Diffstat (limited to 'test/recipes/15-test_ecparam.t')
-rw-r--r-- | test/recipes/15-test_ecparam.t | 176 |
1 files changed, 176 insertions, 0 deletions
diff --git a/test/recipes/15-test_ecparam.t b/test/recipes/15-test_ecparam.t
new file mode 100644
index 000000000000..37bf620f35ee
--- /dev/null
+++ b/test/recipes/15-test_ecparam.t
@@ -0,0 +1,176 @@
+#! /usr/bin/env perl
+# Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use File::Spec;
+use File::Compare qw/compare_text/;
+use OpenSSL::Glob;
+use OpenSSL::Test qw/:DEFAULT data_file srctop_file bldtop_dir/;
+use OpenSSL::Test::Utils;
+
+setup("test_ecparam");
+
+plan skip_all => "EC or EC2M isn't supported in this build"
+ if disabled("ec") || disabled("ec2m");
+
+my @valid = glob(data_file("valid", "*.pem"));
+my @noncanon = glob(data_file("noncanon", "*.pem"));
+my @invalid = glob(data_file("invalid", "*.pem"));
+
+plan tests => 12;
+
+sub checkload {
+ my $files = shift; # List of files
+ my $valid = shift; # Check should pass or fail?
+ my $app = shift; # Which application
+ my $opt = shift; # Additional option
+
+ foreach (@$files) {
+ if ($valid) {
+ ok(run(app(['openssl', $app, '-noout', $opt, '-in', $_])));
+ } else {
+ ok(!run(app(['openssl', $app, '-noout', $opt, '-in', $_])));
+ }
+ }
+}
+
+sub checkcompare {
+ my $files = shift; # List of files
+ my $app = shift; # Which application
+
+ foreach (@$files) {
+ my $testout = "$app.tst";
+
+ ok(run(app(['openssl', $app, '-out', $testout, '-in', $_])));
+ ok(!compare_text($_, $testout, sub {
+ my $in1 = $_[0];
+ my $in2 = $_[1];
+ $in1 =~ s/\r\n/\n/g;
+ $in2 =~ s/\r\n/\n/g;
+ $in1 ne $in2}), "Original file $_ is the same as new one");
+ }
+}
+
+my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+
+subtest "Check loading valid parameters by ecparam with -check" => sub {
+ plan tests => scalar(@valid);
+ checkload(\@valid, 1, "ecparam", "-check");
+};
+
+subtest "Check loading valid parameters by ecparam with -check_named" => sub {
+ plan tests => scalar(@valid);
+ checkload(\@valid, 1, "ecparam", "-check_named");
+};
+
+subtest "Check loading valid parameters by pkeyparam with -check" => sub {
+ plan tests => scalar(@valid);
+ checkload(\@valid, 1, "pkeyparam", "-check");
+};
+
+subtest "Check loading non-canonically encoded parameters by ecparam with -check" => sub {
+ plan tests => scalar(@noncanon);
+ checkload(\@noncanon, 1, "ecparam", "-check");
+};
+
+subtest "Check loading non-canonically encoded parameters by ecparam with -check_named" => sub {
+ plan tests => scalar(@noncanon);
+ checkload(\@noncanon, 1, "ecparam", "-check_named");
+};
+
+subtest "Check loading non-canonically encoded parameters by pkeyparam with -check" => sub {
+ plan tests => scalar(@noncanon);
+ checkload(\@noncanon, 1, "pkeyparam", "-check");
+};
+
+subtest "Check loading invalid parameters by ecparam with -check" => sub {
+ plan tests => scalar(@invalid);
+ checkload(\@invalid, 0, "ecparam", "-check");
+};
+
+subtest "Check loading invalid parameters by ecparam with -check_named" => sub {
+ plan tests => scalar(@invalid);
+ checkload(\@invalid, 0, "ecparam", "-check_named");
+};
+
+subtest "Check loading invalid parameters by pkeyparam with -check" => sub {
+ plan tests => scalar(@invalid);
+ checkload(\@invalid, 0, "pkeyparam", "-check");
+};
+
+subtest "Check ecparam does not change the parameter file on output" => sub {
+ plan tests => 2 * scalar(@valid);
+ checkcompare(\@valid, "ecparam");
+};
+
+subtest "Check pkeyparam does not change the parameter file on output" => sub {
+ plan tests => 2 * scalar(@valid);
+ checkcompare(\@valid, "pkeyparam");
+};
+
+subtest "Check loading of fips and non-fips params" => sub {
+ plan skip_all => "FIPS is disabled"
+ if $no_fips;
+ plan tests => 8;
+
+ my $fipsconf = srctop_file("test", "fips-and-base.cnf");
+ my $defaultconf = srctop_file("test", "default.cnf");
+
+ $ENV{OPENSSL_CONF} = $fipsconf;
+
+ ok(run(app(['openssl', 'ecparam',
+ '-in', data_file('valid', 'secp384r1-explicit.pem'),
+ '-check'])),
+ "Loading explicitly encoded valid curve");
+
+ ok(run(app(['openssl', 'ecparam',
+ '-in', data_file('valid', 'secp384r1-named.pem'),
+ '-check'])),
+ "Loading named valid curve");
+
+ ok(!run(app(['openssl', 'ecparam',
+ '-in', data_file('valid', 'secp112r1-named.pem'),
+ '-check'])),
+ "Fail loading named non-fips curve");
+
+ ok(!run(app(['openssl', 'pkeyparam',
+ '-in', data_file('valid', 'secp112r1-named.pem'),
+ '-check'])),
+ "Fail loading named non-fips curve using pkeyparam");
+
+ ok(run(app(['openssl', 'ecparam',
+ '-provider', 'default',
+ '-propquery', '?fips!=yes',
+ '-in', data_file('valid', 'secp112r1-named.pem'),
+ '-check'])),
+ "Loading named non-fips curve in FIPS mode with non-FIPS property".
+ " query");
+
+ ok(run(app(['openssl', 'pkeyparam',
+ '-provider', 'default',
+ '-propquery', '?fips!=yes',
+ '-in', data_file('valid', 'secp112r1-named.pem'),
+ '-check'])),
+ "Loading named non-fips curve in FIPS mode with non-FIPS property".
+ " query using pkeyparam");
+
+ ok(!run(app(['openssl', 'ecparam',
+ '-genkey', '-name', 'secp112r1'])),
+ "Fail generating key for named non-fips curve");
+
+ ok(run(app(['openssl', 'ecparam',
+ '-provider', 'default',
+ '-propquery', '?fips!=yes',
+ '-genkey', '-name', 'secp112r1'])),
+ "Generating key for named non-fips curve with non-FIPS property query");
+
+ $ENV{OPENSSL_CONF} = $defaultconf;
+}; |
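Review bot: The negative cases, the `else` branch of `checkload` (`ok(!run(app([...])))`) and the `ok(!run(...))` checks in the FIPS subtest, accept any non-zero outcome, so as far as this file shows, a crash while parsing a file from `invalid/` would be counted the same as a clean rejection. Since these tests exist to feed malformed or disallowed EC parameters to the loader, it is worth pinning the expected failure status, for example by wrapping the call in OpenSSL::Test's `with({ exit_checker => sub { return shift == 1; } }, sub { ... })` and asserting `ok(run(...))` inside it; `with` would have to be added to the import list, and the value 1 is an assumption to confirm against what `ecparam` and `pkeyparam` return for a rejected file. Separately, the FIPS subtest assigns `$ENV{OPENSSL_CONF}` and resets it to `$defaultconf` at the end rather than to its previous value; `local $ENV{OPENSSL_CONF} = $fipsconf;` would restore whatever was set before, including on an early exit from the subtest.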