[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Tue Jun 6 16:52:15 UTC 2017


The branch master has been updated
       via  1efd98f95dd9499854b0685801aa3362d6e14fb2 (commit)
       via  09ddb8785a5418fc849354f110ac5b8bb4ab26d2 (commit)
       via  e514ff0f7368b75b312d69da7b3a82ee57141967 (commit)
       via  6d2523e0378edabad236bf052d465448dc387c9d (commit)
       via  7b9863392bff83e7822384a07a11a91feb4e003f (commit)
      from  bf0d560938f133df2ebd2026ff80fe3f51f07b40 (commit)


- Log -----------------------------------------------------------------
commit 1efd98f95dd9499854b0685801aa3362d6e14fb2
Author: Paul Yang <paulyang.inf at gmail.com>
Date:   Tue Jun 6 18:43:14 2017 +0800

    Fix coding style
    
    Signed-off-by: Paul Yang <paulyang.inf at gmail.com>
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3614)

commit 09ddb8785a5418fc849354f110ac5b8bb4ab26d2
Author: Paul Yang <paulyang.inf at gmail.com>
Date:   Mon Jun 5 03:56:07 2017 +0800

    Fix doc nits in X509_check_private_key.pod
    
    remove the trailing dot
    
    Signed-off-by: Paul Yang <paulyang.inf at gmail.com>
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3614)

commit e514ff0f7368b75b312d69da7b3a82ee57141967
Author: Paul Yang <paulyang.inf at gmail.com>
Date:   Mon Jun 5 03:41:19 2017 +0800

    Set local variable to 0 to avoid build error
    
    Signed-off-by: Paul Yang <paulyang.inf at gmail.com>
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3614)

commit 6d2523e0378edabad236bf052d465448dc387c9d
Author: Paul Yang <paulyang.inf at gmail.com>
Date:   Mon Jun 5 03:16:40 2017 +0800

    Add test cases for X509_check_private_key
    
    To test X509_check_private_key and relatives.
    
    Add a CSR and corresponding RSA private key to test
    X509_REQ_check_private_key function.
    
    Signed-off-by: Paul Yang <paulyang.inf at gmail.com>
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3614)

commit 7b9863392bff83e7822384a07a11a91feb4e003f
Author: Paul Yang <paulyang.inf at gmail.com>
Date:   Mon Jun 5 03:14:15 2017 +0800

    Document X509_check_private_key and relative
    
    Document two private key check functions:
    
    X509_check_private_key
    X509_REQ_check_private_key
    
    Signed-off-by: Paul Yang <paulyang.inf at gmail.com>
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3614)

-----------------------------------------------------------------------

Summary of changes:
 doc/man3/X509_check_private_key.pod         |  54 +++++++++++++
 test/build.info                             |   6 +-
 test/certs/x509-check-key.pem               |  28 +++++++
 test/certs/x509-check.csr                   |  15 ++++
 test/recipes/60-test_x509_check_cert_pkey.t |  39 ++++++++++
 test/x509_check_cert_pkey_test.c            | 114 ++++++++++++++++++++++++++++
 6 files changed, 255 insertions(+), 1 deletion(-)
 create mode 100644 doc/man3/X509_check_private_key.pod
 create mode 100644 test/certs/x509-check-key.pem
 create mode 100644 test/certs/x509-check.csr
 create mode 100644 test/recipes/60-test_x509_check_cert_pkey.t
 create mode 100644 test/x509_check_cert_pkey_test.c

diff --git a/doc/man3/X509_check_private_key.pod b/doc/man3/X509_check_private_key.pod
new file mode 100644
index 0000000..a1fb07b
--- /dev/null
+++ b/doc/man3/X509_check_private_key.pod
@@ -0,0 +1,54 @@
+=pod
+
+=head1 NAME
+
+X509_check_private_key, X509_REQ_check_private_key - check the consistency
+of a private key with the public key in an X509 certificate or certificate
+request
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509.h>
+
+ int X509_check_private_key(X509 *x, EVP_PKEY *k);
+
+ int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k);
+
+=head1 DESCRIPTION
+
+X509_check_private_key() function checks the consistency of private
+key B<k> with the public key in B<x>.
+
+X509_REQ_check_private_key() is equivalent to X509_check_private_key()
+except that B<x> represents a certificate request of structure B<X509_REQ>.
+
+=head1 RETURN VALUE
+
+X509_check_private_key() and X509_REQ_check_private_key() return 1 if
+the keys match each other, and 0 if not.
+
+If the key is invalid or an error occurred, the reason code can be
+obtained using L<ERR_get_error(3)>.
+
+=head1 BUGS
+
+The B<check_private_key> functions don't check if B<k> itself is indeed
+a private key or not. It merely compares the public materials (e.g. exponent
+and modulus of an RSA key) and/or key parameters (e.g. EC params of an EC key)
+of a key pair. So if you pass a public key to these functions in B<k>, it will
+return success.
+
+=head1 SEE ALSO
+
+L<ERR_get_error(3)>
+
+=head1 COPYRIGHT
+
+Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/test/build.info b/test/build.info
index 3dd7590..5bb570e 100644
--- a/test/build.info
+++ b/test/build.info
@@ -41,7 +41,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
           ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \
           bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \
           pkey_meth_test uitest cipherbytes_test asn1_encode_test \
-          x509_time_test x509_dup_cert_test recordlentest \
+          x509_time_test x509_dup_cert_test x509_check_cert_pkey_test recordlentest \
           time_offset_test pemtest
 
   SOURCE[aborttest]=aborttest.c
@@ -301,6 +301,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
   INCLUDE[x509_dup_cert_test]=../include
   DEPEND[x509_dup_cert_test]=../libcrypto libtestutil.a
 
+  SOURCE[x509_check_cert_pkey_test]=x509_check_cert_pkey_test.c
+  INCLUDE[x509_check_cert_pkey_test]=../include
+  DEPEND[x509_check_cert_pkey_test]=../libcrypto libtestutil.a
+
   SOURCE[pemtest]=pemtest.c
   INCLUDE[pemtest]=../include .
   DEPEND[pemtest]=../libcrypto libtestutil.a
diff --git a/test/certs/x509-check-key.pem b/test/certs/x509-check-key.pem
new file mode 100644
index 0000000..20888d0
--- /dev/null
+++ b/test/certs/x509-check-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCd6jpgFiM/ZW6d
+CJlEIxmKk7rH7MRL93wW32o5duTwtT1cs/y+ylfey0l5tYBzGMxjUPNeYGTBqiuz
+6ueVyMvbe3wymXPp+zzoaq3if3Jycb+1gurSyiQpF6T1PLmfJDgQQT0XnI7qRwHI
+5FJTvKM9mpv3iKohBseT/a8yfdk27zFYrSMZjfaqZc+0a18bHi/SgNN36Lj+vnPc
+s2DzS8ymBJ10Zq6icy6xL30sHDKPOKKrD8+EJ6suUm5CpLL4N6jPOmk9Dj7XQv2Y
+woX2S0Ys6dFpHuGBJ1NngBW/0Zm9oseDOxxqplPGIYa8nN7BIrTwAJEhkmKTEi9P
+8APIi6DVAgMBAAECggEAMWkKnuoOWVXJiIUaP8GjykJzHP8uZH6paxa4zAYxmEd9
+TbZbjO8PE30UHmr2KA1IVoMLwynyHM68Ie2MTMepUaGPuN1e8YVVB3vpsIckLj79
+NzQheZcaPWlSihFYGz1f9WYUUYEBDrjtDAi04dKSWUI5LviqEu9mHx4vZWMPRiqP
+mrtp3CH34ViJL4v4TtvEeuOvLf4mYpfWe1Il7U2eYSqcxO0lCwk7nd/JCzpPWA7C
+TQZSTtp5AQ4OT7LPFZIgs/87Qi8fuEEvN+6rt07r0j6/gPOVa2xoj4a7MJYsxi9O
+s1xA8Q+xjUEnjHth1MLCrmHYbJuWptIqgPTkVvB2OQKBgQDSAywBvs7PDdt+BLTc
+6J4g/gOL/17ATysmhUGJ6VxrNulViLtiFeyf3p4vj/fSa2y4ZnP/hHovzfces1Bd
+6YXtPGIuRNOnVdlYx2Y/OGrw0baxRAIW8D6Z4ms1n8hesGssteKZeaT4ojIPpJS1
+c1UtextX5OBLYaiFxwTb1Q6bAwKBgQDAfpbrlBN4936glc5uFmKNvFfNB8P30+Bk
+DFtth5TMsCL406aUlIl4lkBrXAgUTndRai2cWYD9ffsXQmm+yx1q5kO6akeAaueq
+WMo3ViZnxK8Fe4oF4M9OoaEQRcVmV5jFMKH9S268B8/x96lNh/i7M58nB5AeNDlV
+AMyHW2vhRwKBgAxduXKk3KKei0UhW9ECNYV1z5mnwNmMD9tlz1Uik5mQky7BLV96
+MQO85Q2h6ZLPVoiJJ91s3JECDMIXBu1wub0daB6XWOsqh/DNVPz2An4JqztG6OSW
+4ujGx09SCEdjFfx8/UnSOt+VFWOMamFA2EwkSpjjVj26E2VFMckMA58nAoGADabs
+vTh7SREEgg8d3ODpjHPXJktuspzsRSw7L8F15C55zHv2TINcXJkLaJHWYNpPzA5j
+vbr7Uv8kV7n2FfoB1BsQop/3AjySwZoafWI2xxVD9HeWimQvT7xW1/iaz29W/mU8
+l+JJsDw9m0OdVkpWcbBvkS0QI5RAnK650r/BHvECgYB6s9Qp5osOCdtPli7MYyD6
+mw+61DSgThUgKa7j96NG2ToYeNWTdf2Fd4Xa7s6MWryaGY+IMSRga24CM+WvaaAL
+iGZLY8dfpM/yDr0pva4WF66ARajDhNx1wvOBQJpHnldX0G4gYczIsIWgUhzo4eH8
+37OzKradFq+avGmtCBeV8A==
+-----END PRIVATE KEY-----
diff --git a/test/certs/x509-check.csr b/test/certs/x509-check.csr
new file mode 100644
index 0000000..179d05a
--- /dev/null
+++ b/test/certs/x509-check.csr
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
diff --git a/test/recipes/60-test_x509_check_cert_pkey.t b/test/recipes/60-test_x509_check_cert_pkey.t
new file mode 100644
index 0000000..794e719
--- /dev/null
+++ b/test/recipes/60-test_x509_check_cert_pkey.t
@@ -0,0 +1,39 @@
+#! /usr/bin/env perl
+# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_x509_check_cert_pkey");
+
+plan tests => 6;
+
+# rsa
+ok(run(test(["x509_check_cert_pkey_test",
+             srctop_file("test", "certs", "servercert.pem"),
+             srctop_file("test", "certs", "serverkey.pem"), "cert", "ok"])));
+# mismatched rsa
+ok(run(test(["x509_check_cert_pkey_test",
+             srctop_file("test", "certs", "servercert.pem"),
+             srctop_file("test", "certs", "wrongkey.pem"), "cert", "failed"])));
+# dsa
+ok(run(test(["x509_check_cert_pkey_test",
+             srctop_file("test", "certs", "server-dsa-cert.pem"),
+             srctop_file("test", "certs", "server-dsa-key.pem"), "cert", "ok"])));
+# ecc
+ok(run(test(["x509_check_cert_pkey_test",
+             srctop_file("test", "certs", "server-ecdsa-cert.pem"),
+             srctop_file("test", "certs", "server-ecdsa-key.pem"), "cert", "ok"])));
+# certificate request (rsa)
+ok(run(test(["x509_check_cert_pkey_test",
+             srctop_file("test", "certs", "x509-check.csr"),
+             srctop_file("test", "certs", "x509-check-key.pem"), "req", "ok"])));
+# mismatched certificate request (rsa)
+ok(run(test(["x509_check_cert_pkey_test",
+             srctop_file("test", "certs", "x509-check.csr"),
+             srctop_file("test", "certs", "wrongkey.pem"), "req", "failed"])));
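Review bot: Only the RSA certificate and the RSA request have a `failed` case; the `# dsa` and `# ecc` entries exercise the matching path alone, so a regression in the comparison for those key types would go unnoticed. A cross-type case built from files already used here, for instance `srctop_file("test", "certs", "server-ecdsa-cert.pem"), srctop_file("test", "certs", "serverkey.pem"), "cert", "failed"`, would cover the key-type mismatch path. A same-type DSA or EC mismatch needs a second key of that type, which this change does not add. `plan tests => 6;` has to be raised to match the new count.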
diff --git a/test/x509_check_cert_pkey_test.c b/test/x509_check_cert_pkey_test.c
new file mode 100644
index 0000000..003bab8
--- /dev/null
+++ b/test/x509_check_cert_pkey_test.c
@@ -0,0 +1,114 @@
+/*
+ * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+#include "testutil.h"
+
+/*
+ * c: path of a cert in PEM format
+ * k: path of a key in PEM format
+ * t: API type, "cert" for X509_ and "req" for X509_REQ_ APIs.
+ * e: expected, "ok" for success, "failed" for what should fail.
+ */
+static int test_x509_check_cert_pkey(const char *c, const char *k,
+    const char *t, const char *e)
+{
+    BIO *bio = NULL;
+    X509 *x509 = NULL;
+    X509_REQ *x509_req = NULL;
+    EVP_PKEY *pkey = NULL;
+    int ret = 0, type = 0, expected = 0, result = 0;
+
+    /*
+     * we check them first thus if fails we don't need to do
+     * those PEM parsing operations.
+     */
+    if (strcmp(t, "cert") == 0) {
+        type = 1;
+    } else if (strcmp(t, "req") == 0) {
+        type = 2;
+    } else {
+        TEST_error("invalid 'type'");
+        goto failed;
+    }
+
+    if (strcmp(e, "ok") == 0) {
+        expected = 1;
+    } else if (strcmp(e, "failed") == 0) {
+        expected = 0;
+    } else {
+        TEST_error("invalid 'expected'");
+        goto failed;
+    }
+
+    /* process private key */
+    if (!TEST_ptr(bio = BIO_new_file(k, "r")))
+        goto failed;
+
+    if (!TEST_ptr(pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL)))
+        goto failed;
+
+    BIO_free(bio);
+
+    /* process cert or cert request, use the same local var */
+    if (!TEST_ptr(bio = BIO_new_file(c, "r")))
+        goto failed;
+
+    switch (type) {
+    case 1:
+        x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+        if (x509 == NULL) {
+            TEST_error("read PEM x509 failed");
+            goto failed;
+        }
+
+        result = X509_check_private_key(x509, pkey);
+        break;
+    case 2:
+        x509_req = PEM_read_bio_X509_REQ(bio, NULL, NULL, NULL);
+        if (x509_req == NULL) {
+            TEST_error("read PEM x509 req failed");
+            goto failed;
+        }
+
+        result = X509_REQ_check_private_key(x509_req, pkey);
+        break;
+    default:
+        /* should never be here */
+        break;
+    }
+
+    if (!TEST_int_eq(result, expected)) {
+        TEST_error("check private key: expected: %d, got: %d", expected, result);
+        goto failed;
+    }
+
+    ret = 1;
+failed:
+    BIO_free(bio);
+    X509_free(x509);
+    X509_REQ_free(x509_req);
+    EVP_PKEY_free(pkey);
+    return ret;
+}
+
+int test_main(int argc, char **argv)
+{
+    if (!TEST_int_eq(argc, 5)) {
+        TEST_info("usage: x509_check_cert_pkey cert.pem|cert.req"
+                  " key.pem cert|req <expected>");
+        return 1;
+    }
+
+    return !test_x509_check_cert_pkey(argv[1], argv[2], argv[3], argv[4]);
+}
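Review bot: In `test_x509_check_cert_pkey` a `failed` expectation is satisfied by any zero return, so the negative cases pass just as well when the check fails for an unrelated reason as when the keys really differ. Since the new man page says the reason code is available from the error queue, the `expected == 0` path could also assert it, e.g. `if (expected == 0 && !TEST_int_eq(ERR_GET_REASON(ERR_peek_last_error()), X509_R_KEY_VALUES_MISMATCH)) goto failed;`, placed after the `TEST_int_eq(result, expected)` check. That assumes `wrongkey.pem` holds a key of the same type as the certificate's; a cross-type pairing would presumably report `X509_R_KEY_TYPE_MISMATCH` instead. `<openssl/err.h>` should then be included explicitly rather than relied on transitively.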

