tests: Factor out cert selfsigning to helper

At this moment, this was already copied into two places. This also generates second restricted RSA-PSS key during setup to avoid the need to generate key as part of rsapssam test, which makes it reentrant and should make the uri test a bit faster as we will have less keys. Signed-off-by: Jakub Jelen <[email protected]>
Jakuje · Jan 24, 2025 · 1eb982a · 1eb982a
1 parent 22b4cdd
commit 1eb982a
Show file tree

Hide file tree

Showing 5 changed files with 88 additions and 63 deletions.
diff --git a/tests/helpers.sh b/tests/helpers.sh
@@ -86,3 +86,30 @@ if sed --version 2>/dev/null | grep -q 'GNU sed'; then
 else
 	export sed_inplace=("-i" "")
 fi
+
+# Generate self-signed certificate using OpenSSL
+# This is useful for the RSA-PSS certificates that can not be generated by
+# certtool
+selfsign_cert() {
+    KEY="$1"
+    CERT="$2"
+    shift 2
+    export AARGS="$@"
+
+    TMPCA=${TMPPDIR}/tmpca
+    TMP_OPENSSL_CONF=${OPENSSL_CONF}
+    sed -e "s|^dir .*|dir = ${TMPCA}|" \
+        "${OPENSSL_CONF}" > "${OPENSSL_CONF}.tmpca"
+    export OPENSSL_CONF=${OPENSSL_CONF}.tmpca
+
+    mkdir -p "${TMPCA}/newcerts" "${TMPCA}/private"
+    if [ ! -e "${TMPCA}/serial" ]; then
+        echo "01" > "${TMPCA}/serial"
+    fi
+    touch "${TMPCA}/index.txt"
+
+    title PARA "Generating a new selfsigned certificate for ${KEY}"
+    ossl 'req -batch -noenc -x509 -new -key ${KEY} ${AARGS} -out ${CERT}'
+    echo "$helper_output"
+    OPENSSL_CONF=${TMP_OPENSSL_CONF}
+}
diff --git a/tests/setup.sh b/tests/setup.sh
@@ -415,7 +415,7 @@ echo "${ECCRT3URI}"
 echo ""
 
 if [ "${SUPPORT_ALLOWED_MECHANISMS}" -eq 1 ]; then
-    # generate RSA-PSS key pair and self-signed RSA-PSS certificate
+    # generate unrestricted RSA-PSS key pair and self-signed RSA-PSS certificate
     KEYID='0010'
     URIKEYID="%00%10"
     TSTCRTN="testRsaPssCert"
@@ -440,6 +440,34 @@ if [ "${SUPPORT_ALLOWED_MECHANISMS}" -eq 1 ]; then
     echo "${RSAPSSPRIURI}"
     echo "${RSAPSSCRTURI}"
     echo ""
+
+    # generate RSA-PSS (3k) key pair restricted to SHA256 digests
+    # and self-signed RSA-PSS certificate
+    KEYID='0011'
+    URIKEYID="%00%11"
+    TSTCRTN="testRsaPss2Cert"
+
+    pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="RSA:3092" \
+        --label="${TSTCRTN}" --id="$KEYID" --allowed-mechanisms \
+        SHA256-RSA-PKCS-PSS
+    ca_sign "${TSTCRTN}" "My RsaPss2 Cert" $KEYID \
+        "--sign-params=RSA-PSS" "--hash=SHA256"
+
+    RSAPSS2BASEURIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}"
+    RSAPSS2BASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=file:${PINFILE}"
+    RSAPSS2BASEURI="pkcs11:id=${URIKEYID}"
+    RSAPSS2PUBURI="pkcs11:type=public;id=${URIKEYID}"
+    RSAPSS2PRIURI="pkcs11:type=private;id=${URIKEYID}"
+    RSAPSS2CRTURI="pkcs11:type=cert;object=${TSTCRTN}"
+
+    title LINE "RSA-PSS 2 PKCS11 URIS"
+    echo "${RSAPSS2BASEURIWITHPINVALUE}"
+    echo "${RSAPSS2BASEURIWITHPINSOURCE}"
+    echo "${RSAPSS2BASEURI}"
+    echo "${RSAPSS2PUBURI}"
+    echo "${RSAPSS2PRIURI}"
+    echo "${RSAPSS2CRTURI}"
+    echo ""
 fi
 
 
@@ -580,6 +608,13 @@ export RSAPSSBASEURI="${RSAPSSBASEURI}"
 export RSAPSSPUBURI="${RSAPSSPUBURI}"
 export RSAPSSPRIURI="${RSAPSSPRIURI}"
 export RSAPSSCRTURI="${RSAPSSCRTURI}"
+
+export RSAPSS2BASEURIWITHPINVALUE="${RSAPSSB2ASEURIWITHPINVALUE}"
+export RSAPSS2BASEURIWITHPINSOURCE="${RSAPSS2BASEURIWITHPINSOURCE}"
+export RSAPSS2BASEURI="${RSAPSS2BASEURI}"
+export RSAPSS2PUBURI="${RSAPSS2PUBURI}"
+export RSAPSS2PRIURI="${RSAPSS2PRIURI}"
+export RSAPSS2CRTURI="${RSAPSS2CRTURI}"
 DBGSCRIPT
 fi
 

diff --git a/tests/trsapssam b/tests/trsapssam
@@ -4,20 +4,13 @@
 
 source "${TESTSSRCDIR}/helpers.sh"
 
-#Need to enable this or genpkey fails because it can't output the private key
-sed -e "s/#pkcs11-module-encode-provider-uri-to-pem/pkcs11-module-encode-provider-uri-to-pem = true/" \
-    "${OPENSSL_CONF}" > "${OPENSSL_CONF}.rsapss_genpkey"
-OPENSSL_CONF=${OPENSSL_CONF}.rsapss_genpkey
-
-title PARA "Generate RSA PSS key restricted to SHA256"
-ossl '
-genpkey -propquery "?provider=pkcs11"
-        -algorithm "RSA-PSS" -pkeyopt "rsa_pss_keygen_md:SHA256"
-        -pkeyopt "pkcs11_uri:pkcs11:object=Test-RSA-PSS-Restrictions"'
+if [[ "${SUPPORT_ALLOWED_MECHANISMS}" = "0" ]]; then
+    exit 77;
+fi
 
-title PARA "DigestSign and DigestVerify with RSA PSS"
+title PARA "DigestSign and DigestVerify with RSA PSS (SHA256 restriction)"
 ossl '
-pkeyutl -sign -inkey "pkcs11:object=Test-RSA-PSS-Restrictions;type=private"
+pkeyutl -sign -inkey "${RSAPSS2PRIURI}"
               -digest sha256
               -pkeyopt pad-mode:pss
               -pkeyopt mgf1-digest:sha256
@@ -26,7 +19,7 @@ pkeyutl -sign -inkey "pkcs11:object=Test-RSA-PSS-Restrictions;type=private"
               -rawin
               -out ${TMPPDIR}/sha256-rsapps-genpkey-dgstsig.bin'
 ossl '
-pkeyutl -verify -inkey "pkcs11:object=Test-RSA-PSS-Restrictions;type=public" -pubin
+pkeyutl -verify -inkey "${RSAPSS2PUBURI}" -pubin
                 -digest sha256
                 -pkeyopt pad-mode:pss
                 -pkeyopt mgf1-digest:sha256
@@ -38,7 +31,7 @@ pkeyutl -verify -inkey "pkcs11:object=Test-RSA-PSS-Restrictions;type=public" -pu
 FAIL=0
 title PARA "Fail DigestSign with RSA PSS because of restricted Digest"
 ossl '
-pkeyutl -sign -inkey "pkcs11:object=Test-RSA-PSS-Restrictions;type=private"
+pkeyutl -sign -inkey "${RSAPSS2PRIURI}"
               -digest sha384
               -pkeyopt pad-mode:pss
               -pkeyopt mgf1-digest:sha384
@@ -59,16 +52,10 @@ if [ $FAIL -ne 0 ]; then
     exit 1
 fi
 
-title PARA "Generate RSA PSS key"
-ossl '
-genpkey -propquery "?provider=pkcs11"
-        -algorithm "RSA-PSS"
-        -pkeyopt "pkcs11_uri:pkcs11:object=Test-RSA-PSS-Only"'
-
 FAIL=0
 title PARA "Fail Signing with RSA PKCS1 mech and RSA-PSS key"
 ossl '
-pkeyutl -sign -inkey "pkcs11:object=Test-RSA-PSS-Only;type=private"
+pkeyutl -sign -inkey "${RSAPSSPRIURI}"
               -digest sha256
               -pkeyopt rsa_padding_mode:pkcs1
               -in ${RAND64FILE}

diff --git a/tests/ttls b/tests/ttls
@@ -108,27 +108,18 @@ run_tests() {
 
     if [[ -n "$RSAPSSPRIURI" ]]; then
         title PARA "Run sanity test with default values (RSA-PSS)"
-        TMPCA=${TMPPDIR}/tmpca
-        TMP_OPENSSL_CONF=${OPENSSL_CONF}
-        sed -e "s|^dir .*|dir = ${TMPCA}|" \
-            "${OPENSSL_CONF}" > "${OPENSSL_CONF}.tmpca"
-        export OPENSSL_CONF=${OPENSSL_CONF}.tmpca
-
-        mkdir -p "${TMPCA}/newcerts" "${TMPCA}/private"
-        if [ ! -e "${TMPCA}/serial" ]; then
-            echo "01" > "${TMPCA}/serial"
-        fi
-        touch "${TMPCA}/index.txt"
-
-        title PARA "Generating a new CSR with existing RSA-PSS key in token"
-        ossl 'req -batch -noenc -x509 -new -key ${RSAPSSPRIURI}
-            -sigopt rsa_padding_mode:pss
-            -sigopt digest:sha256
-            -sigopt rsa_pss_saltlen:-1
-            -out ${TMPCA}/rsapss-cacert.pem'
-        OPENSSL_CONF=${TMP_OPENSSL_CONF}
-
-        run_test "$RSAPSSPRIURI" "${TMPCA}/rsapss-cacert.pem"
+        selfsign_cert "${RSAPSSPRIURI}" "${TMPPDIR}/rsapss-default.pem" \
+            "-sigopt rsa_padding_mode:pss"
+
+        run_test "$RSAPSSPRIURI" "${TMPPDIR}/rsapss-default.pem"
+
+        title PARA "Run sanity test with RSA-PSS and SHA256"
+        selfsign_cert "${RSAPSS2PRIURI}" "${TMPPDIR}/rsapss-sha256.pem" \
+            "-sigopt rsa_padding_mode:pss" \
+            "-sigopt digest:sha256" \
+            "-sigopt rsa_pss_saltlen:-1"
+
+        run_test "$RSAPSS2PRIURI" "${TMPPDIR}/rsapss-sha256.pem"
     fi
 
     title PARA "Run sanity test with default values (ECDSA)"

diff --git a/tests/ttlsfuzzer b/tests/ttlsfuzzer
@@ -67,28 +67,13 @@ run_tests() {
 
         # do selfsign now using openssl as certool can not create SPKI using
         # RSA-PSS
-        TMPCA=${TMPPDIR}/tmpca
-        TMP_OPENSSL_CONF=${OPENSSL_CONF}
-        sed -e "s|^dir .*|dir = ${TMPCA}|" \
-            "${OPENSSL_CONF}" > "${OPENSSL_CONF}.tmpca"
-        export OPENSSL_CONF=${OPENSSL_CONF}.tmpca
-
-        mkdir -p "${TMPCA}/newcerts" "${TMPCA}/private"
-        if [ ! -e "${TMPCA}/serial" ]; then
-            echo "01" > "${TMPCA}/serial"
-        fi
-        touch "${TMPCA}/index.txt"
-
-        title PARA "Generating a new CSR with existing RSA-PSS key in token"
-        ossl 'req -batch -noenc -x509 -new -key ${RSAPSSPRIURI}
-            -sigopt rsa_padding_mode:pss
-            -sigopt digest:sha256
-            -sigopt rsa_pss_saltlen:-1
-            -out ${TMPCA}/rsapss-cacert.pem'
-        OPENSSL_CONF=${TMP_OPENSSL_CONF}
+        selfsign_cert "${RSAPSSPRIURI}" "${TMPPDIR}/rsapss-default.pem" \
+            "-sigopt rsa_padding_mode:pss" \
+            "-sigopt digest:sha256" \
+            "-sigopt rsa_pss_saltlen:-1"
 
         prepare_test cert.json.rsapss.in \
-            "$RSAPSSPRIURI" "${TMPCA}/rsapss-cacert.pem"
+            "$RSAPSSPRIURI" "${TMPPDIR}/rsapss-default.pem"
     fi
 
     title PARA "Prepare test for ECDSA"