OTP-8649 dg/public_key-test-coverage

author: Raimo Niskanen <[email protected]> 2010-06-01 08:15:05 +0000
committer: Erlang/OTP <[email protected]> 2010-06-01 08:15:05 +0000
commit: 736719a1aa5c48d34a717a971495e674a6aca336 (patch)
tree: 934765fb4123c6ddd7253a32419b6683dd10a048 /lib/public_key/test/public_key_SUITE.erl
parent: 61ed122ce262cbaaf39738f4381b01de54fe86ca (diff)
download: otp-736719a1aa5c48d34a717a971495e674a6aca336.tar.gz
otp-736719a1aa5c48d34a717a971495e674a6aca336.tar.bz2
otp-736719a1aa5c48d34a717a971495e674a6aca336.zip
1 files changed, 161 insertions, 77 deletions
diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
index 8cc36e490d..6a3d6bfcf5 100644
--- a/lib/public_key/test/public_key_SUITE.erl
+++ b/lib/public_key/test/public_key_SUITE.erl
@@ -101,14 +101,13 @@ all(doc) ->
 
 all(suite) -> 
     [app, 
+     dh, 
      pem_to_der, 
-     decode_private_key
-%%    encrypt_decrypt, 
-%%     rsa_verify
-%%      dsa_verify_sign,
-%%      pkix_encode_decode,
-%%      pkix_verify_sign, 
-%%      pkix_path_validation
+     decode_private_key,
+     encrypt_decrypt, 
+     sign_verify,
+     pkix,
+     pkix_path_validation
     ].
 
 %% Test cases starts here.
@@ -118,20 +117,35 @@ app(doc) ->
     "Test that the public_key app file is ok";
 app(suite) ->
     [];
-app(Config) when list(Config) ->
+app(Config) when is_list(Config) ->
     ok = test_server:app_test(public_key).
 
+dh(doc) ->
+    "Test diffie-hellman functions file is ok";
+dh(suite) ->
+    [];
+dh(Config) when is_list(Config) ->
+    Datadir = ?config(data_dir, Config),
+    {ok,[DerDHparams = {dh_params, _, _}]} = 
+	public_key:pem_to_der(filename:join(Datadir, "dh.pem")),
+    {ok, DHps = #'DHParameter'{prime=P,base=G}} = public_key:decode_dhparams(DerDHparams),
+    DHKeys = {Private,_Public} = public_key:gen_key(DHps),
+    test_server:format("DHparams = ~p~nDH Keys~p~n", [DHps, DHKeys]),
+    {_Private,_Public2} = pubkey_crypto:gen_key(diffie_hellman, [crypto:erlint(Private), P, G]),
+    ok.
+    
+
 pem_to_der(doc) -> 
     ["Check that supported PEM files are decoded into the expected entry type"];
 pem_to_der(suite) -> 
     [];
 pem_to_der(Config) when is_list(Config) -> 
     Datadir = ?config(data_dir, Config),
-    {ok,[{dsa_private_key, _, not_encrypted}]} = 
+    {ok,DSAKey =[{dsa_private_key, _, not_encrypted}]} = 
 	public_key:pem_to_der(filename:join(Datadir, "dsa.pem")), 
     {ok,[{rsa_private_key, _, _}]} = 
 	public_key:pem_to_der(filename:join(Datadir, "client_key.pem")),
-    {ok,[{rsa_private_key, _, _}]} = 
+    {ok, [{rsa_private_key, _, _}]} = 
 	public_key:pem_to_der(filename:join(Datadir, "rsa.pem")),
     {ok,[{rsa_private_key, _, _}]} = 
 	public_key:pem_to_der(filename:join(Datadir, "rsa.pem"), "abcd1234"),
@@ -144,12 +158,18 @@ pem_to_der(Config) when is_list(Config) ->
 	public_key:pem_to_der(filename:join(Datadir, "client_cert.pem")),
     {ok,[{cert_req, _, _}]} = 
 	public_key:pem_to_der(filename:join(Datadir, "req.pem")),
-    {ok,[{cert, _, _}, {cert, _, _}]} = 
+    {ok, Certs = [{cert, _, _}, {cert, _, _}]} = 
 	public_key:pem_to_der(filename:join(Datadir, "cacerts.pem")),
 
-    {ok, Bin1} = file:read_file(filename:join(Datadir, "cacerts.pem")),    
+    {ok, Bin1} = file:read_file(filename:join(Datadir, "cacerts.pem")),
     {ok, [{cert, _, _}, {cert, _, _}]} = public_key:pem_to_der(Bin1),
+
+    ok = public_key:der_to_pem(filename:join(Datadir, "wcacerts.pem"), Certs), 
+    ok = public_key:der_to_pem(filename:join(Datadir, "wdsa.pem"), DSAKey), 
     
+    {ok, Certs} = public_key:pem_to_der(filename:join(Datadir, "wcacerts.pem")),
+    {ok, DSAKey} = public_key:pem_to_der(filename:join(Datadir, "wdsa.pem")),
+
     ok.
 %%--------------------------------------------------------------------
 decode_private_key(doc) -> 
@@ -178,84 +198,148 @@ encrypt_decrypt(doc) ->
 encrypt_decrypt(suite) -> 
     [];
 encrypt_decrypt(Config) when is_list(Config) -> 
-    RSAPrivateKey = #'RSAPrivateKey'{publicExponent = 17,	
-				     modulus = 3233,
-				     privateExponent = 2753,
-				     prime1 = 61,
-				     prime2 = 53,
-				     version = 'two-prime'},
-    Msg = <<0,123>>,   
-    {ok, Encrypted} = public_key:encrypt(Msg, RSAPrivateKey, [{block_type, 2}]),
-    test_server:format("Expected 855, Encrypted  ~p ~n", [Encrypted]),
+    {PrivateKey, _DerKey} = pkey_test:gen_rsa(64),
+    #'RSAPrivateKey'{modulus=Mod, publicExponent=Exp} = PrivateKey,
+    PublicKey = #'RSAPublicKey'{modulus=Mod, publicExponent=Exp},
+    Msg = list_to_binary(lists:duplicate(5, "Foo bar 100")),
+    RsaEncrypted = public_key:encrypt_private(Msg, PrivateKey),
+    Msg = public_key:decrypt_public(RsaEncrypted, PublicKey),
+    Msg = public_key:decrypt_public(RsaEncrypted, PrivateKey),
+    RsaEncrypted2 = public_key:encrypt_public(Msg, PublicKey),
+    RsaEncrypted3 = public_key:encrypt_public(Msg, PrivateKey),
+    Msg = public_key:decrypt_private(RsaEncrypted2, PrivateKey),
+    Msg = public_key:decrypt_private(RsaEncrypted3, PrivateKey),
+
     ok.
+       
+%%--------------------------------------------------------------------
+sign_verify(doc) -> 
+    ["Checks that we can sign and verify signatures."];
+sign_verify(suite) -> 
+    [];
+sign_verify(Config) when is_list(Config) -> 
+    %% Make cert signs and validates the signature using RSA and DSA
+    Ca = {_, CaKey} = pkey_test:make_cert([]),
+    {ok, PrivateRSA = #'RSAPrivateKey'{modulus=Mod, publicExponent=Exp}} = 
+	public_key:decode_private_key(CaKey),
+
+    CertInfo = {Cert1,CertKey1} = pkey_test:make_cert([{key, dsa}, {issuer, Ca}]),
+
+    PublicRSA = #'RSAPublicKey'{modulus=Mod, publicExponent=Exp},
+    true = public_key:verify_signature(Cert1, PublicRSA, undefined),
+
+    {Cert2,_CertKey} = pkey_test:make_cert([{issuer, CertInfo}]),
+
+    {ok, #'DSAPrivateKey'{p=P, q=Q, g=G, y=Y, x=_X}} = 
+	public_key:decode_private_key(CertKey1),
+    true = public_key:verify_signature(Cert2, Y, #'Dss-Parms'{p=P, q=Q, g=G}),
     
+    %% RSA sign
+    Msg0 = lists:duplicate(5, "Foo bar 100"),
+    Msg  = list_to_binary(Msg0),
+    RSASign = public_key:sign(sha, Msg0, PrivateRSA),
+    RSASign = public_key:sign(Msg, PrivateRSA),
+    true = public_key:verify_signature(Msg, sha, RSASign, PublicRSA), 
+    false = public_key:verify_signature(<<1:8, Msg/binary>>, sha, RSASign, PublicRSA), 
+    false = public_key:verify_signature(Msg, sha, <<1:8, RSASign/binary>>, PublicRSA), 
+    RSASign = public_key:sign(sha, Msg, PrivateRSA),
 
+    RSASign1 = public_key:sign(md5, Msg, PrivateRSA),
+    true = public_key:verify_signature(Msg, md5, RSASign1, PublicRSA), 
+    
+    %% DSA sign
+    Datadir = ?config(data_dir, Config),
+    {ok,[DsaKey = {dsa_private_key, _, _}]} = 
+	public_key:pem_to_der(filename:join(Datadir, "dsa.pem")), 
+    {ok, DSAPrivateKey} = public_key:decode_private_key(DsaKey),
+    #'DSAPrivateKey'{p=P1, q=Q1, g=G1, y=Y1, x=_X1} = DSAPrivateKey,
+    DSASign = public_key:sign(Msg, DSAPrivateKey),
+    DSAPublicKey = Y1,
+    DSAParams = #'Dss-Parms'{p=P1, q=Q1, g=G1},
+    true = public_key:verify_signature(Msg, sha, DSASign, DSAPublicKey, DSAParams), 
+    false = public_key:verify_signature(<<1:8, Msg/binary>>, sha, DSASign, DSAPublicKey, DSAParams), 
+    false = public_key:verify_signature(Msg, sha, <<1:8, DSASign/binary>>, DSAPublicKey, DSAParams), 
+    
+    ok.
 
+pkix(doc) ->
+    "Misc pkix tests not covered elsewhere";
+pkix(suite) ->
+    [];
+pkix(Config) when is_list(Config) ->
+    Datadir = ?config(data_dir, Config),
+    {ok,Certs0} = public_key:pem_to_der(filename:join(Datadir, "cacerts.pem")),
+    {ok,Certs1} = public_key:pem_to_der(filename:join(Datadir, "client_cert.pem")),
+    TestTransform = fun({cert, CertDer, not_encrypted}) ->
+			    {ok, PlainCert} = public_key:pkix_decode_cert(CertDer, plain),
+			    {ok, OtpCert} = public_key:pkix_decode_cert(CertDer, otp),
+			    CertDer = public_key:pkix_encode_cert(OtpCert),
+			    CertDer = public_key:pkix_encode_cert(PlainCert),
 
+			    OTPSubj = (OtpCert#'OTPCertificate'.tbsCertificate)#'OTPTBSCertificate'.subject,
+			    Subj = public_key:pkix_transform(OTPSubj, encode),
+			    {ok, DNEncoded} = 'OTP-PUB-KEY':encode('Name', Subj),
+			    Subj2 = (PlainCert#'Certificate'.tbsCertificate)#'TBSCertificate'.subject,
+			    {ok, DNEncoded} = 'OTP-PUB-KEY':encode('Name', Subj2),
+			    OTPSubj = public_key:pkix_transform(Subj2, decode),
 
+			    false = public_key:pkix_is_fixed_dh_cert(CertDer)
+		    end,
+    [TestTransform(Cert) || Cert <- Certs0 ++ Certs1],
 
+    true = public_key:pkix_is_self_signed(element(2,hd(Certs0))),
+    false = public_key:pkix_is_self_signed(element(2,hd(Certs1))),
 
+    CaIds = [element(2, public_key:pkix_issuer_id(Cert, self)) || {cert, Cert, _} <- Certs0],
+    {ok, IssuerId = {_, IssuerName}} = public_key:pkix_issuer_id(element(2,hd(Certs1)), other),
+    true = lists:member(IssuerId, CaIds),
 
+    %% Should be normalized allready
+    TestStr   = {rdnSequence, [[{'AttributeTypeAndValue', {2,5,4,3},{printableString,"ERLANGCA"}}],
+			       [{'AttributeTypeAndValue', {2,5,4,3},{printableString," erlang  ca "}}]]},
+    VerifyStr = {rdnSequence, [[{'AttributeTypeAndValue', {2,5,4,3},{printableString,"erlang ca"}}],
+			       [{'AttributeTypeAndValue', {2,5,4,3},{printableString,"erlangca"}}]]},
+    VerifyStr = public_key:pkix_normalize_general_name(TestStr),
 
-%%     Datadir = ?config(data_dir, Config),
-%%      {ok,[{rsa_private_key, EncKey}]} = 
-%% 	public_key:pem_to_der(filename:join(Datadir, "server_key.pem")), 
-%%     {ok, Key} = public_key:decode_private_key(EncKey, rsa),
-%%     RSAPublicKey = #'RSAPublicKey'{publicExponent =
-%% 				   Key#'RSAPrivateKey'.publicExponent,
-%% 				   modulus = Key#'RSAPrivateKey'.modulus},
-%%     {ok, Msg} = file:read_file(filename:join(Datadir, "msg.txt")),
-%%     Hash = crypto:sha(Msg),
-%%     {ok, Encrypted} = public_key:encrypt(Hash, Key, [{block_type, 2}]),
-%%     test_server:format("Encrypted ~p", [Encrypted]),
-%%     {ok, Decrypted} = public_key:decrypt(Encrypted, 
-%% 					 RSAPublicKey, [{block_type, 1}]),
-%%     test_server:format("Encrypted ~p", [Decrypted]),
-%%     true = Encrypted == Decrypted. 
-    
-%%--------------------------------------------------------------------
-rsa_verify(doc) -> 
-    ["Cheks that we can verify an rsa signature."];
-rsa_verify(suite) -> 
+    ok.
+
+pkix_path_validation(doc) ->
+    "Misc pkix tests not covered elsewhere";
+pkix_path_validation(suite) ->
     [];
-rsa_verify(Config) when is_list(Config) -> 
-    Datadir = ?config(data_dir, Config),
-    
-    {ok,[{cert, DerCert}]} = 
-	public_key:pem_to_der(filename:join(Datadir, "server_cert.pem")),
+pkix_path_validation(Config) when is_list(Config) ->
+    CaK = {Trusted,_} = 
+	pkey_test:make_cert([{key, dsa},
+			     {subject, [
+					{name, "Public Key"},
+					{?'id-at-name', {printableString, "public_key"}},
+					{?'id-at-pseudonym', {printableString, "pubkey"}},
+					{city, "Stockholm"},
+					{country, "SE"},
+					{org, "erlang"},
+					{org_unit, "testing dep"}
+				       ]}
+			    ]),
+    ok = pkey_test:write_pem("/tmp", "cacert", CaK),
+
+    CertK1 = {Cert1, _} = pkey_test:make_cert([{issuer, CaK}]),
+    CertK2 = {Cert2,_} = pkey_test:make_cert([{issuer, CertK1}, {digest, md5}, {extensions, false}]),
+    ok = pkey_test:write_pem("/tmp", "cert", CertK2),
+
+    {ok, _} = public_key:pkix_path_validation(Trusted, [Cert1], []),
     
-    {ok, OTPCert} = public_key:pkix_decode_cert(DerCert, otp),
+    {error, {bad_cert,invalid_issuer}} = public_key:pkix_path_validation(Trusted, [Cert2], []),
+    %%{error, {bad_cert,invalid_issuer}} = public_key:pkix_path_validation(Trusted, [Cert2], [{verify,false}]), 
     
-    {0, Signature} = OTPCert#'Certificate'.signature,
-    TBSCert =  OTPCert#'Certificate'.tbsCertificate,
+    {ok, _} = public_key:pkix_path_validation(Trusted, [Cert1, Cert2], []),    
+    {error, issuer_not_found} = public_key:pkix_issuer_id(Cert2, other),
 
-    #'TBSCertificate'{subjectPublicKeyInfo = Info} = TBSCert,
+    CertK3 = {Cert3,_}  = pkey_test:make_cert([{issuer, CertK1}, {extensions, [{basic_constraints, false}]}]),
+    {Cert4,_}  = pkey_test:make_cert([{issuer, CertK3}]),
+    {error, E={bad_cert,missing_basic_constraint}} = 
+	public_key:pkix_path_validation(Trusted, [Cert1, Cert3,Cert4], []),
     
-    #'SubjectPublicKeyInfo'{subjectPublicKey = RSAPublicKey} = Info,
-    
-    EncTBSCert = encoded_tbs_cert(DerCert),
-    Digest = crypto:sha(EncTBSCert),
-
-    public_key:verify_signature(Digest, Signature, RSAPublicKey).
-
-
-%% Signature is generated in the following way (in datadir):
-%% openssl dgst -sha1 -binary -out rsa_signature -sign server_key.pem msg.txt
-%%{ok, Signature} = file:read_file(filename:join(Datadir, "rsa_signature")),
-%%{ok, Signature} = file:read_file(filename:join(Datadir, "rsa_signature")),
-%% {ok, Msg} = file:read_file(filename:join(Datadir, "msg.txt")),
-%% Digest = crypto:sha(Msg),
-%% {ok,[{rsa_private_key, EncKey}]} = 
-%%	public_key:pem_to_der(filename:join(Datadir, "server_key.pem")), 
-%%    {ok, Key} = public_key:decode_private_key(EncKey, rsa),
-%%    RSAPublicKey = #'RSAPublicKey'{publicExponent =
-%%				   Key#'RSAPrivateKey'.publicExponent,
-%%				   modulus = Key#'RSAPrivateKey'.modulus},
-
-encoded_tbs_cert(Cert) ->
-    {ok, PKIXCert} = 
-	'OTP-PUB-KEY':decode_TBSCert_exclusive(Cert),
-    {'Certificate',
-     {'Certificate_tbsCertificate', EncodedTBSCert}, _, _} = PKIXCert,
-    EncodedTBSCert.
+    {ok, {_,_,[E]}} = public_key:pkix_path_validation(Trusted, [Cert1, Cert3,Cert4], [{verify,false}]),
 
+    % test_server:format("PV ~p ~n", [Result]),
+    ok.
author	Raimo Niskanen <[email protected]>	2010-06-01 08:15:05 +0000
committer	Erlang/OTP <[email protected]>	2010-06-01 08:15:05 +0000
commit	736719a1aa5c48d34a717a971495e674a6aca336 (patch)
tree	934765fb4123c6ddd7253a32419b6683dd10a048 /lib/public_key/test/public_key_SUITE.erl
parent	61ed122ce262cbaaf39738f4381b01de54fe86ca (diff)
download	otp-736719a1aa5c48d34a717a971495e674a6aca336.tar.gz otp-736719a1aa5c48d34a717a971495e674a6aca336.tar.bz2 otp-736719a1aa5c48d34a717a971495e674a6aca336.zip