Add explicit EC test

manison · manison · commit 947c0c1315ff · 2023-05-30T14:27:17.000+02:00
Signed-off-by: manison &lt;manison@users.noreply.github.com&gt;
diff --git a/.reuse/dep5 b/.reuse/dep5
@@ -19,6 +19,7 @@ Files: **/Makefile.am
        tests/Makefile.am
        tests/README
        tests/openssl.cnf.in
+       tests/explicit_ec.*
        .clang-format
        .clang-format-ignore
        packaging/pkcs11-provider.spec
diff --git a/tests/Makefile.am b/tests/Makefile.am
@@ -52,7 +52,7 @@ tmp.softhsm:
 dist_check_SCRIPTS = \
 	helpers.sh setup-softhsm.sh setup-softokn.sh softhsm-proxy.sh \
 	test-wrapper tbasic tcerts tecc tecdh tedwards tdemoca thkdf \
-	toaepsha2 trsapss tdigest ttls tpubkey tfork turi trand
+	toaepsha2 trsapss tdigest ttls tpubkey tfork turi trand tecxc
 
 test_LIST = \
 	basic-softokn basic-softhsm \
@@ -72,7 +72,7 @@ test_LIST = \
 	rand-softokn rand-softhsm \
 	readkeys-softokn readkeys-softhsm \
 	tls-softokn tls-softhsm \
-	uri-softokn uri-softhsm
+	uri-softokn uri-softhsm ecxc-softhsm
 
 .PHONY: $(test_LIST)
 
diff --git a/tests/explicit_ec.cnf b/tests/explicit_ec.cnf
@@ -0,0 +1,17 @@
+asn1=SEQUENCE:ec_param
+
+[ec_param]
+version=INTEGER:1
+fieldID=SEQUENCE:fieldID
+curve=SEQUENCE:curve
+base_point=FORMAT:HEX,OCTETSTRING:043981fb5d14d3808971275dea9831573301cba0117bea9ab25ef767e188fb4a659d4693e1d27edb94bead8c345db51799
+point_order=INTEGER:0x2fbe975bf5652816348bcaf164dc6772e88e010fa5c95c21
+cof=INTEGER:0x04
+
+[fieldID]
+oid=OID:1.2.840.10045.1.1
+p=INTEGER:0x00befa5d6fd594a058d22f2bc4c22009a83685639a85a54d7d 
+
+[curve]
+a=FORMAT:HEX,OCTETSTRING:6f54e1bd75f76fb5d11bec084bd18f94e68e9e02db73852a
+b=FORMAT:HEX,OCTETSTRING:657510e059c61603405486c8a7550ca6530aed3c98a51763
diff --git a/tests/explicit_ec.key.der b/tests/explicit_ec.key.der
diff --git a/tests/explicit_ec.pub.der b/tests/explicit_ec.pub.der
diff --git a/tests/setup-softhsm.sh b/tests/setup-softhsm.sh
@@ -307,6 +307,30 @@ echo "${ECPRI2URI}"
 echo "${ECCRT2URI}"
 echo ""
 
+title PARA "generate explicit EC key pair"
+KEYID='0007'
+URIKEYID="%00%07"
+ECXCRT="${TMPPDIR}/ecExplicitCert"
+ECXCRTN="ecExplicitCert"
+
+pkcs11-tool --write-object=explicit_ec.key.der --type=privkey --login --pin=$PINVALUE --module="$P11LIB" \
+	--label="${ECXCRTN}" --id="$KEYID"
+pkcs11-tool --write-object=explicit_ec.pub.der --type=pubkey --login --pin=$PINVALUE --module="$P11LIB" \
+	--label="${ECXCRTN}" --id="$KEYID"
+#ca_sign $ECXCRT $ECXCRTN "My Explicit EC Cert" $KEYID
+
+ECXBASEURI="pkcs11:id=${URIKEYID}"
+ECXPUBURI="pkcs11:type=public;id=${URIKEYID}"
+ECXPRIURI="pkcs11:type=private;id=${URIKEYID}"
+#ECXCRTURI="pkcs11:type=cert;object=${ECXCRTN}"
+
+title LINE "EXPLICIT EC PKCS11 URIS"
+echo "${ECXBASEURI}"
+echo "${ECXPUBURI}"
+echo "${ECXPRIURI}"
+#echo "${ECXCRTURI}"
+echo ""
+
 title PARA "Show contents of softhsm token"
 echo " ----------------------------------------------------------------------------------------------------"
 pkcs11-tool -O --login --pin=$PINVALUE --module="$P11LIB"
@@ -375,6 +399,10 @@ export ECBASE2URI="${ECBASE2URI}"
 export ECPRI2URI="${ECPRI2URI}"
 export ECCRT2URI="${ECCRT2URI}"
 
+export ECXBASEURI="${ECXBASEURI}"
+export ECXPUBURI="${ECXPUBURI}"
+export ECXPRIURI="${ECXPRIURI}"
+
 # for listing the separate pkcs11 calls
 #export PKCS11SPY="${PKCS11_PROVIDER_MODULE}"
 #export PKCS11_PROVIDER_MODULE=/usr/lib64/pkcs11-spy.so
diff --git a/tests/tecxc b/tests/tecxc
@@ -0,0 +1,128 @@
+#!/bin/bash -e
+# Copyright (C) 2023 Simo Sorce <simo@redhat.com>
+# SPDX-License-Identifier: Apache-2.0
+
+source ${TESTSSRCDIR}/helpers.sh
+
+title PARA "Export EC Public key to a file"
+ossl 'pkey -in $ECXPUBURI -pubin -pubout -out ${TMPPDIR}/ecout.pub'
+title LINE "Print EC Public key from private"
+ossl 'pkey -in $ECXPRIURI -pubout -text' output
+FAIL=0
+echo $output | grep "PKCS11 EC Public Key (190 bits)" > /dev/null 2>&1 || FAIL=1
+if [ $FAIL -eq 1 ]; then
+    echo "Pkcs11 encoder function failed"
+    echo
+    echo "Original command output:"
+    echo "$output"
+    echo
+    exit 1
+fi
+
+title PARA "Sign and Verify with provided Hash and EC"
+ossl '
+pkeyutl -sign -inkey "${ECXBASEURI}"
+              -in ${TMPPDIR}/sha256.bin
+              -out ${TMPPDIR}/sha256-ecsig.bin'
+
+ossl '
+pkeyutl -verify -inkey "${ECXBASEURI}" -pubin
+                -in ${TMPPDIR}/sha256.bin
+                -sigfile ${TMPPDIR}/sha256-ecsig.bin'
+
+ossl '
+pkeyutl -verify -inkey "${TMPPDIR}/ecout.pub" -pubin
+                -in ${TMPPDIR}/sha256.bin
+                -sigfile ${TMPPDIR}/sha256-ecsig.bin'
+
+title PARA "DigestSign and DigestVerify with ECC (SHA-256)"
+ossl '
+pkeyutl -sign -inkey "${ECXBASEURI}"
+              -digest sha256
+              -in ${RAND64FILE}
+              -rawin
+              -out ${TMPPDIR}/sha256-ecdgstsig.bin'
+ossl '
+pkeyutl -verify -inkey "${ECXBASEURI}" -pubin
+                -digest sha256
+                -in ${RAND64FILE}
+                -rawin
+                -sigfile ${TMPPDIR}/sha256-ecdgstsig.bin'
+
+title PARA "DigestSign and DigestVerify with ECC (SHA-384)"
+ossl '
+pkeyutl -sign -inkey "${ECXBASEURI}"
+              -digest sha384
+              -in ${RAND64FILE}
+              -rawin
+              -out ${TMPPDIR}/sha384-ecdgstsig.bin'
+ossl '
+pkeyutl -verify -inkey "${ECXBASEURI}" -pubin
+                -digest sha384
+                -in ${RAND64FILE}
+                -rawin
+                -sigfile ${TMPPDIR}/sha384-ecdgstsig.bin'
+
+title PARA "DigestSign and DigestVerify with ECC (SHA-512)"
+ossl '
+pkeyutl -sign -inkey "${ECXBASEURI}"
+              -digest sha512
+              -in ${RAND64FILE}
+              -rawin
+              -out ${TMPPDIR}/sha512-ecdgstsig.bin'
+ossl '
+pkeyutl -verify -inkey "${ECXBASEURI}" -pubin
+                -digest sha512
+                -in ${RAND64FILE}
+                -rawin
+                -sigfile ${TMPPDIR}/sha512-ecdgstsig.bin'
+
+title PARA "DigestSign and DigestVerify with ECC (SHA3-256)"
+ossl '
+pkeyutl -sign -inkey "${ECXBASEURI}"
+              -digest sha3-256
+              -in ${RAND64FILE}
+              -rawin
+              -out ${TMPPDIR}/sha3-256-ecdgstsig.bin'
+ossl '
+pkeyutl -verify -inkey "${ECXBASEURI}" -pubin
+                -digest sha3-256
+                -in ${RAND64FILE}
+                -rawin
+                -sigfile ${TMPPDIR}/sha3-256-ecdgstsig.bin'
+
+title PARA "DigestSign and DigestVerify with ECC (SHA3-384)"
+ossl '
+pkeyutl -sign -inkey "${ECXBASEURI}"
+              -digest sha3-384
+              -in ${RAND64FILE}
+              -rawin
+              -out ${TMPPDIR}/sha3-384-ecdgstsig.bin'
+ossl '
+pkeyutl -verify -inkey "${ECXBASEURI}" -pubin
+                -digest sha3-384
+                -in ${RAND64FILE}
+                -rawin
+                -sigfile ${TMPPDIR}/sha3-384-ecdgstsig.bin'
+
+title PARA "DigestSign and DigestVerify with ECC (SHA3-512)"
+ossl '
+pkeyutl -sign -inkey "${ECXBASEURI}"
+              -digest sha3-512
+              -in ${RAND64FILE}
+              -rawin
+              -out ${TMPPDIR}/sha3-512-ecdgstsig.bin'
+ossl '
+pkeyutl -verify -inkey "${ECXBASEURI}" -pubin
+                -digest sha3-512
+                -in ${RAND64FILE}
+                -rawin
+                -sigfile ${TMPPDIR}/sha3-512-ecdgstsig.bin'
+
+title PARA "Test CSR generation from private ECC keys"
+ossl '
+req -new -batch -key "${ECXPRIURI}" -out ${TMPPDIR}/ecdsa_csr.pem'
+ossl '
+req -in ${TMPPDIR}/ecdsa_csr.pem -verify -noout'
+
+exit 0
