diff --git a/scripts/cmd_test/cmd-test-common.sh b/scripts/cmd_test/cmd-test-common.sh index f1eba6f1..e4190c1d 100644 --- a/scripts/cmd_test/cmd-test-common.sh +++ b/scripts/cmd_test/cmd-test-common.sh 
@@ -17,22 +17,54 @@ # You should have received a copy of the GNU General Public License # along with wolfProvider. If not, see . +COMMON_SETUP_DONE=0 + cmd_test_env_setup() { + # Fail flags + FAIL=0 + FORCE_FAIL_PASSED=0 + + if [ $COMMON_SETUP_DONE -ne 0 ]; then + echo "Setup already completed, skipping." + return + fi + local log_file_name=$1 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" # Set up environment export LOG_FILE="${SCRIPT_DIR}/${log_file_name}" touch "$LOG_FILE" - # OPENSSL_BIN must be set by the caller + # If OPENSSL_BIN is not set, assume we are using a local build if [ -z "${OPENSSL_BIN:-}" ]; then - echo "Error: OPENSSL_BIN environment variable is not set" | tee -a "$LOG_FILE" - exit 1 - fi + echo "OPENSSL_BIN not set, assuming local build" + # Check if the install directories exist + if [ ! -d "${REPO_ROOT}/openssl-install" ] || + [ ! -d "${REPO_ROOT}/wolfssl-install" ]; then + echo "[FAIL] OpenSSL or wolfSSL install directories not found" + echo "Please set OPENSSL_BIN or run build-wolfprovider.sh first" + exit 1 + fi - # Fail flags - FAIL=0 - FORCE_FAIL_PASSED=0 + # Setup the environment for a local build + source "${REPO_ROOT}/scripts/env-setup" + else + echo "Using user-provided OPENSSL_BIN: ${OPENSSL_BIN}" + # We are using a user-provided OpenSSL binary, manually set the test + # environment variables rather than using env-setup. + # Find the location of the wolfProvider modules + if [ -z "${WOLFPROV_PATH:-}" ]; then + export WOLFPROV_PATH=$(find /usr/lib /usr/local/lib -type d -name ossl-modules 2>/dev/null | head -n 1) + fi + # Set the path to the wolfProvider config file + if [ -z "${WOLFPROV_CONFIG:-}" ]; then + if [ "${WOLFSSL_ISFIPS:-0}" = "1" ]; then + export WOLFPROV_CONFIG="${REPO_ROOT}/provider-fips.conf" + else + export WOLFPROV_CONFIG="${REPO_ROOT}/provider.conf" + fi + fi + fi # Get the force fail parameter if [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then 
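Review bot: `FAIL=0` and `FORCE_FAIL_PASSED=0` are assigned before the `COMMON_SETUP_DONE` guard, so a second call to `cmd_test_env_setup` in the same shell silently wipes any failure already recorded; move the guard above those two assignments, or reset the flags only when setup actually runs. The new local-build branch also dereferences `REPO_ROOT` without checking it, so a script that sources this file without defining it probes `/openssl-install` and `/wolfssl-install`; a `: "${REPO_ROOT:?REPO_ROOT must be set before cmd_test_env_setup}"` at the top of the function gives a clear error instead. `COMMON_SETUP_DONE` is not exported, so the guard only holds within one process — presumably fine if each test script runs in its own shell, but a one-line comment saying so would save the next reader the question. The function continues past the end of the hunk.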
@@ -46,6 +78,17 @@ cmd_test_env_setup() { echo "Environment variables:" echo "OPENSSL_MODULES: ${OPENSSL_MODULES}" echo "OPENSSL_BIN: ${OPENSSL_BIN}" + echo "WOLFPROV_PATH: ${WOLFPROV_PATH}" + echo "WOLFPROV_CONFIG: ${WOLFPROV_CONFIG}" + echo "LOG_FILE: ${LOG_FILE}" + + COMMON_SETUP_DONE=1 +} + +# Check if default provider is in use +# Note that this may be wolfProvider if built as replace-default +is_default_provider() { + return $($OPENSSL_BIN list -providers | grep -qi "default") } # Function to use default provider only @@ -54,29 +97,41 @@ use_default_provider() { unset OPENSSL_CONF # Verify that we are using the default provider - if ${OPENSSL_BIN} list -providers | grep -q "wolfprov"; then - echo "FAIL: unable to switch to default provider, wolfProvider is still active" + if ! is_default_provider; then + echo "FAIL: unable to switch to default provider" + $OPENSSL_BIN list -providers exit 1 fi echo "Switched to default provider" } +is_wolf_provider() { + return $($OPENSSL_BIN list -providers | grep -qi "wolfSSL Provider") +} + # Function to use wolf provider only use_wolf_provider() { export OPENSSL_MODULES=$WOLFPROV_PATH export OPENSSL_CONF=${WOLFPROV_CONFIG} # Verify that we are using wolfProvider - if ! ${OPENSSL_BIN} list -providers | grep -q "wolfprov"; then - echo "FAIL: unable to switch to wolfProvider, default provider is still active" + if ! is_wolf_provider; then + echo "FAIL: unable to switch to wolfProvider" + $OPENSSL_BIN list -providers exit 1 fi echo "Switched to wolfProvider" } +is_replace_default() { + return $($OPENSSL_BIN list -providers | grep -qi "wolfSSL Provider") +} + # Helper function to handle force fail checks check_force_fail() { - if [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then + if is_default_provider && ! is_replace_default; then + echo "OPENSSL Default provider active, no forced failures expected." + elif [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then echo "[PASS] Test passed when force fail was enabled" FORCE_FAIL_PASSED=1 fi 
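Review bot: `return $($OPENSSL_BIN list -providers | grep -qi "default")` in `is_default_provider` relies on the command substitution expanding to nothing and `return` then picking up its exit status, which appears to work in bash only through how `$?` is set during expansion; make the pipeline the function's last command, `$OPENSSL_BIN list -providers | grep -qi "default"`, so its status is the return value. The same shape is used by `is_wolf_provider` and `is_replace_default` in the second hunk (-54,29). Those two functions also have byte-identical bodies, so `is_default_provider && ! is_replace_default` in `check_force_fail` amounts to "default listed and no wolfSSL Provider listed"; if replace-default builds are meant to be told apart, `is_replace_default` needs a distinguishing match, otherwise alias it to `is_wolf_provider` and say so in its comment. `grep -qi "default"` will also match any provider whose name or path contains that word, so a comment giving the expected `list -providers` output would help; `check_force_fail` may continue past the end of the hunk.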
diff --git a/scripts/cmd_test/do-cmd-tests.sh b/scripts/cmd_test/do-cmd-tests.sh index e086538b..63eec558 100755 --- a/scripts/cmd_test/do-cmd-tests.sh +++ b/scripts/cmd_test/do-cmd-tests.sh @@ -25,35 +25,7 @@ REPO_ROOT="$( cd "${SCRIPT_DIR}/../.." &> /dev/null && pwd )" UTILS_DIR="${REPO_ROOT}/scripts" source "${SCRIPT_DIR}/cmd-test-common.sh" - -# If OPENSSL_BIN is not set, assume we are using a local build -if [ -z "${OPENSSL_BIN:-}" ]; then - # Check if the install directories exist - if [ ! -d "${REPO_ROOT}/openssl-install" ] || - [ ! -d "${REPO_ROOT}/wolfssl-install" ]; then - echo "[FAIL] OpenSSL or wolfSSL install directories not found" - echo "Please set OPENSSL_BIN or run build-wolfprovider.sh first" - exit 1 - fi - - # Setup the environment for a local build - source "${REPO_ROOT}/scripts/env-setup" -else - # We are using a user-provided OpenSSL binary, manually set the test - # environment variables rather than using env-setup. - # Find the location of the wolfProvider modules - if [ -z "${WOLFPROV_PATH:-}" ]; then - export WOLFPROV_PATH=$(find /usr/lib /usr/local/lib -type d -name ossl-modules 2>/dev/null | head -n 1) - fi - # Set the path to the wolfProvider config file - if [ -z "${WOLFPROV_CONFIG:-}" ]; then - if [ "${WOLFSSL_ISFIPS:-0}" = "1" ]; then - export WOLFPROV_CONFIG="${REPO_ROOT}/provider-fips.conf" - else - export WOLFPROV_CONFIG="${REPO_ROOT}/provider.conf" - fi - fi -fi +cmd_test_env_setup echo "=== Running wolfProvider Command-Line Tests ===" echo "Using OPENSSL_BIN: ${OPENSSL_BIN}" diff --git a/scripts/cmd_test/ecc-cmd-test.sh b/scripts/cmd_test/ecc-cmd-test.sh index 2cbe19d9..31182f46 100755 --- a/scripts/cmd_test/ecc-cmd-test.sh +++ b/scripts/cmd_test/ecc-cmd-test.sh 
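Review bot: `cmd_test_env_setup` is called with no argument, but the function reads `local log_file_name=$1` and builds `LOG_FILE="${SCRIPT_DIR}/${log_file_name}"` from it, so `LOG_FILE` becomes the directory `${SCRIPT_DIR}/` and `touch` is applied to a directory; pass a log name, e.g. `cmd_test_env_setup "cmd-test.log"` (constructed name), or default the parameter inside the function. `REPO_ROOT` is assigned two lines above the call but not exported in the visible lines; that is sufficient for the sourced setup function and `env-setup`, though any child test script will not see it unless it is exported.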
@@ -117,6 +117,18 @@ test_sign_verify_pkeyutl() { local data_file="ecc_outputs/test_data.txt" echo -e "\n=== Testing ECC (${curve}) Sign/Verify with pkeyutl Using ${provider_name} ===" + + if [ ! -f "$key_file" ] || [ ! -f "$pub_key_file" ]; then + echo "[FAIL] Key files for ECC (${curve}) not found, cannot run sign/verify tests" + FAIL=1 + exit 1 + fi + + if [ ! -f "$data_file" ]; then + echo "[FAIL] Test data file not found, cannot run sign/verify tests" + FAIL=1 + exit 1 + fi # Test 1: Sign and verify with OpenSSL default use_default_provider @@ -193,6 +205,12 @@ generate_and_test_key() { provider_name=$(get_provider_name "$provider_args") echo -e "\n=== Testing ECC Key Generation (${curve}) with ${provider_name} ===" + + if [ -f "$output_file" ]; then + echo "ECC key file $output_file already exists, removing it." + rm -f "$output_file" + fi + echo "Generating ECC key (${curve})..." if $OPENSSL_BIN genpkey -algorithm EC \ @@ -239,6 +257,14 @@ for curve in "${CURVES[@]}"; do # Generate key with current provider generate_and_test_key "$curve" "$test_provider" + # If WPFF is set, we need to run again to actually create the + # key files + if [ $WOLFPROV_FORCE_FAIL -ne 0 ]; then + WOLFPROV_FORCE_FAIL=0 + generate_and_test_key "$curve" "$test_provider" + WOLFPROV_FORCE_FAIL=1 + fi + # Test sign/verify interoperability test_sign_verify_pkeyutl "$curve" "$test_provider" done diff --git a/scripts/cmd_test/req-cmd-test.sh b/scripts/cmd_test/req-cmd-test.sh index 1278f398..39935884 100755 --- a/scripts/cmd_test/req-cmd-test.sh +++ b/scripts/cmd_test/req-cmd-test.sh 
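Review bot: `if [ $WOLFPROV_FORCE_FAIL -ne 0 ]` in the curve loop (third hunk, -239,6) uses an unquoted variable with an integer test, while the rest of these scripts compare it as a string (`"${WOLFPROV_FORCE_FAIL}" = "1"`); if the variable is unset or empty, `[` reports a missing operand and the re-run is skipped with an error rather than a clean false. Use `if [ "${WOLFPROV_FORCE_FAIL:-0}" != "0" ]; then` for consistency with the other checks. The `WOLFPROV_FORCE_FAIL=0` / `WOLFPROV_FORCE_FAIL=1` toggling also assumes the value was exactly 1 beforehand; saving and restoring the original value keeps any other setting intact. The enclosing `for curve` loop starts before this hunk.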
@@ -35,6 +35,16 @@ test_cert_creation() { local cert_file="req_outputs/cert_${curve}_${hash_alg}_${req_provider_name//lib/}.pem" echo -e "\n=== Testing Certificate Creation (${curve}/${hash_alg}) - req with ${req_provider_name} ===" + + if [ -f "$key_file" ]; then + echo "Key file $key_file already exists, removing it." + rm -f "$key_file" + fi + + if [ -f "$cert_file" ]; then + echo "Certificate file $cert_file already exists, removing it." + rm -f "$cert_file" + fi # Generate EC key with default provider echo "Generating EC key with curve ${curve} using default provider..." diff --git a/scripts/cmd_test/rsa-cmd-test.sh b/scripts/cmd_test/rsa-cmd-test.sh index 42ad5363..4b23815a 100755 --- a/scripts/cmd_test/rsa-cmd-test.sh +++ b/scripts/cmd_test/rsa-cmd-test.sh @@ -37,23 +37,8 @@ KEY_TYPES=("RSA" "RSA-PSS") KEY_SIZES=("2048" "3072" "4096") PROVIDER_ARGS=("-provider-path $WOLFPROV_PATH -provider libwolfprov" "-provider default") -OPENSSL_BIN=${OPENSSL_BIN:-openssl} - echo "=== Running RSA Key Generation Tests ===" -rsa_check_force_fail() { - local openssl_providers=$($OPENSSL_BIN list -providers) - is_openssl_default_provider=$(echo "$openssl_providers" | grep -qi "OpenSSL Default Provider" && echo 1 || echo 0) - if [ $is_openssl_default_provider -eq 1 ]; then - # With the OpenSSL provider, don't expect failures - echo "OPENSSL Default provider active, no forced failures expected." - elif [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then - echo "[PASS] Test passed when force fail was enabled" - FORCE_FAIL_PASSED=1 - exit 1 - fi -} - # Function to validate key validate_key() { local key_type=$1 @@ -76,7 +61,7 @@ validate_key() { return else echo "[PASS] ${key_type} key file exists and has content" - rsa_check_force_fail + check_force_fail fi # Only try to extract public key if file exists and has content 
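Review bot: dropping `OPENSSL_BIN=${OPENSSL_BIN:-openssl}` (rsa hunk -37,23) leaves rsa-cmd-test.sh with no fallback and no check, so if the variable is not exported into this script `$OPENSSL_BIN list -providers` runs as the bare command `list`; add `: "${OPENSSL_BIN:?OPENSSL_BIN must be set}"` near the top, or have the script call `cmd_test_env_setup` as do-cmd-tests.sh now does. The removed `rsa_check_force_fail` also did `exit 1` after setting `FORCE_FAIL_PASSED=1`, whereas the shared `check_force_fail` that replaces it (cmd-test-common.sh hunk -54,29) shows no exit within its visible lines; confirm it stops the script the same way, otherwise RSA tests under force-fail now continue past the first pass instead of aborting. This applies to every `check_force_fail` call site in the later rsa hunks as well.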
@@ -84,7 +69,7 @@ validate_key() { if $OPENSSL_BIN pkey -in "$key_file" -pubout -out "$pub_key_file" \ ${provider_args} -passin pass: >/dev/null; then echo "[PASS] ${key_type} Public key extraction successful" - rsa_check_force_fail + check_force_fail else echo "[FAIL] ${key_type} Public key extraction failed" FAIL=1 @@ -169,6 +154,8 @@ test_sign_verify_pkeyutl() { # Get the provider name provider_name=$(get_provider_name "$provider_args") + + echo -e "\n=== Testing ${key_type} (${key_size}) Sign/Verify with pkeyutl Using ${provider_name} ===" # Handle different key naming conventions local key_prefix="${key_type}" @@ -192,18 +179,16 @@ test_sign_verify_pkeyutl() { exit 1 fi - echo -e "\n=== Testing ${key_type} (${key_size}) Sign/Verify with pkeyutl Using ${provider_name} ===" - # Test 1: Sign and verify with OpenSSL default use_default_provider echo "Test 1: Sign and verify with OpenSSL default (${key_type})" local default_sig_file="rsa_outputs/${key_prefix}_${key_size}_default_sig.bin" if $sign_func "$key_file" "$data_file" "$default_sig_file" "$provider_args"; then echo "[PASS] Signing with OpenSSL default successful" - rsa_check_force_fail + check_force_fail if $verify_func "$pub_key_file" "$data_file" "$default_sig_file" "$provider_args"; then echo "[PASS] Default provider verify successful" - rsa_check_force_fail + check_force_fail else echo "[FAIL] Default provider verify failed" FAIL=1 @@ -219,10 +204,10 @@ test_sign_verify_pkeyutl() { local wolf_sig_file="rsa_outputs/${key_prefix}_${key_size}_wolf_sig.bin" if $sign_func "$key_file" "$data_file" "$wolf_sig_file" "$provider_args"; then echo "[PASS] Signing with wolfProvider successful" - rsa_check_force_fail + check_force_fail if $verify_func "$pub_key_file" "$data_file" "$wolf_sig_file" "$provider_args"; then echo "[PASS] wolfProvider sign/verify successful" - rsa_check_force_fail + check_force_fail else echo "[FAIL] wolfProvider verify failed" FAIL=1 
@@ -238,7 +223,7 @@ test_sign_verify_pkeyutl() { use_wolf_provider if $verify_func "$pub_key_file" "$data_file" "$default_sig_file" "$provider_args"; then echo "[PASS] wolfProvider can verify OpenSSL default signature" - rsa_check_force_fail + check_force_fail else echo "[FAIL] wolfProvider cannot verify OpenSSL default signature" FAIL=1 @@ -248,7 +233,7 @@ test_sign_verify_pkeyutl() { echo "Test 4: Cross-provider verification (wolf sign, default verify)" if $verify_func "$pub_key_file" "$data_file" "$wolf_sig_file" "$provider_args"; then echo "[PASS] OpenSSL default can verify wolfProvider signature" - rsa_check_force_fail + check_force_fail else echo "[FAIL] OpenSSL default cannot verify wolfProvider signature" FAIL=1 @@ -263,15 +248,16 @@ generate_and_test_key() { local provider_args=$3 local output_file="rsa_outputs/${key_type}_${key_size}.pem" + # Get the provider name + provider_name=$(get_provider_name "$provider_args") + + echo -e "\n=== Testing ${key_type} Key Generation (${key_size}) with ${provider_name} ===" + if [ -f "$output_file" ]; then echo "Output file $output_file already exists, removing it." rm -f "$output_file" fi - # Get the provider name - provider_name=$(get_provider_name "$provider_args") - - echo -e "\n=== Testing ${key_type} Key Generation (${key_size}) with ${provider_name} ===" echo "Generating ${key_type} key (${key_size})..." if [ "$key_type" = "RSA-PSS" ]; then # For RSA-PSS, specify all parameters @@ -283,7 +269,7 @@ generate_and_test_key() { -pkeyopt rsa_pss_keygen_saltlen:-1 \ -out "$output_file" 2>/dev/null; then echo "[PASS] RSA-PSS key generation successful" - rsa_check_force_fail + check_force_fail else echo "[FAIL] RSA-PSS key generation failed" FAIL=1 @@ -295,7 +281,7 @@ generate_and_test_key() { -pkeyopt rsa_keygen_bits:${key_size} \ -out "$output_file" 2>/dev/null; then echo "[PASS] RSA key generation successful" - rsa_check_force_fail + check_force_fail else echo "[FAIL] RSA key generation failed" FAIL=1 
@@ -305,7 +291,7 @@ generate_and_test_key() { # Verify the key was generated if [ -s "$output_file" ]; then echo "[PASS] ${key_type} key (${key_size}) generation successful" - rsa_check_force_fail + check_force_fail else echo "[FAIL] ${key_type} key (${key_size}) generation failed" FAIL=1 @@ -322,7 +308,7 @@ generate_and_test_key() { if $OPENSSL_BIN pkey -in "$output_file" -check \ ${provider_args} -passin pass: >/dev/null; then echo "[PASS] ${provider_name} can use ${key_type} key (${key_size})" - rsa_check_force_fail + check_force_fail else echo "[FAIL] ${provider_name} cannot use ${key_type} key (${key_size})" FAIL=1 diff --git a/scripts/verify-install.sh b/scripts/verify-install.sh index f7cd123f..aee5b664 100755 --- a/scripts/verify-install.sh +++ b/scripts/verify-install.sh @@ -249,7 +249,6 @@ verify_wolfprovider() { elif [ $is_wp_default -ne 1 ]; then handle_error "wolfProvider is not the default provider" fi - else if [ $is_openssl_replace_default -eq 1 ]; then handle_error "OpenSSL is replace default"