From ff7d072c818bd71588f3c1a4b98b5f5abb1c8ca9 Mon Sep 17 00:00:00 2001 From: inoguchi <> Date: Sun, 17 May 2020 08:14:26 +0000 Subject: Add GOST certificate test in appstest.sh Enabled by -g option, and default to disabled (RSA certificate is used) --- src/regress/usr.bin/openssl/appstest.sh | 133 +++++++++++++++++++++++++------- 1 file changed, 107 insertions(+), 26 deletions(-) (limited to 'src') diff --git a/src/regress/usr.bin/openssl/appstest.sh b/src/regress/usr.bin/openssl/appstest.sh index 44b13438f7..dd32d058b4 100755 --- a/src/regress/usr.bin/openssl/appstest.sh +++ b/src/regress/usr.bin/openssl/appstest.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# $OpenBSD: appstest.sh,v 1.39 2020/05/17 04:43:16 inoguchi Exp $ +# $OpenBSD: appstest.sh,v 1.40 2020/05/17 08:14:26 inoguchi Exp $ # # Copyright (c) 2016 Kinichiro Inoguchi # @@ -58,7 +58,7 @@ function check_exit_status { } function usage { - echo "usage: appstest.sh [-iq]" + echo "usage: appstest.sh [-egiq]" } function test_usage_lists_others { @@ -691,6 +691,8 @@ __EOF__ # --- server-admin operations (generate server key and csr) --- section_message "server-admin operations (generate server key and csr)" + # RSA certificate + server_key=$server_dir/server_key.pem server_csr=$server_dir/server_csr.pem server_pass=test-server-pass @@ -724,6 +726,8 @@ __EOF__ start_message "req ... generate server csr#2 (interactive mode)" + # RSA certificate (for revoke test) + revoke_key=$server_dir/revoke_key.pem revoke_csr=$server_dir/revoke_csr.pem revoke_pass=test-revoke-pass @@ -737,6 +741,8 @@ revoke.test_dummy.com __EOF__ check_exit_status $? + # ECDSA certificate + ecdsa_key=$server_dir/ecdsa_key.pem ecdsa_csr=$server_dir/ecdsa_csr.pem ecdsa_pass=test-ecdsa-pass @@ -768,6 +774,40 @@ __EOF__ -out $ecdsa_csr.verify.out check_exit_status $? + # GOST certificate + + gost_key=$server_dir/gost_key.pem + gost_csr=$server_dir/gost_csr.pem + gost_pass=test-gost-pass + + if [ $mingw = 0 ] ; then + subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=gost.test_dummy.com/' + else + subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=gost.test_dummy.com\' + fi + + start_message "genpkey ... generate server key#4" + + $openssl_bin genpkey -algorithm GOST2001 -pkeyopt paramset:A \ + -pkeyopt dgst:streebog512 -out $gost_key + check_exit_status $? + + start_message "req ... generate server csr#4" + + $openssl_bin req -new -subj $subj -streebog512 \ + -key $gost_key -keyform pem -passin pass:$gost_pass \ + -addext 'subjectAltName = DNS:gost.test_dummy.com' \ + -out $gost_csr -outform pem + check_exit_status $? + + start_message "req ... verify server csr#4" + + $openssl_bin req -verify -in $gost_csr -inform pem \ + -newhdr -noout -pubkey -subject -modulus -text \ + -nameopt multiline -reqopt compatible \ + -out $gost_csr.verify.out + check_exit_status $? + #---------#---------#---------#---------#---------#---------#--------- # --- CA operations (issue cert for server) --- @@ -794,7 +834,14 @@ __EOF__ ecdsa_cert=$server_dir/ecdsa_cert.pem $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ - -in $ecdsa_csr -out $ecdsa_cert > $ecdsa_cert 2>&1 + -in $ecdsa_csr -out $ecdsa_cert > $ecdsa_cert.log 2>&1 + check_exit_status $? + + start_message "ca ... issue cert for server csr#4" + + gost_cert=$server_dir/gost_cert.pem + $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ + -in $gost_csr -out $gost_cert > $gost_cert.log 2>&1 check_exit_status $? #---------#---------#---------#---------#---------#---------#--------- @@ -1322,9 +1369,14 @@ function test_pkcs { } function test_sc_by_protocol_version { - cid=$1 + sc=$1 ver=$2 msg=$3 + cid=$4 + + if [ $gost_tests = 1 ] && [ $ver = "tls1_3" -o $sc != 00 ] ; then + return + fi s_client_out=$user1_dir/s_client_${sc}_${ver}.out @@ -1349,6 +1401,10 @@ function test_sc_all_cipher { sc=$1 ver=$2 + if [ $gost_tests = 1 ] && [ $ver = "tls1_3" -o $sc != 00 ] ; then + return + fi + copt=cipher ciphers=$user1_dir/ciphers_${sc}_${ver} @@ -1367,10 +1423,12 @@ function test_sc_all_cipher { s_ciph=$server_dir/s_ciph_${sc}_${ver} cipher_string="" if [ $s_id = "0" ] ; then - if [ $ecdsa_tests = 0 ] ; then - cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3" - else + if [ $ecdsa_tests = 1 ] ; then cipher_string="ECDSA+TLSv1.2:!TLSv1.3" + elif [ $gost_tests = 1 ] ; then + cipher_string="kGOST:!NULL:!TLSv1.3" + else + cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3" fi fi $s_bin ciphers -v $cipher_string | awk '{print $1}' > $s_ciph @@ -1378,10 +1436,12 @@ function test_sc_all_cipher { c_ciph=$user1_dir/c_ciph_${sc}_${ver} cipher_string="" if [ $c_id = "0" ] ; then - if [ $ecdsa_tests = 0 ] ; then - cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3" - else + if [ $ecdsa_tests = 1 ] ; then cipher_string="ECDSA+TLSv1.2:!TLSv1.3" + elif [ $gost_tests = 1 ] ; then + cipher_string="kGOST:!NULL:!TLSv1.3" + else + cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3" fi fi $c_bin ciphers -v $cipher_string | awk '{print $1}' > $c_ciph @@ -1413,6 +1473,11 @@ function test_sc_all_cipher { function test_sc_session_reuse { sc=$1 ver=$2 + + if [ $gost_tests = 1 ] && [ $ver = "tls1_3" -o $sc != 00 ] ; then + return + fi + sess_dat=$user1_dir/s_client_${sc}_${ver}_sess.dat # Get session ticket to reuse @@ -1460,6 +1525,10 @@ function test_sc_verify { sc=$1 ver=$2 + if [ $gost_tests = 1 ] && [ $ver = "tls1_3" -o $sc != 00 ] ; then + return + fi + # invalid verification pattern s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_invalid.out @@ -1508,16 +1577,21 @@ function test_server_client { port=4433 s_server_out=$server_dir/s_server_${sc}_tls.out - if [ $ecdsa_tests = 0 ] ; then - echo "Using RSA certificate" - crt=$server_cert - key=$server_key - pwd=$server_pass - else + if [ $ecdsa_tests = 1 ] ; then echo "Using ECDSA certificate" crt=$ecdsa_cert key=$ecdsa_key pwd=$ecdsa_pass + elif [ $gost_tests = 1 ] ; then + echo "Using GOST certificate" + crt=$gost_cert + key=$gost_key + pwd=$gost_pass + else + echo "Using RSA certificate" + crt=$server_cert + key=$server_key + pwd=$server_pass fi $s_bin version | grep 'OpenSSL 1.1.1' > /dev/null @@ -1539,10 +1613,10 @@ function test_server_client { sleep 1 # test by protocol version - test_sc_by_protocol_version $c_id tls1 'Protocol : TLSv1$' - test_sc_by_protocol_version $c_id tls1_1 'Protocol : TLSv1\.1$' - test_sc_by_protocol_version $c_id tls1_2 'Protocol : TLSv1\.2$' - test_sc_by_protocol_version $c_id tls1_3 'Protocol : TLSv1\.3$' + test_sc_by_protocol_version $sc tls1 'Protocol : TLSv1$' $c_id + test_sc_by_protocol_version $sc tls1_1 'Protocol : TLSv1\.1$' $c_id + test_sc_by_protocol_version $sc tls1_2 'Protocol : TLSv1\.2$' $c_id + test_sc_by_protocol_version $sc tls1_3 'Protocol : TLSv1\.3$' $c_id # all available ciphers with random order test_sc_all_cipher $sc tls1_2 @@ -1556,10 +1630,12 @@ function test_server_client { test_sc_verify $sc tls1_3 # s_time - start_message "s_time ... connect to TLS/SSL test server" - $c_bin s_time -connect $host:$port -CApath $ca_dir -time 1 \ - > $server_dir/s_time_${sc}.log - check_exit_status $? + if [ $gost_tests != 1 ] ; then + start_message "s_time ... connect to TLS/SSL test server" + $c_bin s_time -connect $host:$port -CApath $ca_dir -time 1 \ + > $server_dir/s_time_${sc}.log + check_exit_status $? + fi stop_s_server } @@ -1592,14 +1668,19 @@ openssl_bin=${OPENSSL:-/usr/bin/openssl} other_openssl_bin=${OTHER_OPENSSL:-/usr/local/bin/eopenssl11} ecdsa_tests=0 +gost_tests=0 interop_tests=0 no_long_tests=0 while [ "$1" != "" ]; do case $1 in - -e | --ecdsa) - shift + -e | --ecdsa) shift ecdsa_tests=1 + gost_tests=0 + ;; + -g | --gost) shift + gost_tests=1 + ecdsa_tests=0 ;; -i | --interop) shift interop_tests=1 -- cgit v1.2.3-55-g6feb