From 91f2b15f2ecd9dd92b6ed2563b10c1a126db2643 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Sat, 12 Dec 2020 22:04:05 +0100 Subject: TEST: Prefer using precomputed RSA and DH keys for more efficient tests Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13715) --- test/CAtsa.cnf | 1 - test/ca-and-certs.cnf | 4 ---- test/certs/dhk2048.pem | 14 +++++++++++ test/endecode_test.c | 34 +++++++++++++++++---------- test/endecoder_legacy_test.c | 31 +++++++++++++++++++++++- test/evp_libctx_test.c | 5 ++-- test/proxy.cnf | 4 ---- test/recipes/04-test_encoder_decoder.t | 5 +++- test/recipes/04-test_encoder_decoder_legacy.t | 6 +++-- test/recipes/25-test_req.t | 2 ++ test/recipes/25-test_verify_store.t | 4 ++++ test/recipes/80-test_ca.t | 10 +++++--- test/recipes/80-test_ssl_old.t | 20 ++++++++-------- test/recipes/80-test_tsa.t | 7 ++++-- test/test.cnf | 4 ---- 15 files changed, 104 insertions(+), 47 deletions(-) create mode 100644 test/certs/dhk2048.pem diff --git a/test/CAtsa.cnf b/test/CAtsa.cnf index e7ca8c5a1e..e232e7023e 100644 --- a/test/CAtsa.cnf +++ b/test/CAtsa.cnf @@ -48,7 +48,6 @@ emailAddress = optional #---------------------------------------------------------------------- [ req ] -default_bits = 2048 default_md = sha1 distinguished_name = $ENV::TSDNSECT encrypt_rsa_key = no diff --git a/test/ca-and-certs.cnf b/test/ca-and-certs.cnf index 598db2b6a0..f6663924ae 100644 --- a/test/ca-and-certs.cnf +++ b/test/ca-and-certs.cnf @@ -3,8 +3,6 @@ CN2 = Brother 2 #################################################################### [ req ] -default_bits = 2048 -default_keyfile = keySS.pem distinguished_name = req_distinguished_name encrypt_rsa_key = no default_md = sha1 
@@ -19,8 +17,6 @@ commonName_value = Dodgy CA #################################################################### [ userreq ] -default_bits = 2048 -default_keyfile = keySS.pem distinguished_name = user_dn encrypt_rsa_key = no default_md = sha256 diff --git a/test/certs/dhk2048.pem b/test/certs/dhk2048.pem new file mode 100644 index 0000000000..1e1cef4b8c --- /dev/null +++ b/test/certs/dhk2048.pem @@ -0,0 +1,14 @@ +-----BEGIN PRIVATE KEY----- +MIICKgIBADCCARsGCSqGSIb3DQEDATCCAQwCggEBAP//////////yQ/aoiFowjTE +xmKLgNwc0SkCTgiKZ8x0Agu+pjsTmyJRSgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP +4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJ +KGZR7ORbPcIAfLihY78FmNpINhxV05ppFj+o/STPX4NlXSPco62WHGLzViCFUrue +1SkHcJaWbWcMNU5KvJgE8XRsCMoYIXwykF5GLjbOO+OedywYDoYDmyeDouwHoo+1 +xV3wb0xSyd4ry/aVWBcYOZVJfOqVauUV0iYYmPoFEBVyjlqKrKpo//////////8C +AQICAgf/BIIBBAKCAQBPXxEkDA2EWknARF2EzUo6gc1eFNdKMVwa7aT3e2ClTIkN +B4Y6XsJCS5C4q0vKhHtdH5LswCxUPfTQQAOlKPzcdMcGuOvx8gl90kvaOuxnD0wQ +rpRmC64FbN+h503UJuGuNTFO2AvgLVb6EA637soAcWR6qLtRJ3wDpr1OW/ertIUj +jhzD1i255j+z6UVQBNLy882AUSHfjr1UzWTYfcyn1zpQbZtbIh+0O5cloIl6Ek4N +c3NtCgwAmTROrsKqHGmaW+pw4sOAAtNJByPT0y725s7tq4mAJKJgCc2J8Lbwbx9Z +s+tEoCidGYuBRNouVH6I6POwjIhdpU0kIscdv+w8 +-----END PRIVATE KEY----- diff --git a/test/endecode_test.c b/test/endecode_test.c index 9d0ebeb7e7..f851f73ffd 100644 --- a/test/endecode_test.c +++ b/test/endecode_test.c @@ -88,6 +88,7 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams) } #endif +#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC) static EVP_PKEY *make_key(const char *type, EVP_PKEY *template, OSSL_PARAM *genparams) { @@ -109,6 +110,7 @@ static EVP_PKEY *make_key(const char *type, EVP_PKEY *template, EVP_PKEY_CTX_free(ctx); return pkey; } +#endif /* Main test driver */ 
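Review bot: The `#endif` closing the new `#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC)` guard around make_key (second endecode_test.c hunk) carries no trailing comment, while the file's other guards do (`#endif /* OPENSSL_NO_EC */`, `# endif /* OPENSSL_NO_EC2M */` further down). Suggest `#endif /* !OPENSSL_NO_DH || !OPENSSL_NO_DSA || !OPENSSL_NO_EC */` so the three-way condition is readable where it closes, since the opening `#if` is some twenty lines earlier. make_key's body lies between the two hunks and is not shown here.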
@@ -1182,6 +1184,9 @@ static int create_ec_explicit_trinomial_params(OSSL_PARAM_BLD *bld) # endif /* OPENSSL_NO_EC2M */ #endif /* OPENSSL_NO_EC */ +#define USAGE "rsa-key.pem rsa-pss-key.pem\n" +OPT_TEST_DECLARE_USAGE(USAGE) + int setup_tests(void) { # ifndef OPENSSL_NO_RC4 @@ -1207,12 +1212,14 @@ int setup_tests(void) }; #endif - /* 7 is the default magic number */ - static unsigned int rsapss_min_saltlen = 7; - OSSL_PARAM RSA_PSS_params[] = { - OSSL_PARAM_uint("saltlen", &rsapss_min_saltlen), - OSSL_PARAM_END - }; + if (!test_skip_common_options()) { + TEST_error("Error parsing test options\n"); + return 0; + } + if (test_get_argument_count() != 2) { + TEST_error("usage: endecode_test %s", USAGE); + return 0; + } #ifndef OPENSSL_NO_EC if (!TEST_ptr(bnctx = BN_CTX_new_ex(NULL)) @@ -1237,15 +1244,16 @@ int setup_tests(void) TEST_info("Generating keys..."); #ifndef OPENSSL_NO_DH + TEST_info("Generating DH keys..."); MAKE_DOMAIN_KEYS(DH, "DH", NULL); MAKE_DOMAIN_KEYS(DHX, "X9.42 DH", NULL); - TEST_info("Generating keys...DH done"); #endif #ifndef OPENSSL_NO_DSA + TEST_info("Generating DSA keys..."); MAKE_DOMAIN_KEYS(DSA, "DSA", DSA_params); - TEST_info("Generating keys...DSA done"); #endif #ifndef OPENSSL_NO_EC + TEST_info("Generating EC keys..."); MAKE_DOMAIN_KEYS(EC, "EC", EC_params); MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc); MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit); 
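Review bot: The removed `RSA_PSS_params` pinned `saltlen` to 7 on the generated RSA-PSS key, and the @@ -1257 hunk now loads that key from the second command-line argument instead, so whether the fixture carries equivalent PSS restriction parameters is no longer visible in the test source. Suggest a comment next to the `USAGE` define, along the lines of `/* rsa-pss-key.pem should carry PSS restrictions (e.g. saltlen) so the restricted-key encoder paths stay covered */`, adjusted to what test/certs/ca-pss-key.pem actually encodes. In the third hunk the context line `TEST_info("Generating keys...");` is kept immediately above the new `TEST_info("Generating DH keys...");`, which makes the first message redundant now that each family announces itself.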
@@ -1257,12 +1265,12 @@ int setup_tests(void) MAKE_KEYS(ED448, "ED448", NULL); MAKE_KEYS(X25519, "X25519", NULL); MAKE_KEYS(X448, "X448", NULL); - TEST_info("Generating keys...EC done"); #endif - MAKE_KEYS(RSA, "RSA", NULL); - TEST_info("Generating keys...RSA done"); - MAKE_KEYS(RSA_PSS, "RSA-PSS", RSA_PSS_params); - TEST_info("Generating keys...RSA_PSS done"); + TEST_info("Loading RSA key..."); + ok = ok && TEST_ptr(key_RSA = load_pkey_pem(test_get_argument(0), NULL)); + TEST_info("Loading RSA_PSS key..."); + ok = ok && TEST_ptr(key_RSA_PSS = load_pkey_pem(test_get_argument(1), NULL)); + TEST_info("Generating keys done"); if (ok) { #ifndef OPENSSL_NO_DH diff --git a/test/endecoder_legacy_test.c b/test/endecoder_legacy_test.c index 9e54f1f03b..b3bd4f5872 100644 --- a/test/endecoder_legacy_test.c +++ b/test/endecoder_legacy_test.c @@ -674,19 +674,48 @@ static int test_key(int idx) return ok; } +#define USAGE "rsa-key.pem dh-key.pem\n" +OPT_TEST_DECLARE_USAGE(USAGE) + int setup_tests(void) { size_t i; + if (!test_skip_common_options()) { + TEST_error("Error parsing test options\n"); + return 0; + } + if (test_get_argument_count() != 2) { + TEST_error("usage: endecoder_legacy_test %s", USAGE); + return 0; + } + TEST_info("Generating keys..."); for (i = 0; i < OSSL_NELEM(keys); i++) { +#ifndef OPENSSL_NO_DH + if (strcmp(keys[i].keytype, "DH") == 0) { + if (!TEST_ptr(keys[i].key = + load_pkey_pem(test_get_argument(1), NULL))) + return 0; + continue; + } +#endif +#ifndef OPENSSL_NO_DEPRECATED_3_0 + if (strcmp(keys[i].keytype, "RSA") == 0) { + if (!TEST_ptr(keys[i].key = + load_pkey_pem(test_get_argument(0), NULL))) + return 0; + continue; + } +#endif + TEST_info("Generating %s key...", keys[i].keytype); if (!TEST_ptr(keys[i].key = make_key(keys[i].keytype, keys[i].template_params))) return 0; } - TEST_info("Generating key... done"); + TEST_info("Generating keys done"); ADD_ALL_TESTS(test_key, OSSL_NELEM(test_stanzas)); return 1; 
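Review bot: In the endecoder_legacy_test.c hunk the RSA branch inside the keys loop is guarded by `#ifndef OPENSSL_NO_DEPRECATED_3_0`, which unlike the DH branch's `#ifndef OPENSSL_NO_DH` does not express availability of the key type; if the intent is that the RSA table entry only exists in deprecated-API builds (the recipe already skips on no-deprecated), a comment such as `/* the RSA entry is only present in deprecated-API builds */` would make that clear, otherwise the guard looks stray. Both branches also hard-code `test_get_argument(1)` and `test_get_argument(0)`; a comment tying them to the `USAGE` order (`rsa-key.pem dh-key.pem`) would keep the mapping obvious. Whether keys[] contains a DH entry in an OPENSSL_NO_DH build is not visible here, so the fall-through to make_key in that configuration is presumably handled by the table itself.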
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c index 1fcfdadeef..5e8f436cca 100644 --- a/test/evp_libctx_test.c +++ b/test/evp_libctx_test.c @@ -530,15 +530,16 @@ static int kem_rsa_gen_recover(void) unsigned char ct[256] = { 0, }; unsigned char unwrap[256] = { 0, }; size_t ctlen = 0, unwraplen = 0, secretlen = 0; + int bits = 2048; - ret = TEST_true(rsa_keygen(2048, &pub, &priv)) + ret = TEST_true(rsa_keygen(bits, &pub, &priv)) && TEST_ptr(sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pub, NULL)) && TEST_int_eq(EVP_PKEY_encapsulate_init(sctx, NULL), 1) && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(sctx, "RSASVE"), 1) && TEST_int_eq(EVP_PKEY_encapsulate(sctx, NULL, &ctlen, NULL, &secretlen), 1) && TEST_int_eq(ctlen, secretlen) - && TEST_int_eq(ctlen, 2048 / 8) + && TEST_int_eq(ctlen, bits / 8) && TEST_int_eq(EVP_PKEY_encapsulate(sctx, ct, &ctlen, secret, &secretlen), 1) && TEST_ptr(rctx = EVP_PKEY_CTX_new_from_pkey(libctx, priv, NULL)) diff --git a/test/proxy.cnf b/test/proxy.cnf index e6b60542bb..ceac227c04 100644 --- a/test/proxy.cnf +++ b/test/proxy.cnf @@ -2,8 +2,6 @@ ## Config file for proxy certificate testing. [ req ] -default_bits = 2048 -default_keyfile = keySS.pem distinguished_name = req_distinguished_name_p1 encrypt_rsa_key = no default_md = sha256 @@ -29,8 +27,6 @@ proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB #################################################################### [ proxy2_req ] -default_bits = 2048 -default_keyfile = keySS.pem distinguished_name = req_distinguished_name_p2 encrypt_rsa_key = no default_md = sha256 diff --git a/test/recipes/04-test_encoder_decoder.t b/test/recipes/04-test_encoder_decoder.t index 2041eb1fb9..0152519716 100644 --- a/test/recipes/04-test_encoder_decoder.t +++ b/test/recipes/04-test_encoder_decoder.t 
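Review bot: `bits` is now a variable, but `ct[256]` and `unwrap[256]` two context lines above are still sized by the literal 256, so the two are no longer tied: with `bits` set to 3072, `ctlen` (returned by the sizing `EVP_PKEY_encapsulate` call, checked against `bits / 8`, then passed back as the buffer length) would exceed both arrays. An integer constant expression keeps the sizes derived from one place, e.g. `enum { bits = 2048 };` declared before the buffers with `unsigned char ct[bits / 8] = { 0, };` and `unsigned char unwrap[bits / 8] = { 0, };`. kem_rsa_gen_recover's body starts and ends outside the hunk.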
@@ -20,4 +20,7 @@ plan tests => 1; $ENV{OPENSSL_MODULES} = abs_path(bldtop_dir("providers")); $ENV{OPENSSL_CONF} = abs_path(srctop_file("test", "default-and-legacy.cnf")); -ok(run(test(["endecode_test"]))); +my $rsa_key = srctop_file("test", "certs", "ee-key.pem"); +my $pss_key = srctop_file("test", "certs", "ca-pss-key.pem"); + +ok(run(test(["endecode_test", $rsa_key, $pss_key]))); diff --git a/test/recipes/04-test_encoder_decoder_legacy.t b/test/recipes/04-test_encoder_decoder_legacy.t index d6671b2215..f278e17e48 100644 --- a/test/recipes/04-test_encoder_decoder_legacy.t +++ b/test/recipes/04-test_encoder_decoder_legacy.t @@ -20,8 +20,10 @@ plan skip_all => "Not available in a no-deprecated build" if disabled("deprecated"); plan tests => 1; - $ENV{OPENSSL_MODULES} = abs_path(bldtop_dir("providers")); $ENV{OPENSSL_CONF} = abs_path(srctop_file("test", "default.cnf")); -ok(run(test(["endecoder_legacy_test"]))); +my $rsa_key = srctop_file("test", "certs", "ee-key.pem"); +my $dh_key = srctop_file("test", "certs", "dhk2048.pem"); + +ok(run(test(["endecoder_legacy_test", $rsa_key, $dh_key]))); diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t index 0fcb56a46a..9783fe3960 100644 --- a/test/recipes/25-test_req.t +++ b/test/recipes/25-test_req.t @@ -33,6 +33,7 @@ if (disabled("rsa")) { # Check for duplicate -addext parameters, and one "working" case. my @addext_args = ( "openssl", "req", "-new", "-out", "testreq.pem", + "-key", srctop_file("test", "certs", "ee-key.pem"), "-config", srctop_file("test", "test.cnf"), @req_new ); my $val = "subjectAltName=DNS:example.com"; my $val2 = " " . $val; @@ -288,6 +289,7 @@ subtest "generating certificate requests" => sub { plan tests => 2; ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"), + "-key", srctop_file("test", "certs", "ee-key.pem"), @req_new, "-out", "testreq.pem"])), "Generating request"); 
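Review bot: Both 25-test_req.t hunks inline `srctop_file("test", "certs", "ee-key.pem")`, whereas the other recipes in this commit (25-test_verify_store.t, 80-test_ca.t, the two encoder recipes) bind the fixture path once to a variable; hoisting it to `my $ee_key = srctop_file("test", "certs", "ee-key.pem");` near the `@addext_args` definition would keep the two call sites in step. The first hunk's header shows `if (disabled("rsa")) {` as enclosing context, and ee-key.pem is used elsewhere in this commit as the RSA key, so it is worth confirming that `-key` is only reached in RSA-enabled builds.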
diff --git a/test/recipes/25-test_verify_store.t b/test/recipes/25-test_verify_store.t index 920b608a37..a2268c59e4 100644 --- a/test/recipes/25-test_verify_store.t +++ b/test/recipes/25-test_verify_store.t @@ -17,6 +17,8 @@ setup("test_verify_store"); plan tests => 10; my $dummycnf = srctop_file("apps", "openssl.cnf"); +my $cakey = srctop_file("test", "certs", "ca-key.pem"); +my $ukey = srctop_file("test", "certs", "ee-key.pem"); my $cnf = srctop_file("test", "ca-and-certs.cnf"); my $CAkey = "keyCA.ss"; @@ -33,6 +35,7 @@ SKIP: { qw(-new -section userreq), -config => $cnf, -out => $CAreq, + -key => $cakey, -keyout => $CAkey ); skip 'failure', 8 unless @@ -73,6 +76,7 @@ SKIP: { qw(-new -section userreq), -config => $cnf, -out => $Ureq, + -key => $ukey, -keyout => $Ukey ); skip 'failure', 2 unless diff --git a/test/recipes/80-test_ca.t b/test/recipes/80-test_ca.t index 4b145264ad..59a09ee917 100644 --- a/test/recipes/80-test_ca.t +++ b/test/recipes/80-test_ca.t @@ -29,15 +29,18 @@ rmtree("demoCA", { safe => 0 }); plan tests => 15; SKIP: { + my $cakey = srctop_file("test", "certs", "ca-key.pem"); $ENV{OPENSSL_CONFIG} = '-config ' . $cnf; skip "failed creating CA structure", 4 - if !ok(run(perlapp(["CA.pl","-newca"], stdin => undef)), + if !ok(run(perlapp(["CA.pl","-newca", + "-extra-req", "-key $cakey"], stdin => undef)), 'creating CA structure'); + my $eekey = srctop_file("test", "certs", "ee-key.pem"); $ENV{OPENSSL_CONFIG} = '-config ' . $cnf; skip "failed creating new certificate request", 3 if !ok(run(perlapp(["CA.pl","-newreq", - '-extra-req', '-outform DER -section userreq'])), + '-extra-req', "-outform DER -section userreq -key $eekey"])), 'creating certificate request'); $ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config '.$std_openssl_cnf; skip "failed to sign certificate request", 2 
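Review bot: In the 80-test_ca.t hunk, `"-extra-req", "-key $cakey"` hands the option and the key path to CA.pl as one whitespace-separated string, which only works if CA.pl re-splits it and the source tree path contains no spaces; the pre-existing `'-outform DER -section userreq'` had the same shape but carried no path. The same applies to `"-outform DER -section userreq -key $eekey"` in this hunk and to `"-section userreq -key $eekey2"` in the -precert hunk that follows. If `-extra-req` cannot take separate arguments, a comment such as `# CA.pl splits -extra-req on whitespace; source paths with spaces are not supported` would at least record the limitation.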
@@ -50,8 +53,9 @@ plan tests => 15; skip "CT not configured, can't use -precert", 1 if disabled("ct"); + my $eekey2 = srctop_file("test", "certs", "ee-key-3072.pem"); $ENV{OPENSSL_CONFIG} = '-config ' . $cnf; - ok(run(perlapp(["CA.pl", "-precert", '-extra-req', '-section userreq'], stderr => undef)), + ok(run(perlapp(["CA.pl", "-precert", '-extra-req', "-section userreq -key $eekey2"], stderr => undef)), 'creating new pre-certificate'); } diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t index d01b2b72a8..59f364d7f7 100644 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t @@ -46,12 +46,12 @@ my @genpkeycmd = ("openssl", "genpkey"); my $dummycnf = srctop_file("apps", "openssl.cnf"); my $cnf = srctop_file("test", "ca-and-certs.cnf"); -my $CAkey = "keyCA.ss"; +my $CAkey = srctop_file("test", "certs", "ca-key.pem"); # "keyCA.ss" my $CAcert="certCA.ss"; my $CAserial="certCA.srl"; my $CAreq="reqCA.ss"; my $CAreq2="req2CA.ss"; # temp -my $Ukey="keyU.ss"; +my $Ukey = srctop_file("test", "certs", "ee-key.pem"); # "keyU.ss"; my $Ureq="reqU.ss"; my $Ucert="certU.ss"; my $Dkey="keyD.ss"; @@ -62,11 +62,11 @@ my $Ereq="reqE.ss"; my $Ecert="certE.ss"; my $proxycnf=srctop_file("test", "proxy.cnf"); -my $P1key="keyP1.ss"; +my $P1key= srctop_file("test", "certs", "alt1-key.pem"); # "keyP1.ss"; my $P1req="reqP1.ss"; my $P1cert="certP1.ss"; my $P1intermediate="tmp_intP1.ss"; -my $P2key="keyP2.ss"; +my $P2key= srctop_file("test", "certs", "alt2-key.pem"); # "keyP2.ss"; my $P2req="reqP2.ss"; my $P2cert="certP2.ss"; my $P2intermediate="tmp_intP2.ss"; @@ -125,7 +125,7 @@ sub testss { SKIP: { skip 'failure', 16 unless ok(run(app([@reqcmd, "-config", $cnf, - "-out", $CAreq, "-keyout", $CAkey, + "-out", $CAreq, "-key", $CAkey, @req_new])), 'make cert request'); 
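Review bot: The four rewritten key assignments in the 80-test_ssl_old.t @@ -46 and @@ -62 hunks are formatted three different ways: `$CAkey = srctop_file(...); # "keyCA.ss"`, `$Ukey = ...; # "keyU.ss";` and `$P1key= srctop_file(...); # "keyP1.ss";` (no space before `=`, stray semicolon inside the comment). Suggest one form, e.g. `my $P1key = srctop_file("test", "certs", "alt1-key.pem"); # was "keyP1.ss"`, so the comment reads as the former file name rather than leftover code. Since $CAkey, $Ukey, $P1key and $P2key now point into the source tree, replacing `-keyout` with `-key` on the four `req` invocations (this hunk and the three on the next line) is what keeps the fixtures from being overwritten; a short comment at the declarations would record that.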
@@ -159,7 +159,7 @@ sub testss { skip 'failure', 10 unless ok(run(app([@reqcmd, "-config", $cnf, "-section", "userreq", - "-out", $Ureq, "-keyout", $Ukey, @req_new], + "-out", $Ureq, "-key", $Ukey, @req_new], stdout => "err.ss")), 'make a user cert request'); @@ -271,7 +271,7 @@ sub testss { skip 'failure', 5 unless ok(run(app([@reqcmd, "-config", $proxycnf, - "-out", $P1req, "-keyout", $P1key, @req_new], + "-out", $P1req, "-key", $P1key, @req_new], stdout => "err.ss")), 'make a proxy cert request'); @@ -294,7 +294,7 @@ sub testss { skip 'failure', 2 unless ok(run(app([@reqcmd, "-config", $proxycnf, "-section", "proxy2_req", - "-out", $P2req, "-keyout", $P2key, + "-out", $P2req, "-key", $P2key, @req_new], stdout => "err.ss")), 'make another proxy cert request'); @@ -427,11 +427,11 @@ sub testssl { my $ciphers = '-PSK:-SRP:@SECLEVEL=0'; if (!$no_dsa) { - push @exkeys, "-s_cert", "certD.ss", "-s_key", "keyD.ss"; + push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey; } if (!$no_ec) { - push @exkeys, "-s_cert", "certE.ss", "-s_key", "keyE.ss"; + push @exkeys, "-s_cert", "certE.ss", "-s_key", $Ekey; } my @protocols = (); diff --git a/test/recipes/80-test_tsa.t b/test/recipes/80-test_tsa.t index 6fa005aebc..a76d4a9d05 100644 --- a/test/recipes/80-test_tsa.t +++ b/test/recipes/80-test_tsa.t @@ -25,6 +25,7 @@ plan skip_all => "TS is not supported by this OpenSSL build" # here, however, to be available in all subroutines. my $openssl_conf; my $testtsa; +my $tsacakey; my $CAtsa; my @QUERY = ("openssl", "ts", "-query"); my @REPLY; 
@@ -38,12 +39,13 @@ sub create_tsa_cert { ok(run(app(["openssl", "req", "-config", $openssl_conf, "-new", "-out", "tsa_req${INDEX}.pem", + "-key", srctop_file("test", "certs", "alt${INDEX}-key.pem"), "-keyout", "tsa_key${INDEX}.pem"]))); note "using extension $EXT"; ok(run(app(["openssl", "x509", "-req", "-in", "tsa_req${INDEX}.pem", "-out", "tsa_cert${INDEX}.pem", - "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem", + "-CA", "tsaca.pem", "-CAkey", $tsacakey, "-CAcreateserial", "-extfile", $openssl_conf, "-extensions", $EXT]))); } @@ -90,6 +92,7 @@ indir "tsa" => sub { $openssl_conf = srctop_file("test", "CAtsa.cnf"); $testtsa = srctop_file("test", "recipes", "80-test_tsa.t"); + $tsacakey = srctop_file("test", "certs", "ca-key.pem"); $CAtsa = srctop_file("test", "CAtsa.cnf"); @REPLY = ("openssl", "ts", "-config", $openssl_conf, "-reply"); @@ -102,7 +105,7 @@ indir "tsa" => sub skip "failed", 19 unless ok(run(app(["openssl", "req", "-config", $openssl_conf, "-new", "-x509", "-noenc", - "-out", "tsaca.pem", "-keyout", "tsacakey.pem"])), + "-out", "tsaca.pem", "-key", $tsacakey])), 'creating a new CA for the TSA tests'); skip "failed", 18 diff --git a/test/test.cnf b/test/test.cnf index a686c3d8bd..8b2f92ad8e 100644 --- a/test/test.cnf +++ b/test/test.cnf @@ -49,15 +49,11 @@ emailAddress = optional #################################################################### [ req ] -default_bits = 2048 -default_keyfile = testkey.pem distinguished_name = req_distinguished_name encrypt_rsa_key = no # Make altreq be identical to req [ altreq ] -default_bits = 2048 -default_keyfile = testkey.pem distinguished_name = req_distinguished_name encrypt_rsa_key = no -- cgit v1.2.3
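Review bot: In create_tsa_cert the `req` call now passes both `-key` (the alt${INDEX} fixture) and `-keyout "tsa_key${INDEX}.pem"`, so any later step that reads tsa_key${INDEX}.pem presumably relies on `req` writing the supplied key to `-keyout` rather than generating a fresh one; the two 25-test_verify_store.t hunks (`-key => $cakey, -keyout => $CAkey` and `-key => $ukey, -keyout => $Ukey`) depend on the same behaviour. A one-line comment at the first such site, e.g. `# -keyout re-exports the -key fixture so later steps keep reading the local file`, would make the assumption explicit. `$tsacakey` is assigned inside the `indir` block but read in create_tsa_cert, which matches the existing arrangement for $openssl_conf described by the "to be available in all subroutines" comment in the @@ -25 hunk.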