Add test cases for X509_check_private_key

To test X509_check_private_key and relatives.

Add a CSR and corresponding RSA private key to test
X509_REQ_check_private_key function.
Signed-off-by: NPaul Yang <paulyang.inf@gmail.com>
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3614)

test/build.info

@@ -41,7 +41,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
           ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \
           bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \
           pkey_meth_test uitest cipherbytes_test asn1_encode_test \
-          x509_time_test x509_dup_cert_test recordlentest \
+          x509_time_test x509_dup_cert_test x509_check_cert_pkey_test recordlentest \
           time_offset_test pemtest
 
   SOURCE[aborttest]=aborttest.c
@@ -301,6 +301,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
   INCLUDE[x509_dup_cert_test]=../include
   DEPEND[x509_dup_cert_test]=../libcrypto libtestutil.a
 
+  SOURCE[x509_check_cert_pkey_test]=x509_check_cert_pkey_test.c
+  INCLUDE[x509_check_cert_pkey_test]=../include
+  DEPEND[x509_check_cert_pkey_test]=../libcrypto libtestutil.a
+
   SOURCE[pemtest]=pemtest.c
   INCLUDE[pemtest]=../include .
   DEPEND[pemtest]=../libcrypto libtestutil.a

test/certs/x509-check-key.pem

+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCd6jpgFiM/ZW6d
+CJlEIxmKk7rH7MRL93wW32o5duTwtT1cs/y+ylfey0l5tYBzGMxjUPNeYGTBqiuz
+6ueVyMvbe3wymXPp+zzoaq3if3Jycb+1gurSyiQpF6T1PLmfJDgQQT0XnI7qRwHI
+5FJTvKM9mpv3iKohBseT/a8yfdk27zFYrSMZjfaqZc+0a18bHi/SgNN36Lj+vnPc
+s2DzS8ymBJ10Zq6icy6xL30sHDKPOKKrD8+EJ6suUm5CpLL4N6jPOmk9Dj7XQv2Y
+woX2S0Ys6dFpHuGBJ1NngBW/0Zm9oseDOxxqplPGIYa8nN7BIrTwAJEhkmKTEi9P
+8APIi6DVAgMBAAECggEAMWkKnuoOWVXJiIUaP8GjykJzHP8uZH6paxa4zAYxmEd9
+TbZbjO8PE30UHmr2KA1IVoMLwynyHM68Ie2MTMepUaGPuN1e8YVVB3vpsIckLj79
+NzQheZcaPWlSihFYGz1f9WYUUYEBDrjtDAi04dKSWUI5LviqEu9mHx4vZWMPRiqP
+mrtp3CH34ViJL4v4TtvEeuOvLf4mYpfWe1Il7U2eYSqcxO0lCwk7nd/JCzpPWA7C
+TQZSTtp5AQ4OT7LPFZIgs/87Qi8fuEEvN+6rt07r0j6/gPOVa2xoj4a7MJYsxi9O
+s1xA8Q+xjUEnjHth1MLCrmHYbJuWptIqgPTkVvB2OQKBgQDSAywBvs7PDdt+BLTc
+6J4g/gOL/17ATysmhUGJ6VxrNulViLtiFeyf3p4vj/fSa2y4ZnP/hHovzfces1Bd
+6YXtPGIuRNOnVdlYx2Y/OGrw0baxRAIW8D6Z4ms1n8hesGssteKZeaT4ojIPpJS1
+c1UtextX5OBLYaiFxwTb1Q6bAwKBgQDAfpbrlBN4936glc5uFmKNvFfNB8P30+Bk
+DFtth5TMsCL406aUlIl4lkBrXAgUTndRai2cWYD9ffsXQmm+yx1q5kO6akeAaueq
+WMo3ViZnxK8Fe4oF4M9OoaEQRcVmV5jFMKH9S268B8/x96lNh/i7M58nB5AeNDlV
+AMyHW2vhRwKBgAxduXKk3KKei0UhW9ECNYV1z5mnwNmMD9tlz1Uik5mQky7BLV96
+MQO85Q2h6ZLPVoiJJ91s3JECDMIXBu1wub0daB6XWOsqh/DNVPz2An4JqztG6OSW
+4ujGx09SCEdjFfx8/UnSOt+VFWOMamFA2EwkSpjjVj26E2VFMckMA58nAoGADabs
+vTh7SREEgg8d3ODpjHPXJktuspzsRSw7L8F15C55zHv2TINcXJkLaJHWYNpPzA5j
+vbr7Uv8kV7n2FfoB1BsQop/3AjySwZoafWI2xxVD9HeWimQvT7xW1/iaz29W/mU8
+l+JJsDw9m0OdVkpWcbBvkS0QI5RAnK650r/BHvECgYB6s9Qp5osOCdtPli7MYyD6
+mw+61DSgThUgKa7j96NG2ToYeNWTdf2Fd4Xa7s6MWryaGY+IMSRga24CM+WvaaAL
+iGZLY8dfpM/yDr0pva4WF66ARajDhNx1wvOBQJpHnldX0G4gYczIsIWgUhzo4eH8
+37OzKradFq+avGmtCBeV8A==
+-----END PRIVATE KEY-----

test/certs/x509-check.csr

+-----BEGIN CERTIFICATE REQUEST-----
+MIICXzCCAUcCAQAwGjEYMBYGA1UEAwwPeDUwOS1jaGVjay10ZXN0MIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAneo6YBYjP2VunQiZRCMZipO6x+zES/d8
+Ft9qOXbk8LU9XLP8vspX3stJebWAcxjMY1DzXmBkwaors+rnlcjL23t8Mplz6fs8
+6Gqt4n9ycnG/tYLq0sokKRek9Ty5nyQ4EEE9F5yO6kcByORSU7yjPZqb94iqIQbH
+k/2vMn3ZNu8xWK0jGY32qmXPtGtfGx4v0oDTd+i4/r5z3LNg80vMpgSddGauonMu
+sS99LBwyjziiqw/PhCerLlJuQqSy+DeozzppPQ4+10L9mMKF9ktGLOnRaR7hgSdT
+Z4AVv9GZvaLHgzscaqZTxiGGvJzewSK08ACRIZJikxIvT/ADyIug1QIDAQABoAAw
+DQYJKoZIhvcNAQELBQADggEBABN+XkwFoyyN1+b5SYhUzdQFj0ZfhzNxiMXOFR/n
+ww0gW7KCAhZd90aPBtQjEORzsCUX2xhllglXaojw+wOaEMaJDMDzojJelan1TEWJ
+Vyvklj8OBoH25ur5Y8iWrnMivkb4hU1Mrd4QxF697FVVTniwVyUy8Xfn6D44vEII
+gyCUk/jCD6MAD6/hBaexetqrbUQyVrtPewYgXrJokRDGDzFlG3jcXvl3CV2iib2X
+hAbiaAJmlgZwIMeu/60YgJoIWwilG7dYq9hvcpyfQhYXa9BbOz62WRsLvT0Ewue9
+81kzAkwhfvGauPh/yjP+6K5HY09KdOtg30xtwUtT4IU5yHQ=
+-----END CERTIFICATE REQUEST-----

test/recipes/60-test_x509_check_cert_pkey.t

+#! /usr/bin/env perl
+# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_x509_check_cert_pkey");
+
+plan tests => 6;
+
+# rsa
+ok(run(test(["x509_check_cert_pkey_test",
+             srctop_file("test", "certs", "servercert.pem"),
+             srctop_file("test", "certs", "serverkey.pem"), "cert", "ok"])));
+# mismatched rsa
+ok(run(test(["x509_check_cert_pkey_test",
+             srctop_file("test", "certs", "servercert.pem"),
+             srctop_file("test", "certs", "wrongkey.pem"), "cert", "failed"])));
+# dsa
+ok(run(test(["x509_check_cert_pkey_test",
+             srctop_file("test", "certs", "server-dsa-cert.pem"),
+             srctop_file("test", "certs", "server-dsa-key.pem"), "cert", "ok"])));
+# ecc
+ok(run(test(["x509_check_cert_pkey_test",
+             srctop_file("test", "certs", "server-ecdsa-cert.pem"),
+             srctop_file("test", "certs", "server-ecdsa-key.pem"), "cert", "ok"])));
+# certificate request (rsa)
+ok(run(test(["x509_check_cert_pkey_test",
+             srctop_file("test", "certs", "x509-check.csr"),
+             srctop_file("test", "certs", "x509-check-key.pem"), "req", "ok"])));
+# mismatched certificate request (rsa)
+ok(run(test(["x509_check_cert_pkey_test",
+             srctop_file("test", "certs", "x509-check.csr"),
+             srctop_file("test", "certs", "wrongkey.pem"), "req", "failed"])));

test/x509_check_cert_pkey_test.c

+/*
+ * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+#include "testutil.h"
+
+/*
+ * c: path of a cert in PEM format
+ * k: path of a key in PEM format
+ * t: API type, "cert" for X509_ and "req" for X509_REQ_ APIs.
+ * e: expected, "ok" for success, "failed" for what should fail.
+ */
+static int test_x509_check_cert_pkey(const char *c, const char *k,
+    const char *t, const char *e)
+{
+    BIO *bio = NULL;
+    X509 *x509 = NULL;
+    X509_REQ *x509_req = NULL;
+    EVP_PKEY *pkey = NULL;
+    int ret = 0, type = 0, expected = 0, result;
+
+    /*
+     * we check them first thus if fails we don't need to do
+     * those PEM parsing operations.
+     */
+    if (strcmp(t, "cert") == 0) {
+        type = 1;
+    } else if (strcmp(t, "req") == 0) {
+        type = 2;
+    } else {
+        TEST_error("invalid 'type'");
+        goto failed;
+    }
+
+    if (strcmp(e, "ok") == 0) {
+        expected = 1;
+    } else if (strcmp(e, "failed") == 0) {
+        expected = 2;
+    } else {
+        TEST_error("invalid 'expected'");
+        goto failed;
+    }
+
+    /* process private key */
+    bio = BIO_new_file(k, "r");
+    if (bio == NULL) {
+        TEST_error("create BIO for private key failed");
+        goto failed;
+    }
+
+    pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
+    if (pkey == NULL) {
+        TEST_error("read PEM private key failed");
+        goto failed;
+    }
+
+    BIO_free(bio);
+
+    /* process cert or cert request, use the same local var */
+    bio = BIO_new_file(c, "r");
+    if (bio == NULL) {
+        TEST_error("create BIO for cert or cert req failed");
+        goto failed;
+    }
+
+    switch (type) {
+        case 1:
+            x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+            if (x509 == NULL) {
+                TEST_error("read PEM x509 failed");
+                goto failed;
+            }
+
+            result = X509_check_private_key(x509, pkey);
+            break;
+        case 2:
+            x509_req = PEM_read_bio_X509_REQ(bio, NULL, NULL, NULL);
+            if (x509_req == NULL) {
+                TEST_error("read PEM x509 req failed");
+                goto failed;
+            }
+
+            result = X509_REQ_check_private_key(x509_req, pkey);
+            break;
+        default:
+            /* should never be here */
+            break;
+    }
+
+    if (expected == 1) {
+        /* expected == 1 means we expect an "ok" */
+        if (!TEST_int_eq(result, 1)) {
+            TEST_error("check private key: expected: 1, got: %d", result);
+            goto failed;
+        }
+    } else {
+        if (!TEST_int_eq(result, 0)) {
+            TEST_error("check private key: expected: 0, got: %d", result);
+            goto failed;
+        }
+    }
+
+out:
+    if (bio)
+        BIO_free(bio);
+    if (x509)
+        X509_free(x509);
+    if (x509_req)
+        X509_REQ_free(x509_req);
+    if (pkey)
+        EVP_PKEY_free(pkey);
+    return ret;
+
+failed:
+    ret = 1;
+    goto out;
+}
+
+int test_main(int argc, char **argv)
+{
+    if (!TEST_int_eq(argc, 5)) {
+        TEST_info("usage: x509_check_cert_pkey cert.pem|cert.req"
+                  " key.pem cert|req <expected>");
+        return 1;
+    }
+
+    return test_x509_check_cert_pkey(argv[1], argv[2], argv[3], argv[4]);
+}