 'type:fips186_4',
'-out', 'dhgen.pem' ])),
@@ -70,7 +43,7 @@ ok(run(app([ 'openssl', 'genpkey', '-genparam',
ok(run(app([ 'openssl', 'genpkey',
'-paramfile', 'dhgen.pem',
'-pkeyopt', 'gindex:1',
- '-pkeyopt', 'hexseed:0102030405060708090A0B0C0D0E0F1011121314',
+ '-pkeyopt', 'hexseed:ed2927f2139eb61495d6641efda1243f93ebe482b5bfc2c755a53825',
'-pkeyopt', 'pcounter:25',
'-text' ])),
"genpkey DH fips186_4 with PEM params");
diff --git a/test/recipes/15-test_gendhparam.t b/test/recipes/15-test_gendhparam.t
new file mode 100644
index 0000000000..b5fe644889
--- /dev/null
+++ b/test/recipes/15-test_gendhparam.t
@@ -0,0 +1,170 @@
+#! /usr/bin/env perl
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use warnings;
+
+use OpenSSL::Test;
+use OpenSSL::Test::Utils;
+
+setup("test_gendhparam");
+
+my @testdata = (
+ {
+ algorithm => 'DHX',
+ pkeyopts => [ "type:fips186_4", 'digest:SHA256', 'gindex:1' ],
+ expect => [ 'BEGIN X9.42 DH PARAMETERS', 'gindex:', 'pcounter:', 'SEED:' ],
+ message => 'DH fips186_4 param gen with verifiable g',
+ },
+ {
+ algorithm => 'DH',
+ pkeyopts => [ "type:fips186_4", 'digest:SHA256', 'gindex:1' ],
+ expect => [ 'ERROR' ],
+ message => 'fips186_4 param gen should fail if DHX is not used',
+ },
+ {
+ algorithm => 'DHX',
+ pkeyopts => [ "type:fips186_4", 'digest:SHA512-224', 'gindex:1' ],
+ expect => [ 'BEGIN X9.42 DH PARAMETERS', 'gindex:', 'pcounter:', 'SEED:' ],
+ message => 'DH fips186_4 param gen with verifiable g and truncated digest',
+ },
+ {
+ algorithm => 'DHX',
+ pkeyopts => [ 'type:fips186_2', 'pbits:1024', 'qbits:160' ],
+ expect => [ 'BEGIN X9.42 DH PARAMETERS', 'h:', 'pcounter:', 'SEED:' ],
+ message => 'DHX fips186_2 param gen with a selected p and q size with unverifyable g',
+ },
+ {
+ algorithm => 'DHX',
+ pkeyopts => [ 'type:fips186_2', 'dh_paramgen_prime_len:1024', 'dh_paramgen_subprime_len:160' ],
+ message => 'DHX fips186_2 param gen with a selected p and q size using aliased',
+ expect => [ "BEGIN X9.42 DH PARAMETERS" ],
+ },
+ {
+ algorithm => 'DH',
+ pkeyopts => [ 'type:fips186_2', 'dh_paramgen_prime_len:1024', 'dh_paramgen_subprime_len:160' ],
+ message => 'DH fips186_2 param gen with a selected p and q size using aliases should fail',
+ expect => [ "ERROR" ],
+ },
+ {
+ algorithm => 'DH',
+ pkeyopts => [ 'group:ffdhe2048'],
+ expect => [ 'BEGIN DH PARAMETERS', 'GROUP:' ],
+ message => 'DH named group ffdhe selection',
+ },
+ {
+ algorithm => 'DH',
+ pkeyopts => [ 'dh_param:ffdhe8192'],
+ expect => [ 'BEGIN DH PARAMETERS', 'GROUP:' ],
+ message => 'DH named group ffdhe selection using alias',
+ },
+ {
+ algorithm => 'DH',
+ pkeyopts => [ 'group:modp_3072'],
+ expect => [ 'BEGIN DH PARAMETERS', 'GROUP:' ],
+ message => 'DH named group modp selection',
+ },
+ {
+ algorithm => 'DH',
+ pkeyopts => [ 'dh_param:modp_4096'],
+ message => 'DH named group modp selection using alias',
+ expect => [ 'BEGIN DH PARAMETERS', 'GROUP:'],
+ },
+ {
+ algorithm => 'DHX',
+ pkeyopts => [ 'group:dh_2048_256' ],
+ expect => [ 'BEGIN X9.42 DH PARAMETERS', 'GROUP:' ],
+ message => 'DHX RFC5114 named group selection',
+ },
+ {
+ algorithm => 'DHX',
+ pkeyopts => [ 'dh_param:dh_2048_224' ],
+ expect => [ 'BEGIN X9.42 DH PARAMETERS', 'GROUP:' ],
+ message => 'DHX RFC5114 named group selection using alias',
+ },
+ {
+ algorithm => 'DHX',
+ pkeyopts => [ 'dh_rfc5114:2'],
+ expect => [ 'BEGIN X9.42 DH PARAMETERS', 'GROUP:' ],
+ message => 'DHX RFC5114 named group selection using an id',
+ },
+ {
+ algorithm => 'DHX',
+ pkeyopts => [ 'dh_rfc5114:1', 'dh_paramgen_type:1' ],
+ expect => [ 'BEGIN X9.42 DH PARAMETERS', 'GROUP:' ],
+ message => 'DHX paramgen_type is ignored if the group is set',
+ },
+ {
+ algorithm => 'DH',
+ pkeyopts => [ 'dh_rfc5114:1', 'dh_paramgen_type:1' ],
+ expect => [ 'ERROR' ],
+ message => "Setting dh_paramgen_type to fips186 should fail for DH keys",
+ },
+# These tests using the safeprime generator were removed as they are slow..
+# {
+# algorithm => 'DH',
+# pkeyopts => [ 'type:generator', 'safeprime-generator:5'],
+# expect => [ 'BEGIN DH PARAMETERS', 'G: 5' ],
+# message => 'DH safe prime generator',
+# },
+# {
+# algorithm => 'DH',
+# pkeyopts => [ 'dh_paramgen_type:0', 'dh_paramgen_generator:5'],
+# expect => [ 'BEGIN DH PARAMETERS', 'G: 5' ],
+# message => 'DH safe prime generator using an alias',
+# },
+ {
+ algorithm => 'DHX',
+ pkeyopts => [ 'type:generator', 'safeprime-generator:5'],
+ expect => [ 'ERROR' ],
+ message => 'safe prime generator should fail for DHX',
+ },
+);
+
+plan skip_all => "DH isn't supported in this build" if disabled("dh");
+
+plan tests => scalar @testdata;
+
+foreach my $test (@testdata) {
+ my $alg = $test->{algorithm};
+ my $msg = $test->{message};
+ my @testargs = @{ $test->{pkeyopts} };
+ my @expected = @{ $test->{expect} };
+ my @pkeyopts= ();
+ foreach (@testargs) {
+ push(@pkeyopts, '-pkeyopt');
+ push(@pkeyopts, $_);
+ }
+ my @lines = run(app(['openssl', 'genpkey', '-genparam',
+ '-algorithm', $alg, '-text', @pkeyopts]),
+ capture => 1);
+ ok(compareline(\@lines, \@expected), $msg);
+}
+
+# Check that the stdout output matches the expected value.
+sub compareline {
+ my ($ref_lines, $ref_expected) = @_;
+ my @lines = @$ref_lines;
+ my @expected = @$ref_expected;
+
+ if (@lines == 0 and $expected[0] eq 'ERROR') {
+ return 1;
+ }
+ print "-----------------\n";
+ foreach (@lines) {
+ print $_;
+ }
+ print "-----------------\n";
+ foreach my $ex (@expected) {
+ if ( !grep { index($_, $ex) >= 0 } @lines) {
+ print "ERROR: Cannot find: $ex\n";
+ return 0;
+ }
+ }
+ return 1;
+}
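Review bot: `compareline` never sees the exit status of `openssl genpkey`, so in the `foreach my $test (@testdata)` loop a negative case (`expect => [ 'ERROR' ]`) passes purely because stdout is empty, and a positive case passes if the expected substrings were printed even when the command then exited non-zero. These negative cases guard the rule that FIPS 186 parameter types are rejected for plain `DH`, so they should assert that the command failed rather than infer it. OpenSSL::Test's `run` accepts `statusvar => \$var` together with `capture => 1`; passing that status into `compareline` lets it require failure for `ERROR` entries and success for all others. Even then any failure reason satisfies an `ERROR` entry, so matching the error text would be tighter, if stderr can be captured in this harness.

```perl
foreach my $test (@testdata) {
    # … unchanged: unpack $alg, $msg, @expected and build @pkeyopts …
    my $status;
    my @lines = run(app(['openssl', 'genpkey', '-genparam',
                         '-algorithm', $alg, '-text', @pkeyopts]),
                    capture => 1, statusvar => \$status);
    ok(compareline(\@lines, \@expected, $status), $msg);
}

sub compareline {
    my ($ref_lines, $ref_expected, $status) = @_;
    # … unchanged: copy @lines and @expected …
    if ($expected[0] eq 'ERROR') {
        # A rejection must be a failed run that produced no parameters.
        return (!$status and @lines == 0) ? 1 : 0;
    }
    # A successful generation must also exit cleanly.
    return 0 unless $status;
    # … unchanged: dump @lines and search for each expected substring …
}
```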
diff --git a/test/recipes/20-test_dhparam_check.t b/test/recipes/20-test_dhparam_check.t
index f3882ad2b3..b929afb326 100644
--- a/test/recipes/20-test_dhparam_check.t
+++ b/test/recipes/20-test_dhparam_check.t
@@ -28,16 +28,10 @@ TESTDIR=test/recipes/20-test_dhparam_check_data/valid
rm -rf $TESTDIR
mkdir -p $TESTDIR
-#TODO(3.0): These 3 currently create invalid output - see issue #14145
-./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt dh_rfc5114:1 -out $TESTDIR/dh5114_1.pem
-./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt dh_rfc5114:2 -out $TESTDIR/dh5114_2.pem
-./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt dh_rfc5114:3 -out $TESTDIR/dh5114_3.pem
-
-#TODO(3.0): These 4 currently create invalid output - see issue #14145
-./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt pbits:1024 -pkeyopt type:fips186_2 -out $TESTDIR/dh_p1024_t1862.pem
-./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt pbits:2048 -pkeyopt type:fips186_2 -out $TESTDIR/dh_p2048_t1862.pem
-./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt pbits:2048 -pkeyopt type:fips186_4 -out $TESTDIR/dh_p2048_t1864.pem
-./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt pbits:3072 -pkeyopt type:fips186_2 -out $TESTDIR/dh_p3072_t1862.pem
+./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt dh_rfc5114:1 -out $TESTDIR/dh_5114_1.pem
+./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt dh_rfc5114:2 -out $TESTDIR/dh_5114_2.pem
+./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt dh_rfc5114:3 -out $TESTDIR/dh_5114_3.pem
+./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt dh_rfc5114:2 -out $TESTDIR/dhx_5114_2.pem
./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt pbits:1024 -pkeyopt qbits:160 -pkeyopt type:fips186_2 -out $TESTDIR/dhx_p1024_q160_t1862.pem
./util/opensslwrap.sh genpkey -genparam -algorithm DHX -pkeyopt pbits:1024 -pkeyopt qbits:224 -pkeyopt type:fips186_2 -out $TESTDIR/dhx_p1024_q224_t1862.pem
diff --git a/test/recipes/20-test_dhparam_check_data/invalid/dh5114_1_pkcs3.pem b/test/recipes/20-test_dhparam_check_data/valid/dh_5114_1.pem
index abc5225db8..abc5225db8 100644
--- a/test/recipes/20-test_dhparam_check_data/invalid/dh5114_1_pkcs3.pem
+++ b/test/recipes/20-test_dhparam_check_data/valid/dh_5114_1.pem
diff --git a/test/recipes/20-test_dhparam_check_data/invalid/dh5114_2_pkcs3.pem b/test/recipes/20-test_dhparam_check_data/valid/dh_5114_2.pem
index d1fadc1a90..d1fadc1a90 100644
--- a/test/recipes/20-test_dhparam_check_data/invalid/dh5114_2_pkcs3.pem
+++ b/test/recipes/20-test_dhparam_check_data/valid/dh_5114_2.pem
diff --git a/test/recipes/20-test_dhparam_check_data/invalid/dh5114_3_pkcs3.pem b/test/recipes/20-test_dhparam_check_data/valid/dh_5114_3.pem
index 514f7a9bcd..514f7a9bcd 100644
--- a/test/recipes/20-test_dhparam_check_data/invalid/dh5114_3_pkcs3.pem
+++ b/test/recipes/20-test_dhparam_check_data/valid/dh_5114_3.pem
diff --git a/test/recipes/20-test_dhparam_check_data/valid/dhx_5114_2.pem b/test/recipes/20-test_dhparam_check_data/valid/dhx_5114_2.pem
new file mode 100644
index 0000000000..8887cb174b
--- /dev/null
+++ b/test/recipes/20-test_dhparam_check_data/valid/dhx_5114_2.pem
@@ -0,0 +1,14 @@
+-----BEGIN X9.42 DH PARAMETERS-----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+-----END X9.42 DH PARAMETERS-----