diff options
author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2020-05-09 12:44:32 -0700 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2020-05-09 13:18:20 -0700 |
commit | 8cbccaf4088b6883601fa87164cb2fff78a1f24f (patch) | |
tree | 9e0d866c757dddd8adfdc4f0b61ce8d833328c16 | |
parent | afec8169d57f735ddd2cd5edf93808d952ef7929 (diff) | |
download | openssl_tpm2_engine-8cbccaf4088b6883601fa87164cb2fff78a1f24f.tar.gz |
tests: add test for curves openssl doesn't support
Most TPMs support curves that openssl doesn't know. However, openssl
can explicitly parametrise them, so add a create_nonopenssl_ecc test
to create explicitly parametrised public keys and check they can
derive the same secret.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r-- | tests/Makefile.am | 1 | ||||
-rwxr-xr-x | tests/create_nonopenssl_ecc.sh | 30 |
2 files changed, 31 insertions, 0 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am index 9fd36be..9e4bf05 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -10,6 +10,7 @@ TESTS = fail_connect.sh \ check_old_keys.sh \ check_der.sh \ create_ecc.sh \ + create_nonopenssl_ecc.sh \ wrap_ecc.sh \ wrap_generic_ecc.sh \ wrap_pkcs12.sh \ diff --git a/tests/create_nonopenssl_ecc.sh b/tests/create_nonopenssl_ecc.sh new file mode 100755 index 0000000..d7adcc0 --- /dev/null +++ b/tests/create_nonopenssl_ecc.sh @@ -0,0 +1,30 @@ +#!/bin/bash + +bindir=${srcdir}/.. + +## +# test is +# create a private key with a non openssl curve +# 1. create two private tpm keys +# 2. get public keys from openssl for these (remember explicit) +# 3. derive a shared secret using priv1 and pub2 +# 4. derive a shared secret using priv2 and pub1 +# 5. check the secrets are identical +## + + +for curve in $(${bindir}/create_tpm2_key --list-curves); do + if openssl ecparam -name ${curve} 2>&1 | grep -v 'unknown curve'; then + continue + fi + echo "Checking curve ${curve}" + ${bindir}/create_tpm2_key --ecc ${curve} key1.tpm || \ + exit 1 + openssl pkey -engine tpm2 -inform engine -in key1.tpm -pubout -out key1.pub || exit 1 + ${bindir}/create_tpm2_key --ecc ${curve} key2.tpm || \ + exit 1 + openssl pkey -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub || exit 1 + openssl pkeyutl -engine tpm2 -keyform engine -inkey key1.tpm -peerkey key2.pub -derive -out secret1.bin || exit 1 + openssl pkeyutl -engine tpm2 -keyform engine -inkey key2.tpm -peerkey key1.pub -derive -out secret2.bin || exit 1 + diff -b secret1.bin secret2.bin || exit 1 +done |