diff options
author | Kazuki Yamaguchi <k@rhe.jp> | 2016-07-07 00:19:32 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2016-08-18 01:58:45 +0900 |
commit | 675e2906764a141040144b8586a5f3d32e228f6f (patch) | |
tree | 74e9c565572d122a518efb59a4c6cc4e83a8b8fa | |
parent | 12e12e1070b7447e228163062fa81e127f69e750 (diff) | |
download | ruby-openssl-675e2906764a141040144b8586a5f3d32e228f6f.tar.gz |
test: rework PEM/DER encoding and decoding tests
Check that PKey::*.new actually read the ASN.1 structure, and
PKey::PKey#to_der and #export return the expected structure.
-rw-r--r-- | test/test_pkey_dh.rb | 41 | ||||
-rw-r--r-- | test/test_pkey_dsa.rb | 243 | ||||
-rw-r--r-- | test/test_pkey_ec.rb | 153 | ||||
-rw-r--r-- | test/test_pkey_rsa.rb | 312 | ||||
-rw-r--r-- | test/utils.rb | 34 |
5 files changed, 374 insertions, 409 deletions
diff --git a/test/test_pkey_dh.rb b/test/test_pkey_dh.rb index 78dedd1b..470c952e 100644 --- a/test/test_pkey_dh.rb +++ b/test/test_pkey_dh.rb @@ -3,7 +3,8 @@ require_relative 'utils' if defined?(OpenSSL::TestUtils) -class OpenSSL::TestPKeyDH < OpenSSL::TestCase +class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase + DH1024 = OpenSSL::TestUtils::TEST_KEY_DH1024 NEW_KEYLEN = 256 @@ -35,20 +36,26 @@ class OpenSSL::TestPKeyDH < OpenSSL::TestCase end end - def test_to_der - dh = OpenSSL::TestUtils::TEST_KEY_DH1024 - der = dh.to_der - dh2 = OpenSSL::PKey::DH.new(der) - assert_equal_params(dh, dh2) - assert_no_key(dh2) - end - - def test_to_pem - dh = OpenSSL::TestUtils::TEST_KEY_DH1024 - pem = dh.to_pem - dh2 = OpenSSL::PKey::DH.new(pem) - assert_equal_params(dh, dh2) - assert_no_key(dh2) + def test_DHparams + asn1 = OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Integer(DH1024.p), + OpenSSL::ASN1::Integer(DH1024.g) + ]) + key = OpenSSL::PKey::DH.new(asn1.to_der) + assert_same_dh dup_public(DH1024), key + + pem = <<~EOF + -----BEGIN DH PARAMETERS----- + MIGHAoGBAKnKQ8MNK6nYZzLrrcuTsLxuiJGXoOO5gT+tljOTbHBuiktdMTITzIY0 + pFxIvjG05D7HoBZQfrR0c92NGWPkAiCkhQKB8JCbPVzwNLDy6DZ0pmofDKrEsYHG + AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC + -----END DH PARAMETERS----- + EOF + key = OpenSSL::PKey::DH.new(pem) + assert_same_dh dup_public(DH1024), key + + assert_equal asn1.to_der, DH1024.to_der + assert_equal pem, DH1024.export end def test_public_key @@ -104,6 +111,10 @@ class OpenSSL::TestPKeyDH < OpenSSL::TestCase assert(dh.pub_key) assert(dh.priv_key) end + + def assert_same_dh(expected, key) + check_component(expected, key, [:p, :q, :g, :pub_key, :priv_key]) + end end end diff --git a/test/test_pkey_dsa.rb b/test/test_pkey_dsa.rb index ed79e0de..a65fc222 100644 --- a/test/test_pkey_dsa.rb +++ b/test/test_pkey_dsa.rb @@ -4,7 +4,9 @@ require 'base64' if defined?(OpenSSL::TestUtils) -class OpenSSL::TestPKeyDSA < OpenSSL::TestCase +class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase + DSA512 = OpenSSL::TestUtils::TEST_KEY_DSA512 + def test_private key = OpenSSL::PKey::DSA.new(256) assert(key.private?) @@ -68,29 +70,102 @@ end assert(key.verify(digest2, sig, data)) end - def test_read_DSA_PUBKEY - p = 7188211954100152441468596248707152960171255279130004340103875772401008316444412091945435731597638374542374929457672178957081124632837356913990200866056699 - q = 957032439192465935099784319494405376402293318491 - g = 122928973717064636255205666162891733518376475981809749897454444301389338825906076467196186192907631719698166056821519884939865041993585844526937010746285 - y = 1235756183583465414789073313502727057075641172514181938731172021825149551960029708596057102104063395063907739571546165975727369183495540798749742124846271 - algo = OpenSSL::ASN1::ObjectId.new('DSA') - params = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(p), - OpenSSL::ASN1::Integer.new(q), - OpenSSL::ASN1::Integer.new(g)]) - algo_id = OpenSSL::ASN1::Sequence.new ([algo, params]) - pub_key = OpenSSL::ASN1::Integer.new(y) - seq = OpenSSL::ASN1::Sequence.new([algo_id, OpenSSL::ASN1::BitString.new(pub_key.to_der)]) - key = OpenSSL::PKey::DSA.new(seq.to_der) - assert(key.public?) - assert(!key.private?) - assert_equal(p, key.p) - assert_equal(q, key.q) - assert_equal(g, key.g) - assert_equal(y, key.pub_key) - assert_equal(nil, key.priv_key) + def test_DSAPrivateKey + # OpenSSL DSAPrivateKey format; similar to RSAPrivateKey + asn1 = OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Integer(0), + OpenSSL::ASN1::Integer(DSA512.p), + OpenSSL::ASN1::Integer(DSA512.q), + OpenSSL::ASN1::Integer(DSA512.g), + OpenSSL::ASN1::Integer(DSA512.pub_key), + OpenSSL::ASN1::Integer(DSA512.priv_key) + ]) + key = OpenSSL::PKey::DSA.new(asn1.to_der) + assert_predicate key, :private? + assert_same_dsa DSA512, key + + pem = <<~EOF + -----BEGIN DSA PRIVATE KEY----- + MIH4AgEAAkEA5lB4GvEwjrsMlGDqGsxrbqeFRh6o9OWt6FgTYiEEHaOYhkIxv0Ok + RZPDNwOG997mDjBnvDJ1i56OmS3MbTnovwIVAJgub/aDrSDB4DZGH7UyarcaGy6D + AkB9HdFw/3td8K4l1FZHv7TCZeJ3ZLb7dF3TWoGUP003RCqoji3/lHdKoVdTQNuR + S/m6DlCwhjRjiQ/lBRgCLCcaAkEAjN891JBjzpMj4bWgsACmMggFf57DS0Ti+5++ + Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxXoXi9OAIUBG98h4tilg6S + 55jreJD3Se3slps= + -----END DSA PRIVATE KEY----- + EOF + key = OpenSSL::PKey::DSA.new(pem) + assert_same_dsa DSA512, key + + assert_equal asn1.to_der, DSA512.to_der + assert_equal pem, DSA512.export + end + + def test_DSAPrivateKey_encrypted + # key = abcdef + pem = <<~EOF + -----BEGIN DSA PRIVATE KEY----- + Proc-Type: 4,ENCRYPTED + DEK-Info: AES-128-CBC,F8BB7BFC7EAB9118AC2E3DA16C8DB1D9 + + D2sIzsM9MLXBtlF4RW42u2GB9gX3HQ3prtVIjWPLaKBYoToRUiv8WKsjptfZuLSB + 74ZPdMS7VITM+W1HIxo/tjS80348Cwc9ou8H/E6WGat8ZUk/igLOUEII+coQS6qw + QpuLMcCIavevX0gjdjEIkojBB81TYDofA1Bp1z1zDI/2Zhw822xapI79ZF7Rmywt + OSyWzFaGipgDpdFsGzvT6//z0jMr0AuJVcZ0VJ5lyPGQZAeVBlbYEI4T72cC5Cz7 + XvLiaUtum6/sASD2PQqdDNpgx/WA6Vs1Po2kIUQIM5TIwyJI0GdykZcYm6xIK/ta + Wgx6c8K+qBAIVrilw3EWxw== + -----END DSA PRIVATE KEY----- + EOF + key = OpenSSL::PKey::DSA.new(pem, "abcdef") + assert_same_dsa DSA512, key + key = OpenSSL::PKey::DSA.new(pem) { "abcdef" } + assert_same_dsa DSA512, key + + cipher = OpenSSL::Cipher.new("aes-128-cbc") + exported = DSA512.to_pem(cipher, "abcdef\0\1") + assert_same_dsa DSA512, OpenSSL::PKey::DSA.new(exported, "abcdef\0\1") + assert_raise(OpenSSL::PKey::DSAError) { + OpenSSL::PKey::DSA.new(exported, "abcdef") + } + end + + def test_PUBKEY + asn1 = OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::ObjectId("DSA"), + OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Integer(DSA512.p), + OpenSSL::ASN1::Integer(DSA512.q), + OpenSSL::ASN1::Integer(DSA512.g) + ]) + ]), + OpenSSL::ASN1::BitString( + OpenSSL::ASN1::Integer(DSA512.pub_key).to_der + ) + ]) + key = OpenSSL::PKey::DSA.new(asn1.to_der) + assert_not_predicate key, :private? + assert_same_dsa dup_public(DSA512), key + + pem = <<~EOF + -----BEGIN PUBLIC KEY----- + MIHxMIGoBgcqhkjOOAQBMIGcAkEA5lB4GvEwjrsMlGDqGsxrbqeFRh6o9OWt6FgT + YiEEHaOYhkIxv0OkRZPDNwOG997mDjBnvDJ1i56OmS3MbTnovwIVAJgub/aDrSDB + 4DZGH7UyarcaGy6DAkB9HdFw/3td8K4l1FZHv7TCZeJ3ZLb7dF3TWoGUP003RCqo + ji3/lHdKoVdTQNuRS/m6DlCwhjRjiQ/lBRgCLCcaA0QAAkEAjN891JBjzpMj4bWg + sACmMggFf57DS0Ti+5++Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxX + oXi9OA== + -----END PUBLIC KEY----- + EOF + key = OpenSSL::PKey::DSA.new(pem) + assert_same_dsa dup_public(DSA512), key + + assert_equal asn1.to_der, dup_public(DSA512).to_der + assert_equal pem, dup_public(DSA512).export end def test_read_DSAPublicKey_pem + # TODO: where is the standard? PKey::DSA.new can read only PEM p = 12260055936871293565827712385212529106400444521449663325576634579961635627321079536132296996623400607469624537382977152381984332395192110731059176842635699 q = 979494906553787301107832405790107343409973851677 g = 3731695366899846297271147240305742456317979984190506040697507048095553842519347835107669437969086119948785140453492839427038591924536131566350847469993845 @@ -114,127 +189,6 @@ fWLOqqkzFeRrYMDzUpl36XktY6Yq8EJYlW9pCMmBVNy/dQ== assert_equal(nil, key.priv_key) end - def test_read_DSA_PUBKEY_pem - p = 12260055936871293565827712385212529106400444521449663325576634579961635627321079536132296996623400607469624537382977152381984332395192110731059176842635699 - q = 979494906553787301107832405790107343409973851677 - g = 3731695366899846297271147240305742456317979984190506040697507048095553842519347835107669437969086119948785140453492839427038591924536131566350847469993845 - y = 10505239074982761504240823422422813362721498896040719759460296306305851824586095328615844661273887569281276387605297130014564808567159023649684010036304695 - pem = <<-EOF ------BEGIN PUBLIC KEY----- -MIHxMIGoBgcqhkjOOAQBMIGcAkEA6hXntfQXEo78+s1r8yShbOQIpX+HOESnTNsV -2yJzD6EiMntLpJ38WUOWjz0dBnYW69YnrAYszWPTSvf34XapswIVAKuSEhdIb6Kz -fuHPUhoF4S52MHYdAkBHQCWhq8G+2yeDyhuyMtvsQqcH6lJ4ev8F0hDdUft9Ys6q -qTMV5GtgwPNSmXfpeS1jpirwQliVb2kIyYFU3L91A0QAAkEAyJSJ+g+P/knVcgDw -wTzC7Pwg/pWs2EMd/r+lYlXhNfzg0biuXRul8VR4VUC/phySExY0PdcqItkR/xYA -YNMbNw== ------END PUBLIC KEY----- - EOF - key = OpenSSL::PKey::DSA.new(pem) - assert(key.public?) - assert(!key.private?) - assert_equal(p, key.p) - assert_equal(q, key.q) - assert_equal(g, key.g) - assert_equal(y, key.pub_key) - assert_equal(nil, key.priv_key) - end - - def test_export_format_is_DSA_PUBKEY_pem - key = OpenSSL::TestUtils::TEST_KEY_DSA256 - pem = key.public_key.to_pem - pem.gsub!(/^-+(\w|\s)+-+$/, "") # eliminate --------BEGIN...------- - asn1 = OpenSSL::ASN1.decode(Base64.decode64(pem)) - assert_equal(OpenSSL::ASN1::SEQUENCE, asn1.tag) - assert_equal(2, asn1.value.size) - seq = asn1.value - assert_equal(OpenSSL::ASN1::SEQUENCE, seq[0].tag) - assert_equal(2, seq[0].value.size) - algo_id = seq[0].value - assert_equal(OpenSSL::ASN1::OBJECT, algo_id[0].tag) - assert_equal('DSA', algo_id[0].value) - assert_equal(OpenSSL::ASN1::SEQUENCE, algo_id[1].tag) - assert_equal(3, algo_id[1].value.size) - params = algo_id[1].value - assert_equal(OpenSSL::ASN1::INTEGER, params[0].tag) - assert_equal(key.p, params[0].value) - assert_equal(OpenSSL::ASN1::INTEGER, params[1].tag) - assert_equal(key.q, params[1].value) - assert_equal(OpenSSL::ASN1::INTEGER, params[2].tag) - assert_equal(key.g, params[2].value) - assert_equal(OpenSSL::ASN1::BIT_STRING, seq[1].tag) - assert_equal(0, seq[1].unused_bits) - pub_key = OpenSSL::ASN1.decode(seq[1].value) - assert_equal(OpenSSL::ASN1::INTEGER, pub_key.tag) - assert_equal(key.pub_key, pub_key.value) - end - - def test_read_private_key_der - key = OpenSSL::TestUtils::TEST_KEY_DSA256 - der = key.to_der - key2 = OpenSSL::PKey.read(der) - assert(key2.private?) - assert_equal(der, key2.to_der) - end - - def test_read_private_key_pem - key = OpenSSL::TestUtils::TEST_KEY_DSA256 - pem = key.to_pem - key2 = OpenSSL::PKey.read(pem) - assert(key2.private?) - assert_equal(pem, key2.to_pem) - end - - def test_read_public_key_der - key = OpenSSL::TestUtils::TEST_KEY_DSA256.public_key - der = key.to_der - key2 = OpenSSL::PKey.read(der) - assert(!key2.private?) - assert_equal(der, key2.to_der) - end - - def test_read_public_key_pem - key = OpenSSL::TestUtils::TEST_KEY_DSA256.public_key - pem = key.to_pem - key2 = OpenSSL::PKey.read(pem) - assert(!key2.private?) - assert_equal(pem, key2.to_pem) - end - - def test_read_private_key_pem_pw - key = OpenSSL::TestUtils::TEST_KEY_DSA256 - pem = key.to_pem(OpenSSL::Cipher.new('AES-128-CBC'), 'secret') - #callback form for password - key2 = OpenSSL::PKey.read(pem) do - 'secret' - end - assert(key2.private?) - # pass password directly - key2 = OpenSSL::PKey.read(pem, 'secret') - assert(key2.private?) - #omit pem equality check, will be different due to cipher iv - end - - def test_export_password_length - key = OpenSSL::TestUtils::TEST_KEY_DSA256 - assert_raise(OpenSSL::OpenSSLError) do - key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'sec') - end - pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr') - assert(pem) - end - - def test_export_password_funny - key = OpenSSL::TestUtils::TEST_KEY_DSA256 - pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), "pass\0wd") - assert_raise(OpenSSL::PKey::PKeyError) do - OpenSSL::PKey.read(pem, "pass") - end - key2 = OpenSSL::PKey.read(pem, "pass\0wd") - assert(key2.private?) - key3 = OpenSSL::PKey::DSA.new(pem, "pass\0wd") - assert(key3.private?) - end - def test_dup key = OpenSSL::PKey::DSA.new(256) key2 = key.dup @@ -244,13 +198,16 @@ YNMbNw== end private - def check_sign_verify(digest) key = OpenSSL::TestUtils::TEST_KEY_DSA256 data = 'Sign me!' sig = key.sign(digest, data) assert(key.verify(digest, sig, data)) end + + def assert_same_dsa(expected, key) + check_component(expected, key, [:p, :q, :g, :pub_key, :priv_key]) + end end end diff --git a/test/test_pkey_ec.rb b/test/test_pkey_ec.rb index da72aafa..b89fa38d 100644 --- a/test/test_pkey_ec.rb +++ b/test/test_pkey_ec.rb @@ -3,7 +3,9 @@ require_relative 'utils' if defined?(OpenSSL::TestUtils) && defined?(OpenSSL::PKey::EC) -class OpenSSL::TestEC < OpenSSL::TestCase +class OpenSSL::TestEC < OpenSSL::PKeyTestCase + P256 = OpenSSL::TestUtils::TEST_KEY_EC_P256V1 + def test_ec_key builtin_curves = OpenSSL::PKey::EC.builtin_curves assert_not_empty builtin_curves @@ -107,75 +109,87 @@ class OpenSSL::TestEC < OpenSSL::TestCase assert_equal a, b end - def test_read_private_key_der - ec = OpenSSL::TestUtils::TEST_KEY_EC_P256V1 - der = ec.to_der - ec2 = OpenSSL::PKey.read(der) - assert(ec2.private_key?) - assert_equal(der, ec2.to_der) - end - - def test_read_private_key_pem - ec = OpenSSL::TestUtils::TEST_KEY_EC_P256V1 - pem = ec.to_pem - ec2 = OpenSSL::PKey.read(pem) - assert(ec2.private_key?) - assert_equal(pem, ec2.to_pem) - end - - def test_read_public_key_der - ec = OpenSSL::TestUtils::TEST_KEY_EC_P256V1 - ec2 = OpenSSL::PKey::EC.new(ec.group) - ec2.public_key = ec.public_key - der = ec2.to_der - ec3 = OpenSSL::PKey.read(der) - assert(!ec3.private_key?) - assert_equal(der, ec3.to_der) - end - - def test_read_public_key_pem - ec = OpenSSL::TestUtils::TEST_KEY_EC_P256V1 - ec2 = OpenSSL::PKey::EC.new(ec.group) - ec2.public_key = ec.public_key - pem = ec2.to_pem - ec3 = OpenSSL::PKey.read(pem) - assert(!ec3.private_key?) - assert_equal(pem, ec3.to_pem) + def test_ECPrivateKey + asn1 = OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Integer(1), + OpenSSL::ASN1::OctetString(P256.private_key.to_s(2)), + OpenSSL::ASN1::ASN1Data.new( + [OpenSSL::ASN1::ObjectId("prime256v1")], + 0, :CONTEXT_SPECIFIC + ), + OpenSSL::ASN1::ASN1Data.new( + [OpenSSL::ASN1::BitString(P256.public_key.to_bn.to_s(2))], + 1, :CONTEXT_SPECIFIC + ) + ]) + key = OpenSSL::PKey::EC.new(asn1.to_der) + assert_predicate key, :private? + assert_same_ec P256, key + + pem = <<~EOF + -----BEGIN EC PRIVATE KEY----- + MHcCAQEEIID49FDqcf1O1eO8saTgG70UbXQw9Fqwseliit2aWhH1oAoGCCqGSM49 + AwEHoUQDQgAEFglk2c+oVUIKQ64eZG9bhLNPWB7lSZ/ArK41eGy5wAzU/0G51Xtt + CeBUl+MahZtn9fO1JKdF4qJmS39dXnpENg== + -----END EC PRIVATE KEY----- + EOF + key = OpenSSL::PKey::EC.new(pem) + assert_same_ec P256, key + + assert_equal asn1.to_der, P256.to_der + assert_equal pem, P256.export end - def test_read_private_key_pem_pw - ec = OpenSSL::TestUtils::TEST_KEY_EC_P256V1 - pem = ec.to_pem(OpenSSL::Cipher.new('AES-128-CBC'), 'secret') - #callback form for password - ec2 = OpenSSL::PKey.read(pem) do - 'secret' - end - assert(ec2.private_key?) - # pass password directly - ec2 = OpenSSL::PKey.read(pem, 'secret') - assert(ec2.private_key?) - #omit pem equality check, will be different due to cipher iv + def test_ECPrivateKey_encrypted + # key = abcdef + pem = <<~EOF + -----BEGIN EC PRIVATE KEY----- + Proc-Type: 4,ENCRYPTED + DEK-Info: AES-128-CBC,85743EB6FAC9EA76BF99D9328AFD1A66 + + nhsP1NHxb53aeZdzUe9umKKyr+OIwQq67eP0ONM6E1vFTIcjkDcFLR6PhPFufF4m + y7E2HF+9uT1KPQhlE+D63i1m1Mvez6PWfNM34iOQp2vEhaoHHKlR3c43lLyzaZDI + 0/dGSU5SzFG+iT9iFXCwCvv+bxyegkBOyALFje1NAsM= + -----END EC PRIVATE KEY----- + EOF + key = OpenSSL::PKey::EC.new(pem, "abcdef") + assert_same_ec P256, key + key = OpenSSL::PKey::EC.new(pem) { "abcdef" } + assert_same_ec P256, key + + cipher = OpenSSL::Cipher.new("aes-128-cbc") + exported = P256.to_pem(cipher, "abcdef\0\1") + assert_same_ec P256, OpenSSL::PKey::EC.new(exported, "abcdef\0\1") + assert_raise(OpenSSL::PKey::ECError) { + OpenSSL::PKey::EC.new(exported, "abcdef") + } end - def test_export_password_length - key = OpenSSL::TestUtils::TEST_KEY_EC_P256V1 - assert_raise(OpenSSL::OpenSSLError) do - key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'sec') - end - pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr') - assert(pem) - end - - def test_export_password_funny - key = OpenSSL::TestUtils::TEST_KEY_EC_P256V1 - pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), "pass\0wd") - assert_raise(OpenSSL::PKey::PKeyError) do - OpenSSL::PKey.read(pem, "pass") - end - key2 = OpenSSL::PKey.read(pem, "pass\0wd") - assert(key2.private_key?) - key3 = OpenSSL::PKey::EC.new(pem, "pass\0wd") - assert(key3.private_key?) + def test_PUBKEY + asn1 = OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::ObjectId("id-ecPublicKey"), + OpenSSL::ASN1::ObjectId("prime256v1") + ]), + OpenSSL::ASN1::BitString( + P256.public_key.to_bn.to_s(2) + ) + ]) + key = OpenSSL::PKey::EC.new(asn1.to_der) + assert_not_predicate key, :private? + assert_same_ec dup_public(P256), key + + pem = <<~EOF + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFglk2c+oVUIKQ64eZG9bhLNPWB7l + SZ/ArK41eGy5wAzU/0G51XttCeBUl+MahZtn9fO1JKdF4qJmS39dXnpENg== + -----END PUBLIC KEY----- + EOF + key = OpenSSL::PKey::EC.new(pem) + assert_same_ec dup_public(P256), key + + assert_equal asn1.to_der, dup_public(P256).to_der + assert_equal pem, dup_public(P256).export end def test_ec_group @@ -272,7 +286,7 @@ class OpenSSL::TestEC < OpenSSL::TestCase raise if $!.message !~ /unsupported field/ end - p256_key = OpenSSL::TestUtils::TEST_KEY_EC_P256V1 + p256_key = P256 p256_g = p256_key.group assert_equal(p256_key.public_key, p256_g.generator.mul(p256_key.private_key)) @@ -286,6 +300,11 @@ class OpenSSL::TestEC < OpenSSL::TestCase # test Group: asn1_flag, point_conversion + private + + def assert_same_ec(expected, key) + check_component(expected, key, [:group, :public_key, :private_key]) + end end end diff --git a/test/test_pkey_rsa.rb b/test/test_pkey_rsa.rb index c512c3e3..4215b77a 100644 --- a/test/test_pkey_rsa.rb +++ b/test/test_pkey_rsa.rb @@ -4,7 +4,9 @@ require 'base64' if defined?(OpenSSL::TestUtils) -class OpenSSL::TestPKeyRSA < OpenSSL::TestCase +class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase + RSA1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024 + def test_padding key = OpenSSL::PKey::RSA.new(512, 3) @@ -69,7 +71,7 @@ class OpenSSL::TestPKeyRSA < OpenSSL::TestCase end def test_sign_verify - key = OpenSSL::TestUtils::TEST_KEY_RSA1024 + key = RSA1024 digest = OpenSSL::Digest::SHA1.new data = 'Sign me!' sig = key.sign(digest, data) @@ -77,7 +79,7 @@ class OpenSSL::TestPKeyRSA < OpenSSL::TestCase end def test_digest_state_irrelevant_sign - key = OpenSSL::TestUtils::TEST_KEY_RSA1024 + key = RSA1024 digest1 = OpenSSL::Digest::SHA1.new digest2 = OpenSSL::Digest::SHA1.new data = 'Sign me!' @@ -88,7 +90,7 @@ class OpenSSL::TestPKeyRSA < OpenSSL::TestCase end def test_digest_state_irrelevant_verify - key = OpenSSL::TestUtils::TEST_KEY_RSA1024 + key = RSA1024 digest1 = OpenSSL::Digest::SHA1.new digest2 = OpenSSL::Digest::SHA1.new data = 'Sign me!' @@ -99,169 +101,131 @@ class OpenSSL::TestPKeyRSA < OpenSSL::TestCase assert(key.verify(digest2, sig, data)) end - def test_read_RSAPublicKey - modulus = 10664264882656732240315063514678024569492171560814833397008094754351396057398262071307709191731289492697968568138092052265293364132872019762410446076526351 - exponent = 65537 - seq = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(modulus), OpenSSL::ASN1::Integer.new(exponent)]) - key = OpenSSL::PKey::RSA.new(seq.to_der) - assert(key.public?) - assert(!key.private?) - assert_equal(modulus, key.n) - assert_equal(exponent, key.e) - assert_equal(nil, key.d) - assert_equal(nil, key.p) - assert_equal(nil, key.q) - assert_equal([], OpenSSL.errors) - end - - def test_read_RSA_PUBKEY - modulus = 10664264882656732240315063514678024569492171560814833397008094754351396057398262071307709191731289492697968568138092052265293364132872019762410446076526351 - exponent = 65537 - algo = OpenSSL::ASN1::ObjectId.new('rsaEncryption') - null_params = OpenSSL::ASN1::Null.new(nil) - algo_id = OpenSSL::ASN1::Sequence.new ([algo, null_params]) - pub_key = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(modulus), OpenSSL::ASN1::Integer.new(exponent)]) - seq = OpenSSL::ASN1::Sequence.new([algo_id, OpenSSL::ASN1::BitString.new(pub_key.to_der)]) - key = OpenSSL::PKey::RSA.new(seq.to_der) - assert(key.public?) - assert(!key.private?) - assert_equal(modulus, key.n) - assert_equal(exponent, key.e) - assert_equal(nil, key.d) - assert_equal(nil, key.p) - assert_equal(nil, key.q) - assert_equal([], OpenSSL.errors) - end - - def test_read_RSAPublicKey_pem - modulus = 9416340886363418692990906464787534854462163316648195510702927337693641649864839352187127240942127674615733815606532506566068276485089353644309497938966061 - exponent = 65537 - pem = <<-EOF ------BEGIN RSA PUBLIC KEY----- -MEgCQQCzyh2RIZK62E2PbTWqUljD+K23XR9AGBKNtXjal6WD2yRGcLqzPJLNCa60 -AudJR1JobbIbDJrQu6AXnWh5k/YtAgMBAAE= ------END RSA PUBLIC KEY----- + def test_RSAPrivateKey + asn1 = OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Integer(0), + OpenSSL::ASN1::Integer(RSA1024.n), + OpenSSL::ASN1::Integer(RSA1024.e), + OpenSSL::ASN1::Integer(RSA1024.d), + OpenSSL::ASN1::Integer(RSA1024.p), + OpenSSL::ASN1::Integer(RSA1024.q), + OpenSSL::ASN1::Integer(RSA1024.dmp1), + OpenSSL::ASN1::Integer(RSA1024.dmq1), + OpenSSL::ASN1::Integer(RSA1024.iqmp) + ]) + key = OpenSSL::PKey::RSA.new(asn1.to_der) + assert_predicate key, :private? + assert_same_rsa RSA1024, key + + pem = <<~EOF + -----BEGIN RSA PRIVATE KEY----- + MIICXgIBAAKBgQDLwsSw1ECnPtT+PkOgHhcGA71nwC2/nL85VBGnRqDxOqjVh7Cx + aKPERYHsk4BPCkE3brtThPWc9kjHEQQ7uf9Y1rbCz0layNqHyywQEVLFmp1cpIt/ + Q3geLv8ZD9pihowKJDyMDiN6ArYUmZczvW4976MU3+l54E6lF/JfFEU5hwIDAQAB + AoGBAKSl/MQarye1yOysqX6P8fDFQt68VvtXkNmlSiKOGuzyho0M+UVSFcs6k1L0 + maDE25AMZUiGzuWHyaU55d7RXDgeskDMakD1v6ZejYtxJkSXbETOTLDwUWTn618T + gnb17tU1jktUtU67xK/08i/XodlgnQhs6VoHTuCh3Hu77O6RAkEA7+gxqBuZR572 + 74/akiW/SuXm0SXPEviyO1MuSRwtI87B02D0qgV8D1UHRm4AhMnJ8MCs1809kMQE + JiQUCrp9mQJBANlt2ngBO14us6NnhuAseFDTBzCHXwUUu1YKHpMMmxpnGqaldGgX + sOZB3lgJsT9VlGf3YGYdkLTNVbogQKlKpB8CQQDiSwkb4vyQfDe8/NpU5Not0fII + 8jsDUCb+opWUTMmfbxWRR3FBNu8wnym/m19N4fFj8LqYzHX4KY0oVPu6qvJxAkEA + wa5snNekFcqONLIE4G5cosrIrb74sqL8GbGb+KuTAprzj5z1K8Bm0UW9lTjVDjDi + qRYgZfZSL+x1P/54+xTFSwJAY1FxA/N3QPCXCjPh5YqFxAMQs2VVYTfg+t0MEcJD + dPMQD5JX6g5HKnHFg2mZtoXQrWmJSn7p8GJK8yNTopEErA== + -----END RSA PRIVATE KEY----- EOF key = OpenSSL::PKey::RSA.new(pem) - assert(key.public?) - assert(!key.private?) - assert_equal(modulus, key.n) - assert_equal(exponent, key.e) - assert_equal(nil, key.d) - assert_equal(nil, key.p) - assert_equal(nil, key.q) - end - - def test_read_RSA_PUBKEY_pem - modulus = 9416340886363418692990906464787534854462163316648195510702927337693641649864839352187127240942127674615733815606532506566068276485089353644309497938966061 - exponent = 65537 - pem = <<-EOF ------BEGIN PUBLIC KEY----- -MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALPKHZEhkrrYTY9tNapSWMP4rbdd -H0AYEo21eNqXpYPbJEZwurM8ks0JrrQC50lHUmhtshsMmtC7oBedaHmT9i0C -AwEAAQ== ------END PUBLIC KEY----- + assert_same_rsa RSA1024, key + + assert_equal asn1.to_der, RSA1024.to_der + assert_equal pem, RSA1024.export + end + + def test_RSAPrivateKey_encrypted + # key = abcdef + pem = <<~EOF + -----BEGIN RSA PRIVATE KEY----- + Proc-Type: 4,ENCRYPTED + DEK-Info: AES-128-CBC,733F5302505B34701FC41F5C0746E4C0 + + zgJniZZQfvv8TFx3LzV6zhAQVayvQVZlAYqFq2yWbbxzF7C+IBhKQle9IhUQ9j/y + /jkvol550LS8vZ7TX5WxyDLe12cdqzEvpR6jf3NbxiNysOCxwG4ErhaZGP+krcoB + ObuL0nvls/+3myy5reKEyy22+0GvTDjaChfr+FwJjXMG+IBCLscYdgZC1LQL6oAn + 9xY5DH3W7BW4wR5ttxvtN32TkfVQh8xi3jrLrduUh+hV8DTiAiLIhv0Vykwhep2p + WZA+7qbrYaYM8GLLgLrb6LfBoxeNxAEKiTpl1quFkm+Hk1dKq0EhVnxHf92x0zVF + jRGZxAMNcrlCoE4f5XK45epVZSZvihdo1k73GPbp84aZ5P/xlO4OwZ3i4uCQXynl + jE9c+I+4rRWKyPz9gkkqo0+teJL8ifeKt/3ab6FcdA0aArynqmsKJMktxmNu83We + YVGEHZPeOlyOQqPvZqWsLnXQUfg54OkbuV4/4mWSIzxFXdFy/AekSeJugpswMXqn + oNck4qySNyfnlyelppXyWWwDfVus9CVAGZmJQaJExHMT/rQFRVchlmY0Ddr5O264 + gcjv90o1NBOc2fNcqjivuoX7ROqys4K/YdNQ1HhQ7usJghADNOtuLI8ZqMh9akXD + Eqp6Ne97wq1NiJj0nt3SJlzTnOyTjzrTe0Y+atPkVKp7SsjkATMI9JdhXwGhWd7a + qFVl0owZiDasgEhyG2K5L6r+yaJLYkPVXZYC/wtWC3NEchnDWZGQcXzB4xROCQkD + OlWNYDkPiZioeFkA3/fTMvG4moB2Pp9Q4GU5fJ6k43Ccu1up8dX/LumZb4ecg5/x + -----END RSA PRIVATE KEY----- + EOF + key = OpenSSL::PKey::RSA.new(pem, "abcdef") + assert_same_rsa RSA1024, key + key = OpenSSL::PKey::RSA.new(pem) { "abcdef" } + assert_same_rsa RSA1024, key + + cipher = OpenSSL::Cipher.new("aes-128-cbc") + exported = RSA1024.to_pem(cipher, "abcdef\0\1") + assert_same_rsa RSA1024, OpenSSL::PKey::RSA.new(exported, "abcdef\0\1") + assert_raise(OpenSSL::PKey::RSAError) { + OpenSSL::PKey::RSA.new(exported, "abcdef") + } + end + + def test_RSAPublicKey + asn1 = OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Integer(RSA1024.n), + OpenSSL::ASN1::Integer(RSA1024.e) + ]) + key = OpenSSL::PKey::RSA.new(asn1.to_der) + assert_not_predicate key, :private? + assert_same_rsa dup_public(RSA1024), key + + pem = <<~EOF + -----BEGIN RSA PUBLIC KEY----- + MIGJAoGBAMvCxLDUQKc+1P4+Q6AeFwYDvWfALb+cvzlUEadGoPE6qNWHsLFoo8RF + geyTgE8KQTduu1OE9Zz2SMcRBDu5/1jWtsLPSVrI2ofLLBARUsWanVyki39DeB4u + /xkP2mKGjAokPIwOI3oCthSZlzO9bj3voxTf6XngTqUX8l8URTmHAgMBAAE= + -----END RSA PUBLIC KEY----- EOF key = OpenSSL::PKey::RSA.new(pem) - assert(key.public?) - assert(!key.private?) - assert_equal(modulus, key.n) - assert_equal(exponent, key.e) - assert_equal(nil, key.d) - assert_equal(nil, key.p) - assert_equal(nil, key.q) - end - - def test_export_format_is_RSA_PUBKEY - key = OpenSSL::PKey::RSA.new(512) - asn1 = OpenSSL::ASN1.decode(key.public_key.to_der) - check_PUBKEY(asn1, key) - end - - def test_export_format_is_RSA_PUBKEY_pem - key = OpenSSL::PKey::RSA.new(512) - pem = key.public_key.to_pem - pem.gsub!(/^-+(\w|\s)+-+$/, "") # eliminate --------BEGIN...------- - asn1 = OpenSSL::ASN1.decode(Base64.decode64(pem)) - check_PUBKEY(asn1, key) - end - - def test_read_private_key_der - der = OpenSSL::TestUtils::TEST_KEY_RSA1024.to_der - key = OpenSSL::PKey.read(der) - assert(key.private?) - assert_equal(der, key.to_der) - end - - def test_read_private_key_pem - pem = OpenSSL::TestUtils::TEST_KEY_RSA1024.to_pem - key = OpenSSL::PKey.read(pem) - assert(key.private?) - assert_equal(pem, key.to_pem) - end - - def test_read_public_key_der - der = OpenSSL::TestUtils::TEST_KEY_RSA1024.public_key.to_der - key = OpenSSL::PKey.read(der) - assert(!key.private?) - assert_equal(der, key.to_der) - end - - def test_read_public_key_pem - pem = OpenSSL::TestUtils::TEST_KEY_RSA1024.public_key.to_pem - key = OpenSSL::PKey.read(pem) - assert(!key.private?) - assert_equal(pem, key.to_pem) - end - - def test_read_private_key_pem_pw - pem = OpenSSL::TestUtils::TEST_KEY_RSA1024.to_pem(OpenSSL::Cipher.new('AES-128-CBC'), 'secret') - #callback form for password - key = OpenSSL::PKey.read(pem) do - 'secret' - end - assert(key.private?) - # pass password directly - key = OpenSSL::PKey.read(pem, 'secret') - assert(key.private?) - #omit pem equality check, will be different due to cipher iv - end - - def test_read_private_key_pem_pw_exception - pem = OpenSSL::TestUtils::TEST_KEY_RSA1024.to_pem(OpenSSL::Cipher.new('AES-128-CBC'), 'secret') - # it raises an ArgumentError from PEM reading. The exception raised inside are ignored for now. - assert_raise(OpenSSL::PKey::PKeyError) do - OpenSSL::PKey.read(pem) do - raise RuntimeError - end - end - end - - def test_export_password_length - key = OpenSSL::TestUtils::TEST_KEY_RSA1024 - assert_raise(OpenSSL::OpenSSLError) do - key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'sec') - end - pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr') - assert(pem) - end + assert_same_rsa dup_public(RSA1024), key + end + + def test_PUBKEY + asn1 = OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::ObjectId("rsaEncryption"), + OpenSSL::ASN1::Null(nil) + ]), + OpenSSL::ASN1::BitString( + OpenSSL::ASN1::Sequence([ + OpenSSL::ASN1::Integer(RSA1024.n), + OpenSSL::ASN1::Integer(RSA1024.e) + ]).to_der + ) + ]) + key = OpenSSL::PKey::RSA.new(asn1.to_der) + assert_not_predicate key, :private? + assert_same_rsa dup_public(RSA1024), key + + pem = <<~EOF + -----BEGIN PUBLIC KEY----- + MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLwsSw1ECnPtT+PkOgHhcGA71n + wC2/nL85VBGnRqDxOqjVh7CxaKPERYHsk4BPCkE3brtThPWc9kjHEQQ7uf9Y1rbC + z0layNqHyywQEVLFmp1cpIt/Q3geLv8ZD9pihowKJDyMDiN6ArYUmZczvW4976MU + 3+l54E6lF/JfFEU5hwIDAQAB + -----END PUBLIC KEY----- + EOF + key = OpenSSL::PKey::RSA.new(pem) + assert_same_rsa dup_public(RSA1024), key - def test_export_password_funny - key = OpenSSL::TestUtils::TEST_KEY_RSA1024 - # this assertion may fail in the future because of OpenSSL change. - # the current upper limit is 1024 - assert_raise(OpenSSL::OpenSSLError) do - key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr' * 1024) - end - # password containing NUL byte - pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), "pass\0wd") - assert_raise(OpenSSL::PKey::PKeyError) do - OpenSSL::PKey.read(pem, "pass") - end - key2 = OpenSSL::PKey.read(pem, "pass\0wd") - assert(key2.private?) - key3 = OpenSSL::PKey::RSA.new(pem, "pass\0wd") - assert(key3.private?) + assert_equal asn1.to_der, dup_public(RSA1024).to_der + assert_equal pem, dup_public(RSA1024).export end def test_dup @@ -273,29 +237,9 @@ AwEAAQ== end private - - def check_PUBKEY(asn1, key) - assert_equal(OpenSSL::ASN1::SEQUENCE, asn1.tag) - assert_equal(2, asn1.value.size) - seq = asn1.value - assert_equal(OpenSSL::ASN1::SEQUENCE, seq[0].tag) - assert_equal(2, seq[0].value.size) - algo_id = seq[0].value - assert_equal(OpenSSL::ASN1::OBJECT, algo_id[0].tag) - assert_equal('rsaEncryption', algo_id[0].value) - assert_equal(OpenSSL::ASN1::NULL, algo_id[1].tag) - assert_equal(nil, algo_id[1].value) - assert_equal(OpenSSL::ASN1::BIT_STRING, seq[1].tag) - assert_equal(0, seq[1].unused_bits) - pub_key = OpenSSL::ASN1.decode(seq[1].value) - assert_equal(OpenSSL::ASN1::SEQUENCE, pub_key.tag) - assert_equal(2, pub_key.value.size) - assert_equal(OpenSSL::ASN1::INTEGER, pub_key.value[0].tag) - assert_equal(key.n, pub_key.value[0].value) - assert_equal(OpenSSL::ASN1::INTEGER, pub_key.value[1].tag) - assert_equal(key.e, pub_key.value[1].value) + def assert_same_rsa(expected, key) + check_component(expected, key, [:n, :e, :d, :p, :q, :dmp1, :dmq1, :iqmp]) end - end end diff --git a/test/utils.rb b/test/utils.rb index fc303d1d..1237a511 100644 --- a/test/utils.rb +++ b/test/utils.rb @@ -372,5 +372,39 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC end end + class OpenSSL::PKeyTestCase < OpenSSL::TestCase + def check_component(base, test, keys) + keys.each { |comp| + assert_equal base.send(comp), test.send(comp) + } + end + + def dup_public(key) + case key + when OpenSSL::PKey::RSA + rsa = OpenSSL::PKey::RSA.new + rsa.set_key(key.n, key.e, nil) + rsa + when OpenSSL::PKey::DSA + dsa = OpenSSL::PKey::DSA.new + dsa.set_pqg(key.p, key.q, key.g) + dsa.set_key(key.pub_key, nil) + dsa + when OpenSSL::PKey::DH + dh = OpenSSL::PKey::DH.new + dh.set_pqg(key.p, nil, key.g) + dh + else + if defined?(OpenSSL::PKey::EC) && OpenSSL::PKey::EC === key + ec = OpenSSL::PKey::EC.new(key.group) + ec.public_key = key.public_key + ec + else + raise "unknown key type" + end + end + end + end + end if defined?(OpenSSL::OPENSSL_LIBRARY_VERSION) and /\AOpenSSL +0\./ !~ OpenSSL::OPENSSL_LIBRARY_VERSION |