tests: use optional propquery for pkcs11prov to allow decoder fallback

olszomal · olszomal · commit c882db378f05 · 2026-03-31T14:57:31.000+02:00
diff --git a/tests/check-all-prov.c b/tests/check-all-prov.c
@@ -51,8 +51,13 @@ int main(int argc, char *argv[])
 		return ret;
 	}
 
-	/* Load private key, public key and certificate */
-	load_objects(argv[1], "provider=pkcs11prov", NULL, obj_set);
+	/*
+	 * Load private key, public key and certificate.
+	 * Use "?provider=pkcs11prov" to prefer pkcs11prov but allow fallback to default.
+	 * This enables default provider decoders (e.g. for SubjectPublicKeyInfo (SPKI))
+	 * to construct EVP_PKEY from X509 when pkcs11prov does not implement them.
+	 */
+	load_objects(argv[1], "?provider=pkcs11prov", NULL, obj_set);
 
 	if (!obj_set->private_key) {
 		printf("Cannot load private key: %s\n", argv[1]);
diff --git a/tests/provider-pkcs11-uri-without-token.softhsm b/tests/provider-pkcs11-uri-without-token.softhsm
@@ -67,6 +67,7 @@ fi
 
 # Verify the signature using the public without specifying the token
 ${OPENSSL} pkeyutl -provider pkcs11prov -provider default -pubin \
+	-propquery "provider=pkcs11prov" \
 	-inkey ${PUBLIC_KEY} -verify -sigfile "${outdir}/signature.bin" \
 	-in "${outdir}/in.txt"
 if [[ $? -ne 0 ]]; then
@@ -75,7 +76,12 @@ if [[ $? -ne 0 ]]; then
 fi
 
 # Verify the signature using a certificate without specifying the token
+#
+# Use "?provider=pkcs11prov" to prefer pkcs11prov but allow fallback to default.
+# This enables default provider decoders (e.g. for SubjectPublicKeyInfo (SPKI))
+# to construct EVP_PKEY from X509 when pkcs11prov does not implement them.
 ${OPENSSL} pkeyutl -provider pkcs11prov -provider default -certin \
+	-propquery "?provider=pkcs11prov" \
 	-inkey ${PUBLIC_KEY} -verify -sigfile "${outdir}/signature.bin" \
 	-in "${outdir}/in.txt"
 if [[ $? -ne 0 ]]; then
@@ -88,6 +94,7 @@ ${OPENSSL} dgst -sha256 -binary -out "${outdir}/hash.bin" "${outdir}/in.txt"
 
 # Sign the SHA-256 digest with an RSA key using RSA-PSS (raw input)
 ${OPENSSL} pkeyutl -provider pkcs11prov -provider default \
+	-propquery "provider=pkcs11prov" \
 	-inkey ${PRIVATE_KEY} -sign -rawin -pkeyopt rsa_padding_mode:pss \
 	-out "${outdir}/signature.bin" -in "${outdir}/hash.bin"
 
