1#! /usr/bin/env perl
2# Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
3#
4# Licensed under the Apache License 2.0 (the "License").  You may not use
5# this file except in compliance with the License.  You can obtain a copy
6# in the file LICENSE in the source distribution or at
7# https://www.openssl.org/source/license.html
8
9use strict;
10use warnings;
11
12use File::Spec;
13use File::Basename;
14use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips/;
15use OpenSSL::Test::Utils;
16use File::Compare qw/compare_text/;
17
18setup("test_pkeyutl");
19
20plan tests => 14;
21
22# For the tests below we use the cert itself as the TBS file
23
24SKIP: {
25    skip "Skipping tests that require EC, SM2 or SM3", 4
26        if disabled("ec") || disabled("sm2") || disabled("sm3");
27
28    # SM2
29    ok_nofips(run(app(([ 'openssl', 'pkeyutl', '-sign',
30                      '-in', srctop_file('test', 'certs', 'sm2.pem'),
31                      '-inkey', srctop_file('test', 'certs', 'sm2.key'),
32                      '-out', 'sm2.sig', '-rawin',
33                      '-digest', 'sm3', '-pkeyopt', 'distid:someid']))),
34                      "Sign a piece of data using SM2");
35    ok_nofips(run(app(([ 'openssl', 'pkeyutl',
36                      '-verify', '-certin',
37                      '-in', srctop_file('test', 'certs', 'sm2.pem'),
38                      '-inkey', srctop_file('test', 'certs', 'sm2.pem'),
39                      '-sigfile', 'sm2.sig', '-rawin',
40                      '-digest', 'sm3', '-pkeyopt', 'distid:someid']))),
41                      "Verify an SM2 signature against a piece of data");
42    ok_nofips(run(app(([ 'openssl', 'pkeyutl', '-encrypt',
43                      '-in', srctop_file('test', 'data2.bin'),
44                      '-inkey', srctop_file('test', 'certs', 'sm2-pub.key'),
45                      '-pubin', '-out', 'sm2.enc']))),
46                      "Encrypt a piece of data using SM2");
47    ok_nofips(run(app(([ 'openssl', 'pkeyutl', '-decrypt',
48                      '-in', 'sm2.enc',
49                      '-inkey', srctop_file('test', 'certs', 'sm2.key'),
50                      '-out', 'sm2.dat'])))
51                      && compare_text('sm2.dat',
52                                      srctop_file('test', 'data2.bin')) == 0,
53                      "Decrypt a piece of data using SM2");
54}
55
56SKIP: {
57    skip "Skipping tests that require EC", 4
58        if disabled("ec");
59
60    # Ed25519
61    ok(run(app(([ 'openssl', 'pkeyutl', '-sign', '-in',
62                  srctop_file('test', 'certs', 'server-ed25519-cert.pem'),
63                  '-inkey', srctop_file('test', 'certs', 'server-ed25519-key.pem'),
64                  '-out', 'Ed25519.sig', '-rawin']))),
65                  "Sign a piece of data using Ed25519");
66    ok(run(app(([ 'openssl', 'pkeyutl', '-verify', '-certin', '-in',
67                  srctop_file('test', 'certs', 'server-ed25519-cert.pem'),
68                  '-inkey', srctop_file('test', 'certs', 'server-ed25519-cert.pem'),
69                  '-sigfile', 'Ed25519.sig', '-rawin']))),
70                  "Verify an Ed25519 signature against a piece of data");
71
72    # Ed448
73    ok(run(app(([ 'openssl', 'pkeyutl', '-sign', '-in',
74                  srctop_file('test', 'certs', 'server-ed448-cert.pem'),
75                  '-inkey', srctop_file('test', 'certs', 'server-ed448-key.pem'),
76                  '-out', 'Ed448.sig', '-rawin']))),
77                  "Sign a piece of data using Ed448");
78    ok(run(app(([ 'openssl', 'pkeyutl', '-verify', '-certin', '-in',
79                  srctop_file('test', 'certs', 'server-ed448-cert.pem'),
80                  '-inkey', srctop_file('test', 'certs', 'server-ed448-cert.pem'),
81                  '-sigfile', 'Ed448.sig', '-rawin']))),
82                  "Verify an Ed448 signature against a piece of data");
83}
84
85sub tsignverify {
86    my $testtext = shift;
87    my $privkey = shift;
88    my $pubkey = shift;
89    my @extraopts = @_;
90
91    my $data_to_sign = srctop_file('test', 'data.bin');
92    my $other_data = srctop_file('test', 'data2.bin');
93    my $sigfile = basename($privkey, '.pem') . '.sig';
94
95    my @args = ();
96    plan tests => 5;
97
98    @args = ('openssl', 'pkeyutl', '-sign',
99             '-inkey', $privkey,
100             '-out', $sigfile,
101             '-in', $data_to_sign);
102    push(@args, @extraopts);
103    ok(run(app([@args])),
104       $testtext.": Generating signature");
105
106    @args = ('openssl', 'pkeyutl', '-sign',
107             '-inkey', $privkey,
108             '-keyform', 'DER',
109             '-out', $sigfile,
110             '-in', $data_to_sign);
111    push(@args, @extraopts);
112    ok(!run(app([@args])),
113       $testtext.": Checking that mismatching keyform fails");
114
115    @args = ('openssl', 'pkeyutl', '-verify',
116             '-inkey', $privkey,
117             '-sigfile', $sigfile,
118             '-in', $data_to_sign);
119    push(@args, @extraopts);
120    ok(run(app([@args])),
121       $testtext.": Verify signature with private key");
122
123    @args = ('openssl', 'pkeyutl', '-verify',
124             '-keyform', 'PEM',
125             '-inkey', $pubkey, '-pubin',
126             '-sigfile', $sigfile,
127             '-in', $data_to_sign);
128    push(@args, @extraopts);
129    ok(run(app([@args])),
130       $testtext.": Verify signature with public key");
131
132    @args = ('openssl', 'pkeyutl', '-verify',
133             '-inkey', $pubkey, '-pubin',
134             '-sigfile', $sigfile,
135             '-in', $other_data);
136    push(@args, @extraopts);
137    ok(!run(app([@args])),
138       $testtext.": Expect failure verifying mismatching data");
139}
140
141SKIP: {
142    skip "RSA is not supported by this OpenSSL build", 1
143        if disabled("rsa");
144
145    subtest "RSA CLI signature generation and verification" => sub {
146        tsignverify("RSA",
147                    srctop_file("test","testrsa.pem"),
148                    srctop_file("test","testrsapub.pem"),
149                    "-rawin", "-digest", "sha256");
150    };
151
152    subtest "RSA CLI signature and verification with pkeyopt" => sub {
153        tsignverify("RSA",
154                    srctop_file("test","testrsa.pem"),
155                    srctop_file("test","testrsapub.pem"),
156                    "-rawin", "-digest", "sha256",
157                    "-pkeyopt", "rsa_padding_mode:pss");
158    };
159}
160
161SKIP: {
162    skip "DSA is not supported by this OpenSSL build", 1
163        if disabled("dsa");
164
165    subtest "DSA CLI signature generation and verification" => sub {
166        tsignverify("DSA",
167                    srctop_file("test","testdsa.pem"),
168                    srctop_file("test","testdsapub.pem"),
169                    "-rawin", "-digest", "sha256");
170    };
171}
172
173SKIP: {
174    skip "ECDSA is not supported by this OpenSSL build", 1
175        if disabled("ec");
176
177    subtest "ECDSA CLI signature generation and verification" => sub {
178        tsignverify("ECDSA",
179                    srctop_file("test","testec-p256.pem"),
180                    srctop_file("test","testecpub-p256.pem"),
181                    "-rawin", "-digest", "sha256");
182    };
183}
184
185SKIP: {
186    skip "EdDSA is not supported by this OpenSSL build", 2
187        if disabled("ec");
188
189    subtest "Ed2559 CLI signature generation and verification" => sub {
190        tsignverify("Ed25519",
191                    srctop_file("test","tested25519.pem"),
192                    srctop_file("test","tested25519pub.pem"),
193                    "-rawin");
194    };
195
196    subtest "Ed448 CLI signature generation and verification" => sub {
197        tsignverify("Ed448",
198                    srctop_file("test","tested448.pem"),
199                    srctop_file("test","tested448pub.pem"),
200                    "-rawin");
201    };
202}
203