e2e_tests/sign: Fix and simplify RSA and ECDSA signing tests

 * Adapt to the fact that ECDSA signature is split and serialized.
 * Calculate hash and use the pre-computed digest for signature
   verification

Signed-off-by: Tomás González <[email protected]>

parsec-openssl-provider-shared/e2e_tests/Cargo.toml

@@ -17,6 +17,7 @@ parsec-openssl-provider = { path ="../../parsec-openssl-provider" }
 parsec-client = "0.16.0"
 sha2 = "0.10.8"
 openssl = "0.10.63"
+picky-asn1-der = "0.4.0"
 
 [build-dependencies]
 pkg-config = "0.3.18"

parsec-openssl-provider-shared/e2e_tests/tests/sign.rs

@@ -2,10 +2,17 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use e2e_tests::*;
+use openssl::md::Md;
+use openssl::md_ctx::MdCtx;
+use openssl::pkey::Private;
 use parsec_client::core::basic_client::BasicClient;
 use parsec_client::core::interface::operations::psa_algorithm::{AsymmetricSignature, Hash};
+use parsec_client::core::interface::operations::{
+    psa_hash_compare, psa_hash_compute, psa_sign_hash,
+};
 use parsec_openssl_provider::parsec_openssl2::ossl_param;
 use parsec_openssl_provider::parsec_openssl2::{openssl_returns_1, Openssl2Error};
+use parsec_openssl_provider::signature::EccSignature;
 use parsec_openssl_provider::{
     PARSEC_PROVIDER_DFLT_PROPERTIES, PARSEC_PROVIDER_ECDSA_NAME, PARSEC_PROVIDER_KEY_NAME,
     PARSEC_PROVIDER_RSA_NAME,
@@ -21,10 +28,6 @@ fn sign_verify(
     sign_algorithm: AsymmetricSignature,
     key_type: &[u8],
 ) -> Result<(), Openssl2Error> {
-    // These are a backup to be used with different modalities of EVP_PKEY_sign
-    let mut other_signature: Vec<u8> = vec![0; signature.len()];
-    let mut other_len = signature.len();
-
     let provider_path = String::from("../../target/debug/");
     let provider_name = String::from("libparsec_openssl_provider_shared");
 
@@ -33,10 +36,7 @@ fn sign_verify(
 
     let mut param = ossl_param!(PARSEC_PROVIDER_KEY_NAME, OSSL_PARAM_UTF8_PTR, key_name);
 
-    let mut hasher = Sha256::new();
-    hasher.update(b"Parsec OpenSSL Provider");
-    let hash = hasher.finalize();
-
+    let test_string: &[u8; 23] = b"Parsec OpenSSL Provider";
     unsafe {
         let mut parsec_pkey: *mut EVP_PKEY = std::ptr::null_mut();
         load_key(&lib_ctx, &mut param, &mut parsec_pkey, key_type);
@@ -47,55 +47,38 @@ fn sign_verify(
             PARSEC_PROVIDER_DFLT_PROPERTIES.as_ptr() as *const ::std::os::raw::c_char,
         );
 
-        let mut sign_len = 0;
-
-        // Initialize and perform signing operation using EVP interfaces
-        openssl_returns_1(EVP_PKEY_sign_init(evp_ctx)).unwrap();
-
-        openssl_returns_1(EVP_PKEY_sign(
-            evp_ctx,
-            std::ptr::null_mut(),
-            &mut sign_len,
-            hash.as_ptr(),
-            hash.len(),
-        ))
-        .unwrap();
-        assert_eq!(sign_len, signature.len());
-
-        openssl_returns_1(EVP_PKEY_sign(
-            evp_ctx,
-            signature.as_mut_ptr(),
-            &mut sign_len,
-            hash.as_ptr(),
-            hash.len(),
-        ))
-        .unwrap();
-
-        openssl_returns_1(EVP_PKEY_sign(
-            evp_ctx,
-            other_signature.as_mut_ptr(),
-            &mut other_len,
-            hash.as_ptr(),
-            hash.len(),
-        ))
-        .unwrap();
+        let mut mdctx = MdCtx::new().unwrap();
+        let md = Md::fetch(None, "SHA256", None).unwrap();
+        let pkey: openssl::pkey::PKey<Private> = openssl::pkey::PKey::from_ptr(parsec_pkey as _);
+        mdctx.digest_sign_init(Some(&md), &pkey).unwrap();
+
+        mdctx.digest_sign(test_string, Some(signature)).unwrap();
 
         EVP_PKEY_free(parsec_pkey);
     }
 
     let client = BasicClient::new(Some(String::from("parsec-tool"))).unwrap();
 
-    client
-        .psa_verify_hash(key_name, &hash, sign_algorithm, signature)
-        .unwrap();
-    client
-        .psa_verify_hash(
-            key_name,
-            &hash,
-            sign_algorithm,
-            other_signature.as_mut_slice(),
-        )
-        .unwrap();
+    let hash = client.psa_hash_compute(Hash::Sha256, test_string).unwrap();
+
+    if sign_algorithm.is_ecc_alg() {
+        let deserialized: EccSignature = picky_asn1_der::from_bytes(signature).unwrap();
+        let mut sign_res_a = deserialized.r.as_unsigned_bytes_be().to_vec();
+        let sign_res_b = deserialized.s.as_unsigned_bytes_be().to_vec();
+        sign_res_a.extend(sign_res_b);
+        client
+            .psa_verify_hash(
+                key_name,
+                hash.as_slice(),
+                sign_algorithm,
+                sign_res_a.as_slice(),
+            )
+            .unwrap();
+    } else {
+        client
+            .psa_verify_hash(key_name, hash.as_slice(), sign_algorithm, signature)
+            .unwrap();
+    }
     Ok(())
 }
 
@@ -105,7 +88,7 @@ fn test_signing_ecdsa() {
     let key_name = String::from("PARSEC_TEST_ECDSA_KEY");
 
     // A 256 bit ECDSA signing operation produces 64 bytes signature
-    let mut signature: [u8; 64] = [0; 64];
+    let mut signature: [u8; 128] = [0; 128];
     let sign_alg = AsymmetricSignature::Ecdsa {
         hash_alg: Hash::Sha256.into(),
     };

parsec-openssl-provider/src/lib.rs

@@ -17,7 +17,7 @@ use parsec_openssl2::types::VOID_PTR;
 use parsec_openssl2::{openssl_bindings, types};
 
 mod keymgmt;
-mod signature;
+pub mod signature;
 
 mod provider;
 use provider::*;

parsec-openssl-provider/src/signature/mod.rs

@@ -18,9 +18,9 @@ use std::ffi::CStr;
 use std::sync::{Arc, RwLock};
 
 #[derive(Serialize, Deserialize)]
-struct EccSignature {
-    r: IntegerAsn1,
-    s: IntegerAsn1,
+pub struct EccSignature {
+    pub r: IntegerAsn1,
+    pub s: IntegerAsn1,
 }
 
 struct ParsecProviderSignatureContext {

tests/ci.sh

@@ -68,7 +68,7 @@ while [ "$#" -gt 0 ]; do
     shift
 done
 
-rustup update
+# rustup update
 
 if [ "$BUILD" == "True" ]; then
     echo "OpenSSL version being used:"