From a7a9326f35a2c46ba06fe480bf0d53b6f29edf91 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 29 Nov 2018 17:20:37 +0100
Subject: [PATCH] Add simple Sanity test for pkcs11-tool sign&verify operations

---
 tests/Makefile.am                     |   6 +-
 tests/test-pkcs11-tool-sign-verify.sh | 175 ++++++++++++++++++++++++++
 2 files changed, 179 insertions(+), 2 deletions(-)
 create mode 100755 tests/test-pkcs11-tool-sign-verify.sh

diff --git a/tests/Makefile.am b/tests/Makefile.am
index 3d51b989..e88620a0 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -1,5 +1,7 @@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
 
-dist_noinst_SCRIPTS = test-manpage.sh
+dist_noinst_SCRIPTS = test-manpage.sh \
+                      test-pkcs11-tool-sign-verify.sh
 
-TESTS = test-manpage.sh
+TESTS = test-manpage.sh \
+        test-pkcs11-tool-sign-verify.sh
diff --git a/tests/test-pkcs11-tool-sign-verify.sh b/tests/test-pkcs11-tool-sign-verify.sh
new file mode 100755
index 00000000..a0b5bc52
--- /dev/null
+++ b/tests/test-pkcs11-tool-sign-verify.sh
@@ -0,0 +1,175 @@
+## from OpenSC/src/tests/p11test/runtest.sh
+SOPIN="12345678"
+PIN="123456"
+PKCS11_TOOL="../src/tools/pkcs11-tool"
+P11LIB="/usr/lib64/pkcs11/libsofthsm2.so"
+
+ERRORS=0
+function assert() {
+	if [[ $1 != 0 ]]; then
+		echo "====> ERROR: $2"
+		ERRORS=1
+	fi
+}
+
+function generate_key() {
+	TYPE="$1"
+	ID="$2"
+	LABEL="$3"
+
+	# Generate key pair
+	$PKCS11_TOOL --keypairgen --key-type="$TYPE" --login --pin=$PIN \
+		--module="$P11LIB" --label="$LABEL" --id=$ID
+
+	if [[ "$?" -ne "0" ]]; then
+		echo "Couldn't generate $TYPE key pair"
+		return 1
+	fi
+
+	# Extract public key from the card
+	$PKCS11_TOOL --read-object --id $ID --type pubkey --output-file $ID.der \
+		--module="$P11LIB"
+
+	# convert it to more digestible PEM format
+	if [[ ${TYPE:0:3} == "RSA" ]]; then
+		openssl rsa -inform DER -outform PEM -in $ID.der -pubin > $ID.pub
+	else
+		openssl ec -inform DER -outform PEM -in $ID.der -pubin > $ID.pub
+	fi
+	rm $ID.der
+}
+
+function card_setup() {
+	echo "directories.tokendir = .tokens/" > .softhsm2.conf
+	mkdir ".tokens"
+	export SOFTHSM2_CONF=".softhsm2.conf"
+	# Init token
+	softhsm2-util --init-token --slot 0 --label "SC test" --so-pin="$SOPIN" --pin="$PIN"
+
+	# Generate 1024b RSA Key pair
+	generate_key "RSA:1024" "01" "RSA_auth"
+	# Generate 2048b RSA Key pair
+	generate_key "RSA:2048" "02" "RSA2048"
+	# Generate 256b ECC Key pair
+	# generate_key "EC:secp256r1" "03" "ECC_auth"
+	# Generate 521b ECC Key pair
+	# generate_key "EC:secp521r1" "04" "ECC521"
+	# TODO ECDSA keys tests
+}
+
+function card_cleanup() {
+	rm .softhsm2.conf
+	rm -rf ".tokens"
+	rm 0{1,2}.pub
+}
+
+echo "======================================================="
+echo "Setup SoftHSM"
+echo "======================================================="
+if [[ ! -f $P11LIB ]]; then
+    echo "WARNINIG: The SoftHSM is not installed. Can not run this test"
+    exit 77;
+fi
+card_setup
+echo "data to sign (max 100 bytes)" > data
+
+for HASH in "" "SHA1" "SHA224" "SHA256" "SHA384" "SHA512"; do
+    for SIGN_KEY in "01" "02"; do
+        METHOD="RSA-PKCS"
+        if [[ ! -z $HASH ]]; then
+            METHOD="$HASH-$METHOD"
+        fi
+        echo
+        echo "======================================================="
+        echo "$METHOD: Sign & Verify (KEY $SIGN_KEY)"
+        echo "======================================================="
+        $PKCS11_TOOL --id $SIGN_KEY -s -p $PIN -m $METHOD --module $P11LIB \
+               --input-file data --output-file data.sig
+        assert $? "Failed to Sign data"
+
+        # OpenSSL verification
+        if [[ -z $HASH ]]; then
+            openssl rsautl -verify -inkey $SIGN_KEY.pub -in data.sig -pubin
+        else
+            openssl dgst -keyform PEM -verify $SIGN_KEY.pub -${HASH,,*} \
+                   -signature data.sig data
+        fi
+        assert $? "Failed to Verify signature using OpenSSL"
+
+        # pkcs11-tool verification
+        $PKCS11_TOOL --id $SIGN_KEY --verify -m $METHOD --module $P11LIB \
+               --input-file data --signature-file data.sig
+        assert $? "Failed to Verify signature using pkcs11-tool"
+        rm data.sig
+
+        METHOD="$METHOD-PSS"
+        if [[ "$HASH" == "SHA512" ]]; then
+            continue; # This one is broken
+        fi
+
+        echo
+        echo "======================================================="
+        echo "$METHOD: Sign & Verify (KEY $SIGN_KEY)"
+        echo "======================================================="
+        if [[ -z $HASH ]]; then
+            # hashing is done outside of the module. We chouse here SHA256
+            openssl dgst -binary -sha256 data > data.hash
+            HASH_ALGORITM="--hash-algorithm=SHA256"
+            VERIFY_DGEST="-sha256"
+            VERIFY_OPTS="-sigopt rsa_mgf1_md:sha256"
+        else
+            # hashing is done inside of the module
+            cp data data.hash
+            HASH_ALGORITM=""
+            VERIFY_DGEST="-${HASH,,*}"
+            VERIFY_OPTS="-sigopt rsa_mgf1_md:${HASH,,*}"
+        fi
+        $PKCS11_TOOL --id $SIGN_KEY -s -p $PIN -m $METHOD --module $P11LIB \
+               $HASH_ALGORITM --salt-len=-1 \
+               --input-file data.hash --output-file data.sig
+        assert $? "Failed to Sign data"
+
+        # OpenSSL verification
+        openssl dgst -keyform PEM -verify $SIGN_KEY.pub $VERIFY_DGEST \
+               -sigopt rsa_padding_mode:pss  $VERIFY_OPTS -sigopt rsa_pss_saltlen:-1 \
+               -signature data.sig data
+        assert $? "Failed to Verify signature using openssl"
+
+        # pkcs11-tool verification
+        $PKCS11_TOOL --id $SIGN_KEY --verify -m $METHOD --module $P11LIB \
+               $HASH_ALGORITM --salt-len=-1 \
+               --input-file data.hash --signature-file data.sig
+        assert $? "Failed to Verify signature using pkcs11-tool"
+        rm data.{sig,hash}
+    done
+
+    # Skip hashed algorithms (do not support encryption & decryption)
+    if [[ ! -z "$HASH" ]]; then
+        continue;
+    fi
+    METHOD="RSA-PKCS"
+    for ENC_KEY in "01" "02"; do
+        echo
+        echo "======================================================="
+        echo "$METHOD: Encrypt & Decrypt (KEY $ENC_KEY)"
+        echo "======================================================="
+        # OpenSSL Encryption
+        openssl rsautl -encrypt -inkey $ENC_KEY.pub -in data \
+               -pubin -out data.crypt
+        assert $? "Failed to encrypt data using OpenSSL"
+        $PKCS11_TOOL --id $ENC_KEY --decrypt -p $PIN -m $METHOD \
+               --module $P11LIB --input-file data.crypt > data.decrypted
+        diff data{,.decrypted}
+        assert $? "The decrypted data do not match the original"
+        rm data.{crypt,decrypted}
+
+        # TODO pkcs11-tool encryption not supported
+    done
+done
+
+echo "======================================================="
+echo "Cleanup"
+echo "======================================================="
+card_cleanup
+
+exit $ERRORS