mirror of
https://github.com/polhenarejos/pico-hsm.git
synced 2024-09-20 03:10:09 +00:00
Add signature and verification tests for RSA and ECDSA.
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
This commit is contained in:
parent
37421d9aad
commit
1105a1263c
@ -4,6 +4,8 @@ ARG DEBIAN_FRONTEND=noninteractive
|
||||
|
||||
RUN apt update && apt upgrade -y
|
||||
RUN apt install -y apt-utils
|
||||
RUN apt autoremove -y
|
||||
RUN rm -rf /var/cache/apt/archives/*
|
||||
RUN apt install -y libccid \
|
||||
libpcsclite-dev \
|
||||
git \
|
||||
@ -26,10 +28,11 @@ RUN pip3 install pytest pycvc cryptography pyscard base58
|
||||
WORKDIR /
|
||||
RUN git clone https://github.com/OpenSC/OpenSC
|
||||
WORKDIR /OpenSC
|
||||
#RUN git checkout tags/0.23.0
|
||||
RUN git checkout tags/0.22.0
|
||||
RUN ./bootstrap
|
||||
RUN ./configure --enable-openssl
|
||||
RUN make -j `nproc`
|
||||
RUN make install
|
||||
RUN make clean
|
||||
RUN ldconfig
|
||||
WORKDIR /
|
||||
|
37
tests/scripts/func.sh
Executable file
37
tests/scripts/func.sh
Executable file
@ -0,0 +1,37 @@
|
||||
#!/bin/bash
|
||||
|
||||
gen_and_check() {
|
||||
e=$(pkcs11-tool -l --pin 648219 --keypairgen --key-type $1 --id 1 --label "TestLabel" 2>&1)
|
||||
test $? -eq 0 || exit $?
|
||||
glabel=""
|
||||
case $1 in
|
||||
*"192"*)
|
||||
glabel="EC_POINT 192 bits"
|
||||
;;
|
||||
*"256"*)
|
||||
glabel="EC_POINT 256 bits"
|
||||
;;
|
||||
*"384"*)
|
||||
glabel="EC_POINT 384 bits"
|
||||
;;
|
||||
*"512"*)
|
||||
glabel="EC_POINT 512 bits"
|
||||
;;
|
||||
*"521"*)
|
||||
glabel="EC_POINT 528 bits"
|
||||
;;
|
||||
*"rsa"*)
|
||||
IFS=: read -r v1 bits <<< "$1"
|
||||
glabel="RSA ${bits} bits"
|
||||
;;
|
||||
esac
|
||||
grep -q "${glabel}" <<< $e || exit $?
|
||||
}
|
||||
gen_and_delete() {
|
||||
gen_and_check $1
|
||||
pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1
|
||||
}
|
||||
reset() {
|
||||
python3 tools/pico-hsm-tool.py --pin 648219 initialize --so-pin 57621880 --silent > /dev/null 2>&1
|
||||
test $? -eq 0 || exit $?
|
||||
}
|
@ -1,7 +1,7 @@
|
||||
#!/bin/bash
|
||||
|
||||
./tests/scripts/reset.sh > /dev/null 2>&1
|
||||
test $? -eq 0 || exit $?
|
||||
source ./tests/scripts/func.sh
|
||||
reset
|
||||
|
||||
# Change SO-PIN
|
||||
pkcs11-tool --login --login-type so --so-pin 3537363231383830 --change-pin --new-pin 0123456789012345 > /dev/null 2>&1
|
||||
|
32
tests/scripts/keygen.sh
Normal file → Executable file
32
tests/scripts/keygen.sh
Normal file → Executable file
@ -1,23 +1,17 @@
|
||||
#!/bin/bash
|
||||
|
||||
./tests/scripts/reset.sh > /dev/null 2>&1
|
||||
source ./tests/scripts/func.sh
|
||||
reset
|
||||
test $? -eq 0 || exit $?
|
||||
|
||||
gen_and_check() {
|
||||
e=$(pkcs11-tool -l --pin 648219 --keypairgen --key-type $1 --id 1 --label "TestLabel" 2>&1)
|
||||
test $? -eq 0 || exit $?
|
||||
grep -q "$2" <<< $e || exit $?
|
||||
pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1
|
||||
}
|
||||
|
||||
gen_and_check "rsa:1024" "RSA 1024 bits" && echo -n "." || exit $?
|
||||
gen_and_check "rsa:2048" "RSA 2048 bits" && echo -n "." || exit $?
|
||||
gen_and_check "ec:secp192r1" "EC_POINT 192 bits" && echo -n "." || exit $?
|
||||
gen_and_check "ec:secp256r1" "EC_POINT 256 bits" && echo -n "." || exit $?
|
||||
gen_and_check "ec:secp384r1" "EC_POINT 384 bits" && echo -n "." || exit $?
|
||||
gen_and_check "ec:secp521r1" "EC_POINT 528 bits" && echo -n "." || exit $?
|
||||
gen_and_check "ec:brainpoolP256r1" "EC_POINT 256 bits" && echo -n "." || exit $?
|
||||
gen_and_check "ec:brainpoolP384r1" "EC_POINT 384 bits" && echo -n "." || exit $?
|
||||
gen_and_check "ec:brainpoolP512r1" "EC_POINT 512 bits" && echo -n "." || exit $?
|
||||
gen_and_check "ec:secp192k1" "EC_POINT 192 bits" && echo -n "." || exit $?
|
||||
gen_and_check "ec:secp256k1" "EC_POINT 256 bits" && echo -n "." || exit $?
|
||||
gen_and_delete "rsa:1024" && echo -n "." || exit $?
|
||||
gen_and_delete "rsa:2048" && echo -n "." || exit $?
|
||||
gen_and_delete "ec:secp192r1" && echo -n "." || exit $?
|
||||
gen_and_delete "ec:secp256r1" && echo -n "." || exit $?
|
||||
gen_and_delete "ec:secp384r1" && echo -n "." || exit $?
|
||||
gen_and_delete "ec:secp521r1" && echo -n "." || exit $?
|
||||
gen_and_delete "ec:brainpoolP256r1" && echo -n "." || exit $?
|
||||
gen_and_delete "ec:brainpoolP384r1" && echo -n "." || exit $?
|
||||
gen_and_delete "ec:brainpoolP512r1" && echo -n "." || exit $?
|
||||
gen_and_delete "ec:secp192k1" && echo -n "." || exit $?
|
||||
gen_and_delete "ec:secp256k1" && echo -n "." || exit $?
|
||||
|
6
tests/scripts/pkcs11.sh
Normal file → Executable file
6
tests/scripts/pkcs11.sh
Normal file → Executable file
@ -1,9 +1,13 @@
|
||||
#!/bin/bash
|
||||
|
||||
echo -n "Test initialization..."
|
||||
#./tests/scripts/initialize.sh
|
||||
./tests/scripts/initialize.sh
|
||||
test $? -eq 0 && echo -e '\tok' || (echo -e '\tfail' && exit 1)
|
||||
|
||||
echo -n "Test keygen..."
|
||||
./tests/scripts/keygen.sh
|
||||
test $? -eq 0 && echo -e '\tok' || (echo -e '\tfail' && exit 1)
|
||||
|
||||
echo -n "Test sign and verify..."
|
||||
./tests/scripts/sign_and_verify.sh
|
||||
test $? -eq 0 && echo -e '\tok' || (echo -e '\tfail' && exit 1)
|
||||
|
146
tests/scripts/sign_and_verify.sh
Executable file
146
tests/scripts/sign_and_verify.sh
Executable file
@ -0,0 +1,146 @@
|
||||
#!/bin/bash
|
||||
|
||||
source ./tests/scripts/func.sh
|
||||
reset
|
||||
test $? -eq 0 || exit $?
|
||||
|
||||
TEST_DATA="This is a test string. Be safe, be secure."
|
||||
echo ${TEST_DATA} > data
|
||||
|
||||
create_dgst() {
|
||||
openssl dgst -$1 -binary -out data.$1 data > /dev/null 2>&1
|
||||
}
|
||||
|
||||
create_dgst sha1
|
||||
create_dgst sha224
|
||||
create_dgst sha256
|
||||
create_dgst sha384
|
||||
create_dgst sha512
|
||||
|
||||
keygen_and_export() {
|
||||
gen_and_check $1
|
||||
test $? -eq 0 && echo -n "." || exit $?
|
||||
pkcs11-tool --read-object --pin 648219 --id 1 --type pubkey > 1.der 2>/dev/null
|
||||
test $? -eq 0 && echo -n "." || exit $?
|
||||
IFS=: read -r mk bts <<< "$1"
|
||||
openssl ${mk} -inform DER -outform PEM -in 1.der -pubin > 1.pub 2>/dev/null
|
||||
test $? -eq 0 && echo -n "." || exit $?
|
||||
}
|
||||
|
||||
# $1 sign mechanism
|
||||
# $2 sign input file
|
||||
# $3 sign parameters
|
||||
# $4 vrfy input file
|
||||
# $5 vrfy parameters
|
||||
sign_and_verify() {
|
||||
pkcs11-tool --id 1 --sign --pin 648219 --mechanism $1 -i $2 -o data.sig $3 > /dev/null 2>&1
|
||||
test $? -eq 0 || exit $?
|
||||
e=$(openssl pkeyutl -verify -pubin -inkey 1.pub -in $4 -sigfile data.sig $5 2>&1)
|
||||
test $? -eq 0 || exit $?
|
||||
grep -q "Signature Verified Successfully" <<< $e && echo -n "." || exit $?
|
||||
}
|
||||
|
||||
sign_and_verify_rsa_pkcs() {
|
||||
dgstl=$(awk '{print tolower($0)}' <<<$1)
|
||||
dgstu=$(awk '{print toupper($0)}' <<<$1)
|
||||
sign_and_verify "${dgstu}-RSA-PKCS" data "" data.${dgstl} "-pkeyopt digest:${dgstl}"
|
||||
test $? -eq 0 && echo -n "." || exit $?
|
||||
}
|
||||
|
||||
sign_and_verify_rsa_pss() {
|
||||
dgstl=$(awk '{print tolower($0)}' <<<$1)
|
||||
dgstu=$(awk '{print toupper($0)}' <<<$1)
|
||||
sign_and_verify "RSA-PKCS-PSS" data.${dgstl} "--mgf MGF1-${dgstu} --hash-algorithm ${dgstu}" data.${dgstl} "-pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:-1 -pkeyopt digest:${dgstl}"
|
||||
test $? -eq 0 && echo -n "." || exit $?
|
||||
}
|
||||
|
||||
sign_and_verify_rsa_pss_dgst() {
|
||||
dgstl=$(awk '{print tolower($0)}' <<<$1)
|
||||
dgstu=$(awk '{print toupper($0)}' <<<$1)
|
||||
sign_and_verify "${dgstu}-RSA-PKCS-PSS" data "" data.${dgstl} "-pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:-1 -pkeyopt digest:${dgstl}"
|
||||
test $? -eq 0 && echo -n "." || exit $?
|
||||
}
|
||||
|
||||
sign_and_verify_ec() {
|
||||
sign_and_verify ECDSA data.sha1 "--signature-format openssl" data.sha1
|
||||
sign_and_verify ECDSA data.sha224 "--signature-format openssl" data.sha224
|
||||
sign_and_verify ECDSA data.sha256 "--signature-format openssl" data.sha256
|
||||
sign_and_verify ECDSA data.sha384 "--signature-format openssl" data.sha384
|
||||
sign_and_verify ECDSA data.sha512 "--signature-format openssl" data.sha512
|
||||
}
|
||||
|
||||
sign_and_verify_ec_dgst() {
|
||||
sign_and_verify ECDSA-SHA1 data "--signature-format openssl" data.sha1
|
||||
sign_and_verify ECDSA-SHA224 data "--signature-format openssl" data.sha224
|
||||
sign_and_verify ECDSA-SHA256 data "--signature-format openssl" data.sha256
|
||||
sign_and_verify ECDSA-SHA384 data "--signature-format openssl" data.sha384
|
||||
sign_and_verify ECDSA-SHA512 data "--signature-format openssl" data.sha512
|
||||
}
|
||||
|
||||
keygen_sign_and_verify_ec() {
|
||||
keygen_and_export $1
|
||||
sign_and_verify_ec
|
||||
sign_and_verify_ec_dgst
|
||||
pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1
|
||||
}
|
||||
|
||||
echo -n '+'
|
||||
|
||||
keygen_sign_and_verify_ec "ec:secp192r1" && echo -n "+" || exit $?
|
||||
keygen_sign_and_verify_ec "ec:secp256r1" && echo -n "+" || exit $?
|
||||
keygen_sign_and_verify_ec "ec:secp384r1" && echo -n "+" || exit $?
|
||||
keygen_sign_and_verify_ec "ec:secp521r1" && echo -n "+" || exit $?
|
||||
keygen_sign_and_verify_ec "ec:brainpoolP256r1" && echo -n "+" || exit $?
|
||||
keygen_sign_and_verify_ec "ec:brainpoolP384r1" && echo -n "+" || exit $?
|
||||
keygen_sign_and_verify_ec "ec:brainpoolP512r1" && echo -n "+" || exit $?
|
||||
keygen_sign_and_verify_ec "ec:secp192k1" && echo -n "+" || exit $?
|
||||
keygen_sign_and_verify_ec "ec:secp256k1" && echo -n "+" || exit $?
|
||||
|
||||
echo -n '+'
|
||||
|
||||
keygen_and_export "rsa:2048"
|
||||
|
||||
pkcs11-tool --id 1 --sign --pin 648219 --mechanism RSA-PKCS -i data -o data.sig > /dev/null 2>&1
|
||||
test $? -eq 0 && echo -n "." || exit $?
|
||||
e=$(openssl pkeyutl -verify -pubin -inkey 1.pub -in data -sigfile data.sig 2>&1)
|
||||
test $? -eq 0 && echo -n "." || exit $?
|
||||
grep -q "Signature Verified Successfully" <<< $e && echo -n "." || exit $?
|
||||
|
||||
echo -n "+"
|
||||
|
||||
sign_and_verify_rsa_pkcs sha1
|
||||
sign_and_verify_rsa_pkcs sha224
|
||||
sign_and_verify_rsa_pkcs sha256
|
||||
sign_and_verify_rsa_pkcs sha384
|
||||
sign_and_verify_rsa_pkcs sha512
|
||||
|
||||
echo -n "+"
|
||||
|
||||
cp data data_pad
|
||||
dd if=/dev/zero bs=1 count=227 >> data_pad > /dev/null 2>&1
|
||||
test $? -eq 0 && echo -n "." || exit $?
|
||||
pkcs11-tool --id 1 --sign --pin 648219 --mechanism RSA-X-509 -i data_pad -o data.sig > /dev/null 2>&1
|
||||
test $? -eq 0 && echo -n "." || exit $?
|
||||
TDATA=$(tr -d '\0' < <(openssl rsautl -verify -inkey 1.pub -in data.sig -pubin -raw))
|
||||
if [[ ${TEST_DATA} != "$TDATA" ]]; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo -n "+"
|
||||
|
||||
#sign_and_verify_rsa_pss sha1
|
||||
sign_and_verify_rsa_pss sha224
|
||||
sign_and_verify_rsa_pss sha256
|
||||
sign_and_verify_rsa_pss sha384
|
||||
sign_and_verify_rsa_pss sha512
|
||||
|
||||
echo -n "+"
|
||||
|
||||
sign_and_verify_rsa_pss_dgst sha1
|
||||
sign_and_verify_rsa_pss_dgst sha224
|
||||
sign_and_verify_rsa_pss_dgst sha256
|
||||
sign_and_verify_rsa_pss_dgst sha384
|
||||
sign_and_verify_rsa_pss_dgst sha512
|
||||
|
||||
rm -rf data* 1.*
|
||||
pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1
|
@ -8,7 +8,7 @@ sleep 2
|
||||
rm -f memory.flash
|
||||
tar -xf tests/memory.tar.gz
|
||||
./build_in_docker/pico_hsm > /dev/null 2>&1 &
|
||||
pytest tests -W ignore::DeprecationWarning
|
||||
#pytest tests -W ignore::DeprecationWarning
|
||||
|
||||
chmod a+x tests/scripts/*.sh
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user