Add ECDSA certificate test in appstest.sh

Enabled by -e option, and default to disabled (RSA certificate is used)
author: inoguchi <> 2020-05-15 13:45:36 +0000
committer: inoguchi <> 2020-05-15 13:45:36 +0000
commit: 8d23794cdbf0058b490db9d1ba80902c84ca9312 (patch)
tree: 82d60b66a2c5866793d278dc12f2309b3bf8ba6c /src
parent: 6329d2977bd69549421d0dcc87b6706edf1dd095 (diff)
download: openbsd-8d23794cdbf0058b490db9d1ba80902c84ca9312.tar.gz
openbsd-8d23794cdbf0058b490db9d1ba80902c84ca9312.tar.bz2
openbsd-8d23794cdbf0058b490db9d1ba80902c84ca9312.zip
1 files changed, 71 insertions, 8 deletions
diff --git a/src/regress/usr.bin/openssl/appstest.sh b/src/regress/usr.bin/openssl/appstest.sh
index ed7332c4b3..94a7755f3a 100755
--- a/src/regress/usr.bin/openssl/appstest.sh
+++ b/src/regress/usr.bin/openssl/appstest.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $OpenBSD: appstest.sh,v 1.34 2020/05/14 14:09:11 inoguchi Exp $
+# $OpenBSD: appstest.sh,v 1.35 2020/05/15 13:45:36 inoguchi Exp $
 #
 # Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org>
 #
@@ -733,6 +733,37 @@ revoke.test_dummy.com
 __EOF__
        check_exit_status $?
+        ecdsa_key=$server_dir/ecdsa_key.pem
+        ecdsa_csr=$server_dir/ecdsa_csr.pem
+        ecdsa_pass=test-ecdsa-pass
+        if [ $mingw = 0 ] ; then
+                subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=ecdsa.test_dummy.com/'
+        else
+                subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=ecdsa.test_dummy.com\'
+        fi
+        
+        start_message "ecparam ... generate server key#3"
+        $openssl_bin ecparam -name prime256v1 -genkey -out $ecdsa_key
+        check_exit_status $?
+        start_message "req ... generate server csr#3"
+        $openssl_bin req -new -subj $subj -sha256 \
+                -key $ecdsa_key -keyform pem -passin pass:$ecdsa_pass \
+                -addext 'subjectAltName = DNS:localhost.test_dummy.com' \
+                -out $ecdsa_csr -outform pem
+        check_exit_status $?
+        
+        start_message "req ... verify server csr#3"
+        $openssl_bin req -verify -in $ecdsa_csr -inform pem \
+                -newhdr -noout -pubkey -subject -modulus -text \
+                -nameopt multiline -reqopt compatible \
+                -out $ecdsa_csr.verify.out
+        check_exit_status $?
        #---------#---------#---------#---------#---------#---------#---------
        
        # --- CA operations (issue cert for server) ---
@@ -754,6 +785,13 @@ __EOF__
                -passin pass:$ca_pass -CAcreateserial -out $revoke_cert
        check_exit_status $?
        
+        start_message "ca ... issue cert for server csr#3"
+        
+        ecdsa_cert=$server_dir/ecdsa_cert.pem
+        $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
+                -in $ecdsa_csr -out $ecdsa_cert
+        check_exit_status $?
+        
        #---------#---------#---------#---------#---------#---------#---------
        
        # --- CA operations (revoke cert and generate crl) ---
@@ -1328,6 +1366,18 @@ function test_server_client {
        sess_dat=$user1_dir/s_client_${sc}_sess.dat
        s_server_out=$server_dir/s_server_${sc}_tls.out
+        if [ $ecdsa_tests = 0 ] ; then
+                echo "Using RSA certificate"
+                crt=$server_cert
+                key=$server_key
+                pwd=$server_pass
+        else
+                echo "Using ECDSA certificate"
+                crt=$ecdsa_cert
+                key=$ecdsa_key
+                pwd=$ecdsa_pass
+        fi
        $s_bin version | grep 'OpenSSL 1.1.1' > /dev/null
        if [ $? -eq 0 ] ; then
                extra_opts="-4"
@@ -1337,7 +1387,7 @@ function test_server_client {
        
        start_message "s_server ... start TLS/SSL test server"
        $s_bin s_server -accept $port -CAfile $ca_cert \
-                -cert $server_cert -key $server_key -pass pass:$server_pass \
+                -cert $crt -key $key -pass pass:$pwd \
                -context "appstest.sh" -id_prefix "APPSTEST.SH" -crl_check \
                -alpn "http/1.1,spdy/3" -www -cipher ALL $extra_opts \
                -msg -tlsextdebug > $s_server_out 2>&1 &
@@ -1355,18 +1405,26 @@ function test_server_client {
        # all available ciphers with random order
        
        s_ciph=$server_dir/s_ciph_${sc}
+        cipher_string=""
        if [ $s_id = "0" ] ; then
-                $s_bin ciphers -v ALL:!ECDSA:!kGOST:!TLSv1.3 | awk '{print $1}' > $s_ciph
+                if [ $ecdsa_tests = 0 ] ; then
-        else
+                        cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3"
-                $s_bin ciphers -v | awk '{print $1}' > $s_ciph
+                else
+                        cipher_string="ECDSA+TLSv1.2:!TLSv1.3"
+                fi
        fi
+        $s_bin ciphers -v $cipher_string | awk '{print $1}' > $s_ciph
        c_ciph=$user1_dir/c_ciph_${sc}
+        cipher_string=""
        if [ $c_id = "0" ] ; then
-                $c_bin ciphers -v ALL:!ECDSA:!kGOST:!TLSv1.3 | awk '{print $1}' > $c_ciph
+                if [ $ecdsa_tests = 0 ] ; then
-        else
+                        cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3"
-                $c_bin ciphers -v | awk '{print $1}' > $c_ciph
+                else
+                        cipher_string="ECDSA+TLSv1.2:!TLSv1.3"
+                fi
        fi
+        $c_bin ciphers -v $cipher_string | awk '{print $1}' > $c_ciph
        ciphers=$user1_dir/ciphers_${sc}
        grep -x -f $s_ciph $c_ciph | sort -R > $ciphers
@@ -1483,11 +1541,16 @@ function test_version {
 openssl_bin=${OPENSSL:-/usr/bin/openssl}
 other_openssl_bin=${OTHER_OPENSSL:-/usr/local/bin/eopenssl11}
+ecdsa_tests=0
 interop_tests=0
 no_long_tests=0
 while [ "$1" != "" ]; do
        case $1 in
+                -e | --ecdsa)
+                                        shift
+                                        ecdsa_tests=1
+                                        ;;
                -i | --interop)         shift
                                        interop_tests=1
                                        ;;
author	inoguchi <>	2020-05-15 13:45:36 +0000
committer	inoguchi <>	2020-05-15 13:45:36 +0000
commit	8d23794cdbf0058b490db9d1ba80902c84ca9312 (patch)
tree	82d60b66a2c5866793d278dc12f2309b3bf8ba6c /src
parent	6329d2977bd69549421d0dcc87b6706edf1dd095 (diff)
download	openbsd-8d23794cdbf0058b490db9d1ba80902c84ca9312.tar.gz openbsd-8d23794cdbf0058b490db9d1ba80902c84ca9312.tar.bz2 openbsd-8d23794cdbf0058b490db9d1ba80902c84ca9312.zip

diff --git a/src/regress/usr.bin/openssl/appstest.sh b/src/regress/usr.bin/openssl/appstest.sh index ed7332c4b3..94a7755f3a 100755 --- a/src/regress/usr.bin/openssl/appstest.sh +++ b/src/regress/usr.bin/openssl/appstest.sh
@@ -1,6 +1,6 @@
1	#!/bin/sh	1	#!/bin/sh
2	#	2	#
3	# $OpenBSD: appstest.sh,v 1.34 2020/05/14 14:09:11 inoguchi Exp $	3	# $OpenBSD: appstest.sh,v 1.35 2020/05/15 13:45:36 inoguchi Exp $
4	#	4	#
5	# Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org>	5	# Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org>
6	#	6	#
@@ -733,6 +733,37 @@ revoke.test_dummy.com
733	__EOF__	733	__EOF__
734	check_exit_status $?	734	check_exit_status $?
735		735
		736	ecdsa_key=$server_dir/ecdsa_key.pem
		737	ecdsa_csr=$server_dir/ecdsa_csr.pem
		738	ecdsa_pass=test-ecdsa-pass
		739
		740	if [ $mingw = 0 ] ; then
		741	subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=ecdsa.test_dummy.com/'
		742	else
		743	subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=ecdsa.test_dummy.com\'
		744	fi
		745
		746	start_message "ecparam ... generate server key#3"
		747
		748	$openssl_bin ecparam -name prime256v1 -genkey -out $ecdsa_key
		749	check_exit_status $?
		750
		751	start_message "req ... generate server csr#3"
		752
		753	$openssl_bin req -new -subj $subj -sha256 \
		754	-key $ecdsa_key -keyform pem -passin pass:$ecdsa_pass \
		755	-addext 'subjectAltName = DNS:localhost.test_dummy.com' \
		756	-out $ecdsa_csr -outform pem
		757	check_exit_status $?
		758
		759	start_message "req ... verify server csr#3"
		760
		761	$openssl_bin req -verify -in $ecdsa_csr -inform pem \
		762	-newhdr -noout -pubkey -subject -modulus -text \
		763	-nameopt multiline -reqopt compatible \
		764	-out $ecdsa_csr.verify.out
		765	check_exit_status $?
		766
736	#---------#---------#---------#---------#---------#---------#---------	767	#---------#---------#---------#---------#---------#---------#---------
737		768
738	# --- CA operations (issue cert for server) ---	769	# --- CA operations (issue cert for server) ---
@@ -754,6 +785,13 @@ __EOF__
754	-passin pass:$ca_pass -CAcreateserial -out $revoke_cert	785	-passin pass:$ca_pass -CAcreateserial -out $revoke_cert
755	check_exit_status $?	786	check_exit_status $?
756		787
		788	start_message "ca ... issue cert for server csr#3"
		789
		790	ecdsa_cert=$server_dir/ecdsa_cert.pem
		791	$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
		792	-in $ecdsa_csr -out $ecdsa_cert
		793	check_exit_status $?
		794
757	#---------#---------#---------#---------#---------#---------#---------	795	#---------#---------#---------#---------#---------#---------#---------
758		796
759	# --- CA operations (revoke cert and generate crl) ---	797	# --- CA operations (revoke cert and generate crl) ---
@@ -1328,6 +1366,18 @@ function test_server_client {
1328	sess_dat=$user1_dir/s_client_${sc}_sess.dat	1366	sess_dat=$user1_dir/s_client_${sc}_sess.dat
1329	s_server_out=$server_dir/s_server_${sc}_tls.out	1367	s_server_out=$server_dir/s_server_${sc}_tls.out
1330		1368
		1369	if [ $ecdsa_tests = 0 ] ; then
		1370	echo "Using RSA certificate"
		1371	crt=$server_cert
		1372	key=$server_key
		1373	pwd=$server_pass
		1374	else
		1375	echo "Using ECDSA certificate"
		1376	crt=$ecdsa_cert
		1377	key=$ecdsa_key
		1378	pwd=$ecdsa_pass
		1379	fi
		1380
1331	$s_bin version \| grep 'OpenSSL 1.1.1' > /dev/null	1381	$s_bin version \| grep 'OpenSSL 1.1.1' > /dev/null
1332	if [ $? -eq 0 ] ; then	1382	if [ $? -eq 0 ] ; then
1333	extra_opts="-4"	1383	extra_opts="-4"
@@ -1337,7 +1387,7 @@ function test_server_client {
1337		1387
1338	start_message "s_server ... start TLS/SSL test server"	1388	start_message "s_server ... start TLS/SSL test server"
1339	$s_bin s_server -accept $port -CAfile $ca_cert \	1389	$s_bin s_server -accept $port -CAfile $ca_cert \
1340	-cert $server_cert -key $server_key -pass pass:$server_pass \	1390	-cert $crt -key $key -pass pass:$pwd \
1341	-context "appstest.sh" -id_prefix "APPSTEST.SH" -crl_check \	1391	-context "appstest.sh" -id_prefix "APPSTEST.SH" -crl_check \
1342	-alpn "http/1.1,spdy/3" -www -cipher ALL $extra_opts \	1392	-alpn "http/1.1,spdy/3" -www -cipher ALL $extra_opts \
1343	-msg -tlsextdebug > $s_server_out 2>&1 &	1393	-msg -tlsextdebug > $s_server_out 2>&1 &
@@ -1355,18 +1405,26 @@ function test_server_client {
1355	# all available ciphers with random order	1405	# all available ciphers with random order
1356		1406
1357	s_ciph=$server_dir/s_ciph_${sc}	1407	s_ciph=$server_dir/s_ciph_${sc}
		1408	cipher_string=""
1358	if [ $s_id = "0" ] ; then	1409	if [ $s_id = "0" ] ; then
1359	$s_bin ciphers -v ALL:!ECDSA:!kGOST:!TLSv1.3 \| awk '{print $1}' > $s_ciph	1410	if [ $ecdsa_tests = 0 ] ; then
1360	else	1411	cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3"
1361	$s_bin ciphers -v \| awk '{print $1}' > $s_ciph	1412	else
		1413	cipher_string="ECDSA+TLSv1.2:!TLSv1.3"
		1414	fi
1362	fi	1415	fi
		1416	$s_bin ciphers -v $cipher_string \| awk '{print $1}' > $s_ciph
1363		1417
1364	c_ciph=$user1_dir/c_ciph_${sc}	1418	c_ciph=$user1_dir/c_ciph_${sc}
		1419	cipher_string=""
1365	if [ $c_id = "0" ] ; then	1420	if [ $c_id = "0" ] ; then
1366	$c_bin ciphers -v ALL:!ECDSA:!kGOST:!TLSv1.3 \| awk '{print $1}' > $c_ciph	1421	if [ $ecdsa_tests = 0 ] ; then
1367	else	1422	cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3"
1368	$c_bin ciphers -v \| awk '{print $1}' > $c_ciph	1423	else
		1424	cipher_string="ECDSA+TLSv1.2:!TLSv1.3"
		1425	fi
1369	fi	1426	fi
		1427	$c_bin ciphers -v $cipher_string \| awk '{print $1}' > $c_ciph
1370		1428
1371	ciphers=$user1_dir/ciphers_${sc}	1429	ciphers=$user1_dir/ciphers_${sc}
1372	grep -x -f $s_ciph $c_ciph \| sort -R > $ciphers	1430	grep -x -f $s_ciph $c_ciph \| sort -R > $ciphers
@@ -1483,11 +1541,16 @@ function test_version {
1483	openssl_bin=${OPENSSL:-/usr/bin/openssl}	1541	openssl_bin=${OPENSSL:-/usr/bin/openssl}
1484	other_openssl_bin=${OTHER_OPENSSL:-/usr/local/bin/eopenssl11}	1542	other_openssl_bin=${OTHER_OPENSSL:-/usr/local/bin/eopenssl11}
1485		1543
		1544	ecdsa_tests=0
1486	interop_tests=0	1545	interop_tests=0
1487	no_long_tests=0	1546	no_long_tests=0
1488		1547
1489	while [ "$1" != "" ]; do	1548	while [ "$1" != "" ]; do
1490	case $1 in	1549	case $1 in
		1550	-e \| --ecdsa)
		1551	shift
		1552	ecdsa_tests=1
		1553	;;
1491	-i \| --interop) shift	1554	-i \| --interop) shift
1492	interop_tests=1	1555	interop_tests=1
1493	;;	1556	;;