[tests/full] Make keygen-signing test generic over algorithm

bal-e · bal-e · commit 0273ed56dd8e · 2026-01-19T13:52:20.000+01:00
At the moment, 'kmip2pkcs11' only supports RSA-SHA256 and
ECDSAP256SHA256, so those are the only ones we test.
diff --git a/tests/full.rs b/tests/full.rs
@@ -21,9 +21,12 @@ use std::{
     time::Duration,
 };
 
-use domain::crypto::{
-    ring,
-    sign::{SignRaw, Signature},
+use domain::{
+    base::iana::SecurityAlgorithm,
+    crypto::{
+        ring,
+        sign::{GenerateParams, SignRaw, Signature},
+    },
 };
 use kmip::client::pool::SyncConnPool;
 
@@ -195,29 +198,52 @@ fn main() {
     )
     .unwrap();
 
-    // Generate a new RSA-SHA256 key.
-    let key = domain_kmip::sign::generate(
-        "A-pub".into(),
-        "A-priv".into(),
-        domain::crypto::sign::GenerateParams::RsaSha256 { bits: 1024 },
-        0,
-        conn_pool,
-    )
-    .unwrap();
+    print!("test_keygen_signing(RsaSha256 {{ bits: 1024 }})...");
+    test_keygen_signing(&conn_pool, GenerateParams::RsaSha256 { bits: 1024 });
+    println!("ok");
+
+    print!("test_keygen_signing(EcdsaP256Sha256)...");
+    test_keygen_signing(&conn_pool, GenerateParams::EcdsaP256Sha256);
+    println!("ok");
+}
+
+/// Test that key generation and signing works.
+///
+/// A new key will be generated (using the given parameters) and used for
+/// signing. The public key will be retrieved and used to locally verify the
+/// signature.
+fn test_keygen_signing(pool: &SyncConnPool, key_params: GenerateParams) {
+    let algorithm = key_params.algorithm();
+
+    // Generate a new key.
+    let key =
+        domain_kmip::sign::generate("A-pub".into(), "A-priv".into(), key_params, 0, pool.clone())
+            .unwrap();
 
     // Retrive the public key, for local use.
     let dnskey = key.dnskey();
     let pubkey = ring::PublicKey::from_dnskey(&dnskey).unwrap();
 
     // Sign data with this key.
     let data = b"Hello World!";
-    let sig = match key.sign_raw(data).unwrap() {
-        Signature::RsaSha256(sig) => sig,
-        sig => {
-            panic!("Unexpected signature algorithm {:?}", sig.algorithm());
+    let sig = key.sign_raw(data).unwrap();
+    let sig = match (algorithm, &sig) {
+        (SecurityAlgorithm::RSASHA1, Signature::RsaSha1(sig)) => &**sig,
+        (SecurityAlgorithm::RSASHA1_NSEC3_SHA1, Signature::RsaSha1Nsec3Sha1(sig)) => sig,
+        (SecurityAlgorithm::RSASHA256, Signature::RsaSha256(sig)) => sig,
+        (SecurityAlgorithm::RSASHA512, Signature::RsaSha512(sig)) => sig,
+        (SecurityAlgorithm::ECDSAP256SHA256, Signature::EcdsaP256Sha256(sig)) => &**sig,
+        (SecurityAlgorithm::ECDSAP384SHA384, Signature::EcdsaP384Sha384(sig)) => &**sig,
+        (SecurityAlgorithm::ED25519, Signature::Ed25519(sig)) => &**sig,
+        (SecurityAlgorithm::ED448, Signature::Ed448(sig)) => &**sig,
+        (alg, sig) => {
+            panic!(
+                "Unexpected signature algorithm {:?}, expecting {alg:?}",
+                sig.algorithm()
+            );
         }
     };
 
     // Verify the signature.
-    pubkey.verify(data, &sig).unwrap();
+    pubkey.verify(data, sig).unwrap();
 }
