Add more options to genrsa (#2770)

smittals2 · web-flow · commit 0cb5d6568577 · 2025-10-27T12:51:57.000-04:00
### Issues:
`CryptoAlg-3387`

### Description of changes: 
Added options: 
- passout
- des3
- aes 128, aes 192, aes 256


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
diff --git a/tool-openssl/genrsa.cc b/tool-openssl/genrsa.cc
@@ -18,6 +18,11 @@ static const char kKeyArgName[] = "key_size";
 static const argument_t kArguments[] = {
     {"-help", kBooleanArgument, "Display this summary"},
     {"-out", kOptionalArgument, "Output file to write the key to"},
+    {"-aes128", kBooleanArgument, "Encrypt the private key with AES-128-CBC"},
+    {"-aes192", kBooleanArgument, "Encrypt the private key with AES-192-CBC"},
+    {"-aes256", kBooleanArgument, "Encrypt the private key with AES-256-CBC"},
+    {"-des3", kBooleanArgument, "Encrypt the private key with DES3"},
+    {"-passout", kOptionalArgument, "Output file pass phrase source"},
     {"", kOptionalArgument, ""}};
 
 static void DisplayHelp(BIO *bio) {
@@ -105,10 +110,15 @@ bool genrsaTool(const args_list_t &args) {
   ordered_args::ordered_args_map_t parsed_args;
   args_list_t extra_args{};
   std::string out_path;
-  bool help = false;
+  bool help = false, aes128 = false, aes192 = false, aes256 = false, des3 = false;
+  bssl::UniquePtr<std::string> passout_arg(new std::string());
   bssl::UniquePtr<BIO> bio;
   bssl::UniquePtr<EVP_PKEY> pkey;
   unsigned KeySizeBits = 0;
+  const EVP_CIPHER *cipher = NULL;
+  const char *password = NULL;
+  int password_len = 0;
+  int cipher_count = 0;
 
   // Parse command line arguments
   if (!ordered_args::ParseOrderedKeyValueArguments(parsed_args, extra_args,
@@ -122,6 +132,11 @@ bool genrsaTool(const args_list_t &args) {
 
   ordered_args::GetBoolArgument(&help, "-help", parsed_args);
   ordered_args::GetString(&out_path, "-out", "", parsed_args);
+  ordered_args::GetBoolArgument(&aes128, "-aes128", parsed_args);
+  ordered_args::GetBoolArgument(&aes192, "-aes192", parsed_args);
+  ordered_args::GetBoolArgument(&aes256, "-aes256", parsed_args);
+  ordered_args::GetBoolArgument(&des3, "-des3", parsed_args);
+  ordered_args::GetString(passout_arg.get(), "-passout", "", parsed_args);
 
   // Parse and validate key size first (catches multiple key sizes)
   if (!ParseKeySize(extra_args, KeySizeBits)) {
@@ -146,6 +161,13 @@ bool genrsaTool(const args_list_t &args) {
     return true;  // Help display is a successful exit
   }
 
+  if (!passout_arg->empty()) {
+    if (!pass_util::ExtractPassword(passout_arg)) {
+      fprintf(stderr, "Error: Failed to extract password\n");
+      goto err;
+    }
+  }
+
   // Set up output BIO
   bio = CreateOutputBIO(out_path);
   if (!bio) {
@@ -159,9 +181,32 @@ bool genrsaTool(const args_list_t &args) {
     goto err;
   }
 
-  // Write the key
-  if (!PEM_write_bio_PrivateKey(bio.get(), pkey.get(), NULL, NULL, 0, NULL,
-                                NULL)) {
+  // Cipher selection and mutual exclusion validation
+  cipher_count = aes128 + aes192 + aes256 + des3;
+  if (cipher_count > 1) {
+    fprintf(stderr, "Error: Only one encryption cipher may be specified\n");
+    goto err;
+  }
+
+  if (aes128) {
+    cipher = EVP_get_cipherbyname("aes-128-cbc");
+  } else if (aes192) {
+    cipher = EVP_get_cipherbyname("aes-192-cbc");
+  } else if (aes256) {
+    cipher = EVP_get_cipherbyname("aes-256-cbc");
+  } else if (des3) {
+    cipher = EVP_get_cipherbyname("des-ede3-cbc");
+  } else {
+    cipher = NULL;
+  }
+
+  // Write the key with optional encryption
+  password = (!passout_arg->empty()) ? passout_arg->c_str() : NULL;
+  password_len = (!passout_arg->empty()) ? static_cast<int>(passout_arg->length()) : 0;
+  
+  if (!PEM_write_bio_PrivateKey(bio.get(), pkey.get(), cipher,
+                                (unsigned char*)password, password_len,
+                                NULL, NULL)) {
     goto err;
   }
 
diff --git a/tool-openssl/genrsa_test.cc b/tool-openssl/genrsa_test.cc
@@ -17,6 +17,18 @@
 
 const std::vector<unsigned> kStandardKeySizes = {1024, 2048, 3072, 4096};
 
+struct CipherTestCase {
+  const char* cipher_flag;    // "-aes128", "-des3", etc.
+  const char* cipher_name;    // "AES-128-CBC", "DES3-CBC", etc.
+};
+
+static const CipherTestCase kCipherTestCases[] = {
+  {"-des3", "DES3-CBC"},
+  {"-aes128", "AES-128-CBC"},
+  {"-aes192", "AES-192-CBC"},
+  {"-aes256", "AES-256-CBC"},
+};
+
 
 class GenRSATestBase : public ::testing::Test {
  protected:
@@ -63,7 +75,49 @@ class GenRSATestBase : public ::testing::Test {
       unsigned actual_bits = RSA_bits(rsa.get());
       if (actual_bits != expected_bits) {
         ADD_FAILURE() << "Key size mismatch. Expected: " << expected_bits
-                      << " bits, Got: " << actual_bits << " bits";
+                     << " bits, Got: " << actual_bits << " bits";
+        return false;
+      }
+    }
+
+    return true;
+  }
+
+  bool ValidateEncryptedKeyFile(const char *path, const char *password, unsigned expected_bits = 0) {
+    if (!path) {
+      ADD_FAILURE() << "Path parameter is null";
+      return false;
+    }
+
+    if (!password) {
+      ADD_FAILURE() << "Password parameter is null";
+      return false;
+    }
+
+    bssl::UniquePtr<BIO> bio(BIO_new_file(path, "rb"));
+    if (!bio) {
+      ADD_FAILURE() << "Failed to open encrypted key file: " << path;
+      return false;
+    }
+
+    bssl::UniquePtr<RSA> rsa(
+        PEM_read_bio_RSAPrivateKey(bio.get(), nullptr, nullptr, 
+                                  const_cast<char*>(password)));
+    if (!rsa) {
+      ADD_FAILURE() << "Failed to parse encrypted RSA key from PEM file";
+      return false;
+    }
+
+    if (RSA_check_key(rsa.get()) != 1) {
+      ADD_FAILURE() << "Encrypted RSA key failed consistency check";
+      return false;
+    }
+
+    if (expected_bits > 0) {
+      unsigned actual_bits = RSA_bits(rsa.get());
+      if (actual_bits != expected_bits) {
+        ADD_FAILURE() << "Key size mismatch. Expected: " << expected_bits
+                     << " bits, Got: " << actual_bits << " bits";
         return false;
       }
     }
@@ -100,6 +154,10 @@ class GenRSAParamTest : public GenRSATestBase,
                         public ::testing::WithParamInterface<unsigned> {};
 
 
+class GenRSACipherParamTest : public GenRSATestBase,
+                              public ::testing::WithParamInterface<CipherTestCase> {};
+
+
 TEST_P(GenRSAParamTest, GeneratesKeyFile) {
   unsigned key_size = GetParam();
   
@@ -151,6 +209,36 @@ TEST_P(GenRSAParamTest, OpenSSLCompatibility) {
 INSTANTIATE_TEST_SUITE_P(StandardKeySizes, GenRSAParamTest,
                          ::testing::ValuesIn(kStandardKeySizes));
 
+TEST_P(GenRSACipherParamTest, EncryptedKeyGeneration) {
+  const CipherTestCase& cipher_test = GetParam();
+  
+  args_list_t args{cipher_test.cipher_flag, "-passout", "pass:testpassword", "-out", out_path_tool, "2048"};
+  EXPECT_TRUE(genrsaTool(args)) << cipher_test.cipher_name << " encrypted key generation should work";
+  EXPECT_TRUE(ValidateEncryptedKeyFile(out_path_tool, "testpassword"))
+      << cipher_test.cipher_name << " encrypted key should be valid";
+}
+
+TEST_P(GenRSACipherParamTest, OpenSSLCompatibility) {
+  const CipherTestCase& cipher_test = GetParam();
+  
+  if (!HasCrossCompatibilityTools()) {
+    GTEST_SKIP() << "Skipping test: AWSLC_TOOL_PATH and/or OPENSSL_TOOL_PATH "
+                    "environment variables are not set";
+    return;
+  }
+
+  args_list_t args{cipher_test.cipher_flag, "-passout", "pass:testpassword", "-out", out_path_tool, "2048"};
+  EXPECT_TRUE(genrsaTool(args)) << "AWS-LC " << cipher_test.cipher_name << " key generation failed";
+
+  std::string verify_cmd = std::string(openssl_executable_path) + 
+                         " rsa -in " + out_path_tool + 
+                         " -passin pass:testpassword -check -noout";
+  EXPECT_EQ(system(verify_cmd.c_str()), 0) << "OpenSSL verification of AWS-LC " << cipher_test.cipher_name << " key failed";
+}
+
+INSTANTIATE_TEST_SUITE_P(AllCiphers, GenRSACipherParamTest,
+                         ::testing::ValuesIn(kCipherTestCases));
+
 TEST_F(GenRSATest, DefaultKeyGeneration) {
   args_list_t args{"-out", out_path_tool};
   EXPECT_TRUE(genrsaTool(args)) << "Default key generation failed";
@@ -210,17 +298,27 @@ TEST_F(GenRSATest, FileIOErrors) {
 }
 
 TEST_F(GenRSATest, ArgumentValidation) {
-  // Test missing key size (should use default)
-  {
-    args_list_t args{"-out", out_path_tool};
-    EXPECT_TRUE(genrsaTool(args)) << "Default key size should work";
-    EXPECT_TRUE(ValidateKeyFile(out_path_tool))
-        << "Default key should be valid";
-  }
-
   // Test help takes precedence
   {
     args_list_t args{"-help", "-out", out_path_tool, "2048"};
     EXPECT_TRUE(genrsaTool(args)) << "Help should work even with other args";
   }
 }
+
+TEST_F(GenRSATest, CipherMutualExclusionValidation) {
+  // Test that multiple cipher options are rejected
+  {
+    args_list_t args{"-aes128", "-aes256", "-passout", "pass:testpassword", "-out", out_path_tool, "2048"};
+    EXPECT_FALSE(genrsaTool(args)) << "Command should fail with multiple cipher options";
+  }
+
+  {
+    args_list_t args{"-aes128", "-des3", "-passout", "pass:testpassword", "-out", out_path_tool, "2048"};
+    EXPECT_FALSE(genrsaTool(args)) << "Command should fail with multiple cipher options";
+  }
+
+  {
+    args_list_t args{"-aes192", "-des3", "-passout", "pass:testpassword", "-out", out_path_tool, "2048"};
+    EXPECT_FALSE(genrsaTool(args)) << "Command should fail with multiple cipher options";
+  }
+}
