From bce73f0df698fee4ceab2b3a1ef31cb92cf0ca50 Mon Sep 17 00:00:00 2001 From: Huw Jones Date: Wed, 13 Aug 2025 20:48:54 +0100 Subject: [PATCH 1/3] rsa: improve coverage of de-/serialisation methods * Serialise the test key in several different formats * Compare serialisation output directly against known good (to prevent regressions) * Rename the test keys to have a consistent naming scheme * Add more deserialisation tests covering different input formats --- openssl/src/cipher_ctx.rs | 2 +- openssl/src/envelope.rs | 2 +- openssl/src/rsa.rs | 86 ++++++++++++++++++---- openssl/test/rsa.der | Bin 0 -> 1191 bytes openssl/test/rsa.pem | 55 +++++++------- openssl/test/rsa.pkcs1.der | Bin 0 -> 1191 bytes openssl/test/rsa.pkcs1.pem | 27 +++++++ openssl/test/rsa.pub.der | Bin 0 -> 294 bytes openssl/test/{rsa.pem.pub => rsa.pub.pem} | 0 openssl/test/rsa.pub.pkcs1.der | Bin 0 -> 270 bytes openssl/test/rsa.pub.pkcs1.pem | 8 ++ 11 files changed, 138 insertions(+), 42 deletions(-) create mode 100644 openssl/test/rsa.der create mode 100644 openssl/test/rsa.pkcs1.der create mode 100644 openssl/test/rsa.pkcs1.pem create mode 100644 openssl/test/rsa.pub.der rename openssl/test/{rsa.pem.pub => rsa.pub.pem} (100%) create mode 100644 openssl/test/rsa.pub.pkcs1.der create mode 100644 openssl/test/rsa.pub.pkcs1.pem diff --git a/openssl/src/cipher_ctx.rs b/openssl/src/cipher_ctx.rs index dc8887239c..815af5b87b 100644 --- a/openssl/src/cipher_ctx.rs +++ b/openssl/src/cipher_ctx.rs @@ -735,7 +735,7 @@ mod test { #[cfg(not(any(boringssl, awslc)))] fn seal_open() { let private_pem = include_bytes!("../test/rsa.pem"); - let public_pem = include_bytes!("../test/rsa.pem.pub"); + let public_pem = include_bytes!("../test/rsa.pub.pem"); let private_key = PKey::private_key_from_pem(private_pem).unwrap(); let public_key = PKey::public_key_from_pem(public_pem).unwrap(); let cipher = Cipher::aes_256_cbc(); 
diff --git a/openssl/src/envelope.rs b/openssl/src/envelope.rs
index f6ebc722f4..f84216f214 100644
--- a/openssl/src/envelope.rs
+++ b/openssl/src/envelope.rs
@@ -158,7 +158,7 @@ mod test {
 #[test]
 fn public_encrypt_private_decrypt() {
 let private_pem = include_bytes!("../test/rsa.pem");
- let public_pem = include_bytes!("../test/rsa.pem.pub");
+ let public_pem = include_bytes!("../test/rsa.pub.pem");
 let private_key = PKey::private_key_from_pem(private_pem).unwrap();
 let public_key = PKey::public_key_from_pem(public_pem).unwrap();
 let cipher = Cipher::aes_256_cbc();
diff --git a/openssl/src/rsa.rs b/openssl/src/rsa.rs
index b3adcddad2..b2e339bc2f 100644
--- a/openssl/src/rsa.rs
+++ b/openssl/src/rsa.rs
@@ -683,17 +683,37 @@ cfg_if! {
 #[cfg(test)]
 mod test {
 use crate::symm::Cipher;
+ use std::str::from_utf8;

 use super::*;

 #[test]
- fn test_from_password() {
+ fn test_private_key_from_pem() {
+ Rsa::private_key_from_pem(include_bytes!("../test/rsa.pem")).unwrap();
+ }
+
+ #[test]
+ fn test_private_key_from_pem_pkcs1() {
+ Rsa::private_key_from_pem(include_bytes!("../test/rsa.pkcs1.pem")).unwrap();
+ }
+ #[test]
+ fn test_private_key_from_der() {
+ Rsa::private_key_from_der(include_bytes!("../test/rsa.der")).unwrap();
+ }
+
+ #[test]
+ fn test_private_key_from_der_pkcs1() {
+ Rsa::private_key_from_der(include_bytes!("../test/rsa.pkcs1.der")).unwrap();
+ }
+
+ #[test]
+ fn test_private_key_from_pem_password() {
 let key = include_bytes!("../test/rsa-encrypted.pem");
 Rsa::private_key_from_pem_passphrase(key, b"mypass").unwrap();
 }

 #[test]
- fn test_from_password_callback() {
+ fn test_private_key_from_pem_callback() {
 let mut password_queried = false;
 let key = include_bytes!("../test/rsa-encrypted.pem");
 Rsa::private_key_from_pem_callback(key, |password| {
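Review bot: `test_private_key_from_der` and `test_private_key_from_der_pkcs1` appear to parse identical bytes: the binary sections later in this patch add `openssl/test/rsa.der` and `openssl/test/rsa.pkcs1.der` with the same blob id (`500c05fafcad…`) and the same 1191-byte size. The PKCS#8 DER counterpart of `rsa.pem` that the new naming scheme implies is therefore never fed to the parser, and one of the two tests is redundant. Either regenerate `rsa.der` as the PKCS#8 encoding and assert what `Rsa::private_key_from_der` is meant to do with it (success, or `is_err()` if the parser is PKCS#1-only), or drop the duplicate fixture and test. A blank line is also missing before the `#[test]` of `test_private_key_from_der`, and the body of `test_private_key_from_pem_callback` continues outside the hunk.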
@@ -707,8 +727,18 @@ mod test {
 }

 #[test]
- fn test_to_password() {
- let key = Rsa::generate(2048).unwrap();
+ fn test_private_key_to_pem() {
+ let key = Rsa::private_key_from_der(include_bytes!("../test/rsa.der")).unwrap();
+ let pem = key.private_key_to_pem().unwrap();
+ assert_eq!(
+ from_utf8(&pem).unwrap(),
+ include_str!("../test/rsa.pkcs1.pem").replace("\r\n", "\n")
+ );
+ }
+
+ #[test]
+ fn test_private_key_to_pem_password() {
+ let key = Rsa::private_key_from_der(include_bytes!("../test/rsa.der")).unwrap();
 let pem = key
 .private_key_to_pem_passphrase(Cipher::aes_128_cbc(), b"foobar")
 .unwrap();
@@ -716,9 +746,16 @@ mod test {
 assert!(Rsa::private_key_from_pem_passphrase(&pem, b"fizzbuzz").is_err());
 }

+ #[test]
+ fn test_private_key_to_der_pkcs1() {
+ let key = super::Rsa::private_key_from_pem(include_bytes!("../test/rsa.pem")).unwrap();
+ let der = key.private_key_to_der().unwrap();
+ assert_eq!(der, include_bytes!("../test/rsa.pkcs1.der"));
+ }
+
 #[test]
 fn test_public_encrypt_private_decrypt_with_padding() {
- let key = include_bytes!("../test/rsa.pem.pub");
+ let key = include_bytes!("../test/rsa.pub.pem");
 let public_key = Rsa::public_key_from_pem(key).unwrap();

 let mut result = vec![0; public_key.size() as usize];
@@ -780,25 +817,48 @@ mod test {
 }

 #[test]
- #[should_panic]
 fn test_public_key_from_pem_pkcs1_file_panic() {
 let key = include_bytes!("../test/key.pem.pub");
- Rsa::public_key_from_pem_pkcs1(key).unwrap();
+ assert!(Rsa::public_key_from_pem_pkcs1(key).is_err());
 }

 #[test]
 fn test_public_key_to_pem_pkcs1() {
- let keypair = super::Rsa::generate(512).unwrap();
+ let keypair = super::Rsa::private_key_from_der(include_bytes!("../test/rsa.der")).unwrap();
 let pubkey_pem = keypair.public_key_to_pem_pkcs1().unwrap();
- super::Rsa::public_key_from_pem_pkcs1(&pubkey_pem).unwrap();
+ assert_eq!(
+ from_utf8(&pubkey_pem).unwrap(),
+ include_str!("../test/rsa.pub.pkcs1.pem").replace("\r\n", "\n")
+ );
 }

 #[test]
- #[should_panic]
- fn test_public_key_from_pem_pkcs1_generate_panic() {
- let keypair = super::Rsa::generate(512).unwrap();
+ fn test_public_key_to_pem() {
+ let keypair = super::Rsa::private_key_from_der(include_bytes!("../test/rsa.der")).unwrap();
 let pubkey_pem = keypair.public_key_to_pem().unwrap();
- super::Rsa::public_key_from_pem_pkcs1(&pubkey_pem).unwrap();
+ assert_eq!(
+ from_utf8(&pubkey_pem).unwrap(),
+ include_str!("../test/rsa.pub.pem").replace("\r\n", "\n")
+ );
+ }
+
+ #[test]
+ fn test_public_key_to_der() {
+ let keypair = super::Rsa::private_key_from_pem(include_bytes!("../test/rsa.pem")).unwrap();
+ let pubkey_der = keypair.public_key_to_der().unwrap();
+ assert_eq!(pubkey_der, include_bytes!("../test/rsa.pub.der"));
+ }
+
+ #[test]
+ fn test_public_key_to_der_pkcs1() {
+ let keypair = super::Rsa::private_key_from_pem(include_bytes!("../test/rsa.pem")).unwrap();
+ let pubkey_der = keypair.public_key_to_der_pkcs1().unwrap();
+ assert_eq!(pubkey_der, include_bytes!("../test/rsa.pub.pkcs1.der"));
+ }
+
+ #[test]
+ fn test_public_key_from_pem_pkcs1_generate_panic() {
+ assert!(Rsa::public_key_from_der_pkcs1(include_bytes!("../test/rsa.pub.der")).is_err());
 }

 #[test]
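Review bot: `test_public_key_from_pem_pkcs1_generate_panic` keeps its old name but now generates nothing, expects no panic and does not touch PEM: it asserts that `Rsa::public_key_from_der_pkcs1` rejects `rsa.pub.der` (presumably the SubjectPublicKeyInfo encoding, as it is 24 bytes larger than `rsa.pub.pkcs1.der`). Naming it for what it pins, e.g. `fn test_public_key_from_der_pkcs1_rejects_spki()`, and dropping the `_panic` suffix from `test_public_key_from_pem_pkcs1_file_panic` now that `#[should_panic]` is gone, would keep the negative tests discoverable. The removed body also checked that `public_key_to_pem()` output is refused by the PKCS#1 PEM parser; `assert!(Rsa::public_key_from_pem_pkcs1(include_bytes!("../test/rsa.pub.pem")).is_err());` would keep that rejection tied to the fixtures this patch introduces. The last `#[test]` in the hunk belongs to a function outside it.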
diff --git a/openssl/test/rsa.der b/openssl/test/rsa.der new file mode 100644 index 0000000000000000000000000000000000000000..500c05fafcad453788d4e3d594a75426771b2cd6 GIT binary patch literal 1191 zcmV;Y1X%kpf&`-i0RRGm0RaG^_!bJ{{dU0|5X50)hbm60UKiY0U~N!+uh1MF3YH9bt7HWa&w8dtzA+ zoeQOWmOMZnKhG~L)4lA7z}w7f#Jlx@?DZg^iarU zl6h$7b2RipPj#nI;W<=pI*N0h0)c@5;2gvd>qw?$T~tO*3Z%Pjpty3kbf&4%AO1)O zc<|k~F&ci5F8Rc@_f&Q!E2tN2vsroY6gMgwC@JIzC=Mmk(ZB>Tyr}}m3gp|R6gW$GTLinK7=RdO9aPS#N0)c@5 zxdX(036-`o^iwRc^TC-EU0*us$KUSUdXlEJeksNqLZEu7T4elS37N&GupR-xjJ7PN zR#JPs#b9{*3#+B=INmJ>nGg0b53a52Yy+B?zaCJ2PH;f_c-w+k$gvXbURlG<2`}Z; z<+T!Z)DnRQDqeVAy7SuOaFPQPKT%oN0)c=B0-slKB&(my6_CYbDc1W8<@g||^L40Z z`O8B9lXyG)yE$$}Ddz7|H$WoYhPs5=?^u%??#0kwr9aOjwlnxsik|IJ=z9rxFr%Mc zl9PMp0!vlfHuvDboy)f=bvS=vTKl%kHoL3mc|0ov&Z}nIxiPx+3svlz`7s>;9b%0F zfq?*r|9bjjwMYKomK!dc&0S|0)18c`J+^5dIGK&-hjDf+U8an}L!~%77HhIS#c=3H z2FidQ_4c~vBWen-qjwIERMDu~9AAwnnec)$9or9Fk3IkTOpTWiE86}DDiMvQV>yV3 z4og*8oaTD+Zoj3n!AhOyvc%n%tKHJlB20Axfq)^0dkk}-t!wd<1JJP(Hniv~jkha) z`%oq-UHCa%$0csK&ul=qV2xQeqb<4@K_;aq1}?3PqXqkZ7k@yMH_6<&agNv^7`*Qf zcOas~b@|&S+73Lm7SM$2B^Qo@ja;kLo3j=gz!)E=_#x;HdeeC}`IInJtqCb1?krg@ FLv^ygK$-vm literal 0 HcmV?d00001 diff --git a/openssl/test/rsa.pem b/openssl/test/rsa.pem index d8185fed66..7c0f6fd1e2 100644 --- a/openssl/test/rsa.pem +++ b/openssl/test/rsa.pem 
@@ -1,27 +1,28 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAofgWCuLjybRlzo0tZWJjNiuSfb4p4fAkd/wWJcyQoTbji9k0 -l8W26mPddxHmfHQp+Vaw+4qPCJrcS2mJPMEzP1Pt0Bm4d4QlL+yRT+SFd2lZS+pC -gNMsD1W/YpRPEwOWvG6b32690r2jZ47soMZo9wGzjb/7OMg0LOL+bSf63kpaSHSX -ndS5z5rexMdbBYUsLA9e+KXBdQOS+UTo7WTBEMa2R2CapHg665xsmtdVMTBQY4uD -Zlxvb3qCo5ZwKh9kG4LT6/I5IhlJH7aGhyxXFvUK+DWNmoudF8NAco9/h9iaGNj8 -q2ethFkMLs91kzk2PAcDTW9gb54h4FRWyuXpoQIDAQABAoIBABKucaRpzQorw35S -bEUAVx8dYXUdZOlJcHtiWQ+dC6V8ljxAHj/PLyzTveyI5QO/xkObCyjIL303l2cf -UhPu2MFaJdjVzqACXuOrLot/eSFvxjvqVidTtAZExqFRJ9mylUVAoLvhowVWmC1O -n95fZCXxTUtxNEG1Xcc7m0rtzJKs45J+N/V9DP1edYH6USyPSWGp6wuA+KgHRnKK -Vf9GRx80JQY7nVNkL17eHoTWEwga+lwi0FEoW9Y7lDtWXYmKBWhUE+U8PGxlJf8f -40493HDw1WRQ/aSLoS4QTp3rn7gYgeHEvfJdkkf0UMhlknlo53M09EFPdadQ4TlU -bjqKc50CgYEA4BzEEOtIpmVdVEZNCqS7baC4crd0pqnRH/5IB3jw3bcxGn6QLvnE -tfdUdiYrqBdss1l58BQ3KhooKeQTa9AB0Hw/Py5PJdTJNPY8cQn7ouZ2KKDcmnPG -BY5t7yLc1QlQ5xHdwW1VhvKn+nXqhJTBgIPgtldC+KDV5z+y2XDwGUcCgYEAuQPE -fgmVtjL0Uyyx88GZFF1fOunH3+7cepKmtH4pxhtCoHqpWmT8YAmZxaewHgHAjLYs -p1ZSe7zFYHj7C6ul7TjeLQeZD/YwD66t62wDmpe/HlB+TnBA+njbglfIsRLtXlnD -zQkv5dTltRJ11BKBBypeeF6689rjcJIDEz9RWdcCgYAHAp9XcCSrn8wVkMVkKdb7 -DOX4IKjzdahm+ctDAJN4O/y7OW5FKebvUjdAIt2GuoTZ71iTG+7F0F+lP88jtjP4 -U4qe7VHoewl4MKOfXZKTe+YCS1XbNvfgwJ3Ltyl1OH9hWvu2yza7q+d5PCsDzqtm -27kxuvULVeya+TEdAB1ijQKBgQCH/3r6YrVH/uCWGy6bzV1nGNOdjKc9tmkfOJmN -54dxdixdpozCQ6U4OxZrsj3FcOhHBsqAHvX2uuYjagqvo3cOj1TRqNocX40omfCC -Mx3bD1yPPf/6TI2XECva/ggqEY2mYzmIiA5LVVmc5nrybr+lssFKneeyxN2Wq93S -0iJMdQKBgCGHewxzoa1r8ZMD0LETNrToK423K377UCYqXfg5XMclbrjPbEC3YI1Z -NqMtuhdBJqUnBi6tjKMF+34Xf0CUN8ncuXGO2CAYvO8PdyCixHX52ybaDjy1FtCE -6yUXjoKNXKvUm7MWGsAYH6f4IegOetN5NvmUMFStCSkh7ixZLkN1 ------END RSA PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCh+BYK4uPJtGXO +jS1lYmM2K5J9vinh8CR3/BYlzJChNuOL2TSXxbbqY913EeZ8dCn5VrD7io8ImtxL +aYk8wTM/U+3QGbh3hCUv7JFP5IV3aVlL6kKA0ywPVb9ilE8TA5a8bpvfbr3SvaNn 
+juygxmj3AbONv/s4yDQs4v5tJ/reSlpIdJed1LnPmt7Ex1sFhSwsD174pcF1A5L5 +ROjtZMEQxrZHYJqkeDrrnGya11UxMFBji4NmXG9veoKjlnAqH2QbgtPr8jkiGUkf +toaHLFcW9Qr4NY2ai50Xw0Byj3+H2JoY2PyrZ62EWQwuz3WTOTY8BwNNb2BvniHg +VFbK5emhAgMBAAECggEAEq5xpGnNCivDflJsRQBXHx1hdR1k6Ulwe2JZD50LpXyW +PEAeP88vLNO97IjlA7/GQ5sLKMgvfTeXZx9SE+7YwVol2NXOoAJe46sui395IW/G +O+pWJ1O0BkTGoVEn2bKVRUCgu+GjBVaYLU6f3l9kJfFNS3E0QbVdxzubSu3Mkqzj +kn439X0M/V51gfpRLI9JYanrC4D4qAdGcopV/0ZHHzQlBjudU2QvXt4ehNYTCBr6 +XCLQUShb1juUO1ZdiYoFaFQT5Tw8bGUl/x/jTj3ccPDVZFD9pIuhLhBOneufuBiB +4cS98l2SR/RQyGWSeWjnczT0QU91p1DhOVRuOopznQKBgQDgHMQQ60imZV1URk0K +pLttoLhyt3SmqdEf/kgHePDdtzEafpAu+cS191R2JiuoF2yzWXnwFDcqGigp5BNr +0AHQfD8/Lk8l1Mk09jxxCfui5nYooNyac8YFjm3vItzVCVDnEd3BbVWG8qf6deqE +lMGAg+C2V0L4oNXnP7LZcPAZRwKBgQC5A8R+CZW2MvRTLLHzwZkUXV866cff7tx6 +kqa0finGG0KgeqlaZPxgCZnFp7AeAcCMtiynVlJ7vMVgePsLq6XtON4tB5kP9jAP +rq3rbAOal78eUH5OcED6eNuCV8ixEu1eWcPNCS/l1OW1EnXUEoEHKl54Xrrz2uNw +kgMTP1FZ1wKBgAcCn1dwJKufzBWQxWQp1vsM5fggqPN1qGb5y0MAk3g7/Ls5bkUp +5u9SN0Ai3Ya6hNnvWJMb7sXQX6U/zyO2M/hTip7tUeh7CXgwo59dkpN75gJLVds2 +9+DAncu3KXU4f2Fa+7bLNrur53k8KwPOq2bbuTG69QtV7Jr5MR0AHWKNAoGBAIf/ +evpitUf+4JYbLpvNXWcY052Mpz22aR84mY3nh3F2LF2mjMJDpTg7FmuyPcVw6EcG +yoAe9fa65iNqCq+jdw6PVNGo2hxfjSiZ8IIzHdsPXI89//pMjZcQK9r+CCoRjaZj +OYiIDktVWZzmevJuv6WywUqd57LE3Zar3dLSIkx1AoGAIYd7DHOhrWvxkwPQsRM2 +tOgrjbcrfvtQJipd+DlcxyVuuM9sQLdgjVk2oy26F0EmpScGLq2MowX7fhd/QJQ3 +ydy5cY7YIBi87w93IKLEdfnbJtoOPLUW0ITrJReOgo1cq9SbsxYawBgfp/gh6A56 +03k2+ZQwVK0JKSHuLFkuQ3U= +-----END PRIVATE KEY----- 
diff --git a/openssl/test/rsa.pkcs1.der b/openssl/test/rsa.pkcs1.der new file mode 100644 index 0000000000000000000000000000000000000000..500c05fafcad453788d4e3d594a75426771b2cd6 GIT binary patch literal 1191 zcmV;Y1X%kpf&`-i0RRGm0RaG^_!bJ{{dU0|5X50)hbm60UKiY0U~N!+uh1MF3YH9bt7HWa&w8dtzA+ zoeQOWmOMZnKhG~L)4lA7z}w7f#Jlx@?DZg^iarU zl6h$7b2RipPj#nI;W<=pI*N0h0)c@5;2gvd>qw?$T~tO*3Z%Pjpty3kbf&4%AO1)O zc<|k~F&ci5F8Rc@_f&Q!E2tN2vsroY6gMgwC@JIzC=Mmk(ZB>Tyr}}m3gp|R6gW$GTLinK7=RdO9aPS#N0)c@5 zxdX(036-`o^iwRc^TC-EU0*us$KUSUdXlEJeksNqLZEu7T4elS37N&GupR-xjJ7PN zR#JPs#b9{*3#+B=INmJ>nGg0b53a52Yy+B?zaCJ2PH;f_c-w+k$gvXbURlG<2`}Z; z<+T!Z)DnRQDqeVAy7SuOaFPQPKT%oN0)c=B0-slKB&(my6_CYbDc1W8<@g||^L40Z z`O8B9lXyG)yE$$}Ddz7|H$WoYhPs5=?^u%??#0kwr9aOjwlnxsik|IJ=z9rxFr%Mc zl9PMp0!vlfHuvDboy)f=bvS=vTKl%kHoL3mc|0ov&Z}nIxiPx+3svlz`7s>;9b%0F zfq?*r|9bjjwMYKomK!dc&0S|0)18c`J+^5dIGK&-hjDf+U8an}L!~%77HhIS#c=3H z2FidQ_4c~vBWen-qjwIERMDu~9AAwnnec)$9or9Fk3IkTOpTWiE86}DDiMvQV>yV3 z4og*8oaTD+Zoj3n!AhOyvc%n%tKHJlB20Axfq)^0dkk}-t!wd<1JJP(Hniv~jkha) z`%oq-UHCa%$0csK&ul=qV2xQeqb<4@K_;aq1}?3PqXqkZ7k@yMH_6<&agNv^7`*Qf zcOas~b@|&S+73Lm7SM$2B^Qo@ja;kLo3j=gz!)E=_#x;HdeeC}`IInJtqCb1?krg@ FLv^ygK$-vm literal 0 HcmV?d00001 diff --git a/openssl/test/rsa.pkcs1.pem b/openssl/test/rsa.pkcs1.pem new file mode 100644 index 0000000000..d8185fed66 --- /dev/null +++ b/openssl/test/rsa.pkcs1.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAofgWCuLjybRlzo0tZWJjNiuSfb4p4fAkd/wWJcyQoTbji9k0 +l8W26mPddxHmfHQp+Vaw+4qPCJrcS2mJPMEzP1Pt0Bm4d4QlL+yRT+SFd2lZS+pC +gNMsD1W/YpRPEwOWvG6b32690r2jZ47soMZo9wGzjb/7OMg0LOL+bSf63kpaSHSX +ndS5z5rexMdbBYUsLA9e+KXBdQOS+UTo7WTBEMa2R2CapHg665xsmtdVMTBQY4uD +Zlxvb3qCo5ZwKh9kG4LT6/I5IhlJH7aGhyxXFvUK+DWNmoudF8NAco9/h9iaGNj8 +q2ethFkMLs91kzk2PAcDTW9gb54h4FRWyuXpoQIDAQABAoIBABKucaRpzQorw35S +bEUAVx8dYXUdZOlJcHtiWQ+dC6V8ljxAHj/PLyzTveyI5QO/xkObCyjIL303l2cf +UhPu2MFaJdjVzqACXuOrLot/eSFvxjvqVidTtAZExqFRJ9mylUVAoLvhowVWmC1O +n95fZCXxTUtxNEG1Xcc7m0rtzJKs45J+N/V9DP1edYH6USyPSWGp6wuA+KgHRnKK +Vf9GRx80JQY7nVNkL17eHoTWEwga+lwi0FEoW9Y7lDtWXYmKBWhUE+U8PGxlJf8f +40493HDw1WRQ/aSLoS4QTp3rn7gYgeHEvfJdkkf0UMhlknlo53M09EFPdadQ4TlU +bjqKc50CgYEA4BzEEOtIpmVdVEZNCqS7baC4crd0pqnRH/5IB3jw3bcxGn6QLvnE +tfdUdiYrqBdss1l58BQ3KhooKeQTa9AB0Hw/Py5PJdTJNPY8cQn7ouZ2KKDcmnPG +BY5t7yLc1QlQ5xHdwW1VhvKn+nXqhJTBgIPgtldC+KDV5z+y2XDwGUcCgYEAuQPE +fgmVtjL0Uyyx88GZFF1fOunH3+7cepKmtH4pxhtCoHqpWmT8YAmZxaewHgHAjLYs +p1ZSe7zFYHj7C6ul7TjeLQeZD/YwD66t62wDmpe/HlB+TnBA+njbglfIsRLtXlnD +zQkv5dTltRJ11BKBBypeeF6689rjcJIDEz9RWdcCgYAHAp9XcCSrn8wVkMVkKdb7 +DOX4IKjzdahm+ctDAJN4O/y7OW5FKebvUjdAIt2GuoTZ71iTG+7F0F+lP88jtjP4 +U4qe7VHoewl4MKOfXZKTe+YCS1XbNvfgwJ3Ltyl1OH9hWvu2yza7q+d5PCsDzqtm +27kxuvULVeya+TEdAB1ijQKBgQCH/3r6YrVH/uCWGy6bzV1nGNOdjKc9tmkfOJmN +54dxdixdpozCQ6U4OxZrsj3FcOhHBsqAHvX2uuYjagqvo3cOj1TRqNocX40omfCC +Mx3bD1yPPf/6TI2XECva/ggqEY2mYzmIiA5LVVmc5nrybr+lssFKneeyxN2Wq93S +0iJMdQKBgCGHewxzoa1r8ZMD0LETNrToK423K377UCYqXfg5XMclbrjPbEC3YI1Z +NqMtuhdBJqUnBi6tjKMF+34Xf0CUN8ncuXGO2CAYvO8PdyCixHX52ybaDjy1FtCE +6yUXjoKNXKvUm7MWGsAYH6f4IegOetN5NvmUMFStCSkh7ixZLkN1 +-----END RSA PRIVATE KEY----- 
diff --git a/openssl/test/rsa.pub.der b/openssl/test/rsa.pub.der new file mode 100644 index 0000000000000000000000000000000000000000..242d20b48f675892c17da3509c084e6987c67994 GIT binary patch literal 294 zcmV+>0ondAf&n5h4F(A+hDe6@4FLfG1potr0S^E$f&mHwf&l>lq4*XG;^WD*WzLN) zWnyDCE0TS_DdF%Wcl;J5%#firSxf3dfYU4wRlj1CPZI-{yl$J{ZoSgIqi2rnpvGwT0ke(2 z`#8unEaLucC;Hw>T1a%4oz%I{n%>06TLpzIEDv7zrNMOrlKDjF?PS3a#zr(w*HtkvP-BaOW?XM?dV-^ta4H{U8-mm8@;M?INguX`hb&hX^$Pekjhc&{7sEhu skAH{Qni$ypt7ol*Sqv`Eb(1+ZJO=|!Z(whpA>dS2%H`>y0s{d60ej7dRR910 literal 0 HcmV?d00001 diff --git a/openssl/test/rsa.pem.pub b/openssl/test/rsa.pub.pem similarity index 100% rename from openssl/test/rsa.pem.pub rename to openssl/test/rsa.pub.pem diff --git a/openssl/test/rsa.pub.pkcs1.der b/openssl/test/rsa.pub.pkcs1.der new file mode 100644 index 0000000000000000000000000000000000000000..e8026cdaa549ee0d08cc7c8f86bc83d4d719f924 GIT binary patch literal 270 zcmV+p0rCDYf&mHwf&l>lq4*XG;^WD*WzLN)WnyDCE0TS_DdF%Wcl;J5%#firSxf3dfYU4w zRlj1CPZI-{yl$J{ZoSgIqi2rnpvGwT0ke(2`#8unEaLucC;Hw>T1a%4oz%I{n%>06 zTLpzIEDv7zrNMOrlKDjF?PS3a#zr(w*HtkvP-BaOW?XM?dV-^ta4H{U z8-mm8@;M?INguX`hb&hX^$Pekjhc&{7sEhukAH{Qni$ypt7ol*Sqv`Eb(1+ZJO=|! UZ(whpA>dS2%H`>y0s{d60mDy&6#xJL literal 0 HcmV?d00001 diff --git a/openssl/test/rsa.pub.pkcs1.pem b/openssl/test/rsa.pub.pkcs1.pem new file mode 100644 index 0000000000..864ee0c537 --- /dev/null +++ b/openssl/test/rsa.pub.pkcs1.pem @@ -0,0 +1,8 @@ +-----BEGIN RSA PUBLIC KEY----- +MIIBCgKCAQEAofgWCuLjybRlzo0tZWJjNiuSfb4p4fAkd/wWJcyQoTbji9k0l8W2 +6mPddxHmfHQp+Vaw+4qPCJrcS2mJPMEzP1Pt0Bm4d4QlL+yRT+SFd2lZS+pCgNMs +D1W/YpRPEwOWvG6b32690r2jZ47soMZo9wGzjb/7OMg0LOL+bSf63kpaSHSXndS5 +z5rexMdbBYUsLA9e+KXBdQOS+UTo7WTBEMa2R2CapHg665xsmtdVMTBQY4uDZlxv +b3qCo5ZwKh9kG4LT6/I5IhlJH7aGhyxXFvUK+DWNmoudF8NAco9/h9iaGNj8q2et +hFkMLs91kzk2PAcDTW9gb54h4FRWyuXpoQIDAQAB +-----END RSA PUBLIC KEY----- From 72a2c10791fa818c7028e07f31de94665be2bfb1 Mon Sep 17 00:00:00 2001 
From: Huw Jones Date: Wed, 20 Aug 2025 12:32:33 +0100 Subject: [PATCH 2/3] ec: add coverage of de-/serialisation methods --- openssl/src/ec.rs | 81 ++++++++++++++++++++++++++++++++++ openssl/test/ec-encrypted.pem | 8 ++++ openssl/test/ec.der | Bin 0 -> 121 bytes openssl/test/ec.pem | 5 +++ openssl/test/ec.pub.der | Bin 0 -> 91 bytes openssl/test/ec.pub.pem | 4 ++ openssl/test/ec.trad.pem | 5 +++ 7 files changed, 103 insertions(+) create mode 100644 openssl/test/ec-encrypted.pem create mode 100644 openssl/test/ec.der create mode 100644 openssl/test/ec.pem create mode 100644 openssl/test/ec.pub.der create mode 100644 openssl/test/ec.pub.pem create mode 100644 openssl/test/ec.trad.pem diff --git a/openssl/src/ec.rs b/openssl/src/ec.rs index 30a9f26ea3..a4d2de4288 100644 --- a/openssl/src/ec.rs +++ b/openssl/src/ec.rs 
@@ -1026,10 +1026,91 @@ impl fmt::Debug for EcKey { #[cfg(test)] mod test { use hex::FromHex; + use std::str::from_utf8; use super::*; use crate::bn::{BigNum, BigNumContext}; use crate::nid::Nid; + use crate::symm::Cipher; + + #[test] + fn test_private_key_from_pem() { + EcKey::private_key_from_pem(include_bytes!("../test/ec.pem")).unwrap(); + } + + #[test] + fn test_private_key_from_pem_trad() { + EcKey::private_key_from_pem(include_bytes!("../test/ec.trad.pem")).unwrap(); + } + + #[test] + fn test_private_key_from_pem_password() { + let key = include_bytes!("../test/ec-encrypted.pem"); + EcKey::private_key_from_pem_passphrase(key, b"mypass").unwrap(); + } + + #[test] + fn test_private_key_from_pem_callback() { + let mut password_queried = false; + let key = include_bytes!("../test/ec-encrypted.pem"); + EcKey::private_key_from_pem_callback(key, |password| { + password_queried = true; + password[..6].copy_from_slice(b"mypass"); + Ok(6) + }) + .unwrap(); + + assert!(password_queried); + } + + #[test] + fn test_private_key_from_der() { + EcKey::private_key_from_der(include_bytes!("../test/ec.der")).unwrap(); + } + + #[test] + fn test_private_key_to_pem() { + let key = EcKey::private_key_from_pem(include_bytes!("../test/ec.pem")).unwrap(); + let pem = key.private_key_to_pem().unwrap(); + assert_eq!( + from_utf8(&pem).unwrap(), + include_str!("../test/ec.trad.pem").replace("\r\n", "\n") + ); + } + + #[test] + fn test_private_key_to_pem_password() { + let key = EcKey::private_key_from_pem(include_bytes!("../test/ec.pem")).unwrap(); + let pem = key + .private_key_to_pem_passphrase(Cipher::aes_128_cbc(), b"foobar") + .unwrap(); + EcKey::private_key_from_pem_passphrase(&pem, b"foobar").unwrap(); + assert!(EcKey::private_key_from_pem_passphrase(&pem, b"fizzbuzz").is_err()); + } + + #[test] + fn test_private_key_to_der() { + let key = EcKey::private_key_from_pem(include_bytes!("../test/ec.pem")).unwrap(); + let der = key.private_key_to_der().unwrap(); + assert_eq!(der, 
include_bytes!("../test/ec.der")); + } + + #[test] + fn test_public_key_to_pem() { + let keypair = EcKey::private_key_from_pem(include_bytes!("../test/ec.pem")).unwrap(); + let pubkey_pem = keypair.public_key_to_pem().unwrap(); + assert_eq!( + from_utf8(&pubkey_pem).unwrap(), + include_str!("../test/ec.pub.pem").replace("\r\n", "\n") + ); + } + + #[test] + fn test_public_key_to_der() { + let keypair = EcKey::private_key_from_pem(include_bytes!("../test/ec.pem")).unwrap(); + let pubkey_der = keypair.public_key_to_der().unwrap(); + assert_eq!(pubkey_der, include_bytes!("../test/ec.pub.der")); + } #[test] fn key_new_by_curve_name() { diff --git a/openssl/test/ec-encrypted.pem b/openssl/test/ec-encrypted.pem new file mode 100644 index 0000000000..09fb1c456d --- /dev/null +++ b/openssl/test/ec-encrypted.pem @@ -0,0 +1,8 @@ +-----BEGIN EC PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,0CE431CD7484C8C28D0D45E4A1B66BC5 + +PwoYZlzNjwHZmo3rFTXBeIx/LVow/2MLcZiTW1xmrK62CJYkwum3HooRHTTuTnea +r89nGbVqndEIUauZj9/b3z+vaGDisp5cIvqizoQdHwlg7ymDcCdA16kNIu57avV4 +wXqC9DbpPeXbv++J4u7oYpjBiOKeysxwecKrJt1PVIo= +-----END EC PRIVATE KEY----- diff --git a/openssl/test/ec.der b/openssl/test/ec.der new file mode 100644 index 0000000000000000000000000000000000000000..d81691326bdca90e80176afda1e1c0cd5b924a1b GIT binary patch literal 121 zcmV-<0EYiCcLD(c1R%}|V!zJ_v-2V|os104?XML|KU~p$>5P8KngUdI^#Gs>1_&yK zNX|V20SBQ(13~}<&TL+~*9mnYFw+fv(Cv_(`ImYq>;dj#US{uq>H~#i` literal 0 HcmV?d00001 diff --git a/openssl/test/ec.pem b/openssl/test/ec.pem new file mode 100644 index 0000000000..9328c454d8 --- /dev/null +++ b/openssl/test/ec.pem @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgzgpiv88Is/MiM52M +DM3trxVKP1zRfemMfsmaAlR29QChRANCAATObF661wl1ITDTDX3Q7ZCe+Zd6KOwB +7mJeZu9/6gOIosLO8QDwVOQSXKXvaeE+cZq9Hi8J3XccSe3uQl0JZ1sb +-----END PRIVATE KEY----- 
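Review bot: Nothing in this hunk parses the `ec.pub.pem` and `ec.pub.der` fixtures that the commit adds; they are used only as expected output, so the EC public-key deserialisation path stays unpinned while the DSA patch in this series tests both directions. Two small tests, `EcKey::public_key_from_pem(include_bytes!("../test/ec.pub.pem")).unwrap();` and `EcKey::public_key_from_der(include_bytes!("../test/ec.pub.der")).unwrap();`, would close that. Separately, `ec.pem` carries a `BEGIN PRIVATE KEY` header and the traditional PEM is named `ec.trad.pem`, yet `private_key_to_der()` output is compared with plain `ec.der`; if that 121-byte file is the traditional encoding, `ec.trad.der` would match the naming scheme and leave room for a PKCS#8 DER fixture. `key_new_by_curve_name` at the end of the hunk continues outside it.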
diff --git a/openssl/test/ec.pub.der b/openssl/test/ec.pub.der new file mode 100644 index 0000000000000000000000000000000000000000..acc2b435f5578f1c7fa2a219c70b1d29176ffed8 GIT binary patch literal 91 zcmXqrG!SNE*J|@PXUoLM#sOw9GqN)~F|eG=iQ9FZvsBUGGH>mLw-e_5oL;5zhVfle uT-y8kSIixY4xRhR@FC=hP|VWznGfv>XYG~K=e%1k Date: Wed, 20 Aug 2025 13:46:40 +0100 Subject: [PATCH 3/3] dsa: improve coverage of de-/serialisation methods --- openssl/src/dsa.rs | 61 ++++++++++++++++++++++ openssl/test/dsa.pub.der | Bin 0 -> 443 bytes openssl/test/{dsa.pem.pub => dsa.pub.pem} | 0 3 files changed, 61 insertions(+) create mode 100644 openssl/test/dsa.pub.der rename openssl/test/{dsa.pem.pub => dsa.pub.pem} (100%) diff --git a/openssl/src/dsa.rs b/openssl/src/dsa.rs index 621dcb9438..fbb2b077c6 100644 --- a/openssl/src/dsa.rs +++ b/openssl/src/dsa.rs @@ -539,6 +539,8 @@ mod test { use crate::pkey::PKey; #[cfg(not(any(boringssl, awslc_fips)))] use crate::sign::{Signer, Verifier}; + use crate::symm::Cipher; + use std::str::from_utf8; #[test] pub fn test_generate() { 
@@ -694,4 +696,63 @@ mod test {
 let s = format!("{:?}", sig);
 assert_eq!(s, "DsaSig { r: 774484690634577222213819810519929266740561094381, s: 910998676210681457251421818099943952372231273347 }");
 }
+
+ #[test]
+ fn test_private_key_to_pem() {
+ let key = Dsa::generate(512).unwrap();
+ let pem = key.private_key_to_pem().unwrap();
+ let pem_str = from_utf8(&pem).unwrap();
+ assert!(
+ pem_str.contains("-----BEGIN DSA PRIVATE KEY-----"),
+ "{pem_str}"
+ );
+ }
+
+ #[test]
+ fn test_private_key_to_pem_password() {
+ let key = Dsa::generate(512).unwrap();
+ let pem = key
+ .private_key_to_pem_passphrase(Cipher::aes_128_cbc(), b"foobar")
+ .unwrap();
+ let pem_str = from_utf8(&pem).unwrap();
+ assert!(
+ pem_str.contains("-----BEGIN DSA PRIVATE KEY-----"),
+ "{pem_str}"
+ );
+ assert!(pem_str.contains("ENCRYPTED"), "{pem_str}");
+ assert!(pem_str.contains("AES-128-CBC"), "{pem_str}");
+ }
+
+ #[test]
+ fn test_private_key_to_der() {
+ let key = Dsa::generate(512).unwrap();
+ key.private_key_to_der().unwrap();
+ }
+
+ #[test]
+ fn test_public_key_from_pem() {
+ Dsa::public_key_from_pem(include_bytes!("../test/dsa.pub.pem")).unwrap();
+ }
+
+ #[test]
+ fn test_public_key_from_der() {
+ Dsa::public_key_from_der(include_bytes!("../test/dsa.pub.der")).unwrap();
+ }
+
+ #[test]
+ fn test_public_key_to_pem() {
+ let key = Dsa::public_key_from_der(include_bytes!("../test/dsa.pub.der")).unwrap();
+ let pem = key.public_key_to_pem().unwrap();
+ assert_eq!(
+ from_utf8(&pem).unwrap(),
+ include_str!("../test/dsa.pub.pem").replace("\r\n", "\n")
+ );
+ }
+
+ #[test]
+ fn test_public_key_to_der() {
+ let key = Dsa::public_key_from_pem(include_bytes!("../test/dsa.pub.pem")).unwrap();
+ let der = key.public_key_to_der().unwrap();
+ assert_eq!(der, include_bytes!("../test/dsa.pub.der"));
+ }
 }
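Review bot: `test_private_key_to_pem_password` only searches the output for the `ENCRYPTED` and `AES-128-CBC` header strings and never decrypts it, so a regression that writes a plausible header over unusable or wrongly keyed ciphertext would still pass. The RSA and EC tests in this series round-trip the PEM and reject a wrong passphrase; if `Dsa` exposes the same loader, add `Dsa::private_key_from_pem_passphrase(&pem, b"foobar").unwrap();` and `assert!(Dsa::private_key_from_pem_passphrase(&pem, b"fizzbuzz").is_err());`. The three private-key tests also call `Dsa::generate(512)`, the pattern patch 1 replaced for RSA: the output cannot be compared with a known-good file, `test_private_key_to_der` asserts nothing about the bytes, and a 512-bit parameter size may be refused by stricter builds or providers. Loading a checked-in DSA private-key fixture (none is added in this patch) would make these tests deterministic and let them compare against known-good output as the public-key tests here do.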
diff --git a/openssl/test/dsa.pub.der b/openssl/test/dsa.pub.der new file mode 100644 index 0000000000000000000000000000000000000000..155ef84062fae20d49ebc8a63c90903a9e8231c0 GIT binary patch literal 443 zcmV;s0Yv^Vf&sTMf&nWA2P%e0&Nu`CFoFRd0)c@5q$%&?wStK?2A^n7)Sx^sbOWlZX@waouEMf8`rZb@ z_>0#c0u=y=5^tK{OOM;X`Op9yNgz(a|;gHInph=CgC5(mVhF literal 0 HcmV?d00001 diff --git a/openssl/test/dsa.pem.pub b/openssl/test/dsa.pub.pem similarity index 100% rename from openssl/test/dsa.pem.pub rename to openssl/test/dsa.pub.pem