wolfSSL · padelsbach · Oct 3, 2025 · Sep 23, 2025 · Sep 23, 2025 · Sep 23, 2025
diff --git a/scripts/cmd_test/clean-cmd-test.sh b/scripts/cmd_test/clean-cmd-test.sh
@@ -33,5 +33,6 @@ clean_all_cmd_tests() {
     clean_cmd_test "aes"
     clean_cmd_test "ecc"
     clean_cmd_test "hash"
+    clean_cmd_test "req"
     clean_cmd_test "rsa"
 }
diff --git a/scripts/cmd_test/do-cmd-tests.sh b/scripts/cmd_test/do-cmd-tests.sh
@@ -84,8 +84,13 @@ echo -e "\n=== Running ECC Key Generation Test ==="
 "${REPO_ROOT}/scripts/cmd_test/ecc-cmd-test.sh"
 ECC_RESULT=$?
 
+# Run the Certificate Request test
+echo -e "\n=== Running Certificate Request Test ==="
+"${REPO_ROOT}/scripts/cmd_test/req-cmd-test.sh"
+REQ_RESULT=$?
+
 # Check results
-if [ $HASH_RESULT -eq 0 ] && [ $AES_RESULT -eq 0 ] && [ $RSA_RESULT -eq 0 ] && [ $ECC_RESULT -eq 0 ]; then
+if [ $HASH_RESULT -eq 0 ] && [ $AES_RESULT -eq 0 ] && [ $RSA_RESULT -eq 0 ] && [ $ECC_RESULT -eq 0 ] && [ $REQ_RESULT -eq 0 ]; then
     echo -e "\n=== All Command-Line Tests Passed ==="
     if [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then
         echo "Force fail mode was enabled"
@@ -97,6 +102,7 @@ if [ $HASH_RESULT -eq 0 ] && [ $AES_RESULT -eq 0 ] && [ $RSA_RESULT -eq 0 ] && [
     echo "AES Test Result: $AES_RESULT (0=success)"
     echo "RSA Test Result: $RSA_RESULT (0=success)"
     echo "ECC Test Result: $ECC_RESULT (0=success)"
+    echo "REQ Test Result: $REQ_RESULT (0=success)"
     exit 0
 else
     echo -e "\n=== Command-Line Tests Failed ==="
@@ -110,5 +116,6 @@ else
     echo "AES Test Result: $AES_RESULT (0=success)"
     echo "RSA Test Result: $RSA_RESULT (0=success)"
     echo "ECC Test Result: $ECC_RESULT (0=success)"
+    echo "REQ Test Result: $REQ_RESULT (0=success)"
     exit 1
 fi
diff --git a/scripts/cmd_test/req-cmd-test.sh b/scripts/cmd_test/req-cmd-test.sh
@@ -0,0 +1,121 @@
+#!/bin/bash
+# req-cmd-test.sh - Certificate request test for wolfProvider
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+source "${SCRIPT_DIR}/cmd-test-common.sh"
+source "${SCRIPT_DIR}/clean-cmd-test.sh"
+cmd_test_env_setup "req-test.log"
+clean_cmd_test "req"
+
+exec > >(tee -a "$LOG_FILE") 2>&1
+mkdir -p req_outputs
+
+CURVES=("prime256v1" "secp384r1" "secp521r1") 
+HASH_ALGORITHMS=("sha256" "sha384" "sha512")
+PROVIDER_ARGS=("-provider-path $WOLFPROV_PATH -provider libwolfprov" "-provider default")
+
+echo "=== Running Certificate Request (X.509) Tests ==="
+
+# Skip tests for FIPS mode (unless force-failing)
+if [ "${WOLFSSL_ISFIPS}" = "1" ] && [ "${WOLFPROV_FORCE_FAIL}" != "1" ]; then
+    echo "INFO: FIPS mode detected"
+    echo "INFO: Skipping req tests for FIPS mode"
+    echo "SUCCESS: Certificate Request tests skipped for FIPS build"
+    exit 0
+fi
+
+# Function to test certificate creation
+test_cert_creation() {
+    local curve=$1
+    local hash_alg=$2
+    local req_provider_args=$3
+
+    req_provider_name=$(get_provider_name "$req_provider_args")
+    local key_file="req_outputs/key_${curve}_${hash_alg}.pem"
+    local cert_file="req_outputs/cert_${curve}_${hash_alg}_${req_provider_name//lib/}.pem"
+
+    echo -e "\n=== Testing Certificate Creation (${curve}/${hash_alg}) - req with ${req_provider_name} ==="
+
+    # Generate EC key with default provider
+    echo "Generating EC key with curve ${curve} using default provider..."
+    use_default_provider
+    if $OPENSSL_BIN ecparam -genkey -name ${curve} -out "$key_file" \
+        -provider default 2>/dev/null; then
+        echo "[PASS] EC key generation successful"
+        # Don't call check_force_fail for default provider operations in force fail mode
+        # as default provider operations are expected to succeed
+        if [ "${WOLFPROV_FORCE_FAIL}" != "1" ]; then
+            check_force_fail
+        fi
+    else
+        echo "[FAIL] EC key generation failed"
+        FAIL=1
+        return
+    fi
+
+    # Set provider for req command
+    if [[ "$req_provider_args" == *"libwolfprov"* ]]; then
+        use_wolf_provider
+    else
+        use_default_provider
+    fi
+
+    # Create certificate with specified provider
+    echo "Creating self-signed certificate with ${hash_alg} using ${req_provider_name}..."
+    if $OPENSSL_BIN req -x509 -new -key "$key_file" -${hash_alg} -days 365 \
+        -out "$cert_file" -subj "/CN=test-${curve}-${hash_alg}" ${req_provider_args} 2>/dev/null; then
+        echo "[PASS] Certificate creation successful"
+        # Only call check_force_fail for wolfProvider operations, or when not in force fail mode
+        if [[ "$req_provider_args" == *"libwolfprov"* ]] || [ "${WOLFPROV_FORCE_FAIL}" != "1" ]; then
+            check_force_fail
+        fi
+    else
+        echo "[FAIL] Certificate creation failed"
+        FAIL=1
+        return
+    fi
+
+    # Check if certificate file exists and is non-empty
+    if [ -s "$cert_file" ]; then
+        echo "[PASS] Certificate file exists and is non-empty"
+        # Only call check_force_fail for wolfProvider operations, or when not in force fail mode
+        if [[ "$req_provider_args" == *"libwolfprov"* ]] || [ "${WOLFPROV_FORCE_FAIL}" != "1" ]; then
+            check_force_fail
+        fi
+    else
+        echo "[FAIL] Certificate file does not exist or is empty"
+        FAIL=1
+    fi
+}
+
+# Main test execution
+echo "Starting certificate request tests..."
+
+for curve in "${CURVES[@]}"; do
+    for hash_alg in "${HASH_ALGORITHMS[@]}"; do
+        for provider_arg in "${PROVIDER_ARGS[@]}"; do
+            test_cert_creation "$curve" "$hash_alg" "$provider_arg"
+        done
+    done
+done
+
+# Force-fail handling (same pattern as other cmd tests)
+if [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then
+    if [ $FORCE_FAIL_PASSED -eq 1 ]; then
+        echo -e "\n=== Certificate Request Tests Failed With Force Fail Enabled ==="
+        echo "ERROR: Some tests passed when they should have failed"
+        exit 1
+    else
+        echo -e "\n=== Certificate Request Tests Passed With Force Fail Enabled ==="
+        echo "SUCCESS: All tests failed as expected"
+        exit 0
+    fi
+else
+    if [ $FAIL -eq 0 ]; then
+        echo -e "\n=== All Certificate Request tests completed successfully ==="
+        exit 0
+    else
+        echo -e "\n=== Certificate Request tests completed with failures ==="
+        exit 1
+    fi
+fi
diff --git a/src/wp_ecdsa_sig.c b/src/wp_ecdsa_sig.c
@@ -725,32 +725,35 @@ static int wp_ecdsa_digest_verify_final(wp_EcdsaSigCtx *ctx, unsigned char *sig,
  * @return  1 on success.
  * @return  0 on failure.
  */
-static int wp_ecdsa_get_alg_id(wp_EcdsaSigCtx *ctx, OSSL_PARAM *p)
-{
-    int ok = 0;
-
-    if (XMEMCMP(ctx->mdName, "SHA256", 7) == 0) {
-        static const unsigned char ecdsa_sha256[] = {
-            0x30, 0x0a, 0x06, 0x08, 42, 134, 72, 206, 61, 4, 3, 2
-        };
-        ok = OSSL_PARAM_set_octet_string(p, ecdsa_sha256, sizeof(ecdsa_sha256));
-    }
-    if (XMEMCMP(ctx->mdName, "SHA384", 7) == 0) {
-        static const unsigned char ecdsa_sha384[] = {
-            0x30, 0x0a, 0x06, 0x08, 42, 134, 72, 206, 61, 4, 3, 3
-        };
-        ok = OSSL_PARAM_set_octet_string(p, ecdsa_sha384, sizeof(ecdsa_sha384));
-    }
-    if (XMEMCMP(ctx->mdName, "SHA512", 7) == 0) {
-        static const unsigned char ecdsa_sha512[] = {
-            0x30, 0x0a, 0x06, 0x08, 42, 134, 72, 206, 61, 4, 3, 4
-        };
-        ok = OSSL_PARAM_set_octet_string(p, ecdsa_sha512, sizeof(ecdsa_sha512));
-    }
-    /* TODO: support more digests */
-
-    return ok;
-}
+ static int wp_ecdsa_get_alg_id(wp_EcdsaSigCtx *ctx, OSSL_PARAM *p)
+ {
+     int ok = 0;
+
+     if ((XMEMCMP(ctx->mdName, "SHA256", 7) == 0) ||
+         (XMEMCMP(ctx->mdName, "sha256", 7) == 0)) {
+         static const unsigned char ecdsa_sha256[] = {
+             0x30, 0x0a, 0x06, 0x08, 42, 134, 72, 206, 61, 4, 3, 2
+         };
+         ok = OSSL_PARAM_set_octet_string(p, ecdsa_sha256, sizeof(ecdsa_sha256));
+     }
+     if ((XMEMCMP(ctx->mdName, "SHA384", 7) == 0) ||
+         (XMEMCMP(ctx->mdName, "sha384", 7) == 0)) {
+         static const unsigned char ecdsa_sha384[] = {
+             0x30, 0x0a, 0x06, 0x08, 42, 134, 72, 206, 61, 4, 3, 3
+         };
+         ok = OSSL_PARAM_set_octet_string(p, ecdsa_sha384, sizeof(ecdsa_sha384));
+     }
+     if ((XMEMCMP(ctx->mdName, "SHA512", 7) == 0) ||
+         (XMEMCMP(ctx->mdName, "sha512", 7) == 0)) {
+         static const unsigned char ecdsa_sha512[] = {
+             0x30, 0x0a, 0x06, 0x08, 42, 134, 72, 206, 61, 4, 3, 4
+         };
+         ok = OSSL_PARAM_set_octet_string(p, ecdsa_sha512, sizeof(ecdsa_sha512));
+     }
+     /* TODO: support more digests */
+
+     return ok;
+ }
 
 /**
  * Put data from ECDSA signture context object into parameter objects.

diff --git a/src/wp_file_store.c b/src/wp_file_store.c
@@ -431,6 +431,17 @@ static OSSL_DECODER_CTX* wp_file_setup_decoders(wp_FileCtx* ctx)
     return decCtx;
 }
 
+static void wp_bio_consume_all(BIO* bio)
+{
+    char buffer[128];
+    int bytes_read = 0;
+
+    /* Consume everything */
+    do {
+        bytes_read = BIO_read(bio, buffer, sizeof(buffer));
+    } while (bytes_read > 0);
+}
+
 /**
  * Load the data from a file.
  *
@@ -454,6 +465,9 @@ static int wp_file_load(wp_FileCtx* ctx, OSSL_CALLBACK* objCb, void* objCbArg,
     }
     if (ctx->decCtx == NULL) {
         ok = 0;
+        /* If we error here, we dont consume the BIO at all and simply return 0,
+         * however callers loop is until EOF. Set BIO to EOF on early error */
+         wp_bio_consume_all(ctx->bio);
     }
 
     if (ok) {

diff --git a/test/standalone/test_common.sh b/test/standalone/test_common.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+# test_common.sh - Common utilities for standalone tests
+#
+# Copyright (C) 2006-2025 wolfSSL Inc.
+#
+# This file is part of wolfProvider.
+#
+# wolfProvider is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# wolfProvider is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with wolfProvider. If not, see <http://www.gnu.org/licenses/>.
+
+# Function to detect if wolfProvider was built with --replace-default
+# Returns 0 if replace-default is detected, 1 otherwise
+detect_replace_default_build() {
+    local libcrypto_path=""
+
+    # Try common locations relative to the test root
+    local test_root="${ROOT_DIR:-}"
+
+    if [ -z "$test_root" ]; then
+        # Fallback: try to determine root from current location
+        test_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." &>/dev/null && pwd)"
+    fi
+
+    # Try common locations
+    if [ -n "${OPENSSL_LIB_PATH:-}" ] && [ -f "${OPENSSL_LIB_PATH}/libcrypto.so" ]; then
+        libcrypto_path="${OPENSSL_LIB_PATH}/libcrypto.so"
+    elif [ -f "${test_root}/openssl-install/lib64/libcrypto.so" ]; then
+        libcrypto_path="${test_root}/openssl-install/lib64/libcrypto.so"
+    elif [ -f "${test_root}/openssl-install/lib/libcrypto.so" ]; then
+        libcrypto_path="${test_root}/openssl-install/lib/libcrypto.so"
+    else
+        return 1  # Can't find libcrypto, assume standard build
+    fi
+
+    # Check for replace-default patch symbols in libcrypto
+    if strings "$libcrypto_path" 2>/dev/null | grep -q "load_wolfprov_and_init"; then
+        return 0  # Replace-default build detected
+    else
+        return 1  # Standard build
+    fi
+}
diff --git a/test/standalone/tests/hardload/run.sh b/test/standalone/tests/hardload/run.sh
@@ -24,12 +24,13 @@ if ! source "$ROOT_DIR/scripts/env-setup" >/dev/null; then
     exit 1
 fi
 
+# Source common test utilities
+source "$ROOT_DIR/test/standalone/test_common.sh"
+
+# Check if this is a replace-default build
 WP_USING_REPLACE_DEFAULT="0"
-if [ -f "$OPENSSL_LIB_PATH/libcrypto.so" ]; then
-    # Check for wolfProvider symbols in libcrypto
-    if nm -D "$OPENSSL_LIB_PATH/libcrypto.so" 2>/dev/null | grep -q "wolfprov_provider_init"; then
-        WP_USING_REPLACE_DEFAULT="1"
-    fi
+if detect_replace_default_build; then
+    WP_USING_REPLACE_DEFAULT="1"
 fi
 
 # Configure environment based on build type

diff --git a/test/standalone/tests/sha256_simple/run.sh b/test/standalone/tests/sha256_simple/run.sh
@@ -24,12 +24,13 @@ if ! source "$ROOT_DIR/scripts/env-setup" >/dev/null; then
     exit 1
 fi
 
+# Source common test utilities
+source "$ROOT_DIR/test/standalone/test_common.sh"
+
+# Check if this is a replace-default build
 WP_USING_REPLACE_DEFAULT="0"
-if [ -f "$OPENSSL_LIB_PATH/libcrypto.so" ]; then
-    # Check for wolfProvider symbols in libcrypto
-    if nm -D "$OPENSSL_LIB_PATH/libcrypto.so" 2>/dev/null | grep -q "wolfprov_provider_init"; then
-        WP_USING_REPLACE_DEFAULT="1"
-    fi
+if detect_replace_default_build; then
+    WP_USING_REPLACE_DEFAULT="1"
 fi
 
 # Configure environment based on build type