authorJames Bottomley <James.Bottomley@HansenPartnership.com>2023-03-16 15:43:20 -0400
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2023-03-17 12:18:45 -0400
commit989c6cc75c953b5c580324d2c5ca77e912ea67a2 (patch)
tree06b90dd78991d696feee209b15f6b4554ef69f41
parent83798b7a24a3f03737c32595abbe67aa235769dd (diff)
downloadopenssl_tpm2_engine-989c6cc75c953b5c580324d2c5ca77e912ea67a2.tar.gz
tests: make engine specification and inputs variables
Essentially this means modifying the engine tests to specify a provider or an engine. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rwxr-xr-xtests/check_auth.sh4
-rwxr-xr-xtests/check_counter_timer.sh6
-rwxr-xr-xtests/check_der.sh4
-rwxr-xr-xtests/check_enhanced_auth.sh36
-rwxr-xr-xtests/check_importable.sh8
-rwxr-xr-xtests/check_old_keys.sh4
-rwxr-xr-xtests/check_rsa_oaep_pss.sh8
-rwxr-xr-xtests/check_signed_policies.sh14
-rwxr-xr-xtests/check_tpm_directory.sh4
-rwxr-xr-xtests/check_wrap_auth.sh4
-rwxr-xr-xtests/create_ecc.sh2
-rwxr-xr-xtests/create_non_tpm_keys.sh6
-rwxr-xr-xtests/create_nonopenssl_ecc.sh8
-rwxr-xr-xtests/create_tpm_key.sh6
-rwxr-xr-xtests/create_tpm_key_auth.sh6
-rwxr-xr-xtests/da_check.sh6
-rwxr-xr-xtests/derive_ecc.sh4
-rwxr-xr-xtests/dynamic_engine.sh4
-rw-r--r--tests/engine/Makefile.am6
-rwxr-xr-xtests/fail_connect.sh32
-rwxr-xr-xtests/restricted_parent.sh10
-rwxr-xr-xtests/test_nv_key.sh18
-rwxr-xr-xtests/wrap_ecc.sh4
-rwxr-xr-xtests/wrap_generic_ecc.sh2
-rwxr-xr-xtests/wrap_pkcs12.sh2
-rwxr-xr-xtests/wrap_tpm_key.sh4
26 files changed, 108 insertions, 104 deletions
diff --git a/tests/check_auth.sh b/tests/check_auth.sh
index e6cc50f..3e717ad 100755
--- a/tests/check_auth.sh
+++ b/tests/check_auth.sh
@@ -8,7 +8,7 @@
# 3. encode a message using the TPM key
# 4. verify the message through the public key
${bindir}/create_tpm2_key -a -k passw0rd key2.tpm && \
-openssl rsa -engine tpm2 -inform engine -pubin -in key2.tpm -pubout -out key2.pub && \
-echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
+openssl rsa $ENGINE $INFORM -pubin -in key2.tpm -pubout -out key2.pub && \
+echo "This is a message" | openssl rsautl -sign $ENGINE $KEYFORM -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin
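Review bot: Every `$ENGINE`, `$INFORM` and `$KEYFORM` here is deliberately left unquoted so the harness value (`-engine tpm2`) word-splits into option and argument, but nothing in the script checks that the harness exported them, so a run outside `make check` silently invokes plain openssl against the TPM blob. In this file that only produces a loud failure, but in the negative tests that end with `&& exit 1` (check_enhanced_auth.sh, check_importable.sh, check_signed_policies.sh) an unset variable makes the expected failure pass vacuously. A guard that tolerates an empty value (a provider configuration may legitimately leave `INFORM`/`KEYFORM` empty) near the top of each script, or in whatever prelude they share, would close that: `: "${ENGINE?ENGINE must be exported by the test harness}"` and likewise for `KEYFORM` and `INFORM`. A one-line `# shellcheck disable=SC2086 -- $ENGINE/$INFORM/$KEYFORM hold option+argument and must word-split` would also explain the unquoted expansions to the next reader.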
diff --git a/tests/check_counter_timer.sh b/tests/check_counter_timer.sh
index ac87009..eb2b69e 100755
--- a/tests/check_counter_timer.sh
+++ b/tests/check_counter_timer.sh
@@ -28,8 +28,8 @@ echo "00080009" >> policy.txt
##
echo "policy counter timer" > plain.txt
${bindir}/create_tpm2_key key.tpm -a -k paSSW0RD -c policy.txt && \
-openssl rsa -engine tpm2 -inform engine -pubin -in key.tpm -pubout -out key.pub && \
-openssl pkeyutl -sign -in plain.txt -passin pass:paSSW0RD -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && \
+openssl rsa $ENGINE $INFORM -pubin -in key.tpm -pubout -out key.pub && \
+openssl pkeyutl -sign -in plain.txt -passin pass:paSSW0RD $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg && \
openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1
##
@@ -44,7 +44,7 @@ tssclockset -hi o -clock ${clock} || exit 1
# now the signing operation should fail
##
echo "Check key failure due to counter timer policy"
-openssl pkeyutl -sign -in plain.txt -passin pass:paSSW0RD -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg 2> tmp.txt && exit 1
+openssl pkeyutl -sign -in plain.txt -passin pass:paSSW0RD $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg 2> tmp.txt && exit 1
# check we got the right failure message
grep "Policy Failure: Counter Timer at offset 8 is not <=" tmp.txt
diff --git a/tests/check_der.sh b/tests/check_der.sh
index c06516b..79ab008 100755
--- a/tests/check_der.sh
+++ b/tests/check_der.sh
@@ -10,7 +10,7 @@
# 5. verify the message through the public key
${bindir}/create_tpm2_key -a -k passw0rd key2.tpm && \
openssl asn1parse -in key2.tpm -out key2.der && \
-openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.der -pubout -out key2.pub && \
-echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.der -passin pass:passw0rd -out tmp.msg && \
+openssl rsa $ENGINE $INFORM -passin pass:passw0rd -in key2.der -pubout -out key2.pub && \
+echo "This is a message" | openssl rsautl -sign $ENGINE $KEYFORM -inkey key2.der -passin pass:passw0rd -out tmp.msg && \
openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin
diff --git a/tests/check_enhanced_auth.sh b/tests/check_enhanced_auth.sh
index 19865c7..240a338 100755
--- a/tests/check_enhanced_auth.sh
+++ b/tests/check_enhanced_auth.sh
@@ -18,7 +18,7 @@ fi
${bindir}/create_tpm2_key key.tpm -c ${testdir}/policies/policy_bogus.txt
a=0; while [ $a -lt 5 ]; do
a=$[$a+1]
- echo "This is a message" | openssl pkeyutl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && exit 1
+ echo "This is a message" | openssl pkeyutl -sign $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg && exit 1
done
##
@@ -51,8 +51,8 @@ for h in "sha1" "" "sha384"; do
# 4. verify the message through the public key
echo "This is a Message" > plain.txt
${bindir}/create_tpm2_key ${n} -a -k passw0rd key2.tpm -c ${testdir}/policies/policy_authvalue.txt && \
- openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
- openssl pkeyutl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -in plain.txt -out tmp.msg && \
+ openssl rsa $ENGINE $INFORM -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
+ openssl pkeyutl -sign $ENGINE $KEYFORM -inkey key2.tpm -passin pass:passw0rd -in plain.txt -out tmp.msg && \
openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub -pubin || exit 1
##
@@ -66,8 +66,8 @@ for h in "sha1" "" "sha384"; do
${tss_pcrreset_cmd} -ha 16
${tss_pcrextend_cmd} -ha 16 -ic aaa
${bindir}/create_tpm2_key ${n} key2.tpm -c ${testdir}/policies/policy_pcr${h}.txt && \
- openssl rsa -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub && \
- openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \
+ openssl rsa $ENGINE $INFORM -in key2.tpm -pubout -out key2.pub && \
+ openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key2.tpm -out tmp.msg && \
openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub -pubin || exit 1
##
@@ -79,8 +79,8 @@ for h in "sha1" "" "sha384"; do
# 5. verify the message through the public key
${tss_pcrreset_cmd} -ha 16
${bindir}/create_tpm2_key ${n} key2.tpm -c ${testdir}/policies/policy_pcr${h}.txt
- openssl rsa -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub && \
- openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \
+ openssl rsa $ENGINE $INFORM -in key2.tpm -pubout -out key2.pub && \
+ openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key2.tpm -out tmp.msg && \
openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub -pubin
if [ $? -ne 1 ]; then
echo "TPM key should not be accessible"
@@ -99,8 +99,8 @@ for h in "sha1" "" "sha384"; do
${tss_pcrreset_cmd} -ha 16
${tss_pcrextend_cmd} -ha 16 -ic aaa
${bindir}/create_tpm2_key ${n} -a -k passw0rd key2.tpm -c policy_authvalue_pcr.txt && \
- openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
- openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
+ openssl rsa $ENGINE $INFORM -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
+ openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub -pubin || exit 1
##
@@ -115,8 +115,8 @@ for h in "sha1" "" "sha384"; do
${tss_pcrreset_cmd} -ha 16
${tss_pcrextend_cmd} -ha 16 -ic aaa
${bindir}/create_tpm2_key ${n} -a -k passw0rd key2.tpm -c policy_pcr_authvalue.txt && \
- openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
- openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
+ openssl rsa $ENGINE $INFORM -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
+ openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub -pubin || exit 1
##
@@ -127,25 +127,25 @@ for h in "sha1" "" "sha384"; do
# 4. extend mentioned PCR and verify key fails
##
${bindir}/create_tpm2_key ${n} -a -k passw0rd key.tpm --pcr-lock 1,2,3-15,17-23 --pcr-lock sha1:1-4 --pcr-lock sha384:10-20 || exit 1
- openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key.tpm -pubout -out key.pub || exit 1
- openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg || exit 1
+ openssl rsa $ENGINE $INFORM -passin pass:passw0rd -in key.tpm -pubout -out key.pub || exit 1
+ openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key.tpm -passin pass:passw0rd -out tmp.msg || exit 1
openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1
${tss_pcrextend_cmd} -ha 16 -ic $RANDOM
${tss_pcrextend_cmd} -ha 5 -halg sha1 -ic $RANDOM
${tss_pcrextend_cmd} -ha 9 -halg sha384 -ic $RANDOM
- openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg || exit 1
+ openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key.tpm -passin pass:passw0rd -out tmp.msg || exit 1
openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1
${tss_pcrextend_cmd} -ha 1 -halg sha1 -ic $RANDOM
- openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg && exit 1
+ openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key.tpm -passin pass:passw0rd -out tmp.msg && exit 1
##
# Check a smaller PCR lock with no auth
##
${bindir}/create_tpm2_key ${n} --pcr-lock 2,4,7,10 --pcr-lock sha1:1,3 key.tpm || exit 1
- openssl rsa -engine tpm2 -inform engine -in key.tpm -pubout -out key.pub || exit 1
- openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg || exit 1
+ openssl rsa $ENGINE $INFORM -in key.tpm -pubout -out key.pub || exit 1
+ openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg || exit 1
openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1
${tss_pcrextend_cmd} -ha 4 -halg sha256 -ic $RANDOM
- echo "This is a message" | openssl pkeyutl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && exit 1
+ echo "This is a message" | openssl pkeyutl -sign $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg && exit 1
done
exit 0
diff --git a/tests/check_importable.sh b/tests/check_importable.sh
index b2c15ab..72faec5 100755
--- a/tests/check_importable.sh
+++ b/tests/check_importable.sh
@@ -15,13 +15,13 @@ for n in sha1 sha256 sha384; do
# check an EC key with a cert and password
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out key.priv || exit 1
${bindir}/create_tpm2_key --import srk.pub --wrap key.priv -n ${n} -a -k passw0rd key.tpm || exit 1
- openssl req -new -x509 -subj '/CN=test/' -key key.tpm -passin pass:passw0rd -engine tpm2 -keyform engine -out tmp.crt || exit 1
+ openssl req -new -x509 -subj '/CN=test/' -key key.tpm -passin pass:passw0rd $ENGINE $KEYFORM -out tmp.crt || exit 1
openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || exit 1
# Check the loadability of an importable key
NV=81000201
${bindir}/load_tpm2_key key.tpm ${NV} || exit 1
- openssl req -new -x509 -subj '/CN=test/' -key //nvkey:${NV} -passin pass:passw0rd -engine tpm2 -keyform engine -out tmp.crt || exit 1
+ openssl req -new -x509 -subj '/CN=test/' -key //nvkey:${NV} -passin pass:passw0rd $ENGINE $KEYFORM -out tmp.crt || exit 1
openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || exit 1
tssevictcontrol -hi o -ho ${NV} -hp ${NV}
@@ -29,8 +29,8 @@ for n in sha1 sha256 sha384; do
openssl genrsa 2048 > key.priv || exit 1
tsspcrreset -ha 16
${bindir}/create_tpm2_key --import srk.pub -n ${n} --wrap key.priv -c ${POLICYFILE} key.tpm || exit 1
- openssl req -new -x509 -subj '/CN=test/' -key key.tpm -engine tpm2 -keyform engine -out tmp.crt && exit 1
+ openssl req -new -x509 -subj '/CN=test/' -key key.tpm $ENGINE $KEYFORM -out tmp.crt && exit 1
tsspcrextend -ha 16 -ic aaa
- openssl req -new -x509 -subj '/CN=test/' -key key.tpm -engine tpm2 -keyform engine -out tmp.crt || exit 1
+ openssl req -new -x509 -subj '/CN=test/' -key key.tpm $ENGINE $KEYFORM -out tmp.crt || exit 1
openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || exit 1
done
diff --git a/tests/check_old_keys.sh b/tests/check_old_keys.sh
index b5778a2..0840b97 100755
--- a/tests/check_old_keys.sh
+++ b/tests/check_old_keys.sh
@@ -13,6 +13,6 @@
openssl genrsa 2048 > key1.priv && \
${bindir}/create_tpm2_key --deprecated -a -k passw0rd -p 81000001 -w key1.priv key1.tpm && \
grep -e "-----BEGIN TSS2 KEY BLOB-----" key1.tpm && \
-openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key1.tpm -pubout -out key1.pub && \
-echo "This is another message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key1.tpm -passin pass:passw0rd -out tmp.msg && \
+openssl rsa $ENGINE $INFORM -passin pass:passw0rd -in key1.tpm -pubout -out key1.pub && \
+echo "This is another message" | openssl rsautl -sign $ENGINE $KEYFORM -inkey key1.tpm -passin pass:passw0rd -out tmp.msg && \
openssl rsautl -verify -in tmp.msg -inkey key1.pub -pubin
diff --git a/tests/check_rsa_oaep_pss.sh b/tests/check_rsa_oaep_pss.sh
index b0ecdba..f1e971b 100755
--- a/tests/check_rsa_oaep_pss.sh
+++ b/tests/check_rsa_oaep_pss.sh
@@ -1,24 +1,24 @@
#!/bin/bash
-
+set -x
openssl genrsa 2048 > key.priv || exit 1
openssl rsa -in key.priv -out key.pub -pubout || exit 1
${bindir}/create_tpm2_key --wrap key.priv -a -k passw0rd key.tpm || exit 1
echo "Checked encryption of OAEP PSS" > tmp.txt
openssl rsautl -encrypt -oaep -in tmp.txt -out tmp.msg -inkey key.pub -pubin || exit 1
-openssl rsautl -decrypt -oaep -in tmp.msg -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passw0rd || exit 1
+openssl rsautl -decrypt -oaep -in tmp.msg $ENGINE $KEYFORM -inkey key.tpm -passin pass:passw0rd || exit 1
##
# this PSS signature will be padded manually and done as an unpadded encrypt
# by the TPM
##
openssl sha256 -out tmp.md -binary tmp.txt || exit 1
-openssl pkeyutl -sign -engine tpm2 -keyform engine -inkey key.tpm -pkeyopt rsa_padding_mode:pss -pkeyopt digest:sha256 -pkeyopt rsa_mgf1_md:sha256 -in tmp.md -out tmp.msg -passin pass:passw0rd || exit 1
+openssl pkeyutl -sign $ENGINE $KEYFORM -inkey key.tpm -pkeyopt rsa_padding_mode:pss -pkeyopt digest:sha256 -pkeyopt rsa_mgf1_md:sha256 -in tmp.md -out tmp.msg -passin pass:passw0rd || exit 1
# OpenSSL bug in some versions returns false for correct signature
openssl pkeyutl -verify -inkey key.pub -pubin -pkeyopt rsa_padding_mode:pss -pkeyopt digest:sha256 -pkeyopt rsa_mgf1_md:sha256 -in tmp.md -sigfile tmp.msg|grep 'Signature Verified Successfully'|| exit 1
##
# finally an OAEP encrypt which triggers an unpadded decrypt
##
openssl pkeyutl -encrypt -inkey key.pub -pubin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -in tmp.txt -out tmp.msg || exit 1
-openssl pkeyutl -decrypt -engine tpm2 -keyform engine -inkey key.tpm -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -in tmp.msg -out recover.txt -passin pass:passw0rd || exit 1
+openssl pkeyutl -decrypt $ENGINE $KEYFORM -inkey key.tpm -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -in tmp.msg -out recover.txt -passin pass:passw0rd || exit 1
diff -q tmp.txt recover.txt || exit 1
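Review bot: The `set -x` added on line 2 is not mentioned in the commit message and reads like debugging that was left in; the same line is added to create_non_tpm_keys.sh, create_tpm_key.sh and create_tpm_key_auth.sh. With tracing on, every `-passin pass:passw0rd` argument, and in create_tpm_key_auth.sh the `auth=` and `export SRKPIN` assignments, is echoed into the test log, which is harmless for these fixture values but makes the logs noisy and would matter if a real authorisation value ever reached a test environment. If the trace is wanted, keep it with a comment such as `set -x  # trace the openssl command lines so the selected back end is visible in the log`; otherwise drop it in all four files.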
diff --git a/tests/check_signed_policies.sh b/tests/check_signed_policies.sh
index b3eaddf..46405d3 100755
--- a/tests/check_signed_policies.sh
+++ b/tests/check_signed_policies.sh
@@ -36,7 +36,7 @@ for alg in EC RSA; do
fi
openssl pkey -in policy.key -pubout -out policy.pub
${bindir}/create_tpm2_key ${n} --signed-policy policy.pub key.tpm || exit 1
- openssl pkeyutl -sign -engine tpm2 -keyform engine -inkey key.tpm -in plain.txt -out tmp.msg && exit 1
+ openssl pkeyutl -sign $ENGINE $KEYFORM -inkey key.tpm -in plain.txt -out tmp.msg && exit 1
echo ${DATA} | ${bindir}/seal_tpm2_data --signed-policy policy.pub seal.tpm || exit 1
${bindir}/unseal_tpm2_data seal.tpm && exit 1
@@ -51,7 +51,7 @@ for alg in EC RSA; do
${tss_pcrreset_cmd} -ha 16
${bindir}/signed_tpm2_policy --policy-name "PCR16-0" --pcr-lock 16 key.tpm policy.key || exit 1
${bindir}/signed_tpm2_policy --policy-name "PCR16-0" --pcr-lock 16 seal.tpm policy.key || exit 1
- openssl rsa -engine tpm2 -inform engine -in key.tpm -pubout -out key.pub || exit 1
+ openssl rsa $ENGINE $INFORM -in key.tpm -pubout -out key.pub || exit 1
${tss_pcrextend_cmd} -ha 16 -ic aaa
${bindir}/signed_tpm2_policy --policy-name "PCR16-extend" --pcr-lock 16 key.tpm policy.key || exit 1
${bindir}/signed_tpm2_policy --policy-name "PCR16-extend" --pcr-lock 16 seal.tpm policy.key || exit 1
@@ -62,23 +62,23 @@ for alg in EC RSA; do
${bindir}/signed_tpm2_policy --policy-name "PCR16-extendx3" --pcr-lock 16 key.tpm policy.key || exit 1
${bindir}/signed_tpm2_policy --policy-name "PCR16-extendx3" --pcr-lock 16 seal.tpm policy.key || exit 1
${tss_pcrreset_cmd} -ha 16
- openssl pkeyutl -sign -in plain.txt -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && \
+ openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg && \
openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1
${bindir}/unseal_tpm2_data seal.tpm | grep -q "${DATA}" || exit 1
${tss_pcrextend_cmd} -ha 16 -ic aaa
- openssl pkeyutl -sign -in plain.txt -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && \
+ openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg && \
openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1
${bindir}/unseal_tpm2_data seal.tpm | grep -q "${DATA}" || exit 1
${tss_pcrextend_cmd} -ha 16 -ic aaa
- openssl pkeyutl -sign -in plain.txt -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && \
+ openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg && \
openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1
${bindir}/unseal_tpm2_data seal.tpm | grep -q "${DATA}" || exit 1
${tss_pcrextend_cmd} -ha 16 -ic aaa
- openssl pkeyutl -sign -in plain.txt -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && \
+ openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg && \
openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1
${bindir}/unseal_tpm2_data seal.tpm | grep -q "${DATA}" || exit 1
${tss_pcrextend_cmd} -ha 16 -ic aaa
- openssl pkeyutl -sign -in plain.txt -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && exit 1
+ openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg && exit 1
${bindir}/unseal_tpm2_data seal.tpm && exit 1
done
diff --git a/tests/check_tpm_directory.sh b/tests/check_tpm_directory.sh
index f40e192..26049d1 100755
--- a/tests/check_tpm_directory.sh
+++ b/tests/check_tpm_directory.sh
@@ -17,7 +17,7 @@ $bindir/create_tpm2_key -p 81000001 -rsa -a -k passw0rd key.tpm || exit 1
mkdir testdir
chmod u-w testdir || exit 1
cd testdir || exit 1
-echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey ../key.tpm -passin pass:passw0rd -out ../tmp.msg
+echo "This is a message" | openssl rsautl -sign $ENGINE $KEYFORM -inkey ../key.tpm -passin pass:passw0rd -out ../tmp.msg
cd ..
##
@@ -47,7 +47,7 @@ $bindir/create_tpm2_key -p 81000001 -rsa -a -k passw0rd key.tpm || exit 1
rm -f fifo
rm -f tmp.msg
mkfifo fifo || exit 1
-cat fifo | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg &
+cat fifo | openssl rsautl -sign $ENGINE $KEYFORM -inkey key.tpm -passin pass:passw0rd -out tmp.msg &
pid=$!
while [ ! -f tmp.msg ] && [ -d /proc/$pid ]; do
sleep 0.5
diff --git a/tests/check_wrap_auth.sh b/tests/check_wrap_auth.sh
index 25bdc7d..ed54bea 100755
--- a/tests/check_wrap_auth.sh
+++ b/tests/check_wrap_auth.sh
@@ -12,6 +12,6 @@
##
openssl genrsa 2048 > key1.priv && \
${bindir}/create_tpm2_key -a -k passw0rd -p 81000001 -w key1.priv key1.tpm && \
-openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key1.tpm -pubout -out key1.pub && \
-echo "This is another message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key1.tpm -passin pass:passw0rd -out tmp.msg && \
+openssl rsa $ENGINE $INFORM -passin pass:passw0rd -in key1.tpm -pubout -out key1.pub && \
+echo "This is another message" | openssl rsautl -sign $ENGINE $KEYFORM -inkey key1.tpm -passin pass:passw0rd -out tmp.msg && \
openssl rsautl -verify -in tmp.msg -inkey key1.pub -pubin
diff --git a/tests/create_ecc.sh b/tests/create_ecc.sh
index 9fecdd2..bbb3014 100755
--- a/tests/create_ecc.sh
+++ b/tests/create_ecc.sh
@@ -14,7 +14,7 @@ for curve in $(${bindir}/create_tpm2_key --list-curves); do
${bindir}/create_tpm2_key -p 81000001 --ecc ${curve} key.tpm || \
exit 1
for hash in sha1 sha256 sha384; do
- openssl req -new -x509 -${hash} -subj '/CN=test/' -key key.tpm -engine tpm2 -keyform engine -out tmp.crt && \
+ openssl req -new -x509 -${hash} -subj '/CN=test/' -key key.tpm $ENGINE $KEYFORM -out tmp.crt && \
openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || \
exit 1
done
diff --git a/tests/create_non_tpm_keys.sh b/tests/create_non_tpm_keys.sh
index 275c2d5..3d654fb 100755
--- a/tests/create_non_tpm_keys.sh
+++ b/tests/create_non_tpm_keys.sh
@@ -1,5 +1,5 @@
#!/bin/bash
-
+set -x
##
# test is
@@ -13,7 +13,7 @@
##
for alg in "EC -pkeyopt ec_paramgen_curve:prime256v1" "RSA -pkeyopt rsa_keygen_bits:2048"; do
openssl genpkey -algorithm ${alg} > key.priv && \
- openssl req -new -x509 -subj '/CN=test/' -key key.priv -engine tpm2 -out tmp.crt && \
- openssl verify -CAfile tmp.crt -engine tpm2 -check_ss_sig tmp.crt || \
+ openssl req -new -x509 -subj '/CN=test/' -key key.priv $ENGINE -out tmp.crt && \
+ openssl verify -CAfile tmp.crt $ENGINE -check_ss_sig tmp.crt || \
exit 1
done
diff --git a/tests/create_nonopenssl_ecc.sh b/tests/create_nonopenssl_ecc.sh
index 6774584..a23a4cf 100755
--- a/tests/create_nonopenssl_ecc.sh
+++ b/tests/create_nonopenssl_ecc.sh
@@ -19,11 +19,11 @@ for curve in $(${bindir}/create_tpm2_key --list-curves); do
echo "Checking curve ${curve}"
${bindir}/create_tpm2_key --ecc ${curve} key1.tpm || \
exit 1
- openssl pkey -engine tpm2 -inform engine -in key1.tpm -pubout -out key1.pub || exit 1
+ openssl pkey $ENGINE $INFORM -in key1.tpm -pubout -out key1.pub || exit 1
${bindir}/create_tpm2_key --ecc ${curve} key2.tpm || \
exit 1
- openssl pkey -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub || exit 1
- openssl pkeyutl -engine tpm2 -keyform engine -inkey key1.tpm -peerkey key2.pub -derive -out secret1.bin || exit 1
- openssl pkeyutl -engine tpm2 -keyform engine -inkey key2.tpm -peerkey key1.pub -derive -out secret2.bin || exit 1
+ openssl pkey $ENGINE $INFORM -in key2.tpm -pubout -out key2.pub || exit 1
+ openssl pkeyutl $ENGINE $KEYFORM -inkey key1.tpm -peerkey key2.pub -derive -out secret1.bin || exit 1
+ openssl pkeyutl $ENGINE $KEYFORM -inkey key2.tpm -peerkey key1.pub -derive -out secret2.bin || exit 1
diff -b secret1.bin secret2.bin || exit 1
done
diff --git a/tests/create_tpm_key.sh b/tests/create_tpm_key.sh
index a56b4be..a1077ac 100755
--- a/tests/create_tpm_key.sh
+++ b/tests/create_tpm_key.sh
@@ -1,5 +1,5 @@
#!/bin/bash
-
+set -x
##
# The Intel tss currently fails with the null seed, so skip the test
@@ -20,8 +20,8 @@ fi
for parent in "" "-p 81000001" "-p owner" "${TESTNULL}" "-p platform" "-p endorsement"; do
echo "Handle: ${parent}"
${bindir}/create_tpm2_key ${parent} key0.tpm || exit 1
- openssl rsa -engine tpm2 -inform engine -in key0.tpm -pubout -out key0.pub || exit 1
- echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key0.tpm -out tmp.msg || exit 1
+ openssl rsa $ENGINE $INFORM -in key0.tpm -pubout -out key0.pub || exit 1
+ echo "This is a message" | openssl rsautl -sign $ENGINE $KEYFORM -inkey key0.tpm -out tmp.msg || exit 1
openssl rsautl -verify -in tmp.msg -inkey key0.pub -pubin || exit 1
done
diff --git a/tests/create_tpm_key_auth.sh b/tests/create_tpm_key_auth.sh
index 4edd703..bbde12c 100755
--- a/tests/create_tpm_key_auth.sh
+++ b/tests/create_tpm_key_auth.sh
@@ -1,5 +1,5 @@
#!/bin/bash
-
+set -x
auth=4ffsiurh4
@@ -12,11 +12,11 @@ tsshierarchychangeauth -hi p -pwdn ${auth}
# 3. encode a message using the TPM key
# 4. verify the message through the public key
${bindir}/create_tpm2_key -p platform -b ${auth} key0.tpm || exit 1
-openssl rsa -engine tpm2 -inform engine -in key0.tpm -pubout -out key0.pub || exit 1
+openssl rsa $ENGINE $INFORM -in key0.tpm -pubout -out key0.pub || exit 1
# openssl has no way to specify the engine ctrl for the pin so we cheat
# and do it in the openssl.cnf file via an environment variable
export SRKPIN=${auth}
-echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key0.tpm -out tmp.msg || exit 1
+echo "This is a message" | openssl rsautl -sign $ENGINE $KEYFORM -inkey key0.tpm -out tmp.msg || exit 1
openssl rsautl -verify -in tmp.msg -inkey key0.pub -pubin || exit 1
tsshierarchychangeauth -hi p -pwda ${auth}
diff --git a/tests/da_check.sh b/tests/da_check.sh
index b2134a4..b82d739 100755
--- a/tests/da_check.sh
+++ b/tests/da_check.sh
@@ -12,7 +12,7 @@ ${bindir}/create_tpm2_key --rsa --da -a -k passw0rd key.tpm || exit 1
count=1;
while true; do
echo "This is a message" |
- openssl pkeyutl -sign -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passwrd -out tmp.msg 2>tmp.txt
+ openssl pkeyutl -sign $ENGINE $KEYFORM -inkey key.tpm -passin pass:passwrd -out tmp.msg 2>tmp.txt
val=$?
cat tmp.txt
if [ $val -ne 1 ]; then
@@ -38,7 +38,7 @@ done
echo "Locked out after $count tries"
# try with correct password, should still be locked out
echo "This is a message" |
-openssl pkeyutl -sign -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg 2>tmp.txt
+openssl pkeyutl -sign $ENGINE $KEYFORM -inkey key.tpm -passin pass:passw0rd -out tmp.msg 2>tmp.txt
val=$?
cat tmp.txt
if [ $val -ne 1 ]; then
@@ -53,4 +53,4 @@ fi
# clear the TPM DA (this would normally be password protected)
tssdictionaryattacklockreset
echo "This is a message" |
-openssl rsautl -sign -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg || exit 1
+openssl rsautl -sign $ENGINE $KEYFORM -inkey key.tpm -passin pass:passw0rd -out tmp.msg || exit 1
diff --git a/tests/derive_ecc.sh b/tests/derive_ecc.sh
index 5475b60..69ec381 100755
--- a/tests/derive_ecc.sh
+++ b/tests/derive_ecc.sh
@@ -28,7 +28,7 @@ for curve in $(${bindir}/create_tpm2_key --list-curves); do
fi
echo "Checking curve ${curve} explicitly named"
${bindir}/create_tpm2_key -p 81000001 --ecc ${curve} key0.tpm || exit 1
- openssl pkey -engine tpm2 -inform engine -in key0.tpm -pubout -out key0.pub || exit 1
+ openssl pkey $ENGINE $INFORM -in key0.tpm -pubout -out key0.pub || exit 1
#openssl ecparam -name ${curve} > key1.param
#openssl genpkey -paramfile key1.param -out key1.priv || exit 1
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:${curve} -pkeyopt ec_param_enc:named_curve -out key1.priv || exit 1
@@ -36,7 +36,7 @@ for curve in $(${bindir}/create_tpm2_key --list-curves); do
# OK have two private and two public keys now generate two
# derivations, one from key0.tpm and key1.pub and the other from
# key1.priv and key0.pub.
- openssl pkeyutl -derive -engine tpm2 -keyform engine -inkey key0.tpm -peerkey key1.pub -out derive.1 || exit 1
+ openssl pkeyutl -derive $ENGINE $KEYFORM -inkey key0.tpm -peerkey key1.pub -out derive.1 || exit 1
openssl pkeyutl -derive -inkey key1.priv -peerkey key0.pub -out derive.2 || exit 1
# if we got it right, both derivations should be the same
cmp derive.1 derive.2 || exit 1
diff --git a/tests/dynamic_engine.sh b/tests/dynamic_engine.sh
index ee7c5e7..5012dad 100755
--- a/tests/dynamic_engine.sh
+++ b/tests/dynamic_engine.sh
@@ -9,10 +9,10 @@ export OPENSSL_ENGINES=${testdir}/../src/engine/.libs
ln -s libtpm2.so ${OPENSSL_ENGINES}/tpm2.so
testkey() {
- openssl pkey -engine tpm2 -inform engine -in key.tpm -pubout -out key.pub || exit 1
+ openssl pkey $ENGINE $INFORM -in key.tpm -pubout -out key.pub || exit 1
# must be 32 bytes exactly for ECDSA signatures
echo -n "12345678901234567890123456789012" > tmp.plain
- openssl pkeyutl -sign -engine tpm2 -keyform engine -in tmp.plain -inkey key.tpm -out tmp.msg || exit 1
+ openssl pkeyutl -sign $ENGINE $KEYFORM -in tmp.plain -inkey key.tpm -out tmp.msg || exit 1
openssl pkeyutl -verify -in tmp.plain -sigfile tmp.msg -inkey key.pub -pubin || exit 1
}
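Review bot: Parameterising `testkey` on `$ENGINE`/`$INFORM`/`$KEYFORM` changes what this test checks: the setup above it (the `OPENSSL_ENGINES` export and the `tpm2.so` symlink) exists specifically to exercise dynamic loading of the engine through `-engine tpm2`, so if the harness ever sets `ENGINE` to a provider form the test passes without loading the engine at all. If the intent is that this script only ever runs under the engine harness, say so in a comment at the top; otherwise keep the literal `-engine tpm2 -inform engine` and `-engine tpm2 -keyform engine` here so the script's name still matches its behaviour. The `testkey` function is fully inside the hunk; the rest of the script is not.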
diff --git a/tests/engine/Makefile.am b/tests/engine/Makefile.am
index c0617a5..be350b5 100644
--- a/tests/engine/Makefile.am
+++ b/tests/engine/Makefile.am
@@ -43,7 +43,11 @@ AM_TESTS_ENVIRONMENT = TPM_INTERFACE_TYPE=socsim; export TPM_INTERFACE_TYPE; \
TPMSERVER=$(TPMSERVER); export TPMSERVER; \
TSSTYPE=@TSSTYPE@; export TSSTYPE; \
SWTPM=$(SWTPM); export SWTPM; \
- SWTPM_IOCTL=$(SWTPM_IOCTL); export SWTPM_IOCTL;
+ SWTPM_IOCTL=$(SWTPM_IOCTL); export SWTPM_IOCTL; \
+ ENGINE="-engine tpm2"; export ENGINE; \
+ INFORM="-inform engine"; export INFORM; \
+ KEYFORM="-keyform engine"; export KEYFORM; \
+ CAKEYFORM="-CAkeyform engine"; export CAKEYFORM;
TEST_EXTENSIONS = .sh
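Review bot: Each of the four new variables holds an option and its argument as a single string and is expanded unquoted by the scripts, which is the only reason the split into two words works; that contract deserves a comment next to the definitions, e.g. `# option+argument pairs; the test scripts expand them unquoted on purpose`. `CAKEYFORM` is exported but none of the scripts touched in this diff use it — presumably a test outside this view does, worth confirming. The commit message speaks of choosing a provider or an engine, yet this environment hard-wires the engine form; if a separate provider harness is meant to export the same names with provider values, a note here pointing at it would help.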
diff --git a/tests/fail_connect.sh b/tests/fail_connect.sh
index a69907f..6675adb 100755
--- a/tests/fail_connect.sh
+++ b/tests/fail_connect.sh
@@ -23,25 +23,25 @@ fi
##
# This is a real TPM key so the ASN.1 parses correctly
##
-echo "-----BEGIN TSS2 KEY BLOB-----
-MIICFwYFZ4EFCgKgAwEBAaEGAgSBAAABooIBHASCARgBFgABAAsAAgRgAAAAEAAQ
-CAAAAAAAAQDe92kKAADnax0VXfanY1VrsSAYyHudOVaFtkja8+JL3l4IMM4M19Wi
-0q42V/yeqY1FTEgd4gO8pYDtDdYrxNGe1Z7Hl5JuZigXRUqtqR6KCmTLYxW+mwkD
-iarJsZnYOawNtDDt4kQdV/saD9WbmX9NSsKA8/T256B7/AY9FWYtz8v41J/ZJfL1
-Cs6y5LAe/HiJc+dODFjZsPSS/CgGeiEguUh8g11BdnDocrgsXZGzIhZYP/t1lZA9
-AbfPAxf04Cj3NGd0kdLwCrNBbirMKXHuryPkBAKlvhseylFjZz39GjVh+wY745bc
-FVwEV382mn6fvR3G5qqkdxPEUzFzJCePBIHgAN4AINHqRAW9YlEmDtMrKevZNgKT
-N+FKyLR/dVBo0HT9BW6ZABD4tdfB5ZLkW5Seos7Ey8l0ov+yaOeBhARVovXR6tJG
-21VdUo0n2Eauc1ehaZ6dFAoU7rpgID3UtfBfgLLEoymS44Y8xqLgpWMQLg7pHMic
-JZ84jI3HuhPJTo4fDTeHf7aI/1uAfsPe0q0zzND5+cF2Maw6Wm6gsjAJsSoLD0MO
-2vJiwPzr1X9f9PGbhlkciOj/IJRHiu423I4ymvFEVgKMVZg4BEpQBrWIWyMceVRx
-QL4QAdW9Ac4kKt4=
------END TSS2 KEY BLOB-----" > tmp.tpm
+echo "-----BEGIN TSS2 PRIVATE KEY-----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+-----END TSS2 PRIVATE KEY-----" > tmp.tpm
##
# conversion to public key doesn't actually contact the TPM
# so this should succeed
##
-openssl pkey -engine tpm2 -inform engine -in tmp.tpm -pubout -out tmp.pub 2> tmp.txt
+openssl pkey $ENGINE $INFORM -in tmp.tpm -pubout -out tmp.pub 2> tmp.txt
if [ $? -ne 0 ]; then
echo "TPM key import failed with $?"
cat tmp.txt
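Review bot: Besides switching to `$ENGINE $INFORM`, this hunk replaces the fixture key itself — the PEM label changes from `TSS2 KEY BLOB` to `TSS2 PRIVATE KEY` — and neither the commit message nor the comment above the `echo` says why. The comment's claim that `This is a real TPM key so the ASN.1 parses correctly` is what the following `openssl pkey` check relies on, so a line such as `# TSS2 PRIVATE KEY form, which both back ends are expected to parse` (or whatever the actual reason is) would keep the fixture's purpose clear. The `if` that follows the `openssl pkey` line closes outside this hunk.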
@@ -51,7 +51,7 @@ fi
# key operation does contact the TPM and should fail
##
echo "This is a message" |\
-openssl pkeyutl -sign -engine tpm2 -keyform engine -inkey tmp.tpm -out tmp.msg 2> tmp.txt
+openssl pkeyutl -sign $ENGINE $KEYFORM -inkey tmp.tpm -out tmp.msg 2> tmp.txt
if [ $? -ne 1 ]; then
echo "TPM key signing failed with $?"
cat tmp.txt
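Review bot: The negative test only asserts that `openssl pkeyutl -sign` exits with status 1; it never asserts that no signature was produced, so a build that reports the connect failure but still writes tmp.msg would pass. After the status check add `[ ! -s tmp.msg ] || { echo "signature written despite TPM connect failure"; cat tmp.txt; exit 1; }`. As in the import check above, `$?` inside the `then` branch is the status of `[` rather than of openssl, so the message prints 0; capturing `rc=$?` right after the pipeline and testing `[ "$rc" -ne 1 ]` fixes both the message and the comparison. Whether a connect failure can leave a non-empty tmp.msg is not visible here, so treat the extra assertion as cheap insurance. The `if` block continues past the end of this hunk.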
diff --git a/tests/restricted_parent.sh b/tests/restricted_parent.sh
index 2373d1e..11e166f 100755
--- a/tests/restricted_parent.sh
+++ b/tests/restricted_parent.sh
@@ -33,8 +33,8 @@ ${bindir}/load_tpm2_key keyecc.tpm ${NV2} || exit 1
##
for parent in ${NV2} ${NV}; do
${bindir}/create_tpm2_key -p ${parent} key.tpm || exit 1
- openssl rsa -engine tpm2 -inform engine -in key.tpm -pubout -out key.pub || exit 1
- echo "This is a test of moveable keys" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg || exit 1
+ openssl rsa $ENGINE $INFORM -in key.tpm -pubout -out key.pub || exit 1
+ echo "This is a test of moveable keys" | openssl rsautl -sign $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg || exit 1
openssl rsautl -verify -in tmp.msg -inkey key.pub -pubin || exit 1
done
# on exit key 1 is parented to ${NV}
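Review bot: The rewritten sign/verify lines keep `openssl rsautl`, which OpenSSL 3.0 deprecates in favour of `pkeyutl`; since the point of parameterising `$ENGINE`/`$KEYFORM` is to run the same script against a provider (an OpenSSL 3 feature), the provider path will exercise a deprecated command that prints warnings and may disappear in a later release. The equivalent is `openssl pkeyutl -sign $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg` for signing and `openssl pkeyutl -verifyrecover -in tmp.msg -inkey key.pub -pubin` for the message-recovering verify; fail_connect.sh in this same change already uses pkeyutl for the sign side. Worth confirming `-verifyrecover` behaves identically with engine-loaded keys before switching all the rsautl call sites. The loop body is fully visible, but the setup above it starts outside the hunk.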
@@ -42,7 +42,7 @@ tssclear -hi p || exit 1
${bindir}/create_tpm2_key --restricted -w keyrsa.priv keyrsa.tpm || exit 1
${bindir}/load_tpm2_key keyrsa.tpm ${NV} || exit 1
-echo "This is a test of moveable keys" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg || exit 1
+echo "This is a test of moveable keys" | openssl rsautl -sign $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg || exit 1
openssl rsautl -verify -in tmp.msg -inkey key.pub -pubin || exit 1
##
@@ -69,12 +69,12 @@ ${bindir}/load_tpm2_key --auth-parent Passw0rd key3.tpm ${NV2} || exit 1
tssclear -hi p
${bindir}/create_tpm2_key --restricted -w keyecc.priv keyecc.tpm || exit 1
${bindir}/load_tpm2_key keyecc.tpm ${NV2} || exit 1
-openssl pkey -engine tpm2 -inform engine -in //nvkey:${NV2} -pubout -out keyecc.pub || exit 1
+openssl pkey $ENGINE $INFORM -in //nvkey:${NV2} -pubout -out keyecc.pub || exit 1
openssl genrsa 2048 > key.priv || exit 1
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -pkeyopt ec_param_enc:named_curve -out key1.priv
for key in key.priv key1.priv; do
${bindir}/create_tpm2_key --parent ${NV2} --import keyecc.pub --wrap ${key} key.tpm || exit 1
- openssl req -new -x509 -subj '/CN=test/' -key key.tpm -engine tpm2 -keyform engine -out tmp.crt || exit 1
+ openssl req -new -x509 -subj '/CN=test/' -key key.tpm $ENGINE $KEYFORM -out tmp.crt || exit 1
openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || exit 1
done
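Review bot: The EC key generation line `openssl genpkey -algorithm EC ... -out key1.priv` carries no `|| exit 1`, unlike the `genrsa` line directly above it, so if it fails the loop goes on to wrap a stale or missing key1.priv and the test fails later with a misleading create_tpm2_key or req error. Append `|| exit 1` to that line to match the rest of the script. The remaining lines of the hunk check status consistently.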
diff --git a/tests/test_nv_key.sh b/tests/test_nv_key.sh
index 5b56b50..5ef4549 100755
--- a/tests/test_nv_key.sh
+++ b/tests/test_nv_key.sh
@@ -1,5 +1,5 @@
#!/bin/bash
-
+set -x
##
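Review bot: `set -x` added at the top of this script looks like leftover debugging: it traces every command to stderr, including the later `-passin pass:${auth}` arguments, so the key authorization value is echoed into the test log on every run, and the commit message does not mention enabling tracing. Drop the line, or if tracing is wanted, bracket only the section under investigation with `set -x`/`set +x` and keep it away from the commands that carry `pass:${auth}`. The auth value here is a test fixture, so this is about log hygiene and noise rather than a live secret.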
@@ -17,8 +17,8 @@ tsscreate -rsa -gp -hp 81000001 -opr key.tpmpriv -opu key.tpmpub || exit 1
key=$(tssload -hp 81000001 -ipu key.tpmpub -ipr key.tpmpriv|sed 's/Handle //') || exit 1
tssevictcontrol -hi o -ho ${key} -hp ${nvkey} || exit 1
tssflushcontext -ha ${key}
-openssl rsa -engine tpm2 -inform engine -in //nvkey:${nvkey} -pubout -out key1.pub || exit 1
-echo "This is an internal key message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey //nvkey:${nvkey} -out tmp.msg || exit 1
+openssl rsa $ENGINE $INFORM -pubin -in //nvkey:${nvkey} -pubout -out key1.pub || exit 1
+echo "This is an internal key message" | openssl rsautl -sign $ENGINE $KEYFORM -inkey //nvkey:${nvkey} -out tmp.msg || exit 1
openssl rsautl -verify -in tmp.msg -inkey key1.pub -pubin || exit 1
tssevictcontrol -hi o -hp ${nvkey} -ho ${nvkey}
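Review bot: The public-key extraction for the no-auth NV key gains `-pubin` (`openssl rsa $ENGINE $INFORM -pubin -in //nvkey:${nvkey} -pubout`), but the three later `//nvkey:` extractions in this script and the one in restricted_parent.sh still run without it, and the commit message does not say why only this case needs it. Either all the `//nvkey:` public-key extractions should take `-pubin`, or this one should carry a comment stating the reason, for example `# -pubin: presumably needed so the handle is loaded as a public key without an auth prompt - confirm`. If `-pubin` turns out to be required on the provider path, the inconsistency will surface as a failure in the other cases rather than here. The reason is inferred from the option name; the engine/provider behaviour is not visible in this diff.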
@@ -28,8 +28,8 @@ key=$(tssload -hp 81000001 -ipu key.tpmpub -ipr key.tpmpriv|sed 's/Handle //') |
tssevictcontrol -hi o -ho ${key} -hp ${nvkey} || exit 1
tssflushcontext -ha ${key}
-openssl rsa -engine tpm2 -inform engine -passin pass:${auth} -in //nvkey:${nvkey} -pubout -out key1.pub || exit 1
-echo "This is an internal key message" | openssl rsautl -sign -passin pass:${auth} -engine tpm2 -engine tpm2 -keyform engine -inkey //nvkey:${nvkey} -out tmp.msg || exit 1
+openssl rsa $ENGINE $INFORM -passin pass:${auth} -in //nvkey:${nvkey} -pubout -out key1.pub || exit 1
+echo "This is an internal key message" | openssl rsautl -sign -passin pass:${auth} $ENGINE $KEYFORM -inkey //nvkey:${nvkey} -out tmp.msg || exit 1
openssl rsautl -verify -in tmp.msg -inkey key1.pub -pubin || exit 1
tssevictcontrol -hi o -hp ${nvkey} -ho ${nvkey}
@@ -38,8 +38,8 @@ tsscreate -rsa -gp -hp 81000001 -pwdk ${auth} -da -opr key.tpmpriv -opu key.tpmp
key=$(tssload -hp 81000001 -ipu key.tpmpub -ipr key.tpmpriv|sed 's/Handle //') || exit 1
tssevictcontrol -hi o -ho ${key} -hp ${nvkey} || exit 1
tssflushcontext -ha ${key}
-openssl rsa -engine tpm2 -inform engine -passin pass:${auth} -in //nvkey:${nvkey} -pubout -out key1.pub || exit 1
-echo "This is an internal key message" | openssl rsautl -sign -passin pass:${auth} -engine tpm2 -engine tpm2 -keyform engine -inkey //nvkey:${nvkey} -out tmp.msg || exit 1
+openssl rsa $ENGINE $INFORM -passin pass:${auth} -in //nvkey:${nvkey} -pubout -out key1.pub || exit 1
+echo "This is an internal key message" | openssl rsautl -sign -passin pass:${auth} $ENGINE $KEYFORM -inkey //nvkey:${nvkey} -out tmp.msg || exit 1
openssl rsautl -verify -in tmp.msg -inkey key1.pub -pubin || exit 1
tssevictcontrol -hi o -hp ${nvkey} -ho ${nvkey}
@@ -49,9 +49,9 @@ key=$(tssload -hp 81000001 -ipu key.tpmpub -ipr key.tpmpriv|sed 's/Handle //') |
tssevictcontrol -hi o -ho ${key} -hp ${nvkey} || exit 1
tssflushcontext -ha ${key}
-openssl rsa -engine tpm2 -inform engine -passin pass:${auth} -in //nvkey:${nvkey} -pubout -out key1.pub || exit 1
+openssl rsa $ENGINE $INFORM -passin pass:${auth} -in //nvkey:${nvkey} -pubout -out key1.pub || exit 1
export NVPREFIX="wibble:"
-echo "This is an internal key message" | openssl rsautl -sign -passin pass:${auth} -engine tpm2 -engine tpm2 -keyform engine -inkey ${NVPREFIX}${nvkey} -out tmp.msg || exit 1
+echo "This is an internal key message" | openssl rsautl -sign -passin pass:${auth} $ENGINE $KEYFORM -inkey ${NVPREFIX}${nvkey} -out tmp.msg || exit 1
openssl rsautl -verify -in tmp.msg -inkey key1.pub -pubin || exit 1
tssevictcontrol -hi o -hp ${nvkey} -ho ${nvkey}
diff --git a/tests/wrap_ecc.sh b/tests/wrap_ecc.sh
index e2ca530..63fa445 100755
--- a/tests/wrap_ecc.sh
+++ b/tests/wrap_ecc.sh
@@ -15,7 +15,7 @@ for curve in $(${bindir}/create_tpm2_key --list-curves); do
openssl ecparam -param_enc named_curve -genkey -name ${curve} > tmp.param && \
openssl genpkey -paramfile tmp.param -out key.priv && \
${bindir}/create_tpm2_key -p 81000001 -w key.priv key.tpm && \
- openssl req -new -x509 -subj '/CN=test/' -key key.tpm -engine tpm2 -keyform engine -out tmp.crt && \
+ openssl req -new -x509 -subj '/CN=test/' -key key.tpm $ENGINE $KEYFORM -out tmp.crt && \
openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || \
exit 1
done
@@ -27,7 +27,7 @@ for curve in $(${bindir}/create_tpm2_key --list-curves); do
openssl ecparam -param_enc explicit -genkey -name ${curve} > tmp.param && \
openssl genpkey -paramfile tmp.param -out key.priv && \
${bindir}/create_tpm2_key -p 81000001 -w key.priv key.tpm && \
- openssl req -new -x509 -subj '/CN=test/' -key key.tpm -engine tpm2 -keyform engine -out tmp.crt && \
+ openssl req -new -x509 -subj '/CN=test/' -key key.tpm $ENGINE $KEYFORM -out tmp.crt && \
openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || \
exit 1
done
diff --git a/tests/wrap_generic_ecc.sh b/tests/wrap_generic_ecc.sh
index 6a49943..4cc0172 100755
--- a/tests/wrap_generic_ecc.sh
+++ b/tests/wrap_generic_ecc.sh
@@ -13,7 +13,7 @@ for curve in $(${bindir}/create_tpm2_key --list-curves); do
fi
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:${curve} -out key.priv && \
${bindir}/create_tpm2_key -p 81000001 -w key.priv key.tpm && \
- openssl req -new -x509 -subj '/CN=test/' -key key.tpm -engine tpm2 -keyform engine -out tmp.crt && \
+ openssl req -new -x509 -subj '/CN=test/' -key key.tpm $ENGINE $KEYFORM -out tmp.crt && \
openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || \
exit 1
done
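Review bot: When one curve fails, the `&& ... || exit 1` chain exits without naming the curve or the step, which makes a multi-curve loop slow to debug from the harness log. Replace the bare `exit 1` with `{ echo "wrap_generic_ecc: curve ${curve} failed" >&2; exit 1; }`. The `openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt` step does verify the self-signature rather than merely parsing the certificate, so the check itself is sound. The `for` header is in the hunk context, but the curve filter above it is only partly visible.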
diff --git a/tests/wrap_pkcs12.sh b/tests/wrap_pkcs12.sh
index 5603eff..60f04ef 100755
--- a/tests/wrap_pkcs12.sh
+++ b/tests/wrap_pkcs12.sh
@@ -16,6 +16,6 @@ openssl pkcs12 -out tmp.p12 -passout pass: -export -inkey key.priv -in tmp.crt
${bindir}/create_tpm2_key -w tmp.p12 key.tpm || exit 1
openssl req -new -newkey rsa:2048 -keyout key1.priv -subj '/CN=test intermediate/' -out tmp1.csr -nodes || exit 1
-openssl x509 -req -in tmp1.csr -CA tmp.crt -CAkey key.tpm -CAkeyform engine -engine tpm2 -set_serial 1 -out tmp1.crt -days 365 || exit 1
+openssl x509 -req -in tmp1.csr -CA tmp.crt -CAkey key.tpm $CAKEYFORM $ENGINE -set_serial 1 -out tmp1.crt -days 365 || exit 1
openssl verify -CAfile tmp.crt tmp1.crt || exit 1
diff --git a/tests/wrap_tpm_key.sh b/tests/wrap_tpm_key.sh
index 6621275..29be460 100755
--- a/tests/wrap_tpm_key.sh
+++ b/tests/wrap_tpm_key.sh
@@ -23,8 +23,8 @@ openssl genrsa 2048 > key1.priv || exit 1;
for parent in "" "-p 81000001" "-p owner" "${TESTNULL}" "-p platform" "-p endorsement"; do
echo "Handle: ${parent}"
${bindir}/create_tpm2_key ${parent} -w key1.priv key1.tpm || exit 1
- openssl rsa -engine tpm2 -inform engine -in key1.tpm -pubout -out key1.pub || exit 1
- echo "This is another message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key1.tpm -out tmp.msg || exit 1
+ openssl rsa $ENGINE $INFORM -in key1.tpm -pubout -out key1.pub || exit 1
+ echo "This is another message" | openssl rsautl -sign $ENGINE $KEYFORM -inkey key1.tpm -out tmp.msg || exit 1
openssl rsautl -verify -in tmp.msg -inkey key1.pub -pubin || exit 1
done