Add test for ASN1_item_verify()

This is a test for openssl#24575 Original idea by Theo Buehler.
t8m · Jun 17, 2024 · 5aaad04 · 5aaad04
1 parent 22dff96
commit 5aaad04
Show file tree

Hide file tree

Showing 4 changed files with 100 additions and 1 deletion.
diff --git a/test/certs/ee-self-signed-pss.pem b/test/certs/ee-self-signed-pss.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhTCCAjmgAwIBAgIUZxTKBh9L8ApVNcsI5ontnHRbv8wwQQYJKoZIhvcNAQEK
+MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
+AKIDAgEgMB0xGzAZBgNVBAMMEmVlLXNlbGYtc2lnbmVkLXBzczAgFw0yNDA2MTcx
+MTA5NTRaGA8yMTI0MDYxODExMDk1NFowHTEbMBkGA1UEAwwSZWUtc2VsZi1zaWdu
+ZWQtcHNzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqP+JWGGFrt7b
+LA/Vc/vit6gbenVgK9R9PHN2ta7eky9/JJBtyRz0ijjNn6KAFlbLtCy7k+UXH/8N
+xkP+MTT4KNh16aO7iILvo3LiU2IFRU3gMZfvqp0Q0lgNngaeMrsbCFZdZQ8/Zo7C
+NqAR/8BZNf1JHN0cQjMGeK4EOCPl53Vn05StWqlAH6xZEPUMwWStSsTGNVOzlmqC
+GxWL0Zmr5J5vlKrSluVX+4yRZIo8JBbG0hm+gmATO2Kw7T4ds8r5a98xuXqeS0do
+pynHP0riIie075Bj1+/Qckk+W625G9Qrb4Zo3dVzErhDydxBD6KjRk+LZ4iED2H+
+eTQfSokftwIDAQABo1MwUTAdBgNVHQ4EFgQU55viKq2KbDrLdlHljgeYIpfhc6Iw
+HwYDVR0jBBgwFoAU55viKq2KbDrLdlHljgeYIpfhc6IwDwYDVR0TAQH/BAUwAwEB
+/zBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEI
+MA0GCWCGSAFlAwQCAQUAogMCASADggEBADjXHPnAha0YQKFCfQZqy8LLgxoQDbfP
+5XKQJ8/FfeJXO9yjEmqOEoWM/QQIlM1gpepOOw8ZRhxcwx93eO+XtvJUA3bW+H73
+jwnqiX5mu1SpA/2IHcifxuOuXUwUh7vtOJGFATHusAn7dS3+tnJSkS+6pvSsJjDu
+0x3fV8rLq1gL9gOC2MdzkLxyp7xmdgibQMI+PyPNgU1e1Qm88Cp5dVNRMdgQ+3CL
+E3h7qfSpSkUCM9rNBc2/rqavQ/UPq5H6r8R9gYd9yR7uGL88B9QI4DQDR8T6x9JG
+0ebWYLuH2xWP9Njl2IbwN3uqQSeRSSqy7UlNo51O+nkvU1vCJGy6aXw=
+-----END CERTIFICATE-----
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
@@ -226,6 +226,10 @@ OPENSSL_KEYBITS=8192 \
 # self-signed end-entity cert with explicit keyUsage not including KeyCertSign
 openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed -out ee-self-signed.pem -addext keyUsage=digitalSignature -days 36525
 
+# self-signed end-entity cert signed with RSA-PSS
+openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed-pss -out ee-self-signed-pss.pem -days 36525 \
+ -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest
+
 # Proxy certificates, off of ee-client
 # Start with some good ones
 ./mkcert.sh req pc1-key "0.CN = server.example" "1.CN = proxy 1" | \

diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
@@ -304,5 +304,7 @@ ok(run(app(["openssl", "x509", "-req", "-text",
 SKIP: {
  skip "EC is not supported by this OpenSSL build", 1
  if disabled("ec");
- ok(run(test(["x509_test"])), "running x509_test");
+ my $psscert = srctop_file(@certs, "ee-self-signed-pss.pem");
+
+ ok(run(test(["x509_test", $psscert])), "running x509_test");
 }
diff --git a/test/x509_test.c b/test/x509_test.c
@@ -7,7 +7,14 @@
  * https://www.openssl.org/source/license.html
  */
 
+#define OPENSSL_SUPPRESS_DEPRECATED /* EVP_PKEY_get1/set1_RSA */
+
 #include <openssl/x509.h>
+#include <openssl/asn1.h>
+#include <openssl/evp.h>
+#include <openssl/rsa.h>
+#include <openssl/pem.h>
+#include "crypto/x509.h" /* x509_st definition */
 #include "testutil.h"
 
 static EVP_PKEY *pubkey = NULL;
@@ -114,9 +121,73 @@ static int test_x509_crl_tbs_cache(void)
  return ret;
 }
 
+static int test_asn1_item_verify(void)
+{
+ int ret = 0;
+ BIO *bio = NULL;
+ X509 *x509 = NULL;
+ const char *certfile;
+ const ASN1_BIT_STRING *sig = NULL;
+ const X509_ALGOR *alg = NULL;
+ EVP_PKEY *pkey;
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+ RSA *rsa = NULL;
+#endif
+
+ if (!TEST_ptr(certfile = test_get_argument(0))
+ || !TEST_ptr(bio = BIO_new_file(certfile, "r"))
+ || !TEST_ptr(x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL))
+ || !TEST_ptr(pkey = X509_get0_pubkey(x509)))
+ goto err;
+
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+ /* Issue #24575 requires legacy key but the test is useful anyway */
+ if (!TEST_ptr(rsa = EVP_PKEY_get1_RSA(pkey)))
+ goto err;
+
+ if (!TEST_int_gt(EVP_PKEY_set1_RSA(pkey, rsa), 0))
+ goto err;
+#endif
+
+ X509_get0_signature(&sig, &alg, x509);
+
+ if (!TEST_int_gt(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF),
+ (X509_ALGOR *)alg, (ASN1_BIT_STRING *)sig,
+ &x509->cert_info, pkey), 0))
+ goto err;
+
+ ERR_set_mark();
+ if (!TEST_int_lt(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF),
+ (X509_ALGOR *)alg, (ASN1_BIT_STRING *)sig,
+ NULL, pkey), 0)) {
+ ERR_clear_last_mark();
+ goto err;
+ }
+ ERR_pop_to_mark();
+
+ ret = 1;
+
+ err:
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+ RSA_free(rsa);
+#endif
+ X509_free(x509);
+ BIO_free(bio);
+ return ret;
+}
+
+OPT_TEST_DECLARE_USAGE("<pss-self-signed-cert.pem>\n")
+
 int setup_tests(void)
 {
  const unsigned char *p;
+ int cnt;
+
+ cnt = test_get_argument_count();
+ if (cnt != 1) {
+ TEST_error("Must specify a certificate file self-signed with RSA-PSS.\n");
+ return 0;
+ }
 
  p = pubkeydata;
  pubkey = d2i_PUBKEY(NULL, &p, sizeof(pubkeydata));
@@ -138,6 +209,7 @@ int setup_tests(void)
 
  ADD_TEST(test_x509_tbs_cache);
  ADD_TEST(test_x509_crl_tbs_cache);
+ ADD_TEST(test_asn1_item_verify);
  return 1;
 }