1e1051a39Sopenharmony_ci#! /usr/bin/env perl
2e1051a39Sopenharmony_ci# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
3e1051a39Sopenharmony_ci#
4e1051a39Sopenharmony_ci# Licensed under the Apache License 2.0 (the "License").  You may not use
5e1051a39Sopenharmony_ci# this file except in compliance with the License.  You can obtain a copy
6e1051a39Sopenharmony_ci# in the file LICENSE in the source distribution or at
7e1051a39Sopenharmony_ci# https://www.openssl.org/source/license.html
8e1051a39Sopenharmony_ci
9e1051a39Sopenharmony_ciuse strict;
10e1051a39Sopenharmony_ciuse warnings;
11e1051a39Sopenharmony_ci
12e1051a39Sopenharmony_ciuse OpenSSL::Test qw/:DEFAULT srctop_file with/;
13e1051a39Sopenharmony_ciuse OpenSSL::Test::Utils;
14e1051a39Sopenharmony_ci
15e1051a39Sopenharmony_ciuse Encode;
16e1051a39Sopenharmony_ci
17e1051a39Sopenharmony_cisetup("test_pkcs12");
18e1051a39Sopenharmony_ci
19e1051a39Sopenharmony_cimy $pass = "σύνθημα γνώρισμα";
20e1051a39Sopenharmony_ci
21e1051a39Sopenharmony_cimy $savedcp;
22e1051a39Sopenharmony_ciif (eval { require Win32::API; 1; }) {
23e1051a39Sopenharmony_ci    # Trouble is that Win32 perl uses CreateProcessA, which
24e1051a39Sopenharmony_ci    # makes it problematic to pass non-ASCII arguments, from perl[!]
25e1051a39Sopenharmony_ci    # that is. This is because CreateProcessA is just a wrapper for
26e1051a39Sopenharmony_ci    # CreateProcessW and will call MultiByteToWideChar and use
27e1051a39Sopenharmony_ci    # system default locale. Since we attempt Greek pass-phrase
28e1051a39Sopenharmony_ci    # conversion can be done only with Greek locale.
29e1051a39Sopenharmony_ci
30e1051a39Sopenharmony_ci    Win32::API->Import("kernel32","UINT GetSystemDefaultLCID()");
31e1051a39Sopenharmony_ci    if (GetSystemDefaultLCID() != 0x408) {
32e1051a39Sopenharmony_ci        plan skip_all => "Non-Greek system locale";
33e1051a39Sopenharmony_ci    } else {
34e1051a39Sopenharmony_ci        # Ensure correct code page so that VERBOSE output is right.
35e1051a39Sopenharmony_ci        Win32::API->Import("kernel32","UINT GetConsoleOutputCP()");
36e1051a39Sopenharmony_ci        Win32::API->Import("kernel32","BOOL SetConsoleOutputCP(UINT cp)");
37e1051a39Sopenharmony_ci        $savedcp = GetConsoleOutputCP();
38e1051a39Sopenharmony_ci        SetConsoleOutputCP(1253);
39e1051a39Sopenharmony_ci        $pass = Encode::encode("cp1253",Encode::decode("utf-8",$pass));
40e1051a39Sopenharmony_ci    }
41e1051a39Sopenharmony_ci} elsif ($^O eq "MSWin32") {
42e1051a39Sopenharmony_ci    plan skip_all => "Win32::API unavailable";
43e1051a39Sopenharmony_ci} elsif ($^O ne "VMS") {
44e1051a39Sopenharmony_ci    # Running MinGW tests transparently under Wine apparently requires
45e1051a39Sopenharmony_ci    # UTF-8 locale...
46e1051a39Sopenharmony_ci
47e1051a39Sopenharmony_ci    foreach(`locale -a`) {
48e1051a39Sopenharmony_ci        s/\R$//;
49e1051a39Sopenharmony_ci        if ($_ =~ m/^C\.UTF\-?8/i) {
50e1051a39Sopenharmony_ci            $ENV{LC_ALL} = $_;
51e1051a39Sopenharmony_ci            last;
52e1051a39Sopenharmony_ci        }
53e1051a39Sopenharmony_ci    }
54e1051a39Sopenharmony_ci}
55e1051a39Sopenharmony_ci$ENV{OPENSSL_WIN32_UTF8}=1;
56e1051a39Sopenharmony_ci
57e1051a39Sopenharmony_ciplan tests => 20;
58e1051a39Sopenharmony_ci
59e1051a39Sopenharmony_ci# Test different PKCS#12 formats
60e1051a39Sopenharmony_ciok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
61e1051a39Sopenharmony_ci# Test with legacy APIs
62e1051a39Sopenharmony_ciok(run(test(["pkcs12_format_test", "-legacy"])), "test pkcs12 formats using legacy APIs");
63e1051a39Sopenharmony_ci# Test with a non-default library context (and no loaded providers in the default context)
64e1051a39Sopenharmony_ciok(run(test(["pkcs12_format_test", "-context"])), "test pkcs12 formats using a non-default library context");
65e1051a39Sopenharmony_ci
66e1051a39Sopenharmony_ciSKIP: {
67e1051a39Sopenharmony_ci     skip "VMS doesn't have command line UTF-8 support yet in DCL", 1
68e1051a39Sopenharmony_ci         if $^O eq "VMS";
69e1051a39Sopenharmony_ci
70e1051a39Sopenharmony_ci     # just see that we can read shibboleth.pfx protected with $pass
71e1051a39Sopenharmony_ci     ok(run(app(["openssl", "pkcs12", "-noout",
72e1051a39Sopenharmony_ci                 "-password", "pass:$pass",
73e1051a39Sopenharmony_ci                 "-in", srctop_file("test", "shibboleth.pfx")])),
74e1051a39Sopenharmony_ci        "test_load_cert_pkcs12");
75e1051a39Sopenharmony_ci}
76e1051a39Sopenharmony_ci
77e1051a39Sopenharmony_cimy @path = qw(test certs);
78e1051a39Sopenharmony_cimy $outfile1 = "out1.p12";
79e1051a39Sopenharmony_cimy $outfile2 = "out2.p12";
80e1051a39Sopenharmony_cimy $outfile3 = "out3.p12";
81e1051a39Sopenharmony_cimy $outfile4 = "out4.p12";
82e1051a39Sopenharmony_cimy $outfile5 = "out5.p12";
83e1051a39Sopenharmony_ci
84e1051a39Sopenharmony_ci# Test the -chain option with -untrusted
85e1051a39Sopenharmony_ciok(run(app(["openssl", "pkcs12", "-export", "-chain",
86e1051a39Sopenharmony_ci            "-CAfile",  srctop_file(@path,  "sroot-cert.pem"),
87e1051a39Sopenharmony_ci            "-untrusted", srctop_file(@path, "ca-cert.pem"),
88e1051a39Sopenharmony_ci            "-in", srctop_file(@path, "ee-cert.pem"),
89e1051a39Sopenharmony_ci            "-nokeys", "-passout", "pass:", "-out", $outfile1])),
90e1051a39Sopenharmony_ci   "test_pkcs12_chain_untrusted");
91e1051a39Sopenharmony_ci
92e1051a39Sopenharmony_ci# Test the -passcerts option
93e1051a39Sopenharmony_ciSKIP: {
94e1051a39Sopenharmony_ci    skip "Skipping PKCS#12 test because DES is disabled in this build", 1
95e1051a39Sopenharmony_ci        if disabled("des");
96e1051a39Sopenharmony_ci    ok(run(app(["openssl", "pkcs12", "-export",
97e1051a39Sopenharmony_ci            "-in", srctop_file(@path, "ee-cert.pem"),
98e1051a39Sopenharmony_ci            "-certfile", srctop_file(@path, "v3-certs-TDES.p12"),
99e1051a39Sopenharmony_ci            "-passcerts", "pass:v3-certs",
100e1051a39Sopenharmony_ci            "-nokeys", "-passout", "pass:v3-certs", "-descert",
101e1051a39Sopenharmony_ci            "-out", $outfile2])),
102e1051a39Sopenharmony_ci   "test_pkcs12_passcerts");
103e1051a39Sopenharmony_ci}
104e1051a39Sopenharmony_ci
105e1051a39Sopenharmony_ciSKIP: {
106e1051a39Sopenharmony_ci    skip "Skipping legacy PKCS#12 test because the required algorithms are disabled", 1
107e1051a39Sopenharmony_ci        if disabled("des") || disabled("rc2") || disabled("legacy");
108e1051a39Sopenharmony_ci    # Test reading legacy PKCS#12 file
109e1051a39Sopenharmony_ci    ok(run(app(["openssl", "pkcs12", "-export",
110e1051a39Sopenharmony_ci                "-in", srctop_file(@path, "v3-certs-RC2.p12"),
111e1051a39Sopenharmony_ci                "-passin", "pass:v3-certs",
112e1051a39Sopenharmony_ci                "-provider", "default", "-provider", "legacy",
113e1051a39Sopenharmony_ci                "-nokeys", "-passout", "pass:v3-certs", "-descert",
114e1051a39Sopenharmony_ci                "-out", $outfile3])),
115e1051a39Sopenharmony_ci    "test_pkcs12_passcerts_legacy");
116e1051a39Sopenharmony_ci}
117e1051a39Sopenharmony_ci
118e1051a39Sopenharmony_ci# Test export of PEM file with both cert and key
119e1051a39Sopenharmony_ci# -nomac necessary to avoid legacy provider requirement
120e1051a39Sopenharmony_ciok(run(app(["openssl", "pkcs12", "-export",
121e1051a39Sopenharmony_ci        "-inkey", srctop_file(@path, "cert-key-cert.pem"),
122e1051a39Sopenharmony_ci        "-in", srctop_file(@path, "cert-key-cert.pem"),
123e1051a39Sopenharmony_ci        "-passout", "pass:v3-certs",
124e1051a39Sopenharmony_ci        "-nomac", "-out", $outfile4], stderr => "outerr.txt")),
125e1051a39Sopenharmony_ci   "test_export_pkcs12_cert_key_cert");
126e1051a39Sopenharmony_ciopen DATA, "outerr.txt";
127e1051a39Sopenharmony_cimy @match = grep /:error:/, <DATA>;
128e1051a39Sopenharmony_ciclose DATA;
129e1051a39Sopenharmony_ciok(scalar @match > 0 ? 0 : 1, "test_export_pkcs12_outerr_empty");
130e1051a39Sopenharmony_ci
131e1051a39Sopenharmony_ciok(run(app(["openssl", "pkcs12",
132e1051a39Sopenharmony_ci            "-in", $outfile4,
133e1051a39Sopenharmony_ci            "-passin", "pass:v3-certs",
134e1051a39Sopenharmony_ci            "-nomacver", "-nodes"])),
135e1051a39Sopenharmony_ci  "test_import_pkcs12_cert_key_cert");
136e1051a39Sopenharmony_ci
137e1051a39Sopenharmony_ciok(run(app(["openssl", "pkcs12", "-export", "-out", $outfile5,
138e1051a39Sopenharmony_ci            "-in", srctop_file(@path, "ee-cert.pem"), "-caname", "testname",
139e1051a39Sopenharmony_ci            "-nokeys", "-passout", "pass:", "-certpbe", "NONE"])),
140e1051a39Sopenharmony_ci   "test nokeys single cert");
141e1051a39Sopenharmony_ci
142e1051a39Sopenharmony_cimy @pkcs12info = run(app(["openssl", "pkcs12", "-info", "-in", $outfile5,
143e1051a39Sopenharmony_ci                          "-passin", "pass:"]), capture => 1);
144e1051a39Sopenharmony_ci
145e1051a39Sopenharmony_ci# Test that with one input certificate, we get one output certificate
146e1051a39Sopenharmony_ciok(grep(/subject=CN = server.example/, @pkcs12info) == 1,
147e1051a39Sopenharmony_ci   "test one cert in output");
148e1051a39Sopenharmony_ci# Test that the expected friendly name is present in the output
149e1051a39Sopenharmony_ciok(grep(/testname/, @pkcs12info) == 1, "test friendly name in output");
150e1051a39Sopenharmony_ci
151e1051a39Sopenharmony_ci# Test some bad pkcs12 files
152e1051a39Sopenharmony_cimy $bad1 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad1.p12");
153e1051a39Sopenharmony_cimy $bad2 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad2.p12");
154e1051a39Sopenharmony_cimy $bad3 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad3.p12");
155e1051a39Sopenharmony_ci
156e1051a39Sopenharmony_ciwith({ exit_checker => sub { return shift == 1; } },
157e1051a39Sopenharmony_ci     sub {
158e1051a39Sopenharmony_ci        ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:"])),
159e1051a39Sopenharmony_ci           "test bad pkcs12 file 1");
160e1051a39Sopenharmony_ci
161e1051a39Sopenharmony_ci        ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:",
162e1051a39Sopenharmony_ci                    "-nomacver"])),
163e1051a39Sopenharmony_ci           "test bad pkcs12 file 1 (nomacver)");
164e1051a39Sopenharmony_ci
165e1051a39Sopenharmony_ci        ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:",
166e1051a39Sopenharmony_ci                    "-info"])),
167e1051a39Sopenharmony_ci           "test bad pkcs12 file 1 (info)");
168e1051a39Sopenharmony_ci
169e1051a39Sopenharmony_ci        ok(run(app(["openssl", "pkcs12", "-in", $bad2, "-password", "pass:"])),
170e1051a39Sopenharmony_ci           "test bad pkcs12 file 2");
171e1051a39Sopenharmony_ci
172e1051a39Sopenharmony_ci        ok(run(app(["openssl", "pkcs12", "-in", $bad2, "-password", "pass:",
173e1051a39Sopenharmony_ci                    "-info"])),
174e1051a39Sopenharmony_ci           "test bad pkcs12 file 2 (info)");
175e1051a39Sopenharmony_ci
176e1051a39Sopenharmony_ci        ok(run(app(["openssl", "pkcs12", "-in", $bad3, "-password", "pass:"])),
177e1051a39Sopenharmony_ci           "test bad pkcs12 file 3");
178e1051a39Sopenharmony_ci
179e1051a39Sopenharmony_ci        ok(run(app(["openssl", "pkcs12", "-in", $bad3, "-password", "pass:",
180e1051a39Sopenharmony_ci                    "-info"])),
181e1051a39Sopenharmony_ci           "test bad pkcs12 file 3 (info)");
182e1051a39Sopenharmony_ci     });
183e1051a39Sopenharmony_ci
184e1051a39Sopenharmony_ciSetConsoleOutputCP($savedcp) if (defined($savedcp));
185