1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
|
#! /usr/bin/env perl
# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use OpenSSL::Test::Utils;
use File::Compare qw(compare_text);
use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips is_nofips/;
setup("test_pkcs8");
plan tests => 15;
ok(run(app(([ 'openssl', 'pkcs8', '-topk8',
'-in', srctop_file('test', 'certs', 'pc5-key.pem'),
'-out', 'pbkdf2_default_saltlen.pem',
'-passout', 'pass:password']))),
"Convert a private key to PKCS5 v2.0 format using PBKDF2 with the default saltlen");
# We expect the output to be of the form "0:d=0 hl=2 l= 16 prim: OCTET STRING [HEX DUMP]:FAC7F37508E6B7A805BF4B13861B3687"
# i.e. 2 byte header + 16 byte salt.
ok(run(app(([ 'openssl', 'asn1parse',
'-in', 'pbkdf2_default_saltlen.pem',
'-offset', '34', '-length', '18']))),
"Check the default size of the PBKDF2 PARAM 'salt length' is 16");
SKIP: {
skip "scrypt is not supported by this OpenSSL build", 4
if disabled("scrypt");
ok(run(app(([ 'openssl', 'pkcs8', '-topk8',
'-in', srctop_file('test', 'certs', 'pc5-key.pem'),
'-scrypt',
'-out', 'scrypt_default_saltlen.pem',
'-passout', 'pass:password']))),
"Convert a private key to PKCS5 v2.0 format using scrypt with the default saltlen");
# We expect the output to be of the form "0:d=0 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:FAC7F37508E6B7A805BF4B13861B3687"
# i.e. 2 byte header + 16 byte salt.
ok(run(app(([ 'openssl', 'asn1parse',
'-in', 'scrypt_default_saltlen.pem',
'-offset', '34', '-length', '18']))),
"Check the default size of the SCRYPT PARAM 'salt length' = 16");
ok(run(app(([ 'openssl', 'pkcs8', '-topk8',
'-in', srctop_file('test', 'certs', 'pc5-key.pem'),
'-scrypt',
'-saltlen', '8',
'-out', 'scrypt_64bit_saltlen.pem',
'-passout', 'pass:password']))),
"Convert a private key to PKCS5 v2.0 format using scrypt with a salt length of 8 bytes");
# We expect the output to be of the form "0:d=0 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:3C1147976A2B61CA"
# i.e. 2 byte header + 8 byte salt.
ok(run(app(([ 'openssl', 'asn1parse',
'-in', 'scrypt_64bit_saltlen.pem',
'-offset', '34', '-length', '10']))),
"Check the size of the SCRYPT PARAM 'salt length' is 8");
}
SKIP: {
skip "legacy provider is not supported by this OpenSSL build", 4
if disabled('legacy') || disabled("des");
ok(run(app(([ 'openssl', 'pkcs8', '-topk8',
'-in', srctop_file('test', 'certs', 'pc5-key.pem'),
'-v1', "PBE-MD5-DES",
'-provider', 'legacy',
'-provider', 'default',
'-out', 'pbe1.pem',
'-passout', 'pass:password']))),
"Convert a private key to PKCS5 v1.5 format using pbeWithMD5AndDES-CBC with the default saltlen");
ok(run(app(([ 'openssl', 'asn1parse',
'-in', 'pbe1.pem',
'-offset', '19', '-length', '10']))),
"Check the default size of the PBE PARAM 'salt length' = 8");
ok(run(app(([ 'openssl', 'pkcs8', '-topk8',
'-in', srctop_file('test', 'certs', 'pc5-key.pem'),
'-v1', "PBE-MD5-DES",
'-saltlen', '16',
'-provider', 'legacy',
'-provider', 'default',
'-out', 'pbe1_128bitsalt.pem',
'-passout', 'pass:password']))),
"Convert a private key to PKCS5 v1.5 format using pbeWithMD5AndDES-CBC with the 16 byte saltlen");
ok(run(app(([ 'openssl', 'asn1parse',
'-in', 'pbe1_128bitsalt.pem',
'-offset', '19', '-length', '18']))),
"Check the size of the PBE PARAM 'salt length' = 16");
};
ok(run(app(([ 'openssl', 'pkcs8', '-topk8',
'-in', srctop_file('test', 'certs', 'pc5-key.pem'),
'-saltlen', '8',
'-out', 'pbkdf2_64bit_saltlen.pem',
'-passout', 'pass:password']))),
"Convert a private key to PKCS5 v2.0 format using pbkdf2 with a salt length of 8 bytes");
# We expect the output to be of the form "0:d=0 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:3C1147976A2B61CA"
# i.e. 2 byte header + 8 byte salt.
ok(run(app(([ 'openssl', 'asn1parse',
'-in', 'pbkdf2_64bit_saltlen.pem',
'-offset', '34', '-length', '10']))),
"Check the size of the PBKDF2 PARAM 'salt length' is 8");
SKIP: {
skip "SM2, SM3 or SM4 is not supported by this OpenSSL build", 3
if disabled("sm2") || disabled("sm3") || disabled("sm4");
ok_nofips(run(app(([ 'openssl', 'pkcs8', '-topk8',
'-in', srctop_file('test', 'certs', 'sm2.key'),
'-out', 'sm2-pbes2-sm4-hmacWithSM3.key',
'-passout', 'pass:password',
'-v2', 'sm4', '-v2prf', 'hmacWithSM3']))),
"Convert a private key to PKCS#5 v2.0 format using SM4 and hmacWithSM3");
ok_nofips(run(app(([ 'openssl', 'pkcs8', '-topk8',
'-in', 'sm2-pbes2-sm4-hmacWithSM3.key',
'-out', 'sm2.key',
'-passin', 'pass:password', '-nocrypt',
'-v2', 'sm4', '-v2prf', 'hmacWithSM3']))),
"Convert from PKCS#5 v2.0 format to PKCS#8 unencrypted format");
is_nofips(compare_text(srctop_file('test', 'certs', 'sm2.key'), 'sm2.key',
sub {
my $in1 = $_[0];
my $in2 = $_[1];
$in1 =~ s/\r\n/\n/g;
$in2 =~ s/\r\n/\n/g;
$in1 ne $in2
}), 0, "compare test/certs/sm2.key to sm2.key")
}
|
