From a95585a25ab25668b931a78b7543f707a3354db8 Mon Sep 17 00:00:00 2001
From: djm <>
Date: Fri, 29 Apr 2005 05:37:34 +0000
Subject: import of openssl-0.9.7g; tested on platforms from alpha to zaurus, ok deraadt@

---
src/lib/libssl/test/CAss.cnf | 8 ++++
src/lib/libssl/test/P1ss.cnf | 37 +++++++++++++++++
src/lib/libssl/test/P2ss.cnf | 45 +++++++++++++++++++++
src/lib/libssl/test/Uss.cnf | 8 ++++
src/lib/libssl/test/bctest | 2 +-
src/lib/libssl/test/tcrl | 2 +-
src/lib/libssl/test/testca | 3 ++
src/lib/libssl/test/testenc | 20 +++++-----
src/lib/libssl/test/testgen | 6 +--
src/lib/libssl/test/testss | 86 +++++++++++++++++++++++++++++++++++-----
src/lib/libssl/test/testssl | 14 +++----
src/lib/libssl/test/testsslproxy | 10 +++++
src/lib/libssl/test/tpkcs7 | 2 +-
src/lib/libssl/test/tpkcs7d | 2 +-
src/lib/libssl/test/treq | 2 +-
src/lib/libssl/test/trsa | 4 +-
src/lib/libssl/test/tsid | 2 +-
src/lib/libssl/test/tx509 | 2 +-
18 files changed, 215 insertions(+), 40 deletions(-)
create mode 100644 src/lib/libssl/test/P1ss.cnf
create mode 100644 src/lib/libssl/test/P2ss.cnf
create mode 100644 src/lib/libssl/test/testsslproxy
(limited to 'src/lib/libssl/test')

diff --git a/src/lib/libssl/test/CAss.cnf b/src/lib/libssl/test/CAss.cnf
index b941b7ae15..21da59a73a 100644
--- a/src/lib/libssl/test/CAss.cnf
+++ b/src/lib/libssl/test/CAss.cnf
@@ -23,3 +23,11 @@ organizationName_value = Dodgy Brothers
 commonName = Common Name (eg, YOUR name)
 commonName_value = Dodgy CA
 
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:true,pathlen:1
+keyUsage = cRLSign, keyCertSign
+issuerAltName=issuer:copy
+
diff --git a/src/lib/libssl/test/P1ss.cnf b/src/lib/libssl/test/P1ss.cnf
new file mode 100644
index 0000000000..876a0d35f8
--- /dev/null
+++ b/src/lib/libssl/test/P1ss.cnf
@@ -0,0 +1,37 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ req ]
+default_bits = 512
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+default_md = md2
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_value = AU
+
+organizationName = Organization Name (eg, company)
+organizationName_value = Dodgy Brothers
+
+0.commonName = Common Name (eg, YOUR name)
+0.commonName_value = Brother 1
+
+1.commonName = Common Name (eg, YOUR name)
+1.commonName_value = Brother 2
+
+2.commonName = Common Name (eg, YOUR name)
+2.commonName_value = Proxy 1
+
+[ v3_proxy ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
diff --git a/src/lib/libssl/test/P2ss.cnf b/src/lib/libssl/test/P2ss.cnf
new file mode 100644
index 0000000000..373a87e7c2
--- /dev/null
+++ b/src/lib/libssl/test/P2ss.cnf
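Review bot: The new `[ req ]` section pins `default_md = md2`, so the self-signature on the proxy requests is MD2 even though this same commit moves testss's x509 signing digest from md5 to sha1 (`digest='-sha1'`); `default_md = sha1` would keep the test consistent and stop it depending on MD2 being compiled into the build. P2ss.cnf in the next hunk carries the identical line. The `[ req ]` sections of the existing CAss.cnf and Uss.cnf are outside the hunks, so whether they share this setting is not visible here.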
@@ -0,0 +1,45 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ req ]
+default_bits = 512
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+default_md = md2
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_value = AU
+
+organizationName = Organization Name (eg, company)
+organizationName_value = Dodgy Brothers
+
+0.commonName = Common Name (eg, YOUR name)
+0.commonName_value = Brother 1
+
+1.commonName = Common Name (eg, YOUR name)
+1.commonName_value = Brother 2
+
+2.commonName = Common Name (eg, YOUR name)
+2.commonName_value = Proxy 1
+
+3.commonName = Common Name (eg, YOUR name)
+3.commonName_value = Proxy 2
+
+[ v3_proxy ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+proxyCertInfo=critical,@proxy_ext
+
+[ proxy_ext ]
+language=id-ppl-anyLanguage
+pathlen=0
+policy=text:BC
diff --git a/src/lib/libssl/test/Uss.cnf b/src/lib/libssl/test/Uss.cnf
index c89692d519..0c0ebb5f67 100644
--- a/src/lib/libssl/test/Uss.cnf
+++ b/src/lib/libssl/test/Uss.cnf
@@ -26,3 +26,11 @@ organizationName_value = Dodgy Brothers
 1.commonName = Common Name (eg, YOUR name)
 1.commonName_value = Brother 2
 
+
+[ v3_ee ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+basicConstraints = CA:false
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+issuerAltName=issuer:copy
+
diff --git a/src/lib/libssl/test/bctest b/src/lib/libssl/test/bctest
index bdb3218f7a..e81fc0733a 100644
--- a/src/lib/libssl/test/bctest
+++ b/src/lib/libssl/test/bctest
@@ -1,6 +1,6 @@ #!/bin/sh -# This script is used by test/Makefile.ssl to check whether a sane 'bc' +# This script is used by test/Makefile to check whether a sane 'bc' # is installed. # ('make test_bn' should not try to run 'bc' if it does not exist or if # it is a broken 'bc' version that is known to cause trouble.) diff --git a/src/lib/libssl/test/tcrl b/src/lib/libssl/test/tcrl index f71ef7a863..3ffed12a03 100644 --- a/src/lib/libssl/test/tcrl +++ b/src/lib/libssl/test/tcrl @@ -7,7 +7,7 @@ else fi export PATH -cmd='../apps/openssl crl' +cmd='../util/shlib_wrap.sh ../apps/openssl crl' if [ "$1"x != "x" ]; then t=$1 diff --git a/src/lib/libssl/test/testca b/src/lib/libssl/test/testca index 8215ebb5d1..5b2faa78f1 100644 --- a/src/lib/libssl/test/testca +++ b/src/lib/libssl/test/testca @@ -11,6 +11,9 @@ export SH PATH SSLEAY_CONFIG="-config CAss.cnf" export SSLEAY_CONFIG +OPENSSL="`pwd`/../util/shlib_wrap.sh openssl" +export OPENSSL + /bin/rm -fr demoCA $SH ../apps/CA.sh -newca <$test; echo cat -$cmd enc < $test > $test.cipher -$cmd enc < $test.cipher >$test.clear +$cmd enc -non-fips-allow < $test > $test.cipher +$cmd enc -non-fips-allow < $test.cipher >$test.clear cmp $test $test.clear if [ $? != 0 ] then @@ -17,8 +17,8 @@ else /bin/rm $test.cipher $test.clear fi echo base64 -$cmd enc -a -e < $test > $test.cipher -$cmd enc -a -d < $test.cipher >$test.clear +$cmd enc -non-fips-allow -a -e < $test > $test.cipher +$cmd enc -non-fips-allow -a -d < $test.cipher >$test.clear cmp $test $test.clear if [ $? != 0 ] then @@ -30,8 +30,8 @@ fi for i in `$cmd list-cipher-commands` do echo $i - $cmd $i -bufsize 113 -e -k test < $test > $test.$i.cipher - $cmd $i -bufsize 157 -d -k test < $test.$i.cipher >$test.$i.clear + $cmd $i -non-fips-allow -bufsize 113 -e -k test < $test > $test.$i.cipher + $cmd $i -non-fips-allow -bufsize 157 -d -k test < $test.$i.cipher >$test.$i.clear cmp $test $test.$i.clear if [ $? != 0 ] then 
@@ -41,8 +41,8 @@ do fi echo $i base64 - $cmd $i -bufsize 113 -a -e -k test < $test > $test.$i.cipher - $cmd $i -bufsize 157 -a -d -k test < $test.$i.cipher >$test.$i.clear + $cmd $i -non-fips-allow -bufsize 113 -a -e -k test < $test > $test.$i.cipher + $cmd $i -non-fips-allow -bufsize 157 -a -d -k test < $test.$i.cipher >$test.$i.clear cmp $test $test.$i.clear if [ $? != 0 ] then diff --git a/src/lib/libssl/test/testgen b/src/lib/libssl/test/testgen index 3798543e04..524c0d134c 100644 --- a/src/lib/libssl/test/testgen +++ b/src/lib/libssl/test/testgen @@ -17,7 +17,7 @@ echo "generating certificate request" echo "string to make the random number generator think it has entropy" >> ./.rnd -if ../apps/openssl no-rsa; then +if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then req_new='-newkey dsa:../apps/dsa512.pem' else req_new='-new' @@ -29,13 +29,13 @@ echo "This could take some time." rm -f testkey.pem testreq.pem -../apps/openssl req -config test.cnf $req_new -out testreq.pem +../util/shlib_wrap.sh ../apps/openssl req -config test.cnf $req_new -out testreq.pem if [ $? != 0 ]; then echo problems creating request exit 1 fi -../apps/openssl req -config test.cnf -verify -in testreq.pem -noout +../util/shlib_wrap.sh ../apps/openssl req -config test.cnf -verify -in testreq.pem -noout if [ $? != 0 ]; then echo signature on req is wrong exit 1 diff --git a/src/lib/libssl/test/testss b/src/lib/libssl/test/testss index 8d3557f356..1a426857d3 100644 --- a/src/lib/libssl/test/testss +++ b/src/lib/libssl/test/testss @@ -1,9 +1,9 @@ #!/bin/sh -digest='-md5' -reqcmd="../apps/openssl req" -x509cmd="../apps/openssl x509 $digest" -verifycmd="../apps/openssl verify" +digest='-sha1' +reqcmd="../util/shlib_wrap.sh ../apps/openssl req" +x509cmd="../util/shlib_wrap.sh ../apps/openssl x509 $digest" +verifycmd="../util/shlib_wrap.sh ../apps/openssl verify" dummycnf="../apps/openssl.cnf" CAkey="keyCA.ss" 
@@ -17,12 +17,24 @@ Ukey="keyU.ss" Ureq="reqU.ss" Ucert="certU.ss" +P1conf="P1ss.cnf" +P1key="keyP1.ss" +P1req="reqP1.ss" +P1cert="certP1.ss" +P1intermediate="tmp_intP1.ss" + +P2conf="P2ss.cnf" +P2key="keyP2.ss" +P2req="reqP2.ss" +P2cert="certP2.ss" +P2intermediate="tmp_intP2.ss" + echo echo "make a certificate request using 'req'" echo "string to make the random number generator think it has entropy" >> ./.rnd -if ../apps/openssl no-rsa; then +if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then req_new='-newkey dsa:../apps/dsa512.pem' else req_new='-new' @@ -35,7 +47,7 @@ if [ $? != 0 ]; then fi echo echo "convert the certificate request into a self signed certificate using 'x509'" -$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey >err.ss +$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey -extfile $CAconf -extensions v3_ca >err.ss if [ $? != 0 ]; then echo "error using 'x509' to self sign a certificate request" exit 1 @@ -68,18 +80,18 @@ if [ $? != 0 ]; then fi echo -echo "make another certificate request using 'req'" +echo "make a user certificate request using 'req'" $reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new >err.ss if [ $? != 0 ]; then - echo "error using 'req' to generate a certificate request" + echo "error using 'req' to generate a user certificate request" exit 1 fi echo -echo "sign certificate request with the just created CA via 'x509'" -$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey >err.ss +echo "sign user certificate request with the just created CA via 'x509'" +$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -extfile $Uconf -extensions v3_ee >err.ss if [ $? != 0 ]; then - echo "error using 'x509' to sign a certificate request" + echo "error using 'x509' to sign a user certificate request" exit 1 fi 
@@ -88,6 +100,50 @@ echo echo "Certificate details" $x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert +echo +echo "make a proxy certificate request using 'req'" +$reqcmd -config $P1conf -out $P1req -keyout $P1key $req_new >err.ss +if [ $? != 0 ]; then + echo "error using 'req' to generate a proxy certificate request" + exit 1 +fi + +echo +echo "sign proxy certificate request with the just created user certificate via 'x509'" +$x509cmd -CAcreateserial -in $P1req -days 30 -req -out $P1cert -CA $Ucert -CAkey $Ukey -extfile $P1conf -extensions v3_proxy >err.ss +if [ $? != 0 ]; then + echo "error using 'x509' to sign a proxy certificate request" + exit 1 +fi + +cat $Ucert > $P1intermediate +$verifycmd -CAfile $CAcert -untrusted $P1intermediate $P1cert +echo +echo "Certificate details" +$x509cmd -subject -issuer -startdate -enddate -noout -in $P1cert + +echo +echo "make another proxy certificate request using 'req'" +$reqcmd -config $P2conf -out $P2req -keyout $P2key $req_new >err.ss +if [ $? != 0 ]; then + echo "error using 'req' to generate another proxy certificate request" + exit 1 +fi + +echo +echo "sign second proxy certificate request with the first proxy certificate via 'x509'" +$x509cmd -CAcreateserial -in $P2req -days 30 -req -out $P2cert -CA $P1cert -CAkey $P1key -extfile $P2conf -extensions v3_proxy >err.ss +if [ $? != 0 ]; then + echo "error using 'x509' to sign a second proxy certificate request" + exit 1 +fi + +cat $Ucert $P1cert > $P2intermediate +$verifycmd -CAfile $CAcert -untrusted $P2intermediate $P2cert +echo +echo "Certificate details" +$x509cmd -subject -issuer -startdate -enddate -noout -in $P2cert + echo echo The generated CA certificate is $CAcert echo The generated CA private key is $CAkey 
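Review bot: Neither `$verifycmd -CAfile $CAcert -untrusted $P1intermediate $P1cert` nor the matching `$verifycmd -CAfile $CAcert -untrusted $P2intermediate $P2cert` checks its exit status, so a proxy chain that fails verification is only printed and the script still reaches `exit 0`, whereas every `req` and `x509` step around them tests `$?` and exits 1. Appending `|| exit 1` to both verify lines (or using the same `if [ $? != 0 ]` pattern) would make this test actually fail on a broken chain. Whether `verify` in this version accepts a proxy certificate issued under an end-entity certificate without an extra option is not visible from the hunk, which is one more reason to check the result rather than rely on the printed output; the pre-existing user-certificate verify above the hunk may share the pattern, but it is outside this hunk.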
@@ -95,5 +151,13 @@ echo The generated CA private key is $CAkey echo The generated user certificate is $Ucert echo The generated user private key is $Ukey +echo The first generated proxy certificate is $P1cert +echo The first generated proxy private key is $P1key + +echo The second generated proxy certificate is $P2cert +echo The second generated proxy private key is $P2key + /bin/rm err.ss +#/bin/rm $P1intermediate +#/bin/rm $P2intermediate exit 0 diff --git a/src/lib/libssl/test/testssl b/src/lib/libssl/test/testssl index ca8e718022..8ac90ae5ee 100644 --- a/src/lib/libssl/test/testssl +++ b/src/lib/libssl/test/testssl @@ -10,9 +10,9 @@ if [ "$2" = "" ]; then else cert="$2" fi -ssltest="./ssltest -key $key -cert $cert -c_key $key -c_cert $cert" +ssltest="../util/shlib_wrap.sh ./ssltest -key $key -cert $cert -c_key $key -c_cert $cert" -if ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then +if ../util/shlib_wrap.sh ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then dsa_cert=YES else dsa_cert=NO 
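Review bot: The two commented-out lines `#/bin/rm $P1intermediate` and `#/bin/rm $P2intermediate` leave tmp_intP1.ss and tmp_intP2.ss behind after every run while err.ss is removed on the line just above them. If the intermediate bundles are meant to be kept for inspection, a comment such as `# intermediate bundles are left in place for inspection` says so more clearly than dead code; otherwise uncomment them so the cleanup matches the other temporary file.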
@@ -121,24 +121,24 @@ $ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1 ############################################################################# -if ../apps/openssl no-dh; then +if ../util/shlib_wrap.sh ../apps/openssl no-dh; then echo skipping anonymous DH tests else echo test tls1 with 1024bit anonymous DH, multiple handshakes $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1 fi -if ../apps/openssl no-rsa; then +if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then echo skipping RSA tests else echo test tls1 with 1024bit RSA, no DHE, multiple handshakes - ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1 + ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1 - if ../apps/openssl no-dh; then + if ../util/shlib_wrap.sh ../apps/openssl no-dh; then echo skipping RSA+DHE tests else echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes - ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1 + ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1 fi fi diff --git a/src/lib/libssl/test/testsslproxy b/src/lib/libssl/test/testsslproxy new file mode 100644 index 0000000000..58bbda8ab7 --- /dev/null +++ b/src/lib/libssl/test/testsslproxy @@ -0,0 +1,10 @@ +#! /bin/sh + +echo 'Testing a lot of proxy conditions.' +echo 'Some of them may turn out being invalid, which is fine.' +for auth in A B C BC; do + for cond in A B C 'A|B&!C'; do + sh ./testssl $1 $2 $3 "-proxy -proxy_auth $auth -proxy_cond $cond" + if [ $? = 3 ]; then exit 1; fi + done +done diff --git a/src/lib/libssl/test/tpkcs7 b/src/lib/libssl/test/tpkcs7 index cf3bd9fadb..79bb6e0edf 100644 --- a/src/lib/libssl/test/tpkcs7 +++ b/src/lib/libssl/test/tpkcs7 
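Review bot: The loop in testsslproxy treats only exit status 3 from `sh ./testssl $1 $2 $3 "-proxy -proxy_auth $auth -proxy_cond $cond"` as fatal and silently accepts every other non-zero status, with nothing in the file saying what 3 means; a reader has to find that in ssltest, which is outside this diff. A comment on the check, e.g. `# status 3 = <meaning of ssltest exit code 3 - confirm in ssltest.c>; other failures are expected for the deliberately invalid conditions`, would document the contract the loop relies on. The quoted fourth argument presumably lands in testssl's `$extra`, which the testssl hunk above expands unquoted, so the condition strings must stay free of whitespace; noting that next to the `for cond` line would save the next person adding a condition a surprise.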
@@ -7,7 +7,7 @@ else fi export PATH -cmd='../apps/openssl pkcs7' +cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7' if [ "$1"x != "x" ]; then t=$1 diff --git a/src/lib/libssl/test/tpkcs7d b/src/lib/libssl/test/tpkcs7d index 18f9311b06..20394b34c4 100644 --- a/src/lib/libssl/test/tpkcs7d +++ b/src/lib/libssl/test/tpkcs7d @@ -7,7 +7,7 @@ else fi export PATH -cmd='../apps/openssl pkcs7' +cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7' if [ "$1"x != "x" ]; then t=$1 diff --git a/src/lib/libssl/test/treq b/src/lib/libssl/test/treq index 47a8273cde..7e020210a5 100644 --- a/src/lib/libssl/test/treq +++ b/src/lib/libssl/test/treq @@ -7,7 +7,7 @@ else fi export PATH -cmd='../apps/openssl req -config ../apps/openssl.cnf' +cmd='../util/shlib_wrap.sh ../apps/openssl req -config ../apps/openssl.cnf' if [ "$1"x != "x" ]; then t=$1 diff --git a/src/lib/libssl/test/trsa b/src/lib/libssl/test/trsa index 413e2ec0a0..67b4a98841 100644 --- a/src/lib/libssl/test/trsa +++ b/src/lib/libssl/test/trsa @@ -7,12 +7,12 @@ else fi export PATH -if ../apps/openssl no-rsa; then +if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then echo skipping rsa conversion test exit 0 fi -cmd='../apps/openssl rsa' +cmd='../util/shlib_wrap.sh ../apps/openssl rsa' if [ "$1"x != "x" ]; then t=$1 diff --git a/src/lib/libssl/test/tsid b/src/lib/libssl/test/tsid index 40a1dfa97c..fb4a7213b9 100644 --- a/src/lib/libssl/test/tsid +++ b/src/lib/libssl/test/tsid @@ -7,7 +7,7 @@ else fi export PATH -cmd='../apps/openssl sess_id' +cmd='../util/shlib_wrap.sh ../apps/openssl sess_id' if [ "$1"x != "x" ]; then t=$1 diff --git a/src/lib/libssl/test/tx509 b/src/lib/libssl/test/tx509 index d380963abc..1b9c8661f3 100644 --- a/src/lib/libssl/test/tx509 +++ b/src/lib/libssl/test/tx509 @@ -7,7 +7,7 @@ else fi export PATH -cmd='../apps/openssl x509' +cmd='../util/shlib_wrap.sh ../apps/openssl x509' if [ "$1"x != "x" ]; then t=$1 -- cgit v1.2.3-55-g6feb