From efdaebc20933ae7533c9518a4e22741f4fb8403c Mon Sep 17 00:00:00 2001
From: Shelley Vohr
Date: Tue, 20 Jan 2026 19:18:36 +0100
Subject: [PATCH] test,crypto: adjust tests for BoringSSL
---
.../parallel/test-crypto-async-sign-verify.js | 18 +--
test/parallel/test-crypto-authenticated.js | 43 ++++---
...st-crypto-default-shake-lengths-oneshot.js | 4 +
test/parallel/test-crypto-dh-curves.js | 2 +-
test/parallel/test-crypto-dh-errors.js | 4 +-
test/parallel/test-crypto-dh-group-setters.js | 4 +
test/parallel/test-crypto-dh-modp2-views.js | 4 +
test/parallel/test-crypto-dh-modp2.js | 5 +
test/parallel/test-crypto-dh.js | 10 +-
test/parallel/test-crypto-hash-stream-pipe.js | 10 +-
.../test-crypto-key-objects-to-crypto-key.js | 16 ++-
test/parallel/test-crypto-key-objects.js | 121 +++++++++++------
test/parallel/test-crypto-oneshot-hash-xof.js | 4 +
test/parallel/test-crypto-rsa-dsa.js | 29 +++--
test/parallel/test-crypto-sign-verify.js | 54 ++++----
test/parallel/test-crypto.js | 115 +++++++++--------
test/parallel/test-tls-client-auth.js | 2 +-
test/parallel/test-tls-peer-certificate.js | 8 +-
.../test-tls-pfx-authorizationerror.js | 8 +-
test/parallel/test-tls-set-sigalgs.js | 9 +-
.../test-webcrypto-export-import-cfrg.js | 4 +-
test/parallel/test-webcrypto-wrap-unwrap.js | 19 ++-
22 files changed, 299 insertions(+), 194 deletions(-)
diff --git a/test/parallel/test-crypto-async-sign-verify.js b/test/parallel/test-crypto-async-sign-verify.js
index 9876c4bb6ecd2e..5b35a51d1e1719 100644
--- a/test/parallel/test-crypto-async-sign-verify.js
+++ b/test/parallel/test-crypto-async-sign-verify.js
@@ -102,17 +102,17 @@ if (!process.features.openssl_is_boringssl) { // ECDSA w/ ieee-p1363 signature encoding test('ec_secp256k1_public.pem', 'ec_secp256k1_private.pem', 'sha384', false, { dsaEncoding: 'ieee-p1363' }); -} -// DSA w/ der signature encoding -test('dsa_public.pem', 'dsa_private.pem', 'sha256', - false); -test('dsa_public.pem', 'dsa_private.pem', 'sha256', - false, { dsaEncoding: 'der' }); + // DSA w/ der signature encoding + test('dsa_public.pem', 'dsa_private.pem', 'sha256', + false); + test('dsa_public.pem', 'dsa_private.pem', 'sha256', + false, { dsaEncoding: 'der' }); -// DSA w/ ieee-p1363 signature encoding -test('dsa_public.pem', 'dsa_private.pem', 'sha256', false, - { dsaEncoding: 'ieee-p1363' }); + // DSA w/ ieee-p1363 signature encoding + test('dsa_public.pem', 'dsa_private.pem', 'sha256', false, + { dsaEncoding: 'ieee-p1363' }); +} // Test Parallel Execution w/ KeyObject is threadsafe in openssl3 { diff --git a/test/parallel/test-crypto-authenticated.js b/test/parallel/test-crypto-authenticated.js index e8fedf2d5d5072..26dbfc7406abcb 100644 --- a/test/parallel/test-crypto-authenticated.js +++ b/test/parallel/test-crypto-authenticated.js 
@@ -626,22 +626,25 @@ for (const test of TEST_CASES) { { // CCM cipher without data should not crash, see https://github.com/nodejs/node/issues/38035. - const algo = 'aes-128-ccm'; - const key = Buffer.alloc(16); - const iv = Buffer.alloc(12); - const opts = { authTagLength: 10 }; + if (!ciphers.includes('aes-128-ccm')) { + common.printSkipMessage(`unsupported aes-128-ccm test`); + } else { + const key = Buffer.alloc(16); + const iv = Buffer.alloc(12); + const opts = { authTagLength: 10 }; - const cipher = crypto.createCipheriv(algo, key, iv, opts); - assert.throws(() => { - cipher.final(); - }, hasOpenSSL3 ? { - code: 'ERR_OSSL_TAG_NOT_SET' - } : { - message: /Unsupported state/ - }); + const cipher = crypto.createCipheriv('aes-128-ccm', key, iv, opts); + assert.throws(() => { + cipher.final(); + }, hasOpenSSL3 ? { + code: 'ERR_OSSL_TAG_NOT_SET' + } : { + message: /Unsupported state/ + }); + } } -{ +if (!process.features.openssl_is_boringssl) { const key = Buffer.alloc(32); const iv = Buffer.alloc(12); @@ -653,11 +656,13 @@ for (const test of TEST_CASES) { message: errMessages.authTagLength }); } +} else { + common.printSkipMessage('Skipping unsupported chacha20-poly1305 test'); } // ChaCha20-Poly1305 should respect the authTagLength option and should not // require the authentication tag before calls to update() during decryption. -{ +if (!process.features.openssl_is_boringssl) { const key = Buffer.alloc(32); const iv = Buffer.alloc(12); @@ -697,6 +702,8 @@ for (const test of TEST_CASES) { } } } +} else { + common.printSkipMessage('Skipping unsupported chacha20-poly1305 test'); } // ChaCha20-Poly1305 should default to an authTagLength of 16. When encrypting, 
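Review bot: The chacha20-poly1305 blocks in test-crypto-authenticated.js are gated on `process.features.openssl_is_boringssl`, while the aes-128-ccm block in the same hunk is gated on the cipher list, so the two skips follow different rules. A capability check would keep these tests tied to what the build actually offers: `if (ciphers.includes('chacha20-poly1305')) {`, assuming `ciphers` is the list of available ciphers defined earlier in the file, outside this hunk. The same gate is repeated in the two following hunks of this file. The CCM skip message is a template literal with no interpolation and can be a plain string.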
@@ -706,7 +713,7 @@ for (const test of TEST_CASES) { // shorter tags as long as their length was valid according to NIST SP 800-38D. // For ChaCha20-Poly1305, we intentionally deviate from that because there are // no recommended or approved authentication tag lengths below 16 bytes. -{ +if (!process.features.openssl_is_boringssl) { const rfcTestCases = TEST_CASES.filter(({ algo, tampered }) => { return algo === 'chacha20-poly1305' && tampered === false; }); @@ -740,10 +747,12 @@ for (const test of TEST_CASES) { assert.strictEqual(plaintext.toString('hex'), testCase.plain); } +} else { + common.printSkipMessage('Skipping unsupported chacha20-poly1305 test'); } // https://github.com/nodejs/node/issues/45874 -{ +if (!process.features.openssl_is_boringssl) { const rfcTestCases = TEST_CASES.filter(({ algo, tampered }) => { return algo === 'chacha20-poly1305' && tampered === false; }); @@ -771,4 +780,6 @@ for (const test of TEST_CASES) { assert.throws(() => { decipher.final(); }, /Unsupported state or unable to authenticate data/); +} else { + common.printSkipMessage('Skipping unsupported chacha20-poly1305 test'); } diff --git a/test/parallel/test-crypto-default-shake-lengths-oneshot.js b/test/parallel/test-crypto-default-shake-lengths-oneshot.js index 90b4c3de21a317..f0d57e4633fad7 100644 --- a/test/parallel/test-crypto-default-shake-lengths-oneshot.js +++ b/test/parallel/test-crypto-default-shake-lengths-oneshot.js @@ -4,6 +4,10 @@ const common = require('../common'); if (!common.hasCrypto) common.skip('missing crypto'); +if (process.features.openssl_is_boringssl) { + common.skip('Skipping unsupported shake128 digest method test'); +} + const { hash } = require('crypto'); common.expectWarning({ diff --git a/test/parallel/test-crypto-dh-curves.js b/test/parallel/test-crypto-dh-curves.js index 81a469c226c261..58b66045dba420 100644 --- a/test/parallel/test-crypto-dh-curves.js +++ b/test/parallel/test-crypto-dh-curves.js 
@@ -16,7 +16,7 @@ const p = 'FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74' + crypto.createDiffieHellman(p, 'hex'); // Confirm DH_check() results are exposed for optional examination. -const bad_dh = crypto.createDiffieHellman('02', 'hex'); +const bad_dh = crypto.createDiffieHellman('abcd', 'hex', 0); assert.notStrictEqual(bad_dh.verifyError, 0); const availableCurves = new Set(crypto.getCurves()); diff --git a/test/parallel/test-crypto-dh-errors.js b/test/parallel/test-crypto-dh-errors.js index d7527d82617efc..5474d094c7af1b 100644 --- a/test/parallel/test-crypto-dh-errors.js +++ b/test/parallel/test-crypto-dh-errors.js @@ -27,13 +27,13 @@ assert.throws(() => crypto.createDiffieHellman('abcdef', 13.37), { for (const bits of [-1, 0, 1]) { if (hasOpenSSL3) { assert.throws(() => crypto.createDiffieHellman(bits), { - code: 'ERR_OSSL_DH_MODULUS_TOO_SMALL', + code: /ERR_OSSL_(BN_BITS|DH_MODULUS)_TOO_SMALL/, name: 'Error', message: /modulus too small/, }); } else { assert.throws(() => crypto.createDiffieHellman(bits), { - code: 'ERR_OSSL_BN_BITS_TOO_SMALL', + code: /ERR_OSSL_(BN_BITS|DH_MODULUS)_TOO_SMALL/, name: 'Error', message: /bits[\s_]too[\s_]small/i, }); diff --git a/test/parallel/test-crypto-dh-group-setters.js b/test/parallel/test-crypto-dh-group-setters.js index 7c774111952ead..37d0a44d0e1e10 100644 --- a/test/parallel/test-crypto-dh-group-setters.js +++ b/test/parallel/test-crypto-dh-group-setters.js @@ -6,6 +6,10 @@ if (!common.hasCrypto) const assert = require('assert'); const crypto = require('crypto'); +if (process.features.openssl_is_boringssl) { + common.skip('Skipping unsupported Diffie-Hellman tests'); +} + // Unlike DiffieHellman, DiffieHellmanGroup does not have any setters. const dhg = crypto.getDiffieHellman('modp1'); assert.strictEqual(dhg.constructor, crypto.DiffieHellmanGroup); diff --git a/test/parallel/test-crypto-dh-modp2-views.js b/test/parallel/test-crypto-dh-modp2-views.js index 8d01731af79394..a28e615b7f35c7 100644 
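Review bot: The new `crypto.createDiffieHellman('abcd', 'hex', 0)` in test-crypto-dh-curves.js passes a generator of 0 on every build, yet this same patch disables the g=0 calls in test-crypto-dh.js under BoringSSL as unsupported. If BoringSSL rejects a zero generator, this line would throw before `bad_dh.verifyError` is read, so the call should be confirmed on that build or given a non-zero generator. A one-line comment stating why the prime and generator changed from `'02'` would also help, since the existing comment only says that DH_check() results are exposed.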
--- a/test/parallel/test-crypto-dh-modp2-views.js +++ b/test/parallel/test-crypto-dh-modp2-views.js @@ -7,6 +7,10 @@ const assert = require('assert'); const crypto = require('crypto'); const { modp2buf } = require('../common/crypto'); +if (process.features.openssl_is_boringssl) { + common.skip('Skipping unsupported Diffie-Hellman tests'); +} + const modp2 = crypto.createDiffieHellmanGroup('modp2'); const views = common.getArrayBufferViews(modp2buf); diff --git a/test/parallel/test-crypto-dh-modp2.js b/test/parallel/test-crypto-dh-modp2.js index 19767d26f4e5fb..eb262f235ff30b 100644 --- a/test/parallel/test-crypto-dh-modp2.js +++ b/test/parallel/test-crypto-dh-modp2.js @@ -6,6 +6,11 @@ if (!common.hasCrypto) const assert = require('assert'); const crypto = require('crypto'); const { modp2buf } = require('../common/crypto'); + +if (process.features.openssl_is_boringssl) { + common.skip('Skipping unsupported Diffie-Hellman tests'); +} + const modp2 = crypto.createDiffieHellmanGroup('modp2'); { diff --git a/test/parallel/test-crypto-dh.js b/test/parallel/test-crypto-dh.js index 3c00a5fc73bb9f..9d2f3e1eaebc2c 100644 --- a/test/parallel/test-crypto-dh.js +++ b/test/parallel/test-crypto-dh.js @@ -97,17 +97,21 @@ const { dh3.computeSecret(''); }, { message: hasOpenSSL3 && !hasOpenSSL3WithNewErrorMessage ? 'Unspecified validation error' : - 'Supplied key is too small' }); + /Supplied key is (too small|invalid)/ }); } } // Through a fluke of history, g=0 defaults to DH_GENERATOR (2). -{ +if (!process.features.openssl_is_boringssl) { const g = 0; crypto.createDiffieHellman('abcdef', g); crypto.createDiffieHellman('abcdef', 'hex', g); +} else { + common.printSkipMessage('Skipping unsupported g=0 Diffie-Hellman tests'); } -{ +if (!process.features.openssl_is_boringssl) { crypto.createDiffieHellman('abcdef', Buffer.from([2])); // OK +} else { + common.printSkipMessage('Skipping unsupported g=0 Diffie-Hellman tests'); } 
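Review bot: The second guarded block in test-crypto-dh.js calls `crypto.createDiffieHellman('abcdef', Buffer.from([2]))`, a generator of 2, but its skip message is the copied `'Skipping unsupported g=0 Diffie-Hellman tests'`. The message should name what is actually skipped, for example `common.printSkipMessage('Skipping unsupported Buffer generator Diffie-Hellman test');`, with a short comment on why BoringSSL cannot run it. In the first hunk of the same file, `/Supplied key is (too small|invalid)/` replaces an exact string and is unanchored; `/^Supplied key is (too small|invalid)$/` keeps the check as strict as before.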
diff --git a/test/parallel/test-crypto-hash-stream-pipe.js b/test/parallel/test-crypto-hash-stream-pipe.js index d22281abbd5c3c..5f0c6a4aed2e86 100644 --- a/test/parallel/test-crypto-hash-stream-pipe.js +++ b/test/parallel/test-crypto-hash-stream-pipe.js @@ -30,11 +30,11 @@ const crypto = require('crypto'); const stream = require('stream'); const s = new stream.PassThrough(); -const h = crypto.createHash('sha3-512'); -const expect = '36a38a2a35e698974d4e5791a3f05b05' + - '198235381e864f91a0e8cd6a26b677ec' + - 'dcde8e2b069bd7355fabd68abd6fc801' + - '19659f25e92f8efc961ee3a7c815c758'; +const h = crypto.createHash('sha512'); +const expect = 'fba055c6fd0c5b6645407749ed7a8b41' + + 'b8f629f2163c3ca3701d864adabda1f8' + + '93c37bf82b22fdd151ba8e357f611da4' + + '88a74b6a5525dd9b69554c6ce5138ad7'; s.pipe(h).on('data', common.mustCall(function(c) { assert.strictEqual(c, expect); diff --git a/test/parallel/test-crypto-key-objects-to-crypto-key.js b/test/parallel/test-crypto-key-objects-to-crypto-key.js index 141e51d1ab74a4..cc0c62dac40b10 100644 --- a/test/parallel/test-crypto-key-objects-to-crypto-key.js +++ b/test/parallel/test-crypto-key-objects-to-crypto-key.js @@ -26,10 +26,16 @@ function assertCryptoKey(cryptoKey, keyObject, algorithm, extractable, usages) { { for (const length of [128, 192, 256]) { const key = createSecretKey(randomBytes(length >> 3)); - const algorithms = ['AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW']; + let algorithms = ['AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW']; if (length === 256) algorithms.push('ChaCha20-Poly1305'); + + if (process.features.openssl_is_boringssl) { + algorithms = algorithms.filter((a) => a !== 'AES-KW' && a !== 'ChaCha20-Poly1305'); + } + for (const algorithm of algorithms) { + console.log(algorithm); const usages = algorithm === 'AES-KW' ? ['wrapKey', 'unwrapKey'] : ['encrypt', 'decrypt']; for (const extractable of [true, false]) { const cryptoKey = key.toCryptoKey(algorithm, extractable, usages); 
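Review bot: Replacing `sha3-512` with `sha512` in test-crypto-hash-stream-pipe.js removes the streaming sha3-512 check on OpenSSL builds as well, not only on BoringSSL. Choosing the digest per build keeps the earlier coverage: `const algo = process.features.openssl_is_boringssl ? 'sha512' : 'sha3-512';`, with the expected hex string selected by the same condition. If the change of algorithm is intended for all builds, the commit message should say so.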
@@ -97,7 +103,13 @@ function assertCryptoKey(cryptoKey, keyObject, algorithm, extractable, usages) { } { - for (const algorithm of ['Ed25519', 'Ed448', 'X25519', 'X448']) { + const algorithms = ['Ed25519', 'X25519']; + + if (!process.features.openssl_is_boringssl) { + algorithms.push('X448', 'Ed448'); + } + + for (const algorithm of algorithms) { const { publicKey, privateKey } = generateKeyPairSync(algorithm.toLowerCase()); assert.throws(() => { publicKey.toCryptoKey(algorithm === 'Ed25519' ? 'X25519' : 'Ed25519', true, []); diff --git a/test/parallel/test-crypto-key-objects.js b/test/parallel/test-crypto-key-objects.js index e8359ed6d0362c..f7ec6989e78c72 100644 --- a/test/parallel/test-crypto-key-objects.js +++ b/test/parallel/test-crypto-key-objects.js @@ -302,11 +302,11 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem', }, hasOpenSSL3 ? { message: 'error:1E08010C:DECODER routines::unsupported', } : { - message: 'error:0909006C:PEM routines:get_name:no start line', + message: /no[.-]start[.-]line/i, code: 'ERR_OSSL_PEM_NO_START_LINE', - reason: 'no start line', + reason: /no[.-]start[.-]line/i, library: 'PEM routines', - function: 'get_name', + function: /get_name|OPENSSL_internal/, }); // This should not abort either: https://github.com/nodejs/node/issues/29904 @@ -329,13 +329,14 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem', message: /error:1E08010C:DECODER routines::unsupported/, library: 'DECODER routines' } : { - message: /asn1 encoding/, - library: 'asn1 encoding routines' + message: /asn1 encoding|public key routines/, + library: /asn1 encoding routines|public key routines/ }); } -[ - { private: fixtures.readKey('ed25519_private.pem', 'ascii'), +const infos = [ + { + private: fixtures.readKey('ed25519_private.pem', 'ascii'), public: fixtures.readKey('ed25519_public.pem', 'ascii'), keyType: 'ed25519', jwk: { 
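Review bot: In the non-OpenSSL-3 expectation of test-crypto-key-objects.js, `/no[.-]start[.-]line/i` matches only a literal dot or hyphen between the words, because `.` is not a wildcard inside a character class. It therefore rejects both the previous `no start line` text and an underscore form such as `NO_START_LINE`, so this branch would fail wherever it runs. The other patterns in this patch use `[_ ]` for the same job; `message` and `reason` should both be `/no[_ ]start[_ ]line/i`. The enclosing `assert.throws` call starts outside the hunk.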
@@ -343,19 +344,10 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem', x: 'K1wIouqnuiA04b3WrMa-xKIKIpfHetNZRv3h9fBf768', d: 'wVK6M3SMhQh3NK-7GRrSV-BVWQx1FO5pW8hhQeu_NdA', kty: 'OKP' - } }, - { private: fixtures.readKey('ed448_private.pem', 'ascii'), - public: fixtures.readKey('ed448_public.pem', 'ascii'), - keyType: 'ed448', - jwk: { - crv: 'Ed448', - x: 'oX_ee5-jlcU53-BbGRsGIzly0V-SZtJ_oGXY0udf84q2hTW2RdstLktvwpkVJOoNb7o' + - 'Dgc2V5ZUA', - d: '060Ke71sN0GpIc01nnGgMDkp0sFNQ09woVo4AM1ffax1-mjnakK0-p-S7-Xf859QewX' + - 'jcR9mxppY', - kty: 'OKP' - } }, - { private: fixtures.readKey('x25519_private.pem', 'ascii'), + } + }, + { + private: fixtures.readKey('x25519_private.pem', 'ascii'), public: fixtures.readKey('x25519_public.pem', 'ascii'), keyType: 'x25519', jwk: { @@ -363,19 +355,39 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem', x: 'aSb8Q-RndwfNnPeOYGYPDUN3uhAPnMLzXyfi-mqfhig', d: 'mL_IWm55RrALUGRfJYzw40gEYWMvtRkesP9mj8o8Omc', kty: 'OKP' - } }, - { private: fixtures.readKey('x448_private.pem', 'ascii'), + } + }, +]; + +if (!process.features.openssl_is_boringssl) { + infos.push({ + private: fixtures.readKey('ed448_private.pem', 'ascii'), + public: fixtures.readKey('ed448_public.pem', 'ascii'), + keyType: 'ed448', + jwk: { + crv: 'Ed448', + x: 'oX_ee5-jlcU53-BbGRsGIzly0V-SZtJ_oGXY0udf84q2hTW2RdstLktvwpkVJOoNb7o' + + 'Dgc2V5ZUA', + d: '060Ke71sN0GpIc01nnGgMDkp0sFNQ09woVo4AM1ffax1-mjnakK0-p-S7-Xf859QewX' + + 'jcR9mxppY', + kty: 'OKP' + } + }, { + private: fixtures.readKey('x448_private.pem', 'ascii'), public: fixtures.readKey('x448_public.pem', 'ascii'), keyType: 'x448', jwk: { crv: 'X448', x: 'ioHSHVpTs6hMvghosEJDIR7ceFiE3-Xccxati64oOVJ7NWjfozE7ae31PXIUFq6cVYg' + - 'vSKsDFPA', + 'vSKsDFPA', d: 'tMNtrO_q8dlY6Y4NDeSTxNQ5CACkHiPvmukidPnNIuX_EkcryLEXt_7i6j6YZMKsrWy' + - 'S0jlSYJk', + 'S0jlSYJk', kty: 'OKP' - } }, -].forEach((info) => { + } + }); +} + +infos.forEach((info) => { const keyType = info.keyType; { 
@@ -417,8 +429,9 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem', } }); -[ - { private: fixtures.readKey('ec_p256_private.pem', 'ascii'), +const ecInfos = [ + { + private: fixtures.readKey('ec_p256_private.pem', 'ascii'), public: fixtures.readKey('ec_p256_public.pem', 'ascii'), keyType: 'ec', namedCurve: 'prime256v1', @@ -428,19 +441,10 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem', kty: 'EC', x: 'X0mMYR_uleZSIPjNztIkAS3_ud5LhNpbiIFp6fNf2Gs', y: 'UbJuPy2Xi0lW7UYTBxPK3yGgDu9EAKYIecjkHX5s2lI' - } }, - { private: fixtures.readKey('ec_secp256k1_private.pem', 'ascii'), - public: fixtures.readKey('ec_secp256k1_public.pem', 'ascii'), - keyType: 'ec', - namedCurve: 'secp256k1', - jwk: { - crv: 'secp256k1', - d: 'c34ocwTwpFa9NZZh3l88qXyrkoYSxvC0FEsU5v1v4IM', - kty: 'EC', - x: 'cOzhFSpWxhalCbWNdP2H_yUkdC81C9T2deDpfxK7owA', - y: '-A3DAZTk9IPppN-f03JydgHaFvL1fAHaoXf4SX4NXyo' - } }, - { private: fixtures.readKey('ec_p384_private.pem', 'ascii'), + } + }, + { + private: fixtures.readKey('ec_p384_private.pem', 'ascii'), public: fixtures.readKey('ec_p384_public.pem', 'ascii'), keyType: 'ec', namedCurve: 'secp384r1', @@ -450,8 +454,10 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem', kty: 'EC', x: 'hON3nzGJgv-08fdHpQxgRJFZzlK-GZDGa5f3KnvM31cvvjJmsj4UeOgIdy3rDAjV', y: 'fidHhtecNCGCfLqmrLjDena1NSzWzWH1u_oUdMKGo5XSabxzD7-8JZxjpc8sR9cl' - } }, - { private: fixtures.readKey('ec_p521_private.pem', 'ascii'), + } + }, + { + private: fixtures.readKey('ec_p521_private.pem', 'ascii'), public: fixtures.readKey('ec_p521_public.pem', 'ascii'), keyType: 'ec', namedCurve: 'secp521r1', 
@@ -464,8 +470,27 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem', 'CbhMeHRavUS6P10rsTtBn', y: 'Ad3flexBeAfXceNzRBH128kFbOWD6W41NjwKRqqIF26vmgW_8COldGKZjFkOSEASxPB' + 'cvA2iFJRUyQ3whC00j0Np' - } }, -].forEach((info) => { + } + }, +]; + +if (!process.features.openssl_is_boringssl) { + ecInfos.push({ + private: fixtures.readKey('ec_secp256k1_private.pem', 'ascii'), + public: fixtures.readKey('ec_secp256k1_public.pem', 'ascii'), + keyType: 'ec', + namedCurve: 'secp256k1', + jwk: { + crv: 'secp256k1', + d: 'c34ocwTwpFa9NZZh3l88qXyrkoYSxvC0FEsU5v1v4IM', + kty: 'EC', + x: 'cOzhFSpWxhalCbWNdP2H_yUkdC81C9T2deDpfxK7owA', + y: '-A3DAZTk9IPppN-f03JydgHaFvL1fAHaoXf4SX4NXyo' + } + }); +} + +ecInfos.forEach((info) => { const { keyType, namedCurve } = info; { @@ -540,7 +565,7 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem', format: 'pem', passphrase: Buffer.alloc(1024, 'a') }), { - message: /bad decrypt/ + message: /bad[_ ]decrypt/i }); const publicKey = createPublicKey(publicDsa); @@ -566,7 +591,7 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem', { // Test RSA-PSS. - { + if (!process.features.openssl_is_boringssl) { // This key pair does not restrict the message digest algorithm or salt // length. const publicPem = fixtures.readKey('rsa_pss_public_2048.pem'); @@ -625,6 +650,8 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem', }, { code: 'ERR_CRYPTO_INCOMPATIBLE_KEY_OPTIONS' }); + } else { + common.skip('Skipping unsupported RSA-PSS key test'); } { diff --git a/test/parallel/test-crypto-oneshot-hash-xof.js b/test/parallel/test-crypto-oneshot-hash-xof.js index 75cb4800ff1bd5..b4363c31592763 100644 --- a/test/parallel/test-crypto-oneshot-hash-xof.js +++ b/test/parallel/test-crypto-oneshot-hash-xof.js 
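Review bot: The `else` branch added to the RSA-PSS block calls `common.skip('Skipping unsupported RSA-PSS key test')`, which, as far as I know, prints the message and then exits the process. On BoringSSL that would silently drop every test that follows this block in test-crypto-key-objects.js, including the remainder of the enclosing RSA-PSS section. The other mid-file skips in this patch use the logging-only helper, and this branch should do the same: `common.printSkipMessage('Skipping unsupported RSA-PSS key test');`.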
@@ -7,6 +7,10 @@ if (!common.hasCrypto) common.skip('missing crypto'); const assert = require('assert'); const crypto = require('crypto'); +if (process.features.openssl_is_boringssl) { + common.skip('BoringSSL does not support XOF hash functions'); +} + // Test XOF hash functions and the outputLength option. { // Default outputLengths. diff --git a/test/parallel/test-crypto-rsa-dsa.js b/test/parallel/test-crypto-rsa-dsa.js index 119bc3c2d20ea7..899cc87cf7df8c 100644 --- a/test/parallel/test-crypto-rsa-dsa.js +++ b/test/parallel/test-crypto-rsa-dsa.js @@ -29,12 +29,11 @@ const dsaPkcs8KeyPem = fixtures.readKey('dsa_private_pkcs8.pem'); const ec = new TextEncoder(); const openssl1DecryptError = { - message: 'error:06065064:digital envelope routines:EVP_DecryptFinal_ex:' + - 'bad decrypt', - code: 'ERR_OSSL_EVP_BAD_DECRYPT', - reason: 'bad decrypt', - function: 'EVP_DecryptFinal_ex', - library: 'digital envelope routines', + message: /bad decrypt|BAD_DECRYPT/i, + code: /ERR_OSSL_(EVP_)?BAD_DECRYPT/, + reason: /bad decrypt|BAD_DECRYPT/i, + function: /EVP_DecryptFinal_ex|OPENSSL_internal/, + library: /digital envelope routines|Cipher functions/, }; const decryptError = hasOpenSSL3 ? @@ -325,9 +324,12 @@ function test_rsa(padding, encryptOaepHash, decryptOaepHash) { } test_rsa('RSA_NO_PADDING'); -test_rsa('RSA_PKCS1_PADDING'); test_rsa('RSA_PKCS1_OAEP_PADDING'); +if (!process.features.openssl_is_boringssl) { + test_rsa('RSA_PKCS1_PADDING'); +} + // Test OAEP with different hash functions. test_rsa('RSA_PKCS1_OAEP_PADDING', undefined, 'sha1'); test_rsa('RSA_PKCS1_OAEP_PADDING', 'sha1', undefined); @@ -489,7 +491,7 @@ assert.throws(() => { // // Test DSA signing and verification // -{ +if (!process.features.openssl_is_boringssl) { const input = 'I AM THE WALRUS'; // DSA signatures vary across runs so there is no static string to verify 
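Review bot: `test_rsa('RSA_PKCS1_PADDING')` in test-crypto-rsa-dsa.js is now skipped under BoringSSL with neither a comment nor a skip message, unlike the DSA blocks later in the same file. Adding `else { common.printSkipMessage('Skipping unsupported RSA_PKCS1_PADDING test'); }` and a one-line comment giving the reason keeps the gap visible in test output. In the first hunk, the `openssl1DecryptError` fields moved from exact strings to unanchored patterns; `code: /^ERR_OSSL_(EVP_)?BAD_DECRYPT$/` would keep that field exact.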
@@ -512,13 +514,14 @@ assert.throws(() => { verify2.update(input); assert.strictEqual(verify2.verify(dsaPubPem, signature2, 'hex'), true); +} else { + common.printSkipMessage('Skipping unsupported DSA test case'); } - // // Test DSA signing and verification with PKCS#8 private key // -{ +if (!process.features.openssl_is_boringssl) { const input = 'I AM THE WALRUS'; // DSA signatures vary across runs so there is no static string to verify @@ -531,6 +534,8 @@ assert.throws(() => { verify.update(input); assert.strictEqual(verify.verify(dsaPubPem, signature, 'hex'), true); +} else { + common.printSkipMessage('Skipping unsupported DSA test case'); } @@ -547,7 +552,7 @@ const input = 'I AM THE WALRUS'; }, decryptPrivateKeyError); } -{ +if (!process.features.openssl_is_boringssl) { // DSA signatures vary across runs so there is no static string to verify // against. const sign = crypto.createSign('SHA1'); @@ -559,4 +564,6 @@ const input = 'I AM THE WALRUS'; verify.update(input); assert.strictEqual(verify.verify(dsaPubPem, signature, 'hex'), true); +} else { + common.printSkipMessage('Skipping unsupported DSA test case'); } diff --git a/test/parallel/test-crypto-sign-verify.js b/test/parallel/test-crypto-sign-verify.js index a66f0a94efd7c9..226db650146ab0 100644 --- a/test/parallel/test-crypto-sign-verify.js +++ b/test/parallel/test-crypto-sign-verify.js @@ -66,8 +66,8 @@ const keySize = 2048; key: keyPem, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING }); - }, { message: hasOpenSSL(3) ? - 'error:1C8000A5:Provider routines::illegal or unsupported padding mode' : + }, { message: (hasOpenSSL(3) || process.features.openssl_is_boringssl) ? + /illegal[_ ]or[_ ]unsupported[_ ]padding[_ ]mode/i : 'bye, bye, error stack' }); delete Object.prototype.opensslErrorStack; 
@@ -344,16 +344,9 @@ assert.throws( key: keyPem, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING }); - }, hasOpenSSL(3) ? { - code: 'ERR_OSSL_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE', - message: /illegal or unsupported padding mode/, - } : { - code: 'ERR_OSSL_RSA_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE', - message: /illegal or unsupported padding mode/, - opensslErrorStack: [ - 'error:06089093:digital envelope routines:EVP_PKEY_CTX_ctrl:' + - 'command not supported', - ], + }, { + code: /ERR_OSSL_(RSA_|EVP_)?ILLEGAL_OR_UNSUPPORTED_PADDING_MODE/, + message: /illegal[_ ]or[_ ]unsupported[_ ]padding[_ ]mode/i, }); } @@ -418,21 +411,32 @@ assert.throws( /Invalid digest/); } -[ - { private: fixtures.readKey('ed25519_private.pem', 'ascii'), +const keys = [ + { + private: fixtures.readKey('ed25519_private.pem', 'ascii'), public: fixtures.readKey('ed25519_public.pem', 'ascii'), algo: null, - sigLen: 64 }, - { private: fixtures.readKey('ed448_private.pem', 'ascii'), + sigLen: 64 + }, + { + private: fixtures.readKey('rsa_private_2048.pem', 'ascii'), + public: fixtures.readKey('rsa_public_2048.pem', 'ascii'), + algo: 'sha1', + sigLen: 256 + }, +]; + +if (!process.features.openssl_is_boringssl) { + keys.push({ + private: fixtures.readKey('ed448_private.pem', 'ascii'), public: fixtures.readKey('ed448_public.pem', 'ascii'), algo: null, supportsContext: true, - sigLen: 114 }, - { private: fixtures.readKey('rsa_private_2048.pem', 'ascii'), - public: fixtures.readKey('rsa_public_2048.pem', 'ascii'), - algo: 'sha1', - sigLen: 256 }, -].forEach((pair) => { + sigLen: 114 + }); +} + +keys.forEach((pair) => { const algo = pair.algo; { @@ -547,7 +551,11 @@ assert.throws( { const data = Buffer.from('Hello world'); - const keys = [['ec-key.pem', 64], ['dsa_private_1025.pem', 40]]; + const keys = [['ec-key.pem', 64]]; + + if (!process.features.openssl_is_boringssl) { + keys.push(['dsa_private_1025.pem', 40]); + } for (const [file, length] of keys) { const privKey = fixtures.readKey(file); 
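Review bot: The merged expectation in the first hunk here drops the `opensslErrorStack` assertion that the pre-3.0 branch carried, so builds on that path no longer verify that the error stack is populated. If that check still holds on OpenSSL 1.x it should stay behind a version condition rather than be removed for everyone. The new `code` pattern is also unanchored; `code: /^ERR_OSSL_(RSA_|EVP_)?ILLEGAL_OR_UNSUPPORTED_PADDING_MODE$/` keeps it from matching longer codes.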
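Review bot: The new module-level `const keys = [...]` introduced before `keys.forEach((pair) => {` shares its name with the block-scoped `const keys = [['ec-key.pem', 64]];` in the last hunk of test-crypto-sign-verify.js. The inner declaration shadows the outer one, which is legal but easy to misread when the two lists hold different shapes (objects versus `[file, length]` pairs). Renaming the outer list, for example `const signKeyPairs = [`, together with `signKeyPairs.push({` and `signKeyPairs.forEach((pair) => {`, removes the ambiguity.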
diff --git a/test/parallel/test-crypto.js b/test/parallel/test-crypto.js index d21a6bd3d98d6d..f63ad9d499b2aa 100644 --- a/test/parallel/test-crypto.js +++ b/test/parallel/test-crypto.js @@ -62,7 +62,7 @@ assert.throws(() => { // Throws general Error, so there is no opensslErrorStack property. return err instanceof Error && err.name === 'Error' && - /^Error: mac verify failure$/.test(err) && + (/^Error: (mac verify failure|INCORRECT_PASSWORD)$/.test(err)) && !('opensslErrorStack' in err); }); @@ -72,7 +72,7 @@ assert.throws(() => { // Throws general Error, so there is no opensslErrorStack property. return err instanceof Error && err.name === 'Error' && - /^Error: mac verify failure$/.test(err) && + (/^Error: (mac verify failure|INCORRECT_PASSWORD)$/.test(err)) && !('opensslErrorStack' in err); }); @@ -82,7 +82,7 @@ assert.throws(() => { // Throws general Error, so there is no opensslErrorStack property. return err instanceof Error && err.name === 'Error' && - /^Error: not enough data$/.test(err) && + /^Error: (not enough data|BAD_PKCS12_DATA)$/.test(err) && !('opensslErrorStack' in err); }); @@ -145,8 +145,12 @@ assert(crypto.getHashes().includes('sha1')); assert(crypto.getHashes().includes('sha256')); assert(!crypto.getHashes().includes('SHA1')); assert(!crypto.getHashes().includes('SHA256')); -assert(crypto.getHashes().includes('RSA-SHA1')); -assert(!crypto.getHashes().includes('rsa-sha1')); + +if (!process.features.openssl_is_boringssl) { + assert(crypto.getHashes().includes('RSA-SHA1')); + assert(!crypto.getHashes().includes('rsa-sha1')); +} + validateList(crypto.getHashes()); // Make sure all of the hashes are supported by OpenSSL for (const algo of crypto.getHashes()) 
@@ -197,61 +201,64 @@ assert.throws( } ); -assert.throws(() => { - const priv = [ - '-----BEGIN RSA PRIVATE KEY-----', - 'MIGrAgEAAiEA+3z+1QNF2/unumadiwEr+C5vfhezsb3hp4jAnCNRpPcCAwEAAQIgQNriSQK4', - 'EFwczDhMZp2dvbcz7OUUyt36z3S4usFPHSECEQD/41K7SujrstBfoCPzwC1xAhEA+5kt4BJy', - 'eKN7LggbF3Dk5wIQN6SL+fQ5H/+7NgARsVBp0QIRANxYRukavs4QvuyNhMx+vrkCEQCbf6j/', - 'Ig6/HueCK/0Jkmp+', - '-----END RSA PRIVATE KEY-----', - '', - ].join('\n'); - crypto.createSign('SHA256').update('test').sign(priv); -}, (err) => { - if (!hasOpenSSL3) - assert.ok(!('opensslErrorStack' in err)); - assert.throws(() => { throw err; }, hasOpenSSL3 ? { - name: 'Error', - message: 'error:02000070:rsa routines::digest too big for rsa key', - library: 'rsa routines', - } : { - name: 'Error', - message: /routines:RSA_sign:digest too big for rsa key$/, - library: /rsa routines/i, - function: 'RSA_sign', - reason: /digest[\s_]too[\s_]big[\s_]for[\s_]rsa[\s_]key/i, - code: 'ERR_OSSL_RSA_DIGEST_TOO_BIG_FOR_RSA_KEY' - }); - return true; -}); -if (!hasOpenSSL3) { +if (!process.features.openssl_is_boringssl) { assert.throws(() => { - // The correct header inside `rsa_private_pkcs8_bad.pem` should have been - // -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- - // instead of - // -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- - const sha1_privateKey = fixtures.readKey('rsa_private_pkcs8_bad.pem', - 'ascii'); - // This would inject errors onto OpenSSL's error stack - crypto.createSign('sha1').sign(sha1_privateKey); + const priv = [ + '-----BEGIN RSA PRIVATE KEY-----', + 'MIGrAgEAAiEA+3z+1QNF2/unumadiwEr+C5vfhezsb3hp4jAnCNRpPcCAwEAAQIgQNriSQK4', + 'EFwczDhMZp2dvbcz7OUUyt36z3S4usFPHSECEQD/41K7SujrstBfoCPzwC1xAhEA+5kt4BJy', + 'eKN7LggbF3Dk5wIQN6SL+fQ5H/+7NgARsVBp0QIRANxYRukavs4QvuyNhMx+vrkCEQCbf6j/', + 'Ig6/HueCK/0Jkmp+', + '-----END RSA PRIVATE KEY-----', + '', + ].join('\n'); + crypto.createSign('SHA256').update('test').sign(priv); }, (err) => { - // Do the standard checks, but then do 
some custom checks afterwards. - assert.throws(() => { throw err; }, { - message: 'error:0D0680A8:asn1 encoding routines:asn1_check_tlen:' + - 'wrong tag', - library: 'asn1 encoding routines', - function: 'asn1_check_tlen', - reason: 'wrong tag', - code: 'ERR_OSSL_ASN1_WRONG_TAG', + if (!hasOpenSSL3) + assert.ok(!('opensslErrorStack' in err)); + assert.throws(() => { throw err; }, hasOpenSSL3 ? { + name: 'Error', + message: 'error:02000070:rsa routines::digest too big for rsa key', + library: 'rsa routines', + } : { + name: 'Error', + message: /routines:RSA_sign:digest too big for rsa key$/, + library: /rsa routines/i, + function: 'RSA_sign', + reason: /digest[\s_]too[\s_]big[\s_]for[\s_]rsa[\s_]key/i, + code: 'ERR_OSSL_RSA_DIGEST_TOO_BIG_FOR_RSA_KEY' }); - // Throws crypto error, so there is an opensslErrorStack property. - // The openSSL stack should have content. - assert(Array.isArray(err.opensslErrorStack)); - assert(err.opensslErrorStack.length > 0); return true; }); + + if (!hasOpenSSL3) { + assert.throws(() => { + // The correct header inside `rsa_private_pkcs8_bad.pem` should have been + // -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- + // instead of + // -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- + const sha1_privateKey = fixtures.readKey('rsa_private_pkcs8_bad.pem', + 'ascii'); + // This would inject errors onto OpenSSL's error stack + crypto.createSign('sha1').sign(sha1_privateKey); + }, (err) => { + // Do the standard checks, but then do some custom checks afterwards. + assert.throws(() => { throw err; }, { + message: 'error:0D0680A8:asn1 encoding routines:asn1_check_tlen:' + + 'wrong tag', + library: 'asn1 encoding routines', + function: 'asn1_check_tlen', + reason: 'wrong tag', + code: 'ERR_OSSL_ASN1_WRONG_TAG', + }); + // Throws crypto error, so there is an opensslErrorStack property. + // The openSSL stack should have content. 
+ assert(Array.isArray(err.opensslErrorStack)); + assert(err.opensslErrorStack.length > 0); + return true; + }); + } } // Make sure memory isn't released before being returned diff --git a/test/parallel/test-tls-client-auth.js b/test/parallel/test-tls-client-auth.js index 04bf40b9a9e1ac..4cbf5635a6a3e7 100644 --- a/test/parallel/test-tls-client-auth.js +++ b/test/parallel/test-tls-client-auth.js @@ -110,7 +110,7 @@ if (tls.DEFAULT_MAX_VERSION === 'TLSv1.3') connect({ // and sends a fatal Alert to the client that the client discovers there has // been a fatal error. pair.client.conn.once('error', common.mustCall((err) => { - assert.strictEqual(err.code, 'ERR_SSL_TLSV13_ALERT_CERTIFICATE_REQUIRED'); + assert.match(err.code, /^ERR_SSL_TLSV1(3)?_ALERT_CERTIFICATE_REQUIRED$/); cleanup(); })); })); diff --git a/test/parallel/test-tls-peer-certificate.js b/test/parallel/test-tls-peer-certificate.js index 6c440ee44b8cf8..fa9c74f1f74369 100644 --- a/test/parallel/test-tls-peer-certificate.js +++ b/test/parallel/test-tls-peer-certificate.js @@ -54,7 +54,7 @@ connect({ assert.strictEqual(peerCert.ca, false); assert.strictEqual(peerCert.issuerCertificate.ca, true); assert.strictEqual(peerCert.subject.emailAddress, 'ry@tinyclouds.org'); - assert.strictEqual(peerCert.serialNumber, '147D36C1C2F74206DE9FAB5F2226D78ADB00A426'); + assert.match(peerCert.serialNumber, /147D36C1C2F74206DE9FAB5F2226D78ADB00A426/i); assert.strictEqual(peerCert.exponent, '0x10001'); assert.strictEqual(peerCert.bits, 2048); // The conversion to bits is odd because modulus isn't a buffer, its a hex @@ -94,7 +94,7 @@ connect({ const issuer = peerCert.issuerCertificate; assert.strictEqual(issuer.issuerCertificate, issuer); - assert.strictEqual(issuer.serialNumber, '4AB16C8DFD6A7D0D2DFCABDF9C4B0E92C6AD0229'); + assert.match(issuer.serialNumber, /4AB16C8DFD6A7D0D2DFCABDF9C4B0E92C6AD0229/i); return cleanup(); })); 
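Review bot: `assert.match(peerCert.serialNumber, /147D36C1C2F74206DE9FAB5F2226D78ADB00A426/i)` in test-tls-peer-certificate.js is unanchored, so any serial that merely contains these hex digits passes, which is weaker than the exact comparison it replaces. If the goal is only to tolerate lower-case hex, compare a normalised value instead: `assert.strictEqual(peerCert.serialNumber.toUpperCase(), '147D36C1C2F74206DE9FAB5F2226D78ADB00A426');`. The same pattern appears in the other three hunks of this file and in both hunks of test-tls-pfx-authorizationerror.js.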
@@ -112,7 +112,7 @@ connect({
 assert.ok(peerCert.issuerCertificate);
 assert.strictEqual(peerCert.subject.emailAddress, 'ry@tinyclouds.org');
- assert.strictEqual(peerCert.serialNumber, '32E8197681DA33185867B52885F678BFDBA51727');
+ assert.match(peerCert.serialNumber, /32E8197681DA33185867B52885F678BFDBA51727/i);
 assert.strictEqual(peerCert.exponent, undefined);
 assert.strictEqual(peerCert.pubKey, undefined);
 assert.strictEqual(peerCert.modulus, undefined);
@@ -144,7 +144,7 @@ connect({
 const issuer = peerCert.issuerCertificate;
 assert.strictEqual(issuer.issuerCertificate, issuer);
- assert.strictEqual(issuer.serialNumber, '32E8197681DA33185867B52885F678BFDBA51727');
+ assert.match(issuer.serialNumber, /32E8197681DA33185867B52885F678BFDBA51727/i);
 return cleanup();
 }));
diff --git a/test/parallel/test-tls-pfx-authorizationerror.js b/test/parallel/test-tls-pfx-authorizationerror.js
index 53fcc0b16b5bd6..ee73ed23693d2d 100644
--- a/test/parallel/test-tls-pfx-authorizationerror.js
+++ b/test/parallel/test-tls-pfx-authorizationerror.js
@@ -22,8 +22,8 @@ const server = tls
 rejectUnauthorized: false
 },
 common.mustCall(function(c) {
- assert.strictEqual(c.getPeerCertificate().serialNumber,
- '147D36C1C2F74206DE9FAB5F2226D78ADB00A426');
+ assert.match(c.getPeerCertificate().serialNumber,
+ /147D36C1C2F74206DE9FAB5F2226D78ADB00A426/i);
 assert.strictEqual(c.authorizationError, null);
 c.end();
 })
@@ -41,8 +41,8 @@ const server = tls
 // Calling this repeatedly is a regression test that verifies
 // that .getCertificate() does not accidentally decrease the
 // reference count of the X509* certificate on the native side.
- assert.strictEqual(client.getCertificate().serialNumber,
- '147D36C1C2F74206DE9FAB5F2226D78ADB00A426');
+ assert.match(client.getCertificate().serialNumber,
+ /147D36C1C2F74206DE9FAB5F2226D78ADB00A426/i);
 }
 client.end();
 server.close();
diff --git a/test/parallel/test-tls-set-sigalgs.js b/test/parallel/test-tls-set-sigalgs.js
index 985ca13ba2ac7d..3ff71f1163d3b1 100644
--- a/test/parallel/test-tls-set-sigalgs.js
+++ b/test/parallel/test-tls-set-sigalgs.js
@@ -65,13 +65,14 @@ test('RSA-PSS+SHA256:RSA-PSS+SHA512:ECDSA+SHA256',
 'RSA-PSS+SHA256:ECDSA+SHA256',
 ['RSA-PSS+SHA256', 'ECDSA+SHA256']);
+const cerr = process.features.openssl_is_boringssl ?
+ 'ERR_SSL_NO_COMMON_SIGNATURE_ALGORITHMS' : 'ERR_SSL_NO_SHARED_SIGNATURE_ALGORITHMS';
+
 // Do not have shared sigalgs.
 const handshakeErr = hasOpenSSL(3, 2) ?
 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE' : 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE';
 test('RSA-PSS+SHA384', 'ECDSA+SHA256',
- undefined, handshakeErr,
- 'ERR_SSL_NO_SHARED_SIGNATURE_ALGORITHMS');
+ undefined, handshakeErr, cerr);
 test('RSA-PSS+SHA384:ECDSA+SHA256', 'ECDSA+SHA384:RSA-PSS+SHA256',
- undefined, handshakeErr,
- 'ERR_SSL_NO_SHARED_SIGNATURE_ALGORITHMS');
+ undefined, handshakeErr, cerr);
diff --git a/test/parallel/test-webcrypto-export-import-cfrg.js b/test/parallel/test-webcrypto-export-import-cfrg.js
index 9cfc6e9e4ecf5a..54f34a2e134ac6 100644
--- a/test/parallel/test-webcrypto-export-import-cfrg.js
+++ b/test/parallel/test-webcrypto-export-import-cfrg.js
@@ -415,7 +415,7 @@ async function testImportRaw({ name, publicUsages }) {
 await Promise.all(tests);
 })().then(common.mustCall());
-{
+if (!process.features.openssl_is_boringssl) {
 const rsaPublic = crypto.createPublicKey(
 fixtures.readKey('rsa_public_2048.pem'));
 const rsaPrivate = crypto.createPrivateKey(
@@ -436,4 +436,6 @@ async function testImportRaw({ name, publicUsages }) {
 { name }, true, privateUsages),
 { message: /Invalid key type/ }).then(common.mustCall());
 }
+} else {
+ common.printSkipMessage('Skipping RSA key import tests');
 }
diff --git a/test/parallel/test-webcrypto-wrap-unwrap.js b/test/parallel/test-webcrypto-wrap-unwrap.js
index bd788ec4ed8828..c6a6f33490595f 100644
--- a/test/parallel/test-webcrypto-wrap-unwrap.js
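Review bot: The new constant `cerr` is passed as the last argument of both `test(...)` calls, after `handshakeErr`, and its name says neither which side's error it holds nor why it varies by backend. If `test()` takes the client error before the server error (its signature is outside the hunk), `cerr` reads as the client error while it sits in the other position. A descriptive name such as `noSharedSigalgsErr` avoids that, with a comment like `// BoringSSL reports NO_COMMON_SIGNATURE_ALGORITHMS where OpenSSL reports NO_SHARED_SIGNATURE_ALGORITHMS.` Declaring it below the existing `// Do not have shared sigalgs.` comment, next to `handshakeErr`, would keep the two expectations together.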
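Review bot: The block now guarded by `if (!process.features.openssl_is_boringssl)` is a negative test that expects the import of RSA keys to be rejected with `/Invalid key type/`, and on BoringSSL builds that rejection is no longer exercised at all. The skip message `'Skipping RSA key import tests'` gives no reason, so a reader cannot tell whether the rejection behaves differently on BoringSSL or whether the fixture keys cannot be loaded there. A comment above the guard stating the cause would help. If only the error text differs, loosening the `message` matcher for BoringSSL would keep the key-type check covered. Most of the guarded block's body lies between the two hunks and is not visible.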
+++ b/test/parallel/test-webcrypto-wrap-unwrap.js
@@ -179,13 +179,6 @@ async function generateKeysToWrap() {
 usages: ['encrypt', 'decrypt'],
 pair: false,
 },
- {
- algorithm: {
- name: 'ChaCha20-Poly1305'
- },
- usages: ['encrypt', 'decrypt'],
- pair: false,
- },
 {
 algorithm: {
 name: 'HMAC',
@@ -203,6 +210,18 @@ async function generateKeysToWrap() {
 common.printSkipMessage('Skipping unsupported AES-KW test case');
 }
+ if (!process.features.openssl_is_boringssl) {
+ parameters.push({
+ algorithm: {
+ name: 'ChaCha20-Poly1305'
+ },
+ usages: ['encrypt', 'decrypt'],
+ pair: false,
+ });
+ } else {
+ common.printSkipMessage('Skipping unsupported ChaCha20-Poly1305 test case');
+ }
+
 if (hasOpenSSL(3, 5)) {
 for (const name of ['ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87']) {
 parameters.push({