xref: /openssl/test/recipes/80-test_pkcs12.t (revision d7b659e1) 
1#! /usr/bin/env perl
2# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
3#
4# Licensed under the Apache License 2.0 (the "License").  You may not use
5# this file except in compliance with the License.  You can obtain a copy
6# in the file LICENSE in the source distribution or at
7# https://www.openssl.org/source/license.html
8
9use strict;
10use warnings;
11
12use OpenSSL::Test qw/:DEFAULT srctop_file bldtop_dir with/;
13use OpenSSL::Test::Utils;
14
15use Encode;
16
17setup("test_pkcs12");
18
19my $pass = "σύνθημα γνώρισμα";
20
21my $savedcp;
22if (eval { require Win32::API; 1; }) {
23    # Trouble is that Win32 perl uses CreateProcessA, which
24    # makes it problematic to pass non-ASCII arguments, from perl[!]
25    # that is. This is because CreateProcessA is just a wrapper for
26    # CreateProcessW and will call MultiByteToWideChar and use
27    # system default locale. Since we attempt Greek pass-phrase
28    # conversion can be done only with Greek locale.
29
30    Win32::API->Import("kernel32","UINT GetSystemDefaultLCID()");
31    if (GetSystemDefaultLCID() != 0x408) {
32        plan skip_all => "Non-Greek system locale";
33    } else {
34        # Ensure correct code page so that VERBOSE output is right.
35        Win32::API->Import("kernel32","UINT GetConsoleOutputCP()");
36        Win32::API->Import("kernel32","BOOL SetConsoleOutputCP(UINT cp)");
37        $savedcp = GetConsoleOutputCP();
38        SetConsoleOutputCP(1253);
39        $pass = Encode::encode("cp1253",Encode::decode("utf-8",$pass));
40    }
41} elsif ($^O eq "MSWin32") {
42    plan skip_all => "Win32::API unavailable";
43} elsif ($^O ne "VMS") {
44    # Running MinGW tests transparently under Wine apparently requires
45    # UTF-8 locale...
46
47    foreach(`locale -a`) {
48        s/\R$//;
49        if ($_ =~ m/^C\.UTF\-?8/i) {
50            $ENV{LC_ALL} = $_;
51            last;
52        }
53    }
54}
55$ENV{OPENSSL_WIN32_UTF8}=1;
56
57my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
58
59plan tests => $no_fips ? 45 : 51;
60
61# Test different PKCS#12 formats
62ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
63# Test with legacy APIs
64ok(run(test(["pkcs12_format_test", "-legacy"])), "test pkcs12 formats using legacy APIs");
65# Test with a non-default library context (and no loaded providers in the default context)
66ok(run(test(["pkcs12_format_test", "-context"])), "test pkcs12 formats using a non-default library context");
67
68SKIP: {
69     skip "VMS doesn't have command line UTF-8 support yet in DCL", 1
70         if $^O eq "VMS";
71
72     # just see that we can read shibboleth.pfx protected with $pass
73     ok(run(app(["openssl", "pkcs12", "-noout",
74                 "-password", "pass:$pass",
75                 "-in", srctop_file("test", "shibboleth.pfx")])),
76        "test_load_cert_pkcs12");
77}
78
79my @path = qw(test certs);
80my $outfile1 = "out1.p12";
81my $outfile2 = "out2.p12";
82my $outfile3 = "out3.p12";
83my $outfile4 = "out4.p12";
84my $outfile5 = "out5.p12";
85my $outfile6 = "out6.p12";
86my $outfile7 = "out7.p12";
87
88# Test the -chain option with -untrusted
89ok(run(app(["openssl", "pkcs12", "-export", "-chain",
90            "-CAfile",  srctop_file(@path,  "sroot-cert.pem"),
91            "-untrusted", srctop_file(@path, "ca-cert.pem"),
92            "-in", srctop_file(@path, "ee-cert.pem"),
93            "-nokeys", "-passout", "pass:", "-out", $outfile1])),
94   "test_pkcs12_chain_untrusted");
95
96# Test the -passcerts option
97SKIP: {
98    skip "Skipping PKCS#12 test because DES is disabled in this build", 1
99        if disabled("des");
100    ok(run(app(["openssl", "pkcs12", "-export",
101            "-in", srctop_file(@path, "ee-cert.pem"),
102            "-certfile", srctop_file(@path, "v3-certs-TDES.p12"),
103            "-passcerts", "pass:v3-certs",
104            "-nokeys", "-passout", "pass:v3-certs", "-descert",
105            "-out", $outfile2])),
106   "test_pkcs12_passcerts");
107}
108
109SKIP: {
110    skip "Skipping legacy PKCS#12 test because the required algorithms are disabled", 1
111        if disabled("des") || disabled("rc2") || disabled("legacy");
112    # Test reading legacy PKCS#12 file
113    ok(run(app(["openssl", "pkcs12", "-export",
114                "-in", srctop_file(@path, "v3-certs-RC2.p12"),
115                "-passin", "pass:v3-certs",
116                "-provider", "default", "-provider", "legacy",
117                "-nokeys", "-passout", "pass:v3-certs", "-descert",
118                "-out", $outfile3])),
119    "test_pkcs12_passcerts_legacy");
120}
121
122# Test export of PEM file with both cert and key
123# -nomac necessary to avoid legacy provider requirement
124ok(run(app(["openssl", "pkcs12", "-export",
125        "-inkey", srctop_file(@path, "cert-key-cert.pem"),
126        "-in", srctop_file(@path, "cert-key-cert.pem"),
127        "-passout", "pass:v3-certs",
128        "-nomac", "-out", $outfile4], stderr => "outerr.txt")),
129   "test_export_pkcs12_cert_key_cert");
130open DATA, "outerr.txt";
131my @match = grep /:error:/, <DATA>;
132close DATA;
133ok(scalar @match > 0 ? 0 : 1, "test_export_pkcs12_outerr_empty");
134
135ok(run(app(["openssl", "pkcs12",
136            "-in", $outfile4,
137            "-passin", "pass:v3-certs",
138            "-nomacver", "-nodes"])),
139  "test_import_pkcs12_cert_key_cert");
140
141ok(run(app(["openssl", "pkcs12", "-export", "-out", $outfile5,
142            "-in", srctop_file(@path, "ee-cert.pem"), "-caname", "testname",
143            "-nokeys", "-passout", "pass:", "-certpbe", "NONE"])),
144   "test nokeys single cert");
145
146my @pkcs12info = run(app(["openssl", "pkcs12", "-info", "-in", $outfile5,
147                          "-passin", "pass:"]), capture => 1);
148
149# Test that with one input certificate, we get one output certificate
150ok(grep(/subject=CN\s*=\s*server.example/, @pkcs12info) == 1,
151   "test one cert in output");
152
153# Test that the expected friendly name is present in the output
154ok(grep(/testname/, @pkcs12info) == 1, "test friendly name in output");
155
156# Test there's no Oracle Trusted Key Usage bag attribute
157ok(grep(/Trusted key usage (Oracle)/, @pkcs12info) == 0,
158    "test no oracle trusted key usage");
159
160# Test export of PEM file with both cert and key, without password.
161# -nomac necessary to avoid legacy provider requirement
162{
163    ok(run(app(["openssl", "pkcs12", "-export",
164            "-inkey", srctop_file(@path, "cert-key-cert.pem"),
165            "-in", srctop_file(@path, "cert-key-cert.pem"),
166            "-passout", "pass:",
167            "-nomac", "-out", $outfile6], stderr => "outerr6.txt")),
168    "test_export_pkcs12_cert_key_cert_no_pass");
169    open DATA, "outerr6.txt";
170    my @match = grep /:error:/, <DATA>;
171    close DATA;
172    ok(scalar @match > 0 ? 0 : 1, "test_export_pkcs12_outerr6_empty");
173}
174
175my %pbmac1_tests = (
176    pbmac1_defaults => {args => [], lookup => "hmacWithSHA256"},
177    pbmac1_nondefaults => {args => ["-pbmac1_pbkdf2_md", "sha512", "-macalg", "sha384"], lookup => "hmacWithSHA512"},
178);
179
180for my $instance (sort keys %pbmac1_tests) {
181    my $extra_args = $pbmac1_tests{$instance}{args};
182    my $lookup     = $pbmac1_tests{$instance}{lookup};
183    # Test export of PEM file with both cert and key, with password.
184    {
185        my $pbmac1_id = $instance;
186        ok(run(app(["openssl", "pkcs12", "-export", "-pbmac1_pbkdf2",
187                "-inkey", srctop_file(@path, "cert-key-cert.pem"),
188                "-in", srctop_file(@path, "cert-key-cert.pem"),
189                "-passout", "pass:1234",
190                @$extra_args,
191                "-out", "$pbmac1_id.p12"], stderr => "${pbmac1_id}_err.txt")),
192        "test_export_pkcs12_${pbmac1_id}");
193        open DATA, "${pbmac1_id}_err.txt";
194        my @match = grep /:error:/, <DATA>;
195        close DATA;
196        ok(scalar @match > 0 ? 0 : 1, "test_export_pkcs12_${pbmac1_id}_err.empty");
197
198        ok(run(app(["openssl", "pkcs12", "-in", "$pbmac1_id.p12", "-info", "-noout",
199                "-passin", "pass:1234"], stderr => "${pbmac1_id}_info.txt")),
200        "test_export_pkcs12_${pbmac1_id}_info");
201        open DATA, "${pbmac1_id}_info.txt";
202        my @match = grep /$lookup/, <DATA>;
203        close DATA;
204        ok(scalar @match > 0 ? 1 : 0, "test_export_pkcs12_${pbmac1_id}_info");
205    }
206}
207
208# Test pbmac1 pkcs12 good files, RFC 9579
209for my $file ("pbmac1_256_256.good.p12", "pbmac1_512_256.good.p12", "pbmac1_512_512.good.p12")
210{
211    my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
212    ok(run(app(["openssl", "pkcs12", "-in", $path, "-password", "pass:1234", "-noenc"])),
213      "test pbmac1 pkcs12 file $file");
214}
215
216
217unless ($no_fips) {
218    my $provpath = bldtop_dir("providers");
219    my $provconf = srctop_file("test", "fips-and-base.cnf");
220    my $provname = 'fips';
221    my @prov = ("-provider-path", $provpath,
222                "-provider", $provname);
223    local $ENV{OPENSSL_CONF} = $provconf;
224
225# Test pbmac1 pkcs12 good files, RFC 9579
226    for my $file ("pbmac1_256_256.good.p12", "pbmac1_512_256.good.p12", "pbmac1_512_512.good.p12")
227    {
228        my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
229        ok(run(app(["openssl", "pkcs12", @prov, "-in", $path, "-password", "pass:1234", "-noenc"])),
230           "test pbmac1 pkcs12 file $file");
231
232        ok(run(app(["openssl", "pkcs12", @prov, "-in", $path, "-info", "-noout",
233                    "-passin", "pass:1234"], stderr => "${file}_info.txt")),
234           "test_export_pkcs12_${file}_info");
235    }
236}
237
238# Test pbmac1 pkcs12 bad files, RFC 9579
239for my $file ("pbmac1_256_256.bad-iter.p12", "pbmac1_256_256.bad-salt.p12", "pbmac1_256_256.no-len.p12")
240{
241    my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
242    with({ exit_checker => sub { return shift == 1; } },
243        sub {
244            ok(run(app(["openssl", "pkcs12", "-in", $path, "-password", "pass:1234", "-noenc"])),
245            "test pbmac1 pkcs12 bad file $file");
246            }
247        );
248}
249
250# Test some bad pkcs12 files
251my $bad1 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad1.p12");
252my $bad2 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad2.p12");
253my $bad3 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad3.p12");
254
255with({ exit_checker => sub { return shift == 1; } },
256     sub {
257        ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:"])),
258           "test bad pkcs12 file 1");
259
260        ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:",
261                    "-nomacver"])),
262           "test bad pkcs12 file 1 (nomacver)");
263
264        ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:",
265                    "-info"])),
266           "test bad pkcs12 file 1 (info)");
267
268        ok(run(app(["openssl", "pkcs12", "-in", $bad2, "-password", "pass:"])),
269           "test bad pkcs12 file 2");
270
271        ok(run(app(["openssl", "pkcs12", "-in", $bad2, "-password", "pass:",
272                    "-info"])),
273           "test bad pkcs12 file 2 (info)");
274
275        ok(run(app(["openssl", "pkcs12", "-in", $bad3, "-password", "pass:"])),
276           "test bad pkcs12 file 3");
277
278        ok(run(app(["openssl", "pkcs12", "-in", $bad3, "-password", "pass:",
279                    "-info"])),
280           "test bad pkcs12 file 3 (info)");
281     });
282
283# Test with Oracle Trusted Key Usage specified in openssl.cnf
284{
285    ok(run(app(["openssl", "pkcs12", "-export", "-out", $outfile7,
286                "-jdktrust", "anyExtendedKeyUsage", "-in", srctop_file(@path, "ee-cert.pem"),
287                "-nokeys", "-passout", "pass:", "-certpbe", "NONE"])),
288       "test nokeys single cert");
289
290    my @pkcs12info = run(app(["openssl", "pkcs12", "-info", "-in", $outfile7,
291                          "-passin", "pass:"]), capture => 1);
292    ok(grep(/Trusted key usage \(Oracle\): Any Extended Key Usage \(2.5.29.37.0\)/, @pkcs12info) == 1,
293        "test oracle trusted key usage is set");
294
295    delete $ENV{OPENSSL_CONF}
296}
297
298# Tests for pkcs12_parse
299ok(run(test(["pkcs12_api_test",
300             "-in", $outfile1,
301             "-has-ca", 1,
302             ])), "Test pkcs12_parse()");
303
304SKIP: {
305    skip "Skipping PKCS#12 parse test because DES is disabled in this build", 1
306        if disabled("des");
307    ok(run(test(["pkcs12_api_test",
308                 "-in", $outfile2,
309                 "-pass", "v3-certs",
310                 "-has-ca", 1,
311                 ])), "Test pkcs12_parse()");
312}
313
314SKIP: {
315    skip "Skipping PKCS#12 parse test because the required algorithms are disabled", 1
316        if disabled("des") || disabled("rc2") || disabled("legacy");
317    ok(run(test(["pkcs12_api_test",
318                 "-in", $outfile3,
319                 "-pass", "v3-certs",
320                 "-has-ca", 1,
321                 ])), "Test pkcs12_parse()");
322}
323
324ok(run(test(["pkcs12_api_test",
325             "-in", $outfile4,
326             "-pass", "v3-certs",
327             "-has-ca", 1,
328             "-has-key", 1,
329             "-has-cert", 1,
330             ])), "Test pkcs12_parse()");
331
332ok(run(test(["pkcs12_api_test",
333             "-in", $outfile5,
334             "-has-ca", 1,
335             ])), "Test pkcs12_parse()");
336
337ok(run(test(["pkcs12_api_test",
338             "-in", $outfile6,
339             "-pass", "",
340             "-has-ca", 1,
341             "-has-key", 1,
342             "-has-cert", 1,
343             ])), "Test pkcs12_parse()");
344
345SetConsoleOutputCP($savedcp) if (defined($savedcp));
346