author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2024-04-18 14:27:02 -0400 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2024-04-18 15:14:40 -0400 |
commit | b029e2eb9b78709a8a7c758bb5f255ed9382fec9 (patch) | |
tree | 67f16b4c1b7e36ea569a8f9dd9aa097838be8e9e | |
parent | 24c012620da53ba71df2f703c7cc21247db11c72 (diff) | |
download | openssl_tpm2_engine-b029e2eb9b78709a8a7c758bb5f255ed9382fec9.tar.gz |
tests: fix checks for illegal curves
The openssl check for unknown curve names simply looks for a specific
string. Old openssl printed this but didn't error, but new openssl
errors out. Update the check to fail on error first and then check the
string.
Additionally some vTPMs have started supporting the SM2 curve. When
it works in openssl it has the problem that it's only allowed with the
SM3 hash, which won't work with any of the generic hash looping tests,
so disable testing the SM2 curve.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rwxr-xr-x | tests/create_ecc.sh | 4 | ||||
-rwxr-xr-x | tests/derive_ecc.sh | 4 | ||||
-rw-r--r-- | tests/test-common.sh | 19 | ||||
-rwxr-xr-x | tests/wrap_ecc.sh | 6 | ||||
-rwxr-xr-x | tests/wrap_generic_ecc.sh | 4 |
5 files changed, 28 insertions, 9 deletions
diff --git a/tests/create_ecc.sh b/tests/create_ecc.sh
index bbb3014..5b387d8 100755
--- a/tests/create_ecc.sh
+++ b/tests/create_ecc.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-
+. ../test-common.sh
 ##
 # test is
@@ -7,7 +7,7 @@
 # 2. Create a self signed x509 certificate
 # 3. verify the certificate
 for curve in $(${bindir}/create_tpm2_key --list-curves); do
- if openssl ecparam -name ${curve} 2>&1 | egrep '(invalid|unknown) curve'; then
+ if check_curve ${curve}; then
 continue
 fi
 echo "Checking curve ${curve}"
diff --git a/tests/derive_ecc.sh b/tests/derive_ecc.sh
index 69ec381..c53adde 100755
--- a/tests/derive_ecc.sh
+++ b/tests/derive_ecc.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-
+. ../test-common.sh
 ##
 # test is to check that the key derivation works
@@ -23,7 +23,7 @@
 ##
 for curve in $(${bindir}/create_tpm2_key --list-curves); do
- if openssl ecparam -name ${curve} 2>&1 | egrep '(invalid|unknown) curve'; then
+ if check_curve ${curve}; then
 continue
 fi
 echo "Checking curve ${curve} explicitly named"
diff --git a/tests/test-common.sh b/tests/test-common.sh
new file mode 100644
index 0000000..22c9e13
--- /dev/null
+++ b/tests/test-common.sh
@@ -0,0 +1,19 @@
+##
+# common routines to be included
+##
+
+##
+# check curve, returns 0 (success) for invalid curve so
+# if check_curve; then continue works
+##
+check_curve() {
+ ##
+ # if openssl supports sm2, it only allows sm3 as the hash, which
+ # doesn't work with our generic tests, so skip it
+ ##
+ [ "${curve}" = "sm2" ] && return 0
+
+ name=$(openssl ecparam -name $1 2>&1) || return 0
+ echo $name|egrep '(invalid|unknown) curve' && return 0
+ return 1
+}
diff --git a/tests/wrap_ecc.sh b/tests/wrap_ecc.sh
index 63fa445..ff6d087 100755
--- a/tests/wrap_ecc.sh
+++ b/tests/wrap_ecc.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-
+. ../test-common.sh
 ##
 # test is
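Review bot: The SM2 skip in check_curve tests the caller's global `${curve}` while the openssl probe on the next line tests `$1`, so the function only skips SM2 when the caller happens to use a loop variable named curve; it should read `[ "$1" = "sm2" ] && return 0`. The probe result `name` is also assigned without `local` and so leaks into every script that sources this file (all of them are bash, so `local` is available), `$1` and `$name` are unquoted, and the `egrep` match prints the matched text into the test output where a quiet `grep -Eq` gives the same decision. Separately, `|| return 0` turns any openssl failure, including a missing or broken openssl binary, into "skip this curve", so in that case every ECC test passes without exercising a single curve; a one-line `echo "skipping curve $1" >&2` before the return would at least make the skipped curves visible in the log.
```shell
check_curve() {
    # … unchanged: sm2 comment …
    [ "$1" = "sm2" ] && return 0

    local name
    name=$(openssl ecparam -name "$1" 2>&1) || return 0
    printf '%s\n' "$name" | grep -Eq '(invalid|unknown) curve' && return 0
    return 1
}
```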
@@ -8,7 +8,7 @@
 # 3. Create a self signed x509 certificate
 # 4. verify the certificate
 for curve in $(${bindir}/create_tpm2_key --list-curves); do
- if openssl ecparam -name ${curve} 2>&1 | egrep '(unknown|invalid) curve'; then
+ if check_curve ${curve}; then
 continue
 fi
 echo "Checking curve ${curve}"
@@ -20,7 +20,7 @@ for curve in $(${bindir}/create_tpm2_key --list-curves); do
 exit 1
 done
 for curve in $(${bindir}/create_tpm2_key --list-curves); do
- if openssl ecparam -name ${curve} 2>&1 | egrep '(invalid|unknown) curve'; then
+ if check_curve ${curve}; then
 continue
 fi
 echo "Checking curve ${curve}"
diff --git a/tests/wrap_generic_ecc.sh b/tests/wrap_generic_ecc.sh
index 4cc0172..e3fadf5 100755
--- a/tests/wrap_generic_ecc.sh
+++ b/tests/wrap_generic_ecc.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-
+. ../test-common.sh
 ##
 # test is
@@ -8,7 +8,7 @@
 # 3. Create a self signed x509 certificate
 # 4. verify the certificate
 for curve in $(${bindir}/create_tpm2_key --list-curves); do
- if openssl ecparam -name ${curve} 2>&1 | egrep '(invalid|unknown) curve'; then
+ if check_curve ${curve}; then
 continue
 fi
 openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:${curve} -out key.priv && \ |