From a7a9326f35a2c46ba06fe480bf0d53b6f29edf91 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Thu, 29 Nov 2018 17:20:37 +0100 Subject: [PATCH] Add simple Sanity test for pkcs11-tool sign&verify operations --- tests/Makefile.am | 6 +- tests/test-pkcs11-tool-sign-verify.sh | 175 ++++++++++++++++++++++++++ 2 files changed, 179 insertions(+), 2 deletions(-) create mode 100755 tests/test-pkcs11-tool-sign-verify.sh diff --git a/tests/Makefile.am b/tests/Makefile.am index 3d51b989..e88620a0 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -1,5 +1,7 @@ MAINTAINERCLEANFILES = $(srcdir)/Makefile.in -dist_noinst_SCRIPTS = test-manpage.sh +dist_noinst_SCRIPTS = test-manpage.sh \ + test-pkcs11-tool-sign-verify.sh -TESTS = test-manpage.sh +TESTS = test-manpage.sh \ + test-pkcs11-tool-sign-verify.sh diff --git a/tests/test-pkcs11-tool-sign-verify.sh b/tests/test-pkcs11-tool-sign-verify.sh new file mode 100755 index 00000000..a0b5bc52 --- /dev/null +++ b/tests/test-pkcs11-tool-sign-verify.sh @@ -0,0 +1,175 @@ +## from OpenSC/src/tests/p11test/runtest.sh +SOPIN="12345678" +PIN="123456" +PKCS11_TOOL="../src/tools/pkcs11-tool" +P11LIB="/usr/lib64/pkcs11/libsofthsm2.so" + +ERRORS=0 +function assert() { + if [[ $1 != 0 ]]; then + echo "====> ERROR: $2" + ERRORS=1 + fi +} + +function generate_key() { + TYPE="$1" + ID="$2" + LABEL="$3" + + # Generate key pair + $PKCS11_TOOL --keypairgen --key-type="$TYPE" --login --pin=$PIN \ + --module="$P11LIB" --label="$LABEL" --id=$ID + + if [[ "$?" -ne "0" ]]; then + echo "Couldn't generate $TYPE key pair" + return 1 + fi + + # Extract public key from the card + $PKCS11_TOOL --read-object --id $ID --type pubkey --output-file $ID.der \ + --module="$P11LIB" + + # convert it to more digestible PEM format + if [[ ${TYPE:0:3} == "RSA" ]]; then + openssl rsa -inform DER -outform PEM -in $ID.der -pubin > $ID.pub + else + openssl ec -inform DER -outform PEM -in $ID.der -pubin > $ID.pub + fi + rm $ID.der +} + +function card_setup() { + echo "directories.tokendir = .tokens/" > .softhsm2.conf + mkdir ".tokens" + export SOFTHSM2_CONF=".softhsm2.conf" + # Init token + softhsm2-util --init-token --slot 0 --label "SC test" --so-pin="$SOPIN" --pin="$PIN" + + # Generate 1024b RSA Key pair + generate_key "RSA:1024" "01" "RSA_auth" + # Generate 2048b RSA Key pair + generate_key "RSA:2048" "02" "RSA2048" + # Generate 256b ECC Key pair + # generate_key "EC:secp256r1" "03" "ECC_auth" + # Generate 521b ECC Key pair + # generate_key "EC:secp521r1" "04" "ECC521" + # TODO ECDSA keys tests +} + +function card_cleanup() { + rm .softhsm2.conf + rm -rf ".tokens" + rm 0{1,2}.pub +} + +echo "=======================================================" +echo "Setup SoftHSM" +echo "=======================================================" +if [[ ! -f $P11LIB ]]; then + echo "WARNINIG: The SoftHSM is not installed. Can not run this test" + exit 77; +fi +card_setup +echo "data to sign (max 100 bytes)" > data + +for HASH in "" "SHA1" "SHA224" "SHA256" "SHA384" "SHA512"; do + for SIGN_KEY in "01" "02"; do + METHOD="RSA-PKCS" + if [[ ! -z $HASH ]]; then + METHOD="$HASH-$METHOD" + fi + echo + echo "=======================================================" + echo "$METHOD: Sign & Verify (KEY $SIGN_KEY)" + echo "=======================================================" + $PKCS11_TOOL --id $SIGN_KEY -s -p $PIN -m $METHOD --module $P11LIB \ + --input-file data --output-file data.sig + assert $? "Failed to Sign data" + + # OpenSSL verification + if [[ -z $HASH ]]; then + openssl rsautl -verify -inkey $SIGN_KEY.pub -in data.sig -pubin + else + openssl dgst -keyform PEM -verify $SIGN_KEY.pub -${HASH,,*} \ + -signature data.sig data + fi + assert $? "Failed to Verify signature using OpenSSL" + + # pkcs11-tool verification + $PKCS11_TOOL --id $SIGN_KEY --verify -m $METHOD --module $P11LIB \ + --input-file data --signature-file data.sig + assert $? "Failed to Verify signature using pkcs11-tool" + rm data.sig + + METHOD="$METHOD-PSS" + if [[ "$HASH" == "SHA512" ]]; then + continue; # This one is broken + fi + + echo + echo "=======================================================" + echo "$METHOD: Sign & Verify (KEY $SIGN_KEY)" + echo "=======================================================" + if [[ -z $HASH ]]; then + # hashing is done outside of the module. We chouse here SHA256 + openssl dgst -binary -sha256 data > data.hash + HASH_ALGORITM="--hash-algorithm=SHA256" + VERIFY_DGEST="-sha256" + VERIFY_OPTS="-sigopt rsa_mgf1_md:sha256" + else + # hashing is done inside of the module + cp data data.hash + HASH_ALGORITM="" + VERIFY_DGEST="-${HASH,,*}" + VERIFY_OPTS="-sigopt rsa_mgf1_md:${HASH,,*}" + fi + $PKCS11_TOOL --id $SIGN_KEY -s -p $PIN -m $METHOD --module $P11LIB \ + $HASH_ALGORITM --salt-len=-1 \ + --input-file data.hash --output-file data.sig + assert $? "Failed to Sign data" + + # OpenSSL verification + openssl dgst -keyform PEM -verify $SIGN_KEY.pub $VERIFY_DGEST \ + -sigopt rsa_padding_mode:pss $VERIFY_OPTS -sigopt rsa_pss_saltlen:-1 \ + -signature data.sig data + assert $? "Failed to Verify signature using openssl" + + # pkcs11-tool verification + $PKCS11_TOOL --id $SIGN_KEY --verify -m $METHOD --module $P11LIB \ + $HASH_ALGORITM --salt-len=-1 \ + --input-file data.hash --signature-file data.sig + assert $? "Failed to Verify signature using pkcs11-tool" + rm data.{sig,hash} + done + + # Skip hashed algorithms (do not support encryption & decryption) + if [[ ! -z "$HASH" ]]; then + continue; + fi + METHOD="RSA-PKCS" + for ENC_KEY in "01" "02"; do + echo + echo "=======================================================" + echo "$METHOD: Encrypt & Decrypt (KEY $ENC_KEY)" + echo "=======================================================" + # OpenSSL Encryption + openssl rsautl -encrypt -inkey $ENC_KEY.pub -in data \ + -pubin -out data.crypt + assert $? "Failed to encrypt data using OpenSSL" + $PKCS11_TOOL --id $ENC_KEY --decrypt -p $PIN -m $METHOD \ + --module $P11LIB --input-file data.crypt > data.decrypted + diff data{,.decrypted} + assert $? "The decrypted data do not match the original" + rm data.{crypt,decrypted} + + # TODO pkcs11-tool encryption not supported + done +done + +echo "=======================================================" +echo "Cleanup" +echo "=======================================================" +card_cleanup + +exit $ERRORS