Add simlified storepubkey test

bukka · bukka · commit b31dd82b8e13 · 2026-03-14T20:35:01.000+01:00
diff --git a/tests/meson.build b/tests/meson.build
@@ -112,6 +112,7 @@ test_programs = {
   'tcmpkeys': ['tcmpkeys.c', 'util.c'],
   'tfork': ['tfork.c', 'util.c'],
   'trefresh': ['trefresh.c', 'util.c'],
+  'tstorepubkey': ['tstorepubkey.c', 'util.c'],
   'tpkey': ['tpkey.c', 'util.c'],
   'pincache': ['pincache.c'],
   'ccerts': ['ccerts.c', 'util.c'],
diff --git a/tests/tdefaultslot b/tests/tdefaultslot
@@ -22,6 +22,7 @@ pkeyutl -sign -inkey "${PRIURI2}"
 
 env
 
-echo $CHECKER "${TESTBLDDIR}/trefresh" "${PRIURI2}" "${PUBURI2}" ${SEEDFILE} "${TMPPDIR}/sha256-sig.bin"
+# echo $CHECKER "${TESTBLDDIR}/trefresh" "${PRIURI2}" "${PUBURI2}" ${SEEDFILE} "${TMPPDIR}/sha256-sig.bin"
+echo $CHECKER "${TESTBLDDIR}/tstorepubkey" "${PRIURI2}" "${PUBURI2}" ${SEEDFILE} "${TMPPDIR}/sha256-sig.bin"
 
 export OPENSSL_CONF=${ORIG_OPENSSL_CONF}
diff --git a/tests/tstorepubkey.c b/tests/tstorepubkey.c
@@ -0,0 +1,153 @@
+/* Copyright (C) 2025 Jakub Zelenka <jakub.openssl@gmail.com>
+   SPDX-License-Identifier: Apache-2.0 */
+
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/store.h>
+#include <sys/wait.h>
+#include <stdio.h>
+#include "util.h"
+
+static unsigned char *read_file(const char *filename, size_t *len) {
+    FILE *fp = fopen(filename, "rb");
+    if (!fp) {
+        PRINTERR("Failed to open file: %s\n", filename);
+        return NULL;
+    }
+
+    fseek(fp, 0, SEEK_END);
+    *len = ftell(fp);
+    fseek(fp, 0, SEEK_SET);
+
+    unsigned char *data = malloc(*len);
+    if (!data) {
+        PRINTERR("Failed to allocate memory for file\n");
+        fclose(fp);
+        return NULL;
+    }
+
+    if (fread(data, 1, *len, fp) != *len) {
+        PRINTERR("Failed to read file\n");
+        free(data);
+        fclose(fp);
+        return NULL;
+    }
+
+    fclose(fp);
+    return data;
+}
+
+static void verify_op(EVP_PKEY *key, const char *input_file,
+                      const unsigned char *sig, size_t sig_len,
+                      pid_t pid, const char *stage) {
+    EVP_MD_CTX *mdctx = NULL;
+    unsigned char *input_data = NULL;
+    size_t input_len;
+    int ret;
+
+    input_data = read_file(input_file, &input_len);
+    if (!input_data) {
+        PRINTERR("Failed to read input file (pid = %d, stage = %s)\n", pid,
+                 stage);
+        exit(EXIT_FAILURE);
+    }
+
+    mdctx = EVP_MD_CTX_new();
+    if (!mdctx) {
+        PRINTERR("Failed to create MD_CTX (pid = %d, stage = %s)\n", pid,
+                 stage);
+        free(input_data);
+        exit(EXIT_FAILURE);
+    }
+
+    ret = EVP_DigestVerifyInit_ex(mdctx, NULL, "sha256", NULL,
+                                  "provider=pkcs11", key, NULL);
+    if (ret != 1) {
+        PRINTERROSSL("Failed to init digest verify (pid = %d, stage = %s)\n",
+                     pid, stage);
+        EVP_MD_CTX_free(mdctx);
+        free(input_data);
+        exit(EXIT_FAILURE);
+    }
+
+    ret = EVP_DigestVerifyUpdate(mdctx, input_data, input_len);
+    if (ret != 1) {
+        PRINTERROSSL("Failed to update digest verify (pid = %d, stage = %s)\n",
+                     pid, stage);
+        EVP_MD_CTX_free(mdctx);
+        free(input_data);
+        exit(EXIT_FAILURE);
+    }
+
+    ret = EVP_DigestVerifyFinal(mdctx, sig, sig_len);
+    if (ret != 1) {
+        PRINTERROSSL("Failed to verify signature (pid = %d, stage = %s)\n",
+                     pid, stage);
+        EVP_MD_CTX_free(mdctx);
+        free(input_data);
+        exit(EXIT_FAILURE);
+    }
+
+    EVP_MD_CTX_free(mdctx);
+    free(input_data);
+}
+
+int main(int argc, char *argv[]) {
+    EVP_PKEY *pubkey, *pubkey_main, *privkey;
+    unsigned char *sig;
+    size_t sig_len;
+    pid_t pid = 0;
+    int status;
+
+    if (argc != 5) {
+        fprintf(stderr, "Usage: %s <privkey_uri> <pubkey_uri> <input_file> <signature_file>\n", argv[0]);
+        exit(EXIT_FAILURE);
+    }
+
+    const char *privkey_uri = argv[1];
+    const char *pubkey_uri = argv[2];
+    const char *input_file = argv[3];
+    const char *sig_file = argv[4];
+
+    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+
+    sig = read_file(sig_file, &sig_len);
+    if (!sig) {
+        exit(EXIT_FAILURE);
+    }
+
+    privkey = load_key(privkey_uri);
+    if (!privkey) {
+        free(sig);
+        exit(EXIT_FAILURE);
+    }
+
+    pubkey_main = load_key_ex(pubkey_uri, "provider=pkcs11");
+    if (!pubkey_main) {
+        EVP_PKEY_free(privkey);
+        free(sig);
+        exit(EXIT_FAILURE);
+    }
+
+    /* Duplication to do import */
+    pubkey = EVP_PKEY_dup(pubkey_main);
+    EVP_PKEY_free(pubkey_main);
+    if (!pubkey) {
+        EVP_PKEY_free(privkey);
+        free(sig);
+        exit(EXIT_FAILURE);
+    }
+
+    /* verify and pub encrypt in child as refresh after for happens there */
+    verify_op(pubkey, input_file, sig, sig_len, pid, "post-fork");
+    EVP_PKEY_free(privkey);
+    EVP_PKEY_free(pubkey);
+
+    free(sig);
+
+    exit(EXIT_SUCCESS);
+}
