Add GOST certificate test in appstest.sh

Enabled by -g option, and default to disabled (RSA certificate is used)

1 files changed, 107 insertions, 26 deletions

diff --git a/regress/usr.bin/openssl/appstest.sh b/regress/usr.bin/openssl/appstest.sh
index 44b13438f70..dd32d058b46 100755
--- a/regress/usr.bin/openssl/appstest.sh
+++ b/regress/usr.bin/openssl/appstest.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $OpenBSD: appstest.sh,v 1.39 2020/05/17 04:43:16 inoguchi Exp $
+# $OpenBSD: appstest.sh,v 1.40 2020/05/17 08:14:26 inoguchi Exp $
 #
 # Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org>
 #
@@ -58,7 +58,7 @@ function check_exit_status {
 }
 
 function usage {
-	echo "usage: appstest.sh [-iq]"
+	echo "usage: appstest.sh [-egiq]"
 }
 
 function test_usage_lists_others {
@@ -691,6 +691,8 @@ __EOF__
 	# --- server-admin operations (generate server key and csr) ---
 	section_message "server-admin operations (generate server key and csr)"
 	
+	# RSA certificate
+
 	server_key=$server_dir/server_key.pem
 	server_csr=$server_dir/server_csr.pem
 	server_pass=test-server-pass
@@ -724,6 +726,8 @@ __EOF__
 
 	start_message "req ... generate server csr#2 (interactive mode)"
 	
+	# RSA certificate (for revoke test)
+
 	revoke_key=$server_dir/revoke_key.pem
 	revoke_csr=$server_dir/revoke_csr.pem
 	revoke_pass=test-revoke-pass
@@ -737,6 +741,8 @@ revoke.test_dummy.com
 __EOF__
 	check_exit_status $?
 
+	# ECDSA certificate
+
 	ecdsa_key=$server_dir/ecdsa_key.pem
 	ecdsa_csr=$server_dir/ecdsa_csr.pem
 	ecdsa_pass=test-ecdsa-pass
@@ -768,6 +774,40 @@ __EOF__
 		-out $ecdsa_csr.verify.out
 	check_exit_status $?
 
+	# GOST certificate
+
+	gost_key=$server_dir/gost_key.pem
+	gost_csr=$server_dir/gost_csr.pem
+	gost_pass=test-gost-pass
+
+	if [ $mingw = 0 ] ; then
+		subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=gost.test_dummy.com/'
+	else
+		subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=gost.test_dummy.com\'
+	fi
+	
+	start_message "genpkey ... generate server key#4"
+
+	$openssl_bin genpkey -algorithm GOST2001 -pkeyopt paramset:A \
+		-pkeyopt dgst:streebog512 -out $gost_key
+	check_exit_status $?
+
+	start_message "req ... generate server csr#4"
+
+	$openssl_bin req -new -subj $subj -streebog512 \
+		-key $gost_key -keyform pem -passin pass:$gost_pass \
+		-addext 'subjectAltName = DNS:gost.test_dummy.com' \
+		-out $gost_csr -outform pem
+	check_exit_status $?
+	
+	start_message "req ... verify server csr#4"
+
+	$openssl_bin req -verify -in $gost_csr -inform pem \
+		-newhdr -noout -pubkey -subject -modulus -text \
+		-nameopt multiline -reqopt compatible \
+		-out $gost_csr.verify.out
+	check_exit_status $?
+
 	#---------#---------#---------#---------#---------#---------#---------
 	
 	# --- CA operations (issue cert for server) ---
@@ -794,7 +834,14 @@ __EOF__
 	
 	ecdsa_cert=$server_dir/ecdsa_cert.pem
 	$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
-		-in $ecdsa_csr -out $ecdsa_cert > $ecdsa_cert 2>&1
+		-in $ecdsa_csr -out $ecdsa_cert > $ecdsa_cert.log 2>&1
+	check_exit_status $?
+	
+	start_message "ca ... issue cert for server csr#4"
+	
+	gost_cert=$server_dir/gost_cert.pem
+	$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \
+		-in $gost_csr -out $gost_cert > $gost_cert.log 2>&1
 	check_exit_status $?
 	
 	#---------#---------#---------#---------#---------#---------#---------
@@ -1322,9 +1369,14 @@ function test_pkcs {
 }
 
 function test_sc_by_protocol_version {
-	cid=$1
+	sc=$1
 	ver=$2
 	msg=$3
+	cid=$4
+
+	if [ $gost_tests = 1 ] && [ $ver = "tls1_3" -o $sc != 00 ] ; then
+		return
+	fi
 
 	s_client_out=$user1_dir/s_client_${sc}_${ver}.out
 	
@@ -1349,6 +1401,10 @@ function test_sc_all_cipher {
 	sc=$1
 	ver=$2
 
+	if [ $gost_tests = 1 ] && [ $ver = "tls1_3" -o $sc != 00 ] ; then
+		return
+	fi
+
 	copt=cipher
 	ciphers=$user1_dir/ciphers_${sc}_${ver}
 
@@ -1367,10 +1423,12 @@ function test_sc_all_cipher {
 		s_ciph=$server_dir/s_ciph_${sc}_${ver}
 		cipher_string=""
 		if [ $s_id = "0" ] ; then
-			if [ $ecdsa_tests = 0 ] ; then
-				cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3"
-			else
+			if [ $ecdsa_tests = 1 ] ; then
 				cipher_string="ECDSA+TLSv1.2:!TLSv1.3"
+			elif [ $gost_tests = 1 ] ; then
+				cipher_string="kGOST:!NULL:!TLSv1.3"
+			else
+				cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3"
 			fi
 		fi
 		$s_bin ciphers -v $cipher_string | awk '{print $1}' > $s_ciph
@@ -1378,10 +1436,12 @@ function test_sc_all_cipher {
 		c_ciph=$user1_dir/c_ciph_${sc}_${ver}
 		cipher_string=""
 		if [ $c_id = "0" ] ; then
-			if [ $ecdsa_tests = 0 ] ; then
-				cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3"
-			else
+			if [ $ecdsa_tests = 1 ] ; then
 				cipher_string="ECDSA+TLSv1.2:!TLSv1.3"
+			elif [ $gost_tests = 1 ] ; then
+				cipher_string="kGOST:!NULL:!TLSv1.3"
+			else
+				cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3"
 			fi
 		fi
 		$c_bin ciphers -v $cipher_string | awk '{print $1}' > $c_ciph
@@ -1413,6 +1473,11 @@ function test_sc_all_cipher {
 function test_sc_session_reuse {
 	sc=$1
 	ver=$2
+
+	if [ $gost_tests = 1 ] && [ $ver = "tls1_3" -o $sc != 00 ] ; then
+		return
+	fi
+
 	sess_dat=$user1_dir/s_client_${sc}_${ver}_sess.dat
 
 	# Get session ticket to reuse
@@ -1460,6 +1525,10 @@ function test_sc_verify {
 	sc=$1
 	ver=$2
 
+	if [ $gost_tests = 1 ] && [ $ver = "tls1_3" -o $sc != 00 ] ; then
+		return
+	fi
+
 	# invalid verification pattern
 	
 	s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_invalid.out
@@ -1508,16 +1577,21 @@ function test_server_client {
 	port=4433
 	s_server_out=$server_dir/s_server_${sc}_tls.out
 
-	if [ $ecdsa_tests = 0 ] ; then
-		echo "Using RSA certificate"
-		crt=$server_cert
-		key=$server_key
-		pwd=$server_pass
-	else
+	if [ $ecdsa_tests = 1 ] ; then
 		echo "Using ECDSA certificate"
 		crt=$ecdsa_cert
 		key=$ecdsa_key
 		pwd=$ecdsa_pass
+	elif [ $gost_tests = 1 ] ; then
+		echo "Using GOST certificate"
+		crt=$gost_cert
+		key=$gost_key
+		pwd=$gost_pass
+	else
+		echo "Using RSA certificate"
+		crt=$server_cert
+		key=$server_key
+		pwd=$server_pass
 	fi
 
 	$s_bin version | grep 'OpenSSL 1.1.1' > /dev/null
@@ -1539,10 +1613,10 @@ function test_server_client {
 	sleep 1
 	
 	# test by protocol version
-	test_sc_by_protocol_version $c_id tls1 'Protocol  : TLSv1$'
-	test_sc_by_protocol_version $c_id tls1_1 'Protocol  : TLSv1\.1$'
-	test_sc_by_protocol_version $c_id tls1_2 'Protocol  : TLSv1\.2$'
-	test_sc_by_protocol_version $c_id tls1_3 'Protocol  : TLSv1\.3$'
+	test_sc_by_protocol_version $sc tls1   'Protocol  : TLSv1$'    $c_id
+	test_sc_by_protocol_version $sc tls1_1 'Protocol  : TLSv1\.1$' $c_id
+	test_sc_by_protocol_version $sc tls1_2 'Protocol  : TLSv1\.2$' $c_id
+	test_sc_by_protocol_version $sc tls1_3 'Protocol  : TLSv1\.3$' $c_id
 	
 	# all available ciphers with random order
 	test_sc_all_cipher $sc tls1_2
@@ -1556,10 +1630,12 @@ function test_server_client {
 	test_sc_verify $sc tls1_3
 	
 	# s_time
-	start_message "s_time ... connect to TLS/SSL test server"
-	$c_bin s_time -connect $host:$port -CApath $ca_dir -time 1 \
-		> $server_dir/s_time_${sc}.log
-	check_exit_status $?
+	if [ $gost_tests != 1 ] ; then
+		start_message "s_time ... connect to TLS/SSL test server"
+		$c_bin s_time -connect $host:$port -CApath $ca_dir -time 1 \
+			> $server_dir/s_time_${sc}.log
+		check_exit_status $?
+	fi
 	
 	stop_s_server
 }
@@ -1592,14 +1668,19 @@ openssl_bin=${OPENSSL:-/usr/bin/openssl}
 other_openssl_bin=${OTHER_OPENSSL:-/usr/local/bin/eopenssl11}
 
 ecdsa_tests=0
+gost_tests=0
 interop_tests=0
 no_long_tests=0
 
 while [ "$1" != "" ]; do
 	case $1 in
-		-e | --ecdsa)
-					shift
+		-e | --ecdsa)		shift
 					ecdsa_tests=1
+					gost_tests=0
+					;;
+		-g | --gost)		shift
+					gost_tests=1
+					ecdsa_tests=0
 					;;
 		-i | --interop)		shift
 					interop_tests=1