openssl
The atago project wrote these specs on its own initiative and runs them in its own CI, to exercise atago against a real program. They are not openssl’s official test suite, and the openssl project is not affiliated with atago.
Summary #
2 suites · 9 scenarios
Contents #
- openssl + changes (key and cert generation footprints) — 2 scenarios
- openssl (third-party CLI, no build required) — 7 scenarios
- sha256 digest of a fixed input is exact and stable
- base64 encode and decode round-trip via stdin
- rand -hex emits exactly the requested entropy
- a generated private key is valid and yields its public half
- symmetric encryption round-trips and a wrong password fails loudly
- a self-signed certificate carries the requested subject
- signing with the private key verifies with the public key
openssl + changes (key and cert generation footprints) #
Source: test/e2e/thirdparty/openssl/changes.atago.yaml
Scenario: genrsa writes exactly the key file #
only when openssl version succeeds
When #
openssl genrsa -out key.pem 2048
Then #
- exit code is
0 - the step changed exactly created
key.pem, modified nothing, deleted nothing
Scenario: a self-signed cert is the only new file the req step creates #
only when openssl version succeeds
When #
openssl genrsa -out key.pem 2048
openssl req -new -x509 -key key.pem -out cert.pem -subj /CN=atago-test -days 1
Then #
- after
openssl genrsa -out key.pem 2048:- exit code is
0
- exit code is
- after
openssl req -new -x509 -key key.pem -out cert.pem -subj /CN=atago-test -days 1:- exit code is
0 - the step changed exactly created
cert.pem, modified nothing, deleted nothing - file
cert.pemcontainsBEGIN CERTIFICATE
- exit code is
openssl (third-party CLI, no build required) #
Source: test/e2e/thirdparty/openssl/openssl.atago.yaml
Scenario: sha256 digest of a fixed input is exact and stable #
Given #
- Fixture file
msg.txtis created.
Inputs #
Fixture msg.txt:
the quick brown fox
When #
openssl dgst -sha256 -r msg.txt
Then #
- exit code is
0 - stdout contains
6e459fed18ddb06d57c8e9f0d000c302c7e01389926db6e89884bfbe91a2a5df
Scenario: base64 encode and decode round-trip via stdin #
Inputs #
stdin for openssl:
round-trip me
stdin for openssl:
${encoded}
When #
openssl base64
# capture ${encoded} from stdout
openssl base64 -d
Then #
- after
openssl base64 -d:- exit code is
0 - stdout contains
round-trip me
- exit code is
Scenario: rand -hex emits exactly the requested entropy #
When #
openssl rand -hex 16
Then #
- exit code is
0 - stdout matches
/^[0-9a-f]{32} ?$/
Scenario: a generated private key is valid and yields its public half #
When #
openssl genpkey -algorithm ed25519 -out key.pem
openssl pkey -in key.pem -check -noout
openssl pkey -in key.pem -pubout -out pub.pem
Then #
- after
openssl genpkey -algorithm ed25519 -out key.pem:- exit code is
0 - file
key.pemcontainsBEGIN PRIVATE KEY
- exit code is
- after
openssl pkey -in key.pem -check -noout:- exit code is
0 - stdout contains
Key is valid
- exit code is
- after
openssl pkey -in key.pem -pubout -out pub.pem:- exit code is
0 - file
pub.pemcontainsBEGIN PUBLIC KEY
- exit code is
Scenario: symmetric encryption round-trips and a wrong password fails loudly #
Given #
- Fixture file
secret.txtis created.
Inputs #
Fixture secret.txt:
attack at dawn
When #
openssl enc -aes-256-cbc -pbkdf2 -pass pass:correct-horse -in secret.txt -out secret.enc
openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:correct-horse -in secret.enc -out roundtrip.txt
openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:wrong-password -in secret.enc -out garbage.txt
Then #
- after
openssl enc -aes-256-cbc -pbkdf2 -pass pass:correct-horse -in secret.txt -out secret.enc:- exit code is
0 - file
secret.encexists - file
secret.encis checked
- exit code is
- after
openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:correct-horse -in secret.enc -out roundtrip.txt:- exit code is
0 - file
roundtrip.txtcontainsattack at dawn
- exit code is
- after
openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:wrong-password -in secret.enc -out garbage.txt:- exit code is not
0 - stderr contains
bad decrypt
- exit code is not
Generated artifacts #
secret.enc
Scenario: a self-signed certificate carries the requested subject #
When #
openssl req -x509 -newkey ed25519 -keyout ca.key -out ca.crt -nodes -days 1 -subj /CN=atago-test
openssl x509 -in ca.crt -noout -subject
openssl verify -CAfile ca.crt ca.crt
Then #
- after
openssl req -x509 -newkey ed25519 -keyout ca.key -out ca.crt -nodes -days 1 -subj /CN=atago-test:- exit code is
0
- exit code is
- after
openssl x509 -in ca.crt -noout -subject:- exit code is
0 - stdout contains
atago-test
- exit code is
- after
openssl verify -CAfile ca.crt ca.crt:- exit code is
0 - stdout contains
OK
- exit code is
Scenario: signing with the private key verifies with the public key #
Given #
- Fixture file
payload.txtis created. - Fixture file
payload.txtis created.
Inputs #
Fixture payload.txt:
sign me
Fixture payload.txt:
sign me (tampered)
When #
openssl genpkey -algorithm ed25519 -out sk.pem
openssl pkey -in sk.pem -pubout -out vk.pem
openssl pkeyutl -sign -inkey sk.pem -rawin -in payload.txt -out payload.sig
openssl pkeyutl -verify -pubin -inkey vk.pem -rawin -in payload.txt -sigfile payload.sig
openssl pkeyutl -verify -pubin -inkey vk.pem -rawin -in payload.txt -sigfile payload.sig
Then #
- after
openssl pkeyutl -sign -inkey sk.pem -rawin -in payload.txt -out payload.sig:- exit code is
0
- exit code is
- after
openssl pkeyutl -verify -pubin -inkey vk.pem -rawin -in payload.txt -sigfile payload.sig:- exit code is
0 - stdout contains
Signature Verified Successfully
- exit code is
- after
openssl pkeyutl -verify -pubin -inkey vk.pem -rawin -in payload.txt -sigfile payload.sig:- exit code is not
0
- exit code is not