Merge pull request #54 from perl-net-saml2/xmlsec-updates

timlegge · web-flow · commit dbcff0518855 · 2023-03-12T21:18:52.000-03:00
Fix tests for changes to xmlsec output
diff --git a/t/002_xmlsec.t b/t/002_xmlsec.t
@@ -3,22 +3,19 @@
 use strict;
 use warnings;
 
+use Test::Lib;
+use Test::XML::Sig;
 use Test::More qw/ no_plan /;
-use File::Which;
-
 
 BEGIN {
     use_ok( 'XML::Sig' );
 }
 
-SKIP: {
-    skip "xmlsec1 not installed", 4 unless which('xmlsec1');
-
-    # Try whether xmlsec is correctly installed which
-    # doesn't seem to be the case on every cpan testing machine
+my $xmlsec  = get_xmlsec_features;
+my $lax_key_search = $xmlsec->{lax_key_search} ? '--lax-key-search' :  '';
 
-    my $output = `xmlsec1 --version`;
-    skip "xmlsec1 not correctly installed", 6 if $?;
+SKIP: {
+    skip "xmlsec1 not installed", 4 unless $xmlsec->{installed};
 
     my $xml = '<?xml version="1.0"?>'."\n".'<foo ID="XML-SIG_1">'."\n".'    <bar>123</bar>'."\n".'</foo>';
     my $sig = XML::Sig->new( { key => 't/rsa.private.key', cert => 't/rsa.cert.pem' } );
@@ -28,8 +25,8 @@ SKIP: {
     ok( open XML, '>', 'tmp.xml' );
     print XML $signed;
     close XML;
-    my $verify_response = `xmlsec1 --verify --id-attr:ID "foo" --pubkey-cert-pem t/rsa.cert.pem --untrusted-pem t/intermediate.pem --trusted-pem t/cacert.pem tmp.xml 2>&1`;
-    ok( $verify_response =~ m/^OK/, "Response is OK for xmlsec1" )
+    my $verify_response = `xmlsec1 --verify $lax_key_search --id-attr:ID "foo" --pubkey-cert-pem t/rsa.cert.pem --untrusted-pem t/intermediate.pem --trusted-pem t/cacert.pem tmp.xml 2>&1`;
+    ok( $verify_response =~ m/OK/, "Response is OK for xmlsec1" )
         or warn "calling xmlsec1 failed: '$verify_response'\n";
 
     unlink 'tmp.xml';
diff --git a/t/008_sign_saml.t b/t/008_sign_saml.t
@@ -56,7 +56,7 @@ foreach my $key ('t/dsa.private-2048.key', 't/dsa.private-3072.key', 't/dsa.priv
         }
 
         my $verify_response = `xmlsec1 --verify --id-attr:ID "ArtifactResolve" t/dsa.xml 2>&1`;
-        ok( $verify_response =~ m/^OK/, "DSA verify XML:Sig signed with $key: xmlsec1 Response is OK" )
+        ok( $verify_response =~ m/OK/, "DSA verify XML:Sig signed with $key: xmlsec1 Response is OK" )
             or warn "calling xmlsec1 failed: '$verify_response'\n";
         unlink 't/dsa.xml';
     }
@@ -74,7 +74,7 @@ ok($xmlsec_ret, "xmlsec1: DSA Verifed Successfully");
     SKIP: {
         skip "xmlsec1 not installed", 1 unless which('xmlsec1');
         my $verify_response = `xmlsec1 --verify --id-attr:ID "ArtifactResolve" t/signed/saml_request-xmlsec1-dsa-signed.xml 2>&1`;
-        ok( $verify_response =~ m/^OK/, "DSA verify XML:Sig signed with $key: xmlsec1 Response is OK" )
+        ok( $verify_response =~ m/OK/, "DSA verify XML:Sig signed with $key: xmlsec1 Response is OK" )
             or warn "calling xmlsec1 failed: '$verify_response'\n";
     }
 }
diff --git a/t/011-sign_multiple_sections.t b/t/011-sign_multiple_sections.t
@@ -51,7 +51,7 @@ SKIP: {
     }
 
     my $verify_response = `xmlsec1 --verify --pubkey-cert-pem t/rsa.cert.pem --untrusted-pem t/intermediate.pem --trusted-pem t/cacert.pem --id-attr:ID "Response" --id-attr:ID "Assertion" t/rsa.xml 2>&1`;
-    ok( $verify_response =~ m/^OK/, "RSA verify XML:Sig signed: xmlsec1 Response is OK" )
+    ok( $verify_response =~ m/OK/, "RSA verify XML:Sig signed: xmlsec1 Response is OK" )
         or warn "calling xmlsec1 failed: '$verify_response'\n";
 }
 
@@ -89,7 +89,7 @@ SKIP: {
     }
 
     my $verify_response = `xmlsec1 --verify --id-attr:ID "Response" --id-attr:ID "Assertion" t/dsa.xml 2>&1`;
-    ok( $verify_response =~ m/^OK/, "DSA verify XML:Sig signed: xmlsec1 Response is OK" )
+    ok( $verify_response =~ m/OK/, "DSA verify XML:Sig signed: xmlsec1 Response is OK" )
         or warn "calling xmlsec1 failed: '$verify_response'\n";
 }
 
diff --git a/t/015_ecdsa_signing.t b/t/015_ecdsa_signing.t
@@ -23,9 +23,9 @@ SKIP: {
     skip "xmlsec1 not installed", 1 unless which('xmlsec1');
 
     my $verify_response = `xmlsec1 --verify --trusted-pem t/ecdsa.public.pem --id-attr:ID "foo" t/tmp.xml 2>&1`;
-    ok( $verify_response =~ m/^OK/, "ECDSA Response is verified using xmlsec1" )
+    ok( $verify_response =~ m/OK/, "ECDSA Response is verified using xmlsec1" )
         or warn "calling xmlsec1 failed: '$verify_response'\n";
-    if ($verify_response =~ m/^OK/) {
+    if ($verify_response =~ m/OK/) {
         unlink 't/tmp.xml';
     } else{
         print $signed;
diff --git a/t/016-SigningAlgorithms.t b/t/016-SigningAlgorithms.t
@@ -30,7 +30,7 @@ SKIP: {
     close XML;
 
     my $verify_response = `xmlsec1 --verify --id-attr:ID "foo" t/tmp.xml 2>&1`;
-    ok( $verify_response =~ m/^OK/, "t/tmp.xml is verified using xmlsec1" )
+    ok( $verify_response =~ m/OK/, "t/tmp.xml is verified using xmlsec1" )
         or warn "calling xmlsec1 failed: '$verify_response'\n";
     unlink "t/tmp.xml";
     }
@@ -58,7 +58,7 @@ SKIP: {
     close XML;
 
     my $verify_response = `xmlsec1 --verify --pubkey-cert-pem t/rsa.cert.pem --untrusted-pem t/intermediate.pem --trusted-pem t/cacert.pem --id-attr:ID "foo" t/tmp.xml 2>&1`;
-    ok( $verify_response =~ m/^OK/, "t/tmp.xml RSA is verified using xmlsec1 - no X509" )
+    ok( $verify_response =~ m/OK/, "t/tmp.xml RSA is verified using xmlsec1 - no X509" )
         or warn "calling xmlsec1 failed: '$verify_response'\n";
     unlink "t/tmp.xml";
 
@@ -89,7 +89,7 @@ SKIP: {
     close XML;
 
     my $verify_response = `xmlsec1 --verify --pubkey-cert-pem t/rsa.cert.pem --untrusted-pem t/intermediate.pem --trusted-pem t/cacert.pem --id-attr:ID "foo" t/tmp.xml 2>&1`;
-    ok( $verify_response =~ m/^OK/, "t/tmp.xml RSA is verified using xmlsec1" )
+    ok( $verify_response =~ m/OK/, "t/tmp.xml RSA is verified using xmlsec1" )
         or warn "calling xmlsec1 failed: '$verify_response'\n";
     unlink "t/tmp.xml";
     }
@@ -114,9 +114,9 @@ foreach my $alg (@hash_alg) {
         close XML;
 
         my $verify_response = `xmlsec1 --verify --trusted-pem t/ecdsa.public.pem --id-attr:ID "foo" t/tmp.xml 2>&1`;
-        ok( $verify_response =~ m/^OK/, "ECDSA Response is verified using xmlsec1" )
+        ok( $verify_response =~ m/OK/, "ECDSA Response is verified using xmlsec1" )
             or warn "calling xmlsec1 failed: '$verify_response'\n";
-        if ($verify_response =~ m/^OK/) {
+        if ($verify_response =~ m/OK/) {
             unlink 't/tmp.xml';
         } else{
             print $signed;
diff --git a/t/017-DigestAlgorithms.t b/t/017-DigestAlgorithms.t
@@ -35,7 +35,7 @@ SKIP: {
     close XML;
 
     my $verify_response = `xmlsec1 --verify --id-attr:ID "foo" t/tmp.xml 2>&1`;
-    ok( $verify_response =~ m/^OK/, "t/tmp.xml is verified using xmlsec1" )
+    ok( $verify_response =~ m/OK/, "t/tmp.xml is verified using xmlsec1" )
         or warn "calling xmlsec1 failed: '$verify_response'\n";
     unlink "t/tmp.xml";
     }
@@ -66,7 +66,7 @@ SKIP: {
     close XML;
 
     my $verify_response = `xmlsec1 --verify --pubkey-cert-pem t/rsa.cert.pem --untrusted-pem t/intermediate.pem --trusted-pem t/cacert.pem --id-attr:ID "foo" t/tmp.xml 2>&1`;
-    ok( $verify_response =~ m/^OK/, "t/tmp.xml RSA is verified using xmlsec1 - no X509" )
+    ok( $verify_response =~ m/OK/, "t/tmp.xml RSA is verified using xmlsec1 - no X509" )
         or warn "calling xmlsec1 failed: '$verify_response'\n";
     unlink "t/tmp.xml";
 
@@ -100,7 +100,7 @@ SKIP: {
     close XML;
 
     my $verify_response = `xmlsec1 --verify --pubkey-cert-pem t/rsa.cert.pem --untrusted-pem t/intermediate.pem --trusted-pem t/cacert.pem --id-attr:ID "foo" t/tmp.xml 2>&1`;
-    ok( $verify_response =~ m/^OK/, "t/tmp.xml RSA is verified using xmlsec1" )
+    ok( $verify_response =~ m/OK/, "t/tmp.xml RSA is verified using xmlsec1" )
         or warn "calling xmlsec1 failed: '$verify_response'\n";
     unlink "t/tmp.xml";
 
@@ -130,9 +130,9 @@ foreach my $alg (@hash_alg) {
         close XML;
 
         my $verify_response = `xmlsec1 --verify --trusted-pem t/ecdsa.public.pem --id-attr:ID "foo" t/tmp.xml 2>&1`;
-        ok( $verify_response =~ m/^OK/, "ECDSA Response is verified using xmlsec1" )
+        ok( $verify_response =~ m/OK/, "ECDSA Response is verified using xmlsec1" )
             or warn "calling xmlsec1 failed: '$verify_response'\n";
-        if ($verify_response =~ m/^OK/) {
+        if ($verify_response =~ m/OK/) {
             unlink 't/tmp.xml';
         } else{
             print $signed;
diff --git a/t/018-DigestSignatureAlgorithms.t b/t/018-DigestSignatureAlgorithms.t
@@ -45,7 +45,7 @@ foreach my $key ('t/dsa.private.key', 't/dsa.private-2048.key', 't/dsa.private-3
             close XML;
 
             my $verify_response = `xmlsec1 --verify --id-attr:ID "foo" t/tmp-dsa-$sig->{sig_hash}-nox509-$digalg.xml 2>&1`;
-            ok( $verify_response =~ m/^OK/, "t/tmp-dsa-$sig->{sig_hash}-nox509-$digalg.xml is verified using xmlsec1" )
+            ok( $verify_response =~ m/OK/, "t/tmp-dsa-$sig->{sig_hash}-nox509-$digalg.xml is verified using xmlsec1" )
                 or warn "calling xmlsec1 failed: '$verify_response'\n";
             unlink "t/tmp-dsa-$sig->{sig_hash}-nox509-$digalg.xml";
         }
@@ -79,9 +79,9 @@ foreach my $key ('t/dsa.private.key', 't/dsa.private-2048.key', 't/dsa.private-3
             close XML;
 
             my $verify_response = `xmlsec1 --verify --id-attr:ID "foo" --pubkey-cert-pem t/dsa.public.pem --trusted-pem t/dsa.public.pem t/tmp-dsa-$sig->{sig_hash}-x509-$digalg.xml 2>&1`;
-            ok( $verify_response =~ m/^OK/, "t/tmp-dsa-$sig->{sig_hash}-x509-$digalg.xml is verified using xmlsec1" )
+            ok( $verify_response =~ m/OK/, "t/tmp-dsa-$sig->{sig_hash}-x509-$digalg.xml is verified using xmlsec1" )
                 or warn "calling xmlsec1 failed: '$verify_response'\n";
-            if ($verify_response =~ m/^OK/) {
+            if ($verify_response =~ m/OK/) {
                 unlink "t/tmp-dsa-$sig->{sig_hash}-x509-$digalg.xml";
             } else{
                 print $signed;
@@ -120,7 +120,7 @@ foreach my $sigalg (@hash) {
             close XML;
 
             my $verify_response = `xmlsec1 --verify --pubkey-cert-pem t/rsa.cert.pem --untrusted-pem t/intermediate.pem --trusted-pem t/cacert.pem --id-attr:ID "foo" t/tmp-rsa-$sigalg-nox509-$digalg.xml 2>&1`;
-            ok( $verify_response =~ m/^OK/, "t/tmp-rsa-$sigalg-nox509-$digalg.xml RSA is verified using xmlsec1 - no X509" )
+            ok( $verify_response =~ m/OK/, "t/tmp-rsa-$sigalg-nox509-$digalg.xml RSA is verified using xmlsec1 - no X509" )
                 or warn "calling xmlsec1 failed: '$verify_response'\n";
             unlink "t/tmp-rsa-$sigalg-nox509-$digalg.xml";
 
@@ -157,7 +157,7 @@ foreach my $sigalg (@hash) {
             close XML;
 
             my $verify_response = `xmlsec1 --verify --pubkey-cert-pem t/rsa.cert.pem --untrusted-pem t/intermediate.pem --trusted-pem t/cacert.pem --id-attr:ID "foo" t/tmp-rsa-$sigalg-x509-$digalg.xml 2>&1`;
-            ok( $verify_response =~ m/^OK/, "t/tmp-rsa-$sigalg-x509-$digalg.xml RSA is verified using xmlsec1" )
+            ok( $verify_response =~ m/OK/, "t/tmp-rsa-$sigalg-x509-$digalg.xml RSA is verified using xmlsec1" )
                 or warn "calling xmlsec1 failed: '$verify_response'\n";
             unlink "t/tmp-rsa-$sigalg-x509-$digalg.xml";
 
@@ -196,9 +196,9 @@ foreach my $sigalg (@hash) {
             close XML;
 
             my $verify_response = `xmlsec1 --verify --trusted-pem t/ecdsa.public.pem --id-attr:ID "foo" t/tmp-ecdsa-$sigalg-x509-$digalg.xml 2>&1`;
-            ok( $verify_response =~ m/^OK/, "ECDSA Response is verified using xmlsec1" )
+            ok( $verify_response =~ m/OK/, "ECDSA Response is verified using xmlsec1" )
                 or warn "calling xmlsec1 failed: '$verify_response'\n";
-            if ($verify_response =~ m/^OK/) {
+            if ($verify_response =~ m/OK/) {
                 unlink "t/tmp-ecdsa-$sigalg-x509-$digalg.xml";
             } else{
                 print $signed;
diff --git a/t/019_dsakeys.t b/t/019_dsakeys.t
@@ -31,7 +31,7 @@ SKIP: {
     close XML;
 
     my $verify_response = `xmlsec1 --verify --pubkey-cert-pem t/dsa.public.pem --trusted-pem t/dsa.public.pem  --id-attr:ID "foo" t/tmp.xml 2>&1`;
-    ok( $verify_response =~ m/^OK/, "t/tmp.xml is verified using xmlsec1 and X509Certificate" )
+    ok( $verify_response =~ m/OK/, "t/tmp.xml is verified using xmlsec1 and X509Certificate" )
         or warn "calling xmlsec1 failed: '$verify_response'\n";
     unlink "t/tmp.xml";
 }
diff --git a/t/020_dsakeys-2048.t b/t/020_dsakeys-2048.t
@@ -33,7 +33,7 @@ SKIP: {
     close XML;
 
     my $verify_response = `xmlsec1 --verify --pubkey-cert-pem t/dsa.public-2048.pem --trusted-pem t/dsa.public-2048.pem  --id-attr:ID "foo" t/tmp.xml 2>&1`;
-    ok( $verify_response =~ m/^OK/, "t/tmp.xml is verified using xmlsec1 and X509Certificate" )
+    ok( $verify_response =~ m/OK/, "t/tmp.xml is verified using xmlsec1 and X509Certificate" )
         or warn "calling xmlsec1 failed: '$verify_response'\n";
     unlink "t/tmp.xml";
 }
diff --git a/t/021_dsakeys-3072.t b/t/021_dsakeys-3072.t
@@ -33,7 +33,7 @@ SKIP: {
     close XML;
 
     my $verify_response = `xmlsec1 --verify --pubkey-cert-pem t/dsa.public-3072.pem --trusted-pem t/dsa.public-3072.pem  --id-attr:ID "foo" t/tmp.xml 2>&1`;
-    ok( $verify_response =~ m/^OK/, "t/tmp.xml is verified using xmlsec1 and X509Certificate" )
+    ok( $verify_response =~ m/OK/, "t/tmp.xml is verified using xmlsec1 and X509Certificate" )
         or warn "calling xmlsec1 failed: '$verify_response'\n";
     unlink "t/tmp.xml";
 }
diff --git a/t/023_hmac.t b/t/023_hmac.t
@@ -42,9 +42,9 @@ foreach my $alg (@hash_alg) {
         print XML $signed;
         close XML;
         my $verify_response = `xmlsec1 --verify --keys-file t/xmlsec-keys.xml --id-attr:ID "foo" tmp-$alg.xml 2>&1`;
-        ok( $verify_response =~ m/^OK/, "Response is OK for xmlsec1" )
+        ok( $verify_response =~ m/OK/, "Response is OK for xmlsec1" )
             or warn "calling xmlsec1 failed: '$verify_response'\n";
-        if ($verify_response =~ m/^OK/) {
+        if ($verify_response =~ m/OK/) {
             unlink "tmp-$alg.xml";
         } else{
             print $signed;
diff --git a/t/lib/Test/XML/Sig/Util.pm b/t/lib/Test/XML/Sig/Util.pm
@@ -51,6 +51,8 @@ sub get_xmlsec_features {
                     minor       => $minor,
                     patch       => $patch,
                     ripemd160   => ($major >= 1 and $minor >= 3) ? 1 : 0,
+                    aes_gcm     => ($major <= 1 and $minor <= 2 and $patch <= 27) ? 0 : 1,
+                    lax_key_search => ($major >= 1 and $minor >= 3) ? 1 : 0,
                 );
     return \%xmlsec;
 }

Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ foreach my $key ('t/dsa.private-2048.key', 't/dsa.private-3072.key', 't/dsa.priv`
`56`	`56`	`}`
`57`	`57`
`58`	`58`	my $verify_response = `xmlsec1 --verify --id-attr:ID "ArtifactResolve" t/dsa.xml 2>&1`;
`59`		`- ok( $verify_response =~ m/^OK/, "DSA verify XML:Sig signed with $key: xmlsec1 Response is OK" )`
	`59`	`+ ok( $verify_response =~ m/OK/, "DSA verify XML:Sig signed with $key: xmlsec1 Response is OK" )`
`60`	`60`	`or warn "calling xmlsec1 failed: '$verify_response'\n";`
`61`	`61`	`unlink 't/dsa.xml';`
`62`	`62`	`}`
`@@ -74,7 +74,7 @@ ok($xmlsec_ret, "xmlsec1: DSA Verifed Successfully");`
`74`	`74`	`SKIP: {`
`75`	`75`	`skip "xmlsec1 not installed", 1 unless which('xmlsec1');`
`76`	`76`	my $verify_response = `xmlsec1 --verify --id-attr:ID "ArtifactResolve" t/signed/saml_request-xmlsec1-dsa-signed.xml 2>&1`;
`77`		`- ok( $verify_response =~ m/^OK/, "DSA verify XML:Sig signed with $key: xmlsec1 Response is OK" )`
	`77`	`+ ok( $verify_response =~ m/OK/, "DSA verify XML:Sig signed with $key: xmlsec1 Response is OK" )`
`78`	`78`	`or warn "calling xmlsec1 failed: '$verify_response'\n";`
`79`	`79`	`}`
`80`	`80`	`}`
Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ SKIP: {`
`51`	`51`	`}`
`52`	`52`
`53`	`53`	my $verify_response = `xmlsec1 --verify --pubkey-cert-pem t/rsa.cert.pem --untrusted-pem t/intermediate.pem --trusted-pem t/cacert.pem --id-attr:ID "Response" --id-attr:ID "Assertion" t/rsa.xml 2>&1`;
`54`		`- ok( $verify_response =~ m/^OK/, "RSA verify XML:Sig signed: xmlsec1 Response is OK" )`
	`54`	`+ ok( $verify_response =~ m/OK/, "RSA verify XML:Sig signed: xmlsec1 Response is OK" )`
`55`	`55`	`or warn "calling xmlsec1 failed: '$verify_response'\n";`
`56`	`56`	`}`
`57`	`57`
`@@ -89,7 +89,7 @@ SKIP: {`
`89`	`89`	`}`
`90`	`90`
`91`	`91`	my $verify_response = `xmlsec1 --verify --id-attr:ID "Response" --id-attr:ID "Assertion" t/dsa.xml 2>&1`;
`92`		`- ok( $verify_response =~ m/^OK/, "DSA verify XML:Sig signed: xmlsec1 Response is OK" )`
	`92`	`+ ok( $verify_response =~ m/OK/, "DSA verify XML:Sig signed: xmlsec1 Response is OK" )`
`93`	`93`	`or warn "calling xmlsec1 failed: '$verify_response'\n";`
`94`	`94`	`}`
`95`	`95`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ SKIP: {`
`31`	`31`	`close XML;`
`32`	`32`
`33`	`33`	my $verify_response = `xmlsec1 --verify --pubkey-cert-pem t/dsa.public.pem --trusted-pem t/dsa.public.pem --id-attr:ID "foo" t/tmp.xml 2>&1`;
`34`		`- ok( $verify_response =~ m/^OK/, "t/tmp.xml is verified using xmlsec1 and X509Certificate" )`
	`34`	`+ ok( $verify_response =~ m/OK/, "t/tmp.xml is verified using xmlsec1 and X509Certificate" )`
`35`	`35`	`or warn "calling xmlsec1 failed: '$verify_response'\n";`
`36`	`36`	`unlink "t/tmp.xml";`
`37`	`37`	`}`
Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ SKIP: {`
`33`	`33`	`close XML;`
`34`	`34`
`35`	`35`	my $verify_response = `xmlsec1 --verify --pubkey-cert-pem t/dsa.public-2048.pem --trusted-pem t/dsa.public-2048.pem --id-attr:ID "foo" t/tmp.xml 2>&1`;
`36`		`- ok( $verify_response =~ m/^OK/, "t/tmp.xml is verified using xmlsec1 and X509Certificate" )`
	`36`	`+ ok( $verify_response =~ m/OK/, "t/tmp.xml is verified using xmlsec1 and X509Certificate" )`
`37`	`37`	`or warn "calling xmlsec1 failed: '$verify_response'\n";`
`38`	`38`	`unlink "t/tmp.xml";`
`39`	`39`	`}`