From 25e9de6adae3d6df9fb4cca9f75c9be5697c4f00 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Tue, 20 Aug 2024 16:50:41 +0200
Subject: [PATCH 1/2] tests: Enable EdDSA tests with kryoptic

Signed-off-by: Jakub Jelen
---
 tests/meson.build | 6 +-
 tests/setup-kryoptic.sh | 118 ++++++++++++++++++++++------------
 2 files changed, 68 insertions(+), 56 deletions(-)

diff --git a/tests/meson.build b/tests/meson.build
index c6ffb37e..5a9022b6 100644
--- a/tests/meson.build
+++ b/tests/meson.build
@@ -125,13 +125,13 @@ tests = {
  'pubkey': {'suites': ['softokn', 'softhsm', 'kryoptic']},
  'certs': {'suites': ['softokn', 'softhsm', 'kryoptic']},
  'ecc': {'suites': ['softokn', 'softhsm', 'kryoptic']},
- 'edwards': {'suites': ['softhsm']},
+ 'edwards': {'suites': ['softhsm', 'kryoptic']},
  'ecdh': {'suites': ['softokn', 'kryoptic']},
  'democa': {'suites': ['softokn', 'softhsm', 'kryoptic'], 'is_parallel': false},
  'digest': {'suites': ['softokn', 'softhsm', 'kryoptic']},
  'fork': {'suites': ['softokn', 'softhsm', 'kryoptic']},
  'oaepsha2': {'suites': ['softokn', 'kryoptic']},
- 'hkdf': {'suites': ['softokn']},
+ 'hkdf': {'suites': ['softokn', 'kryoptic']},
  'rsapss': {'suites': ['softokn', 'softhsm', 'kryoptic']},
  'rsapssam': {'suites': ['softhsm']},
  'genkey': {'suites': ['softokn', 'softhsm', 'kryoptic']},
@@ -141,7 +141,7 @@ tests = {
  'tls': {'suites': ['softokn', 'softhsm', 'kryoptic'], 'is_parallel': false},
  'uri': {'suites': ['softokn', 'softhsm', 'kryoptic']},
  'ecxc': {'suites': ['softhsm', 'kryoptic']},
- 'cms': {'suites': ['softokn']},
+ 'cms': {'suites': ['softokn', 'kryoptic']},
 }
 
 test_wrapper = find_program('test-wrapper')
diff --git a/tests/setup-kryoptic.sh b/tests/setup-kryoptic.sh
index 176c550d..6c2a820c 100755
--- a/tests/setup-kryoptic.sh
+++ b/tests/setup-kryoptic.sh
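Review bot: The commit subject only announces EdDSA, but the meson.build hunks also add 'kryoptic' to the `'hkdf'` and `'cms'` suites, which exercise unrelated code paths and will be attributed to this commit in a bisect if they turn out flaky on kryoptic. Either split those two entries into their own commit or extend the message with a sentence such as "also enable the hkdf and cms tests, which kryoptic now supports", so the reason the three suites move together is recorded.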
@@ -243,32 +243,31 @@ echo "${ECPEERPRIURI}"
 echo "${ECPEERCRTURI}"
 echo ""
 
-# TODO: not supported yet by Kryoptic
-## generate ED25519
-#KEYID='0004'
-#URIKEYID="%00%04"
-#EDCRT="${TMPPDIR}/edcert"
-#EDCRTN="edCert"
-#
-## shellcheck disable=SC2086
-#pkcs11-tool ${P11DEFARGS} --keypairgen --key-type="EC:edwards25519" \
-# --label="${EDCRTN}" --id="$KEYID"
-#ca_sign "$EDCRT" $EDCRTN "My ED25519 Cert" $KEYID
-#
-#EDBASEURIWITHPINVALUE="pkcs11:id=${URIKEYID};pin-value=${PINVALUE}"
-#EDBASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID};pin-source=file:${PINFILE}"
-#EDBASEURI="pkcs11:id=${URIKEYID}"
-#EDPUBURI="pkcs11:type=public;id=${URIKEYID}"
-#EDPRIURI="pkcs11:type=private;id=${URIKEYID}"
-#EDCRTURI="pkcs11:type=cert;object=${EDCRTN}"
-#
-#title LINE "ED25519 PKCS11 URIS"
-#echo "${EDBASEURIWITHPINVALUE}"
-#echo "${EDBASEURIWITHPINSOURCE}"
-#echo "${EDBASEURI}"
-#echo "${EDPUBURI}"
-#echo "${EDPRIURI}"
-#echo "${EDCRTURI}"
+# generate ED25519
+KEYID='0004'
+URIKEYID="%00%04"
+EDCRT="${TMPPDIR}/edcert"
+EDCRTN="edCert"
+
+# shellcheck disable=SC2086
+pkcs11-tool ${P11DEFARGS} --keypairgen --key-type="EC:edwards25519" \
+ --label="${EDCRTN}" --id="$KEYID"
+ca_sign "$EDCRT" $EDCRTN "My ED25519 Cert" $KEYID
+
+EDBASEURIWITHPINVALUE="pkcs11:id=${URIKEYID};pin-value=${PINVALUE}"
+EDBASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID};pin-source=file:${PINFILE}"
+EDBASEURI="pkcs11:id=${URIKEYID}"
+EDPUBURI="pkcs11:type=public;id=${URIKEYID}"
+EDPRIURI="pkcs11:type=private;id=${URIKEYID}"
+EDCRTURI="pkcs11:type=cert;object=${EDCRTN}"
+
+title LINE "ED25519 PKCS11 URIS"
+echo "${EDBASEURIWITHPINVALUE}"
+echo "${EDBASEURIWITHPINSOURCE}"
+echo "${EDBASEURI}"
+echo "${EDPUBURI}"
+echo "${EDPRIURI}"
+echo "${EDCRTURI}"
 
 title PARA "generate RSA key pair, self-signed certificate, remove public key"
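Review bot: The re-enabled `EDBASEURIWITHPINVALUE` and `EDBASEURIWITHPINSOURCE` lines attach `pin-value` and `pin-source` to the URI with `;`, which makes them path attributes, whereas RFC 7512 defines both as query attributes introduced by `?`, and the ALWAYS_AUTHENTICATE block re-enabled further down in this same file already writes `?pin-value=` / `?pin-source=`. If the provider's URI parser happens to accept the path form the EdDSA tests will pass without actually checking the documented syntax, and if it is strict they will fail to log in; the two lines should read `EDBASEURIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}"` and `EDBASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=file:${PINFILE}"`. Separately, `ca_sign "$EDCRT" $EDCRTN "My ED25519 Cert" $KEYID` leaves two expansions unquoted outside the SC2086 waiver that only covers the pkcs11-tool line; the values are fixed so it is harmless, but `"$EDCRTN"` and `"$KEYID"` keep ShellCheck clean.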
@@ -353,33 +352,32 @@ else
 echo ""
 fi
-# TODO: ALWAYS_AUTHENTICATE behavior not supported yet
-#title PARA "generate EC key pair with ALWAYS AUTHENTICATE flag, self-signed certificate"
-#KEYID='0008'
-#URIKEYID="%00%08"
-#TSTCRT="${TMPPDIR}/eccert3"
-#TSTCRTN="ecCert3"
-#
-## shellcheck disable=SC2086
-#pkcs11-tool ${P11DEFARGS} --keypairgen --key-type="EC:secp521r1" \
-# --label="${TSTCRTN}" --id="$KEYID" --always-auth
-#ca_sign "$TSTCRT" $TSTCRTN "My EC Cert 3" $KEYID
-#
-#ECBASE3URIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}"
-#ECBASE3URIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=file:${PINFILE}"
-#ECBASE3URI="pkcs11:id=${URIKEYID}"
-#ECPUB3URI="pkcs11:type=public;id=${URIKEYID}"
-#ECPRI3URI="pkcs11:type=private;id=${URIKEYID}"
-#ECCRT3URI="pkcs11:type=cert;object=${TSTCRTN}"
-#
-#title LINE "EC3 PKCS11 URIS"
-#echo "${ECBASE3URIWITHPINVALUE}"
-#echo "${ECBASE3URIWITHPINSOURCE}"
-#echo "${ECBASE3URI}"
-#echo "${ECPUB3URI}"
-#echo "${ECPRI3URI}"
-#echo "${ECCRT3URI}"
-#echo ""
+title PARA "generate EC key pair with ALWAYS AUTHENTICATE flag, self-signed certificate"
+KEYID='0008'
+URIKEYID="%00%08"
+TSTCRT="${TMPPDIR}/eccert3"
+TSTCRTN="ecCert3"
+
+# shellcheck disable=SC2086
+pkcs11-tool ${P11DEFARGS} --keypairgen --key-type="EC:secp521r1" \
+ --label="${TSTCRTN}" --id="$KEYID" --always-auth
+ca_sign "$TSTCRT" $TSTCRTN "My EC Cert 3" $KEYID
+
+ECBASE3URIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}"
+ECBASE3URIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=file:${PINFILE}"
+ECBASE3URI="pkcs11:id=${URIKEYID}"
+ECPUB3URI="pkcs11:type=public;id=${URIKEYID}"
+ECPRI3URI="pkcs11:type=private;id=${URIKEYID}"
+ECCRT3URI="pkcs11:type=cert;object=${TSTCRTN}"
+
+title LINE "EC3 PKCS11 URIS"
+echo "${ECBASE3URIWITHPINVALUE}"
+echo "${ECBASE3URIWITHPINSOURCE}"
+echo "${ECBASE3URI}"
+echo "${ECPUB3URI}"
+echo "${ECPRI3URI}"
+echo "${ECCRT3URI}"
+echo ""
 
 title PARA "Show contents of kryoptic token"
 echo "
 ----------------------------------------------------------------------------------------------------"
@@ -439,6 +437,13 @@ export ECPEERPUBURI="${ECPEERPUBURI}"
 export ECPEERPRIURI="${ECPEERPRIURI}"
 export ECPEERCRTURI="${ECPEERCRTURI}"
 
+export EDBASEURIWITHPINVALUE="${EDBASEURIWITHPINVALUE}"
+export EDBASEURIWITHPINSOURCE="${EDBASEURIWITHPINSOURCE}"
+export EDBASEURI="${EDBASEURI}"
+export EDPUBURI="${EDPUBURI}"
+export EDPRIURI="${EDPRIURI}"
+export EDCRTURI="${EDCRTURI}"
+
 export BASE2URIWITHPINVALUE="${BASEURIWITHPINVALUE}"
 export BASE2URIWITHPINSOURCE="${BASEURIWITHPINSOURCE}"
 export BASE2URI="${BASE2URI}"
@@ -450,6 +455,13 @@ export ECBASE2URIWITHPINSOURCE="${ECBASE2URIWITHPINSOURCE}"
 export ECBASE2URI="${ECBASE2URI}"
 export ECPRI2URI="${ECPRI2URI}"
 export ECCRT2URI="${ECCRT2URI}"
+
+export ECBASE3URIWITHPINVALUE="${ECBASE3URIWITHPINVALUE}"
+export ECBASE3URIWITHPINSOURCE="${ECBASE3URIWITHPINSOURCE}"
+export ECBASE3URI="${ECBASE3URI}"
+export ECPUB3URI="${ECPUB3URI}"
+export ECPRI3URI="${ECPRI3URI}"
+export ECCRT3URI="${ECCRT3URI}"
 DBGSCRIPT
 
 if [ -n "${ECXBASEURI}" ]; then

From f82445284c1c1c1515f268f2f7af541db552e359 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Tue, 20 Aug 2024 16:50:57 +0200
Subject: [PATCH 2/2] tests: Print openssl output on error

Signed-off-by: Jakub Jelen
---
 tests/trsapssam | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tests/trsapssam b/tests/trsapssam
index 7594024c..dd3944d6 100755
--- a/tests/trsapssam
+++ b/tests/trsapssam
@@ -55,6 +55,7 @@ FAIL=0
 echo "$output" | grep "mechanism not allowed with this key" > /dev/null 2>&1 || FAIL=1
 if [ $FAIL -ne 0 ]; then
 echo "Signature seem to have failed for unrelated reasons"
+ echo "$output";
 exit 1
 fi
 
@@ -82,5 +83,6 @@ FAIL=0
 echo "$output" | grep "An invalid mechanism was specified to the cryptographic operation" > /dev/null 2>&1 || FAIL=1
 if [ $FAIL -ne 0 ]; then
 echo "Signature seem to have failed for unrelated reasons"
+ echo "$output";
 exit 1
 fi
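Review bot: The removed line recorded that ALWAYS_AUTHENTICATE was not supported by kryoptic, and the hunk re-enables the `--always-auth` key pair under a commit whose subject only mentions EdDSA, so the reason this block is now considered safe to run is no longer written anywhere. A one-line comment above the re-enabled `title PARA "generate EC key pair with ALWAYS AUTHENTICATE flag, …"`, e.g. `# needs a kryoptic build that enforces CKA_ALWAYS_AUTHENTICATE (re-login per private-key op)`, would keep that dependency visible, and the commit message should say which kryoptic change made it possible. Nothing on this page adds a test consuming the `ECBASE3URI*` / `ECPUB3URI` variables that the later export hunk publishes, so if no existing test reads them the re-login behaviour is set up but never asserted; worth confirming against the test list. The `if … else … fi` the hunk opens on closes at `fi` before the new code, so the added block is top-level.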
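Review bot: In both trsapssam hunks the new `echo "$output";` writes the captured tool output to stdout with `echo`, which treats a leading `-n`/`-e` in `$output` as an option and, on some shells, interprets backslash escapes, so the diagnostic can be silently altered on exactly the failure path where it is needed. Since this is an error-path dump next to `exit 1`, `printf '%s\n' "$output" >&2` is the robust form (the trailing `;` is also unneeded on its own line); the same applies to the second hunk at `@@ -82,5 +83,6 @@`. The enclosing `if [ $FAIL -ne 0 ]` test and the `output=` capture it prints are set up outside the hunk, so whether stderr was already merged into `$output` cannot be confirmed from here.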