dearsky/pico-hsm
1
0
Fork 0
Code Issues 17 Pull Requests 4 Actions Packages Projects Releases 26 Wiki Activity

Refactor tests

Browse Source 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
This commit is contained in:
Pol Henarejos
2023-10-09 00:34:50 +02:00
parent cb1bba4f13
commit c44d7db4e1
5 changed files with 102 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
tests/scripts/func.sh
View File

@@ -1,8 +1,11 @@
#!/bin/bash #!/bin/bash
OK="\033[32mok\033[0m"
FAIL="\033[31mfail\033[0m"
gen_and_check() { gen_and_check() {
e=$(pkcs11-tool -l --pin 648219 --keypairgen --key-type $1 --id 1 --label "TestLabel" 2>&1) e=$(pkcs11-tool -l --pin 648219 --keypairgen --key-type $1 --id 1 --label "TestLabel" 2>&1)
test $? -eq 0 || exit $? test $? -eq 0 && echo -n "." || exit $?
glabel="" glabel=""
case $1 in case $1 in
*"192"*) *"192"*)
@@ -25,13 +28,25 @@ gen_and_check() {
glabel="RSA ${bits} bits" glabel="RSA ${bits} bits"
;; ;;
esac esac
grep -q "${glabel}" <<< $e || exit $? grep -q "${glabel}" <<< $e && echo -n "." || exit $?
} }
gen_and_delete() { gen_and_delete() {
gen_and_check $1 gen_and_check $1
test $? -eq 0 && echo -n "." || exit $?
pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1 pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1
test $? -eq 0 && echo -n "." || exit $?
} }
reset() { reset() {
python3 tools/pico-hsm-tool.py --pin 648219 initialize --so-pin 57621880 --silent > /dev/null 2>&1 python3 tools/pico-hsm-tool.py --pin 648219 initialize --so-pin 57621880 --silent > /dev/null 2>&1
test $? -eq 0 || exit $? test $? -eq 0 || exit $?
} }
keygen_and_export() {
gen_and_check $1
test $? -eq 0 && echo -n "." || exit $?
pkcs11-tool --read-object --pin 648219 --id 1 --type pubkey > 1.der 2>/dev/null
test $? -eq 0 && echo -n "." || exit $?
IFS=: read -r mk bts <<< "$1"
openssl ${mk} -inform DER -outform PEM -in 1.der -pubin > 1.pub 2>/dev/null
test $? -eq 0 && echo -n "." || exit $?
}

15
tests/scripts/initialize.sh
View File

@@ -4,17 +4,20 @@ source ./tests/scripts/func.sh
reset reset
# Change SO-PIN # Change SO-PIN
echo -n " Test SO-PIN change..."
pkcs11-tool --login --login-type so --so-pin 3537363231383830 --change-pin --new-pin 0123456789012345 > /dev/null 2>&1 pkcs11-tool --login --login-type so --so-pin 3537363231383830 --change-pin --new-pin 0123456789012345 > /dev/null 2>&1
test $? -eq 0 && echo -n "." || exit $? test $? -eq 0 && echo -n "." || exit $?
pkcs11-tool --login --login-type so --so-pin 0123456789012345 --change-pin --new-pin 3537363231383830 > /dev/null 2>&1 pkcs11-tool --login --login-type so --so-pin 0123456789012345 --change-pin --new-pin 3537363231383830 > /dev/null 2>&1
test $? -eq 0 && echo -n "." || exit $? test $? -eq 0 && echo -e ".\t${OK}" || exit $?
# Change PIN # Change PIN
echo -n " Test PIN change..."
pkcs11-tool --login --pin 648219 --change-pin --new-pin 123456 > /dev/null 2>&1 pkcs11-tool --login --pin 648219 --change-pin --new-pin 123456 > /dev/null 2>&1
test $? -eq 0 && echo -n "." || exit $? test $? -eq 0 && echo -e ".\t${OK}" || exit $?
# Reset PIN # Reset PIN
echo -n " Test PIN reset..."
pkcs11-tool --login --login-type so --so-pin 3537363231383830 --init-pin --new-pin 648219 > /dev/null 2>&1 pkcs11-tool --login --login-type so --so-pin 3537363231383830 --init-pin --new-pin 648219 > /dev/null 2>&1
test $? -eq 0 && echo -n "." || exit $? test $? -eq 0 && echo -n "." || exit $?
@@ -23,9 +26,10 @@ pkcs11-tool --login --pin 648219 --change-pin --new-pin 123456 > /dev/null 2>&1
test $? -eq 0 && echo -n "." || exit $? test $? -eq 0 && echo -n "." || exit $?
pkcs11-tool --login --pin 123456 --change-pin --new-pin 648219 > /dev/null 2>&1 pkcs11-tool --login --pin 123456 --change-pin --new-pin 648219 > /dev/null 2>&1
test $? -eq 0 && echo -n "." || exit $? test $? -eq 0 && echo -e ".\t${OK}" || exit $?
# Wrong PIN (1st and 2nd PIN_INCORRECT, 3rd PIN_LOCKED) # Wrong PIN (1st and 2nd PIN_INCORRECT, 3rd PIN_LOCKED)
echo -n " Test wrong PIN attempts..."
e=$(pkcs11-tool --login --pin 123456 -I 2>&1) e=$(pkcs11-tool --login --pin 123456 -I 2>&1)
test $? -eq 1 && echo -n "." || exit $? test $? -eq 1 && echo -n "." || exit $?
grep -q CKR_PIN_INCORRECT <<< $e && echo -n "." || exit $? grep -q CKR_PIN_INCORRECT <<< $e && echo -n "." || exit $?
@@ -34,11 +38,12 @@ test $? -eq 1 && echo -n "." || exit $?
grep -q CKR_PIN_INCORRECT <<< $e && echo -n "." || exit $? grep -q CKR_PIN_INCORRECT <<< $e && echo -n "." || exit $?
e=$(pkcs11-tool --login --pin 123456 -I 2>&1) e=$(pkcs11-tool --login --pin 123456 -I 2>&1)
test $? -eq 1 && echo -n "." || exit $? test $? -eq 1 && echo -n "." || exit $?
grep -q CKR_PIN_LOCKED <<< $e && echo -n "." || exit $? grep -q CKR_PIN_LOCKED <<< $e && echo -e "\t${OK}" || exit $?
# Reset PIN # Reset PIN
echo -n " Test restore PIN..."
pkcs11-tool --login --login-type so --so-pin 3537363231383830 --init-pin --new-pin 648219 > /dev/null 2>&1 pkcs11-tool --login --login-type so --so-pin 3537363231383830 --init-pin --new-pin 648219 > /dev/null 2>&1
test $? -eq 0 && echo -n "." || exit $? test $? -eq 0 && echo -n "." || exit $?
pkcs11-tool --login --pin 648219 -I > /dev/null 2>&1 pkcs11-tool --login --pin 648219 -I > /dev/null 2>&1
test $? -eq 0 && echo -n "." || exit $? test $? -eq 0 && echo -e "\t${OK}" || exit $?

18
tests/scripts/keygen.sh
View File

@@ -4,14 +4,10 @@ source ./tests/scripts/func.sh
reset reset
test $? -eq 0 || exit $? test $? -eq 0 || exit $?
gen_and_delete "rsa:1024" && echo -n "." || exit $? algs=("rsa:1024" "rsa:2048" "ec:secp192r1" "ec:secp256r1" "ec:secp384r1" "ec:secp521r1" "ec:brainpoolP256r1" "ec:brainpoolP384r1" "ec:brainpoolP512r1" "ec:secp192k1" "ec:secp256k1")
gen_and_delete "rsa:2048" && echo -n "." || exit $? for alg in ${algs[*]}; do
gen_and_delete "ec:secp192r1" && echo -n "." || exit $? IFS=: read -r a s <<< "${alg}"
gen_and_delete "ec:secp256r1" && echo -n "." || exit $? au=$(awk '{print toupper($0)}' <<<${a})
gen_and_delete "ec:secp384r1" && echo -n "." || exit $? echo -n " Test ${au} ${s}..."
gen_and_delete "ec:secp521r1" && echo -n "." || exit $? gen_and_delete ${alg} && echo -e ".\t${OK}" || exit $?
gen_and_delete "ec:brainpoolP256r1" && echo -n "." || exit $? done
gen_and_delete "ec:brainpoolP384r1" && echo -n "." || exit $?
gen_and_delete "ec:brainpoolP512r1" && echo -n "." || exit $?
gen_and_delete "ec:secp192k1" && echo -n "." || exit $?
gen_and_delete "ec:secp256k1" && echo -n "." || exit $?

22
tests/scripts/pkcs11.sh
View File

@@ -1,13 +1,23 @@
#!/bin/bash #!/bin/bash
echo -n "Test initialization..." source ./tests/scripts/func.sh
echo "==== Test initialization ===="
./tests/scripts/initialize.sh ./tests/scripts/initialize.sh
test $? -eq 0 && echo -e '\tok' || (echo -e '\tfail' && exit 1) test $? -eq 0 || {
echo -e "\t${FAIL}"
exit 1
}
echo -n "Test keygen..." echo "==== Test keygen ===="
./tests/scripts/keygen.sh ./tests/scripts/keygen.sh
test $? -eq 0 && echo -e '\tok' || (echo -e '\tfail' && exit 1) test $? -eq 0 || {
echo -e "\t${FAIL}"
exit 1
}
echo -n "Test sign and verify..." echo "==== Test sign and verify ===="
./tests/scripts/sign_and_verify.sh ./tests/scripts/sign_and_verify.sh
test $? -eq 0 && echo -e '\tok' || (echo -e '\tfail' && exit 1) test $? -eq 0 || {
echo -e "\t${FAIL}"
exit 1
}

125
tests/scripts/sign_and_verify.sh
View File

@@ -9,24 +9,16 @@ echo ${TEST_DATA} > data
create_dgst() { create_dgst() {
openssl dgst -$1 -binary -out data.$1 data > /dev/null 2>&1 openssl dgst -$1 -binary -out data.$1 data > /dev/null 2>&1
}
create_dgst sha1
create_dgst sha224
create_dgst sha256
create_dgst sha384
create_dgst sha512
keygen_and_export() {
gen_and_check $1
test $? -eq 0 && echo -n "." || exit $?
pkcs11-tool --read-object --pin 648219 --id 1 --type pubkey > 1.der 2>/dev/null
test $? -eq 0 && echo -n "." || exit $?
IFS=: read -r mk bts <<< "$1"
openssl ${mk} -inform DER -outform PEM -in 1.der -pubin > 1.pub 2>/dev/null
test $? -eq 0 && echo -n "." || exit $? test $? -eq 0 && echo -n "." || exit $?
} }
dgsts=("sha1" "sha224" "sha256" "sha384" "sha512")
for dgst in ${dgsts[*]}; do
echo -n " Create digest ${dgst}..."
create_dgst ${dgst}
test $? -eq 0 && echo -e ".\t${OK}" || exit $?
done
# $1 sign mechanism # $1 sign mechanism
# $2 sign input file # $2 sign input file
# $3 sign parameters # $3 sign parameters
@@ -34,9 +26,9 @@ keygen_and_export() {
# $5 vrfy parameters # $5 vrfy parameters
sign_and_verify() { sign_and_verify() {
pkcs11-tool --id 1 --sign --pin 648219 --mechanism $1 -i $2 -o data.sig $3 > /dev/null 2>&1 pkcs11-tool --id 1 --sign --pin 648219 --mechanism $1 -i $2 -o data.sig $3 > /dev/null 2>&1
test $? -eq 0 || exit $? test $? -eq 0 && echo -n "." || exit $?
e=$(openssl pkeyutl -verify -pubin -inkey 1.pub -in $4 -sigfile data.sig $5 2>&1) e=$(openssl pkeyutl -verify -pubin -inkey 1.pub -in $4 -sigfile data.sig $5 2>&1)
test $? -eq 0 || exit $? test $? -eq 0 && echo -n "." || exit $?
grep -q "Signature Verified Successfully" <<< $e && echo -n "." || exit $? grep -q "Signature Verified Successfully" <<< $e && echo -n "." || exit $?
} }
@@ -61,62 +53,52 @@ sign_and_verify_rsa_pss_dgst() {
test $? -eq 0 && echo -n "." || exit $? test $? -eq 0 && echo -n "." || exit $?
} }
sign_and_verify_ec() {
sign_and_verify ECDSA data.sha1 "--signature-format openssl" data.sha1
sign_and_verify ECDSA data.sha224 "--signature-format openssl" data.sha224
sign_and_verify ECDSA data.sha256 "--signature-format openssl" data.sha256
sign_and_verify ECDSA data.sha384 "--signature-format openssl" data.sha384
sign_and_verify ECDSA data.sha512 "--signature-format openssl" data.sha512
}
sign_and_verify_ec_dgst() {
sign_and_verify ECDSA-SHA1 data "--signature-format openssl" data.sha1
sign_and_verify ECDSA-SHA224 data "--signature-format openssl" data.sha224
sign_and_verify ECDSA-SHA256 data "--signature-format openssl" data.sha256
sign_and_verify ECDSA-SHA384 data "--signature-format openssl" data.sha384
sign_and_verify ECDSA-SHA512 data "--signature-format openssl" data.sha512
}
keygen_sign_and_verify_ec() { keygen_sign_and_verify_ec() {
echo " Test ECDSA with $1"
echo -n " Keygen $1..."
keygen_and_export $1 keygen_and_export $1
sign_and_verify_ec test $? -eq 0 && echo -e ".\t${OK}" || exit $?
sign_and_verify_ec_dgst for dgst in ${dgsts[*]}; do
dgstu=$(awk '{print toupper($0)}' <<<${dgst})
echo -n " Test ECDSA with ${dgst} and $1..."
sign_and_verify ECDSA "data.${dgst}" "--signature-format openssl" data.${dgst}
test $? -eq 0 && echo -e ".\t${OK}" || exit $?
echo -n " Test ECDSA-${dgstu} with $1..."
sign_and_verify "ECDSA-${dgstu}" data "--signature-format openssl" data.${dgst}
test $? -eq 0 && echo -e ".\t${OK}" || exit $?
done
echo -n " Delete $1..."
pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1 pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1
test $? -eq 0 && echo -e ".\t${OK}" || exit $?
} }
echo -n '+' algs=("ec:secp192r1" "ec:secp256r1" "ec:secp384r1" "ec:secp521r1" "ec:brainpoolP256r1" "ec:brainpoolP384r1" "ec:brainpoolP512r1" "ec:secp192k1" "ec:secp256k1")
for alg in ${algs[*]}; do
keygen_sign_and_verify_ec "ec:secp192r1" && echo -n "+" || exit $? keygen_sign_and_verify_ec ${alg} || exit $?
keygen_sign_and_verify_ec "ec:secp256r1" && echo -n "+" || exit $? done
keygen_sign_and_verify_ec "ec:secp384r1" && echo -n "+" || exit $?
keygen_sign_and_verify_ec "ec:secp521r1" && echo -n "+" || exit $?
keygen_sign_and_verify_ec "ec:brainpoolP256r1" && echo -n "+" || exit $?
keygen_sign_and_verify_ec "ec:brainpoolP384r1" && echo -n "+" || exit $?
keygen_sign_and_verify_ec "ec:brainpoolP512r1" && echo -n "+" || exit $?
keygen_sign_and_verify_ec "ec:secp192k1" && echo -n "+" || exit $?
keygen_sign_and_verify_ec "ec:secp256k1" && echo -n "+" || exit $?
echo -n '+'
echo " Test RSA PKCS"
echo -n " Keygen rsa:2048..."
keygen_and_export "rsa:2048" keygen_and_export "rsa:2048"
test $? -eq 0 && echo -e ".\t${OK}" || exit $?
echo -n " Test RSA-PKCS..."
pkcs11-tool --id 1 --sign --pin 648219 --mechanism RSA-PKCS -i data -o data.sig > /dev/null 2>&1 pkcs11-tool --id 1 --sign --pin 648219 --mechanism RSA-PKCS -i data -o data.sig > /dev/null 2>&1
test $? -eq 0 && echo -n "." || exit $? test $? -eq 0 && echo -n "." || exit $?
e=$(openssl pkeyutl -verify -pubin -inkey 1.pub -in data -sigfile data.sig 2>&1) e=$(openssl pkeyutl -verify -pubin -inkey 1.pub -in data -sigfile data.sig 2>&1)
test $? -eq 0 && echo -n "." || exit $? test $? -eq 0 && echo -n "." || exit $?
grep -q "Signature Verified Successfully" <<< $e && echo -n "." || exit $? grep -q "Signature Verified Successfully" <<< $e && echo -e ".\t${OK}" || exit $?
echo -n "+" for dgst in ${dgsts[*]}; do
dgstu=$(awk '{print toupper($0)}' <<<${dgst})
sign_and_verify_rsa_pkcs sha1 echo -n " Test RSA-PKCS-${dgstu}..."
sign_and_verify_rsa_pkcs sha224 sign_and_verify_rsa_pkcs ${dgst}
sign_and_verify_rsa_pkcs sha256 test $? -eq 0 && echo -e ".\t${OK}" || exit $?
sign_and_verify_rsa_pkcs sha384 done
sign_and_verify_rsa_pkcs sha512
echo -n "+"
echo -n " Test RSA-X-509..."
cp data data_pad cp data data_pad
test $? -eq 0 && echo -n "." || exit $?
dd if=/dev/zero bs=1 count=227 >> data_pad > /dev/null 2>&1 dd if=/dev/zero bs=1 count=227 >> data_pad > /dev/null 2>&1
test $? -eq 0 && echo -n "." || exit $? test $? -eq 0 && echo -n "." || exit $?
pkcs11-tool --id 1 --sign --pin 648219 --mechanism RSA-X-509 -i data_pad -o data.sig > /dev/null 2>&1 pkcs11-tool --id 1 --sign --pin 648219 --mechanism RSA-X-509 -i data_pad -o data.sig > /dev/null 2>&1
@@ -125,22 +107,19 @@ TDATA=$(tr -d '\0' < <(openssl rsautl -verify -inkey 1.pub -in data.sig -pubin -
if [[ ${TEST_DATA} != "$TDATA" ]]; then if [[ ${TEST_DATA} != "$TDATA" ]]; then
exit 1 exit 1
fi fi
test $? -eq 0 && echo -e ".\t${OK}" || exit $?
echo -n "+" for dgst in ${dgsts[*]}; do
dgstu=$(awk '{print toupper($0)}' <<<${dgst})
#sign_and_verify_rsa_pss sha1 if [[ "${dgst}" != "sha1" ]]; then
sign_and_verify_rsa_pss sha224 echo -n " Test RSA-PKCS-PSS with ${dgst}..."
sign_and_verify_rsa_pss sha256 sign_and_verify_rsa_pss ${dgst}
sign_and_verify_rsa_pss sha384 test $? -eq 0 && echo -e ".\t${OK}" || exit $?
sign_and_verify_rsa_pss sha512 fi
echo -n " Test ${dgstu}-RSA-PKCS-PSS..."
echo -n "+" sign_and_verify_rsa_pss_dgst ${dgst}
test $? -eq 0 && echo -e ".\t${OK}" || exit $?
sign_and_verify_rsa_pss_dgst sha1 done
sign_and_verify_rsa_pss_dgst sha224
sign_and_verify_rsa_pss_dgst sha256
sign_and_verify_rsa_pss_dgst sha384
sign_and_verify_rsa_pss_dgst sha512
rm -rf data* 1.* rm -rf data* 1.*
pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1 pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1