authorJames Bottomley <James.Bottomley@HansenPartnership.com>2020-05-09 12:44:32 -0700
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2020-05-09 13:18:20 -0700
commit8cbccaf4088b6883601fa87164cb2fff78a1f24f (patch)
tree9e0d866c757dddd8adfdc4f0b61ce8d833328c16
parentafec8169d57f735ddd2cd5edf93808d952ef7929 (diff)
downloadopenssl_tpm2_engine-8cbccaf4088b6883601fa87164cb2fff78a1f24f.tar.gz
tests: add test for curves openssl doesn't support
Most TPMs support curves that openssl doesn't know. However, openssl can explicitly parametrise them, so add a create_nonopenssl_ecc test to create explicitly parametrised public keys and check they can derive the same secret. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r--tests/Makefile.am1
-rwxr-xr-xtests/create_nonopenssl_ecc.sh30
2 files changed, 31 insertions, 0 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 9fd36be..9e4bf05 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -10,6 +10,7 @@ TESTS = fail_connect.sh \
check_old_keys.sh \
check_der.sh \
create_ecc.sh \
+ create_nonopenssl_ecc.sh \
wrap_ecc.sh \
wrap_generic_ecc.sh \
wrap_pkcs12.sh \
diff --git a/tests/create_nonopenssl_ecc.sh b/tests/create_nonopenssl_ecc.sh
new file mode 100755
index 0000000..d7adcc0
--- /dev/null
+++ b/tests/create_nonopenssl_ecc.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+bindir=${srcdir}/..
+
+##
+# test is
+# create a private key with a non openssl curve
+# 1. create two private tpm keys
+# 2. get public keys from openssl for these (remember explicit)
+# 3. derive a shared secret using priv1 and pub2
+# 4. derive a shared secret using priv2 and pub1
+# 5. check the secrets are identical
+##
+
+
+for curve in $(${bindir}/create_tpm2_key --list-curves); do
+ if openssl ecparam -name ${curve} 2>&1 | grep -v 'unknown curve'; then
+ continue
+ fi
+ echo "Checking curve ${curve}"
+ ${bindir}/create_tpm2_key --ecc ${curve} key1.tpm || \
+ exit 1
+ openssl pkey -engine tpm2 -inform engine -in key1.tpm -pubout -out key1.pub || exit 1
+ ${bindir}/create_tpm2_key --ecc ${curve} key2.tpm || \
+ exit 1
+ openssl pkey -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub || exit 1
+ openssl pkeyutl -engine tpm2 -keyform engine -inkey key1.tpm -peerkey key2.pub -derive -out secret1.bin || exit 1
+ openssl pkeyutl -engine tpm2 -keyform engine -inkey key2.tpm -peerkey key1.pub -derive -out secret2.bin || exit 1
+ diff -b secret1.bin secret2.bin || exit 1
+done
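Review bot: The skip condition on the `if openssl ecparam -name ${curve} 2>&1 | grep -v 'unknown curve'` line can silently skip the very curves the test exists for: `grep -v` succeeds when any output line lacks the phrase, and on an unknown curve openssl typically prints an error-stack line after "unknown curve name", so the loop hits `continue` for every curve and the test passes vacuously (exact output depends on the openssl version, so this should be confirmed). Relying on the exit status is unambiguous and also stops the grep output from leaking into the test log: `if openssl ecparam -name "${curve}" >/dev/null 2>&1; then continue; fi`. Since a vacuous pass is the failure mode here, it is worth counting the curves actually exercised and exiting non-zero at the end if the count is zero, so a regression in curve detection cannot masquerade as success. The final `diff -b secret1.bin secret2.bin` compares binary secrets while ignoring whitespace differences; `cmp secret1.bin secret2.bin || exit 1` is the exact byte comparison the derivation check needs.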