blob: be6ac1da393f4e2b0da061d7fa4a38626a4e872f [file] [log] [blame]
check_encryption() {
diff -b tmp.txt recover.txt || exit 1
rm -f recover.txt
}
echo "This is a message to encrypt" > tmp.txt
# simple encryption to public key using PKCS1.5 padding
openssl rsautl -encrypt -pubin -inkey key-nopass.pub -in tmp.txt -out tmp.msg || exit 1
# simple decrypt random password (token always requires 4+ digit pin)
openssl rsautl -decrypt -engine pkcs11 -keyform engine -inkey 'pkcs11:manufacturer=openssl-pkcs11-export;token=key-nopass;object=key-nopass' -passin pass:random -in tmp.msg -out recover.txt || exit 1
check_encryption
# encrypt to password requiring public key
openssl rsautl -encrypt -pubin -inkey key-pass.pub -in tmp.txt -out tmp.msg || exit 1
# check fail decrypt with wrong password
openssl rsautl -decrypt -engine pkcs11 -keyform engine -inkey 'pkcs11:manufacturer=openssl-pkcs11-export;token=key-pass;object=key-pass' -passin pass:random -in tmp.msg -out recover.txt && exit 1
# check correct decryption with correct password
openssl rsautl -decrypt -engine pkcs11 -keyform engine -inkey 'pkcs11:manufacturer=openssl-pkcs11-export;token=key-pass;object=key-pass' -passin pass:Passw0rd -in tmp.msg -out recover.txt || exit 1
check_encryption
##
# OAEP
##
for hash in sha1 sha224 sha256 sha384 sha512; do
echo "OAEP hash ${hash}"
openssl pkeyutl -encrypt -inkey key-pass.pub -pubin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:${hash} -pkeyopt rsa_mgf1_md:${hash} -in tmp.txt -out tmp.msg || exit 1
openssl pkeyutl -decrypt -engine pkcs11 -keyform engine -inkey 'pkcs11:manufacturer=openssl-pkcs11-export;token=key-pass;object=key-pass' -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:${hash} -pkeyopt rsa_mgf1_md:${hash} -in tmp.msg -out recover.txt -passin pass:Passw0rd || exit 1
check_encryption
done