|
| 1 | +use strict; |
| 2 | +use warnings; |
| 3 | +use Test::More; |
| 4 | +use MIME::Base64; |
| 5 | +use Crypt::OpenSSL::RSA; |
| 6 | + |
| 7 | +BEGIN { plan tests => 22 } |
| 8 | + |
| 9 | +# --- Generate a key pair for testing --- |
| 10 | + |
| 11 | +my $rsa = Crypt::OpenSSL::RSA->generate_key(2048); |
| 12 | + |
| 13 | +# --- Extract PEM public keys --- |
| 14 | + |
| 15 | +my $pkcs1_pem = $rsa->get_public_key_string(); # PKCS#1 (BEGIN RSA PUBLIC KEY) |
| 16 | +my $x509_pem = $rsa->get_public_key_x509_string(); # X.509 (BEGIN PUBLIC KEY) |
| 17 | + |
| 18 | +# --- Convert PEM to DER by stripping headers and base64-decoding --- |
| 19 | + |
| 20 | +sub pem_to_der { |
| 21 | + my ($pem) = @_; |
| 22 | + $pem =~ s/-----BEGIN [^-]+-----//; |
| 23 | + $pem =~ s/-----END [^-]+-----//; |
| 24 | + $pem =~ s/\s+//g; |
| 25 | + return decode_base64($pem); |
| 26 | +} |
| 27 | + |
| 28 | +my $pkcs1_der = pem_to_der($pkcs1_pem); |
| 29 | +my $x509_der = pem_to_der($x509_pem); |
| 30 | + |
| 31 | +# Sanity check: DER data starts with ASN.1 SEQUENCE tag |
| 32 | +is( ord(substr($pkcs1_der, 0, 1)), 0x30, "PKCS#1 DER starts with SEQUENCE tag" ); |
| 33 | +is( ord(substr($x509_der, 0, 1)), 0x30, "X.509 DER starts with SEQUENCE tag" ); |
| 34 | + |
| 35 | +# --- Load DER keys via new_public_key --- |
| 36 | + |
| 37 | +my ($pub_from_x509_der, $pub_from_pkcs1_der); |
| 38 | + |
| 39 | +ok( $pub_from_x509_der = Crypt::OpenSSL::RSA->new_public_key($x509_der), |
| 40 | + "new_public_key loads X.509 DER key" ); |
| 41 | + |
| 42 | +ok( $pub_from_pkcs1_der = Crypt::OpenSSL::RSA->new_public_key($pkcs1_der), |
| 43 | + "new_public_key loads PKCS#1 DER key" ); |
| 44 | + |
| 45 | +# --- Verify round-trip: DER-loaded keys produce the same PEM output --- |
| 46 | + |
| 47 | +is( $pub_from_x509_der->get_public_key_x509_string(), $x509_pem, |
| 48 | + "X.509 DER key exports to same X.509 PEM" ); |
| 49 | + |
| 50 | +is( $pub_from_x509_der->get_public_key_string(), $pkcs1_pem, |
| 51 | + "X.509 DER key exports to same PKCS#1 PEM" ); |
| 52 | + |
| 53 | +is( $pub_from_pkcs1_der->get_public_key_x509_string(), $x509_pem, |
| 54 | + "PKCS#1 DER key exports to same X.509 PEM" ); |
| 55 | + |
| 56 | +is( $pub_from_pkcs1_der->get_public_key_string(), $pkcs1_pem, |
| 57 | + "PKCS#1 DER key exports to same PKCS#1 PEM" ); |
| 58 | + |
| 59 | +# --- Verify DER-loaded keys can actually verify signatures --- |
| 60 | + |
| 61 | +$rsa->use_sha256_hash(); |
| 62 | +my $plaintext = "Hello, DER world!"; |
| 63 | +my $sig = $rsa->sign($plaintext); |
| 64 | + |
| 65 | +$pub_from_x509_der->use_sha256_hash(); |
| 66 | +ok( $pub_from_x509_der->verify($plaintext, $sig), |
| 67 | + "X.509 DER-loaded key verifies signature" ); |
| 68 | + |
| 69 | +$pub_from_pkcs1_der->use_sha256_hash(); |
| 70 | +ok( $pub_from_pkcs1_der->verify($plaintext, $sig), |
| 71 | + "PKCS#1 DER-loaded key verifies signature" ); |
| 72 | + |
| 73 | +# --- Private key DER support --- |
| 74 | + |
| 75 | +my $priv_pem = $rsa->get_private_key_string(); |
| 76 | +my $priv_der = pem_to_der($priv_pem); |
| 77 | + |
| 78 | +is( ord(substr($priv_der, 0, 1)), 0x30, "Private key DER starts with SEQUENCE tag" ); |
| 79 | + |
| 80 | +my $priv_from_der; |
| 81 | +ok( $priv_from_der = Crypt::OpenSSL::RSA->new_private_key($priv_der), |
| 82 | + "new_private_key loads DER-encoded private key" ); |
| 83 | + |
| 84 | +ok( $priv_from_der->is_private(), |
| 85 | + "DER-loaded private key is recognized as private" ); |
| 86 | + |
| 87 | +is( $priv_from_der->get_public_key_x509_string(), $x509_pem, |
| 88 | + "DER-loaded private key exports same public key" ); |
| 89 | + |
| 90 | +# Verify DER-loaded private key can sign and original public key can verify |
| 91 | +$priv_from_der->use_sha256_hash(); |
| 92 | +my $sig2 = $priv_from_der->sign($plaintext); |
| 93 | +ok( $pub_from_x509_der->verify($plaintext, $sig2), |
| 94 | + "signature from DER-loaded private key verifies" ); |
| 95 | + |
| 96 | +# Error: DER-like data for private key |
| 97 | +eval { Crypt::OpenSSL::RSA->new_private_key("\x30\x00") }; |
| 98 | +ok( $@, "new_private_key croaks on truncated DER data" ); |
| 99 | + |
| 100 | +# Error: bogus binary data for private key |
| 101 | +eval { Crypt::OpenSSL::RSA->new_private_key("\x01\x02\x03\x04") }; |
| 102 | +like( $@, qr/unrecognized key format/, |
| 103 | + "new_private_key gives helpful error on random binary data" ); |
| 104 | + |
| 105 | +# PEM private keys still work through the wrapper |
| 106 | +my $priv_from_pem; |
| 107 | +ok( $priv_from_pem = Crypt::OpenSSL::RSA->new_private_key($priv_pem), |
| 108 | + "new_private_key still loads PEM-encoded private key" ); |
| 109 | + |
| 110 | +# --- Error cases --- |
| 111 | + |
| 112 | +# DER-like data that isn't a valid key (no RSA OID, so falls through to PKCS#1 path) |
| 113 | +eval { Crypt::OpenSSL::RSA->new_public_key("\x30\x00") }; |
| 114 | +ok( $@, "new_public_key croaks on truncated DER data" ); |
| 115 | + |
| 116 | +# Completely bogus binary data (not starting with 0x30) |
| 117 | +eval { Crypt::OpenSSL::RSA->new_public_key("\x01\x02\x03\x04") }; |
| 118 | +like( $@, qr/unrecognized key format/, |
| 119 | + "new_public_key gives helpful error on random binary data" ); |
| 120 | + |
| 121 | +# Empty string |
| 122 | +eval { Crypt::OpenSSL::RSA->new_public_key("") }; |
| 123 | +like( $@, qr/unrecognized key format/, |
| 124 | + "new_public_key gives helpful error on empty string" ); |
| 125 | + |
| 126 | +# PEM header for wrong type |
| 127 | +eval { Crypt::OpenSSL::RSA->new_public_key("-----BEGIN CERTIFICATE-----\nfoo\n-----END CERTIFICATE-----\n") }; |
| 128 | +like( $@, qr/unrecognized key format/, |
| 129 | + "new_public_key gives helpful error on certificate PEM" ); |
0 commit comments