Testing things - vesajaaskelainen/optee_os GitHub Wiki

Introduction

!!! NOTE: THIS PAGE IS NOT ABOUT UPSTREAM STATUS BUT AFTER LOTS OF CHANGES !!!

This page describes how to test things once most of the pieces on the OP-TEE side, in the PKCS#11 TA and on the Linux side are in place.

TEE ACL support

Testing setup with 'public' login type

# Initialize device token with ACL
# WARNING! Do not normally use 'public' mode! Only for testing!
export CKTEEC_LOGIN_TYPE=public
pkcs11-tool --module /usr/lib/libckteec.so.0 --slot-index 0 --init-token --label device --so-pin ""
pkcs11-tool --module /usr/lib/libckteec.so.0 --slot-index 0 --init-pin --login --so-pin "" --new-pin public

pkcs11-tool --module /usr/lib/libckteec.so.0 --list-slots
pkcs11-tool --module /usr/lib/libckteec.so.0 --list-objects --token-label device --login

OpenSSL Engine

This uses the libp11 OpenSSL engine (engine id pkcs11) with libckteec as the PKCS#11 module.

In the default (unnamed) section of /etc/ssl/openssl.cnf, i.e. before any [section] header:

openssl_conf = openssl_init

Then in your preferred spot:

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines-1.1/pkcs11.so
MODULE_PATH = /usr/lib/libckteec.so.0
init = 0

Testing signing & verifying operations

Test data file:

echo "Hello World!" > /tmp/myfile

RSA & RSA-PSS:

# Generate RSA-2048 key with label 'rsa-test-key'
pkcs11-tool --module /usr/lib/libckteec.so.0 --token-label device --login --pin "" --keypairgen --key-type RSA:2048 --label rsa-test-key

# Export RSA public key
openssl rsa -engine pkcs11 -inform engine -in "pkcs11:token=device;object=rsa-test-key;type=public" -pubout -out /tmp/rsa-test-key.pem

# Sign with engine
openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:token=device;object=rsa-test-key;type=private" -out /tmp/myfile.sig -sha256 /tmp/myfile
openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:token=device;object=rsa-test-key;type=private" -out /tmp/myfile.sig.pss -sigopt rsa_padding_mode:pss -sha256 /tmp/myfile

# Verifying with engine
openssl dgst -engine pkcs11 -keyform engine -verify "pkcs11:token=device;object=rsa-test-key;type=public" -signature /tmp/myfile.sig.pss -sigopt rsa_padding_mode:pss -sha256 /tmp/myfile

# Verifying with software
openssl dgst -verify /tmp/rsa-test-key.pem -signature /tmp/myfile.sig -sha256 /tmp/myfile
openssl dgst -verify /tmp/rsa-test-key.pem -signature /tmp/myfile.sig.pss -sigopt rsa_padding_mode:pss -sha256 /tmp/myfile

ECDSA:

# Generate ECDSA P-256 key with label 'ec-test-key'
pkcs11-tool --module /usr/lib/libckteec.so.0 --token-label device --login --pin "" --keypairgen --key-type EC:prime256v1 --label ec-test-key

# Export ECDSA public key
openssl ec -engine pkcs11 -inform engine -in "pkcs11:token=device;object=ec-test-key;type=public" -pubout -out /tmp/ec-test-key.pem

# Sign with engine
openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:token=device;object=ec-test-key;type=private" -out /tmp/myfile.sig.ec -sha256 /tmp/myfile

# Verifying with engine
openssl dgst -engine pkcs11 -keyform engine -verify "pkcs11:token=device;object=ec-test-key;type=public" -signature /tmp/myfile.sig.ec -sha256 /tmp/myfile

# Verifying with software
openssl dgst -verify /tmp/ec-test-key.pem -signature /tmp/myfile.sig.ec -sha256 /tmp/myfile
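The commands above only show the happy path. The script below is an added example (not from this wiki page, OP-TEE or libp11) that wraps the same RSA, RSA-PSS and ECDSA sign/verify steps into a harness which also checks the cases that must fail: a tampered message and a PSS signature verified with PKCS#1 v1.5 padding (or vice versa). It assumes no PKCS#11 token is available and generates software keys with openssl genpkey as stand-ins for the TEE-resident keys; the ENGINE_OPTS, KEYFORM, PRIV_KEY and PUB_KEY variables are this script's own knobs for pointing it at the engine and the pkcs11: URIs used on this page instead.

```shell
#!/bin/sh
# Added example, not the wiki's or the project's code. Assumption: software keys
# generated here stand in for the TEE keys. To run against the token, export:
#   ENGINE_OPTS="-engine pkcs11" KEYFORM=engine KEY_TYPE=rsa
#   PRIV_KEY="pkcs11:token=device;object=rsa-test-key;type=private"
#   PUB_KEY="pkcs11:token=device;object=rsa-test-key;type=public"
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ENGINE_OPTS=${ENGINE_OPTS:-}   # "-engine pkcs11" for the TEE, empty for software keys
KEYFORM=${KEYFORM:-PEM}        # "engine" for the TEE, PEM for software keys
PRIV_KEY=${PRIV_KEY:-}         # -sign argument (PKCS#11 URI or PEM file)
PUB_KEY=${PUB_KEY:-}           # -verify argument (PKCS#11 URI or PEM file)

# Generate a software stand-in key pair, "rsa" (RSA-2048) or "ec" (P-256),
# matching the key types created with pkcs11-tool above.
make_sw_key() { # make_sw_key <rsa|ec>
    case $1 in
    rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
             -out "$WORK/$1.key" 2>/dev/null || return 1 ;;
    ec)  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
             -out "$WORK/$1.key" 2>/dev/null || return 1 ;;
    *)   return 1 ;;
    esac
    openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" || return 1
    PRIV_KEY=$WORK/$1.key
    PUB_KEY=$WORK/$1.pub
}

# Sign <infile> into <sigfile> with SHA-256. "pss" selects RSA-PSS padding;
# anything else uses the default (PKCS#1 v1.5 for RSA, plain ECDSA for EC).
sign_file() { # sign_file <pkcs1|pss> <infile> <sigfile>
    pad=""
    [ "$1" = pss ] && pad="-sigopt rsa_padding_mode:pss"
    # $ENGINE_OPTS and $pad are intentionally unquoted so they word-split.
    openssl dgst -sha256 $ENGINE_OPTS -keyform "$KEYFORM" -sign "$PRIV_KEY" $pad \
        -out "$3" "$2"
}

# Verify <sigfile> over <infile>; status 0 only when openssl reports "Verified OK".
verify_file() { # verify_file <pkcs1|pss> <infile> <sigfile>
    pad=""
    [ "$1" = pss ] && pad="-sigopt rsa_padding_mode:pss"
    openssl dgst -sha256 $ENGINE_OPTS -keyform "$KEYFORM" -verify "$PUB_KEY" $pad \
        -signature "$3" "$2" >/dev/null 2>&1
}

# Positive check: a fresh signature over the message verifies.
check_roundtrip() { # check_roundtrip <pkcs1|pss>
    printf 'Hello World!\n' > "$WORK/msg"   # constructed input, same text as the page
    sign_file "$1" "$WORK/msg" "$WORK/msg.sig" &&
        verify_file "$1" "$WORK/msg" "$WORK/msg.sig"
}

# Negative check: changing one byte of the message must make verification fail.
check_tamper_detected() { # check_tamper_detected <pkcs1|pss>
    printf 'Hello World!\n' > "$WORK/msg"
    sign_file "$1" "$WORK/msg" "$WORK/msg.sig" || return 1
    printf 'Hello World?\n' > "$WORK/msg.tampered"
    ! verify_file "$1" "$WORK/msg.tampered" "$WORK/msg.sig"
}

# Negative check (RSA only): a PSS signature must not verify under PKCS#1 v1.5
# padding and vice versa, so the verifier has to be told which padding to expect.
check_padding_mismatch_detected() {
    printf 'Hello World!\n' > "$WORK/msg"
    sign_file pss   "$WORK/msg" "$WORK/msg.sig.pss" || return 1
    sign_file pkcs1 "$WORK/msg" "$WORK/msg.sig"     || return 1
    ! verify_file pkcs1 "$WORK/msg" "$WORK/msg.sig.pss" &&
        ! verify_file pss "$WORK/msg" "$WORK/msg.sig"
}

# In engine mode, confirm OpenSSL can load the pkcs11 engine before blaming keys.
preflight() {
    [ -z "$ENGINE_OPTS" ] && return 0
    openssl engine -t pkcs11 2>/dev/null | grep -q '\[ available \]'
}

# Run every check that applies to a key of type <rsa|ec> at PRIV_KEY/PUB_KEY.
run_checks() { # run_checks <rsa|ec>
    check_roundtrip pkcs1 && check_tamper_detected pkcs1 || return 1
    if [ "$1" = rsa ]; then
        check_roundtrip pss && check_padding_mismatch_detected
    fi
}

if [ -n "$PRIV_KEY" ]; then
    preflight && run_checks "${KEY_TYPE:-rsa}" && echo "all checks passed for $PRIV_KEY"
else
    make_sw_key rsa && run_checks rsa && make_sw_key ec && run_checks ec &&
        echo "all checks passed with software stand-in keys"
fi
```

Run it with no environment set to validate the OpenSSL side on a development host; then export the engine variables shown in the header and re-run on the target so that the same negative checks exercise the TEE-backed keys through libckteec. The padding-mismatch check is the one most worth keeping: a verifier that accepts a PSS signature without being told the padding mode is misconfigured.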