Extend the ttls test to be able to test different configurations

.github/workflows/address-sanitizer.yml

@@ -57,7 +57,7 @@ jobs:
         run: |
           meson compile -C builddir
           meson test --num-processes 1 -C builddir
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         if: failure()
         with:
           name: Address sanitizer logs on ${{ matrix.name }}

.github/workflows/build.yml

@@ -65,7 +65,7 @@ jobs:
         run: |
           meson compile -C builddir
           meson test --num-processes 1 -C builddir
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         if: failure()
         with:
           name: Test logs ${{ matrix.name }}, ${{ matrix.compiler }}, ${{ matrix.token }}
@@ -79,7 +79,7 @@ jobs:
             if [ "${{ matrix.compiler }}" = "gcc" ]; then
               meson test --num-processes 1 -C builddir --setup=valgrind
             fi
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         if: failure()
         with:
           name: Test valgrind logs ${{ matrix.name }}, ${{ matrix.compiler }}, ${{ matrix.token }}
@@ -126,10 +126,10 @@ jobs:
 
           meson compile -j$(sysctl -n hw.ncpu || echo 2) -C builddir
           meson test --num-processes 1 -C builddir
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         if: failure()
         with:
-          name: Test logs on macOS-12 with ${{ matrix.token }}
+          name: Test logs on macOS-14 with ${{ matrix.token }}
           path: |
             builddir/meson-logs/*
             builddir/tests/*.log

.github/workflows/kryoptic.yml

@@ -89,7 +89,7 @@ jobs:
           KRYOPTIC: ${{ steps.kryoptic_setup.outputs.KRYOPTIC }}
         run:
           meson test --num-processes 1 -C builddir
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         if: failure()
         with:
           name: Test logs kryoptic

.github/workflows/scan-build.yml

@@ -23,7 +23,7 @@ jobs:
       - name: Scan Build
         run: |
           SCANBUILD=$PWD/.github/scan-build.sh ninja -C builddir scan-build
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         if: failure()
         with:
           name: Scan Build logs

tests/setup-kryoptic.sh

@@ -109,6 +109,7 @@ expiration_days = 365
 email = "[email protected]"
 signing_key
 encryption_key
+cert_signing_key
 HEREDOC
 export GNUTLS_PIN=$PINVALUE
 SERIAL=1
@@ -117,24 +118,31 @@ SERIAL=1
 title LINE "Creating new Self Sign CA"
 KEYID='0000'
 URIKEYID="%00%00"
-CACRT="${TMPPDIR}/CAcert"
+CACRT="${TMPPDIR}/CAcert.crt"
+CACRT_PEM="${TMPPDIR}/CAcert.pem"
 CACRTN="caCert"
 
 
 ((SERIAL+=1))
 # shellcheck disable=SC2086
 pkcs11-tool ${P11DEFARGS} --keypairgen --key-type="RSA:2048" \
 	--label="${CACRTN}" --id="${KEYID}" 2>&1
-"${certtool}" --generate-self-signed --outfile="${CACRT}.crt" \
+"${certtool}" --generate-self-signed --outfile="${CACRT}" \
 	--template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \
         --load-privkey "pkcs11:object=$CACRTN;type=private" \
         --load-pubkey "pkcs11:object=$CACRTN;type=public" --outder 2>&1
 # shellcheck disable=SC2086
-pkcs11-tool ${P11DEFARGS} --write-object "${CACRT}.crt" --type=cert \
+pkcs11-tool ${P11DEFARGS} --write-object "${CACRT}" --type=cert \
         --id=$KEYID --label="$CACRTN" 2>&1
 
+# convert the DER cert to PEM
+openssl x509 -inform DER -in "$CACRT" -outform PEM > "$CACRT_PEM"
+
 # the organization identification is not in the CA
 echo 'organization = "PKCS11 Provider"' >> "${TMPPDIR}/cert.cfg"
+# the cert_signing_key and "ca" should be only on the CA
+sed -i -e "/cert_signing_key/d" "${TMPPDIR}/cert.cfg"
+
 
 ca_sign() {
     CRT=$1
@@ -151,7 +159,7 @@ ca_sign() {
         --template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \
 	--load-privkey "pkcs11:object=$LABEL;type=private" \
         --load-pubkey "pkcs11:object=$LABEL;type=public" --outder \
-        --load-ca-certificate "${CACRT}.crt" --inder \
+        --load-ca-certificate "${CACRT}" --inder \
         --load-ca-privkey="pkcs11:object=$CACRTN;type=private" 2>&1
 # shellcheck disable=SC2086
     pkcs11-tool ${P11DEFARGS} --write-object "${CRT}.crt" --type=cert \
@@ -388,21 +396,21 @@ sed -e "s|@libtoollibs@|${LIBSPATH}|g" \
     -e "s|@testsdir@|${TMPPDIR}|g" \
     -e "s|@SHARED_EXT@|${SHARED_EXT}|g" \
     -e "s|@PINFILE@|${PINFILE}|g" \
-    -e "s|##QUIRKS|pkcs11-module-quirks = no-deinit|g" \
     -e "/pkcs11-module-init-args/d" \
     "${TESTSSRCDIR}/openssl.cnf.in" > "${OPENSSL_CONF}"
 
 title LINE "Export test variables to ${TMPPDIR}/testvars"
 cat >> "${TMPPDIR}/testvars" <<DBGSCRIPT
 export P11LIB=${P11LIB}
-export P11KITCLIENTPATH=${P11KITCLIENTPATH}
 export PKCS11_PROVIDER_MODULE=${P11LIB}
 export PKCS11_PROVIDER_DEBUG="file:${TMPPDIR}/p11prov-debug.log"
 export OPENSSL_CONF="${OPENSSL_CONF}"
 export KRYOPTIC_CONF="${TMPPDIR}/tokens/kryoptic.sql"
 export TESTSSRCDIR="${TESTSSRCDIR}"
 export TESTBLDDIR="${TESTBLDDIR}"
 
+export CACRT="${CACRT_PEM}"
+
 export TOKDIR="${TOKDIR}"
 export TMPPDIR="${TMPPDIR}"
 export PINVALUE="${PINVALUE}"

tests/setup-softhsm.sh

@@ -39,11 +39,6 @@ else
 	sed_inplace=("-i" "")
 fi
 
-if [ "$P11KITCLIENTPATH" = "" ]; then
-    echo "Missing P11KITCLIENTPATH env variable"
-    exit 0
-fi
-
 find_softhsm() {
     for _lib in "$@" ; do
         if test -f "$_lib" ; then
@@ -121,6 +116,7 @@ expiration_days = 365
 email = "[email protected]"
 signing_key
 encryption_key
+cert_signing_key
 HEREDOC
 export GNUTLS_PIN=$PINVALUE
 SERIAL=1
@@ -131,20 +127,26 @@ softhsm2-util --init-token --label "token_name" --free --pin $PINVALUE --so-pin
 title LINE "Creating new Self Sign CA"
 KEYID='0000'
 URIKEYID="%00%00"
-CACRT="${TMPPDIR}/CAcert"
+CACRT="${TMPPDIR}/CAcert.crt"
+CACRT_PEM="${TMPPDIR}/CAcert.pem"
 CACRTN="caCert"
 ((SERIAL+=1))
 pkcs11-tool --keypairgen --key-type="RSA:2048" --login --pin=$PINVALUE \
 	--module="$P11LIB" --label="${CACRTN}" --id="$KEYID"
-"${certtool}" --generate-self-signed --outfile="${CACRT}.crt" \
+"${certtool}" --generate-self-signed --outfile="${CACRT}" \
 	--template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \
         --load-privkey "pkcs11:object=$CACRTN;type=private" \
         --load-pubkey "pkcs11:object=$CACRTN;type=public" --outder
-pkcs11-tool --write-object "${CACRT}.crt" --type=cert --id=$KEYID \
+pkcs11-tool --write-object "${CACRT}" --type=cert --id=$KEYID \
         --label="$CACRTN" --module="$P11LIB"
 
+# convert the DER cert to PEM
+openssl x509 -inform DER -in "$CACRT" -outform PEM > "$CACRT_PEM"
+
 # the organization identification is not in the CA
 echo 'organization = "PKCS11 Provider"' >> "${TMPPDIR}/cert.cfg"
+# the cert_signing_key and "ca" should be only on the CA
+sed -e "/^cert_signing_key$/d" -e "/^ca$/d" "${sed_inplace[@]}" "${TMPPDIR}/cert.cfg"
 
 ca_sign() {
     CRT=$1
@@ -161,7 +163,7 @@ ca_sign() {
         --template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \
 	--load-privkey "pkcs11:object=$LABEL;type=private" \
         --load-pubkey "pkcs11:object=$LABEL;type=public" --outder \
-        --load-ca-certificate "${CACRT}.crt" --inder \
+        --load-ca-certificate "${CACRT}" --inder \
         --load-ca-privkey="pkcs11:object=$CACRTN;type=private"
     pkcs11-tool --write-object "${CRT}.crt" --type=cert --id="$KEYID" \
         --label="$LABEL" --module="$P11LIB"
@@ -392,7 +394,6 @@ sed -e "s|@libtoollibs@|${LIBSPATH}|g" \
 title LINE "Export test variables to ${TMPPDIR}/testvars"
 cat >> "${TMPPDIR}/testvars" <<DBGSCRIPT
 export P11LIB=${P11LIB}
-export P11KITCLIENTPATH=${P11KITCLIENTPATH}
 export PKCS11_PROVIDER_MODULE=${P11LIB}
 export PKCS11_PROVIDER_DEBUG="file:${TMPPDIR}/p11prov-debug.log"
 export OPENSSL_CONF="${OPENSSL_CONF}"
@@ -406,6 +407,8 @@ export PINVALUE="${PINVALUE}"
 export SEEDFILE="${TMPPDIR}/noisefile.bin"
 export RAND64FILE="${TMPPDIR}/64krandom.bin"
 
+export CACRT="${CACRT_PEM}"
+
 export BASEURIWITHPINVALUE="${BASEURIWITHPINVALUE}"
 export BASEURIWITHPINSOURCE="${BASEURIWITHPINSOURCE}"
 export BASEURI="${BASEURI}"

tests/setup-softokn.sh

@@ -42,7 +42,8 @@ certutil -N -d "${TOKDIR}" -f "${PINFILE}"
 
 title LINE "Creating new Self Sign CA"
 ((SERIAL+=1))
-certutil -S -s "CN=Issuer" -n selfCA -x -t "C,C,C" \
+CACRTN="selfCA"
+certutil -S -s "CN=Issuer" -n "${CACRTN}" -x -t "C,C,C" \
     -m "${SERIAL}" -1 -2 -5 --keyUsage certSigning,crlSigning \
     --nsCertType sslCA,smimeCA,objectSigningCA \
     -f "${PINFILE}" -d "${TOKDIR}" -z "${SEEDFILE}" >/dev/null 2>&1 <<CERTSCRIPT
@@ -51,6 +52,10 @@ y
 n
 CERTSCRIPT
 
+CACRT="${TMPPDIR}/CAcert.crt"
+title LINE "Read CA cert of of the token"
+certutil -L -a -n "${CACRTN}" -d "${TOKDIR}" -o "$CACRT"
+
 # RSA
 TSTCRT="${TMPPDIR}/testcert"
 TSTCRTN="testCert"
@@ -181,6 +186,8 @@ export PINVALUE="${PINVALUE}"
 export SEEDFILE="${TMPPDIR}/noisefile.bin"
 export RAND64FILE="${TMPPDIR}/64krandom.bin"
 
+export CACRT="${CACRT}"
+
 export BASEURIWITHPINVALUE="${BASEURIWITHPINVALUE}"
 export BASEURIWITHPINSOURCE="${BASEURIWITHPINSOURCE}"
 export BASEURI="${BASEURI}"

tests/softhsm-proxy.sh

@@ -9,6 +9,11 @@ if [ -z "$XDG_RUNTIME_DIR" ]; then
     export XDG_RUNTIME_DIR=$PWD
 fi
 
+if [ "$P11KITCLIENTPATH" = "" ]; then
+    echo "Missing P11KITCLIENTPATH env variable"
+    exit 0
+fi
+
 title PARA "Start the p11-kit server and check if it works"
 # shellcheck disable=SC2046 # we want to split these for eval
 eval $(p11-kit server --provider "$P11LIB" "pkcs11:")

tests/ttls

@@ -25,38 +25,64 @@ trap 'wait_for_server_at_exit $SERVER_PID;' EXIT
 
 PORT=23456
 
-expect -c "spawn $CHECKER openssl s_server -accept \"${PORT}\" -naccept 1 -key \"${PRIURI}\" -cert \"${CRTURI}\";
-    set timeout 60;
-    expect {
-        \"ACCEPT\" {};
-        default {exit 1;};
-    }
-    set server_ready [open \"${TMPPDIR}/s_server_ready\" w+];
-    puts \$server_ready \"READY\n\";
-    close \$server_ready;
-    expect {
-        \"END SSL SESSION PARAMETERS\" {};
-        default {exit 1;};
-    }
-    send \" TLS SUCCESSFUL \n\"
-    send \"Q\n\"
-    expect {
-        eof {exit 0;};
-        default {exit 1;};
-    }" > "${TMPPDIR}/s_server_output" &
-SERVER_PID=$!
-
-read -r < "${TMPPDIR}/s_server_ready"
-
-expect -c "spawn $CHECKER openssl s_client -connect \"localhost:${PORT}\";
-    set timeout 60;
-    expect {
-        \" TLS SUCCESSFUL \" {};
-        default {exit 1;};
-    }
-    expect {
-        eof {exit 0;};
-        default {exit 1;};
-    }"
+run_test() {
+    KEY="$1"
+    CERT="$2"
+    SRV_ARGS=$3
+    CLNT_ARGS=$4
+    expect -c "spawn $CHECKER openssl s_server -accept \"${PORT}\" -naccept 1 -key \"${KEY}\" -cert \"${CERT}\" $SRV_ARGS;
+        set timeout 60;
+        expect {
+            \"ACCEPT\" {};
+            default {exit 1;};
+        }
+        set server_ready [open \"${TMPPDIR}/s_server_ready\" w+];
+        puts \$server_ready \"READY\n\";
+        close \$server_ready;
+        expect {
+            \"END SSL SESSION PARAMETERS\" {};
+            default {exit 1;};
+        }
+        send \" TLS SUCCESSFUL \n\"
+        send \"Q\n\"
+        expect {
+            eof {exit 0;};
+            default {exit 1;};
+        }" > "${TMPPDIR}/s_server_output" &
+    SERVER_PID=$!
+
+    read -r < "${TMPPDIR}/s_server_ready"
+
+    expect -c "spawn $CHECKER openssl s_client -connect \"localhost:${PORT}\" -CAfile \"${CACRT}\" $CLNT_ARGS;
+        set timeout 60;
+        expect {
+            \" TLS SUCCESSFUL \" {};
+            default {exit 1;};
+        }
+        expect {
+            eof {exit 0;};
+            default {exit 1;};
+        }"
+
+    wait_for_server_at_exit $SERVER_PID
+}
+
+title PARA "Run sanity test with default values (RSA)"
+run_test "$PRIURI" "$CRTURI"
+
+title PARA "Run sanity test with default values (ECDSA)"
+run_test "$ECPRIURI" "$ECCRTURI"
+
+title PARA "Run test with TLS 1.2"
+run_test "$PRIURI" "$CRTURI" "" "-tls1_2"
+
+title PARA "Run test with explicit TLS 1.3"
+run_test "$PRIURI" "$CRTURI" "" "-tls1_3"
+
+title PARA "Run test with TLS 1.2 (ECDSA)"
+run_test "$ECPRIURI" "$ECCRTURI" "" "-tls1_2"
+
+title PARA "Run test with TLS 1.2 and ECDH"
+run_test "$ECPRIURI" "$ECCRTURI" "" "-tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 -groups secp256r1"
 
 exit 0;