blob: 10cb08a9f76588bc0f253c0cc7e30c3c5eb98b82 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
|
#!/usr/bin/tclsh
lappend auto_path [file dirname [info script]]
package require ossltest
package require test
cd $::test::dir
set testname [file rootname [file tail $::argv0]]
start_tests "Тесты на cms -encrypt с участием эталонных серверов"
proc make_fn {alg} {
return [string map {":" "_"} $alg]
}
proc map {str list} {
set result {}
foreach a $list {
lappend result [subst $str]
}
return $result
}
if {![file exist encrypt.dat]} {
makeFile encrypt.dat [string repeat "Test data to encrypt.\n" 100]
}
#if {![info exist env(/NO_RSA)]} {
#test "Creating RSA CA" {
# makeCA ${testname}CA-RSA rsa:512
#} 0 1
#
set ::test::ca cmsencCA-RSA
#foreach user {U_cms_enc_rsa_1 U_cms_enc_rsa_2} {
#test "Make registered user $user" {
# makeRegisteredUser $user rsa:512 CAname ${testname}CA-RSA
#} 0 1
#}
set hosts tls-ref-cp21
foreach hstname $hosts {
#test -createsfiles cms_enc_rsa.msg "RSA User 1 encrypts message for RSA user 2" {
# openssl "cms -encrypt -in encrypt.dat -des -out cms_enc_rsa.msg U_cms_enc_rsa_2/cert.pem"
# file isfile cms_enc_rsa.msg
#} 0 1
test "RSA User 1 cannot decrypt message for RSA user 2" {
grep "Error" [openssl_remote "cms_enc_rsa.msg U_cms_enc_rsa_1" "$hstname" "cms -decrypt -in TESTPATH/cms_enc_rsa.msg -recip TESTPATH/U_cms_enc_rsa_1/cert.pem -inkey TESTPATH/U_cms_enc_rsa_1/seckey.pem" "rsa"]
} 1 {Error decrypting CMS}
test -skip {![file exists cms_decrypt.rsa]} "RSA User 2 (with cert) can decrypt message for RSA user 2" {
set expected [getFile encrypt.dat]
openssl_remote "U_cms_enc_rsa_2" "$hstname" "cms -decrypt -in TESTPATH/cms_enc_rsa.msg -recip TESTPATH/U_cms_enc_rsa_2/cert.pem -inkey TESTPATH/U_cms_enc_rsa_2/seckey.pem -out TESTPATH/cms_decrypt.rsa" "rsa"
set result [getFile cms_decrypt.rsa]
string eq $expected $result
} 0 1
test -skip{![file exists cms_decrypt_nocert.rsa]} "RSA User 2 (without cert) can decrypt message for RSA user 2" {
set expected [getFile encrypt.dat]
openssl_remote "$hstname" "cms -decrypt -in TESTPATH/cms_enc_rsa.msg -inkey TESTPATH/U_cms_enc_rsa_2/seckey.pem -out TESTPATH/cms_decrypt_nocert.rsa" "rsa"
set result [getFile cms_decrypt_nocert.rsa]
string eq $expected $result
} 0 1
}
#test "Creating CA 2001" {
# makeCA ${testname}CA gost2001:A
#} 0 1
#test "Creating CA 2012" {
# makeCA
#} 0 1
#
set hosts [list tls-ref-cp21 tls-ref-cp20]
foreach hstname $hosts {
if {[info exist env(ENC_LIST)]} {
set enc_list $env(ENC_LIST)
} else {
switch -exact [engine_name] {
"ccore" {set enc_list {gost2001:XA:1.2.643.2.2.31.3 gost2001:XB:1.2.643.2.2.31.4 }}
"open" {set enc_list {gost2001:XA:1.2.643.2.2.31.3 gost2001:XB:1.2.643.2.2.31.4 }}
}
}
save_env2 {OPENSSL_CONF CRYPT_PARAMS}
makeFile cmsenc1.cnf [regsub -all "\n\\s*CRYPT_PARAMS\\s*=\[\^\n]*" [getConfig] ""]
set ::env(OPENSSL_CONF) [file join [pwd] cmsenc1.cnf]
foreach enc_tuple $enc_list {
if {![regexp {^([^:]*:[^:]*):(.*)$} $enc_tuple -> alg crypt_param]} {
set alg $enc_tuple
set crypt_param {}
}
set alg_fn [make_fn $enc_tuple]
set username U_cms_enc_$alg_fn
switch -glob $alg {
gost2012* {set ::test::ca cmsCA-2012}
* {set ::test::ca cmsCA}
}
#test "Creating user $username with key $alg" {
# makeRegisteredUser $username $alg
# if {![file exists $username/req.pem]&&[file exists $username/cert.pem]} {
# file delete $username/cert.pem
# }
# file exists $username/cert.pem
#} 0 1
if {[string length $crypt_param]} {
set env(CRYPT_PARAMS) $crypt_param
} else {
if {[info exists env(CRYPT_PARAMS)]} {unset env(CRYPT_PARAMS)}
}
#test -createsfiles cms_enc_$alg_fn.msg "Encrypting for $username" {
# grep "rror" [openssl "cms -encrypt -in encrypt.dat -gost89 -out cms_enc_$alg_fn.msg U_cms_enc_$alg_fn/cert.pem"]
#} 0 ""
if {[info exists env(CRYPT_PARAMS)]} {unset env(CRYPT_PARAMS)}
#test -createsfiles cms_enc_$alg_fn.pem "Extracting CMS from encrypted structure for $username" {
# openssl "cms -cmsout -out cms_enc_$alg_fn.pem -outform PEM -in cms_enc_$alg_fn.msg"
# file isfile cms_enc_$alg_fn.pem
#} 0 1
#test -skip {![file exists cms_enc_$alg_fn.pem]} "Checking oids in pkcs7 structure for $username" {
# extract_oids cms_enc_$alg_fn.pem PEM
#} 0 [mkObjList [alg_id $alg] [param_pubkey $alg] [param_hash $alg] crypt89_cc [param_encr $crypt_param]]
#test "Decrypting file encrypted for $username" {
# set expected [getFile encrypt.dat]
# openssl_remote "$username U_cms_enc_$alg_fn cms_enc_$alg_fn.msg" "$hstname" "cms -decrypt -in TESTPATH/cms_enc_$alg_fn.msg -recip TESTPATH/U_cms_enc_$alg_fn/cert.pem -inkey TESTPATH/U_cms_enc_$alg_fn/seckey.pem -out TESTPATH/cms_decrypt.$alg_fn" "$testname"
# set result [getRemoteFile "$hstname" "TESTPATH/cms_decrypt.$alg_fn" "$testname"]
# string eq $expected $result
#} 0 1
test "Decrypting file encrypted for $username" {
set expected [getFile encrypt.dat]
set result [openssl_remote "$username U_cms_enc_$alg_fn cms_enc_$alg_fn.msg" "$hstname" "cms -decrypt -in TESTPATH/cms_enc_$alg_fn.msg -recip TESTPATH/U_cms_enc_$alg_fn/cert.pem -inkey TESTPATH/U_cms_enc_$alg_fn/seckey.pem" "$testname"]
string eq $expected $result
} 0 1
if {[string length $crypt_param]} {
set env(CRYPT_PARAMS) $crypt_param
} else {
if {[info exists env(CRYPT_PARAMS)]} {unset env(CRYPT_PARAMS)}
}
#test -createsfiles cms_enc_t_$alg_fn.msg "Encrypting for $username - text format" {
# grep "rror" [openssl "cms -encrypt -text -in encrypt.dat -gost89 -out cms_enc_t_$alg_fn.msg U_cms_enc_$alg_fn/cert.pem"]
#} 0 ""
if {[info exists env(CRYPT_PARAMS)]} {unset env(CRYPT_PARAMS)}
test -createsfiles cms_decrypt_t.$alg_fn "Decrypting file text-encrypted for $username" {
set expected [getFile encrypt.dat]
set result [openssl_remote "cms_enc_t_$alg_fn.msg U_cms_enc_$alg_fn" "$hstname" "cms -decrypt -text -in TESTPATH/cms_enc_t_$alg_fn.msg -recip TESTPATH/U_cms_enc_$alg_fn/cert.pem -inkey TESTPATH/U_cms_enc_$alg_fn/seckey.pem" "$testname"]
string eq $expected $result
} 0 1
test -createsfiles cms_decrypt_t_nocert.$alg_fn "Decrypting file text-encrypted for $username without cert" {
set expected [getFile encrypt.dat]
set result [openssl_remote "cms_enc_t_$alg_fn.msg U_cms_enc_$alg_fn" "$hstname" "cms -decrypt -text -in TESTPATH/cms_enc_t_$alg_fn.msg -inkey TESTPATH/U_cms_enc_$alg_fn/seckey.pem" "$testname"]
string eq $expected $result
} 0 1
}
#test -createfiles cms_enc_4all_old "Encrypt for all" {
# puts stdout $enc_list
# grep "rror" [openssl "cms -encrypt -in encrypt.dat -gost89 -out cms_enc_4all_old.msg [map {U_cms_enc_[make_fn $a]/cert.pem} $enc_list]"]
#} 0 ""
foreach enc_tuple $enc_list {
if {![regexp {^([^:]*:[^:]*):(.*)$} $enc_tuple -> alg crypt_param]} {
set alg $enc_tuple
set crypt_param {}
}
set alg_fn [make_fn $enc_tuple]
set username U_cms_enc_$alg_fn
if {[string length $crypt_param]} {
set env(CRYPT_PARAMS) $crypt_param
} else {
if {[info exists env(CRYPT_PARAMS)]} {unset env(CRYPT_PARAMS)}
}
test -createfiles cms_enc_4all_old "Encrypt for all" {
grep "rror" [openssl "cms -encrypt -in encrypt.dat -gost89 -out cms_enc_4all_old.msg [map {U_cms_enc_[make_fn $a]/cert.pem} $enc_list]"]
} 0 ""
test -skip {![file exists cms_enc_4all_old.msg]} "Decrypting gost-encrypted file, recipient $alg_fn" {
set expected [getFile encrypt.dat]
set result [openssl_remote "cms_enc_4all_old.msg $username" "$hstname" "cms -decrypt -in TESTPATH/cms_enc_4all_old.msg -recip TESTPATH/$username/cert.pem -inkey TESTPATH/$username/seckey.pem" "$testname"]
string eq $expected $result
} 0 1
test -skip {![file exists cms_enc_4all_old.msg]} -createsfiles cms_decrypt_4all_nocert.$alg_fn "Decrypting gost-encrypted file without cert, recipient $alg_fn" {
set expected [getFile encrypt.dat]
set result [openssl_remote "cms_enc_4all_old.msg $username" "$hstname" "cms -decrypt -in TESTPATH/cms_enc_4all_old.msg -inkey TESTPATH/$username/seckey.pem" "$testname"]
string eq $expected $result
} 0 1
}
restore_env2 {OPENSSL_CONF CRYPT_PARAMS}
}
end_tests
|
