From 20112f4244f696cdcc55b78ca913c221f9720e58 Mon Sep 17 00:00:00 2001
From: Mika Tammi
Date: Tue, 31 Oct 2023 15:49:54 +0200
Subject: [PATCH] squash! Initial pkcs11-tool tests for OP-TEE
* Test RSA 2048 and EC secp256r1 key usage
Signed-off-by: Mika Tammi
---
 .../test-suites/optee/pkcs11-tool.robot | 49 +++++++++++++++++--
 1 file changed, 46 insertions(+), 3 deletions(-)
diff --git a/Robot-Framework/test-suites/optee/pkcs11-tool.robot b/Robot-Framework/test-suites/optee/pkcs11-tool.robot
index dbcd261..5344ddd 100644
--- a/Robot-Framework/test-suites/optee/pkcs11-tool.robot
+++ b/Robot-Framework/test-suites/optee/pkcs11-tool.robot
@@ -18,7 +18,10 @@ Basic pkcs11-tool-optee test
 ${tool}= Set Variable "pkcs11-tool-optee"
 List all key slots ${tool}
 Initialize slot ${tool}
- List all key slots ${tool}
+ Test Public Key usage ${tool} keyid=1 keylabel=rsakey0 mechanism=SHA256-RSA-PKCS-PSS
+ Test Public Key usage ${tool} keyid=2 keylabel=eckey0 mechanism=ECDSA-SHA256
+ List key slots ${tool}
+ List objects ${tool}
 Check caml-crush service is running
 [Documentation] Checks if the systemd service for caml-crush is running
@@ -35,11 +38,14 @@ Basic pkcs11-tool-caml-crush test
 ${tool}= Set Variable "pkcs11-tool-caml-crush-optee"
 List all key slots ${tool}
 Initialize slot ${tool}
- List all key slots ${tool}
+ Test Public Key usage ${tool} keyid=1 keylabel=rsakey0 mechanism=SHA256-RSA-PKCS-PSS
+ Test Public Key usage ${tool} keyid=2 keylabel=eckey0 mechanism=ECDSA-SHA256
+ List key slots ${tool}
+ List objects ${tool}
 *** Keywords ***
-List all key slots
+List key slots
 [Documentation] List all key slots
 [Arguments] ${tool}
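Review bot: The context line `List all key slots ${tool}` that runs before `Initialize slot` is left unchanged in this test case, and again in `Basic pkcs11-tool-caml-crush test` in the next hunk, while that next hunk renames the keyword definition to `List key slots`. Unless another `List all key slots` keyword is defined outside the visible hunks, both test cases would fail at their first step with a keyword-not-found error, and none of the new signing checks would run. Change those two calls to `List key slots    ${tool}`, or keep the old keyword name.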
@@ -47,6 +53,14 @@ List all key slots
 ${stdout} ${stderr} ${rc}= Execute Command ${cmd} sudo=True sudo_password=${PASSWORD} return_stdout=True return_stderr=True return_rc=True
 Should Be Equal As Integers ${rc} 0
+List objects
+ [Documentation] List all key slots
+ [Arguments] ${tool}
+
+ ${cmd}= Set Variable ${tool} --list-objects
+ ${stdout} ${stderr} ${rc}= Execute Command ${cmd} sudo=True sudo_password=${PASSWORD} return_stdout=True return_stderr=True return_rc=True
+ Should Be Equal As Integers ${rc} 0
+
 Initialize slot
 [Documentation] Initialize Key Slot
 [Arguments] ${tool}
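Review bot: The new `List objects` keyword carries the copied description `List all key slots`; it should read something like `[Documentation]    List objects stored on the token`. The keyword asserts only the return code, and `--list-objects` is called here without `--login` or a PIN, so presumably only public objects are reported. If the step is meant to confirm that `rsakey0` and `eckey0` were created, an explicit check such as `Should Contain    ${stdout}    rsakey0` would document and enforce that.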
@@ -62,3 +76,32 @@ Initialize slot
 ${cmd}= Set Variable ${tool} --token-label mytoken --pin 0000 --keygen --key-type AES:16 --id 0 --label mykey0
 ${stdout} ${stderr} ${rc}= Execute Command ${cmd} sudo=True sudo_password=${PASSWORD} return_stdout=True return_stderr=True return_rc=True
 Should Be Equal As Integers ${rc} 0
+
+ ${cmd}= Set Variable ${tool} --token-label mytoken --pin 0000 --keypairgen --key-type RSA:2048 --id 1 --label rsakey0
+ ${stdout} ${stderr} ${rc}= Execute Command ${cmd} sudo=True sudo_password=${PASSWORD} return_stdout=True return_stderr=True return_rc=True
+ Should Be Equal As Integers ${rc} 0
+
+ ${cmd}= Set Variable ${tool} --token-label mytoken --pin 0000 --keypairgen --key-type EC:secp256r1 --id 2 --label eckey0
+ ${stdout} ${stderr} ${rc}= Execute Command ${cmd} sudo=True sudo_password=${PASSWORD} return_stdout=True return_stderr=True return_rc=True
+ Should Be Equal As Integers ${rc} 0
+
+Test Public Key usage
+ [Documentation] Test Public Key usage
+ [Arguments] ${tool} ${keyid} ${keylabel} ${mechanism}
+
+ ${content_file}= Set Variable /tmp/pkcs11test_content
+ ${signature_file}= Set Variable /tmp/pkcs11test_signature
+
+ ${cmd}= Set Variable dd if=/dev/random of=${content_file} count=1 bs=32
+ ${stdout} ${stderr} ${rc}= Execute Command ${cmd} sudo=True sudo_password=${PASSWORD} return_stdout=True return_stderr=True return_rc=True
+ Should Be Equal As Integers ${rc} 0
+
+ ${cmd}= Set Variable ${tool} --token-label mytoken --pin 0000 --id ${keyid} --label ${keylabel} --sign -m ${mechanism} --input-file ${content_file} --output-file ${signature_file}
+ ${stdout} ${stderr} ${rc}= Execute Command ${cmd} sudo=True sudo_password=${PASSWORD} return_stdout=True return_stderr=True return_rc=True
+ Should Be Equal As Integers ${rc} 0
+
+ ${cmd}= Set Variable ${tool} --token-label mytoken --pin 0000 --id ${keyid} --label ${keylabel} --verify -m ${mechanism} --signature-file ${signature_file} --input-file ${content_file}
+ ${stdout} ${stderr} ${rc}= Execute Command ${cmd} sudo=True sudo_password=${PASSWORD} return_stdout=True return_stderr=True return_rc=True
+ Should Be Equal As Integers ${rc} 0
+ Should Contain ${stdout} Signature is valid
+ Should Not Contain ${stdout} Invalid signature
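Review bot: `Test Public Key usage` writes its input and signature to the fixed paths `/tmp/pkcs11test_content` and `/tmp/pkcs11test_signature` while running `dd` and the tool with `sudo=True`, so root writes through whatever already exists at those names in a world-writable directory, and the files are never removed. Create a private directory per run, e.g. `${workdir}=    Execute Command    mktemp -d`, derive both paths from it and delete it at the end of the keyword. The keyword also exercises only the accepting path: a second `--verify` against altered content, expected to print `Invalid signature`, would show that verification is able to fail. The `Initialize slot` keyword extended at the top of this hunk starts outside it.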