diff --git a/tests/scripts/func.sh b/tests/scripts/func.sh
index fc52119..4a9b324 100755
--- a/tests/scripts/func.sh
+++ b/tests/scripts/func.sh
@@ -1,8 +1,11 @@
 #!/bin/bash
+OK="\033[32mok\033[0m"
+FAIL="\033[31mfail\033[0m"
+
 gen_and_check() {
 e=$(pkcs11-tool -l --pin 648219 --keypairgen --key-type $1 --id 1 --label "TestLabel" 2>&1)
- test $? -eq 0 || exit $?
+ test $? -eq 0 && echo -n "." || exit $?
 glabel=""
 case $1 in
 *"192"*)
@@ -25,13 +28,25 @@ gen_and_check() {
 glabel="RSA ${bits} bits"
 ;;
 esac
- grep -q "${glabel}" <<< $e || exit $?
+ grep -q "${glabel}" <<< $e && echo -n "." || exit $?
 }
 gen_and_delete() {
 gen_and_check $1
+ test $? -eq 0 && echo -n "." || exit $?
 pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1
+ test $? -eq 0 && echo -n "." || exit $?
 }
 reset() {
 python3 tools/pico-hsm-tool.py --pin 648219 initialize --so-pin 57621880 --silent > /dev/null 2>&1
 test $? -eq 0 || exit $?
 }
+
+keygen_and_export() {
+ gen_and_check $1
+ test $? -eq 0 && echo -n "." || exit $?
+ pkcs11-tool --read-object --pin 648219 --id 1 --type pubkey > 1.der 2>/dev/null
+ test $? -eq 0 && echo -n "." || exit $?
+ IFS=: read -r mk bts <<< "$1"
+ openssl ${mk} -inform DER -outform PEM -in 1.der -pubin > 1.pub 2>/dev/null
+ test $? -eq 0 && echo -n "." || exit $?
+}
diff --git a/tests/scripts/initialize.sh b/tests/scripts/initialize.sh
index 8f2ebc6..39426c8 100755
--- a/tests/scripts/initialize.sh
+++ b/tests/scripts/initialize.sh
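Review bot: The new `test $? -eq 0 && echo -n "." || exit $?` in gen_and_check exits with the status of `test` (always 1), not with pkcs11-tool's own exit code, so the runner in pkcs11.sh and any CI log can no longer tell which failure occurred; the replaced `|| exit $?` had the same weakness, and the new form additionally falls through to `exit` if the `echo` itself fails. Capture the status before testing it: `rv=$?; [[ $rv -eq 0 ]] || exit "$rv"; echo -n "."`. The same construct is added in every other hunk of this series (gen_and_delete and keygen_and_export below, initialize.sh, keygen.sh, sign_and_verify.sh), so a single helper in func.sh, e.g. `check() { local rv=$?; [[ $rv -eq 0 ]] || exit "$rv"; echo -n "."; }` called on the line after each command, would fix them all at once.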
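Review bot: keygen_and_export and gen_and_delete discard the tools' stderr (`2>/dev/null`, `> /dev/null 2>&1`), so a failed run leaves nothing but a dot trail and no way to attribute the error. gen_and_check already captures the tool output into `e`; the same pattern with the output printed on failure, e.g. `e=$(pkcs11-tool --read-object --pin 648219 --id 1 --type pubkey 2>&1 >1.der) || { printf '%s\n' "$e" >&2; exit 1; }`, would make the export step diagnosable (the `2>&1 >1.der` order keeps the DER on stdout going to the file while stderr is captured). The `test $? -eq 0 && echo -n "."` added right after `gen_and_check $1` in both functions can never fail, because gen_and_check exits on any error itself; it only emits a misleading extra dot. `bts` from `IFS=: read -r mk bts` is unused and could be `_`.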
@@ -4,17 +4,20 @@ source ./tests/scripts/func.sh
 reset
 # Change SO-PIN
+echo -n " Test SO-PIN change..."
 pkcs11-tool --login --login-type so --so-pin 3537363231383830 --change-pin --new-pin 0123456789012345 > /dev/null 2>&1
 test $? -eq 0 && echo -n "." || exit $?
 pkcs11-tool --login --login-type so --so-pin 0123456789012345 --change-pin --new-pin 3537363231383830 > /dev/null 2>&1
-test $? -eq 0 && echo -n "." || exit $?
+test $? -eq 0 && echo -e ".\t${OK}" || exit $?
 # Change PIN
+echo -n " Test PIN change..."
 pkcs11-tool --login --pin 648219 --change-pin --new-pin 123456 > /dev/null 2>&1
-test $? -eq 0 && echo -n "." || exit $?
+test $? -eq 0 && echo -e ".\t${OK}" || exit $?
 # Reset PIN
+echo -n " Test PIN reset..."
 pkcs11-tool --login --login-type so --so-pin 3537363231383830 --init-pin --new-pin 648219 > /dev/null 2>&1
 test $? -eq 0 && echo -n "." || exit $?
@@ -23,9 +26,10 @@ pkcs11-tool --login --pin 648219 --change-pin --new-pin 123456 > /dev/null 2>&1
 test $? -eq 0 && echo -n "." || exit $?
 pkcs11-tool --login --pin 123456 --change-pin --new-pin 648219 > /dev/null 2>&1
-test $? -eq 0 && echo -n "." || exit $?
+test $? -eq 0 && echo -e ".\t${OK}" || exit $?
 # Wrong PIN (1st and 2nd PIN_INCORRECT, 3rd PIN_LOCKED)
+echo -n " Test wrong PIN attempts..."
 e=$(pkcs11-tool --login --pin 123456 -I 2>&1)
 test $? -eq 1 && echo -n "." || exit $?
 grep -q CKR_PIN_INCORRECT <<< $e && echo -n "." || exit $?
@@ -34,11 +38,12 @@ test $? -eq 1 && echo -n "." || exit $?
 grep -q CKR_PIN_INCORRECT <<< $e && echo -n "." || exit $?
 e=$(pkcs11-tool --login --pin 123456 -I 2>&1)
 test $? -eq 1 && echo -n "." || exit $?
-grep -q CKR_PIN_LOCKED <<< $e && echo -n "." || exit $?
+grep -q CKR_PIN_LOCKED <<< $e && echo -e "\t${OK}" || exit $?
 # Reset PIN
+echo -n " Test restore PIN..."
 pkcs11-tool --login --login-type so --so-pin 3537363231383830 --init-pin --new-pin 648219 > /dev/null 2>&1
 test $? -eq 0 && echo -n "." || exit $?
 pkcs11-tool --login --pin 648219 -I > /dev/null 2>&1
-test $? -eq 0 && echo -n "." || exit $?
+test $? -eq 0 && echo -e "\t${OK}" || exit $?
diff --git a/tests/scripts/keygen.sh b/tests/scripts/keygen.sh
index a43cb97..0b59f71 100755
--- a/tests/scripts/keygen.sh
+++ b/tests/scripts/keygen.sh
@@ -4,14 +4,10 @@ source ./tests/scripts/func.sh
 reset
 test $? -eq 0 || exit $?
-gen_and_delete "rsa:1024" && echo -n "." || exit $?
-gen_and_delete "rsa:2048" && echo -n "." || exit $?
-gen_and_delete "ec:secp192r1" && echo -n "." || exit $?
-gen_and_delete "ec:secp256r1" && echo -n "." || exit $?
-gen_and_delete "ec:secp384r1" && echo -n "." || exit $?
-gen_and_delete "ec:secp521r1" && echo -n "." || exit $?
-gen_and_delete "ec:brainpoolP256r1" && echo -n "." || exit $?
-gen_and_delete "ec:brainpoolP384r1" && echo -n "." || exit $?
-gen_and_delete "ec:brainpoolP512r1" && echo -n "." || exit $?
-gen_and_delete "ec:secp192k1" && echo -n "." || exit $?
-gen_and_delete "ec:secp256k1" && echo -n "." || exit $?
+algs=("rsa:1024" "rsa:2048" "ec:secp192r1" "ec:secp256r1" "ec:secp384r1" "ec:secp521r1" "ec:brainpoolP256r1" "ec:brainpoolP384r1" "ec:brainpoolP512r1" "ec:secp192k1" "ec:secp256k1")
+for alg in ${algs[*]}; do
+ IFS=: read -r a s <<< "${alg}"
+ au=$(awk '{print toupper($0)}' <<<${a})
+ echo -n " Test ${au} ${s}..."
+ gen_and_delete ${alg} && echo -e ".\t${OK}" || exit $?
+done
diff --git a/tests/scripts/pkcs11.sh b/tests/scripts/pkcs11.sh
index 0c22f1c..3e15984 100755
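Review bot: `for alg in ${algs[*]}; do` in keygen.sh expands the array unquoted and relies on IFS word-splitting; it works only because no entry contains whitespace, and the same shape is repeated for the `dgsts` and `algs` loops in sign_and_verify.sh. The idiomatic form is `for alg in "${algs[@]}"; do`, with the call quoted as `gen_and_delete "${alg}" && echo -e ".\t${OK}" || exit $?`; since the file is bash, `au=${a^^}` replaces the awk subshell as well. The `IFS=: read -r a s <<< "${alg}"` line is fine: the prefix assignment scopes IFS to that read only.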
--- a/tests/scripts/pkcs11.sh
+++ b/tests/scripts/pkcs11.sh
@@ -1,13 +1,23 @@
 #!/bin/bash
-echo -n "Test initialization..."
+source ./tests/scripts/func.sh
+echo "==== Test initialization ===="
 ./tests/scripts/initialize.sh
-test $? -eq 0 && echo -e '\tok' || (echo -e '\tfail' && exit 1)
+test $? -eq 0 || {
+ echo -e "\t${FAIL}"
+ exit 1
+}
-echo -n "Test keygen..."
+echo "==== Test keygen ===="
 ./tests/scripts/keygen.sh
-test $? -eq 0 && echo -e '\tok' || (echo -e '\tfail' && exit 1)
+test $? -eq 0 || {
+ echo -e "\t${FAIL}"
+ exit 1
+}
-echo -n "Test sign and verify..."
+echo "==== Test sign and verify ===="
 ./tests/scripts/sign_and_verify.sh
-test $? -eq 0 && echo -e '\tok' || (echo -e '\tfail' && exit 1)
+test $? -eq 0 || {
+ echo -e "\t${FAIL}"
+ exit 1
+}
diff --git a/tests/scripts/sign_and_verify.sh b/tests/scripts/sign_and_verify.sh
index 6853ba2..a9c7581 100755
--- a/tests/scripts/sign_and_verify.sh
+++ b/tests/scripts/sign_and_verify.sh
@@ -9,24 +9,16 @@ echo ${TEST_DATA} > data
 create_dgst() {
 openssl dgst -$1 -binary -out data.$1 data > /dev/null 2>&1
-}
-
-create_dgst sha1
-create_dgst sha224
-create_dgst sha256
-create_dgst sha384
-create_dgst sha512
-
-keygen_and_export() {
- gen_and_check $1
- test $? -eq 0 && echo -n "." || exit $?
- pkcs11-tool --read-object --pin 648219 --id 1 --type pubkey > 1.der 2>/dev/null
- test $? -eq 0 && echo -n "." || exit $?
- IFS=: read -r mk bts <<< "$1"
- openssl ${mk} -inform DER -outform PEM -in 1.der -pubin > 1.pub 2>/dev/null
 test $? -eq 0 && echo -n "." || exit $?
 }
+dgsts=("sha1" "sha224" "sha256" "sha384" "sha512")
+for dgst in ${dgsts[*]}; do
+ echo -n " Create digest ${dgst}..."
+ create_dgst ${dgst}
+ test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+done
+
 # $1 sign mechanism
 # $2 sign input file
 # $3 sign parameters
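Review bot: The new `source ./tests/scripts/func.sh` in pkcs11.sh is unchecked, so when the runner is started from any directory other than the repository root the source fails, the script carries on with `${FAIL}` empty, and each sub-script then fails on its own relative path with no explanation; `source ./tests/scripts/func.sh || exit 1` (or a `cd "$(dirname "$0")/../.."` before it) would stop at the real cause. The three `exit 1` blocks also replace the sub-script's own exit status with 1; capturing it with `rv=$?` on the line before and ending the block with `exit "$rv"` keeps the code that initialize.sh, keygen.sh and sign_and_verify.sh went to some effort to propagate. The moved `{ ...; exit 1; }` group does fix the old subshell `( ... && exit 1)`, which never terminated the runner.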
@@ -34,9 +26,9 @@ keygen_and_export() {
 # $5 vrfy parameters
 sign_and_verify() {
 pkcs11-tool --id 1 --sign --pin 648219 --mechanism $1 -i $2 -o data.sig $3 > /dev/null 2>&1
- test $? -eq 0 || exit $?
+ test $? -eq 0 && echo -n "." || exit $?
 e=$(openssl pkeyutl -verify -pubin -inkey 1.pub -in $4 -sigfile data.sig $5 2>&1)
- test $? -eq 0 || exit $?
+ test $? -eq 0 && echo -n "." || exit $?
 grep -q "Signature Verified Successfully" <<< $e && echo -n "." || exit $?
 }
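Review bot: `$3` and `$5` in sign_and_verify are expanded unquoted on purpose, so that a parameter such as `"--signature-format openssl"` splits into two arguments, but neither the `# $3 sign parameters` / `# $5 vrfy parameters` header nor the body says so, and a routine quoting pass (ShellCheck SC2086) would silently break every ECDSA call in this series. Add to the header `# $3/$5 are expanded unquoted on purpose: they may carry several whitespace-separated options`, or pass the extra options as separate arguments. On a verification failure `e` holds openssl's diagnostic but it is never shown; `grep -q "Signature Verified Successfully" <<< $e && echo -n "." || { printf '%s\n' "$e" >&2; exit 1; }` would surface it. The pkcs11-tool sign step discards its stderr entirely, so a signing failure is even less diagnosable than a verification failure.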
@@ -61,62 +53,52 @@ sign_and_verify_rsa_pss_dgst() {
 test $? -eq 0 && echo -n "." || exit $?
 }
-sign_and_verify_ec() {
- sign_and_verify ECDSA data.sha1 "--signature-format openssl" data.sha1
- sign_and_verify ECDSA data.sha224 "--signature-format openssl" data.sha224
- sign_and_verify ECDSA data.sha256 "--signature-format openssl" data.sha256
- sign_and_verify ECDSA data.sha384 "--signature-format openssl" data.sha384
- sign_and_verify ECDSA data.sha512 "--signature-format openssl" data.sha512
-}
-
-sign_and_verify_ec_dgst() {
- sign_and_verify ECDSA-SHA1 data "--signature-format openssl" data.sha1
- sign_and_verify ECDSA-SHA224 data "--signature-format openssl" data.sha224
- sign_and_verify ECDSA-SHA256 data "--signature-format openssl" data.sha256
- sign_and_verify ECDSA-SHA384 data "--signature-format openssl" data.sha384
- sign_and_verify ECDSA-SHA512 data "--signature-format openssl" data.sha512
-}
-
 keygen_sign_and_verify_ec() {
+ echo " Test ECDSA with $1"
+ echo -n " Keygen $1..."
 keygen_and_export $1
- sign_and_verify_ec
- sign_and_verify_ec_dgst
+ test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+ for dgst in ${dgsts[*]}; do
+ dgstu=$(awk '{print toupper($0)}' <<<${dgst})
+ echo -n " Test ECDSA with ${dgst} and $1..."
+ sign_and_verify ECDSA "data.${dgst}" "--signature-format openssl" data.${dgst}
+ test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+ echo -n " Test ECDSA-${dgstu} with $1..."
+ sign_and_verify "ECDSA-${dgstu}" data "--signature-format openssl" data.${dgst}
+ test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+ done
+ echo -n " Delete $1..."
 pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1
+ test $? -eq 0 && echo -e ".\t${OK}" || exit $?
 }
-echo -n '+'
-
-keygen_sign_and_verify_ec "ec:secp192r1" && echo -n "+" || exit $?
-keygen_sign_and_verify_ec "ec:secp256r1" && echo -n "+" || exit $?
-keygen_sign_and_verify_ec "ec:secp384r1" && echo -n "+" || exit $?
-keygen_sign_and_verify_ec "ec:secp521r1" && echo -n "+" || exit $?
-keygen_sign_and_verify_ec "ec:brainpoolP256r1" && echo -n "+" || exit $?
-keygen_sign_and_verify_ec "ec:brainpoolP384r1" && echo -n "+" || exit $?
-keygen_sign_and_verify_ec "ec:brainpoolP512r1" && echo -n "+" || exit $?
-keygen_sign_and_verify_ec "ec:secp192k1" && echo -n "+" || exit $?
-keygen_sign_and_verify_ec "ec:secp256k1" && echo -n "+" || exit $?
-
-echo -n '+'
+algs=("ec:secp192r1" "ec:secp256r1" "ec:secp384r1" "ec:secp521r1" "ec:brainpoolP256r1" "ec:brainpoolP384r1" "ec:brainpoolP512r1" "ec:secp192k1" "ec:secp256k1")
+for alg in ${algs[*]}; do
+ keygen_sign_and_verify_ec ${alg} || exit $?
+done
+echo " Test RSA PKCS"
+echo -n " Keygen rsa:2048..."
 keygen_and_export "rsa:2048"
+test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+echo -n " Test RSA-PKCS..."
 pkcs11-tool --id 1 --sign --pin 648219 --mechanism RSA-PKCS -i data -o data.sig > /dev/null 2>&1
 test $? -eq 0 && echo -n "." || exit $?
 e=$(openssl pkeyutl -verify -pubin -inkey 1.pub -in data -sigfile data.sig 2>&1)
 test $? -eq 0 && echo -n "." || exit $?
-grep -q "Signature Verified Successfully" <<< $e && echo -n "." || exit $?
+grep -q "Signature Verified Successfully" <<< $e && echo -e ".\t${OK}" || exit $?
-echo -n "+"
-
-sign_and_verify_rsa_pkcs sha1
-sign_and_verify_rsa_pkcs sha224
-sign_and_verify_rsa_pkcs sha256
-sign_and_verify_rsa_pkcs sha384
-sign_and_verify_rsa_pkcs sha512
-
-echo -n "+"
+for dgst in ${dgsts[*]}; do
+ dgstu=$(awk '{print toupper($0)}' <<<${dgst})
+ echo -n " Test RSA-PKCS-${dgstu}..."
+ sign_and_verify_rsa_pkcs ${dgst}
+ test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+done
+echo -n " Test RSA-X-509..."
 cp data data_pad
+test $? -eq 0 && echo -n "." || exit $?
 dd if=/dev/zero bs=1 count=227 >> data_pad > /dev/null 2>&1
 test $? -eq 0 && echo -n "." || exit $?
 pkcs11-tool --id 1 --sign --pin 648219 --mechanism RSA-X-509 -i data_pad -o data.sig > /dev/null 2>&1
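Review bot: `dd if=/dev/zero bs=1 count=227 >> data_pad > /dev/null 2>&1`, directly under the new `cp data data_pad` check in the RSA-X-509 block, never pads data_pad: redirections are applied left to right, so stdout is first opened on data_pad and then re-pointed at /dev/null, and the 227 zero bytes go to /dev/null while data_pad stays a plain copy of `data`. The `test $? -eq 0` after it passes because dd itself succeeds, so whatever makes the RSA-X-509 sign/verify step pass today, it is not the padding this line was meant to add. The intended form is `dd if=/dev/zero bs=1 count=227 >> data_pad 2>/dev/null` (dd's transfer report is on stderr, so nothing else needs silencing). Separately, the `test $? -eq 0 && echo -e ".\t${OK}" || exit $?` added after `keygen_and_export $1` in keygen_sign_and_verify_ec and after `keygen_and_export "rsa:2048"` can never take the exit branch, since keygen_and_export exits on its own errors; an unconditional `echo -e ".\t${OK}"` says what actually happens.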
@@ -125,22 +107,19 @@ TDATA=$(tr -d '\0' < <(openssl rsautl -verify -inkey 1.pub -in data.sig -pubin -
 if [[ ${TEST_DATA} != "$TDATA" ]]; then
 exit 1
 fi
+test $? -eq 0 && echo -e ".\t${OK}" || exit $?
-echo -n "+"
-
-#sign_and_verify_rsa_pss sha1
-sign_and_verify_rsa_pss sha224
-sign_and_verify_rsa_pss sha256
-sign_and_verify_rsa_pss sha384
-sign_and_verify_rsa_pss sha512
-
-echo -n "+"
-
-sign_and_verify_rsa_pss_dgst sha1
-sign_and_verify_rsa_pss_dgst sha224
-sign_and_verify_rsa_pss_dgst sha256
-sign_and_verify_rsa_pss_dgst sha384
-sign_and_verify_rsa_pss_dgst sha512
+for dgst in ${dgsts[*]}; do
+ dgstu=$(awk '{print toupper($0)}' <<<${dgst})
+ if [[ "${dgst}" != "sha1" ]]; then
+ echo -n " Test RSA-PKCS-PSS with ${dgst}..."
+ sign_and_verify_rsa_pss ${dgst}
+ test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+ fi
+ echo -n " Test ${dgstu}-RSA-PKCS-PSS..."
+ sign_and_verify_rsa_pss_dgst ${dgst}
+ test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+done
 rm -rf data* 1.*
 pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1
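Review bot: The added `test $? -eq 0 && echo -e ".\t${OK}" || exit $?` after `fi` is vacuous: an `if` whose condition is false and has no `else` yields status 0, so the OK is printed unconditionally, while the real assertion is the `exit 1` inside the block, which prints nothing at all. Put the report in the conditional instead: `if [[ "${TEST_DATA}" != "$TDATA" ]]; then echo -e "\t${FAIL}" >&2; exit 1; fi` followed by a plain `echo -e ".\t${OK}"`. The cleanup `rm -rf data* 1.*` and the final key deletion run only on the success path, so any failure in this script leaves `1.der`, `1.pub`, `data.sig` and the key with id 1 behind; a `trap` on EXIT registered near the top of the script would cover both paths, and creating those files under a `mktemp -d` directory would keep the `data*` glob from touching unrelated entries in the caller's cwd. The PSS loop's `sha1` skip matches the previously commented-out `#sign_and_verify_rsa_pss sha1`, but the reason is now invisible; a one-line comment such as `# RSA-PKCS-PSS with sha1 is skipped on purpose (was disabled before the loop rewrite)` would preserve it.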