@@ -373,7 +373,6 @@ _softhsm_setup() {
PKCS11_KEYURI=$(echo "$msg" | sed -n 's|^keyuri: \(.*\)|\1|p')
export PKCS11_KEYURI
- export EVMCTL_ENGINE="--engine pkcs11"
export OPENSSL_ENGINE="-engine pkcs11"
export OPENSSL_KEYFORM="-keyform engine"
else
@@ -439,11 +439,24 @@ expect_fail \
# Test signing with key described by pkcs11 URI
_softhsm_setup "${WORKDIR}"
if [ -n "${PKCS11_KEYURI}" ]; then
- expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_KEYURI}" ALG=sha256 PREFIX=0x030204aabbccdd0100 OPTS=--keyid=aabbccdd
- expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_KEYURI}" ALG=sha1 PREFIX=0x030202aabbccdd0100 OPTS=--keyid=aabbccdd
+ expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_KEYURI}" ALG=sha256 PREFIX=0x030204aabbccdd0100 OPTS="--keyid=aabbccdd --engine pkcs11"
+ expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_KEYURI}" ALG=sha1 PREFIX=0x030202aabbccdd0100 OPTS="--keyid=aabbccdd --engine pkcs11"
+
+ # provider may not be supported or pkcs11 provider not installed
+ if evmctl --help 2>/dev/null | grep -q provider && \
+ openssl list -providers -provider pkcs11 2>/dev/null; then
+ PKCS11_PRIVKEYURI=${PKCS11_KEYURI//type=public/type=private}
+
+ expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_PRIVKEYURI}" ALG=sha256 PREFIX=0x030204aabbccdd0100 OPTS="--keyid=aabbccdd --provider pkcs11"
+ expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_PRIVKEYURI}" ALG=sha1 PREFIX=0x030202aabbccdd0100 OPTS="--keyid=aabbccdd --provider pkcs11"
+ else
+ __skip() { echo "pkcs11 test with provider is skipped since no provider support or pkcs11 not installed"; return "$SKIP"; }
+ expect_pass __skip
+ expect_pass __skip
+ fi
else
# to have a constant number of tests, skip these two tests
- __skip() { echo "pkcs11 test is skipped: could not setup softhsm"; return $SKIP; }
+ __skip() { echo "pkcs11 test is skipped: could not setup softhsm"; return "$SKIP"; }
expect_pass __skip
expect_pass __skip
fi
Adjust the existing pkcs11 engine test cases to pass --engine pkcs11 via an option (OPTS) to evmctl rather than using a global variable. Then duplicate the pkcs11 engine tests and pass --provider pkcs11 to run the same tests using OpenSSL provider. Also check whether evmctl was compiled with provider support and if the pkcs11 provider is installed. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> --- tests/functions.sh | 1 - tests/sign_verify.test | 19 ++++++++++++++++--- 2 files changed, 16 insertions(+), 4 deletions(-)