libp11 PKCS#11 provider tests

Author: olszomal

tests/Makefile.am

@@ -15,10 +15,12 @@ check_PROGRAMS = \
 	fork-change-slot \
 	list-tokens \
 	rsa-pss-sign \
+	rsa-pss-sign-prov \
 	rsa-oaep \
 	check-privkey \
 	store-cert \
-	dup-key
+	dup-key \
+	dup-key-prov
 dist_check_SCRIPTS = \
 	rsa-testpkcs11.softhsm \
 	rsa-testfork.softhsm \
@@ -36,7 +38,11 @@ dist_check_SCRIPTS = \
 	fork-change-slot.softhsm \
 	case-insensitive.softhsm \
 	pkcs11-uri-without-token.softhsm \
-	search-all-matching-tokens.softhsm
+	search-all-matching-tokens.softhsm \
+	provider-pkey-copy.softhsm \
+	provider-rsa-pss-sign.softhsm \
+	provider-pkcs11-uri-without-token.softhsm \
+	provider-search-all-matching-tokens.softhsm
 dist_check_DATA = \
 	rsa-cert.der rsa-privkey.der rsa-pubkey.der \
 	ec-cert.der ec-privkey.der ec-pubkey.der

tests/dup-key-prov.c

@@ -0,0 +1,185 @@
+/*
+ * Copyright © 2025 Mobi - Com Polska Sp. z o.o.
+ * Author: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <openssl/opensslv.h>
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/err.h>
+#include <openssl/store.h>
+#include <openssl/provider.h>
+#include <openssl/ui.h>
+
+DEFINE_STACK_OF(OSSL_PROVIDER)
+static STACK_OF(OSSL_PROVIDER) *providers;
+
+static void display_openssl_errors(void) {
+	unsigned long e;
+	const char *file = NULL, *func = NULL, *reason = NULL;
+	int line = 0, flags = 0;
+	char err_buf[256];
+
+	while ((e = ERR_get_error_all(&file, &line, &func, &reason, &flags))) {
+		ERR_error_string_n(e, err_buf, sizeof(err_buf));
+		fprintf(stderr, "%s:%d: %s: %s: %s\n", file ? file : "unknown file",
+			line, func ? func : "unknown function",
+			err_buf, reason ? reason : "unknown reason");
+	}
+}
+
+static EVP_PKEY *load_pkey(const char *uri)
+{
+	EVP_PKEY *pkey = NULL;
+	OSSL_STORE_INFO *info;
+	OSSL_STORE_CTX *store_ctx;
+
+	store_ctx = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL);
+	if (!store_ctx) {
+		return NULL;
+	}
+	if (!OSSL_STORE_expect(store_ctx, OSSL_STORE_INFO_PKEY)) {
+		OSSL_STORE_close(store_ctx);
+		return NULL;
+	}
+	info = OSSL_STORE_load(store_ctx);
+	if (info == NULL) {
+		OSSL_STORE_close(store_ctx);
+		return NULL;
+	}
+	if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) {
+		pkey = OSSL_STORE_INFO_get1_PKEY(info);
+	}
+	OSSL_STORE_INFO_free(info);
+	OSSL_STORE_close(store_ctx);
+	return pkey;
+}
+
+static void provider_free(OSSL_PROVIDER *prov)
+{
+        printf("Provider \"%s\" unloaded.\n", OSSL_PROVIDER_get0_name(prov));
+        OSSL_PROVIDER_unload(prov);
+}
+
+static void providers_cleanup(void)
+{
+        sk_OSSL_PROVIDER_pop_free(providers, provider_free);
+        providers = NULL;
+}
+
+static int provider_load(const char *pname)
+{
+        OSSL_PROVIDER *prov = OSSL_PROVIDER_load(NULL, pname);
+        if (prov == NULL) {
+                fprintf(stderr, "Unable to load provider: %s\n", pname);
+                return 0; /* FAILED */
+        }
+        if (providers == NULL) {
+                providers = sk_OSSL_PROVIDER_new_null();
+        }
+        if (providers == NULL || !sk_OSSL_PROVIDER_push(providers, prov)) {
+                providers_cleanup();
+                return 0; /* FAILED */
+        }
+        printf("Provider \"%s\" set.\n", OSSL_PROVIDER_get0_name(prov));
+        return 1; /* OK */
+}
+
+int main(int argc, char *argv[])
+{
+	EVP_PKEY *private_key = NULL;
+	EVP_PKEY *private_key_dup = NULL;
+	int ret = EXIT_FAILURE;
+
+	if (argc < 1) {
+		fprintf(stderr, "Usage: %s [private key URL]\n", argv[0]);
+		return ret;
+	}
+
+	/* Load PKCS#11 provider */
+        if (!OSSL_PROVIDER_available(NULL, "pkcs11prov")) {
+		if (!provider_load("pkcs11prov")) {
+			fprintf(stderr, "Failed to load \"pkcs11prov\" provider\n");
+			display_openssl_errors();
+			goto cleanup;
+		}
+		/* load the default provider explicitly */
+		if (!provider_load("default")) {
+			fprintf(stderr, "Failed to load \"default\" provider\n");
+			display_openssl_errors();
+			goto cleanup;
+		}
+	}
+
+	/* Load private key */
+	private_key = load_pkey(argv[1]);
+	if (!private_key) {
+		fprintf(stderr, "Cannot load private key: %s\n", argv[1]);
+		display_openssl_errors();
+		goto cleanup;
+	}
+	printf("Private key found.\n");
+
+	private_key_dup = EVP_PKEY_dup(private_key);
+	if (!private_key_dup) {
+		fprintf(stderr, "Cannot duplicate private key\n");
+		display_openssl_errors();
+		goto cleanup;
+	}	
+	printf("Duplicate private key created.\n");
+
+	EVP_PKEY_free(private_key_dup);
+	EVP_PKEY_free(private_key);
+
+	/* Do it one more time */
+	private_key = load_pkey(argv[1]);
+	if (!private_key) {
+		fprintf(stderr, "Cannot load private key: %s\n", argv[1]);
+		display_openssl_errors();
+		goto cleanup;
+	}
+	printf("Private key found.\n");
+
+	ret = EXIT_SUCCESS;
+cleanup:
+	EVP_PKEY_free(private_key);
+	providers_cleanup();
+
+	return ret;
+}
+
+#else
+
+int main() {
+	return EXIT_SUCCESS;
+}
+
+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+

tests/openssl.cnf

@@ -29,7 +29,7 @@ module = /usr/lib64/ossl-modules/pkcs11prov.so
 pkcs11_module = /usr/lib64/opensc-pkcs11.so
 
 # set the debug level
-debug_level = 5
+debug_level = 7
 
 # force login to the PKCS#11 module
 #force_login = 1

tests/provider-ec-copy.softhsm

@@ -0,0 +1,57 @@
+#!/bin/bash
+
+# Copyright © 2025 Mobi - Com Polska Sp. z o.o.
+# Author: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>
+
+outdir="output.$$"
+
+PRIVATE_KEY="pkcs11:token=libp11-0;id=%01%02%03%04;object=server-key-0;type=private;pin-value=1234"
+
+# Load common test functions
+. ${srcdir}/common.sh
+
+if [[ "${OPENSSL_VERSION}" =~ ^[012].* ]]; then
+	echo "Skipping test with OpenSSL ${OPENSSL_VERSION}"
+	exit 77
+fi
+
+# Do the token initialization
+init_token "ec" "1" "libp11" ${ID} "server-key" "privkey" "" ""
+
+# Ensure the use of the locally built provider; applies after running 'pkcs11-tool'
+unset OPENSSL_ENGINES
+export OPENSSL_MODULES="../src/.libs/"
+export PKCS11_MODULE_PATH=${MODULE}
+echo "OPENSSL_MODULES=${OPENSSL_MODULES}"
+echo "PKCS11_MODULE_PATH=${PKCS11_MODULE_PATH}"
+
+# Load openssl settings
+TEMP_LD_LIBRARY_PATH=${LD_LIBRARY_PATH}
+. ${srcdir}/openssl-settings.sh
+
+# Run the test
+${WRAPPER} ./dup-key-prov ${PRIVATE_KEY}
+if [[ $? -ne 0 ]]; then
+	echo "Could not duplicate private key"
+	exit 1
+fi
+
+# Restore settings
+export LD_LIBRARY_PATH=${TEMP_LD_LIBRARY_PATH}
+
+rm -rf "$outdir"
+
+exit 0

tests/provider-pkcs11-uri-without-token.softhsm

@@ -0,0 +1,87 @@
+#!/bin/bash
+
+# Copyright © 2024 Mobi - Com Polska Sp. z o.o.
+# Author: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>
+
+# This test checks if it is possible to use the keys without specifying the
+# token if there is only one initialized token available.
+
+outdir="output.$$"
+
+# These URIs don't contain the token specification
+PRIVATE_KEY="pkcs11:object=server-key-0;type=private;pin-value=1234"
+PUBLIC_KEY="pkcs11:object=server-key-0;type=public"
+CERTIFICATE="pkcs11:object=server-key-0;type=cert"
+
+# Load common test functions
+. ${srcdir}/common.sh
+
+if [[ "${OPENSSL_VERSION}" =~ ^[012].* ]]; then
+	echo "Skipping test with OpenSSL ${OPENSSL_VERSION}"
+	exit 77
+fi
+
+# Do the token initialization
+init_token "rsa" "1" "libp11" ${ID} "server-key" "privkey" "pubkey" "cert"
+
+# Ensure the use of the locally built provider; applies after running 'pkcs11-tool'
+unset OPENSSL_ENGINES
+export OPENSSL_MODULES="../src/.libs/"
+export PKCS11_MODULE_PATH=${MODULE}
+echo "OPENSSL_MODULES=${OPENSSL_MODULES}"
+echo "PKCS11_MODULE_PATH=${PKCS11_MODULE_PATH}"
+
+# Create input file
+echo "secret" >"${outdir}/in.txt"
+
+# Load openssl settings
+TEMP_LD_LIBRARY_PATH=${LD_LIBRARY_PATH}
+. ${srcdir}/openssl-settings.sh
+
+# Run the test
+# Generate signature without specifying the token in the PKCS#11 URI
+${WRAPPER} ${OPENSSL} pkeyutl -provider pkcs11prov -provider default \
+	-inkey ${PRIVATE_KEY} -sign -out "${outdir}/signature.bin" \
+	-in "${outdir}/in.txt"
+if [[ $? -ne 0 ]]; then
+	echo "Failed to generate signature using PKCS#11 URI ${PRIVATE_KEY}"
+	exit 1
+fi
+
+# Verify the signature using the public without specifying the token
+${OPENSSL} pkeyutl -provider pkcs11prov -provider default -pubin \
+	-inkey ${PUBLIC_KEY} -verify -sigfile "${outdir}/signature.bin" \
+	-in "${outdir}/in.txt"
+if [[ $? -ne 0 ]]; then
+	echo "Failed to verify signature using PKCS#11 URI ${PUBLIC_KEY}"
+	exit 1
+fi
+
+# Verify the signature using a certificate without specifying the token
+${OPENSSL} pkeyutl -provider pkcs11prov -provider default -certin \
+	-inkey ${PUBLIC_KEY} -verify -sigfile "${outdir}/signature.bin" \
+	-in "${outdir}/in.txt"
+if [[ $? -ne 0 ]]; then
+	echo "Failed to verify signature using PKCS#11 URI ${PUBLIC_KEY}"
+	exit 1
+fi
+
+# Restore settings
+export LD_LIBRARY_PATH=${TEMP_LD_LIBRARY_PATH}
+
+rm -rf "$outdir"
+
+exit 0