authorJames Bottomley <James.Bottomley@HansenPartnership.com>2022-02-27 16:39:56 -0500
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2022-02-28 09:56:49 -0500
commit034c7733c643b06529515be228b974079ea10a99 (patch)
treebe27bd26ebd8f5928d0742e260d20bbc2b9bf59b
parentab988e0cf2b050159ead87d9a7f1d08f9905f853 (diff)
Add test for dynamic engine keys to detect possible use after free
Add a test to make sure that the engine isn't torn down while keys are currently active (this is succeeding for statically configured engines but failing for dynamic engines). Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r--tests/Makefile.am1
-rwxr-xr-xtests/dynamic_engine.sh29
2 files changed, 30 insertions, 0 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am
index b1ea531..c983389 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -26,6 +26,7 @@ TESTS += check_curves.sh \
check_rsa_oaep_pss.sh \
restricted_parent.sh \
seal_unseal.sh \
+ dynamic_engine.sh \
stop_sw_tpm.sh
fail_connect.sh: tpm_server_found
diff --git a/tests/dynamic_engine.sh b/tests/dynamic_engine.sh
new file mode 100755
index 0000000..d0a0615
--- /dev/null
+++ b/tests/dynamic_engine.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+set -x
+
+bindir=${srcdir}/..
+
+# to work with the dynamic engine, we unset the openssl.cnf that
+# specifies a built in engine
+unset OPENSSL_CONF
+export OPENSSL_ENGINES=${srcdir}/../.libs
+ln -s libtpm2.so ${OPENSSL_ENGINES}/tpm2.so
+
+testkey() {
+ openssl pkey -engine tpm2 -inform engine -in key.tpm -pubout -out key.pub || exit 1
+ # must be 32 bytes exactly for ECDSA signatures
+ echo -n "12345678901234567890123456789012" > tmp.plain
+ openssl pkeyutl -sign -engine tpm2 -keyform engine -in tmp.plain -inkey key.tpm -out tmp.msg || exit 1
+ openssl pkeyutl -verify -in tmp.plain -sigfile tmp.msg -inkey key.pub -pubin || exit 1
+}
+
+# check use of rsa key
+${bindir}/create_tpm2_key --rsa key.tpm || exit 1
+
+testkey
+
+${bindir}/create_tpm2_key --ec prime256v1 key.tpm || exit 1
+
+testkey
+
+exit 0
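Review bot: The `ln -s libtpm2.so ${OPENSSL_ENGINES}/tpm2.so` line is neither idempotent nor checked: on a re-run it fails because the link already exists, the script carries on (there is no `set -e`), and openssl loads whatever `tpm2.so` is already sitting in that directory. Since `OPENSSL_ENGINES` decides which shared object is loaded into the openssl process, I would guard and quote the path and force the link: `: "${srcdir:?srcdir must be set}"`, `export OPENSSL_ENGINES="${srcdir}/../.libs"`, `ln -sf libtpm2.so "${OPENSSL_ENGINES}/tpm2.so" || exit 1`. With `srcdir` unset the current code points the engine directory at `/../.libs` and tries to create the link there. Separately, a use after free only fails this test if it happens to crash or corrupt the openssl run; if the harness allows it, running the `testkey` commands under a memory checker would make the detection deterministic, and a short comment at the top of the script saying which failure the test is meant to catch would help the next reader.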