* [PATCH 10/13] build: Add more test certificates in various formats
@ 2020-12-10 19:32 Andrew Zaborowski
  2020-12-10 19:32 ` [PATCH 11/13] unit: Add l_pem_load_container_file tests Andrew Zaborowski
                   ` (3 more replies)
  0 siblings, 4 replies; 6+ messages in thread
From: Andrew Zaborowski @ 2020-12-10 19:32 UTC (permalink / raw)
  To: ell

[-- Attachment #1: Type: text/plain, Size: 3599 bytes --]

Add a binary X.509 test certificate and PKCS#12 files using various
cipher combinations.
---
 Makefile.am | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/Makefile.am b/Makefile.am
index 28082aa..66c08c1 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -213,6 +213,7 @@ cert_files = unit/cert-chain.pem \
 			unit/cert-server.pem \
 			unit/cert-server-key-pkcs8.pem \
 			unit/cert-client.pem \
+			unit/cert-client.crt \
 			unit/cert-client-key-pkcs1.pem \
 			unit/cert-client-key-pkcs1-des.pem \
 			unit/cert-client-key-pkcs1-des3.pem \
@@ -226,6 +227,12 @@ cert_files = unit/cert-chain.pem \
 			unit/cert-client-key-pkcs8-v2-des-ede3.pem \
 			unit/cert-client-key-pkcs8-v2-aes128.pem \
 			unit/cert-client-key-pkcs8-v2-aes256.pem \
+			unit/cert-entity-pkcs12-nomac.p12 \
+			unit/cert-entity-pkcs12-rc2-sha1.p12 \
+			unit/cert-entity-pkcs12-des-sha256.p12 \
+			unit/cert-entity-pkcs12-rc4-sha384.p12 \
+			unit/cert-entity-pkcs12-pkcs5-sha512.p12 \
+			unit/cert-entity-combined.pem \
 			unit/cert-no-keyid.pem
 
 cert_checks = unit/cert-intca \
@@ -484,6 +491,9 @@ unit/cert-client.pem: unit/cert-client.csr unit/cert-ca.pem unit/gencerts.cnf
 unit/cert-client: unit/cert-client.pem unit/cert-ca.pem
 	$(AM_V_GEN)openssl verify -CAfile $(builddir)/unit/cert-ca.pem $<
 
+unit/cert-client.crt: unit/cert-client.pem
+	$(AM_V_GEN)openssl x509 -in $< -out $@ -outform der
+
 unit/cert-intca-key.pem:
 	$(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
 
@@ -550,6 +560,24 @@ unit/cert-no-keyid.pem: unit/cert-no-keyid.csr unit/cert-ca2.pem unit/gencerts.c
 unit/cert-no-keyid: unit/cert-no-keyid.pem unit/cert-ca2.pem
 	$(AM_V_GEN)openssl verify -CAfile $(builddir)/unit/cert-ca2.pem $<
 
+unit/cert-entity-pkcs12-nomac.p12: unit/cert-entity-int-key.pem unit/cert-entity-int.pem
+	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -out $@ -export -passout pass:abc -nomac # defaut ciphers
+
+unit/cert-entity-pkcs12-rc2-sha1.p12: unit/cert-entity-int-key.pem unit/cert-entity-int.pem unit/cert-chain.pem
+	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe PBE-SHA1-RC2-40 -keypbe PBE-SHA1-RC2-128 -macalg sha1
+
+unit/cert-entity-pkcs12-des-sha256.p12: unit/cert-entity-int-key.pem unit/cert-entity-int.pem unit/cert-chain.pem
+	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-2DES -macalg sha256
+
+unit/cert-entity-pkcs12-rc4-sha384.p12: unit/cert-entity-int-key.pem unit/cert-entity-int.pem unit/cert-chain.pem
+	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe PBE-SHA1-RC4-128 -keypbe PBE-SHA1-RC2-40 -macalg sha384
+
+unit/cert-entity-pkcs12-pkcs5-sha512.p12: unit/cert-entity-int-key.pem unit/cert-entity-int.pem unit/cert-chain.pem
+	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe des-cbc -keypbe des-cbc -macalg sha512
+
+unit/cert-entity-combined.pem: unit/cert-entity-pkcs12-rc2-sha1.p12
+	$(AM_V_GEN)openssl pkcs12 -in $< -out $@ -passin pass:abc -passout pass:abc
+
 unit/key-plaintext.h: unit/plaintext.txt
 	$(AM_V_GEN)xxd -i < $< > $@
 
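
Review bot: the nomac rule leaves the PBE algorithms to openssl's defaults (the trailing "# defaut ciphers" comment, which also has a typo for "default"), so which ciphers this fixture exercises depends on the openssl installed on the build host; the same applies to the key encryption in the cert-entity-combined.pem rule, which gives no cipher option at all. Pin -certpbe and -keypbe explicitly as the other four rules do, or state in the comment that the variation is intended. The passphrase "pass:abc" is repeated across all six recipes and again in unit/test-pem.c; a make variable would at least keep the Makefile side in one place.
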
-- 
2.27.0


* [PATCH 11/13] unit: Add l_pem_load_container_file tests
  2020-12-10 19:32 [PATCH 10/13] build: Add more test certificates in various formats Andrew Zaborowski
@ 2020-12-10 19:32 ` Andrew Zaborowski
  2020-12-10 19:32 ` [PATCH 12/13] unit: Re-add the ARC4 test Andrew Zaborowski
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 6+ messages in thread
From: Andrew Zaborowski @ 2020-12-10 19:32 UTC (permalink / raw)
  To: ell

[-- Attachment #1: Type: text/plain, Size: 4290 bytes --]

---
 unit/test-pem.c | 118 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 118 insertions(+)

diff --git a/unit/test-pem.c b/unit/test-pem.c
index f875adc..eddb6c6 100644
--- a/unit/test-pem.c
+++ b/unit/test-pem.c
@@ -337,6 +337,74 @@ static void test_encrypted_pkey(const void *data)
 	l_key_free(pkey2);
 }
 
+static bool test_cert_count(struct l_cert *cert, void *user_data)
+{
+	int *count = user_data;
+
+	(*count)++;
+	return false;
+}
+
+struct test_load_file_params {
+	const char *path;
+	bool expect_cert;
+	bool expect_certchain;
+	bool expect_privkey;
+	bool expect_encrypted;
+};
+
+#define TEST_LOAD_PARAMS(fn, cert, certchain, privkey, encrypted)	\
+	(&(struct test_load_file_params) {				\
+		CERTDIR fn, (cert), (certchain), (privkey), (encrypted) })
+
+static void test_load_file(const void *data)
+{
+	const struct test_load_file_params *params = data;
+	struct l_certchain *certchain;
+	struct l_key *privkey;
+	bool encrypted;
+
+	l_pem_load_container_file(params->path, false, &certchain,
+					&privkey, &encrypted);
+	assert(encrypted == params->expect_encrypted);
+
+	if (encrypted) {
+		/*
+		 * Depending on the format the certificates may be encrypted
+		 * or unencrypted even when the private key was encrypted.
+		 */
+		if (certchain) {
+			assert(params->expect_privkey);
+			l_certchain_free(certchain);
+			certchain = NULL;
+		}
+
+		assert(!privkey);
+
+		l_pem_load_container_file(params->path, "abc", &certchain,
+						&privkey, &encrypted);
+	}
+
+	assert(!!certchain == params->expect_cert);
+	assert(!!privkey == params->expect_privkey);
+
+	if (certchain) {
+		int count = 0;
+
+		l_certchain_walk_from_leaf(certchain, test_cert_count, &count);
+		assert(count == (params->expect_certchain ? 3 : 1));
+
+		if (params->expect_certchain)
+			assert(l_certchain_verify(certchain, NULL, NULL));
+	}
+
+	if (certchain)
+		l_certchain_free(certchain);
+
+	if (privkey)
+		l_key_free(privkey);
+}
+
 int main(int argc, char *argv[])
 {
 	l_test_init(&argc, &argv);
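
Review bot: in test_load_file the return value of both l_pem_load_container_file() calls is discarded while certchain, privkey and encrypted are declared without initializers, so if a load fails before writing its out-parameters the following asserts read indeterminate values. Initialize them (NULL, NULL, false) and assert on the return value of each call. The first call also passes "false" in the argument position where the second call passes "abc"; that argument is a string pointer, so NULL would state the intent. The expected chain length "3 : 1" is a bare literal tied to how the fixtures are generated and deserves a short comment.
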
@@ -409,6 +477,56 @@ int main(int argc, char *argv[])
 				CERTDIR "cert-client-key-pkcs1-aes256.pem");
 	}
 
+	l_test_add("detect-format/PEM PKCS#1 unencrypted private key",
+			test_load_file,
+			TEST_LOAD_PARAMS("cert-client-key-pkcs1.pem",
+						false, false, true, false));
+	l_test_add("detect-format/PEM PKCS#1 encrypted private key",
+			test_load_file,
+			TEST_LOAD_PARAMS("cert-client-key-pkcs1-des.pem",
+						false, false, true, true));
+	l_test_add("detect-format/PEM PKCS#8 unencrypted private key",
+			test_load_file,
+			TEST_LOAD_PARAMS("cert-client-key-pkcs8.pem",
+						false, false, true, false));
+	l_test_add("detect-format/PEM PKCS#8 encrypted private key",
+			test_load_file,
+			TEST_LOAD_PARAMS("cert-client-key-pkcs8-sha1-des.pem",
+						false, false, true, true));
+	l_test_add("detect-format/PEM X.509 certificate",
+			test_load_file,
+			TEST_LOAD_PARAMS("cert-client.pem",
+						true, false, false, false));
+	l_test_add("detect-format/DER X.509 certificate",
+			test_load_file,
+			TEST_LOAD_PARAMS("cert-client.crt",
+						true, false, false, false));
+	l_test_add("detect-format/PEM combined",
+			test_load_file,
+			TEST_LOAD_PARAMS("cert-entity-combined.pem",
+						true, true, true, true));
+	l_test_add("detect-format/DER PKCS#12 combined",
+			test_load_file,
+			TEST_LOAD_PARAMS("cert-entity-pkcs12-nomac.p12",
+						true, false, true, true));
+
+	l_test_add("pkcs#12/Combined RC2-based ciphers + SHA1",
+			test_load_file,
+			TEST_LOAD_PARAMS("cert-entity-pkcs12-rc2-sha1.p12",
+						true, true, true, true));
+	l_test_add("pkcs#12/Combined DES-based ciphers + SHA256",
+			test_load_file,
+			TEST_LOAD_PARAMS("cert-entity-pkcs12-des-sha256.p12",
+						true, true, true, true));
+	l_test_add("pkcs#12/Combined RC4-based ciphers + SHA384",
+			test_load_file,
+			TEST_LOAD_PARAMS("cert-entity-pkcs12-rc4-sha384.p12",
+						true, true, true, true));
+	l_test_add("pkcs#12/Combined PKCS#5 ciphers + SHA512",
+			test_load_file,
+			TEST_LOAD_PARAMS("cert-entity-pkcs12-pkcs5-sha512.p12",
+						true, true, true, true));
+
 done:
 	return l_test_run();
 }
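
Review bot: every case registered here is a successful load with the correct passphrase "abc"; nothing exercises the failure paths of l_pem_load_container_file(), which for a container parser are the ones most worth pinning down. Consider adding at least a wrong-passphrase case for one of the .p12 files and a truncated or corrupted input, asserting that neither a certchain nor a key comes back. The "detect-format/DER PKCS#12 combined" case is also the only user of cert-entity-pkcs12-nomac.p12, so it silently pins that a file without a MAC is accepted; a test name that says so would make that behaviour a visible decision.
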
-- 
2.27.0


* [PATCH 12/13] unit: Re-add the ARC4 test
  2020-12-10 19:32 [PATCH 10/13] build: Add more test certificates in various formats Andrew Zaborowski
  2020-12-10 19:32 ` [PATCH 11/13] unit: Add l_pem_load_container_file tests Andrew Zaborowski
@ 2020-12-10 19:32 ` Andrew Zaborowski
  2020-12-11 21:15   ` Denis Kenzior
  2020-12-10 19:32 ` [PATCH 13/13] unit: Add some RC2 test vectors Andrew Zaborowski
  2020-12-10 22:53 ` [PATCH 10/13] build: Add more test certificates in various formats Denis Kenzior
  3 siblings, 1 reply; 6+ messages in thread
From: Andrew Zaborowski @ 2020-12-10 19:32 UTC (permalink / raw)
  To: ell

[-- Attachment #1: Type: text/plain, Size: 2303 bytes --]

---
 unit/test-cipher.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)

diff --git a/unit/test-cipher.c b/unit/test-cipher.c
index 7dddffd..8eca796 100644
--- a/unit/test-cipher.c
+++ b/unit/test-cipher.c
@@ -103,6 +103,60 @@ static void test_aes_ctr(const void *data)
 	l_cipher_free(cipher);
 }
 
+static void test_arc4(const void *data)
+{
+	struct l_cipher *cipher;
+	char buf[256];
+	int r;
+
+	static const unsigned char expect_plaintext[] = {
+		0xbb, 0xf3, 0x16, 0xe8, 0xd9, 0x40, 0xaf, 0x0a, 0xd3,
+	};
+	static const unsigned char expect_pedia[] = {
+		0x10, 0x21, 0xbf, 0x04, 0x20,
+	};
+	static const unsigned char expect_attack[] = {
+		0x45, 0xa0, 0x1f, 0x64, 0x5f, 0xc3, 0x5b, 0x38, 0x35, 0x52,
+		0x54, 0x4b, 0x9b, 0xf5,
+	};
+
+	assert(l_cipher_is_supported(L_CIPHER_ARC4));
+
+	cipher = l_cipher_new(L_CIPHER_ARC4, "Key", 3);
+	assert(cipher);
+	l_cipher_encrypt(cipher, "Plaintext", buf, 9);
+	assert(!memcmp(buf, expect_plaintext, 9));
+	l_cipher_free(cipher);
+
+	cipher = l_cipher_new(L_CIPHER_ARC4, "Wiki", 4);
+	assert(cipher);
+	l_cipher_encrypt(cipher, "pedia", buf, 5);
+	assert(!memcmp(buf, expect_pedia, 5));
+	l_cipher_free(cipher);
+
+	cipher = l_cipher_new(L_CIPHER_ARC4, "Secret", 6);
+	assert(cipher);
+	l_cipher_encrypt(cipher, "Attack at dawn", buf, 14);
+	assert(!memcmp(buf, expect_attack, 14));
+	l_cipher_free(cipher);
+
+	cipher = l_cipher_new(L_CIPHER_ARC4, KEY_STR, KEY_LEN);
+	assert(cipher);
+
+	memcpy(buf, FIXED_STR, FIXED_LEN);
+
+	l_cipher_encrypt(cipher, buf, buf, FIXED_LEN);
+
+	r = memcmp(buf, FIXED_STR, FIXED_LEN);
+	assert(r);
+
+	l_cipher_decrypt(cipher, buf, buf, FIXED_LEN);
+	l_cipher_free(cipher);
+
+	r = memcmp(buf, FIXED_STR, FIXED_LEN);
+	assert(!r);
+}
+
 struct aead_test_vector {
 	enum l_aead_cipher_type type;
 	char *aad;
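
Review bot: in test_arc4 the results of l_cipher_encrypt() and l_cipher_decrypt() are ignored and buf starts out uninitialized, so a failed call ends in memcmp() over indeterminate stack data rather than a clear failure at the call site; wrap each call in assert(). The lengths 9, 5 and 14 are repeated as literals in both the encrypt and memcmp calls; using sizeof(expect_plaintext), sizeof(expect_pedia) and sizeof(expect_attack) would keep each vector and its length tied together.
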
@@ -337,6 +391,8 @@ int main(int argc, char *argv[])
 	if (l_cipher_is_supported(L_CIPHER_AES_CTR))
 		l_test_add("aes_ctr", test_aes_ctr, NULL);
 
+	l_test_add("arc4", test_arc4, NULL);
+
 	if (l_aead_cipher_is_supported(L_AEAD_CIPHER_AES_CCM)) {
 		l_test_add("aes_ccm long nonce", test_aead, &ccm_long_nonce);
 		l_test_add("aes_ccm short nonce", test_aead, &ccm_short_nonce);
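
Review bot: the "arc4" test is registered unconditionally, while the neighbouring aes_ctr and aes_ccm registrations are guarded by l_cipher_is_supported() / l_aead_cipher_is_supported(), so where ARC4 is unavailable the suite aborts on the assert at the top of test_arc4 instead of skipping the test. Guard the registration the same way, or, if ARC4 is now meant to be always available, say so in the commit message, which is currently empty and does not explain why the test is being re-added.
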
-- 
2.27.0


* [PATCH 13/13] unit: Add some RC2 test vectors
  2020-12-10 19:32 [PATCH 10/13] build: Add more test certificates in various formats Andrew Zaborowski
  2020-12-10 19:32 ` [PATCH 11/13] unit: Add l_pem_load_container_file tests Andrew Zaborowski
  2020-12-10 19:32 ` [PATCH 12/13] unit: Re-add the ARC4 test Andrew Zaborowski
@ 2020-12-10 19:32 ` Andrew Zaborowski
  2020-12-10 22:53 ` [PATCH 10/13] build: Add more test certificates in various formats Denis Kenzior
  3 siblings, 0 replies; 6+ messages in thread
From: Andrew Zaborowski @ 2020-12-10 19:32 UTC (permalink / raw)
  To: ell

[-- Attachment #1: Type: text/plain, Size: 2216 bytes --]

---
 unit/test-cipher.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)

diff --git a/unit/test-cipher.c b/unit/test-cipher.c
index 8eca796..15fe25b 100644
--- a/unit/test-cipher.c
+++ b/unit/test-cipher.c
@@ -379,6 +379,61 @@ static void test_aead(const void *data)
 	l_free(tag);
 }
 
+struct rc2_test_vector {
+	const char *key;
+	const char *plaintext;
+	const char *ciphertext;
+};
+
+/* RFC2268 Section 5 (where Effective key length == 8 * Key length) */
+static const struct rc2_test_vector rc2_test_1 = {
+	.key = "ffffffffffffffff",
+	.plaintext = "ffffffffffffffff",
+	.ciphertext = "278b27e42e2f0d49",
+};
+
+static const struct rc2_test_vector rc2_test_2 = {
+	.key = "3000000000000000",
+	.plaintext = "1000000000000001",
+	.ciphertext = "30649edf9be7d2c2",
+};
+
+static const struct rc2_test_vector rc2_test_3 = {
+	.key = "88bca90e90875a7f0f79c384627bafb2",
+	.plaintext = "0000000000000000",
+	.ciphertext = "2269552ab0f85ca6",
+};
+
+static void test_rc2(const void *data)
+{
+	const struct rc2_test_vector *v = data;
+	uint8_t *key;
+	size_t key_length;
+	struct l_cipher *cipher;
+	uint8_t *plaintext;
+	uint8_t *ciphertext;
+	uint8_t buf[8];
+
+	assert(l_cipher_is_supported(L_CIPHER_RC2_CBC));
+
+	key = l_util_from_hexstring(v->key, &key_length);
+	plaintext = l_util_from_hexstring(v->plaintext, NULL);
+	ciphertext = l_util_from_hexstring(v->ciphertext, NULL);
+
+	cipher = l_cipher_new(L_CIPHER_RC2_CBC, key, key_length);
+	assert(cipher);
+	l_cipher_encrypt(cipher, plaintext, buf, 8);
+	assert(!memcmp(buf, ciphertext, 8));
+
+	l_cipher_decrypt(cipher, buf, buf, 8);
+	l_cipher_free(cipher);
+	assert(!memcmp(buf, plaintext, 8));
+
+	l_free(plaintext);
+	l_free(ciphertext);
+	l_free(key);
+}
+
 int main(int argc, char *argv[])
 {
 	l_test_init(&argc, &argv);
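
Review bot: test_rc2 checks the RFC 2268 single-block vectors through L_CIPHER_RC2_CBC without ever setting an IV, so it passes only if both the encrypt and the following decrypt on the same cipher object start from an all-zero IV. Set the IV explicitly with l_cipher_set_iv() before each operation, or add a comment stating the zero-IV assumption, so the test does not depend on implicit state. The three l_util_from_hexstring() results are used without a NULL check, and because NULL is passed for the length out-parameter of plaintext and ciphertext, nothing verifies that they decode to the 8 bytes that buf and the memcmp() calls assume.
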
@@ -408,5 +463,9 @@ int main(int argc, char *argv[])
 		l_test_add("aes_gcm test 6", test_aead, &gcm_test6);
 	}
 
+	l_test_add("rc2/test 1", test_rc2, &rc2_test_1);
+	l_test_add("rc2/test 2", test_rc2, &rc2_test_2);
+	l_test_add("rc2/test 3", test_rc2, &rc2_test_3);
+
 	return l_test_run();
 }
-- 
2.27.0


* Re: [PATCH 10/13] build: Add more test certificates in various formats
  2020-12-10 19:32 [PATCH 10/13] build: Add more test certificates in various formats Andrew Zaborowski
                   ` (2 preceding siblings ...)
  2020-12-10 19:32 ` [PATCH 13/13] unit: Add some RC2 test vectors Andrew Zaborowski
@ 2020-12-10 22:53 ` Denis Kenzior
  3 siblings, 0 replies; 6+ messages in thread
From: Denis Kenzior @ 2020-12-10 22:53 UTC (permalink / raw)
  To: ell

[-- Attachment #1: Type: text/plain, Size: 308 bytes --]

Hi Andrew,

On 12/10/20 1:32 PM, Andrew Zaborowski wrote:
> Add a binary X.509 test certificate and PKCS#12 files using various
> cipher combinations.
> ---
>   Makefile.am | 28 ++++++++++++++++++++++++++++
>   1 file changed, 28 insertions(+)
> 

Patch 10 & 13 applied, thanks.

Regards,
-Denis


* Re: [PATCH 12/13] unit: Re-add the ARC4 test
  2020-12-10 19:32 ` [PATCH 12/13] unit: Re-add the ARC4 test Andrew Zaborowski
@ 2020-12-11 21:15   ` Denis Kenzior
  0 siblings, 0 replies; 6+ messages in thread
From: Denis Kenzior @ 2020-12-11 21:15 UTC (permalink / raw)
  To: ell

[-- Attachment #1: Type: text/plain, Size: 257 bytes --]

Hi Andrew,

On 12/10/20 1:32 PM, Andrew Zaborowski wrote:
> ---
>   unit/test-cipher.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++
>   1 file changed, 56 insertions(+)
> 

This and patch 4 have now been applied as well.

Regards,
-Denis
