From 41fabe9af3733e1a617eb1a6868d7b31ba7a4ebb Mon Sep 17 00:00:00 2001
From: Test User <test@example.com>
Date: Mon, 10 Nov 2025 18:12:35 -0800
Subject: [PATCH 1/3] Refactor cmd tests

---
 scripts/cmd_test/aes-cmd-test.sh    |  10 +-
 scripts/cmd_test/cmd-test-common.sh | 224 ++++++++++++++++++----------
 scripts/cmd_test/do-cmd-tests.sh    | 217 ++++++++++++++++++++++-----
 scripts/cmd_test/ecc-cmd-test.sh    |  10 +-
 scripts/cmd_test/hash-cmd-test.sh   |  10 +-
 scripts/cmd_test/req-cmd-test.sh    |  28 +++-
 scripts/cmd_test/rsa-cmd-test.sh    |  24 ++-
 7 files changed, 380 insertions(+), 143 deletions(-)

diff --git a/scripts/cmd_test/aes-cmd-test.sh b/scripts/cmd_test/aes-cmd-test.sh
index e0ed0da4..bdaf51ae 100755
--- a/scripts/cmd_test/aes-cmd-test.sh
+++ b/scripts/cmd_test/aes-cmd-test.sh
@@ -2,6 +2,9 @@
 # aes-cmd-test.sh
 # AES encryption test for wolfProvider
 #
+# NOTE: This script is designed to be called from do-cmd-tests.sh
+# Do not run this script directly - use do-cmd-tests.sh instead
+#
 # Copyright (C) 2006-2025 wolfSSL Inc.
 #
 # This file is part of wolfProvider.
@@ -22,12 +25,9 @@
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 source "${SCRIPT_DIR}/cmd-test-common.sh"
 source "${SCRIPT_DIR}/clean-cmd-test.sh"
-cmd_test_env_setup "aes-test.log"
+cmd_test_init "aes-test.log"
 clean_cmd_test "aes"
 
-# Redirect all output to log file
-exec > >(tee -a "$LOG_FILE") 2>&1
-
 # Create test data and output directories
 mkdir -p aes_outputs
 echo "This is test data for AES encryption testing." > aes_outputs/test_data.txt
@@ -42,8 +42,6 @@ else
     MODES=("ecb" "cbc" "ctr" "cfb")
 fi
 
-echo "=== Running AES Algorithm Comparisons ==="
-
 # Run tests for each key size and mode
 for key_size in "${KEY_SIZES[@]}"; do
     for mode in "${MODES[@]}"; do
diff --git a/scripts/cmd_test/cmd-test-common.sh b/scripts/cmd_test/cmd-test-common.sh
index e4190c1d..bcd6a57a 100644
--- a/scripts/cmd_test/cmd-test-common.sh
+++ b/scripts/cmd_test/cmd-test-common.sh
@@ -17,78 +17,91 @@
 # You should have received a copy of the GNU General Public License
 # along with wolfProvider. If not, see <http://www.gnu.org/licenses/>.
 
-COMMON_SETUP_DONE=0
+# Global variables to store wolfProvider installation mode
+# Only initialize if not already set (allows parent script to export values)
+WOLFPROV_REPLACE_DEFAULT=${WOLFPROV_REPLACE_DEFAULT:-0}
+WOLFPROV_FIPS=${WOLFPROV_FIPS:-0}
+WOLFPROV_INSTALLED=${WOLFPROV_INSTALLED:-0}
+
+# Function to detect wolfProvider installation mode
+detect_wolfprovider_mode() {
+    if [ -z "${REPO_ROOT:-}" ]; then
+        REPO_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )"/../.. &> /dev/null && pwd )"
+    fi
 
-cmd_test_env_setup() {
-    # Fail flags
-    FAIL=0
-    FORCE_FAIL_PASSED=0
+    # Get OpenSSL version and initial provider info
+    local openssl_version=$(${OPENSSL_BIN} version 2>/dev/null)
+    local openssl_providers=$(${OPENSSL_BIN} list -providers 2>/dev/null)
 
-    if [ $COMMON_SETUP_DONE -ne 0 ]; then
-        echo "Setup already completed, skipping."
-        return
+    # Detect if wolfProvider is currently active
+    if echo "$openssl_providers" | grep -qi "wolfSSL Provider"; then
+        WOLFPROV_INSTALLED=1
+        echo "Detected: wolfProvider is currently active"
+    else
+        WOLFPROV_INSTALLED=0
+        echo "Detected: wolfProvider is not currently active"
     fi
 
-    local log_file_name=$1
-    SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
-    # Set up environment
-    export LOG_FILE="${SCRIPT_DIR}/${log_file_name}"
-    touch "$LOG_FILE"
-
-    # If OPENSSL_BIN is not set, assume we are using a local build
-    if [ -z "${OPENSSL_BIN:-}" ]; then
-        echo "OPENSSL_BIN not set, assuming local build"
-        # Check if the install directories exist
-        if [ ! -d "${REPO_ROOT}/openssl-install" ] || 
-        [ ! -d "${REPO_ROOT}/wolfssl-install" ]; then
-            echo "[FAIL] OpenSSL or wolfSSL install directories not found"
-            echo "Please set OPENSSL_BIN or run build-wolfprovider.sh first"
-            exit 1
-        fi
+    # Detect if FIPS mode is active
+    if echo "$openssl_providers" | grep -qi "wolfSSL Provider FIPS"; then
+        WOLFPROV_FIPS=1
+        echo "Detected: wolfProvider FIPS mode"
+    else
+        WOLFPROV_FIPS=0
+        echo "Detected: wolfProvider non-FIPS mode"
+    fi
 
-        # Setup the environment for a local build
-        source "${REPO_ROOT}/scripts/env-setup"
+    # Detect replace-default mode
+    if echo "$openssl_providers" | grep -q "default" && echo "$openssl_providers" | grep -qi "wolfSSL Provider"; then
+        WOLFPROV_REPLACE_DEFAULT=1
+        echo "Detected: wolfProvider installed in replace-default mode (provider: default)"
+    elif echo "$openssl_providers" | grep -qi "libwolfprov"; then
+        WOLFPROV_REPLACE_DEFAULT=0
+        echo "Detected: wolfProvider installed in non-replace-default mode (provider: libwolfprov)"
     else
-        echo "Using user-provided OPENSSL_BIN: ${OPENSSL_BIN}"
-        # We are using a user-provided OpenSSL binary, manually set the test
-        # environment variables rather than using env-setup.
-        # Find the location of the wolfProvider modules
-        if [ -z "${WOLFPROV_PATH:-}" ]; then
-            export WOLFPROV_PATH=$(find /usr/lib /usr/local/lib -type d -name ossl-modules 2>/dev/null | head -n 1)
-        fi
-        # Set the path to the wolfProvider config file
-        if [ -z "${WOLFPROV_CONFIG:-}" ]; then
-            if [ "${WOLFSSL_ISFIPS:-0}" = "1" ]; then
-                export WOLFPROV_CONFIG="${REPO_ROOT}/provider-fips.conf"
-            else
-                export WOLFPROV_CONFIG="${REPO_ROOT}/provider.conf"
-            fi  
-        fi
+        WOLFPROV_REPLACE_DEFAULT=0
+        echo "Detected: wolfProvider not in replace-default mode"
     fi
 
-    # Get the force fail parameter
-    if [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then
-        echo "Force fail mode enabled"
+    # Print detection summary
+    echo "wolfProvider mode detection:"
+    echo "  REPLACE_DEFAULT: $WOLFPROV_REPLACE_DEFAULT"
+    echo "  FIPS: $WOLFPROV_FIPS"
+    echo "  INSTALLED: $WOLFPROV_INSTALLED"
+}
+
+
+# Function to setup the environment for the command-line tests
+cmd_test_env_setup() {
+    # OPENSSL_BIN must be set by the caller
+    if [ -z "${OPENSSL_BIN:-}" ]; then
+        echo "Error: OPENSSL_BIN environment variable is not set"
+        exit 1
     fi
-    if [ "${WOLFSSL_ISFIPS}" = "1" ]; then
-        echo "FIPS mode enabled"
+
+    # Detect wolfProvider installation mode (only if not already detected)
+    if [ -z "${WOLFPROV_MODE_DETECTED:-}" ]; then
+        detect_wolfprovider_mode
+        export WOLFPROV_MODE_DETECTED=1
     fi
+}
 
-    # Print environment for verification
-    echo "Environment variables:"
-    echo "OPENSSL_MODULES: ${OPENSSL_MODULES}"
-    echo "OPENSSL_BIN: ${OPENSSL_BIN}"
-    echo "WOLFPROV_PATH: ${WOLFPROV_PATH}"
-    echo "WOLFPROV_CONFIG: ${WOLFPROV_CONFIG}"
-    echo "LOG_FILE: ${LOG_FILE}"
 
-    COMMON_SETUP_DONE=1
-}
+# Individual test setup (called by each test script)
+cmd_test_init() {
+    local log_file_name=$1
+    SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+
+    # Set up log file
+    export LOG_FILE="${SCRIPT_DIR}/${log_file_name}"
+    touch "$LOG_FILE"
 
-# Check if default provider is in use
-# Note that this may be wolfProvider if built as replace-default
-is_default_provider() {
-    return $($OPENSSL_BIN list -providers | grep -qi "default")
+    # Redirect all output to log file
+    exec > >(tee -a "$LOG_FILE") 2>&1
+
+    # Fail flags
+    FAIL=0
+    FORCE_FAIL_PASSED=0
 }
 
 # Function to use default provider only
@@ -96,36 +109,86 @@ use_default_provider() {
     unset OPENSSL_MODULES
     unset OPENSSL_CONF
 
-    # Verify that we are using the default provider
-    if ! is_default_provider; then
-        echo "FAIL: unable to switch to default provider"
-        $OPENSSL_BIN list -providers
-        exit 1
+    # Check if wolfProvider is in replace-default mode
+    if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then
+        echo "INFO: wolfProvider is installed in replace-default mode"
+        echo "INFO: wolfProvider IS the default provider and cannot be switched off"
+
+        # Verify that wolfProvider (as default) is active
+        local providers=$(${OPENSSL_BIN} list -providers 2>/dev/null)
+        if echo "$providers" | grep -q "default" && echo "$providers" | grep -qi "wolfSSL Provider"; then
+            echo "Using default provider (wolfProvider in replace-default mode)"
+        else
+            echo "FAIL: Expected wolfProvider as default, but provider list doesn't match"
+            echo "Provider list:"
+            echo "$providers"
+            exit 1
+        fi
+    else
+        # In non-replace-default mode, unsetting OPENSSL_MODULES should disable wolfProvider
+        echo "INFO: wolfProvider is installed in non-replace-default mode"
+
+        # Verify that we are using the OpenSSL default provider (not wolfProvider)
+        local providers=$(${OPENSSL_BIN} list -providers 2>/dev/null)
+        if echo "$providers" | grep -qi "libwolfprov"; then
+            echo "FAIL: unable to switch to default provider, wolfProvider is still active"
+            echo "Provider list:"
+            echo "$providers"
+            exit 1
+        fi
+
+        # Check if OpenSSL default provider is active
+        if echo "$providers" | grep -q "default" && echo "$providers" | grep -qi "OpenSSL Default Provider"; then
+            echo "Switched to default provider (OpenSSL)"
+        else
+            echo "FAIL: Expected OpenSSL Default Provider, but provider list doesn't match"
+            echo "Provider list:"
+            echo "$providers"
+            exit 1
+        fi
     fi
-    echo "Switched to default provider"
 }
 
-is_wolf_provider() {
-    return $($OPENSSL_BIN list -providers | grep -qi "wolfSSL Provider")
-}
 
 # Function to use wolf provider only
 use_wolf_provider() {
-    export OPENSSL_MODULES=$WOLFPROV_PATH
-    export OPENSSL_CONF=${WOLFPROV_CONFIG}
-
-    # Verify that we are using wolfProvider
-    if ! is_wolf_provider; then
-        echo "FAIL: unable to switch to wolfProvider"
-        $OPENSSL_BIN list -providers
-        exit 1
+    # Check if wolfProvider is in replace-default mode
+    if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then
+        # In replace-default mode, wolfProvider is already the default
+        # No need to set OPENSSL_MODULES or OPENSSL_CONF
+        echo "INFO: wolfProvider is installed in replace-default mode"
+        echo "INFO: wolfProvider is already active as the default provider"
+
+        # Verify that wolfProvider is active
+        local providers=$(${OPENSSL_BIN} list -providers 2>/dev/null)
+        if echo "$providers" | grep -qi "wolfSSL Provider"; then
+            echo "Using wolfProvider (replace-default mode)"
+        else
+            echo "FAIL: wolfProvider is not active"
+            echo "Provider list:"
+            echo "$providers"
+            exit 1
+        fi
+    else
+        # In non-replace-default mode, we need to set OPENSSL_MODULES and OPENSSL_CONF
+        echo "INFO: wolfProvider is installed in non-replace-default mode"
+        export OPENSSL_MODULES=$WOLFPROV_PATH
+        export OPENSSL_CONF=${WOLFPROV_CONFIG}
+
+        # Verify that we are using wolfProvider
+        local providers=$(${OPENSSL_BIN} list -providers 2>/dev/null)
+        if ! echo "$providers" | grep -qi "wolfprov"; then
+            echo "FAIL: unable to switch to wolfProvider, default provider is still active"
+            echo "Provider list:"
+            echo "$providers"
+            echo "OPENSSL_MODULES: $OPENSSL_MODULES"
+            echo "OPENSSL_CONF: $OPENSSL_CONF"
+            exit 1
+        fi
+        echo "Switched to wolfProvider"
     fi
-    echo "Switched to wolfProvider"
 }
 
-is_replace_default() {
-    return $($OPENSSL_BIN list -providers | grep -qi "wolfSSL Provider")
-}
 
 # Helper function to handle force fail checks
 check_force_fail() {
@@ -137,6 +200,7 @@ check_force_fail() {
     fi
 }
 
+
 # Helper function to get provider name from provider arguments
 get_provider_name() {
     local provider_args=$1
diff --git a/scripts/cmd_test/do-cmd-tests.sh b/scripts/cmd_test/do-cmd-tests.sh
index 63eec558..39e43f10 100755
--- a/scripts/cmd_test/do-cmd-tests.sh
+++ b/scripts/cmd_test/do-cmd-tests.sh
@@ -24,70 +24,217 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 REPO_ROOT="$( cd "${SCRIPT_DIR}/../.." &> /dev/null && pwd )"
 UTILS_DIR="${REPO_ROOT}/scripts"
 
+# Parse command-line arguments
+RUN_HASH=0
+RUN_AES=0
+RUN_RSA=0
+RUN_ECC=0
+RUN_REQ=0
+RUN_ALL=1
+
+show_help() {
+    cat << EOF
+Usage: $0 [OPTIONS] [TESTS]
+
+Run wolfProvider command-line tests with optional configuration flags.
+
+OPTIONS:
+    --help              Show this help message
+
+TESTS (if none specified, all tests run):
+    hash                Run hash comparison test
+    aes                 Run AES comparison test
+    rsa                 Run RSA key generation test
+    ecc                 Run ECC key generation test
+    req                 Run certificate request test
+
+ENVIRONMENT VARIABLES (env vars get detected from verify-install.sh):
+    OPENSSL_BIN         Path to OpenSSL binary (auto-detected if not set)
+    WOLFPROV_PATH       Path to wolfProvider modules directory
+    WOLFPROV_CONFIG     Path to wolfProvider config file
+    WOLFSSL_ISFIPS      Set to 1 for FIPS mode (or use --fips flag)
+    WOLFPROV_FORCE_FAIL Set to 1 for force-fail mode (or use --force-fail flag)
+
+EOF
+    exit 0
+}
+
+# Parse arguments
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --help|-h)
+            show_help
+            ;;
+        hash)
+            RUN_HASH=1
+            RUN_ALL=0
+            shift
+            ;;
+        aes)
+            RUN_AES=1
+            RUN_ALL=0
+            shift
+            ;;
+        rsa)
+            RUN_RSA=1
+            RUN_ALL=0
+            shift
+            ;;
+        ecc)
+            RUN_ECC=1
+            RUN_ALL=0
+            shift
+            ;;
+        req)
+            RUN_REQ=1
+            RUN_ALL=0
+            shift
+            ;;
+        *)
+            echo "Unknown option: $1"
+            echo "Use --help for usage information"
+            exit 1
+            ;;
+    esac
+done
+
+# If no specific tests were requested, run all tests
+if [ $RUN_ALL -eq 1 ]; then
+    RUN_HASH=1
+    RUN_AES=1
+    RUN_RSA=1
+    RUN_ECC=1
+    RUN_REQ=1
+fi
+
 source "${SCRIPT_DIR}/cmd-test-common.sh"
 cmd_test_env_setup
 
+echo "==========================================
+wolfProvider Command-Line Tests
+=========================================="
+echo ""
+echo "Running command-line test suite..."
+echo ""
+
+# Detect installation mode and setup environment
+cmd_test_env_setup
+
+echo ""
 echo "=== Running wolfProvider Command-Line Tests ==="
 echo "Using OPENSSL_BIN: ${OPENSSL_BIN}" 
 echo "Using WOLFPROV_PATH: ${WOLFPROV_PATH}"
 echo "Using WOLFPROV_CONFIG: ${WOLFPROV_CONFIG}"
+if [ "${WOLFSSL_ISFIPS}" = "1" ]; then
+    echo "FIPS mode: ENABLED"
+fi
+if [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then
+    echo "Force-fail mode: ENABLED"
+fi
+
+# Export detection variables for child scripts
+export WOLFPROV_REPLACE_DEFAULT
+export WOLFPROV_FIPS
+export WOLFPROV_INSTALLED
+export WOLFPROV_MODE_DETECTED
 
 # Ensure we can switch providers before proceeding
 use_default_provider
 use_wolf_provider
 
+# Initialize result variables
+HASH_RESULT=0
+AES_RESULT=0
+RSA_RESULT=0
+ECC_RESULT=0
+REQ_RESULT=0
+
 # Run the hash comparison test
-echo -e "\n=== Running Hash Comparison Test ==="
-"${REPO_ROOT}/scripts/cmd_test/hash-cmd-test.sh"
-HASH_RESULT=$?
+if [ $RUN_HASH -eq 1 ]; then
+    echo -e "\n=== Running Hash Comparison Test ==="
+    "${REPO_ROOT}/scripts/cmd_test/hash-cmd-test.sh"
+    HASH_RESULT=$?
+fi
 
 # Run the AES comparison test
-echo -e "\n=== Running AES Comparison Test ==="
-"${REPO_ROOT}/scripts/cmd_test/aes-cmd-test.sh"
-AES_RESULT=$?
+if [ $RUN_AES -eq 1 ]; then
+    echo -e "\n=== Running AES Comparison Test ==="
+    "${REPO_ROOT}/scripts/cmd_test/aes-cmd-test.sh"
+    AES_RESULT=$?
+fi
 
 # Run the RSA key generation test
-echo -e "\n=== Running RSA Key Generation Test ==="
-"${REPO_ROOT}/scripts/cmd_test/rsa-cmd-test.sh"
-RSA_RESULT=$?
+if [ $RUN_RSA -eq 1 ]; then
+    echo -e "\n=== Running RSA Key Generation Test ==="
+    "${REPO_ROOT}/scripts/cmd_test/rsa-cmd-test.sh"
+    RSA_RESULT=$?
+fi
 
 # Run the ECC key generation test
-echo -e "\n=== Running ECC Key Generation Test ==="
-"${REPO_ROOT}/scripts/cmd_test/ecc-cmd-test.sh"
-ECC_RESULT=$?
+if [ $RUN_ECC -eq 1 ]; then
+    echo -e "\n=== Running ECC Key Generation Test ==="
+    "${REPO_ROOT}/scripts/cmd_test/ecc-cmd-test.sh"
+    ECC_RESULT=$?
+fi
 
 # Run the Certificate Request test
-echo -e "\n=== Running Certificate Request Test ==="
-"${REPO_ROOT}/scripts/cmd_test/req-cmd-test.sh"
-REQ_RESULT=$?
+if [ $RUN_REQ -eq 1 ]; then
+    echo -e "\n=== Running Certificate Request Test ==="
+    "${REPO_ROOT}/scripts/cmd_test/req-cmd-test.sh"
+    REQ_RESULT=$?
+fi
 
 # Check results
-if [ $HASH_RESULT -eq 0 ] && [ $AES_RESULT -eq 0 ] && [ $RSA_RESULT -eq 0 ] && [ $ECC_RESULT -eq 0 ] && [ $REQ_RESULT -eq 0 ]; then
+ALL_PASSED=1
+if [ $RUN_HASH -eq 1 ] && [ $HASH_RESULT -ne 0 ]; then
+    ALL_PASSED=0
+fi
+if [ $RUN_AES -eq 1 ] && [ $AES_RESULT -ne 0 ]; then
+    ALL_PASSED=0
+fi
+if [ $RUN_RSA -eq 1 ] && [ $RSA_RESULT -ne 0 ]; then
+    ALL_PASSED=0
+fi
+if [ $RUN_ECC -eq 1 ] && [ $ECC_RESULT -ne 0 ]; then
+    ALL_PASSED=0
+fi
+if [ $RUN_REQ -eq 1 ] && [ $REQ_RESULT -ne 0 ]; then
+    ALL_PASSED=0
+fi
+
+if [ $ALL_PASSED -eq 1 ]; then
     echo -e "\n=== All Command-Line Tests Passed ==="
-    if [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then
-        echo "Force fail mode was enabled"
-    fi
-    if [ "${WOLFSSL_ISFIPS}" = "1" ]; then
-        echo "FIPS mode was enabled"
-    fi
-    echo "Hash Test Result: $HASH_RESULT (0=success)"
-    echo "AES Test Result: $AES_RESULT (0=success)"
-    echo "RSA Test Result: $RSA_RESULT (0=success)"
-    echo "ECC Test Result: $ECC_RESULT (0=success)"
-    echo "REQ Test Result: $REQ_RESULT (0=success)"
-    exit 0
 else
     echo -e "\n=== Command-Line Tests Failed ==="
-    if [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then
-        echo "Force fail mode was enabled"
-    fi
-    if [ "${WOLFSSL_ISFIPS}" = "1" ]; then
-        echo "FIPS mode was enabled"
-    fi
+fi
+
+# Print configuration
+if [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then
+    echo "Force fail mode was enabled"
+fi
+if [ "${WOLFSSL_ISFIPS}" = "1" ]; then
+    echo "FIPS mode was enabled"
+fi
+if [ "${WOLFPROV_REPLACE_DEFAULT}" = "1" ]; then
+    echo "Replace-default mode was enabled"
+fi
+
+# Print test results (only for tests that were run)
+echo ""
+if [ $RUN_HASH -eq 1 ]; then
     echo "Hash Test Result: $HASH_RESULT (0=success)"
+fi
+if [ $RUN_AES -eq 1 ]; then
     echo "AES Test Result: $AES_RESULT (0=success)"
+fi
+if [ $RUN_RSA -eq 1 ]; then
     echo "RSA Test Result: $RSA_RESULT (0=success)"
+fi
+if [ $RUN_ECC -eq 1 ]; then
     echo "ECC Test Result: $ECC_RESULT (0=success)"
+fi
+if [ $RUN_REQ -eq 1 ]; then
     echo "REQ Test Result: $REQ_RESULT (0=success)"
-    exit 1
 fi
+
+exit $((1 - ALL_PASSED))
diff --git a/scripts/cmd_test/ecc-cmd-test.sh b/scripts/cmd_test/ecc-cmd-test.sh
index 31182f46..7313603f 100755
--- a/scripts/cmd_test/ecc-cmd-test.sh
+++ b/scripts/cmd_test/ecc-cmd-test.sh
@@ -2,6 +2,9 @@
 # ecc-cmd-test.sh
 # ECC key generation test for wolfProvider
 #
+# NOTE: This script is designed to be called from do-cmd-tests.sh
+# Do not run this script directly - use do-cmd-tests.sh instead
+#
 # Copyright (C) 2006-2025 wolfSSL Inc.
 #
 # This file is part of wolfProvider.
@@ -22,12 +25,9 @@
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 source "${SCRIPT_DIR}/cmd-test-common.sh"
 source "${SCRIPT_DIR}/clean-cmd-test.sh"
-cmd_test_env_setup "ecc-test.log"
+cmd_test_init "ecc-test.log"
 clean_cmd_test "ecc"
 
-# Redirect all output to log file
-exec > >(tee -a "$LOG_FILE") 2>&1
-
 # Create test data and output directories
 mkdir -p ecc_outputs
 echo "This is test data for ECC signing and verification." > ecc_outputs/test_data.txt
@@ -36,8 +36,6 @@ echo "This is test data for ECC signing and verification." > ecc_outputs/test_da
 CURVES=("prime256v1" "secp384r1" "secp521r1")
 PROVIDER_ARGS=("-provider-path $WOLFPROV_PATH -provider libwolfprov" "-provider default")
 
-echo "=== Running ECC Key Generation Tests ==="
-
 # Function to validate key
 validate_key() {
     local curve=$1
diff --git a/scripts/cmd_test/hash-cmd-test.sh b/scripts/cmd_test/hash-cmd-test.sh
index 512220e8..96b47512 100755
--- a/scripts/cmd_test/hash-cmd-test.sh
+++ b/scripts/cmd_test/hash-cmd-test.sh
@@ -2,6 +2,9 @@
 # hash-cmd-test.sh
 # Run hash command-line tests for wolfProvider
 #
+# NOTE: This script is designed to be called from do-cmd-tests.sh
+# Do not run this script directly - use do-cmd-tests.sh instead
+#
 # Copyright (C) 2006-2025 wolfSSL Inc.
 #
 # This file is part of wolfProvider.
@@ -22,12 +25,9 @@
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 source "${SCRIPT_DIR}/cmd-test-common.sh"
 source "${SCRIPT_DIR}/clean-cmd-test.sh"
-cmd_test_env_setup "hash-test.log"
+cmd_test_init "hash-test.log"
 clean_cmd_test "hash"
 
-# Redirect all output to log file
-exec > >(tee -a "$LOG_FILE") 2>&1
-
 # Create test data and output directories
 mkdir -p hash_outputs
 echo "This is test data for hash cmd test." > hash_outputs/test_data.txt
@@ -35,8 +35,6 @@ echo "This is test data for hash cmd test." > hash_outputs/test_data.txt
 # Array of hash algorithms to test
 HASH_ALGOS=("sha1" "sha224" "sha256" "sha384" "sha512")
 
-echo "=== Running Hash Algorithm Comparisons ==="
-
 # Function to run hash test with specified provider options
 run_hash_test() {
     local algo="$1"
diff --git a/scripts/cmd_test/req-cmd-test.sh b/scripts/cmd_test/req-cmd-test.sh
index 39935884..18b03794 100755
--- a/scripts/cmd_test/req-cmd-test.sh
+++ b/scripts/cmd_test/req-cmd-test.sh
@@ -1,21 +1,39 @@
 #!/bin/bash
-# req-cmd-test.sh - Certificate request test for wolfProvider
+# req-cmd-test.sh
+# Certificate request test for wolfProvider
+#
+# NOTE: This script is designed to be called from do-cmd-tests.sh
+# Do not run this script directly - use do-cmd-tests.sh instead
+#
+# Copyright (C) 2006-2025 wolfSSL Inc.
+#
+# This file is part of wolfProvider.
+#
+# wolfProvider is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# wolfProvider is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with wolfProvider. If not, see <http://www.gnu.org/licenses/>.
 
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 source "${SCRIPT_DIR}/cmd-test-common.sh"
 source "${SCRIPT_DIR}/clean-cmd-test.sh"
-cmd_test_env_setup "req-test.log"
+cmd_test_init "req-test.log"
 clean_cmd_test "req"
 
-exec > >(tee -a "$LOG_FILE") 2>&1
 mkdir -p req_outputs
 
 CURVES=("prime256v1" "secp384r1" "secp521r1") 
 HASH_ALGORITHMS=("sha256" "sha384" "sha512")
 PROVIDER_ARGS=("-provider-path $WOLFPROV_PATH -provider libwolfprov" "-provider default")
 
-echo "=== Running Certificate Request (X.509) Tests ==="
-
 # Skip tests for FIPS mode (unless force-failing)
 if [ "${WOLFSSL_ISFIPS}" = "1" ] && [ "${WOLFPROV_FORCE_FAIL}" != "1" ]; then
     echo "INFO: FIPS mode detected"
diff --git a/scripts/cmd_test/rsa-cmd-test.sh b/scripts/cmd_test/rsa-cmd-test.sh
index f56a0f83..c680870a 100755
--- a/scripts/cmd_test/rsa-cmd-test.sh
+++ b/scripts/cmd_test/rsa-cmd-test.sh
@@ -2,6 +2,9 @@
 # rsa-cmd-test.sh
 # RSA and RSA-PSS key generation test for wolfProvider
 #
+# NOTE: This script is designed to be called from do-cmd-tests.sh
+# Do not run this script directly - use do-cmd-tests.sh instead
+#
 # Copyright (C) 2006-2025 wolfSSL Inc.
 #
 # This file is part of wolfProvider.
@@ -22,12 +25,9 @@
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 source "${SCRIPT_DIR}/cmd-test-common.sh"
 source "${SCRIPT_DIR}/clean-cmd-test.sh"
-cmd_test_env_setup "rsa-test.log"
+cmd_test_init "rsa-test.log"
 clean_cmd_test "rsa"
 
-# Redirect all output to log file
-exec > >(tee -a "$LOG_FILE") 2>&1
-
 # Create test data and output directories
 mkdir -p rsa_outputs
 echo "This is test data for RSA signing and verification." > rsa_outputs/test_data.txt
@@ -40,6 +40,20 @@ PROVIDER_ARGS=("-provider-path $WOLFPROV_PATH -provider libwolfprov" "-provider
 WOLFPROV_FORCE_FAIL=${WOLFPROV_FORCE_FAIL:-0}
 
 echo "=== Running RSA Key Generation Tests ==="
+OPENSSL_BIN=${OPENSSL_BIN:-openssl}
+
+rsa_check_force_fail() {
+    local openssl_providers=$($OPENSSL_BIN list -providers)
+    is_openssl_default_provider=$(echo "$openssl_providers" | grep -qi "OpenSSL Default Provider" && echo 1 || echo 0)
+    if [ $is_openssl_default_provider -eq 1 ]; then
+        # With the OpenSSL provider, don't expect failures
+        echo "OPENSSL Default provider active, no forced failures expected."
+    elif [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then
+        echo "[PASS] Test passed when force fail was enabled"
+        FORCE_FAIL_PASSED=1
+        exit 1
+    fi
+}
 
 # Function to validate key
 validate_key() {
@@ -327,7 +341,7 @@ for key_type in "${KEY_TYPES[@]}"; do
 
             # If WPFF is set, we need to run again to actually create the 
             # key files
-            if [ $WOLFPROV_FORCE_FAIL -ne 0 ]; then
+            if [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then
                 WOLFPROV_FORCE_FAIL=0
                 generate_and_test_key "$key_type" "$key_size" "$test_provider"
                 WOLFPROV_FORCE_FAIL=1

From 391e8b612f118d2f719d5f99f993f3f455ef66c1 Mon Sep 17 00:00:00 2001
From: Paul Adelsbach <paul.adelsbach@wolfssl.com>
Date: Thu, 13 Nov 2025 15:21:03 -0800
Subject: [PATCH 2/3] Enforce sub-scripts are not called directly

---
 scripts/cmd_test/aes-cmd-test.sh    | 10 +++++++---
 scripts/cmd_test/clean-cmd-test.sh  |  6 ++++++
 scripts/cmd_test/cmd-test-common.sh |  6 ++++++
 scripts/cmd_test/do-cmd-tests.sh    |  3 +++
 scripts/cmd_test/ecc-cmd-test.sh    | 10 +++++++---
 scripts/cmd_test/hash-cmd-test.sh   | 10 +++++++---
 scripts/cmd_test/req-cmd-test.sh    | 10 +++++++---
 scripts/cmd_test/rsa-cmd-test.sh    |  9 ++++++---
 8 files changed, 49 insertions(+), 15 deletions(-)

diff --git a/scripts/cmd_test/aes-cmd-test.sh b/scripts/cmd_test/aes-cmd-test.sh
index bdaf51ae..6285aedc 100755
--- a/scripts/cmd_test/aes-cmd-test.sh
+++ b/scripts/cmd_test/aes-cmd-test.sh
@@ -2,9 +2,6 @@
 # aes-cmd-test.sh
 # AES encryption test for wolfProvider
 #
-# NOTE: This script is designed to be called from do-cmd-tests.sh
-# Do not run this script directly - use do-cmd-tests.sh instead
-#
 # Copyright (C) 2006-2025 wolfSSL Inc.
 #
 # This file is part of wolfProvider.
@@ -25,6 +22,13 @@
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 source "${SCRIPT_DIR}/cmd-test-common.sh"
 source "${SCRIPT_DIR}/clean-cmd-test.sh"
+
+if [ -z "${DO_CMD_TESTS:-}" ]; then
+    echo "This script is designed to be called from do-cmd-tests.sh"
+    echo "Do not run this script directly - use do-cmd-tests.sh instead"
+    exit 1
+fi
+
 cmd_test_init "aes-test.log"
 clean_cmd_test "aes"
 
diff --git a/scripts/cmd_test/clean-cmd-test.sh b/scripts/cmd_test/clean-cmd-test.sh
index 785388a7..ea416840 100755
--- a/scripts/cmd_test/clean-cmd-test.sh
+++ b/scripts/cmd_test/clean-cmd-test.sh
@@ -17,6 +17,12 @@
 # You should have received a copy of the GNU General Public License
 # along with wolfProvider. If not, see <http://www.gnu.org/licenses/>.
 
+if [ -z "${DO_CMD_TESTS:-}" ]; then
+    echo "This script is designed to be called from do-cmd-tests.sh"
+    echo "Do not run this script directly - use do-cmd-tests.sh instead"
+    exit 1
+fi
+
 # Function to clean up specific command test artifacts
 clean_cmd_test() {
     local test_type=$1
diff --git a/scripts/cmd_test/cmd-test-common.sh b/scripts/cmd_test/cmd-test-common.sh
index bcd6a57a..16a212c9 100644
--- a/scripts/cmd_test/cmd-test-common.sh
+++ b/scripts/cmd_test/cmd-test-common.sh
@@ -23,6 +23,12 @@ WOLFPROV_REPLACE_DEFAULT=${WOLFPROV_REPLACE_DEFAULT:-0}
 WOLFPROV_FIPS=${WOLFPROV_FIPS:-0}
 WOLFPROV_INSTALLED=${WOLFPROV_INSTALLED:-0}
 
+if [ -z "${DO_CMD_TESTS:-}" ]; then
+    echo "This script is designed to be called from do-cmd-tests.sh"
+    echo "Do not run this script directly - use do-cmd-tests.sh instead"
+    exit 1
+fi
+
 # Function to detect wolfProvider installation mode
 detect_wolfprovider_mode() {
     if [ -z "${REPO_ROOT:-}" ]; then
diff --git a/scripts/cmd_test/do-cmd-tests.sh b/scripts/cmd_test/do-cmd-tests.sh
index 39e43f10..1660584a 100755
--- a/scripts/cmd_test/do-cmd-tests.sh
+++ b/scripts/cmd_test/do-cmd-tests.sh
@@ -24,6 +24,9 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 REPO_ROOT="$( cd "${SCRIPT_DIR}/../.." &> /dev/null && pwd )"
 UTILS_DIR="${REPO_ROOT}/scripts"
 
+# Flag to indicate that this script is being called from do-cmd-tests.sh
+export DO_CMD_TESTS=1
+
 # Parse command-line arguments
 RUN_HASH=0
 RUN_AES=0
diff --git a/scripts/cmd_test/ecc-cmd-test.sh b/scripts/cmd_test/ecc-cmd-test.sh
index 7313603f..01778719 100755
--- a/scripts/cmd_test/ecc-cmd-test.sh
+++ b/scripts/cmd_test/ecc-cmd-test.sh
@@ -2,9 +2,6 @@
 # ecc-cmd-test.sh
 # ECC key generation test for wolfProvider
 #
-# NOTE: This script is designed to be called from do-cmd-tests.sh
-# Do not run this script directly - use do-cmd-tests.sh instead
-#
 # Copyright (C) 2006-2025 wolfSSL Inc.
 #
 # This file is part of wolfProvider.
@@ -25,6 +22,13 @@
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 source "${SCRIPT_DIR}/cmd-test-common.sh"
 source "${SCRIPT_DIR}/clean-cmd-test.sh"
+
+if [ -z "${DO_CMD_TESTS:-}" ]; then
+    echo "This script is designed to be called from do-cmd-tests.sh"
+    echo "Do not run this script directly - use do-cmd-tests.sh instead"
+    exit 1
+fi
+
 cmd_test_init "ecc-test.log"
 clean_cmd_test "ecc"
 
diff --git a/scripts/cmd_test/hash-cmd-test.sh b/scripts/cmd_test/hash-cmd-test.sh
index 96b47512..f288bd9e 100755
--- a/scripts/cmd_test/hash-cmd-test.sh
+++ b/scripts/cmd_test/hash-cmd-test.sh
@@ -2,9 +2,6 @@
 # hash-cmd-test.sh
 # Run hash command-line tests for wolfProvider
 #
-# NOTE: This script is designed to be called from do-cmd-tests.sh
-# Do not run this script directly - use do-cmd-tests.sh instead
-#
 # Copyright (C) 2006-2025 wolfSSL Inc.
 #
 # This file is part of wolfProvider.
@@ -25,6 +22,13 @@
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 source "${SCRIPT_DIR}/cmd-test-common.sh"
 source "${SCRIPT_DIR}/clean-cmd-test.sh"
+
+if [ -z "${DO_CMD_TESTS:-}" ]; then
+    echo "This script is designed to be called from do-cmd-tests.sh"
+    echo "Do not run this script directly - use do-cmd-tests.sh instead"
+    exit 1
+fi
+
 cmd_test_init "hash-test.log"
 clean_cmd_test "hash"
 
diff --git a/scripts/cmd_test/req-cmd-test.sh b/scripts/cmd_test/req-cmd-test.sh
index 18b03794..dcb5ebe8 100755
--- a/scripts/cmd_test/req-cmd-test.sh
+++ b/scripts/cmd_test/req-cmd-test.sh
@@ -2,9 +2,6 @@
 # req-cmd-test.sh
 # Certificate request test for wolfProvider
 #
-# NOTE: This script is designed to be called from do-cmd-tests.sh
-# Do not run this script directly - use do-cmd-tests.sh instead
-#
 # Copyright (C) 2006-2025 wolfSSL Inc.
 #
 # This file is part of wolfProvider.
@@ -25,6 +22,13 @@
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 source "${SCRIPT_DIR}/cmd-test-common.sh"
 source "${SCRIPT_DIR}/clean-cmd-test.sh"
+
+if [ -z "${DO_CMD_TESTS:-}" ]; then
+    echo "This script is designed to be called from do-cmd-tests.sh"
+    echo "Do not run this script directly - use do-cmd-tests.sh instead"
+    exit 1
+fi
+
 cmd_test_init "req-test.log"
 clean_cmd_test "req"
 
diff --git a/scripts/cmd_test/rsa-cmd-test.sh b/scripts/cmd_test/rsa-cmd-test.sh
index c680870a..da9a2e05 100755
--- a/scripts/cmd_test/rsa-cmd-test.sh
+++ b/scripts/cmd_test/rsa-cmd-test.sh
@@ -2,9 +2,6 @@
 # rsa-cmd-test.sh
 # RSA and RSA-PSS key generation test for wolfProvider
 #
-# NOTE: This script is designed to be called from do-cmd-tests.sh
-# Do not run this script directly - use do-cmd-tests.sh instead
-#
 # Copyright (C) 2006-2025 wolfSSL Inc.
 #
 # This file is part of wolfProvider.
@@ -28,6 +25,12 @@ source "${SCRIPT_DIR}/clean-cmd-test.sh"
 cmd_test_init "rsa-test.log"
 clean_cmd_test "rsa"
 
+if [ -z "${DO_CMD_TESTS:-}" ]; then
+    echo "This script is designed to be called from do-cmd-tests.sh"
+    echo "Do not run this script directly - use do-cmd-tests.sh instead"
+    exit 1
+fi
+
 # Create test data and output directories
 mkdir -p rsa_outputs
 echo "This is test data for RSA signing and verification." > rsa_outputs/test_data.txt

From dab9f79cbb3f36275c31b2adcc6b8ba997b0e7e4 Mon Sep 17 00:00:00 2001
From: Paul Adelsbach <paul.adelsbach@wolfssl.com>
Date: Thu, 13 Nov 2025 15:58:29 -0800
Subject: [PATCH 3/3] Unify script code

---
 .github/workflows/debian-package.yml |  22 +---
 .gitignore                           |   6 +-
 debian/install-wolfprov.sh           |   2 +-
 scripts/cmd_test/aes-cmd-test.sh     |  18 +--
 scripts/cmd_test/cmd-test-common.sh  | 163 +++++++++------------------
 scripts/cmd_test/do-cmd-tests.sh     |  19 +---
 scripts/cmd_test/ecc-cmd-test.sh     |  55 ++++-----
 scripts/cmd_test/hash-cmd-test.sh    |  15 +--
 scripts/cmd_test/req-cmd-test.sh     |  42 +++----
 scripts/cmd_test/rsa-cmd-test.sh     |  60 ++++------
 scripts/utils-general.sh             |  90 +++++++++------
 scripts/verify-install.sh            |  14 +--
 12 files changed, 203 insertions(+), 303 deletions(-)

diff --git a/.github/workflows/debian-package.yml b/.github/workflows/debian-package.yml
index 0a13051d..4ce8508f 100644
--- a/.github/workflows/debian-package.yml
+++ b/.github/workflows/debian-package.yml
@@ -82,31 +82,11 @@ jobs:
             ${{ matrix.fips_ref == 'FIPS' && '--fips' || '' }}
 
       - name: Test OpenSSL provider functionality
+        shell: bash
         run: |
-          WOLFPROV_CONF_BACKUP="/tmp/wolfprovider.conf.backup"
-
-          # Temporarily move wolfprovider config so we can toggle between providers
-          echo "Temporarily disabling wolfprovider for default provider tests:"
-          mkdir -p /tmp/openssl-test
-          if [ -f $WOLFPROV_CONF_FILE ]; then
-            mv $WOLFPROV_CONF_FILE $WOLFPROV_CONF_BACKUP
-            echo "   - Moved $WOLFPROV_CONF_FILE to $WOLFPROV_CONF_BACKUP"
-          else
-            echo "$WOLFPROV_CONF_FILE not found!"
-            exit 1
-          fi
-
           # Run the do-cmd-test.sh script to execute interoperability tests
           echo "Running OpenSSL provider interoperability tests..."
           OPENSSL_BIN=$(eval which openssl) ${{ matrix.force_fail }} ${{ matrix.fips_ref == 'FIPS' && 'WOLFSSL_ISFIPS=1' || '' }} ./scripts/cmd_test/do-cmd-tests.sh
-
-          # Restore wolfprovider configuration
-          echo "Restoring wolfprovider configuration:"
-          if [ -f $WOLFPROV_CONF_BACKUP ]; then
-            mv $WOLFPROV_CONF_BACKUP $WOLFPROV_CONF_FILE
-            echo "   - Restored $WOLFPROV_CONF_FILE from $WOLFPROV_CONF_BACKUP"
-          fi
-
           echo "PASS: All provider interoperability tests successful"
 
       - name: Uninstall package and verify cleanup
diff --git a/.gitignore b/.gitignore
index ab42bdd7..4d7f623e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -84,8 +84,12 @@ test/**/*.trs
 test/**/*.o
 test/**/.deps/
 test/**/.dirstamp
+aes_outputs
+ecc_outputs
+hash_outputs
 req_outputs
-scripts/cmd_test/req-test.log
+rsa_outputs
+scripts/cmd_test/*.log
 
 IDE/Android/android-ndk-r26b/
 IDE/Android/openssl-source/
diff --git a/debian/install-wolfprov.sh b/debian/install-wolfprov.sh
index bf51ddda..1aa4f53b 100755
--- a/debian/install-wolfprov.sh
+++ b/debian/install-wolfprov.sh
@@ -188,7 +188,7 @@ main() {
         exit 1
     fi
 
-    if [ -n "output_dir" ]; then
+    if [ -n "$output_dir" ]; then
         output_dir=$(realpath $output_dir)
     fi
 
diff --git a/scripts/cmd_test/aes-cmd-test.sh b/scripts/cmd_test/aes-cmd-test.sh
index 6285aedc..ef4782de 100755
--- a/scripts/cmd_test/aes-cmd-test.sh
+++ b/scripts/cmd_test/aes-cmd-test.sh
@@ -19,9 +19,9 @@
 # You should have received a copy of the GNU General Public License
 # along with wolfProvider. If not, see <http://www.gnu.org/licenses/>.
 
-SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
-source "${SCRIPT_DIR}/cmd-test-common.sh"
-source "${SCRIPT_DIR}/clean-cmd-test.sh"
+CMD_TEST_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+source "${CMD_TEST_DIR}/cmd-test-common.sh"
+source "${CMD_TEST_DIR}/clean-cmd-test.sh"
 
 if [ -z "${DO_CMD_TESTS:-}" ]; then
     echo "This script is designed to be called from do-cmd-tests.sh"
@@ -69,14 +69,16 @@ for key_size in "${KEY_SIZES[@]}"; do
         echo "Interop testing (encrypt with default, decrypt with wolfProvider):"
         
         # Encryption with OpenSSL default provider
-        if ! $OPENSSL_BIN enc -aes-${key_size}-${mode} -K "$key" $iv -provider default \
+        use_default_provider
+        if ! $OPENSSL_BIN enc -aes-${key_size}-${mode} -K "$key" $iv \
             -in aes_outputs/test_data.txt -out "$enc_file" -p; then
             echo "[FAIL] Interop AES-${key_size}-${mode}: OpenSSL encrypt failed"
             FAIL=1
         fi
         
         # Decryption with wolfProvider
-        if ! $OPENSSL_BIN enc -aes-${key_size}-${mode} -K "$key" $iv -provider-path "$WOLFPROV_PATH" -provider libwolfprov \
+        use_wolf_provider
+        if ! $OPENSSL_BIN enc -aes-${key_size}-${mode} -K "$key" $iv \
             -in "$enc_file" -out "$dec_file" -d -p; then
             echo "[FAIL] Interop AES-${key_size}-${mode}: wolfProvider decrypt failed"
             FAIL=1
@@ -98,14 +100,16 @@ for key_size in "${KEY_SIZES[@]}"; do
         echo "Interop testing (encrypt with wolfProvider, decrypt with default):"
         
         # Encryption with wolfProvider
-        if ! $OPENSSL_BIN enc -aes-${key_size}-${mode} -K "$key" $iv -provider-path "$WOLFPROV_PATH" -provider libwolfprov \
+        use_wolf_provider
+        if ! $OPENSSL_BIN enc -aes-${key_size}-${mode} -K "$key" $iv \
             -in aes_outputs/test_data.txt -out "$enc_file" -p; then
             echo "[FAIL] Interop AES-${key_size}-${mode}: wolfProvider encrypt failed"
             FAIL=1
         fi
         
         # Decryption with OpenSSL default provider
-        if ! $OPENSSL_BIN enc -aes-${key_size}-${mode} -K "$key" $iv -provider default \
+        use_default_provider
+        if ! $OPENSSL_BIN enc -aes-${key_size}-${mode} -K "$key" $iv \
             -in "$enc_file" -out "$dec_file" -d -p; then
             echo "[FAIL] Interop AES-${key_size}-${mode}: OpenSSL decrypt failed"
             FAIL=1
diff --git a/scripts/cmd_test/cmd-test-common.sh b/scripts/cmd_test/cmd-test-common.sh
index 16a212c9..910eb01c 100644
--- a/scripts/cmd_test/cmd-test-common.sh
+++ b/scripts/cmd_test/cmd-test-common.sh
@@ -19,9 +19,6 @@
 
 # Global variables to store wolfProvider installation mode
 # Only initialize if not already set (allows parent script to export values)
-WOLFPROV_REPLACE_DEFAULT=${WOLFPROV_REPLACE_DEFAULT:-0}
-WOLFPROV_FIPS=${WOLFPROV_FIPS:-0}
-WOLFPROV_INSTALLED=${WOLFPROV_INSTALLED:-0}
 
 if [ -z "${DO_CMD_TESTS:-}" ]; then
     echo "This script is designed to be called from do-cmd-tests.sh"
@@ -29,77 +26,26 @@ if [ -z "${DO_CMD_TESTS:-}" ]; then
     exit 1
 fi
 
-# Function to detect wolfProvider installation mode
-detect_wolfprovider_mode() {
-    if [ -z "${REPO_ROOT:-}" ]; then
-        REPO_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )"/../.. &> /dev/null && pwd )"
-    fi
-
-    # Get OpenSSL version and initial provider info
-    local openssl_version=$(${OPENSSL_BIN} version 2>/dev/null)
-    local openssl_providers=$(${OPENSSL_BIN} list -providers 2>/dev/null)
-
-    # Detect if wolfProvider is currently active
-    if echo "$openssl_providers" | grep -qi "wolfSSL Provider"; then
-        WOLFPROV_INSTALLED=1
-        echo "Detected: wolfProvider is currently active"
-    else
-        WOLFPROV_INSTALLED=0
-        echo "Detected: wolfProvider is not currently active"
-    fi
-
-    # Detect if FIPS mode is active
-    if echo "$openssl_providers" | grep -qi "wolfSSL Provider FIPS"; then
-        WOLFPROV_FIPS=1
-        echo "Detected: wolfProvider FIPS mode"
-    else
-        WOLFPROV_FIPS=0
-        echo "Detected: wolfProvider non-FIPS mode"
-    fi
-
-    # Detect replace-default mode
-    if echo "$openssl_providers" | grep -q "default" && echo "$openssl_providers" | grep -qi "wolfSSL Provider"; then
-        WOLFPROV_REPLACE_DEFAULT=1
-        echo "Detected: wolfProvider installed in replace-default mode (provider: default)"
-    elif echo "$openssl_providers" | grep -qi "libwolfprov"; then
-        WOLFPROV_REPLACE_DEFAULT=0
-        echo "Detected: wolfProvider installed in non-replace-default mode (provider: libwolfprov)"
-    else
-        WOLFPROV_REPLACE_DEFAULT=0
-        echo "Detected: wolfProvider not in replace-default mode"
-    fi
-
-    # Print detection summary
-    echo "wolfProvider mode detection:"
-    echo "  REPLACE_DEFAULT: $WOLFPROV_REPLACE_DEFAULT"
-    echo "  FIPS: $WOLFPROV_FIPS"
-    echo "  INSTALLED: $WOLFPROV_INSTALLED"
-}
-
+CMD_TEST_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+source "${CMD_TEST_DIR}/../utils-general.sh"
 
 # Function to setup the environment for the command-line tests
 cmd_test_env_setup() {
-    # OPENSSL_BIN must be set by the caller
-    if [ -z "${OPENSSL_BIN:-}" ]; then
-        echo "Error: OPENSSL_BIN environment variable is not set"
-        exit 1
-    fi
+    export OPENSSL_BIN=${OPENSSL_BIN:-$(which openssl)}
+    printf "Using OPENSSL_BIN: %s\n" "$OPENSSL_BIN"
 
-    # Detect wolfProvider installation mode (only if not already detected)
-    if [ -z "${WOLFPROV_MODE_DETECTED:-}" ]; then
-        detect_wolfprovider_mode
-        export WOLFPROV_MODE_DETECTED=1
-    fi
+    OPENSSL_CONF_ORIG="${OPENSSL_CONF:-}"
+    OPENSSL_MODULES_ORIG="${OPENSSL_MODULES:-}"
 }
 
 
 # Individual test setup (called by each test script)
 cmd_test_init() {
     local log_file_name=$1
-    SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+    CMD_TEST_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 
     # Set up log file
-    export LOG_FILE="${SCRIPT_DIR}/${log_file_name}"
+    export LOG_FILE="${CMD_TEST_DIR}/${log_file_name}"
     touch "$LOG_FILE"
 
     # Redirect all output to log file
@@ -110,24 +56,30 @@ cmd_test_init() {
     FORCE_FAIL_PASSED=0
 }
 
+
 # Function to use default provider only
 use_default_provider() {
-    unset OPENSSL_MODULES
-    unset OPENSSL_CONF
+    return 0
+
+    if [ -z "${OPENSSL_CONF_ORIG:-}" ]; then
+        export OPENSSL_CONF="/dev/null"
+        export OPENSSL_MODULES="/dev/null"
+    else
+        unset OPENSSL_CONF
+        unset OPENSSL_MODULES
+    fi
+    detect_wolfprovider_mode
 
     # Check if wolfProvider is in replace-default mode
-    if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then
+    if [ "$is_openssl_replace_default" = "1" ]; then
         echo "INFO: wolfProvider is installed in replace-default mode"
         echo "INFO: wolfProvider IS the default provider and cannot be switched off"
 
         # Verify that wolfProvider (as default) is active
-        local providers=$(${OPENSSL_BIN} list -providers 2>/dev/null)
-        if echo "$providers" | grep -q "default" && echo "$providers" | grep -qi "wolfSSL Provider"; then
+		if [ "$is_wp_active" = "1" ] && [ "$is_wp_default" = "1" ]; then
             echo "Using default provider (wolfProvider in replace-default mode)"
         else
-            echo "FAIL: Expected wolfProvider as default, but provider list doesn't match"
-            echo "Provider list:"
-            echo "$providers"
+            echo "FAIL: Expected wolfProvider as default, but is_wp_active: $is_wp_active and is_wp_default: $is_wp_default"
             exit 1
         fi
     else
@@ -135,84 +87,81 @@ use_default_provider() {
         echo "INFO: wolfProvider is installed in non-replace-default mode"
 
         # Verify that we are using the OpenSSL default provider (not wolfProvider)
-        local providers=$(${OPENSSL_BIN} list -providers 2>/dev/null)
-        if echo "$providers" | grep -qi "libwolfprov"; then
+        if [ "$is_openssl_default_provider" != "1" ]; then
             echo "FAIL: unable to switch to default provider, wolfProvider is still active"
-            echo "Provider list:"
-            echo "$providers"
-            exit 1
-        fi
-
-        # Check if OpenSSL default provider is active
-        if echo "$providers" | grep -q "default" && echo "$providers" | grep -qi "OpenSSL Default Provider"; then
-            echo "Switched to default provider (OpenSSL)"
-        else
-            echo "FAIL: Expected OpenSSL Default Provider, but provider list doesn't match"
-            echo "Provider list:"
-            echo "$providers"
+            echo "is_openssl_default_provider: $is_openssl_default_provider"
             exit 1
         fi
+        echo "INFO: Switched to default provider (OpenSSL)"
     fi
 }
 
 
 # Function to use wolf provider only
 use_wolf_provider() {
+    return 0
+
+    if [ -z "${OPENSSL_CONF_ORIG:-}" ]; then
+        unset OPENSSL_CONF
+        unset OPENSSL_MODULES
+    else 
+        export OPENSSL_CONF="${OPENSSL_CONF_ORIG:-}"
+        export OPENSSL_MODULES="${OPENSSL_MODULES_ORIG:-}"
+    fi
+    detect_wolfprovider_mode
+
     # Check if wolfProvider is in replace-default mode
-    if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then
+    if [ "$is_openssl_replace_default" = "1" ]; then
         # In replace-default mode, wolfProvider is already the default
         # No need to set OPENSSL_MODULES or OPENSSL_CONF
         echo "INFO: wolfProvider is installed in replace-default mode"
         echo "INFO: wolfProvider is already active as the default provider"
 
         # Verify that wolfProvider is active
-        local providers=$(${OPENSSL_BIN} list -providers 2>/dev/null)
-        if echo "$providers" | grep -qi "wolfSSL Provider"; then
+		if [ "$is_wp_active" = "1" ] && [ "$is_wp_default" = "1" ]; then
             echo "Using wolfProvider (replace-default mode)"
         else
             echo "FAIL: wolfProvider is not active"
-            echo "Provider list:"
-            echo "$providers"
+            echo "is_wp_active: $is_wp_active"
+            echo "is_wp_default: $is_wp_default"
             exit 1
         fi
     else
         # In non-replace-default mode, we need to set OPENSSL_MODULES and OPENSSL_CONF
         echo "INFO: wolfProvider is installed in non-replace-default mode"
-        export OPENSSL_MODULES=$WOLFPROV_PATH
-        export OPENSSL_CONF=${WOLFPROV_CONFIG}
 
         # Verify that we are using wolfProvider
-        local providers=$(${OPENSSL_BIN} list -providers 2>/dev/null)
-        if ! echo "$providers" | grep -qi "wolfprov"; then
+        if [ "$is_wp_active" != "1" ]; then
             echo "FAIL: unable to switch to wolfProvider, default provider is still active"
-            echo "Provider list:"
-            echo "$providers"
-            echo "OPENSSL_MODULES: $OPENSSL_MODULES"
-            echo "OPENSSL_CONF: $OPENSSL_CONF"
+            $OPENSSL_BIN list -providers
+            echo "is_wp_active: $is_wp_active"
+            echo "is_wp_default: $is_wp_default"
             exit 1
         fi
-        echo "Switched to wolfProvider"
+        echo "INFO: Switched to wolfProvider"
+        $OPENSSL_BIN list -providers
     fi
 }
 
 
 # Helper function to handle force fail checks
 check_force_fail() {
-    if is_default_provider && ! is_replace_default; then
+    detect_wolfprovider_mode
+    if [ "$is_openssl_default_provider" = "1" ]; then
+        # With the OpenSSL provider, don't expect failures
         echo "OPENSSL Default provider active, no forced failures expected."
-    elif [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then
+    elif [ "$WOLFPROV_FORCE_FAIL" = "1" ]; then
         echo "[PASS] Test passed when force fail was enabled"
         FORCE_FAIL_PASSED=1
+        exit 1
     fi
 }
 
-
-# Helper function to get provider name from provider arguments
-get_provider_name() {
-    local provider_args=$1
-    if [ "$provider_args" = "-provider default" ]; then
-        echo "default"
+use_provider_by_name() {
+    local provider_name=$1
+    if [ "$provider_name" = "libwolfprov" ]; then
+        use_wolf_provider
     else
-        echo "libwolfprov"
+        use_default_provider
     fi
 }
diff --git a/scripts/cmd_test/do-cmd-tests.sh b/scripts/cmd_test/do-cmd-tests.sh
index 1660584a..88a0a5f6 100755
--- a/scripts/cmd_test/do-cmd-tests.sh
+++ b/scripts/cmd_test/do-cmd-tests.sh
@@ -20,8 +20,8 @@
 # along with wolfProvider. If not, see <http://www.gnu.org/licenses/>.
 
 # Get the directory where this script is located
-SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
-REPO_ROOT="$( cd "${SCRIPT_DIR}/../.." &> /dev/null && pwd )"
+CMD_TEST_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+REPO_ROOT="$( cd "${CMD_TEST_DIR}/../.." &> /dev/null && pwd )"
 UTILS_DIR="${REPO_ROOT}/scripts"
 
 # Flag to indicate that this script is being called from do-cmd-tests.sh
@@ -52,9 +52,7 @@ TESTS (if none specified, all tests run):
     req                 Run certificate request test
 
 ENVIRONMENT VARIABLES (env vars get detected from verify-install.sh):
-    OPENSSL_BIN         Path to OpenSSL binary (auto-detected if not set)
-    WOLFPROV_PATH       Path to wolfProvider modules directory
-    WOLFPROV_CONFIG     Path to wolfProvider config file
+    OPENSSL_BIN         Path to OpenSSL binary (auto-detected with which(openssl) if not set)
     WOLFSSL_ISFIPS      Set to 1 for FIPS mode (or use --fips flag)
     WOLFPROV_FORCE_FAIL Set to 1 for force-fail mode (or use --force-fail flag)
 
@@ -110,7 +108,7 @@ if [ $RUN_ALL -eq 1 ]; then
     RUN_REQ=1
 fi
 
-source "${SCRIPT_DIR}/cmd-test-common.sh"
+source "${CMD_TEST_DIR}/cmd-test-common.sh"
 cmd_test_env_setup
 
 echo "==========================================
@@ -120,14 +118,9 @@ echo ""
 echo "Running command-line test suite..."
 echo ""
 
-# Detect installation mode and setup environment
-cmd_test_env_setup
-
 echo ""
 echo "=== Running wolfProvider Command-Line Tests ==="
-echo "Using OPENSSL_BIN: ${OPENSSL_BIN}" 
-echo "Using WOLFPROV_PATH: ${WOLFPROV_PATH}"
-echo "Using WOLFPROV_CONFIG: ${WOLFPROV_CONFIG}"
+echo "Using OPENSSL_BIN: ${OPENSSL_BIN}"
 if [ "${WOLFSSL_ISFIPS}" = "1" ]; then
     echo "FIPS mode: ENABLED"
 fi
@@ -138,8 +131,6 @@ fi
 # Export detection variables for child scripts
 export WOLFPROV_REPLACE_DEFAULT
 export WOLFPROV_FIPS
-export WOLFPROV_INSTALLED
-export WOLFPROV_MODE_DETECTED
 
 # Ensure we can switch providers before proceeding
 use_default_provider
diff --git a/scripts/cmd_test/ecc-cmd-test.sh b/scripts/cmd_test/ecc-cmd-test.sh
index 01778719..cac88e53 100755
--- a/scripts/cmd_test/ecc-cmd-test.sh
+++ b/scripts/cmd_test/ecc-cmd-test.sh
@@ -19,9 +19,9 @@
 # You should have received a copy of the GNU General Public License
 # along with wolfProvider. If not, see <http://www.gnu.org/licenses/>.
 
-SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
-source "${SCRIPT_DIR}/cmd-test-common.sh"
-source "${SCRIPT_DIR}/clean-cmd-test.sh"
+CMD_TEST_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+source "${CMD_TEST_DIR}/cmd-test-common.sh"
+source "${CMD_TEST_DIR}/clean-cmd-test.sh"
 
 if [ -z "${DO_CMD_TESTS:-}" ]; then
     echo "This script is designed to be called from do-cmd-tests.sh"
@@ -38,13 +38,12 @@ echo "This is test data for ECC signing and verification." > ecc_outputs/test_da
 
 # Array of ECC curves and providers to test
 CURVES=("prime256v1" "secp384r1" "secp521r1")
-PROVIDER_ARGS=("-provider-path $WOLFPROV_PATH -provider libwolfprov" "-provider default")
+PROVIDER_NAMES=("libwolfprov" "default")
 
 # Function to validate key
 validate_key() {
     local curve=$1
     local key_file=${2:-"ecc_outputs/ecc_${curve}.pem"}
-    local provider_args=$3
     echo -e "\n=== Validating ECC Key (${curve}) ==="
     
     # First check if file exists
@@ -67,7 +66,7 @@ validate_key() {
     # Only try to extract public key if file exists and has content
     local pub_key_file="ecc_outputs/ecc_${curve}_pub.pem"
     if $OPENSSL_BIN pkey -in "$key_file" -pubout -out "$pub_key_file" \
-        ${provider_args} -passin pass: >/dev/null; then
+        -passin pass: >/dev/null; then
         echo "[PASS] ECC Public key extraction successful"
         check_force_fail
     else
@@ -81,11 +80,12 @@ sign_ecc() {
     local key_file=$1
     local data_file=$2
     local sig_file=$3
-    local provider_args=$4
+    local provider_name=$4
     
     echo "Signing data with ECC..."
+    use_provider_by_name "$provider_name"
     $OPENSSL_BIN pkeyutl -sign -inkey "$key_file" \
-        ${provider_args} -passin pass: \
+        -passin pass: \
         -in "$data_file" \
         -out "$sig_file"
     return $?
@@ -96,11 +96,12 @@ verify_ecc() {
     local pub_key_file=$1
     local data_file=$2
     local sig_file=$3
-    local provider_args=$4
+    local provider_name=$4
     
     echo "Verifying ECC signature..."
+    use_provider_by_name "$provider_name"
     $OPENSSL_BIN pkeyutl -verify -pubin -inkey "$pub_key_file" \
-        ${provider_args} -passin pass: \
+        -passin pass: \
         -in "$data_file" \
         -sigfile "$sig_file"
     return $?
@@ -109,10 +110,7 @@ verify_ecc() {
 # Generic function to test sign/verify interoperability using pkeyutl
 test_sign_verify_pkeyutl() {
     local curve=$1
-    local provider_args=$2
-    
-    # Get the provider name
-    provider_name=$(get_provider_name "$provider_args")
+    local provider_name=$2
     
     local key_file="ecc_outputs/ecc_${curve}.pem"
     local pub_key_file="ecc_outputs/ecc_${curve}_pub.pem"
@@ -136,10 +134,10 @@ test_sign_verify_pkeyutl() {
     use_default_provider
     echo "Test 1: Sign and verify with OpenSSL default"
     local default_sig_file="ecc_outputs/ecc_${curve}_default_sig.bin"
-    if sign_ecc "$key_file" "$data_file" "$default_sig_file" "$provider_args"; then
+    if sign_ecc "$key_file" "$data_file" "$default_sig_file"; then
         echo "[PASS] Signing with OpenSSL default successful"
         check_force_fail
-        if verify_ecc "$pub_key_file" "$data_file" "$default_sig_file" "$provider_args"; then
+        if verify_ecc "$pub_key_file" "$data_file" "$default_sig_file"; then
             echo "[PASS] Default provider verify successful"
             check_force_fail
         else
@@ -155,10 +153,10 @@ test_sign_verify_pkeyutl() {
     use_wolf_provider
     echo "Test 2: Sign and verify with wolfProvider"
     local wolf_sig_file="ecc_outputs/ecc_${curve}_wolf_sig.bin"
-    if sign_ecc "$key_file" "$data_file" "$wolf_sig_file" "$provider_args"; then
+    if sign_ecc "$key_file" "$data_file" "$wolf_sig_file"; then
         echo "[PASS] Signing with wolfProvider successful"
         check_force_fail
-        if verify_ecc "$pub_key_file" "$data_file" "$wolf_sig_file" "$provider_args"; then
+        if verify_ecc "$pub_key_file" "$data_file" "$wolf_sig_file"; then
             echo "[PASS] wolfProvider sign/verify successful"
             check_force_fail
         else
@@ -174,7 +172,7 @@ test_sign_verify_pkeyutl() {
     if [ $FAIL -eq 0 ]; then # only verify if previous tests passed
         use_wolf_provider
         echo "Test 3: Cross-provider verification (default sign, wolf verify)"
-        if verify_ecc "$pub_key_file" "$data_file" "$default_sig_file" "$provider_args"; then
+        if verify_ecc "$pub_key_file" "$data_file" "$default_sig_file"; then
             echo "[PASS] wolfProvider can verify OpenSSL default signature"
             check_force_fail
         else
@@ -185,7 +183,7 @@ test_sign_verify_pkeyutl() {
         # Test 4: Cross-provider verification (wolf sign, default verify)
         use_default_provider
         echo "Test 4: Cross-provider verification (wolf sign, default verify)"
-        if verify_ecc "$pub_key_file" "$data_file" "$wolf_sig_file" "$provider_args"; then
+        if verify_ecc "$pub_key_file" "$data_file" "$wolf_sig_file"; then
             echo "[PASS] OpenSSL default can verify wolfProvider signature"
             check_force_fail
         else
@@ -200,11 +198,8 @@ test_sign_verify_pkeyutl() {
 # Function to generate and test ECC keys
 generate_and_test_key() {
     local curve=$1
-    local provider_args=$2
+    local provider_name=$2
     local output_file="ecc_outputs/ecc_${curve}.pem"
-
-    # Get the provider name
-    provider_name=$(get_provider_name "$provider_args")
     
     echo -e "\n=== Testing ECC Key Generation (${curve}) with ${provider_name} ==="
 
@@ -213,10 +208,9 @@ generate_and_test_key() {
         rm -f "$output_file"
     fi
 
-    echo "Generating ECC key (${curve})..."
-    
+    echo "Generating ECC key with default provider (${curve})..."
+    use_provider_by_name "$provider_name"
     if $OPENSSL_BIN genpkey -algorithm EC \
-        ${provider_args} \
         -pkeyopt ec_paramgen_curve:${curve} \
         -out "$output_file" 2>/dev/null; then
         echo "[PASS] ECC key generation successful"
@@ -236,15 +230,16 @@ generate_and_test_key() {
     fi
     
     # Validate key
-    validate_key "$curve" "$output_file" "$provider_args"
+    validate_key "$curve" "$output_file"
 
     # Try to use the key with different providers
     echo -e "\n=== Testing ECC Key (${curve}) with ${provider_name} ==="
     echo "Checking if ${provider_name} can use the key..."
     
     # Try to use the key with wolfProvider (just check if it loads)
+    use_wolf_provider
     if $OPENSSL_BIN pkey -in "$output_file" -check \
-        ${provider_args} -passin pass: >/dev/null; then
+        -passin pass: >/dev/null; then
         echo "[PASS] ${provider_name} can use ECC key (${curve})"
         check_force_fail
     else
@@ -255,7 +250,7 @@ generate_and_test_key() {
 
 # Test key generation for each curve and provider
 for curve in "${CURVES[@]}"; do
-    for test_provider in "${PROVIDER_ARGS[@]}"; do
+    for test_provider in "${PROVIDER_NAMES[@]}"; do
         # Generate key with current provider
         generate_and_test_key "$curve" "$test_provider"
 
diff --git a/scripts/cmd_test/hash-cmd-test.sh b/scripts/cmd_test/hash-cmd-test.sh
index f288bd9e..0d4818a7 100755
--- a/scripts/cmd_test/hash-cmd-test.sh
+++ b/scripts/cmd_test/hash-cmd-test.sh
@@ -19,9 +19,9 @@
 # You should have received a copy of the GNU General Public License
 # along with wolfProvider. If not, see <http://www.gnu.org/licenses/>.
 
-SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
-source "${SCRIPT_DIR}/cmd-test-common.sh"
-source "${SCRIPT_DIR}/clean-cmd-test.sh"
+CMD_TEST_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+source "${CMD_TEST_DIR}/cmd-test-common.sh"
+source "${CMD_TEST_DIR}/clean-cmd-test.sh"
 
 if [ -z "${DO_CMD_TESTS:-}" ]; then
     echo "This script is designed to be called from do-cmd-tests.sh"
@@ -42,8 +42,7 @@ HASH_ALGOS=("sha1" "sha224" "sha256" "sha384" "sha512")
 # Function to run hash test with specified provider options
 run_hash_test() {
     local algo="$1"
-    local provider_opts="$2"
-    local output_file="$3"
+    local output_file="$2"
     
     # Run the hash algorithm with specified provider options
     if ! $OPENSSL_BIN dgst -$algo $provider_opts -out "$output_file" hash_outputs/test_data.txt; then
@@ -93,10 +92,12 @@ for algo in "${HASH_ALGOS[@]}"; do
     echo -e "\n=== Testing ${algo^^} ==="
     
     # Test with OpenSSL default provider
-    run_hash_test $algo "-provider default" "hash_outputs/openssl_${algo}.txt"
+    use_default_provider
+    run_hash_test $algo "hash_outputs/openssl_${algo}.txt"
     
     # Test with wolfProvider
-    run_hash_test $algo "-provider-path $WOLFPROV_PATH -provider libwolfprov" "hash_outputs/wolf_${algo}.txt"
+    use_wolf_provider
+    run_hash_test $algo "hash_outputs/wolf_${algo}.txt"
     
     # Compare results
     compare_hashes $algo
diff --git a/scripts/cmd_test/req-cmd-test.sh b/scripts/cmd_test/req-cmd-test.sh
index dcb5ebe8..278ecea7 100755
--- a/scripts/cmd_test/req-cmd-test.sh
+++ b/scripts/cmd_test/req-cmd-test.sh
@@ -19,9 +19,9 @@
 # You should have received a copy of the GNU General Public License
 # along with wolfProvider. If not, see <http://www.gnu.org/licenses/>.
 
-SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
-source "${SCRIPT_DIR}/cmd-test-common.sh"
-source "${SCRIPT_DIR}/clean-cmd-test.sh"
+CMD_TEST_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+source "${CMD_TEST_DIR}/cmd-test-common.sh"
+source "${CMD_TEST_DIR}/clean-cmd-test.sh"
 
 if [ -z "${DO_CMD_TESTS:-}" ]; then
     echo "This script is designed to be called from do-cmd-tests.sh"
@@ -36,7 +36,7 @@ mkdir -p req_outputs
 
 CURVES=("prime256v1" "secp384r1" "secp521r1") 
 HASH_ALGORITHMS=("sha256" "sha384" "sha512")
-PROVIDER_ARGS=("-provider-path $WOLFPROV_PATH -provider libwolfprov" "-provider default")
+PROVIDER_NAMES=("libwolfprov" "default")
 
 # Skip tests for FIPS mode (unless force-failing)
 if [ "${WOLFSSL_ISFIPS}" = "1" ] && [ "${WOLFPROV_FORCE_FAIL}" != "1" ]; then
@@ -50,9 +50,8 @@ fi
 test_cert_creation() {
     local curve=$1
     local hash_alg=$2
-    local req_provider_args=$3
+    local req_provider_name=$3
     
-    req_provider_name=$(get_provider_name "$req_provider_args")
     local key_file="req_outputs/key_${curve}_${hash_alg}.pem"
     local cert_file="req_outputs/cert_${curve}_${hash_alg}_${req_provider_name//lib/}.pem"
     
@@ -71,14 +70,9 @@ test_cert_creation() {
     # Generate EC key with default provider
     echo "Generating EC key with curve ${curve} using default provider..."
     use_default_provider
-    if $OPENSSL_BIN ecparam -genkey -name ${curve} -out "$key_file" \
-        -provider default 2>/dev/null; then
+    if $OPENSSL_BIN ecparam -genkey -name ${curve} -out "$key_file" 2>/dev/null; then
         echo "[PASS] EC key generation successful"
-        # Don't call check_force_fail for default provider operations in force fail mode
-        # as default provider operations are expected to succeed
-        if [ "${WOLFPROV_FORCE_FAIL}" != "1" ]; then
-            check_force_fail
-        fi
+        check_force_fail
     else
         echo "[FAIL] EC key generation failed"
         FAIL=1
@@ -86,21 +80,14 @@ test_cert_creation() {
     fi
     
     # Set provider for req command
-    if [[ "$req_provider_args" == *"libwolfprov"* ]]; then
-        use_wolf_provider
-    else
-        use_default_provider
-    fi
+    use_provider_by_name "$req_provider_name"
     
     # Create certificate with specified provider
     echo "Creating self-signed certificate with ${hash_alg} using ${req_provider_name}..."
     if $OPENSSL_BIN req -x509 -new -key "$key_file" -${hash_alg} -days 365 \
-        -out "$cert_file" -subj "/CN=test-${curve}-${hash_alg}" ${req_provider_args} 2>/dev/null; then
+        -out "$cert_file" -subj "/CN=test-${curve}-${hash_alg}"2>/dev/null; then
         echo "[PASS] Certificate creation successful"
-        # Only call check_force_fail for wolfProvider operations, or when not in force fail mode
-        if [[ "$req_provider_args" == *"libwolfprov"* ]] || [ "${WOLFPROV_FORCE_FAIL}" != "1" ]; then
-            check_force_fail
-        fi
+        check_force_fail
     else
         echo "[FAIL] Certificate creation failed"
         FAIL=1
@@ -110,10 +97,7 @@ test_cert_creation() {
     # Check if certificate file exists and is non-empty
     if [ -s "$cert_file" ]; then
         echo "[PASS] Certificate file exists and is non-empty"
-        # Only call check_force_fail for wolfProvider operations, or when not in force fail mode
-        if [[ "$req_provider_args" == *"libwolfprov"* ]] || [ "${WOLFPROV_FORCE_FAIL}" != "1" ]; then
-            check_force_fail
-        fi
+        check_force_fail
     else
         echo "[FAIL] Certificate file does not exist or is empty"
         FAIL=1
@@ -125,8 +109,8 @@ echo "Starting certificate request tests..."
 
 for curve in "${CURVES[@]}"; do
     for hash_alg in "${HASH_ALGORITHMS[@]}"; do
-        for provider_arg in "${PROVIDER_ARGS[@]}"; do
-            test_cert_creation "$curve" "$hash_alg" "$provider_arg"
+        for provider_name in "${PROVIDER_NAMES[@]}"; do
+            test_cert_creation "$curve" "$hash_alg" "$provider_name"
         done
     done
 done
diff --git a/scripts/cmd_test/rsa-cmd-test.sh b/scripts/cmd_test/rsa-cmd-test.sh
index da9a2e05..1e811c1b 100755
--- a/scripts/cmd_test/rsa-cmd-test.sh
+++ b/scripts/cmd_test/rsa-cmd-test.sh
@@ -19,9 +19,9 @@
 # You should have received a copy of the GNU General Public License
 # along with wolfProvider. If not, see <http://www.gnu.org/licenses/>.
 
-SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
-source "${SCRIPT_DIR}/cmd-test-common.sh"
-source "${SCRIPT_DIR}/clean-cmd-test.sh"
+CMD_TEST_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+source "${CMD_TEST_DIR}/cmd-test-common.sh"
+source "${CMD_TEST_DIR}/clean-cmd-test.sh"
 cmd_test_init "rsa-test.log"
 clean_cmd_test "rsa"
 
@@ -38,26 +38,13 @@ echo "This is test data for RSA signing and verification." > rsa_outputs/test_da
 # Array of RSA key types, sizes, and providers to test
 KEY_TYPES=("RSA" "RSA-PSS")
 KEY_SIZES=("2048" "3072" "4096")
-PROVIDER_ARGS=("-provider-path $WOLFPROV_PATH -provider libwolfprov" "-provider default")
+PROVIDER_NAMES=("libwolfprov" "default")
 
 WOLFPROV_FORCE_FAIL=${WOLFPROV_FORCE_FAIL:-0}
 
 echo "=== Running RSA Key Generation Tests ==="
 OPENSSL_BIN=${OPENSSL_BIN:-openssl}
 
-rsa_check_force_fail() {
-    local openssl_providers=$($OPENSSL_BIN list -providers)
-    is_openssl_default_provider=$(echo "$openssl_providers" | grep -qi "OpenSSL Default Provider" && echo 1 || echo 0)
-    if [ $is_openssl_default_provider -eq 1 ]; then
-        # With the OpenSSL provider, don't expect failures
-        echo "OPENSSL Default provider active, no forced failures expected."
-    elif [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then
-        echo "[PASS] Test passed when force fail was enabled"
-        FORCE_FAIL_PASSED=1
-        exit 1
-    fi
-}
-
 # Function to validate key
 validate_key() {
     local key_type=$1
@@ -104,7 +91,7 @@ sign_rsa_pss() {
     
     echo "Signing data with RSA-PSS..."
     $OPENSSL_BIN pkeyutl -sign -inkey "$key_file" \
-        ${provider_args} -provider default -passin pass: \
+        ${provider_args} -passin pass: \
         -rawin -digest sha256 \
         -pkeyopt rsa_padding_mode:pss \
         -pkeyopt rsa_pss_saltlen:-1 \
@@ -123,7 +110,7 @@ verify_rsa_pss() {
     
     echo "Verifying RSA-PSS signature..."
     $OPENSSL_BIN pkeyutl -verify -pubin -inkey "$pub_key_file" \
-        ${provider_args} -provider default -passin pass: \
+        ${provider_args} -passin pass: \
         -rawin -digest sha256 \
         -pkeyopt rsa_padding_mode:pss \
         -pkeyopt rsa_pss_saltlen:-1 \
@@ -167,14 +154,11 @@ verify_rsa() {
 test_sign_verify_pkeyutl() {
     local key_type=$1
     local key_size=$2
-    local provider_args=$3
+    local provider_name=$3
     local sign_func=$4
     local verify_func=$5
 
-    # Get the provider name
-    provider_name=$(get_provider_name "$provider_args")
-
-    echo -e "\n=== Testing ${key_type} (${key_size}) Sign/Verify with pkeyutl Using ${provider_name} ==="
+    echo -e "\n=== Testing ${key_type} (${key_size}) Sign/Verify with pkeyutl ==="
     
     # Handle different key naming conventions
     local key_prefix="${key_type}"
@@ -202,10 +186,10 @@ test_sign_verify_pkeyutl() {
     use_default_provider
     echo "Test 1: Sign and verify with OpenSSL default (${key_type})"
     local default_sig_file="rsa_outputs/${key_prefix}_${key_size}_default_sig.bin"
-    if $sign_func "$key_file" "$data_file" "$default_sig_file" "$provider_args"; then
+    if $sign_func "$key_file" "$data_file" "$default_sig_file"; then
         echo "[PASS] Signing with OpenSSL default successful"
         check_force_fail
-        if $verify_func "$pub_key_file" "$data_file" "$default_sig_file" "$provider_args"; then
+        if $verify_func "$pub_key_file" "$data_file" "$default_sig_file"; then
             echo "[PASS] Default provider verify successful"
             check_force_fail
         else
@@ -221,10 +205,10 @@ test_sign_verify_pkeyutl() {
     use_wolf_provider
     echo "Test 2: Sign and verify with wolfProvider (${key_type})"
     local wolf_sig_file="rsa_outputs/${key_prefix}_${key_size}_wolf_sig.bin"
-    if $sign_func "$key_file" "$data_file" "$wolf_sig_file" "$provider_args"; then
+    if $sign_func "$key_file" "$data_file" "$wolf_sig_file"; then
         echo "[PASS] Signing with wolfProvider successful"
         check_force_fail
-        if $verify_func "$pub_key_file" "$data_file" "$wolf_sig_file" "$provider_args"; then
+        if $verify_func "$pub_key_file" "$data_file" "$wolf_sig_file"; then
             echo "[PASS] wolfProvider sign/verify successful"
             check_force_fail
         else
@@ -240,7 +224,7 @@ test_sign_verify_pkeyutl() {
     if [ $FAIL -eq 0 ]; then # only verify if previous tests passed
         echo "Test 3: Cross-provider verification (default sign, wolf verify)"
         use_wolf_provider
-        if $verify_func "$pub_key_file" "$data_file" "$default_sig_file" "$provider_args"; then
+        if $verify_func "$pub_key_file" "$data_file" "$default_sig_file"; then
             echo "[PASS] wolfProvider can verify OpenSSL default signature"
             check_force_fail
         else
@@ -250,7 +234,7 @@ test_sign_verify_pkeyutl() {
 
         use_default_provider
         echo "Test 4: Cross-provider verification (wolf sign, default verify)"
-        if $verify_func "$pub_key_file" "$data_file" "$wolf_sig_file" "$provider_args"; then
+        if $verify_func "$pub_key_file" "$data_file" "$wolf_sig_file"; then
             echo "[PASS] OpenSSL default can verify wolfProvider signature"
             check_force_fail
         else
@@ -264,12 +248,9 @@ test_sign_verify_pkeyutl() {
 generate_and_test_key() {
     local key_type=$1
     local key_size=$2
-    local provider_args=$3
+    local provider_name=$3
     local output_file="rsa_outputs/${key_type}_${key_size}.pem"
 
-    # Get the provider name
-    provider_name=$(get_provider_name "$provider_args")
-
     echo -e "\n=== Testing ${key_type} Key Generation (${key_size}) with ${provider_name} ==="
 
     if [ -f "$output_file" ]; then
@@ -278,10 +259,10 @@ generate_and_test_key() {
     fi
 
     echo "Generating ${key_type} key (${key_size})..."
+    use_provider_by_name "$provider_name"
     if [ "$key_type" = "RSA-PSS" ]; then
         # For RSA-PSS, specify all parameters
         if $OPENSSL_BIN genpkey -algorithm RSA-PSS \
-            ${provider_args} \
             -pkeyopt rsa_keygen_bits:${key_size} \
             -pkeyopt rsa_pss_keygen_md:sha256 \
             -pkeyopt rsa_pss_keygen_mgf1_md:sha256 \
@@ -296,7 +277,6 @@ generate_and_test_key() {
     else
         # Regular RSA key generation
         if $OPENSSL_BIN genpkey -algorithm RSA \
-            ${provider_args} \
             -pkeyopt rsa_keygen_bits:${key_size} \
             -out "$output_file" 2>/dev/null; then
             echo "[PASS] RSA key generation successful"
@@ -317,16 +297,16 @@ generate_and_test_key() {
     fi
     
     # Validate key
-    validate_key "$key_type" "$key_size" "$output_file" "$provider_args"
+    validate_key "$key_type" "$key_size" "$output_file"
 
     # Try to use the key with different providers
     echo -e "\n=== Testing ${key_type} Key (${key_size}) with ${provider_name} ==="
     echo "Checking if ${provider_name} can use the key..."
     
     # Try to use the key with wolfProvider (just check if it loads)
-    # Use -noout to avoid encoder lookup which we don't support with selection mask 133 (0x85)
+    use_wolf_provider
     if $OPENSSL_BIN pkey -in "$output_file" -check -noout \
-        ${provider_args} -passin pass: ; then
+        -passin pass: >/dev/null; then
         echo "[PASS] ${provider_name} can use ${key_type} key (${key_size})"
         check_force_fail
     else
@@ -338,7 +318,7 @@ generate_and_test_key() {
 # Test key generation and sign/verify for each type, size, and provider
 for key_type in "${KEY_TYPES[@]}"; do
     for key_size in "${KEY_SIZES[@]}"; do
-        for test_provider in "${PROVIDER_ARGS[@]}"; do
+        for test_provider in "${PROVIDER_NAMES[@]}"; do
             # Generate key with current provider
             generate_and_test_key "$key_type" "$key_size" "$test_provider"
 
diff --git a/scripts/utils-general.sh b/scripts/utils-general.sh
index 86c14c17..92fdea5e 100644
--- a/scripts/utils-general.sh
+++ b/scripts/utils-general.sh
@@ -24,43 +24,61 @@ if [ "$UTILS_GENERAL_LOADED" != "yes" ]; then # only set once
     }
     trap do_trap INT TERM
 
-    export UTILS_GENERAL_LOADED=yes
-fi
+    UTILS_GENERAL_LOADED=yes
 
-# Usage: check_git_match <target_ref> [<repo_dir>]
-check_git_match() {
-    local target_ref="$1"
-    local repo_dir="${2:-.}"
+    # Usage: check_git_match <target_ref> [<repo_dir>]
+    check_git_match() {
+        local target_ref="$1"
+        local repo_dir="${2:-.}"
 
-    pushd "$repo_dir" > /dev/null || return 2
+        pushd "$repo_dir" > /dev/null || return 2
 
-    local current_tag current_branch current_commit_long current_commit_short
-    current_tag=$(git describe --tags --exact-match 2>/dev/null || true)
-    current_branch=$(git symbolic-ref --short HEAD 2>/dev/null || true)
-    current_commit_long=$(git rev-parse HEAD 2>/dev/null || true)
-    current_commit_short=$(git rev-parse --short HEAD 2>/dev/null || true)
+        local current_tag current_branch current_commit_long current_commit_short
+        current_tag=$(git describe --tags --exact-match 2>/dev/null || true)
+        current_branch=$(git symbolic-ref --short HEAD 2>/dev/null || true)
+        current_commit_long=$(git rev-parse HEAD 2>/dev/null || true)
+        current_commit_short=$(git rev-parse --short HEAD 2>/dev/null || true)
 
-    if [[ -n "$current_tag" && "$target_ref" == "$current_tag" ]]; then
-        echo "match: tag ($current_tag)"
-        popd > /dev/null
-        return 0
-    elif [[ -n "$current_branch" && "$target_ref" == "$current_branch" ]]; then
-        echo "match: branch ($current_branch)"
-        popd > /dev/null
-        return 0
-    elif [[ -n "$current_commit_long" && "$target_ref" == "$current_commit_long" ]]; then
-        echo "match: commit (long $current_commit_long)"
-        popd > /dev/null
-        return 0
-    elif [[ -n "$current_commit_short" && "$target_ref" == "$current_commit_short" ]]; then
-        echo "match: commit (short $current_commit_short)"
-        popd > /dev/null
-        return 0
-    else
-        echo "no match found for $target_ref"
-        printf "Version inconsistency. Please fix ${repo_dir}\n"
-        printf "(expected: ${target_ref}, got: ${current_tag} ${current_branch} ${current_commit_long} ${current_commit_short})\n"
-        popd > /dev/null
-        exit 1
-    fi
-}
+        if [[ -n "$current_tag" && "$target_ref" == "$current_tag" ]]; then
+            echo "match: tag ($current_tag)"
+            popd > /dev/null
+            return 0
+        elif [[ -n "$current_branch" && "$target_ref" == "$current_branch" ]]; then
+            echo "match: branch ($current_branch)"
+            popd > /dev/null
+            return 0
+        elif [[ -n "$current_commit_long" && "$target_ref" == "$current_commit_long" ]]; then
+            echo "match: commit (long $current_commit_long)"
+            popd > /dev/null
+            return 0
+        elif [[ -n "$current_commit_short" && "$target_ref" == "$current_commit_short" ]]; then
+            echo "match: commit (short $current_commit_short)"
+            popd > /dev/null
+            return 0
+        else
+            echo "no match found for $target_ref"
+            printf "Version inconsistency. Please fix ${repo_dir}\n"
+            printf "(expected: ${target_ref}, got: ${current_tag} ${current_branch} ${current_commit_long} ${current_commit_short})\n"
+            popd > /dev/null
+            exit 1
+        fi
+    }
+
+    export is_openssl_replace_default=${is_openssl_replace_default:-0}
+    export is_openssl_default_provider=${is_openssl_default_provider:-0}
+    export is_wp_active=${is_wp_active:-0}
+    export is_wp_default=${is_wp_default:-0}
+    export is_wp_fips=${is_wp_fips:-0}
+
+    # Function to detect wolfProvider installation mode
+    detect_wolfprovider_mode() {
+        local openssl_version=$(${OPENSSL_BIN} version 2>/dev/null)
+        local openssl_providers=$(${OPENSSL_BIN} list -providers 2>/dev/null)
+
+        is_openssl_replace_default=$(echo "$openssl_version" | grep -qi "wolfProvider-replace-default" && echo 1 || echo 0)
+        is_openssl_default_provider=$(echo "$openssl_providers" | grep -qi "OpenSSL Default Provider" && echo 1 || echo 0)
+        is_wp_active=$(echo "$openssl_providers" | grep -qi "wolfSSL Provider" && echo 1 || echo 0)
+        is_wp_default=$(echo "$openssl_providers" | grep -q -Pzo 'Providers:\s*\n\s*default\s*\n\s*name:\s*wolfSSL Provider' && echo 1 || echo 0)
+        is_wp_fips=$(echo "$openssl_providers" | grep -qi "wolfSSL Provider FIPS" && echo 1 || echo 0)
+    }
+fi
\ No newline at end of file
diff --git a/scripts/verify-install.sh b/scripts/verify-install.sh
index aee5b664..23d37fb9 100755
--- a/scripts/verify-install.sh
+++ b/scripts/verify-install.sh
@@ -73,9 +73,8 @@ if ! command -v $OPENSSL_BIN >/dev/null 2>&1; then
     handle_error "$OPENSSL_BIN not found"
 fi
 
-openssl_version=$($OPENSSL_BIN version 2> /dev/null)
-openssl_providers=$($OPENSSL_BIN list -providers 2> /dev/null)
-dpkg_output=$(dpkg -l 2> /dev/null | grep wolf)
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+source "${SCRIPT_DIR}/utils-general.sh"
 
 handle_error() {
     local message="$1"
@@ -200,13 +199,8 @@ verify_wolfprovider() {
     local replace_default="$2"
     local no_wp="$3"
 
-    is_openssl_replace_default=$(echo "$openssl_version" | grep -qi "wolfProvider-replace-default" && echo 1 || echo 0)
-    is_openssl_default_provider=$(echo "$openssl_providers" | grep -qi "OpenSSL Default Provider" && echo 1 || echo 0)
-
-    is_wp_active=$(echo "$openssl_providers" | grep -qi "wolfSSL Provider" && echo 1 || echo 0)
-    is_wp_default=$(echo "$openssl_providers" | grep -q -Pzo 'Providers:\s*\n\s*default\s*\n\s*name:\s*wolfSSL Provider' && echo 1 || echo 0)
-    is_wp_fips=$(echo "$openssl_providers" | grep -qi "wolfSSL Provider FIPS" && echo 1 || echo 0)
-
+    detect_wolfprovider_mode
+    dpkg_output=$(dpkg -l 2> /dev/null | grep wolf)
     is_wolfssl_installed=$(echo "$dpkg_output" | grep -Eq '^ii\s+libwolfssl\s' && echo 1 || echo 0)
     is_wolfssl_fips=$(echo "$dpkg_output" | grep -E '^ii\s+libwolfssl\s' | grep -qi "fips" && echo 1 || echo 0)