Commit 0321c2919c for openssl.org

commit 0321c2919c72f9bfef9e4f63ae10b94888c55bb4
Author: Jakub Zelenka <jakub.zelenka@openssl.foundation>
Date:   Wed Jul 8 12:32:18 2026 +0200

    apps: test pkeyutl app -rev option

    Add coverage for the -rev option of the pkeyutl app, checking that the
    input buffer is reversed before the operation and that -rev is rejected
    together with raw input.

    Assisted-by: Claude:claude-opus-4-8

    Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
    MergeDate: Mon Jul 13 15:35:56 2026
    (Merged from https://github.com/openssl/openssl/pull/31891)

diff --git a/test/recipes/20-test_pkeyutl.t b/test/recipes/20-test_pkeyutl.t
index 7964a0db06..dec9b4b183 100644
--- a/test/recipes/20-test_pkeyutl.t
+++ b/test/recipes/20-test_pkeyutl.t
@@ -17,7 +17,7 @@ use File::Compare qw/compare_text compare/;

 setup("test_pkeyutl");

-plan tests => 32;
+plan tests => 33;

 # For the tests below we use the cert itself as the TBS file

@@ -187,6 +187,42 @@ SKIP: {
                     "-pkeyopt", "rsa_padding_mode:pss");
     };

+    subtest "pkeyutl -rev reverses the input buffer" => sub {
+        plan tests => 4;
+
+        my $key = srctop_file("test", "testrsa.pem");
+        my $in = "rev_in.bin";
+        my $in_rev = "rev_in_reversed.bin";
+
+        # A non-palindromic input, short enough to be signed as a raw digest.
+        my $data = "0123456789abcdefghijklmnopqrstuv";
+        open(my $fh, '>:raw', $in) or die "cannot create $in: $!";
+        print $fh $data;
+        close($fh);
+        open($fh, '>:raw', $in_rev) or die "cannot create $in_rev: $!";
+        print $fh scalar reverse $data;
+        close($fh);
+
+        # RSA signing is deterministic, so signing with -rev must match signing
+        # the manually reversed input.
+        ok(run(app(['openssl', 'pkeyutl', '-sign', '-inkey', $key,
+                    '-rev', '-in', $in, '-out', 'rev.sig'])),
+           "Sign with -rev");
+        ok(run(app(['openssl', 'pkeyutl', '-sign', '-inkey', $key,
+                    '-in', $in_rev, '-out', 'rev_manual.sig'])),
+           "Sign the manually reversed input");
+        is(compare('rev.sig', 'rev_manual.sig'), 0,
+           "-rev signature matches signing the reversed input");
+
+        # -rev is rejected together with raw input.
+        with({ exit_checker => sub { return shift == 1; } },
+            sub {
+                ok(run(app(['openssl', 'pkeyutl', '-sign', '-inkey', $key,
+                            '-rawin', '-digest', 'sha256', '-rev', '-in', $in])),
+                   "-rev cannot be used with -rawin");
+            });
+    };
+
 }

 SKIP: {