From 86605d767a0c7de9462ce4eb70891f8d5e8e248f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Iy=C3=A1n?= <me@iyanmv.com>
Date: Sat, 27 Apr 2024 08:46:30 +0200
Subject: [PATCH] Add PKCS#12 test (#400)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Add PKCS#12 test

See: oqs-provider/discussions/398

Signed-off-by: Iyán Méndez Veiga <iyan.mendezveiga@hslu.ch>
Signed-off-by: Iyán Méndez Veiga <me@iyanmv.com>
---
 README.md                        |  6 ++-
 scripts/oqsprovider-pkcs12gen.sh | 63 ++++++++++++++++++++++++++++++++
 scripts/runtests.sh              |  2 +-
 3 files changed, 68 insertions(+), 3 deletions(-)
 create mode 100755 scripts/oqsprovider-pkcs12gen.sh

diff --git a/README.md b/README.md
index 797477a8..9f58f618 100644
--- a/README.md
+++ b/README.md
@@ -21,8 +21,9 @@ Currently this provider fully enables quantum-safe cryptography for KEM
 key establishment in TLS1.3 including management of such keys via the
 OpenSSL (3.0) provider interface and hybrid KEM schemes. Also, QSC
 signatures including CMS and CMP functionality are available via the OpenSSL
-EVP interface. Key persistence is provided via the encode/decode
-mechanism and X.509 data structures. Starting with OpenSSL 3.2 support for 
+EVP interface. Key persistence is provided via the encode/decode mechanism,
+X.509 data structures, and PKCS#12 for bundling a private key with its
+corresponding X.509 certificate. Starting with OpenSSL 3.2 support for
 TLS1.3 signature functionality is available and final glitches for CMS
 have been resolved.
 
@@ -185,6 +186,7 @@ Contributors to the `oqsprovider` include:
 - Will Childs-Klein
 - Thomas Bailleux
 - Felipe Ventura
+- Iyán Méndez Veiga
 
 History
 -------
diff --git a/scripts/oqsprovider-pkcs12gen.sh b/scripts/oqsprovider-pkcs12gen.sh
new file mode 100755
index 00000000..734397fc
--- /dev/null
+++ b/scripts/oqsprovider-pkcs12gen.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# Use newly built oqsprovider to save PKCS#12 files from keys and
+# and certificates files generated using alg $1.
+# Assumed oqsprovider-certgen.sh to have run before for same algorithm
+
+set -e
+set -x
+
+if [ $# -lt 1 ]; then
+    echo "Usage: $0 <algorithmname>. Exiting."
+    exit 1
+fi
+
+echo "oqsprovider-pkcs12gen.sh commencing..."
+
+if [ -z "$OPENSSL_APP" ]; then
+    echo "OPENSSL_APP env var not set. Exiting."
+    exit 1
+fi
+
+if [ -z "$OPENSSL_MODULES" ]; then
+    echo "Warning: OPENSSL_MODULES env var not set."
+fi
+
+# Set OSX DYLD_LIBRARY_PATH if not already externally set
+if [ -z "$DYLD_LIBRARY_PATH" ]; then
+    export DYLD_LIBRARY_PATH=$LD_LIBRARY_PATH
+fi
+
+# Assumes certgen has been run before: Quick check
+if [[ -f tmp/$1_CA.crt &&  -f tmp/$1_CA.key ]]; then
+   echo "Key and certificate using $1 found."
+else
+   echo "File tmp/$1_CA.crt and/or tmp/$1_CA.key not found. Did certgen run before? Exiting."
+   exit -1
+fi
+
+echo "Generating PKCS#12 files..."
+
+# pkcs12 test:
+$OPENSSL_APP pkcs12 -export -in tmp/$1_srv.crt -inkey tmp/$1_srv.key -passout pass: -out tmp/$1_srv_1.p12
+
+if [ $? -ne 0 ] || [ ! -f tmp/$1_srv_1.p12 ]; then
+    echo "PKCS#12 generation with oqsprovider enabled failed."
+    exit 1
+fi
+
+# Generate config file with oqsprovider disabled
+sed -e 's/^oqsprovider/# oqsprovider/' "$(pwd)/scripts/openssl-ca.cnf" > tmp/openssl-ca-no-oqsprovider.cnf
+
+# This print an error but OpenSSL returns 0 and .p12 file is generated correctly
+OPENSSL_CONF=tmp/openssl-ca-no-oqsprovider.cnf $OPENSSL_APP pkcs12 -provider default -provider oqsprovider -export -in tmp/$1_srv.crt -inkey tmp/$1_srv.key -passout pass: -out tmp/$1_srv_2.p12
+
+if [ $? -ne 0 ] || [ ! -f tmp/$1_srv_2.p12 ]; then
+    echo "PKCS#12 generation with oqsprovider disabled failed."
+    exit 1
+fi
+
+if [ $(cat tmp/$1_srv_1.p12 | $OPENSSL_APP sha256) -neq $(cat tmp/$1_srv_2.p12 | $OPENSSL_APP sha256) ]; then
+    echo "PKCS#12 files differ when oqsprovider is enabled or not."
+    exit 1
+fi
diff --git a/scripts/runtests.sh b/scripts/runtests.sh
index 79762205..308991f1 100755
--- a/scripts/runtests.sh
+++ b/scripts/runtests.sh
@@ -17,7 +17,7 @@ openssl2provider() {
 }
 
 localalgtest() {
-    if ! ( "${OQS_PROVIDER_TESTSCRIPTS}/oqsprovider-certgen.sh" "$1" >> interop.log 2>&1 && "${OQS_PROVIDER_TESTSCRIPTS}/oqsprovider-certverify.sh" "$1" >> interop.log 2>&1 && "${OQS_PROVIDER_TESTSCRIPTS}/oqsprovider-cmssign.sh" "$1" >> interop.log 2>&1 &&  "${OQS_PROVIDER_TESTSCRIPTS}/oqsprovider-ca.sh" "$1" >> interop.log 2>&1 ); then
+    if ! ( "${OQS_PROVIDER_TESTSCRIPTS}/oqsprovider-certgen.sh" "$1" >> interop.log 2>&1 && "${OQS_PROVIDER_TESTSCRIPTS}/oqsprovider-certverify.sh" "$1" >> interop.log 2>&1 && "${OQS_PROVIDER_TESTSCRIPTS}/oqsprovider-cmssign.sh" "$1" >> interop.log 2>&1 && "${OQS_PROVIDER_TESTSCRIPTS}/oqsprovider-ca.sh" "$1" >> interop.log 2>&1 && "${OQS_PROVIDER_TESTSCRIPTS}/oqsprovider-pkcs12gen.sh" "$1" >> interop.log 2>&1 ); then
         echo "localalgtest $1 failed. Exiting.".
         cat interop.log
         exit 1