1#! /usr/bin/env perl
2# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
3#
4# Licensed under the Apache License 2.0 (the "License").  You may not use
5# this file except in compliance with the License.  You can obtain a copy
6# in the file LICENSE in the source distribution or at
7# https://www.openssl.org/source/license.html
8
9use strict;
10use warnings;
11
12use OpenSSL::Test qw/:DEFAULT srctop_file with/;
13use OpenSSL::Test::Utils;
14
15use Encode;
16
17setup("test_pkcs12");
18
19my $pass = "σύνθημα γνώρισμα";
20
21my $savedcp;
22if (eval { require Win32::API; 1; }) {
23    # Trouble is that Win32 perl uses CreateProcessA, which
24    # makes it problematic to pass non-ASCII arguments, from perl[!]
25    # that is. This is because CreateProcessA is just a wrapper for
26    # CreateProcessW and will call MultiByteToWideChar and use
27    # system default locale. Since we attempt Greek pass-phrase
28    # conversion can be done only with Greek locale.
29
30    Win32::API->Import("kernel32","UINT GetSystemDefaultLCID()");
31    if (GetSystemDefaultLCID() != 0x408) {
32        plan skip_all => "Non-Greek system locale";
33    } else {
34        # Ensure correct code page so that VERBOSE output is right.
35        Win32::API->Import("kernel32","UINT GetConsoleOutputCP()");
36        Win32::API->Import("kernel32","BOOL SetConsoleOutputCP(UINT cp)");
37        $savedcp = GetConsoleOutputCP();
38        SetConsoleOutputCP(1253);
39        $pass = Encode::encode("cp1253",Encode::decode("utf-8",$pass));
40    }
41} elsif ($^O eq "MSWin32") {
42    plan skip_all => "Win32::API unavailable";
43} elsif ($^O ne "VMS") {
44    # Running MinGW tests transparently under Wine apparently requires
45    # UTF-8 locale...
46
47    foreach(`locale -a`) {
48        s/\R$//;
49        if ($_ =~ m/^C\.UTF\-?8/i) {
50            $ENV{LC_ALL} = $_;
51            last;
52        }
53    }
54}
55$ENV{OPENSSL_WIN32_UTF8}=1;
56
57plan tests => 17;
58
59# Test different PKCS#12 formats
60ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
61# Test with legacy APIs
62ok(run(test(["pkcs12_format_test", "-legacy"])), "test pkcs12 formats using legacy APIs");
63# Test with a non-default library context (and no loaded providers in the default context)
64ok(run(test(["pkcs12_format_test", "-context"])), "test pkcs12 formats using a non-default library context");
65
66SKIP: {
67     skip "VMS doesn't have command line UTF-8 support yet in DCL", 1
68         if $^O eq "VMS";
69
70     # just see that we can read shibboleth.pfx protected with $pass
71     ok(run(app(["openssl", "pkcs12", "-noout",
72                 "-password", "pass:$pass",
73                 "-in", srctop_file("test", "shibboleth.pfx")])),
74        "test_load_cert_pkcs12");
75}
76
77my @path = qw(test certs);
78my $outfile1 = "out1.p12";
79my $outfile2 = "out2.p12";
80my $outfile3 = "out3.p12";
81my $outfile4 = "out4.p12";
82my $outfile5 = "out5.p12";
83
84# Test the -chain option with -untrusted
85ok(run(app(["openssl", "pkcs12", "-export", "-chain",
86            "-CAfile",  srctop_file(@path,  "sroot-cert.pem"),
87            "-untrusted", srctop_file(@path, "ca-cert.pem"),
88            "-in", srctop_file(@path, "ee-cert.pem"),
89            "-nokeys", "-passout", "pass:", "-out", $outfile1])),
90   "test_pkcs12_chain_untrusted");
91
92# Test the -passcerts option
93SKIP: {
94    skip "Skipping PKCS#12 test because DES is disabled in this build", 1
95        if disabled("des");
96    ok(run(app(["openssl", "pkcs12", "-export",
97            "-in", srctop_file(@path, "ee-cert.pem"),
98            "-certfile", srctop_file(@path, "v3-certs-TDES.p12"),
99            "-passcerts", "pass:v3-certs",
100            "-nokeys", "-passout", "pass:v3-certs", "-descert",
101            "-out", $outfile2])),
102   "test_pkcs12_passcerts");
103}
104
105SKIP: {
106    skip "Skipping legacy PKCS#12 test because the required algorithms are disabled", 1
107        if disabled("des") || disabled("rc2") || disabled("legacy");
108    # Test reading legacy PKCS#12 file
109    ok(run(app(["openssl", "pkcs12", "-export",
110                "-in", srctop_file(@path, "v3-certs-RC2.p12"),
111                "-passin", "pass:v3-certs",
112                "-provider", "default", "-provider", "legacy",
113                "-nokeys", "-passout", "pass:v3-certs", "-descert",
114                "-out", $outfile3])),
115    "test_pkcs12_passcerts_legacy");
116}
117
118# Test export of PEM file with both cert and key
119# -nomac necessary to avoid legacy provider requirement
120ok(run(app(["openssl", "pkcs12", "-export",
121        "-inkey", srctop_file(@path, "cert-key-cert.pem"),
122        "-in", srctop_file(@path, "cert-key-cert.pem"),
123        "-passout", "pass:v3-certs",
124        "-nomac", "-out", $outfile4], stderr => "outerr.txt")),
125   "test_export_pkcs12_cert_key_cert");
126open DATA, "outerr.txt";
127my @match = grep /:error:/, <DATA>;
128close DATA;
129ok(scalar @match > 0 ? 0 : 1, "test_export_pkcs12_outerr_empty");
130
131ok(run(app(["openssl", "pkcs12",
132            "-in", $outfile4,
133            "-passin", "pass:v3-certs",
134            "-nomacver", "-nodes"])),
135  "test_import_pkcs12_cert_key_cert");
136
137ok(run(app(["openssl", "pkcs12", "-export", "-out", $outfile5,
138            "-in", srctop_file(@path, "ee-cert.pem"), "-caname", "testname",
139            "-nokeys", "-passout", "pass:", "-certpbe", "NONE"])),
140   "test nokeys single cert");
141
142my @pkcs12info = run(app(["openssl", "pkcs12", "-info", "-in", $outfile5,
143                          "-passin", "pass:"]), capture => 1);
144
145# Test that with one input certificate, we get one output certificate
146ok(grep(/subject=CN = server.example/, @pkcs12info) == 1,
147   "test one cert in output");
148# Test that the expected friendly name is present in the output
149ok(grep(/testname/, @pkcs12info) == 1, "test friendly name in output");
150
151# Test some bad pkcs12 files
152my $bad1 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad1.p12");
153my $bad2 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad2.p12");
154my $bad3 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad3.p12");
155
156with({ exit_checker => sub { return shift == 1; } },
157     sub {
158        ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:"])),
159           "test bad pkcs12 file 1");
160
161        ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:",
162                    "-nomacver"])),
163           "test bad pkcs12 file 1 (nomacver)");
164
165        ok(run(app(["openssl", "pkcs12", "-in", $bad2, "-password", "pass:"])),
166           "test bad pkcs12 file 2");
167
168        ok(run(app(["openssl", "pkcs12", "-in", $bad3, "-password", "pass:"])),
169           "test bad pkcs12 file 3");
170     });
171
172SetConsoleOutputCP($savedcp) if (defined($savedcp));
173