Improved provider tests

Author: olszomal

tests/Makefile.am

@@ -26,7 +26,8 @@ check_PROGRAMS = \
 	store-cert \
 	store-cert-prov \
 	dup-key \
-	dup-key-prov
+	dup-key-prov \
+	check-all-prov
 dist_check_SCRIPTS = \
 	rsa-testpkcs11.softhsm \
 	rsa-testfork.softhsm \
@@ -49,8 +50,10 @@ dist_check_SCRIPTS = \
 	provider-rsa-pss-sign.softhsm \
 	provider-rsa-oaep.softhsm \
 	provider-rsa-check-privkey.softhsm \
+	provider-rsa-check-all.softhsm \
 	provider-ec-evp-sign.softhsm \
 	provider-ec-check-privkey.softhsm \
+	provider-ec-check-all.softhsm \
 	provider-ec-cert-store.softhsm \
 	provider-ec-copy.softhsm \
 	provider-fork-change-slot.softhsm \
@@ -68,6 +71,7 @@ check_privkey_prov_SOURCES = check-privkey-prov.c helpers_prov.c
 rsa_pss_sign_prov_SOURCES = rsa-pss-sign-prov.c helpers_prov.c
 rsa_oaep_prov_SOURCES = rsa-oaep-prov.c helpers_prov.c
 store_cert_prov_SOURCES = store-cert-prov.c helpers_prov.c
+check_all_prov_SOURCES = check-all-prov.c helpers_prov.c
 
 TESTS = $(dist_check_SCRIPTS)
 

tests/check-all-prov.c

@@ -0,0 +1,96 @@
+/*
+ * Copyright © 2025 Mobi - Com Polska Sp. z o.o.
+ * Author: Małgorzata Olszówka <[email protected]>
+ * All rights reserved.
+ *
+ * PKCS#11 provider test
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "helpers_prov.h"
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+
+int main(int argc, char *argv[])
+{
+	OBJ_SET *obj_set;
+	int ret = EXIT_FAILURE;
+
+	if (argc < 1) {
+		fprintf(stderr, "usage: %s [object URL]\n", argv[0]);
+		return ret;
+	}
+
+	obj_set = OPENSSL_zalloc(sizeof(OBJ_SET));
+	if (!obj_set)
+		return ret;
+
+	/* Load pkcs11prov and default providers */
+        if (!providers_load()) {
+		display_openssl_errors();
+		return ret;
+        }
+
+	/* Load private key, public key and certificate */
+	load_objects(argv[1], NULL, obj_set);
+
+	if (!obj_set->private_key) {
+		printf("Cannot load private key: %s\n", argv[1]);
+		goto cleanup;
+	}
+	if (!obj_set->public_key) {
+		printf("Cannot load public key: %s\n", argv[1]);
+		goto cleanup;
+	}
+	if (!obj_set->cert) {
+		printf("Cannot load certificate: %s\n", argv[1]);
+		goto cleanup;
+	}
+	ret = X509_check_private_key(obj_set->cert, obj_set->private_key);
+	if (!ret) {
+		printf("Could not check private key.\n");
+		display_openssl_errors();
+		goto cleanup;
+	}
+	printf("Key and certificate matched.\n");
+	ret = EXIT_SUCCESS;
+
+cleanup:
+	EVP_PKEY_free(obj_set->private_key);
+	EVP_PKEY_free(obj_set->public_key);
+	X509_free(obj_set->cert);
+	OPENSSL_free(obj_set);
+	providers_cleanup();
+	printf("\n");
+	return ret;
+}
+
+#else
+
+int main() {
+	return 0;
+}
+
+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+
+/* vim: set noexpandtab: */

tests/check-privkey-prov.c

@@ -38,7 +38,7 @@ int main(int argc, char *argv[])
 	int ret = EXIT_FAILURE;
 
 	if (argc < 2) {
-		fprintf(stderr, "usage: %s [certificate (PEM or URL)] [private key URL]n", argv[0]);
+		fprintf(stderr, "usage: %s [certificate (PEM or URL)] [private key URL]\n", argv[0]);
 		return ret;
 	}
 

tests/helpers_prov.c

@@ -49,6 +49,40 @@ void display_openssl_errors(void)
 	}
 }
 
+ /* store_type == 0 means here multiple types of credentials are to be loaded */
+void load_objects(const char *uri, const UI_METHOD *ui_method, OBJ_SET *obj_set) {
+    OSSL_STORE_CTX *store_ctx;
+    int type;
+
+    store_ctx = OSSL_STORE_open(uri, ui_method, NULL, NULL, NULL);
+    if (!store_ctx)
+        return; /* FAILED */
+
+    while (!OSSL_STORE_eof(store_ctx)) {
+        OSSL_STORE_INFO *object = OSSL_STORE_load(store_ctx);
+
+        if (!object)
+            continue;
+
+        type = OSSL_STORE_INFO_get_type(object);
+        switch (type) {
+        case OSSL_STORE_INFO_PKEY:
+            obj_set->private_key = OSSL_STORE_INFO_get1_PKEY(object);
+            break;
+        case OSSL_STORE_INFO_PUBKEY:
+            obj_set->public_key = OSSL_STORE_INFO_get1_PUBKEY(object);
+            break;
+        case OSSL_STORE_INFO_CERT:
+            obj_set->cert = OSSL_STORE_INFO_get1_CERT(object);
+            break;
+        default:
+            break; /* skip any other type */
+        }
+        OSSL_STORE_INFO_free(object);
+    }
+    OSSL_STORE_close(store_ctx);
+}
+
 EVP_PKEY *load_pkey(const char *uri, const UI_METHOD *ui_method)
 {
 	EVP_PKEY *pkey = NULL;

tests/helpers_prov.h

@@ -38,7 +38,14 @@
 #include <openssl/provider.h>
 #include <openssl/ui.h>
 
+typedef struct {
+	EVP_PKEY *private_key;
+	EVP_PKEY *public_key;
+	X509 *cert;
+} OBJ_SET;
+
 void display_openssl_errors(void);
+void load_objects(const char *uri, const UI_METHOD *ui_method, OBJ_SET *set);
 EVP_PKEY *load_pkey(const char *uri, const UI_METHOD *ui_method);
 EVP_PKEY *load_pubkey(const char *uri);
 X509 *load_cert(const char *uri);

tests/provider-ec-check-all.softhsm

@@ -0,0 +1,57 @@
+#!/bin/bash
+
+# Copyright © 2025 Mobi - Com Polska Sp. z o.o.
+# Author: Małgorzata Olszówka <[email protected]>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>
+
+outdir="output.$$"
+
+# Load common test functions
+. ${srcdir}/common.sh
+
+URL="pkcs11:token=libp11-0;id=%01%02%03%04;object=server-key-0;pin-value=${PIN}"
+
+if [[ "${OPENSSL_VERSION}" =~ ^[012].* ]]; then
+	echo "Skipping test with OpenSSL ${OPENSSL_VERSION}"
+	exit 77
+fi
+
+# Do the token initialization
+init_token "ec" "1" "libp11" ${ID} "server-key" "privkey" "pubkey" "cert"
+
+# Ensure the use of the locally built provider; applies after running 'pkcs11-tool'
+unset OPENSSL_ENGINES
+export OPENSSL_MODULES="../src/.libs/"
+export PKCS11_MODULE_PATH=${MODULE}
+echo "OPENSSL_MODULES=${OPENSSL_MODULES}"
+echo "PKCS11_MODULE_PATH=${PKCS11_MODULE_PATH}"
+
+# Load openssl settings
+TEMP_LD_LIBRARY_PATH=${LD_LIBRARY_PATH}
+. ${srcdir}/openssl-settings.sh
+
+# Run the test
+${WRAPPER} ./check-all-prov ${URL}
+if [[ $? -ne 0 ]]; then
+	echo "Provider get all objects test failed."
+	exit 1
+fi
+
+# Restore settings
+export LD_LIBRARY_PATH=${TEMP_LD_LIBRARY_PATH}
+
+rm -rf "$outdir"
+
+exit 0

tests/provider-rsa-check-all.softhsm

@@ -0,0 +1,57 @@
+#!/bin/bash
+
+# Copyright © 2025 Mobi - Com Polska Sp. z o.o.
+# Author: Małgorzata Olszówka <[email protected]>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>
+
+outdir="output.$$"
+
+# Load common test functions
+. ${srcdir}/common.sh
+
+URL="pkcs11:token=libp11-0;id=%01%02%03%04;object=server-key-0;pin-value=${PIN}"
+
+if [[ "${OPENSSL_VERSION}" =~ ^[012].* ]]; then
+	echo "Skipping test with OpenSSL ${OPENSSL_VERSION}"
+	exit 77
+fi
+
+# Do the token initialization
+init_token "rsa" "1" "libp11" ${ID} "server-key" "privkey" "pubkey" "cert"
+
+# Ensure the use of the locally built provider; applies after running 'pkcs11-tool'
+unset OPENSSL_ENGINES
+export OPENSSL_MODULES="../src/.libs/"
+export PKCS11_MODULE_PATH=${MODULE}
+echo "OPENSSL_MODULES=${OPENSSL_MODULES}"
+echo "PKCS11_MODULE_PATH=${PKCS11_MODULE_PATH}"
+
+# Load openssl settings
+TEMP_LD_LIBRARY_PATH=${LD_LIBRARY_PATH}
+. ${srcdir}/openssl-settings.sh
+
+# Run the test
+${WRAPPER} ./check-all-prov ${URL}
+if [[ $? -ne 0 ]]; then
+	echo "Provider get all objects test failed."
+	exit 1
+fi
+
+# Restore settings
+export LD_LIBRARY_PATH=${TEMP_LD_LIBRARY_PATH}
+
+rm -rf "$outdir"
+
+exit 0