Merge pull request #320 from padelsbach/wp-cmd-test-updates

ColtonWilley · web-flow · commit 823dab8df492 · 2025-11-12T14:19:41.000-08:00
Update command line tests for WPFF
diff --git a/scripts/cmd_test/cmd-test-common.sh b/scripts/cmd_test/cmd-test-common.sh
@@ -17,22 +17,54 @@
 # You should have received a copy of the GNU General Public License
 # along with wolfProvider. If not, see <http://www.gnu.org/licenses/>.
 
+COMMON_SETUP_DONE=0
+
 cmd_test_env_setup() {
+    # Fail flags
+    FAIL=0
+    FORCE_FAIL_PASSED=0
+
+    if [ $COMMON_SETUP_DONE -ne 0 ]; then
+        echo "Setup already completed, skipping."
+        return
+    fi
+
     local log_file_name=$1
     SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
     # Set up environment
     export LOG_FILE="${SCRIPT_DIR}/${log_file_name}"
     touch "$LOG_FILE"
 
-    # OPENSSL_BIN must be set by the caller
+    # If OPENSSL_BIN is not set, assume we are using a local build
     if [ -z "${OPENSSL_BIN:-}" ]; then
-        echo "Error: OPENSSL_BIN environment variable is not set" | tee -a "$LOG_FILE"
-        exit 1
-    fi
+        echo "OPENSSL_BIN not set, assuming local build"
+        # Check if the install directories exist
+        if [ ! -d "${REPO_ROOT}/openssl-install" ] || 
+        [ ! -d "${REPO_ROOT}/wolfssl-install" ]; then
+            echo "[FAIL] OpenSSL or wolfSSL install directories not found"
+            echo "Please set OPENSSL_BIN or run build-wolfprovider.sh first"
+            exit 1
+        fi
 
-    # Fail flags
-    FAIL=0
-    FORCE_FAIL_PASSED=0
+        # Setup the environment for a local build
+        source "${REPO_ROOT}/scripts/env-setup"
+    else
+        echo "Using user-provided OPENSSL_BIN: ${OPENSSL_BIN}"
+        # We are using a user-provided OpenSSL binary, manually set the test
+        # environment variables rather than using env-setup.
+        # Find the location of the wolfProvider modules
+        if [ -z "${WOLFPROV_PATH:-}" ]; then
+            export WOLFPROV_PATH=$(find /usr/lib /usr/local/lib -type d -name ossl-modules 2>/dev/null | head -n 1)
+        fi
+        # Set the path to the wolfProvider config file
+        if [ -z "${WOLFPROV_CONFIG:-}" ]; then
+            if [ "${WOLFSSL_ISFIPS:-0}" = "1" ]; then
+                export WOLFPROV_CONFIG="${REPO_ROOT}/provider-fips.conf"
+            else
+                export WOLFPROV_CONFIG="${REPO_ROOT}/provider.conf"
+            fi  
+        fi
+    fi
 
     # Get the force fail parameter
     if [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then
@@ -46,6 +78,17 @@ cmd_test_env_setup() {
     echo "Environment variables:"
     echo "OPENSSL_MODULES: ${OPENSSL_MODULES}"
     echo "OPENSSL_BIN: ${OPENSSL_BIN}"
+    echo "WOLFPROV_PATH: ${WOLFPROV_PATH}"
+    echo "WOLFPROV_CONFIG: ${WOLFPROV_CONFIG}"
+    echo "LOG_FILE: ${LOG_FILE}"
+
+    COMMON_SETUP_DONE=1
+}
+
+# Check if default provider is in use
+# Note that this may be wolfProvider if built as replace-default
+is_default_provider() {
+    return $($OPENSSL_BIN list -providers | grep -qi "default")
 }
 
 # Function to use default provider only
@@ -54,29 +97,41 @@ use_default_provider() {
     unset OPENSSL_CONF
 
     # Verify that we are using the default provider
-    if ${OPENSSL_BIN} list -providers | grep -q "wolfprov"; then
-        echo "FAIL: unable to switch to default provider, wolfProvider is still active"
+    if ! is_default_provider; then
+        echo "FAIL: unable to switch to default provider"
+        $OPENSSL_BIN list -providers
         exit 1
     fi
     echo "Switched to default provider"
 }
 
+is_wolf_provider() {
+    return $($OPENSSL_BIN list -providers | grep -qi "wolfSSL Provider")
+}
+
 # Function to use wolf provider only
 use_wolf_provider() {
     export OPENSSL_MODULES=$WOLFPROV_PATH
     export OPENSSL_CONF=${WOLFPROV_CONFIG}
 
     # Verify that we are using wolfProvider
-    if ! ${OPENSSL_BIN} list -providers | grep -q "wolfprov"; then
-        echo "FAIL: unable to switch to wolfProvider, default provider is still active"
+    if ! is_wolf_provider; then
+        echo "FAIL: unable to switch to wolfProvider"
+        $OPENSSL_BIN list -providers
         exit 1
     fi
     echo "Switched to wolfProvider"
 }
 
+is_replace_default() {
+    return $($OPENSSL_BIN list -providers | grep -qi "wolfSSL Provider")
+}
+
 # Helper function to handle force fail checks
 check_force_fail() {
-    if [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then
+    if is_default_provider && ! is_replace_default; then
+        echo "OPENSSL Default provider active, no forced failures expected."
+    elif [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then
         echo "[PASS] Test passed when force fail was enabled"
         FORCE_FAIL_PASSED=1
     fi
diff --git a/scripts/cmd_test/do-cmd-tests.sh b/scripts/cmd_test/do-cmd-tests.sh
@@ -25,35 +25,7 @@ REPO_ROOT="$( cd "${SCRIPT_DIR}/../.." &> /dev/null && pwd )"
 UTILS_DIR="${REPO_ROOT}/scripts"
 
 source "${SCRIPT_DIR}/cmd-test-common.sh"
-
-# If OPENSSL_BIN is not set, assume we are using a local build
-if [ -z "${OPENSSL_BIN:-}" ]; then
-    # Check if the install directories exist
-    if [ ! -d "${REPO_ROOT}/openssl-install" ] || 
-       [ ! -d "${REPO_ROOT}/wolfssl-install" ]; then
-        echo "[FAIL] OpenSSL or wolfSSL install directories not found"
-        echo "Please set OPENSSL_BIN or run build-wolfprovider.sh first"
-        exit 1
-    fi
-
-    # Setup the environment for a local build
-    source "${REPO_ROOT}/scripts/env-setup"
-else
-    # We are using a user-provided OpenSSL binary, manually set the test
-    # environment variables rather than using env-setup.
-    # Find the location of the wolfProvider modules
-    if [ -z "${WOLFPROV_PATH:-}" ]; then
-        export WOLFPROV_PATH=$(find /usr/lib /usr/local/lib -type d -name ossl-modules 2>/dev/null | head -n 1)
-    fi
-    # Set the path to the wolfProvider config file
-    if [ -z "${WOLFPROV_CONFIG:-}" ]; then
-        if [ "${WOLFSSL_ISFIPS:-0}" = "1" ]; then
-            export WOLFPROV_CONFIG="${REPO_ROOT}/provider-fips.conf"
-        else
-            export WOLFPROV_CONFIG="${REPO_ROOT}/provider.conf"
-        fi  
-    fi
-fi
+cmd_test_env_setup
 
 echo "=== Running wolfProvider Command-Line Tests ==="
 echo "Using OPENSSL_BIN: ${OPENSSL_BIN}" 
diff --git a/scripts/cmd_test/ecc-cmd-test.sh b/scripts/cmd_test/ecc-cmd-test.sh
@@ -117,6 +117,18 @@ test_sign_verify_pkeyutl() {
     local data_file="ecc_outputs/test_data.txt"
     
     echo -e "\n=== Testing ECC (${curve}) Sign/Verify with pkeyutl Using ${provider_name} ==="
+
+    if [ ! -f "$key_file" ] || [ ! -f "$pub_key_file" ]; then
+        echo "[FAIL] Key files for ECC (${curve}) not found, cannot run sign/verify tests"
+        FAIL=1
+        exit 1
+    fi
+
+    if [ ! -f "$data_file" ]; then
+        echo "[FAIL] Test data file not found, cannot run sign/verify tests"
+        FAIL=1
+        exit 1
+    fi
     
     # Test 1: Sign and verify with OpenSSL default
     use_default_provider
@@ -193,6 +205,12 @@ generate_and_test_key() {
     provider_name=$(get_provider_name "$provider_args")
     
     echo -e "\n=== Testing ECC Key Generation (${curve}) with ${provider_name} ==="
+
+    if [ -f "$output_file" ]; then
+        echo "ECC key file $output_file already exists, removing it."
+        rm -f "$output_file"
+    fi
+
     echo "Generating ECC key (${curve})..."
     
     if $OPENSSL_BIN genpkey -algorithm EC \
@@ -239,6 +257,14 @@ for curve in "${CURVES[@]}"; do
         # Generate key with current provider
         generate_and_test_key "$curve" "$test_provider"
 
+        # If WPFF is set, we need to run again to actually create the 
+        # key files
+        if [ $WOLFPROV_FORCE_FAIL -ne 0 ]; then
+            WOLFPROV_FORCE_FAIL=0
+            generate_and_test_key "$curve" "$test_provider"
+            WOLFPROV_FORCE_FAIL=1
+        fi
+
         # Test sign/verify interoperability
         test_sign_verify_pkeyutl "$curve" "$test_provider"
     done
diff --git a/scripts/cmd_test/req-cmd-test.sh b/scripts/cmd_test/req-cmd-test.sh
@@ -35,6 +35,16 @@ test_cert_creation() {
     local cert_file="req_outputs/cert_${curve}_${hash_alg}_${req_provider_name//lib/}.pem"
     
     echo -e "\n=== Testing Certificate Creation (${curve}/${hash_alg}) - req with ${req_provider_name} ==="
+
+    if [ -f "$key_file" ]; then
+        echo "Key file $key_file already exists, removing it."
+        rm -f "$key_file"
+    fi
+
+    if [ -f "$cert_file" ]; then
+        echo "Certificate file $cert_file already exists, removing it."
+        rm -f "$cert_file"
+    fi
     
     # Generate EC key with default provider
     echo "Generating EC key with curve ${curve} using default provider..."
diff --git a/scripts/cmd_test/rsa-cmd-test.sh b/scripts/cmd_test/rsa-cmd-test.sh
@@ -37,23 +37,8 @@ KEY_TYPES=("RSA" "RSA-PSS")
 KEY_SIZES=("2048" "3072" "4096")
 PROVIDER_ARGS=("-provider-path $WOLFPROV_PATH -provider libwolfprov" "-provider default")
 
-OPENSSL_BIN=${OPENSSL_BIN:-openssl}
-
 echo "=== Running RSA Key Generation Tests ==="
 
-rsa_check_force_fail() {
-    local openssl_providers=$($OPENSSL_BIN list -providers)
-    is_openssl_default_provider=$(echo "$openssl_providers" | grep -qi "OpenSSL Default Provider" && echo 1 || echo 0)
-    if [ $is_openssl_default_provider -eq 1 ]; then
-        # With the OpenSSL provider, don't expect failures
-        echo "OPENSSL Default provider active, no forced failures expected."
-    elif [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then
-        echo "[PASS] Test passed when force fail was enabled"
-        FORCE_FAIL_PASSED=1
-        exit 1
-    fi
-}
-
 # Function to validate key
 validate_key() {
     local key_type=$1
@@ -76,15 +61,15 @@ validate_key() {
         return
     else
         echo "[PASS] ${key_type} key file exists and has content"
-        rsa_check_force_fail
+        check_force_fail
     fi
     
     # Only try to extract public key if file exists and has content
     local pub_key_file="rsa_outputs/${key_type}_${key_size}_pub.pem"
     if $OPENSSL_BIN pkey -in "$key_file" -pubout -out "$pub_key_file" \
         ${provider_args} -passin pass: >/dev/null; then
         echo "[PASS] ${key_type} Public key extraction successful"
-        rsa_check_force_fail
+        check_force_fail
     else
         echo "[FAIL] ${key_type} Public key extraction failed"
         FAIL=1
@@ -169,6 +154,8 @@ test_sign_verify_pkeyutl() {
 
     # Get the provider name
     provider_name=$(get_provider_name "$provider_args")
+
+    echo -e "\n=== Testing ${key_type} (${key_size}) Sign/Verify with pkeyutl Using ${provider_name} ==="
     
     # Handle different key naming conventions
     local key_prefix="${key_type}"
@@ -192,18 +179,16 @@ test_sign_verify_pkeyutl() {
         exit 1
     fi
     
-    echo -e "\n=== Testing ${key_type} (${key_size}) Sign/Verify with pkeyutl Using ${provider_name} ==="
-    
     # Test 1: Sign and verify with OpenSSL default
     use_default_provider
     echo "Test 1: Sign and verify with OpenSSL default (${key_type})"
     local default_sig_file="rsa_outputs/${key_prefix}_${key_size}_default_sig.bin"
     if $sign_func "$key_file" "$data_file" "$default_sig_file" "$provider_args"; then
         echo "[PASS] Signing with OpenSSL default successful"
-        rsa_check_force_fail
+        check_force_fail
         if $verify_func "$pub_key_file" "$data_file" "$default_sig_file" "$provider_args"; then
             echo "[PASS] Default provider verify successful"
-            rsa_check_force_fail
+            check_force_fail
         else
             echo "[FAIL] Default provider verify failed"
             FAIL=1
@@ -219,10 +204,10 @@ test_sign_verify_pkeyutl() {
     local wolf_sig_file="rsa_outputs/${key_prefix}_${key_size}_wolf_sig.bin"
     if $sign_func "$key_file" "$data_file" "$wolf_sig_file" "$provider_args"; then
         echo "[PASS] Signing with wolfProvider successful"
-        rsa_check_force_fail
+        check_force_fail
         if $verify_func "$pub_key_file" "$data_file" "$wolf_sig_file" "$provider_args"; then
             echo "[PASS] wolfProvider sign/verify successful"
-            rsa_check_force_fail
+            check_force_fail
         else
             echo "[FAIL] wolfProvider verify failed"
             FAIL=1
@@ -238,7 +223,7 @@ test_sign_verify_pkeyutl() {
         use_wolf_provider
         if $verify_func "$pub_key_file" "$data_file" "$default_sig_file" "$provider_args"; then
             echo "[PASS] wolfProvider can verify OpenSSL default signature"
-            rsa_check_force_fail
+            check_force_fail
         else
             echo "[FAIL] wolfProvider cannot verify OpenSSL default signature"
             FAIL=1
@@ -248,7 +233,7 @@ test_sign_verify_pkeyutl() {
         echo "Test 4: Cross-provider verification (wolf sign, default verify)"
         if $verify_func "$pub_key_file" "$data_file" "$wolf_sig_file" "$provider_args"; then
             echo "[PASS] OpenSSL default can verify wolfProvider signature"
-            rsa_check_force_fail
+            check_force_fail
         else
             echo "[FAIL] OpenSSL default cannot verify wolfProvider signature"
             FAIL=1
@@ -263,15 +248,16 @@ generate_and_test_key() {
     local provider_args=$3
     local output_file="rsa_outputs/${key_type}_${key_size}.pem"
 
+    # Get the provider name
+    provider_name=$(get_provider_name "$provider_args")
+
+    echo -e "\n=== Testing ${key_type} Key Generation (${key_size}) with ${provider_name} ==="
+
     if [ -f "$output_file" ]; then
         echo "Output file $output_file already exists, removing it."
         rm -f "$output_file"
     fi
 
-    # Get the provider name
-    provider_name=$(get_provider_name "$provider_args")
-    
-    echo -e "\n=== Testing ${key_type} Key Generation (${key_size}) with ${provider_name} ==="
     echo "Generating ${key_type} key (${key_size})..."
     if [ "$key_type" = "RSA-PSS" ]; then
         # For RSA-PSS, specify all parameters
@@ -283,7 +269,7 @@ generate_and_test_key() {
             -pkeyopt rsa_pss_keygen_saltlen:-1 \
             -out "$output_file" 2>/dev/null; then
             echo "[PASS] RSA-PSS key generation successful"
-            rsa_check_force_fail
+            check_force_fail
         else
             echo "[FAIL] RSA-PSS key generation failed"
             FAIL=1
@@ -295,7 +281,7 @@ generate_and_test_key() {
             -pkeyopt rsa_keygen_bits:${key_size} \
             -out "$output_file" 2>/dev/null; then
             echo "[PASS] RSA key generation successful"
-            rsa_check_force_fail
+            check_force_fail
         else
             echo "[FAIL] RSA key generation failed"
             FAIL=1
@@ -305,7 +291,7 @@ generate_and_test_key() {
     # Verify the key was generated
     if [ -s "$output_file" ]; then
         echo "[PASS] ${key_type} key (${key_size}) generation successful"
-        rsa_check_force_fail
+        check_force_fail
     else
         echo "[FAIL] ${key_type} key (${key_size}) generation failed"
         FAIL=1
@@ -322,7 +308,7 @@ generate_and_test_key() {
     if $OPENSSL_BIN pkey -in "$output_file" -check \
         ${provider_args} -passin pass: >/dev/null; then
         echo "[PASS] ${provider_name} can use ${key_type} key (${key_size})"
-        rsa_check_force_fail
+        check_force_fail
     else
         echo "[FAIL] ${provider_name} cannot use ${key_type} key (${key_size})"
         FAIL=1
diff --git a/scripts/verify-install.sh b/scripts/verify-install.sh
@@ -249,7 +249,6 @@ verify_wolfprovider() {
         elif [ $is_wp_default -ne 1 ]; then
             handle_error "wolfProvider is not the default provider"
         fi
-
     else
         if [ $is_openssl_replace_default -eq 1 ]; then
             handle_error "OpenSSL is replace default"
