go-mail/pkcs7_test.go

// SPDX-FileCopyrightText: 2022-2023 The go-mail Authors
//
// SPDX-License-Identifier: MIT

package mail

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io/ioutil"
	"math/big"
	"os"
	"os/exec"
	"testing"
	"time"
)

// TestSign_E2E tests S/MIME singing as e2e
func TestSign_E2E(t *testing.T) {
	cert, err := createTestCertificate()
	if err != nil {
		t.Fatal(err)
	}
	content := []byte("Hello World")
	for _, testDetach := range []bool{false, true} {
		toBeSigned, err := newSignedData(content)
		if err != nil {
			t.Fatalf("Cannot initialize signed data: %s", err)
		}
		if err := toBeSigned.addSigner(cert.Certificate, cert.PrivateKey, SignerInfoConfig{}); err != nil {
			t.Fatalf("Cannot add signer: %s", err)
		}
		if testDetach {
			t.Log("Testing detached signature")
			toBeSigned.detach()
		} else {
			t.Log("Testing attached signature")
		}
		signed, err := toBeSigned.finish()
		if err != nil {
			t.Fatalf("Cannot finish signing data: %s", err)
		}
		if err := pem.Encode(os.Stdout, &pem.Block{Type: "PKCS7", Bytes: signed}); err != nil {
			t.Fatalf("Cannot write signed data: %s", err)
		}
	}
}

func TestOpenSSLVerifyDetachedSignature(t *testing.T) {
	rootCert, err := createTestCertificateByIssuer("PKCS7 Test Root CA", nil)
	if err != nil {
		t.Fatalf("Cannot generate root cert: %s", err)
	}
	signerCert, err := createTestCertificateByIssuer("PKCS7 Test Signer Cert", rootCert)
	if err != nil {
		t.Fatalf("Cannot generate signer cert: %s", err)
	}
	content := []byte("Hello World")
	toBeSigned, err := newSignedData(content)
	if err != nil {
		t.Fatalf("Cannot initialize signed data: %s", err)
	}
	if err := toBeSigned.addSigner(signerCert.Certificate, signerCert.PrivateKey, SignerInfoConfig{}); err != nil {
		t.Fatalf("Cannot add signer: %s", err)
	}
	toBeSigned.detach()
	signed, err := toBeSigned.finish()
	if err != nil {
		t.Fatalf("Cannot finish signing data: %s", err)
	}

	// write the root cert to a temp file
	tmpRootCertFile, err := ioutil.TempFile("", "pkcs7TestRootCA")
	if err != nil {
		t.Fatal(err)
	}
	defer os.Remove(tmpRootCertFile.Name()) // clean up
	fd, err := os.OpenFile(tmpRootCertFile.Name(), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0755)
	if err != nil {
		t.Fatal(err)
	}
	pem.Encode(fd, &pem.Block{Type: "CERTIFICATE", Bytes: rootCert.Certificate.Raw})
	fd.Close()

	// write the signature to a temp file
	tmpSignatureFile, err := ioutil.TempFile("", "pkcs7Signature")
	if err != nil {
		t.Fatal(err)
	}
	defer os.Remove(tmpSignatureFile.Name()) // clean up
	ioutil.WriteFile(tmpSignatureFile.Name(), signed, 0755)

	// write the content to a temp file
	tmpContentFile, err := ioutil.TempFile("", "pkcs7Content")
	if err != nil {
		t.Fatal(err)
	}
	defer os.Remove(tmpContentFile.Name()) // clean up
	ioutil.WriteFile(tmpContentFile.Name(), content, 0755)

	// call openssl to verify the signature on the content using the root
	opensslCMD := exec.Command("openssl", "smime", "-verify",
		"-in", tmpSignatureFile.Name(), "-inform", "DER",
		"-content", tmpContentFile.Name(),
		"-CAfile", tmpRootCertFile.Name())
	out, err := opensslCMD.Output()
	t.Logf("%s", out)
	if err != nil {
		t.Fatalf("openssl command failed with %s", err)
	}
}

type certKeyPair struct {
	Certificate *x509.Certificate
	PrivateKey  *rsa.PrivateKey
}

func createTestCertificate() (*certKeyPair, error) {
	signer, err := createTestCertificateByIssuer("Eddard Stark", nil)
	if err != nil {
		return nil, err
	}
	fmt.Println("Created root cert")
	if err := pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: signer.Certificate.Raw}); err != nil {
		return nil, err
	}
	pair, err := createTestCertificateByIssuer("Jon Snow", signer)
	if err != nil {
		return nil, err
	}
	fmt.Println("Created signer cert")
	if err := pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: pair.Certificate.Raw}); err != nil {
		return nil, err
	}
	return pair, nil
}

func createTestCertificateByIssuer(name string, issuer *certKeyPair) (*certKeyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		return nil, err
	}
	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 32)
	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
	if err != nil {
		return nil, err
	}

	template := x509.Certificate{
		SerialNumber:       serialNumber,
		SignatureAlgorithm: x509.SHA256WithRSA,
		Subject: pkix.Name{
			CommonName:   name,
			Organization: []string{"Acme Co"},
		},
		NotBefore:   time.Now(),
		NotAfter:    time.Now().AddDate(1, 0, 0),
		KeyUsage:    x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	var issuerCert *x509.Certificate
	var issuerKey crypto.PrivateKey
	if issuer != nil {
		issuerCert = issuer.Certificate
		issuerKey = issuer.PrivateKey
	} else {
		template.IsCA = true
		template.KeyUsage |= x509.KeyUsageCertSign
		issuerCert = &template
		issuerKey = priv
	}
	cert, err := x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.Public(), issuerKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(cert)
	if err != nil {
		return nil, err
	}
	return &certKeyPair{
		Certificate: leaf,
		PrivateKey:  priv,
	}, nil
}
feat: migrated resources from external repo to remove external dependency 2024-10-17 15:48:42 +02:00			`// SPDX-FileCopyrightText: 2022-2023 The go-mail Authors`
			`//`
			`// SPDX-License-Identifier: MIT`

			`package mail`

			`import (`
			`"crypto"`
			`"crypto/rand"`
			`"crypto/rsa"`
			`"crypto/x509"`
			`"crypto/x509/pkix"`
			`"encoding/pem"`
			`"fmt"`
			`"io/ioutil"`
			`"math/big"`
			`"os"`
			`"os/exec"`
			`"testing"`
			`"time"`
			`)`

			`// TestSign_E2E tests S/MIME singing as e2e`
			`func TestSign_E2E(t *testing.T) {`
			`cert, err := createTestCertificate()`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`content := []byte("Hello World")`
			`for _, testDetach := range []bool{false, true} {`
			`toBeSigned, err := newSignedData(content)`
			`if err != nil {`
			`t.Fatalf("Cannot initialize signed data: %s", err)`
			`}`
			`if err := toBeSigned.addSigner(cert.Certificate, cert.PrivateKey, SignerInfoConfig{}); err != nil {`
			`t.Fatalf("Cannot add signer: %s", err)`
			`}`
			`if testDetach {`
			`t.Log("Testing detached signature")`
			`toBeSigned.detach()`
			`} else {`
			`t.Log("Testing attached signature")`
			`}`
			`signed, err := toBeSigned.finish()`
			`if err != nil {`
			`t.Fatalf("Cannot finish signing data: %s", err)`
			`}`
			`if err := pem.Encode(os.Stdout, &pem.Block{Type: "PKCS7", Bytes: signed}); err != nil {`
			`t.Fatalf("Cannot write signed data: %s", err)`
			`}`
			`}`
			`}`

			`func TestOpenSSLVerifyDetachedSignature(t *testing.T) {`
			`rootCert, err := createTestCertificateByIssuer("PKCS7 Test Root CA", nil)`
			`if err != nil {`
			`t.Fatalf("Cannot generate root cert: %s", err)`
			`}`
			`signerCert, err := createTestCertificateByIssuer("PKCS7 Test Signer Cert", rootCert)`
			`if err != nil {`
			`t.Fatalf("Cannot generate signer cert: %s", err)`
			`}`
			`content := []byte("Hello World")`
			`toBeSigned, err := newSignedData(content)`
			`if err != nil {`
			`t.Fatalf("Cannot initialize signed data: %s", err)`
			`}`
			`if err := toBeSigned.addSigner(signerCert.Certificate, signerCert.PrivateKey, SignerInfoConfig{}); err != nil {`
			`t.Fatalf("Cannot add signer: %s", err)`
			`}`
			`toBeSigned.detach()`
			`signed, err := toBeSigned.finish()`
			`if err != nil {`
			`t.Fatalf("Cannot finish signing data: %s", err)`
			`}`

			`// write the root cert to a temp file`
			`tmpRootCertFile, err := ioutil.TempFile("", "pkcs7TestRootCA")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`defer os.Remove(tmpRootCertFile.Name()) // clean up`
			`fd, err := os.OpenFile(tmpRootCertFile.Name(), os.O_WRONLY\|os.O_CREATE\|os.O_TRUNC, 0755)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`pem.Encode(fd, &pem.Block{Type: "CERTIFICATE", Bytes: rootCert.Certificate.Raw})`
			`fd.Close()`

			`// write the signature to a temp file`
			`tmpSignatureFile, err := ioutil.TempFile("", "pkcs7Signature")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`defer os.Remove(tmpSignatureFile.Name()) // clean up`
			`ioutil.WriteFile(tmpSignatureFile.Name(), signed, 0755)`

			`// write the content to a temp file`
			`tmpContentFile, err := ioutil.TempFile("", "pkcs7Content")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`defer os.Remove(tmpContentFile.Name()) // clean up`
			`ioutil.WriteFile(tmpContentFile.Name(), content, 0755)`

			`// call openssl to verify the signature on the content using the root`
			`opensslCMD := exec.Command("openssl", "smime", "-verify",`
			`"-in", tmpSignatureFile.Name(), "-inform", "DER",`
			`"-content", tmpContentFile.Name(),`
			`"-CAfile", tmpRootCertFile.Name())`
			`out, err := opensslCMD.Output()`
			`t.Logf("%s", out)`
			`if err != nil {`
			`t.Fatalf("openssl command failed with %s", err)`
			`}`
			`}`

			`type certKeyPair struct {`
			`Certificate *x509.Certificate`
			`PrivateKey *rsa.PrivateKey`
			`}`

			`func createTestCertificate() (*certKeyPair, error) {`
			`signer, err := createTestCertificateByIssuer("Eddard Stark", nil)`
			`if err != nil {`
			`return nil, err`
			`}`
			`fmt.Println("Created root cert")`
			`if err := pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: signer.Certificate.Raw}); err != nil {`
			`return nil, err`
			`}`
			`pair, err := createTestCertificateByIssuer("Jon Snow", signer)`
			`if err != nil {`
			`return nil, err`
			`}`
			`fmt.Println("Created signer cert")`
			`if err := pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: pair.Certificate.Raw}); err != nil {`
			`return nil, err`
			`}`
			`return pair, nil`
			`}`

			`func createTestCertificateByIssuer(name string, issuer certKeyPair) (certKeyPair, error) {`
			`priv, err := rsa.GenerateKey(rand.Reader, 1024)`
			`if err != nil {`
			`return nil, err`
			`}`
			`serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 32)`
			`serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)`
			`if err != nil {`
			`return nil, err`
			`}`

			`template := x509.Certificate{`
			`SerialNumber: serialNumber,`
			`SignatureAlgorithm: x509.SHA256WithRSA,`
			`Subject: pkix.Name{`
			`CommonName: name,`
			`Organization: []string{"Acme Co"},`
			`},`
			`NotBefore: time.Now(),`
			`NotAfter: time.Now().AddDate(1, 0, 0),`
			`KeyUsage: x509.KeyUsageKeyEncipherment \| x509.KeyUsageDigitalSignature,`
			`ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},`
			`}`
			`var issuerCert *x509.Certificate`
			`var issuerKey crypto.PrivateKey`
			`if issuer != nil {`
			`issuerCert = issuer.Certificate`
			`issuerKey = issuer.PrivateKey`
			`} else {`
			`template.IsCA = true`
			`template.KeyUsage \|= x509.KeyUsageCertSign`
			`issuerCert = &template`
			`issuerKey = priv`
			`}`
			`cert, err := x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.Public(), issuerKey)`
			`if err != nil {`
			`return nil, err`
			`}`
			`leaf, err := x509.ParseCertificate(cert)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return &certKeyPair{`
			`Certificate: leaf,`
			`PrivateKey: priv,`
			`}, nil`
			`}`