Add PKCS#12 test

README.md

@@ -21,8 +21,9 @@ Currently this provider fully enables quantum-safe cryptography for KEM
 key establishment in TLS1.3 including management of such keys via the
 OpenSSL (3.0) provider interface and hybrid KEM schemes. Also, QSC
 signatures including CMS and CMP functionality are available via the OpenSSL
-EVP interface. Key persistence is provided via the encode/decode
-mechanism and X.509 data structures. Starting with OpenSSL 3.2 support for 
+EVP interface. Key persistence is provided via the encode/decode mechanism,
+X.509 data structures, and PKCS#12 for bundling a private key with its
+corresponding X.509 certificate. Starting with OpenSSL 3.2 support for
 TLS1.3 signature functionality is available and final glitches for CMS
 have been resolved.
 
@@ -185,6 +186,7 @@ Contributors to the `oqsprovider` include:
 - Will Childs-Klein
 - Thomas Bailleux
 - Felipe Ventura
+- Iyán Méndez Veiga
 
 History
 -------

scripts/oqsprovider-pkcs12gen.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# Use newly built oqsprovider to save PKCS#12 files from keys and
+# and certificates files generated using alg $1.
+# Assumed oqsprovider-certgen.sh to have run before for same algorithm
+
+set -e
+set -x
+
+if [ $# -lt 1 ]; then
+    echo "Usage: $0 <algorithmname>. Exiting."
+    exit 1
+fi
+
+echo "oqsprovider-pkcs12gen.sh commencing..."
+
+if [ -z "$OPENSSL_APP" ]; then
+    echo "OPENSSL_APP env var not set. Exiting."
+    exit 1
+fi
+
+if [ -z "$OPENSSL_MODULES" ]; then
+    echo "Warning: OPENSSL_MODULES env var not set."
+fi
+
+# Set OSX DYLD_LIBRARY_PATH if not already externally set
+if [ -z "$DYLD_LIBRARY_PATH" ]; then
+    export DYLD_LIBRARY_PATH=$LD_LIBRARY_PATH
+fi
+
+# Assumes certgen has been run before: Quick check
+if [[ -f tmp/$1_CA.crt &&  -f tmp/$1_CA.key ]]; then
+   echo "Key and certificate using $1 found."
+else
+   echo "File tmp/$1_CA.crt and/or tmp/$1_CA.key not found. Did certgen run before? Exiting."
+   exit -1
+fi
+
+echo "Generating PKCS#12 files..."
+
+# pkcs12 test:
+$OPENSSL_APP pkcs12 -export -in tmp/$1_srv.crt -inkey tmp/$1_srv.key -passout pass: -out tmp/$1_srv_1.p12
+
+if [ $? -ne 0 ] || [ ! -f tmp/$1_srv_1.p12 ]; then
+    echo "PKCS#12 generation with oqsprovider enabled failed."
+    exit 1
+fi
+
+# Generate config file with oqsprovider disabled
+sed -e 's/^oqsprovider/# oqsprovider/' "$(pwd)/scripts/openssl-ca.cnf" > tmp/openssl-ca-no-oqsprovider.cnf
+
+# This print an error but OpenSSL returns 0 and .p12 file is generated correctly
+OPENSSL_CONF=tmp/openssl-ca-no-oqsprovider.cnf $OPENSSL_APP pkcs12 -provider default -provider oqsprovider -export -in tmp/$1_srv.crt -inkey tmp/$1_srv.key -passout pass: -out tmp/$1_srv_2.p12
+
+if [ $? -ne 0 ] || [ ! -f tmp/$1_srv_2.p12 ]; then
+    echo "PKCS#12 generation with oqsprovider disabled failed."
+    exit 1
+fi
+
+if [ $(cat tmp/$1_srv_1.p12 | $OPENSSL_APP sha256) -neq $(cat tmp/$1_srv_2.p12 | $OPENSSL_APP sha256) ]; then
+    echo "PKCS#12 files differ when oqsprovider is enabled or not."
+    exit 1
+fi

scripts/runtests.sh

@@ -17,7 +17,7 @@ openssl2provider() {
 }
 
 localalgtest() {
-    if ! ( "${OQS_PROVIDER_TESTSCRIPTS}/oqsprovider-certgen.sh" "$1" >> interop.log 2>&1 && "${OQS_PROVIDER_TESTSCRIPTS}/oqsprovider-certverify.sh" "$1" >> interop.log 2>&1 && "${OQS_PROVIDER_TESTSCRIPTS}/oqsprovider-cmssign.sh" "$1" >> interop.log 2>&1 &&  "${OQS_PROVIDER_TESTSCRIPTS}/oqsprovider-ca.sh" "$1" >> interop.log 2>&1 ); then
+    if ! ( "${OQS_PROVIDER_TESTSCRIPTS}/oqsprovider-certgen.sh" "$1" >> interop.log 2>&1 && "${OQS_PROVIDER_TESTSCRIPTS}/oqsprovider-certverify.sh" "$1" >> interop.log 2>&1 && "${OQS_PROVIDER_TESTSCRIPTS}/oqsprovider-cmssign.sh" "$1" >> interop.log 2>&1 && "${OQS_PROVIDER_TESTSCRIPTS}/oqsprovider-ca.sh" "$1" >> interop.log 2>&1 && "${OQS_PROVIDER_TESTSCRIPTS}/oqsprovider-pkcs12gen.sh" "$1" >> interop.log 2>&1 ); then
         echo "localalgtest $1 failed. Exiting.".
         cat interop.log
         exit 1