[PATCH v1 ima-evm-utils 5/6] tests: Add pkcs11 test using provider

From: Stefan Berger <stefanb@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, roberto.sassu@huawei.com,
	Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH v1 ima-evm-utils 5/6] tests: Add pkcs11 test using provider
Date: Mon,  5 Feb 2024 09:15:27 -0500	[thread overview]
Message-ID: <20240205141528.3566511-6-stefanb@linux.ibm.com> (raw)
In-Reply-To: <20240205141528.3566511-1-stefanb@linux.ibm.com>

Adjust the existing pkcs11 engine test cases to pass --engine pkcs11 via
an option (OPTS) to evmctl rather than using a global variable. Then
duplicate the pkcs11 engine tests and pass --provider pkcs11 to run the
same tests using OpenSSL provider. Also check whether evmctl was compiled
with provider support and if the pkcs11 provider is installed.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 tests/functions.sh     |  1 -
 tests/sign_verify.test | 19 ++++++++++++++++---
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/tests/functions.sh b/tests/functions.sh
index c39b894..962a436 100755
--- a/tests/functions.sh
+++ b/tests/functions.sh
@@ -373,7 +373,6 @@ _softhsm_setup() {
     PKCS11_KEYURI=$(echo "$msg" | sed -n 's|^keyuri: \(.*\)|\1|p')
     export PKCS11_KEYURI
 
-    export EVMCTL_ENGINE="--engine pkcs11"
     export OPENSSL_ENGINE="-engine pkcs11"
     export OPENSSL_KEYFORM="-keyform engine"
   else
diff --git a/tests/sign_verify.test b/tests/sign_verify.test
index 1b6cf2a..0ba7bea 100755
--- a/tests/sign_verify.test
+++ b/tests/sign_verify.test
@@ -439,11 +439,24 @@ expect_fail \
 # Test signing with key described by pkcs11 URI
 _softhsm_setup "${WORKDIR}"
 if [ -n "${PKCS11_KEYURI}" ]; then
-  expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_KEYURI}" ALG=sha256 PREFIX=0x030204aabbccdd0100 OPTS=--keyid=aabbccdd
-  expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_KEYURI}" ALG=sha1   PREFIX=0x030202aabbccdd0100 OPTS=--keyid=aabbccdd
+  expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_KEYURI}" ALG=sha256 PREFIX=0x030204aabbccdd0100 OPTS="--keyid=aabbccdd --engine pkcs11"
+  expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_KEYURI}" ALG=sha1   PREFIX=0x030202aabbccdd0100 OPTS="--keyid=aabbccdd --engine pkcs11"
+
+  # provider may not be supported or pkcs11 provider not installed
+  if evmctl --help 2>/dev/null | grep -q provider && \
+     openssl list -providers -provider pkcs11 ; then
+    PKCS11_PRIVKEYURI=${PKCS11_KEYURI//type=public/type=private}
+
+    expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_PRIVKEYURI}" ALG=sha256 PREFIX=0x030204aabbccdd0100 OPTS="--keyid=aabbccdd --provider pkcs11"
+    expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_PRIVKEYURI}" ALG=sha1   PREFIX=0x030202aabbccdd0100 OPTS="--keyid=aabbccdd --provider pkcs11"
+  else
+    __skip() { echo "pkcs11 test with provider is skipped since no provider support or pkcs11 not installed"; return "$SKIP"; }
+    expect_pass __skip
+    expect_pass __skip
+  fi
 else
   # to have a constant number of tests, skip these two tests
-  __skip() { echo "pkcs11 test is skipped: could not setup softhsm"; return $SKIP; }
+  __skip() { echo "pkcs11 test is skipped: could not setup softhsm"; return "$SKIP"; }
   expect_pass __skip
   expect_pass __skip
 fi
-- 
2.43.0

