From 19914fec9bac08ca7c7917eddc1b7d1dba67e4a7 Mon Sep 17 00:00:00 2001
From: Lutz Jaenicke
Date: Wed, 15 Jun 2022 19:01:43 +0200
Subject: cms: Create test for for purpose verification in cms application

The tests only cover the correct handling of the codesigning purpose in the certificates in the context of the cms command line tool. The interpretation of the certificate purpose is tested in the context of the "verify" app. The correct handling of the cms objects is tested by other tests in 80-test_cms.t.
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/18567)
---
 test/recipes/80-test_cms.t | 46 +++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 45 insertions(+), 1 deletion(-)
(limited to 'test/recipes/80-test_cms.t')
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index 11a6636863..e10e086005 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
 $no_rc2 = 1 if disabled("legacy");
-plan tests => 14;
+plan tests => 15;
 ok(run(test(["pkcs7_test"])), "test pkcs7");
@@ -889,6 +889,50 @@ subtest "CMS signed digest, S/MIME format" => sub {
 "Verify CMS signed digest, S/MIME format");
 };
+subtest "CMS code signing test" => sub {
+ plan tests => 7;
+ my $sig_file = "signature.p7s";
+ ok(run(app(["openssl", "cms", @prov, "-sign", "-in", $smcont,
+ "-certfile", catfile($smdir, "smroot.pem"),
+ "-signer", catfile($smdir, "smrsa1.pem"),
+ "-out", $sig_file])),
+ "accept perform CMS signature with smime certificate");
+
+ ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
+ "-CAfile", catfile($smdir, "smroot.pem"),
+ "-content", $smcont])),
+ "accept verify CMS signature with smime certificate");
+
+ ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
+ "-CAfile", catfile($smdir, "smroot.pem"),
+ "-purpose", "codesign",
+ "-content", $smcont])),
+ "fail verify CMS signature with smime certificate for purpose code signing");
+
+ ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
+ "-CAfile", catfile($smdir, "smroot.pem"),
+ "-purpose", "football",
+ "-content", $smcont])),
+ "fail verify CMS signature with invalid purpose argument");
+
+ ok(run(app(["openssl", "cms", @prov, "-sign", "-in", $smcont,
+ "-certfile", catfile($smdir, "smroot.pem"),
+ "-signer", catfile($smdir, "csrsa1.pem"),
+ "-out", $sig_file])),
+ "accept perform CMS signature with code signing certificate");
+
+ ok(run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
+ "-CAfile", catfile($smdir, "smroot.pem"),
+ "-purpose", "codesign",
+ "-content", $smcont])),
+ "accept verify CMS signature with code signing certificate for purpose code signing");
+
+ ok(!run(app(["openssl", "cms", @prov, "-verify", "-in", $sig_file,
+ "-CAfile", catfile($smdir, "smroot.pem"),
+ "-content", $smcont])),
+ "fail verify CMS signature with code signing certificate for purpose smime_sign");
+};
+
 sub check_availability {
 my $tnam = shift;
-- 
cgit v1.2.3
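Review bot: The three `ok(!run(app([...])))` cases in the new subtest pass on any non-zero exit from `openssl cms`, so the harness cannot tell a certificate-purpose rejection apart from an unrelated failure such as an unreadable `signature.p7s` or an option-parsing error; the "football" case and the two purpose-mismatch cases look identical to it. Consider wrapping each one in `with({ exit_checker => sub { return shift == $expected; } }, sub { ok(run(app([...])), ...); })` from OpenSSL::Test, with `$expected` set to the status the cms app returns for that failure class (the values are not visible in this hunk). The last case also passes no `-purpose` although its description says "for purpose smime_sign", so it silently depends on the default purpose; a comment such as `# no -purpose: relies on the cms default being S/MIME signing`, or an additional explicit `"-purpose", "smimesign"` variant, would make that dependency visible and keep the test meaningful if the default ever changes.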