From a10847c427744fb7e7d29953dee130a52251c027 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 5 Aug 2020 10:28:51 +0200 Subject: "Downgrade" provider-native keys to legacy where needed Some sub-systems and openssl sub-commands do not yet deal cleanly with purely provider-native EVP_PKEYs. We compensate that by "downgrading" keys in select places, or ensure that the 'file:' scheme ENGINE loader is activated. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/12587) --- test/evp_extra_test.c | 13 +++++++++++++ test/recipes/20-test_pkeyutl.t | 11 +++++++++-- test/recipes/25-test_req.t | 30 +++++++++++++++++++----------- 3 files changed, 41 insertions(+), 13 deletions(-) (limited to 'test') diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index bae6f2339b..f62e26c290 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -33,6 +33,14 @@ #include "internal/sizes.h" #include "crypto/evp.h" +#ifndef OPENSSL_NO_SM2 +/* + * TODO(3.0) remove when provider SM2 keymgmt is implemented and + * EVP_PKEY_set_alias_type() works with provider-native keys. + */ +# define TMP_SM2_HACK +#endif + static OPENSSL_CTX *testctx = NULL; /* @@ -881,6 +889,11 @@ static int test_EVP_SM2_verify(void) if (!TEST_true(pkey != NULL)) goto done; +#ifdef TMP_SM2_HACK + if (!TEST_ptr(EVP_PKEY_get0(pkey))) + goto done; +#endif + if (!TEST_true(EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2))) goto done; diff --git a/test/recipes/20-test_pkeyutl.t b/test/recipes/20-test_pkeyutl.t index 543038cab9..3c135630f7 100644 --- a/test/recipes/20-test_pkeyutl.t +++ b/test/recipes/20-test_pkeyutl.t @@ -24,14 +24,21 @@ SKIP: { skip "Skipping tests that require EC, SM2 or SM3", 2 if disabled("ec") || disabled("sm2") || disabled("sm3"); + # TODO(3.0) Remove this when we have a SM2 keymgmt and decoder + my @tmp_sm2_hack = qw(-engine loader_attic) + unless disabled('dynamic-engine') || disabled('deprecated-3.0'); + skip "Skipping tests that require dynamic enginess (temporary meaasure)", 2 + unless @tmp_sm2_hack; + # SM2 - ok_nofips(run(app(([ 'openssl', 'pkeyutl', '-sign', + ok_nofips(run(app(([ 'openssl', 'pkeyutl', @tmp_sm2_hack, '-sign', '-in', srctop_file('test', 'certs', 'sm2.pem'), '-inkey', srctop_file('test', 'certs', 'sm2.key'), '-out', 'sm2.sig', '-rawin', '-digest', 'sm3', '-pkeyopt', 'distid:someid']))), "Sign a piece of data using SM2"); - ok_nofips(run(app(([ 'openssl', 'pkeyutl', '-verify', '-certin', + ok_nofips(run(app(([ 'openssl', 'pkeyutl', @tmp_sm2_hack, + '-verify', '-certin', '-in', srctop_file('test', 'certs', 'sm2.pem'), '-inkey', srctop_file('test', 'certs', 'sm2.pem'), '-sigfile', 'sm2.sig', '-rawin', diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t index 8d26be2bf0..544d32963c 100644 --- a/test/recipes/25-test_req.t +++ b/test/recipes/25-test_req.t @@ -29,6 +29,14 @@ if (disabled("rsa")) { note("There should not be more that at most 80 per line"); } +# TODO(3.0) This should be removed as soon as missing support is added +# Identified problems: +# - SM2 lacks provider-native keymgmt and decoder +# - ED25519, ED448, X25519 and X448 signature implementations do not +# respond to the "algorithm-id" parameter request. +my @tmp_loader_hack = qw(-engine loader_attic) + unless disabled('dynamic-engine') || disabled('deprecated-3.0'); + # Check for duplicate -addext parameters, and one "working" case. my @addext_args = ( "openssl", "req", "-new", "-out", "testreq.pem", "-config", srctop_file("test", "test.cnf"), @req_new ); @@ -135,15 +143,15 @@ subtest "generating certificate requests with Ed25519" => sub { SKIP: { skip "Ed25519 is not supported by this OpenSSL build", 2 - if disabled("ec"); + if disabled("ec") || !@tmp_loader_hack; - ok(run(app(["openssl", "req", + ok(run(app(["openssl", "req", @tmp_loader_hack, "-config", srctop_file("test", "test.cnf"), "-new", "-out", "testreq-ed25519.pem", "-utf8", "-key", srctop_file("test", "tested25519.pem")])), "Generating request"); - ok(run(app(["openssl", "req", + ok(run(app(["openssl", "req", @tmp_loader_hack, "-config", srctop_file("test", "test.cnf"), "-verify", "-in", "testreq-ed25519.pem", "-noout"])), "Verifying signature on request"); @@ -155,15 +163,15 @@ subtest "generating certificate requests with Ed448" => sub { SKIP: { skip "Ed448 is not supported by this OpenSSL build", 2 - if disabled("ec"); + if disabled("ec") || !@tmp_loader_hack; - ok(run(app(["openssl", "req", + ok(run(app(["openssl", "req", @tmp_loader_hack, "-config", srctop_file("test", "test.cnf"), "-new", "-out", "testreq-ed448.pem", "-utf8", "-key", srctop_file("test", "tested448.pem")])), "Generating request"); - ok(run(app(["openssl", "req", + ok(run(app(["openssl", "req", @tmp_loader_hack, "-config", srctop_file("test", "test.cnf"), "-verify", "-in", "testreq-ed448.pem", "-noout"])), "Verifying signature on request"); @@ -187,28 +195,28 @@ subtest "generating SM2 certificate requests" => sub { SKIP: { skip "SM2 is not supported by this OpenSSL build", 4 - if disabled("sm2"); - ok(run(app(["openssl", "req", + if disabled("sm2") || !@tmp_loader_hack; + ok(run(app(["openssl", "req", @tmp_loader_hack, "-config", srctop_file("test", "test.cnf"), "-new", "-key", srctop_file("test", "certs", "sm2.key"), "-sigopt", "distid:1234567812345678", "-out", "testreq-sm2.pem", "-sm3"])), "Generating SM2 certificate request"); - ok(run(app(["openssl", "req", + ok(run(app(["openssl", "req", @tmp_loader_hack, "-config", srctop_file("test", "test.cnf"), "-verify", "-in", "testreq-sm2.pem", "-noout", "-vfyopt", "distid:1234567812345678", "-sm3"])), "Verifying signature on SM2 certificate request"); - ok(run(app(["openssl", "req", + ok(run(app(["openssl", "req", @tmp_loader_hack, "-config", srctop_file("test", "test.cnf"), "-new", "-key", srctop_file("test", "certs", "sm2.key"), "-sigopt", "hexdistid:DEADBEEF", "-out", "testreq-sm2.pem", "-sm3"])), "Generating SM2 certificate request with hex id"); - ok(run(app(["openssl", "req", + ok(run(app(["openssl", "req", @tmp_loader_hack, "-config", srctop_file("test", "test.cnf"), "-verify", "-in", "testreq-sm2.pem", "-noout", "-vfyopt", "hexdistid:DEADBEEF", "-sm3"])), -- cgit v1.2.3