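#! /usr/bin/env perl
# Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# Exercises the `openssl pkeyutl` command line for signing and verifying:
# raw-input (-rawin) signatures with SM2, Ed25519 and Ed448 over a
# certificate file, then a shared sign/verify sequence (tsignverify) for
# RSA, RSA-PSS, DSA, ECDSA, Ed25519 and Ed448 keys.

use strict;
use warnings;

use File::Spec;
use File::Basename;
use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips/;
use OpenSSL::Test::Utils;

setup("test_pkeyutl");

# 2 (SM2) + 4 (Ed25519/Ed448) + 2 (RSA) + 1 (DSA) + 1 (ECDSA) + 2 (EdDSA).
# Every skip count below must add up to this number.
plan tests => 12;

# For the tests below we use the cert itself as the TBS file

SKIP: {
    skip "Skipping tests that require EC, SM2 or SM3", 2
        if disabled("ec") || disabled("sm2") || disabled("sm3");

    # SM2
    # The same distid is passed to both sign and verify.
    ok_nofips(run(app(([ 'openssl', 'pkeyutl', '-sign',
                      '-in', srctop_file('test', 'certs', 'sm2.pem'),
                      '-inkey', srctop_file('test', 'certs', 'sm2.key'),
                      '-out', 'sm2.sig', '-rawin',
                      '-digest', 'sm3', '-pkeyopt', 'distid:someid']))),
                      "Sign a piece of data using SM2");
    ok_nofips(run(app(([ 'openssl', 'pkeyutl',
                      '-verify', '-certin',
                      '-in', srctop_file('test', 'certs', 'sm2.pem'),
                      '-inkey', srctop_file('test', 'certs', 'sm2.pem'),
                      '-sigfile', 'sm2.sig', '-rawin',
                      '-digest', 'sm3', '-pkeyopt', 'distid:someid']))),
                      "Verify an SM2 signature against a piece of data");
}

SKIP: {
    skip "Skipping tests that require EC", 4
        if disabled("ec");

    # Ed25519
    # With -certin the verification key is read from the certificate,
    # which is also the data that was signed.
    ok(run(app(([ 'openssl', 'pkeyutl', '-sign', '-in',
                  srctop_file('test', 'certs', 'server-ed25519-cert.pem'),
                  '-inkey', srctop_file('test', 'certs', 'server-ed25519-key.pem'),
                  '-out', 'Ed25519.sig', '-rawin']))),
                  "Sign a piece of data using Ed25519");
    ok(run(app(([ 'openssl', 'pkeyutl', '-verify', '-certin', '-in',
                  srctop_file('test', 'certs', 'server-ed25519-cert.pem'),
                  '-inkey', srctop_file('test', 'certs', 'server-ed25519-cert.pem'),
                  '-sigfile', 'Ed25519.sig', '-rawin']))),
                  "Verify an Ed25519 signature against a piece of data");

    # Ed448
    ok(run(app(([ 'openssl', 'pkeyutl', '-sign', '-in',
                  srctop_file('test', 'certs', 'server-ed448-cert.pem'),
                  '-inkey', srctop_file('test', 'certs', 'server-ed448-key.pem'),
                  '-out', 'Ed448.sig', '-rawin']))),
                  "Sign a piece of data using Ed448");
    ok(run(app(([ 'openssl', 'pkeyutl', '-verify', '-certin', '-in',
                  srctop_file('test', 'certs', 'server-ed448-cert.pem'),
                  '-inkey', srctop_file('test', 'certs', 'server-ed448-cert.pem'),
                  '-sigfile', 'Ed448.sig', '-rawin']))),
                  "Verify an Ed448 signature against a piece of data");
}

# tsignverify($testtext, $privkey, $pubkey, @extraopts)
#
# Runs five pkeyutl checks for one key pair and declares its own plan of 5,
# so it has to be called from inside a subtest:
#   1. sign test/data.bin with $privkey,
#   2. signing must fail when -keyform DER is forced on the same key file,
#   3. verify the signature using $privkey,
#   4. verify the signature using $pubkey (-pubin, -keyform PEM),
#   5. verification must fail against test/data2.bin.
#
# $testtext   prefix for every test description
# $privkey    path of the private key file
# $pubkey     path of the matching public key file
# @extraopts  options appended to every pkeyutl invocation
sub tsignverify {
    my $testtext = shift;
    my $privkey = shift;
    my $pubkey = shift;
    my @extraopts = @_;

    my $data_to_sign = srctop_file('test', 'data.bin');
    my $other_data = srctop_file('test', 'data2.bin');
    # Signature file is named after the private key and is a relative path.
    my $sigfile = basename($privkey, '.pem') . '.sig';

    my @args = ();
    plan tests => 5;

    @args = ('openssl', 'pkeyutl', '-sign',
             '-inkey', $privkey,
             '-out', $sigfile,
             '-in', $data_to_sign);
    push(@args, @extraopts);
    ok(run(app([@args])),
       $testtext.": Generating signature");

    # NOTE(review): this negative case targets the same $sigfile as the
    # signature generated above, and the verify steps below reuse that file.
    # They presumably rely on the failing run leaving it untouched; confirm.
    @args = ('openssl', 'pkeyutl', '-sign',
             '-inkey', $privkey,
             '-keyform', 'DER',
             '-out', $sigfile,
             '-in', $data_to_sign);
    push(@args, @extraopts);
    ok(!run(app([@args])),
       $testtext.": Checking that mismatching keyform fails");

    @args = ('openssl', 'pkeyutl', '-verify',
             '-inkey', $privkey,
             '-sigfile', $sigfile,
             '-in', $data_to_sign);
    push(@args, @extraopts);
    ok(run(app([@args])),
       $testtext.": Verify signature with private key");

    @args = ('openssl', 'pkeyutl', '-verify',
             '-keyform', 'PEM',
             '-inkey', $pubkey, '-pubin',
             '-sigfile', $sigfile,
             '-in', $data_to_sign);
    push(@args, @extraopts);
    ok(run(app([@args])),
       $testtext.": Verify signature with public key");

    # NOTE(review): the assertion only requires that the command does not
    # succeed, so any failure (for example an unreadable input file) also
    # satisfies it, not just a rejected signature.
    @args = ('openssl', 'pkeyutl', '-verify',
             '-inkey', $pubkey, '-pubin',
             '-sigfile', $sigfile,
             '-in', $other_data);
    push(@args, @extraopts);
    ok(!run(app([@args])),
       $testtext.": Expect failure verifying mismatching data");
}

SKIP: {
    # This block holds two subtests, so two tests must be skipped to keep
    # the overall plan of 12 consistent when RSA is disabled.
    skip "RSA is not supported by this OpenSSL build", 2
        if disabled("rsa");

    subtest "RSA CLI signature generation and verification" => sub {
        tsignverify("RSA",
                    srctop_file("test","testrsa.pem"),
                    srctop_file("test","testrsapub.pem"),
                    "-rawin", "-digest", "sha256");
    };

    subtest "RSA CLI signature and verification with pkeyopt" => sub {
        tsignverify("RSA",
                    srctop_file("test","testrsa.pem"),
                    srctop_file("test","testrsapub.pem"),
                    "-rawin", "-digest", "sha256",
                    "-pkeyopt", "rsa_padding_mode:pss");
    };
}

SKIP: {
    skip "DSA is not supported by this OpenSSL build", 1
        if disabled("dsa");

    subtest "DSA CLI signature generation and verification" => sub {
        tsignverify("DSA",
                    srctop_file("test","testdsa.pem"),
                    srctop_file("test","testdsapub.pem"),
                    "-rawin", "-digest", "sha256");
    };
}

SKIP: {
    skip "ECDSA is not supported by this OpenSSL build", 1
        if disabled("ec");

    subtest "ECDSA CLI signature generation and verification" => sub {
        tsignverify("ECDSA",
                    srctop_file("test","testec-p256.pem"),
                    srctop_file("test","testecpub-p256.pem"),
                    "-rawin", "-digest", "sha256");
    };
}

SKIP: {
    skip "EdDSA is not supported by this OpenSSL build", 2
        if disabled("ec");

    # No -digest option is passed for the EdDSA keys, only -rawin.
    subtest "Ed25519 CLI signature generation and verification" => sub {
        tsignverify("Ed25519",
                    srctop_file("test","tested25519.pem"),
                    srctop_file("test","tested25519pub.pem"),
                    "-rawin");
    };

    subtest "Ed448 CLI signature generation and verification" => sub {
        tsignverify("Ed448",
                    srctop_file("test","tested448.pem"),
                    srctop_file("test","tested448pub.pem"),
                    "-rawin");
    };
}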