From 007761ec0bdd6aa139371b26489c839c9ac3e8a8 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 17 Jun 2024 12:19:45 +0200 Subject: Add test for ASN1_item_verify() This is a test for https://github.com/openssl/openssl/issues/24575 Original idea by Theo Buehler. Reviewed-by: Tom Cosgrove Reviewed-by: Neil Horman Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/24576) (cherry picked from commit 2f0b4974dfbd9bc71e1164e0742fc7fdb2b2b70e) --- test/certs/ee-self-signed-pss.pem | 21 ++++++++++++ test/certs/setup.sh | 4 +++ test/recipes/25-test_x509.t | 4 ++- test/x509_test.c | 72 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 100 insertions(+), 1 deletion(-) create mode 100644 test/certs/ee-self-signed-pss.pem diff --git a/test/certs/ee-self-signed-pss.pem b/test/certs/ee-self-signed-pss.pem new file mode 100644 index 0000000000..fab433321c --- /dev/null +++ b/test/certs/ee-self-signed-pss.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDhTCCAjmgAwIBAgIUZxTKBh9L8ApVNcsI5ontnHRbv8wwQQYJKoZIhvcNAQEK +MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF +AKIDAgEgMB0xGzAZBgNVBAMMEmVlLXNlbGYtc2lnbmVkLXBzczAgFw0yNDA2MTcx +MTA5NTRaGA8yMTI0MDYxODExMDk1NFowHTEbMBkGA1UEAwwSZWUtc2VsZi1zaWdu +ZWQtcHNzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqP+JWGGFrt7b +LA/Vc/vit6gbenVgK9R9PHN2ta7eky9/JJBtyRz0ijjNn6KAFlbLtCy7k+UXH/8N +xkP+MTT4KNh16aO7iILvo3LiU2IFRU3gMZfvqp0Q0lgNngaeMrsbCFZdZQ8/Zo7C +NqAR/8BZNf1JHN0cQjMGeK4EOCPl53Vn05StWqlAH6xZEPUMwWStSsTGNVOzlmqC +GxWL0Zmr5J5vlKrSluVX+4yRZIo8JBbG0hm+gmATO2Kw7T4ds8r5a98xuXqeS0do +pynHP0riIie075Bj1+/Qckk+W625G9Qrb4Zo3dVzErhDydxBD6KjRk+LZ4iED2H+ +eTQfSokftwIDAQABo1MwUTAdBgNVHQ4EFgQU55viKq2KbDrLdlHljgeYIpfhc6Iw +HwYDVR0jBBgwFoAU55viKq2KbDrLdlHljgeYIpfhc6IwDwYDVR0TAQH/BAUwAwEB +/zBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEI +MA0GCWCGSAFlAwQCAQUAogMCASADggEBADjXHPnAha0YQKFCfQZqy8LLgxoQDbfP +5XKQJ8/FfeJXO9yjEmqOEoWM/QQIlM1gpepOOw8ZRhxcwx93eO+XtvJUA3bW+H73 +jwnqiX5mu1SpA/2IHcifxuOuXUwUh7vtOJGFATHusAn7dS3+tnJSkS+6pvSsJjDu +0x3fV8rLq1gL9gOC2MdzkLxyp7xmdgibQMI+PyPNgU1e1Qm88Cp5dVNRMdgQ+3CL +E3h7qfSpSkUCM9rNBc2/rqavQ/UPq5H6r8R9gYd9yR7uGL88B9QI4DQDR8T6x9JG +0ebWYLuH2xWP9Njl2IbwN3uqQSeRSSqy7UlNo51O+nkvU1vCJGy6aXw= +-----END CERTIFICATE----- diff --git a/test/certs/setup.sh b/test/certs/setup.sh index d517384301..4280ac3a8d 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -226,6 +226,10 @@ OPENSSL_KEYBITS=8192 \ # self-signed end-entity cert with explicit keyUsage not including KeyCertSign openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed -out ee-self-signed.pem -addext keyUsage=digitalSignature -days 36525 +# self-signed end-entity cert signed with RSA-PSS +openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed-pss -out ee-self-signed-pss.pem -days 36525 \ + -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest + # Proxy certificates, off of ee-client # Start with some good ones ./mkcert.sh req pc1-key "0.CN = server.example" "1.CN = proxy 1" | \ diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t index 739ac746ba..13dce34076 100644 --- a/test/recipes/25-test_x509.t +++ b/test/recipes/25-test_x509.t @@ -271,5 +271,7 @@ ok(-e $ca_serial_dot_in_dir); SKIP: { skip "EC is not supported by this OpenSSL build", 1 if disabled("ec"); - ok(run(test(["x509_test"])), "running x509_test"); + my $psscert = srctop_file(@certs, "ee-self-signed-pss.pem"); + + ok(run(test(["x509_test", $psscert])), "running x509_test"); } diff --git a/test/x509_test.c b/test/x509_test.c index f5a67c63d9..3996d5010d 100644 --- a/test/x509_test.c +++ b/test/x509_test.c @@ -7,7 +7,14 @@ * https://www.openssl.org/source/license.html */ +#define OPENSSL_SUPPRESS_DEPRECATED /* EVP_PKEY_get1/set1_RSA */ + #include +#include +#include +#include +#include +#include "crypto/x509.h" /* x509_st definition */ #include "testutil.h" static EVP_PKEY *pubkey = NULL; @@ -114,9 +121,73 @@ static int test_x509_crl_tbs_cache(void) return ret; } +static int test_asn1_item_verify(void) +{ + int ret = 0; + BIO *bio = NULL; + X509 *x509 = NULL; + const char *certfile; + const ASN1_BIT_STRING *sig = NULL; + const X509_ALGOR *alg = NULL; + EVP_PKEY *pkey; +#ifndef OPENSSL_NO_DEPRECATED_3_0 + RSA *rsa = NULL; +#endif + + if (!TEST_ptr(certfile = test_get_argument(0)) + || !TEST_ptr(bio = BIO_new_file(certfile, "r")) + || !TEST_ptr(x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) + || !TEST_ptr(pkey = X509_get0_pubkey(x509))) + goto err; + +#ifndef OPENSSL_NO_DEPRECATED_3_0 + /* Issue #24575 requires legacy key but the test is useful anyway */ + if (!TEST_ptr(rsa = EVP_PKEY_get1_RSA(pkey))) + goto err; + + if (!TEST_int_gt(EVP_PKEY_set1_RSA(pkey, rsa), 0)) + goto err; +#endif + + X509_get0_signature(&sig, &alg, x509); + + if (!TEST_int_gt(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF), + (X509_ALGOR *)alg, (ASN1_BIT_STRING *)sig, + &x509->cert_info, pkey), 0)) + goto err; + + ERR_set_mark(); + if (!TEST_int_lt(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF), + (X509_ALGOR *)alg, (ASN1_BIT_STRING *)sig, + NULL, pkey), 0)) { + ERR_clear_last_mark(); + goto err; + } + ERR_pop_to_mark(); + + ret = 1; + + err: +#ifndef OPENSSL_NO_DEPRECATED_3_0 + RSA_free(rsa); +#endif + X509_free(x509); + BIO_free(bio); + return ret; +} + +OPT_TEST_DECLARE_USAGE("\n") + int setup_tests(void) { const unsigned char *p; + int cnt; + + cnt = test_get_argument_count(); + if (cnt != 1) { + TEST_error("Must specify a certificate file self-signed with RSA-PSS.\n"); + return 0; + } p = pubkeydata; pubkey = d2i_PUBKEY(NULL, &p, sizeof(pubkeydata)); @@ -138,6 +209,7 @@ int setup_tests(void) ADD_TEST(test_x509_tbs_cache); ADD_TEST(test_x509_crl_tbs_cache); + ADD_TEST(test_asn1_item_verify); return 1; } -- cgit v1.2.3