Update command line tests for WPFF

Author: padelsbach

scripts/cmd_test/cmd-test-common.sh

@@ -17,6 +17,8 @@
 # You should have received a copy of the GNU General Public License
 # along with wolfProvider. If not, see <http://www.gnu.org/licenses/>.
 
+OPENSSL_BIN=${OPENSSL_BIN:-openssl}
+
 cmd_test_env_setup() {
     local log_file_name=$1
     SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
@@ -48,35 +50,52 @@ cmd_test_env_setup() {
     echo "OPENSSL_BIN: ${OPENSSL_BIN}"
 }
 
+# Check if default provider is in use
+# Note that this may be wolfProvider if built as replace-default
+is_default_provider() {
+    return $($OPENSSL_BIN list -providers | grep -qi "default")
+}
+
 # Function to use default provider only
 use_default_provider() {
     unset OPENSSL_MODULES
     unset OPENSSL_CONF
 
     # Verify that we are using the default provider
-    if ${OPENSSL_BIN} list -providers | grep -q "wolfprov"; then
-        echo "FAIL: unable to switch to default provider, wolfProvider is still active"
+    if ! is_default_provider; then
+        echo "FAIL: unable to switch to default provider"
+        openssl list -providers
         exit 1
     fi
     echo "Switched to default provider"
 }
 
+is_wolf_provider() {
+    return $($OPENSSL_BIN list -providers | grep -qi "wolfSSL Provider")
+}
+
 # Function to use wolf provider only
 use_wolf_provider() {
     export OPENSSL_MODULES=$WOLFPROV_PATH
     export OPENSSL_CONF=${WOLFPROV_CONFIG}
 
     # Verify that we are using wolfProvider
-    if ! ${OPENSSL_BIN} list -providers | grep -q "wolfprov"; then
-        echo "FAIL: unable to switch to wolfProvider, default provider is still active"
+    if ! is_wolf_provider; then
+        echo "FAIL: unable to switch to wolfProvider"
         exit 1
     fi
     echo "Switched to wolfProvider"
 }
 
+is_replace_default() {
+    return $($OPENSSL_BIN list -providers | grep -qi "wolfSSL Provider")
+}
+
 # Helper function to handle force fail checks
 check_force_fail() {
-    if [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then
+    if is_default_provider && ! is_replace_default; then
+        echo "OPENSSL Default provider active, no forced failures expected."
+    elif [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then
         echo "[PASS] Test passed when force fail was enabled"
         FORCE_FAIL_PASSED=1
     fi

scripts/cmd_test/ecc-cmd-test.sh

@@ -117,6 +117,18 @@ test_sign_verify_pkeyutl() {
     local data_file="ecc_outputs/test_data.txt"
 
     echo -e "\n=== Testing ECC (${curve}) Sign/Verify with pkeyutl Using ${provider_name} ==="
+
+    if [ ! -f "$key_file" ] || [ ! -f "$pub_key_file" ]; then
+        echo "[FAIL] Key files for ECC (${curve}) not found, cannot run sign/verify tests"
+        FAIL=1
+        exit 1
+    fi
+
+    if [ ! -f "$data_file" ]; then
+        echo "[FAIL] Test data file not found, cannot run sign/verify tests"
+        FAIL=1
+        exit 1
+    fi
 
     # Test 1: Sign and verify with OpenSSL default
     use_default_provider
@@ -193,6 +205,12 @@ generate_and_test_key() {
     provider_name=$(get_provider_name "$provider_args")
 
     echo -e "\n=== Testing ECC Key Generation (${curve}) with ${provider_name} ==="
+
+    if [ -f "$output_file" ]; then
+        echo "ECC key file $output_file already exists, removing it."
+        rm -f "$output_file"
+    fi
+
     echo "Generating ECC key (${curve})..."
 
     if $OPENSSL_BIN genpkey -algorithm EC \
@@ -239,6 +257,14 @@ for curve in "${CURVES[@]}"; do
         # Generate key with current provider
         generate_and_test_key "$curve" "$test_provider"
 
+        # If WPFF is set, we need to run again to actually create the 
+        # key files
+        if [ $WOLFPROV_FORCE_FAIL -ne 0 ]; then
+            WOLFPROV_FORCE_FAIL=0
+            generate_and_test_key "$curve" "$test_provider"
+            WOLFPROV_FORCE_FAIL=1
+        fi
+
         # Test sign/verify interoperability
         test_sign_verify_pkeyutl "$curve" "$test_provider"
     done

scripts/cmd_test/req-cmd-test.sh

@@ -35,6 +35,16 @@ test_cert_creation() {
     local cert_file="req_outputs/cert_${curve}_${hash_alg}_${req_provider_name//lib/}.pem"
 
     echo -e "\n=== Testing Certificate Creation (${curve}/${hash_alg}) - req with ${req_provider_name} ==="
+
+    if [ -f "$key_file" ]; then
+        echo "Key file $key_file already exists, removing it."
+        rm -f "$key_file"
+    fi
+
+    if [ -f "$cert_file" ]; then
+        echo "Certificate file $cert_file already exists, removing it."
+        rm -f "$cert_file"
+    fi
 
     # Generate EC key with default provider
     echo "Generating EC key with curve ${curve} using default provider..."

scripts/cmd_test/rsa-cmd-test.sh

@@ -37,23 +37,8 @@ KEY_TYPES=("RSA" "RSA-PSS")
 KEY_SIZES=("2048" "3072" "4096")
 PROVIDER_ARGS=("-provider-path $WOLFPROV_PATH -provider libwolfprov" "-provider default")
 
-OPENSSL_BIN=${OPENSSL_BIN:-openssl}
-
 echo "=== Running RSA Key Generation Tests ==="
 
-rsa_check_force_fail() {
-    local openssl_providers=$($OPENSSL_BIN list -providers)
-    is_openssl_default_provider=$(echo "$openssl_providers" | grep -qi "OpenSSL Default Provider" && echo 1 || echo 0)
-    if [ $is_openssl_default_provider -eq 1 ]; then
-        # With the OpenSSL provider, don't expect failures
-        echo "OPENSSL Default provider active, no forced failures expected."
-    elif [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then
-        echo "[PASS] Test passed when force fail was enabled"
-        FORCE_FAIL_PASSED=1
-        exit 1
-    fi
-}
-
 # Function to validate key
 validate_key() {
     local key_type=$1
@@ -76,15 +61,15 @@ validate_key() {
         return
     else
         echo "[PASS] ${key_type} key file exists and has content"
-        rsa_check_force_fail
+        check_force_fail
     fi
 
     # Only try to extract public key if file exists and has content
     local pub_key_file="rsa_outputs/${key_type}_${key_size}_pub.pem"
     if $OPENSSL_BIN pkey -in "$key_file" -pubout -out "$pub_key_file" \
         ${provider_args} -passin pass: >/dev/null; then
         echo "[PASS] ${key_type} Public key extraction successful"
-        rsa_check_force_fail
+        check_force_fail
     else
         echo "[FAIL] ${key_type} Public key extraction failed"
         FAIL=1
@@ -169,6 +154,8 @@ test_sign_verify_pkeyutl() {
 
     # Get the provider name
     provider_name=$(get_provider_name "$provider_args")
+
+    echo -e "\n=== Testing ${key_type} (${key_size}) Sign/Verify with pkeyutl Using ${provider_name} ==="
 
     # Handle different key naming conventions
     local key_prefix="${key_type}"
@@ -192,18 +179,16 @@ test_sign_verify_pkeyutl() {
         exit 1
     fi
 
-    echo -e "\n=== Testing ${key_type} (${key_size}) Sign/Verify with pkeyutl Using ${provider_name} ==="
-    
     # Test 1: Sign and verify with OpenSSL default
     use_default_provider
     echo "Test 1: Sign and verify with OpenSSL default (${key_type})"
     local default_sig_file="rsa_outputs/${key_prefix}_${key_size}_default_sig.bin"
     if $sign_func "$key_file" "$data_file" "$default_sig_file" "$provider_args"; then
         echo "[PASS] Signing with OpenSSL default successful"
-        rsa_check_force_fail
+        check_force_fail
         if $verify_func "$pub_key_file" "$data_file" "$default_sig_file" "$provider_args"; then
             echo "[PASS] Default provider verify successful"
-            rsa_check_force_fail
+            check_force_fail
         else
             echo "[FAIL] Default provider verify failed"
             FAIL=1
@@ -219,10 +204,10 @@ test_sign_verify_pkeyutl() {
     local wolf_sig_file="rsa_outputs/${key_prefix}_${key_size}_wolf_sig.bin"
     if $sign_func "$key_file" "$data_file" "$wolf_sig_file" "$provider_args"; then
         echo "[PASS] Signing with wolfProvider successful"
-        rsa_check_force_fail
+        check_force_fail
         if $verify_func "$pub_key_file" "$data_file" "$wolf_sig_file" "$provider_args"; then
             echo "[PASS] wolfProvider sign/verify successful"
-            rsa_check_force_fail
+            check_force_fail
         else
             echo "[FAIL] wolfProvider verify failed"
             FAIL=1
@@ -238,7 +223,7 @@ test_sign_verify_pkeyutl() {
         use_wolf_provider
         if $verify_func "$pub_key_file" "$data_file" "$default_sig_file" "$provider_args"; then
             echo "[PASS] wolfProvider can verify OpenSSL default signature"
-            rsa_check_force_fail
+            check_force_fail
         else
             echo "[FAIL] wolfProvider cannot verify OpenSSL default signature"
             FAIL=1
@@ -248,7 +233,7 @@ test_sign_verify_pkeyutl() {
         echo "Test 4: Cross-provider verification (wolf sign, default verify)"
         if $verify_func "$pub_key_file" "$data_file" "$wolf_sig_file" "$provider_args"; then
             echo "[PASS] OpenSSL default can verify wolfProvider signature"
-            rsa_check_force_fail
+            check_force_fail
         else
             echo "[FAIL] OpenSSL default cannot verify wolfProvider signature"
             FAIL=1
@@ -263,15 +248,16 @@ generate_and_test_key() {
     local provider_args=$3
     local output_file="rsa_outputs/${key_type}_${key_size}.pem"
 
+    # Get the provider name
+    provider_name=$(get_provider_name "$provider_args")
+
+    echo -e "\n=== Testing ${key_type} Key Generation (${key_size}) with ${provider_name} ==="
+
     if [ -f "$output_file" ]; then
         echo "Output file $output_file already exists, removing it."
         rm -f "$output_file"
     fi
 
-    # Get the provider name
-    provider_name=$(get_provider_name "$provider_args")
-    
-    echo -e "\n=== Testing ${key_type} Key Generation (${key_size}) with ${provider_name} ==="
     echo "Generating ${key_type} key (${key_size})..."
     if [ "$key_type" = "RSA-PSS" ]; then
         # For RSA-PSS, specify all parameters
@@ -283,7 +269,7 @@ generate_and_test_key() {
             -pkeyopt rsa_pss_keygen_saltlen:-1 \
             -out "$output_file" 2>/dev/null; then
             echo "[PASS] RSA-PSS key generation successful"
-            rsa_check_force_fail
+            check_force_fail
         else
             echo "[FAIL] RSA-PSS key generation failed"
             FAIL=1
@@ -295,7 +281,7 @@ generate_and_test_key() {
             -pkeyopt rsa_keygen_bits:${key_size} \
             -out "$output_file" 2>/dev/null; then
             echo "[PASS] RSA key generation successful"
-            rsa_check_force_fail
+            check_force_fail
         else
             echo "[FAIL] RSA key generation failed"
             FAIL=1
@@ -305,7 +291,7 @@ generate_and_test_key() {
     # Verify the key was generated
     if [ -s "$output_file" ]; then
         echo "[PASS] ${key_type} key (${key_size}) generation successful"
-        rsa_check_force_fail
+        check_force_fail
     else
         echo "[FAIL] ${key_type} key (${key_size}) generation failed"
         FAIL=1
@@ -322,7 +308,7 @@ generate_and_test_key() {
     if $OPENSSL_BIN pkey -in "$output_file" -check \
         ${provider_args} -passin pass: >/dev/null; then
         echo "[PASS] ${provider_name} can use ${key_type} key (${key_size})"
-        rsa_check_force_fail
+        check_force_fail
     else
         echo "[FAIL] ${provider_name} cannot use ${key_type} key (${key_size})"
         FAIL=1

scripts/verify-install.sh

@@ -200,7 +200,6 @@ verify_wolfprovider() {
     local replace_default="$2"
     local no_wp="$3"
 
-    is_openssl_fips=$(echo "$openssl_version" | grep -v "nonfips" | grep -qi "fips" && echo 1 || echo 0)
     is_openssl_replace_default=$(echo "$openssl_version" | grep -qi "wolfProvider" && echo 1 || echo 0)
     is_openssl_default_provider=$(echo "$openssl_providers" | grep -qi "OpenSSL Default Provider" && echo 1 || echo 0)
 
@@ -215,7 +214,6 @@ verify_wolfprovider() {
         echo "fips: $fips"
         echo "replace_default: $replace_default"
         echo "no_wp: $no_wp"
-        echo "DEBUG: is_openssl_fips: $is_openssl_fips"
         echo "DEBUG: is_openssl_replace_default: $is_openssl_replace_default"
         echo "DEBUG: is_openssl_default_provider: $is_openssl_default_provider"
         echo "DEBUG: is_wp_active: $is_wp_active"
@@ -251,16 +249,6 @@ verify_wolfprovider() {
         elif [ $is_wp_default -ne 1 ]; then
             handle_error "wolfProvider is not the default provider"
         fi
-        
-        if [ $fips -eq 1 ]; then
-            if [ $is_openssl_fips -ne 1 ]; then
-                handle_error "OpenSSL is not FIPS"
-            fi
-        else
-            if [ $is_openssl_fips -eq 1 ]; then
-                handle_error "OpenSSL is FIPS"
-            fi
-        fi
     else
         if [ $is_openssl_replace_default -eq 1 ]; then
             handle_error "OpenSSL is replace default"