diff --git a/scripts/cmd_test/clean-cmd-test.sh b/scripts/cmd_test/clean-cmd-test.sh
index df9bb8d8..785388a7 100755
--- a/scripts/cmd_test/clean-cmd-test.sh
+++ b/scripts/cmd_test/clean-cmd-test.sh
@@ -33,5 +33,6 @@ clean_all_cmd_tests() {
 clean_cmd_test "aes"
 clean_cmd_test "ecc"
 clean_cmd_test "hash"
+ clean_cmd_test "req"
 clean_cmd_test "rsa"
 }
diff --git a/scripts/cmd_test/do-cmd-tests.sh b/scripts/cmd_test/do-cmd-tests.sh
index 635450c1..e086538b 100755
--- a/scripts/cmd_test/do-cmd-tests.sh
+++ b/scripts/cmd_test/do-cmd-tests.sh
@@ -84,8 +84,13 @@ echo -e "\n=== Running ECC Key Generation Test ==="
 "${REPO_ROOT}/scripts/cmd_test/ecc-cmd-test.sh"
 ECC_RESULT=$?
 
+# Run the Certificate Request test
+echo -e "\n=== Running Certificate Request Test ==="
+"${REPO_ROOT}/scripts/cmd_test/req-cmd-test.sh"
+REQ_RESULT=$?
+
 # Check results
-if [ $HASH_RESULT -eq 0 ] && [ $AES_RESULT -eq 0 ] && [ $RSA_RESULT -eq 0 ] && [ $ECC_RESULT -eq 0 ]; then
+if [ $HASH_RESULT -eq 0 ] && [ $AES_RESULT -eq 0 ] && [ $RSA_RESULT -eq 0 ] && [ $ECC_RESULT -eq 0 ] && [ $REQ_RESULT -eq 0 ]; then
 echo -e "\n=== All Command-Line Tests Passed ==="
 if [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then
 echo "Force fail mode was enabled"
@@ -97,6 +102,7 @@ if [ $HASH_RESULT -eq 0 ] && [ $AES_RESULT -eq 0 ] && [ $RSA_RESULT -eq 0 ] && [
 echo "AES Test Result: $AES_RESULT (0=success)"
 echo "RSA Test Result: $RSA_RESULT (0=success)"
 echo "ECC Test Result: $ECC_RESULT (0=success)"
+ echo "REQ Test Result: $REQ_RESULT (0=success)"
 exit 0
 else
 echo -e "\n=== Command-Line Tests Failed ==="
@@ -110,5 +116,6 @@ else
 echo "AES Test Result: $AES_RESULT (0=success)"
 echo "RSA Test Result: $RSA_RESULT (0=success)"
 echo "ECC Test Result: $ECC_RESULT (0=success)"
+ echo "REQ Test Result: $REQ_RESULT (0=success)"
 exit 1
 fi
diff --git a/scripts/cmd_test/req-cmd-test.sh b/scripts/cmd_test/req-cmd-test.sh
new file mode 100755
index 00000000..1278f398
--- /dev/null
+++ b/scripts/cmd_test/req-cmd-test.sh
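Review bot: The new `[ $REQ_RESULT -eq 0 ]` term extends a five-way chain of single-bracket tests on unquoted variables; since every value is a captured `$?` this works, but as a matter of style the whole condition reads more clearly as one arithmetic test, `if (( HASH_RESULT == 0 && AES_RESULT == 0 && RSA_RESULT == 0 && ECC_RESULT == 0 && REQ_RESULT == 0 )); then`. The `REQ Test Result` echo added in this file's two later hunks repeats the same summary block in the pass and fail branches; the existing AES/RSA/ECC lines already have that duplication, so hoisting the summary above the branch is optional but would keep future additions to a single line. The `clean-cmd-test.sh` hunk is a one-line addition and needs nothing.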
@@ -0,0 +1,121 @@
+#!/bin/bash
+# req-cmd-test.sh - Certificate request test for wolfProvider
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+source "${SCRIPT_DIR}/cmd-test-common.sh"
+source "${SCRIPT_DIR}/clean-cmd-test.sh"
+cmd_test_env_setup "req-test.log"
+clean_cmd_test "req"
+
+exec > >(tee -a "$LOG_FILE") 2>&1
+mkdir -p req_outputs
+
+CURVES=("prime256v1" "secp384r1" "secp521r1")
+HASH_ALGORITHMS=("sha256" "sha384" "sha512")
+PROVIDER_ARGS=("-provider-path $WOLFPROV_PATH -provider libwolfprov" "-provider default")
+
+echo "=== Running Certificate Request (X.509) Tests ==="
+
+# Skip tests for FIPS mode (unless force-failing)
+if [ "${WOLFSSL_ISFIPS}" = "1" ] && [ "${WOLFPROV_FORCE_FAIL}" != "1" ]; then
+ echo "INFO: FIPS mode detected"
+ echo "INFO: Skipping req tests for FIPS mode"
+ echo "SUCCESS: Certificate Request tests skipped for FIPS build"
+ exit 0
+fi
+
+# Function to test certificate creation
+test_cert_creation() {
+ local curve=$1
+ local hash_alg=$2
+ local req_provider_args=$3
+
+ req_provider_name=$(get_provider_name "$req_provider_args")
+ local key_file="req_outputs/key_${curve}_${hash_alg}.pem"
+ local cert_file="req_outputs/cert_${curve}_${hash_alg}_${req_provider_name//lib/}.pem"
+
+ echo -e "\n=== Testing Certificate Creation (${curve}/${hash_alg}) - req with ${req_provider_name} ==="
+
+ # Generate EC key with default provider
+ echo "Generating EC key with curve ${curve} using default provider..."
+ use_default_provider
+ if $OPENSSL_BIN ecparam -genkey -name ${curve} -out "$key_file" \
+ -provider default 2>/dev/null; then
+ echo "[PASS] EC key generation successful"
+ # Don't call check_force_fail for default provider operations in force fail mode
+ # as default provider operations are expected to succeed
+ if [ "${WOLFPROV_FORCE_FAIL}" != "1" ]; then
+ check_force_fail
+ fi
+ else
+ echo "[FAIL] EC key generation failed"
+ FAIL=1
+ return
+ fi
+
+ # Set provider for req command
+ if [[ "$req_provider_args" == *"libwolfprov"* ]]; then
+ use_wolf_provider
+ else
+ use_default_provider
+ fi
+
+ # Create certificate with specified provider
+ echo "Creating self-signed certificate with ${hash_alg} using ${req_provider_name}..."
+ if $OPENSSL_BIN req -x509 -new -key "$key_file" -${hash_alg} -days 365 \
+ -out "$cert_file" -subj "/CN=test-${curve}-${hash_alg}" ${req_provider_args} 2>/dev/null; then
+ echo "[PASS] Certificate creation successful"
+ # Only call check_force_fail for wolfProvider operations, or when not in force fail mode
+ if [[ "$req_provider_args" == *"libwolfprov"* ]] || [ "${WOLFPROV_FORCE_FAIL}" != "1" ]; then
+ check_force_fail
+ fi
+ else
+ echo "[FAIL] Certificate creation failed"
+ FAIL=1
+ return
+ fi
+
+ # Check if certificate file exists and is non-empty
+ if [ -s "$cert_file" ]; then
+ echo "[PASS] Certificate file exists and is non-empty"
+ # Only call check_force_fail for wolfProvider operations, or when not in force fail mode
+ if [[ "$req_provider_args" == *"libwolfprov"* ]] || [ "${WOLFPROV_FORCE_FAIL}" != "1" ]; then
+ check_force_fail
+ fi
+ else
+ echo "[FAIL] Certificate file does not exist or is empty"
+ FAIL=1
+ fi
+}
+
+# Main test execution
+echo "Starting certificate request tests..."
+
+for curve in "${CURVES[@]}"; do
+ for hash_alg in "${HASH_ALGORITHMS[@]}"; do
+ for provider_arg in "${PROVIDER_ARGS[@]}"; do
+ test_cert_creation "$curve" "$hash_alg" "$provider_arg"
+ done
+ done
+done
+
+# Force-fail handling (same pattern as other cmd tests)
+if [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then
+ if [ $FORCE_FAIL_PASSED -eq 1 ]; then
+ echo -e "\n=== Certificate Request Tests Failed With Force Fail Enabled ==="
+ echo "ERROR: Some tests passed when they should have failed"
+ exit 1
+ else
+ echo -e "\n=== Certificate Request Tests Passed With Force Fail Enabled ==="
+ echo "SUCCESS: All tests failed as expected"
+ exit 0
+ fi
+else
+ if [ $FAIL -eq 0 ]; then
+ echo -e "\n=== All Certificate Request tests completed successfully ==="
+ exit 0
+ else
+ echo -e "\n=== Certificate Request tests completed with failures ==="
+ exit 1
+ fi
+fi
diff --git a/src/wp_ecdsa_sig.c b/src/wp_ecdsa_sig.c
index d647abbf..5e6c0666 100644
--- a/src/wp_ecdsa_sig.c
+++ b/src/wp_ecdsa_sig.c
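Review bot: `req_provider_name` is assigned inside `test_cert_creation` without `local`, so each call overwrites a script-global while the sibling `key_file`/`cert_file` are properly local; declare it first with `local req_provider_name` and assign on the next line, which also stops `local` from masking a non-zero exit from `get_provider_name`. `FAIL` and `FORCE_FAIL_PASSED` are read in the final `if` blocks but never initialised in this file; presumably `cmd_test_env_setup` in `cmd-test-common.sh` sets them as the other cmd tests rely on, otherwise `[ $FAIL -eq 0 ]` errors on an empty operand — worth confirming. Both `$OPENSSL_BIN` invocations send stderr to `/dev/null` even though stdout is already tee'd into `$LOG_FILE` by the `exec` line, so the reason behind a `[FAIL]` (an unsupported curve/digest pairing, a provider that failed to load) never reaches the log; `2>&1` in place of `2>/dev/null` would capture it. The unquoted `${req_provider_args}` is deliberate word-splitting of the `PROVIDER_ARGS` strings and will break if `$WOLFPROV_PATH` contains whitespace; it matches the pattern of the other cmd tests, so a fix there should be made across them together.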
@@ -725,32 +725,35 @@ static int wp_ecdsa_digest_verify_final(wp_EcdsaSigCtx *ctx, unsigned char *sig,
 * @return 1 on success.
 * @return 0 on failure.
 */
-static int wp_ecdsa_get_alg_id(wp_EcdsaSigCtx *ctx, OSSL_PARAM *p)
-{
- int ok = 0;
-
- if (XMEMCMP(ctx->mdName, "SHA256", 7) == 0) {
- static const unsigned char ecdsa_sha256[] = {
- 0x30, 0x0a, 0x06, 0x08, 42, 134, 72, 206, 61, 4, 3, 2
- };
- ok = OSSL_PARAM_set_octet_string(p, ecdsa_sha256, sizeof(ecdsa_sha256));
- }
- if (XMEMCMP(ctx->mdName, "SHA384", 7) == 0) {
- static const unsigned char ecdsa_sha384[] = {
- 0x30, 0x0a, 0x06, 0x08, 42, 134, 72, 206, 61, 4, 3, 3
- };
- ok = OSSL_PARAM_set_octet_string(p, ecdsa_sha384, sizeof(ecdsa_sha384));
- }
- if (XMEMCMP(ctx->mdName, "SHA512", 7) == 0) {
- static const unsigned char ecdsa_sha512[] = {
- 0x30, 0x0a, 0x06, 0x08, 42, 134, 72, 206, 61, 4, 3, 4
- };
- ok = OSSL_PARAM_set_octet_string(p, ecdsa_sha512, sizeof(ecdsa_sha512));
- }
- /* TODO: support more digests */
-
- return ok;
-}
+ static int wp_ecdsa_get_alg_id(wp_EcdsaSigCtx *ctx, OSSL_PARAM *p)
+ {
+ int ok = 0;
+
+ if ((XMEMCMP(ctx->mdName, "SHA256", 7) == 0) ||
+ (XMEMCMP(ctx->mdName, "sha256", 7) == 0)) {
+ static const unsigned char ecdsa_sha256[] = {
+ 0x30, 0x0a, 0x06, 0x08, 42, 134, 72, 206, 61, 4, 3, 2
+ };
+ ok = OSSL_PARAM_set_octet_string(p, ecdsa_sha256, sizeof(ecdsa_sha256));
+ }
+ if ((XMEMCMP(ctx->mdName, "SHA384", 7) == 0) ||
+ (XMEMCMP(ctx->mdName, "sha384", 7) == 0)) {
+ static const unsigned char ecdsa_sha384[] = {
+ 0x30, 0x0a, 0x06, 0x08, 42, 134, 72, 206, 61, 4, 3, 3
+ };
+ ok = OSSL_PARAM_set_octet_string(p, ecdsa_sha384, sizeof(ecdsa_sha384));
+ }
+ if ((XMEMCMP(ctx->mdName, "SHA512", 7) == 0) ||
+ (XMEMCMP(ctx->mdName, "sha512", 7) == 0)) {
+ static const unsigned char ecdsa_sha512[] = {
+ 0x30, 0x0a, 0x06, 0x08, 42, 134, 72, 206, 61, 4, 3, 4
+ };
+ ok = OSSL_PARAM_set_octet_string(p, ecdsa_sha512, sizeof(ecdsa_sha512));
+ }
+ /* TODO: support more digests */
+
+ return ok;
+ }
 
 /**
 * Put data from ECDSA signture context object into parameter objects.
diff --git a/src/wp_file_store.c b/src/wp_file_store.c
index 508c6c56..1bb6d55d 100644
--- a/src/wp_file_store.c
+++ b/src/wp_file_store.c
@@ -431,6 +431,17 @@ static OSSL_DECODER_CTX* wp_file_setup_decoders(wp_FileCtx* ctx)
 return decCtx;
 }
 
+static void wp_bio_consume_all(BIO* bio)
+{
+ char buffer[128];
+ int bytes_read = 0;
+
+ /* Consume everything */
+ do {
+ bytes_read = BIO_read(bio, buffer, sizeof(buffer));
+ } while (bytes_read > 0);
+}
+
 /**
 * Load the data from a file.
 *
@@ -454,6 +465,9 @@ static int wp_file_load(wp_FileCtx* ctx, OSSL_CALLBACK* objCb, void* objCbArg,
 }
 if (ctx->decCtx == NULL) {
 ok = 0;
+ /* If we error here, we dont consume the BIO at all and simply return 0,
+ * however callers loop is until EOF. Set BIO to EOF on early error */
+ wp_bio_consume_all(ctx->bio);
 }
 
 if (ok) {
diff --git a/test/standalone/test_common.sh b/test/standalone/test_common.sh
new file mode 100644
index 00000000..11b9cc31
--- /dev/null
+++ b/test/standalone/test_common.sh
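Review bot: Adding a lowercase twin to each `XMEMCMP` in `wp_ecdsa_get_alg_id` only covers the two spellings seen so far; `Sha256`, `SHA-256` or OpenSSL 3's canonical `SHA2-256` still fall through and leave `ok` at 0, so a case-insensitive compare is the more robust fix and halves each condition: `if (XSTRNCASECMP(ctx->mdName, "SHA256", 7) == 0) {` (likewise for SHA384/SHA512, keeping the existing length 7 so the terminator is still matched). If the context also holds an `EVP_MD` next to `mdName`, `EVP_MD_is_a()` would resolve aliases without any string matching at all — the struct is not visible from this hunk, so treat that as a suggestion to check. Separately, every `+` line of the rewritten function carries a leading space the `-` lines do not (`+ static int …` versus `-static int …`); if that reflects a real re-indent of the whole function rather than an artefact of how the diff was pasted here, it should be reverted so the hunk shows only the condition change.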
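Review bot: `wp_bio_consume_all` drains whatever is left in the BIO through a 128-byte stack buffer and never clears it, so when the store is opened on a private key file the last chunk of key bytes can stay on the stack after return; an `OPENSSL_cleanse(buffer, sizeof(buffer));` after the loop removes that residue and fits the OpenSSL API the file already uses (`BIO_read`, `OSSL_DECODER_CTX`). The function also lacks the Doxygen-style header its neighbours have (`/** Load the data from a file. … */`); a comment stating that it reads and discards the remaining BIO contents so a caller that loops until EOF terminates after an early error, with `@param [in] bio` and a note that a negative `BIO_read` return (retryable I/O on a non-blocking BIO) is treated the same as EOF, would keep the file consistent. In the second hunk the new comment reads `we dont consume` and `callers loop`; `don't` and `caller's loop`, and it only drains on the `decCtx == NULL` path — if `wp_file_load` has other early exits before the BIO is read (the rest of the function is outside the hunk), they presumably need the same call.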
@@ -0,0 +1,51 @@
+#!/bin/bash
+# test_common.sh - Common utilities for standalone tests
+#
+# Copyright (C) 2006-2025 wolfSSL Inc.
+#
+# This file is part of wolfProvider.
+#
+# wolfProvider is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# wolfProvider is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with wolfProvider. If not, see .
+
+# Function to detect if wolfProvider was built with --replace-default
+# Returns 0 if replace-default is detected, 1 otherwise
+detect_replace_default_build() {
+ local libcrypto_path=""
+
+ # Try common locations relative to the test root
+ local test_root="${ROOT_DIR:-}"
+
+ if [ -z "$test_root" ]; then
+ # Fallback: try to determine root from current location
+ test_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." &>/dev/null && pwd)"
+ fi
+
+ # Try common locations
+ if [ -n "${OPENSSL_LIB_PATH:-}" ] && [ -f "${OPENSSL_LIB_PATH}/libcrypto.so" ]; then
+ libcrypto_path="${OPENSSL_LIB_PATH}/libcrypto.so"
+ elif [ -f "${test_root}/openssl-install/lib64/libcrypto.so" ]; then
+ libcrypto_path="${test_root}/openssl-install/lib64/libcrypto.so"
+ elif [ -f "${test_root}/openssl-install/lib/libcrypto.so" ]; then
+ libcrypto_path="${test_root}/openssl-install/lib/libcrypto.so"
+ else
+ return 1 # Can't find libcrypto, assume standard build
+ fi
+
+ # Check for replace-default patch symbols in libcrypto
+ if strings "$libcrypto_path" 2>/dev/null | grep -q "load_wolfprov_and_init"; then
+ return 0 # Replace-default build detected
+ else
+ return 1 # Standard build
+ fi
+}
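Review bot: `detect_replace_default_build` returns 1 both for a standard libcrypto and when no `libcrypto.so` is found at all, so a wrong `OPENSSL_LIB_PATH` or an install that only ships the versioned `libcrypto.so.3` silently puts every caller into standard-build mode instead of surfacing the problem; a distinct status for the not-found branch, `return 2 # libcrypto not found`, plus a one-line diagnostic on stderr lets callers tell the cases apart, and the header comment's "1 otherwise" should then be updated. The check itself moves from the `nm -D … | grep -q wolfprov_provider_init` exported-symbol test still visible in the old `run.sh` code to a `strings … | grep -q load_wolfprov_and_init` search over every printable string in the binary, which is looser; presumably the patched symbol is not exported, and the `# Check for replace-default patch symbols` comment could say so. `grep -q "load_wolfprov_and_init"` happens to contain no regex metacharacters, but `grep -qF -- "load_wolfprov_and_init"` is the conventional form for a literal match.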
diff --git a/test/standalone/tests/hardload/run.sh b/test/standalone/tests/hardload/run.sh
index 17326bea..04b0b4db 100755
--- a/test/standalone/tests/hardload/run.sh
+++ b/test/standalone/tests/hardload/run.sh
@@ -24,12 +24,13 @@ if ! source "$ROOT_DIR/scripts/env-setup" >/dev/null; then
 exit 1
 fi
 
+# Source common test utilities
+source "$ROOT_DIR/test/standalone/test_common.sh"
+
+# Check if this is a replace-default build
 WP_USING_REPLACE_DEFAULT="0"
-if [ -f "$OPENSSL_LIB_PATH/libcrypto.so" ]; then
- # Check for wolfProvider symbols in libcrypto
- if nm -D "$OPENSSL_LIB_PATH/libcrypto.so" 2>/dev/null | grep -q "wolfprov_provider_init"; then
- WP_USING_REPLACE_DEFAULT="1"
- fi
+if detect_replace_default_build; then
+ WP_USING_REPLACE_DEFAULT="1"
 fi
 
 # Configure environment based on build type
diff --git a/test/standalone/tests/sha256_simple/run.sh b/test/standalone/tests/sha256_simple/run.sh
index 3062b99d..a3e41235 100755
--- a/test/standalone/tests/sha256_simple/run.sh
+++ b/test/standalone/tests/sha256_simple/run.sh
@@ -24,12 +24,13 @@ if ! source "$ROOT_DIR/scripts/env-setup" >/dev/null; then
 exit 1
 fi
 
+# Source common test utilities
+source "$ROOT_DIR/test/standalone/test_common.sh"
+
+# Check if this is a replace-default build
 WP_USING_REPLACE_DEFAULT="0"
-if [ -f "$OPENSSL_LIB_PATH/libcrypto.so" ]; then
- # Check for wolfProvider symbols in libcrypto
- if nm -D "$OPENSSL_LIB_PATH/libcrypto.so" 2>/dev/null | grep -q "wolfprov_provider_init"; then
- WP_USING_REPLACE_DEFAULT="1"
- fi
+if detect_replace_default_build; then
+ WP_USING_REPLACE_DEFAULT="1"
 fi
 
 # Configure environment based on build type
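Review bot: The new `source "$ROOT_DIR/test/standalone/test_common.sh"` is unguarded, unlike the `if ! source "$ROOT_DIR/scripts/env-setup"` check in the leading context just above it: if the file is missing or unreadable the script keeps going (unless it runs under `set -e`, which the visible lines do not show), `detect_replace_default_build` is then an unknown command evaluated as false, and `WP_USING_REPLACE_DEFAULT` silently stays `"0"`, so the test runs against the wrong configuration rather than failing. `source "$ROOT_DIR/test/standalone/test_common.sh" || exit 1` (or the same `if !` form used for env-setup) makes the dependency explicit. The identical hunk in `test/standalone/tests/sha256_simple/run.sh` needs the same guard. Any other test under `test/standalone/tests` that still carries the inline `nm -D` check being removed here should be migrated in the same commit so the two detection methods do not coexist.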