
Commit eb476fa

manisonsimo5
authored andcommitted
Add test for explicit EC
Signed-off-by: manison <[email protected]>
1 parent bb99305 commit eb476fa


8 files changed

+195
-3
lines changed


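--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -24,6 +24,7 @@ jobs:
 tdigest
 tecc
 tecdh
+tecxc
 tedwards
 test-wrapper
 thkdf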

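--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -19,6 +19,7 @@ Files: **/Makefile.am
 tests/Makefile.am
 tests/README
 tests/openssl.cnf.in
+tests/explicit_ec.*
 .clang-format
 .clang-format-ignore
 packaging/pkcs11-provider.spec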

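--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -1,5 +1,6 @@
 EXTRA_DIST = openssl.cnf.in \
-lsan.supp
+lsan.supp \
+explicit_ec.key.der explicit_ec.pub.der
 
 libspath=@abs_top_builddir@/src/.libs
 testsblddir=@abs_top_builddir@/tests
@@ -57,7 +58,7 @@ tmp.softhsm:
 dist_check_SCRIPTS = \
 helpers.sh setup-softhsm.sh setup-softokn.sh softhsm-proxy.sh \
 test-wrapper tbasic tcerts tecc tecdh tedwards tdemoca thkdf \
-toaepsha2 trsapss tdigest ttls tpubkey tfork turi trand
+toaepsha2 trsapss tdigest ttls tpubkey tfork turi trand tecxc
 
 test_LIST = \
 basic-softokn.t basic-softhsm.t \
@@ -77,7 +78,7 @@ test_LIST = \
 rand-softokn.t rand-softhsm.t \
 readkeys-softokn.t readkeys-softhsm.t \
 tls-softokn.t tls-softhsm.t \
-uri-softokn.t uri-softhsm.t
+uri-softokn.t uri-softhsm.t ecxc-softhsm.t
 
 .PHONY: $(test_LIST)
 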
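--- a/tests/explicit_ec.cnf
+++ b/tests/explicit_ec.cnf
@@ -0,0 +1,17 @@
+asn1=SEQUENCE:ec_param
+
+[ec_param]
+version=INTEGER:1
+fieldID=SEQUENCE:fieldID
+curve=SEQUENCE:curve
+base_point=FORMAT:HEX,OCTETSTRING:043981fb5d14d3808971275dea9831573301cba0117bea9ab25ef767e188fb4a659d4693e1d27edb94bead8c345db51799
+point_order=INTEGER:0x2fbe975bf5652816348bcaf164dc6772e88e010fa5c95c21
+cof=INTEGER:0x04
+
+[fieldID]
+oid=OID:1.2.840.10045.1.1
+p=INTEGER:0x00befa5d6fd594a058d22f2bc4c22009a83685639a85a54d7d
+
+[curve]
+a=FORMAT:HEX,OCTETSTRING:6f54e1bd75f76fb5d11bec084bd18f94e68e9e02db73852a
+b=FORMAT:HEX,OCTETSTRING:657510e059c61603405486c8a7550ca6530aed3c98a51763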
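Review bot: Nothing in this file says how it relates to `explicit_ec.key.der` and `explicit_ec.pub.der`, so the two binary fixtures cannot be re-derived or audited from the commit alone; presumably this config is the source of their curve parameters. A header comment should record the command that turns the config into the DER files and state that the curve is a test-only fixture, since `point_order` is about 190 bits and `cof` is 4, well below what production ECDSA keys use. The file is also absent from `EXTRA_DIST` in tests/Makefile.am, which lists only the two `.der` files, so a release tarball would ship the binaries without their parameter source.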

tests/explicit_ec.key.der

268 Bytes
Binary file not shown.

tests/explicit_ec.pub.der

245 Bytes
Binary file not shown.

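--- a/tests/setup-softhsm.sh
+++ b/tests/setup-softhsm.sh
@@ -305,6 +305,30 @@ echo "${ECPRI2URI}"
 echo "${ECCRT2URI}"
 echo ""
 
+if [ -f /etc/fedora-release ]; then
+title PARA "explicit EC unsupported on Fedora"
+else
+title PARA "generate explicit EC key pair"
+KEYID='0007'
+URIKEYID="%00%07"
+ECXCRTN="ecExplicitCert"
+
+pkcs11-tool --write-object="${TESTSSRCDIR}/explicit_ec.key.der" --type=privkey --login --pin=$PINVALUE \
+--module="$P11LIB" --label="${ECXCRTN}" --id="$KEYID"
+pkcs11-tool --write-object="${TESTSSRCDIR}/explicit_ec.pub.der" --type=pubkey --login --pin=$PINVALUE \
+--module="$P11LIB" --label="${ECXCRTN}" --id="$KEYID"
+
+ECXBASEURI="pkcs11:id=${URIKEYID}"
+ECXPUBURI="pkcs11:type=public;id=${URIKEYID}"
+ECXPRIURI="pkcs11:type=private;id=${URIKEYID}"
+
+title LINE "EXPLICIT EC PKCS11 URIS"
+echo "${ECXBASEURI}"
+echo "${ECXPUBURI}"
+echo "${ECXPRIURI}"
+echo ""
+fi
+
 title PARA "Show contents of softhsm token"
 echo " ----------------------------------------------------------------------------------------------------"
 pkcs11-tool -O --login --pin=$PINVALUE --module="$P11LIB"
@@ -372,6 +396,18 @@ export ECBASE2URIWITHPIN="${ECBASEURIWITHPIN}"
 export ECBASE2URI="${ECBASE2URI}"
 export ECPRI2URI="${ECPRI2URI}"
 export ECCRT2URI="${ECCRT2URI}"
+DBGSCRIPT
+
+if [ -n "${ECXBASEURI}" ]; then
+cat >> ${TMPPDIR}/testvars <<DBGSCRIPT
+
+export ECXBASEURI="${ECXBASEURI}"
+export ECXPUBURI="${ECXPUBURI}"
+export ECXPRIURI="${ECXPRIURI}"
+DBGSCRIPT
+fi
+
+cat >> ${TMPPDIR}/testvars <<DBGSCRIPT
 
 # for listing the separate pkcs11 calls
 #export PKCS11SPY="${PKCS11_PROVIDER_MODULE}"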
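Review bot: The skip in the first hunk keys on the presence of `/etc/fedora-release` rather than on whether the OpenSSL build in use accepts explicit EC parameters, and the same file test is repeated at the top of tests/tecxc, so the two can drift apart. Another build with explicit curves disabled would presumably still try to load the key and fail, while a Fedora host with a different libcrypto would lose the coverage without notice. Since the second hunk exports `ECXBASEURI` only when the key pair was written, tecxc could skip on `[ -z "${ECXBASEURI}" ]` instead, assuming testvars is loaded before that check, which leaves one place that decides. The new `--pin=$PINVALUE` arguments are unquoted like the surrounding lines; `--pin="$PINVALUE"` avoids word splitting if the PIN ever contains whitespace or glob characters.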

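--- a/tests/tecxc
+++ b/tests/tecxc
@@ -0,0 +1,136 @@
+#!/bin/bash -e
+# Copyright (C) 2023 Simo Sorce <[email protected]>
+# SPDX-License-Identifier: Apache-2.0
+
+# On Fedora they completely removed support for explicit EC from libcrypto,
+# so skip the test completely
+if [ -f /etc/fedora-release ]; then
+exit 0
+fi
+
+source "${TESTSSRCDIR}/helpers.sh"
+
+title PARA "Export EC Public key to a file"
+ossl 'pkey -in $ECXPUBURI -pubin -pubout -out ${TMPPDIR}/ecout.pub'
+title LINE "Print EC Public key from private"
+ossl 'pkey -in $ECXPRIURI -pubout -text' "$helper_emit"
+output="$helper_output"
+FAIL=0
+echo "$output" | grep "PKCS11 EC Public Key (190 bits)" > /dev/null 2>&1 || FAIL=1
+if [ $FAIL -eq 1 ]; then
+echo "Pkcs11 encoder function failed"
+echo
+echo "Original command output:"
+echo "$output"
+echo
+exit 1
+fi
+
+title PARA "Sign and Verify with provided Hash and EC"
+ossl 'dgst -sha256 -binary -out ${TMPPDIR}/sha256.bin ${SEEDFILE}'
+ossl '
+pkeyutl -sign -inkey "${ECXBASEURI}"
+-in ${TMPPDIR}/sha256.bin
+-out ${TMPPDIR}/sha256-ecsig.bin'
+
+ossl '
+pkeyutl -verify -inkey "${ECXBASEURI}" -pubin
+-in ${TMPPDIR}/sha256.bin
+-sigfile ${TMPPDIR}/sha256-ecsig.bin'
+
+ossl '
+pkeyutl -verify -inkey "${TMPPDIR}/ecout.pub" -pubin
+-in ${TMPPDIR}/sha256.bin
+-sigfile ${TMPPDIR}/sha256-ecsig.bin'
+
+title PARA "DigestSign and DigestVerify with ECC (SHA-256)"
+ossl '
+pkeyutl -sign -inkey "${ECXBASEURI}"
+-digest sha256
+-in ${RAND64FILE}
+-rawin
+-out ${TMPPDIR}/sha256-ecdgstsig.bin'
+ossl '
+pkeyutl -verify -inkey "${ECXBASEURI}" -pubin
+-digest sha256
+-in ${RAND64FILE}
+-rawin
+-sigfile ${TMPPDIR}/sha256-ecdgstsig.bin'
+
+title PARA "DigestSign and DigestVerify with ECC (SHA-384)"
+ossl '
+pkeyutl -sign -inkey "${ECXBASEURI}"
+-digest sha384
+-in ${RAND64FILE}
+-rawin
+-out ${TMPPDIR}/sha384-ecdgstsig.bin'
+ossl '
+pkeyutl -verify -inkey "${ECXBASEURI}" -pubin
+-digest sha384
+-in ${RAND64FILE}
+-rawin
+-sigfile ${TMPPDIR}/sha384-ecdgstsig.bin'
+
+title PARA "DigestSign and DigestVerify with ECC (SHA-512)"
+ossl '
+pkeyutl -sign -inkey "${ECXBASEURI}"
+-digest sha512
+-in ${RAND64FILE}
+-rawin
+-out ${TMPPDIR}/sha512-ecdgstsig.bin'
+ossl '
+pkeyutl -verify -inkey "${ECXBASEURI}" -pubin
+-digest sha512
+-in ${RAND64FILE}
+-rawin
+-sigfile ${TMPPDIR}/sha512-ecdgstsig.bin'
+
+title PARA "DigestSign and DigestVerify with ECC (SHA3-256)"
+ossl '
+pkeyutl -sign -inkey "${ECXBASEURI}"
+-digest sha3-256
+-in ${RAND64FILE}
+-rawin
+-out ${TMPPDIR}/sha3-256-ecdgstsig.bin'
+ossl '
+pkeyutl -verify -inkey "${ECXBASEURI}" -pubin
+-digest sha3-256
+-in ${RAND64FILE}
+-rawin
+-sigfile ${TMPPDIR}/sha3-256-ecdgstsig.bin'
+
+title PARA "DigestSign and DigestVerify with ECC (SHA3-384)"
+ossl '
+pkeyutl -sign -inkey "${ECXBASEURI}"
+-digest sha3-384
+-in ${RAND64FILE}
+-rawin
+-out ${TMPPDIR}/sha3-384-ecdgstsig.bin'
+ossl '
+pkeyutl -verify -inkey "${ECXBASEURI}" -pubin
+-digest sha3-384
+-in ${RAND64FILE}
+-rawin
+-sigfile ${TMPPDIR}/sha3-384-ecdgstsig.bin'
+
+title PARA "DigestSign and DigestVerify with ECC (SHA3-512)"
+ossl '
+pkeyutl -sign -inkey "${ECXBASEURI}"
+-digest sha3-512
+-in ${RAND64FILE}
+-rawin
+-out ${TMPPDIR}/sha3-512-ecdgstsig.bin'
+ossl '
+pkeyutl -verify -inkey "${ECXBASEURI}" -pubin
+-digest sha3-512
+-in ${RAND64FILE}
+-rawin
+-sigfile ${TMPPDIR}/sha3-512-ecdgstsig.bin'
+
+title PARA "Test CSR generation from private ECC keys"
+ossl '
+req -new -batch -key "${ECXPRIURI}" -out ${TMPPDIR}/ecdsa_csr.pem'
+ossl '
+req -in ${TMPPDIR}/ecdsa_csr.pem -verify -noout'
+
+exit 0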
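Review bot: The Fedora branch at lines 7-9 ends with `exit 0`, so on those hosts ecxc-softhsm is recorded as passed although nothing ran. If test-wrapper passes the exit status through to Automake, `exit 77` would report the test as SKIP and keep the lost coverage visible in the summary. Every `pkeyutl -verify` call in the file checks a signature that is expected to be valid; one case that verifies against altered input and expects a failure would show that verification through the provider can actually reject. The `-e` in `#!/bin/bash -e` is dropped when the script is started as `bash tecxc`, so a separate `set -e` line is the more reliable form.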
