authorJames Bottomley <James.Bottomley@HansenPartnership.com>2019-02-27 08:34:48 -0800
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2019-02-27 08:34:48 -0800
commit80124356e2ed509cdaf4b0277cc71ce25e933f26 (patch)
treec8e58ea2e1a0ea3bc25170b16fea3f4c6bada26a
parent79b13381c1bd3176d93cdd6f9f79d7583e6e02ae (diff)
Elliptic Curve Signature Checks
Apparently this is somewhat hard to do: the pkcs11 engine from libp11 0.4.9 has the C_Sign routines stubbed out, so the only way of checking is with gnutls p11tool and, apparently, gnutls doesn't understand parametrised curves. Therefore, signature testing is limited to named curves until I can find another test programme. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rwxr-xr-xtests/init.sh24
-rwxr-xr-xtests/p11tool_checks.sh8
2 files changed, 29 insertions, 3 deletions
diff --git a/tests/init.sh b/tests/init.sh
index 7e566ae..584a375 100755
--- a/tests/init.sh
+++ b/tests/init.sh
@@ -13,11 +13,19 @@ openssl rsa -in key-pass.key -passin pass:Passw0rd -pubout -out key-pass.pub ||
##
# create engine key equivalents by changing the guards
##
-openssl pkcs8 -topk8 -in key-nopass.key -passout pass:Eng1ne -out tmp.key
+openssl pkcs8 -topk8 -in key-nopass.key -passout pass:Eng1ne -out tmp.key || exit 1
sed 's/ENCRYPTED PRIVATE KEY/TEST ENGINE PRIVATE KEY/' < tmp.key > key-engine.key
-
##
-# now create a config file naming the two keys
+# EC KEY
+##
+# named curve
+openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -aes-128-cbc -pass pass:Passw0rd -out key-p256.key || exit 1
+openssl pkey -in key-p256.key -passin pass:Passw0rd -pubout -out key-p256.pub || exit 1
+# parametrised curve
+openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:brainpoolP384r1 -pkeyopt ec_param_enc:explicit -aes-256-cfb -pass pass:Passw0rd -out key-bp.key || exit 1
+openssl pkey -in key-bp.key -passin pass:Passw0rd -pubout -out key-bp.pub || exit 1
+##
+# now create a config file naming the keys
##
cat >> ${OPENSSL_PKCS11_CONF} <<EOF
[key-pass]
@@ -36,4 +44,14 @@ engine = testengine
public key = ${srcdir}/key-pass.pub
private key = ${srcdir}/key-engine.key
+[key-p256]
+id = key-p256
+public key = ${srcdir}/key-p256.pub
+private key = ${srcdir}/key-p256.key
+
+[key-bp]
+id = key-bp
+public key = ${srcdir}/key-bp.pub
+private key = ${srcdir}/key-bp.key
+
EOF
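Review bot: The `|| exit 1` added to the pkcs8 call is not carried to the sed on the next line, which produces key-engine.key; this script appears to rely on explicit exit checks rather than `set -e` (not visible in the hunk), so a sed failure would leave an empty key-engine.key and surface later as a confusing engine-load error. Suggest `sed 's/ENCRYPTED PRIVATE KEY/TEST ENGINE PRIVATE KEY/' < tmp.key > key-engine.key || exit 1`. In the config hunk, the two new EC entries point at the passphrase-encrypted PEMs (key-p256.key, key-bp.key) directly, whereas key-pass points at the re-guarded key-engine.key; if that asymmetry is intentional, a one-line comment above the EC entries stating why the EC keys skip the guard rewrite would save the next reader from assuming a copy-paste slip.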
diff --git a/tests/p11tool_checks.sh b/tests/p11tool_checks.sh
index 1d3d447..da48734 100755
--- a/tests/p11tool_checks.sh
+++ b/tests/p11tool_checks.sh
@@ -16,3 +16,11 @@ export GNUTLS_PIN
for f in "" "--sign-params=RSA-PSS"; do
${P11TOOL} --test-sign ${f} 'pkcs11:manufacturer=openssl-pkcs11-export;token=key-pass;object=key-pass' || exit 1
done
+##
+# Elliptic curve checks
+##
+${P11TOOL} --test-sign 'pkcs11:manufacturer=openssl-pkcs11-export;token=key-p256;object=key-p256' || exit 1
+##
+# gnutls cannot currently handle parametrised curves, only named ones
+##
+#${P11TOOL} --test-sign 'pkcs11:manufacturer=openssl-pkcs11-export;token=key-bp;object=key-bp' || exit 1
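Review bot: The disabled brainpool check on the last line is a bare commented-out command with no tracked marker, so nothing will prompt anyone to re-enable it once gnutls handles explicit EC parameters; suggest turning the comment above it into `# TODO: re-enable once p11tool accepts explicit (parametrised) EC curves; see commit message`. The new p256 check also exercises only the default signing parameters, whereas the RSA loop above iterates over `--sign-params`; if the engine's EC path depends on the digest (not visible here), looping the p256 call over a couple of `--hash` values would give comparable coverage. Since p11tool's `--test-sign` is the only verifier here, a failing engine C_Sign that returns a well-formed but wrong signature would be caught only if p11tool verifies against the public key, which is worth confirming in a comment.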