[5/5] test: Explicitly test pkcs11 crypto provider

Message ID 20251219112215.103862-6-bage@debian.org
State Accepted
Series pkcs11 decrypt provider based on p11-kit

Commit Message

Bastian Germann Dec. 19, 2025, 11:22 a.m. UTC
Using the default crypto provider does not work with the pkcs11
decryption test. Set the right provider.

Signed-off-by: Bastian Germann <bage@debian.org>
---
 test/test_crypt_pkcs11.c | 1 +
 1 file changed, 1 insertion(+)

Comments

ayoub...@googlemail.com Dec. 19, 2025, 1:39 p.m. UTC | #1
The problem is in WolfSSL:

I raised an issue a while ago but it is still open:
https://github.com/wolfSSL/wolfssl/issues/8250

To reimplement the decryption in Swupdate to overcome the WolfSSL PKCS11 
decryption problem I find it a bit wild.




On Friday, December 19, 2025 at 12:22:26 PM UTC+1 Bastian Germann wrote:

> Using the default crypto provider does not work with the pkcs11
> decryption test. Set the right provider.
>
> Signed-off-by: Bastian Germann <ba...@debian.org>
> ---
> test/test_crypt_pkcs11.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/test/test_crypt_pkcs11.c b/test/test_crypt_pkcs11.c
> index 94ed92a8..f7b851ef 100644
> --- a/test/test_crypt_pkcs11.c
> +++ b/test/test_crypt_pkcs11.c
> @@ -61,6 +61,7 @@ static void test_crypt_pkcs11_256(void **state)
>
> unsigned char buffer[BUFFER_SIZE + AES_BLK_SIZE];
>
> + set_cryptolib("pkcs11");
> struct swupdate_digest *dgst = swupdate_DECRYPT_init((unsigned char *)uri, 
> 0, &iv[0], AES_CBC_256);
> assert_non_null(dgst);
>
>
Stefano Babic Jan. 11, 2026, 10:15 a.m. UTC | #2
Hi Ayoub,

On 12/19/25 14:39, 'ayoub...@googlemail.com' via swupdate wrote:
> The problem is in WolfSSL:
> 
> I raised an issue a while ago but it is still open:
> https://github.com/wolfSSL/wolfssl/issues/8250
> 
> To reimplement the decryption in Swupdate to overcome the WolfSSL PKCS11 
> decryption problem I find it a bit wild.

IMHO a bad thing in the previous implementation, which we had in SWUpdate 
for a very long time, was that PKCS#11 was bound to WolfSSL, and that 
makes no sense. We can have PKCS#11 with other providers, too, and so 
I agree to remove the dependency independently of the issue you report 
above.

Best regards,
Stefano

> 
> 
> 
> 
> On Friday, December 19, 2025 at 12:22:26 PM UTC+1 Bastian Germann wrote:
> 
>     Using the default crypto provider does not work with the pkcs11
>     decryption test. Set the right provider.
> 
>     Signed-off-by: Bastian Germann <ba...@debian.org>
>     ---
>     test/test_crypt_pkcs11.c | 1 +
>     1 file changed, 1 insertion(+)
> 
>     diff --git a/test/test_crypt_pkcs11.c b/test/test_crypt_pkcs11.c
>     index 94ed92a8..f7b851ef 100644
>     --- a/test/test_crypt_pkcs11.c
>     +++ b/test/test_crypt_pkcs11.c
>     @@ -61,6 +61,7 @@ static void test_crypt_pkcs11_256(void **state)
> 
>     unsigned char buffer[BUFFER_SIZE + AES_BLK_SIZE];
> 
>     + set_cryptolib("pkcs11");
>     struct swupdate_digest *dgst = swupdate_DECRYPT_init((unsigned char
>     *)uri, 0, &iv[0], AES_CBC_256);
>     assert_non_null(dgst);
> 
Patch

diff --git a/test/test_crypt_pkcs11.c b/test/test_crypt_pkcs11.c
index 94ed92a8..f7b851ef 100644
--- a/test/test_crypt_pkcs11.c
+++ b/test/test_crypt_pkcs11.c
@@ -61,6 +61,7 @@  static void test_crypt_pkcs11_256(void **state)
 
 	unsigned char buffer[BUFFER_SIZE + AES_BLK_SIZE];
 
+	set_cryptolib("pkcs11");
 	struct swupdate_digest *dgst = swupdate_DECRYPT_init((unsigned char *)uri, 0, &iv[0], AES_CBC_256);
 	assert_non_null(dgst);
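
Review bot: The result of the added set_cryptolib("pkcs11") call in test_crypt_pkcs11_256 is discarded, so if the pkcs11 provider cannot be selected the test only fails later at assert_non_null(dgst), with nothing pointing at provider selection as the cause. If set_cryptolib reports success or failure, assert on it right at the call. The call also sits between the buffer declaration and the dgst declaration; placing it after the declarations, or in a setup fixture if the selection is process-wide and other tests expect the default provider, would be cleaner. A one-line comment noting that the default provider does not work for this test would record why the call is there.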