def test_engine_pss_sign(self, tmp_path):

        e = engine.engine_init("pkcs11", [("PIN", PIN)])

        alias = RSA_PKCS11_URL

        pkey = engine.engine_load_private_key(e, alias)
        pubkey = engine.engine_load_public_key(e, alias)

        data = os.urandom(1048576)
        p = tmp_path / "test_pss_sign_data"
        p.write_bytes(data)

        for k in ("sha256:64", "sha384:-1", "sha512:-2"):
            k, pss_saltlen = k.split(":")
            pss_saltlen = int(pss_saltlen)

            sig = engine.engine_sign(
                pkey._evp_pkey,
                data,
                algorithm=k,
                padding=(engine.RSAPadding.RSA_PKCS1_PSS_PADDING, pss_saltlen),
            )
            assert len(sig) in (128, 256, 384, 512)

            p_sig = tmp_path / f"test_pss_sign_sig-{k}"
            p_sig.write_bytes(sig)

            proc = subprocess.run(
                [
                    "openssl",
                    "dgst",
                    f"-{k}",
                    "-engine",
                    "pkcs11",
                    "-keyform",
                    "engine",
                    "-verify",
                    alias,
                    "-sigopt",
                    "rsa_padding_mode:pss",
                    "-signature",
                    f"{p_sig}",
                    f"{p}"
                ]
            )

            assert proc.returncode == 0

            engine.engine_verify(
                pubkey._evp_pkey,
                sig,
                data,
                algorithm=k,
                padding=(engine.RSAPadding.RSA_PKCS1_PSS_PADDING, pss_saltlen),
            )

        engine.engine_finish(e)
    def test_engine_load(self):

        e = engine.engine_init("pkcs11", [("PIN", PIN)])
        alias = RSA_PKCS11_URL

        pkey = engine.engine_load_private_key(e, alias)
        pubkey = engine.engine_load_public_key(e, alias)

        engine.engine_finish(e)
    def test_pss_sign(self, tmp_path):

        e = engine.engine_init("pkcs11", [("PIN", PIN)])

        alias = RSA_PKCS11_URL

        pkey = engine.engine_load_private_key(e, alias)
        pubkey = engine.engine_load_public_key(e, alias)

        data = b"\x00" * 8192
        p = tmp_path / "test_pss_sign_data"
        p.write_bytes(data)

        for k in ("sha256:222", "sha256:96", "sha384:206", "sha512:64"):

            k, saltlen = k.split(":")

            padding = engine.engine_padding_pss(k, int(saltlen))
            sig = pkey.sign(data, padding, engine.engine_hashes(k))
            assert len(sig) in (128, 256, 384, 512)

            p_sig = tmp_path / "test_pss_sign_sig"
            p_sig.write_bytes(sig)

            proc = subprocess.run(
                [
                    "openssl",
                    "dgst",
                    f"-{k}",
                    "-engine",
                    "pkcs11",
                    "-keyform",
                    "engine",
                    "-verify",
                    alias,
                    "-sigopt",
                    "rsa_padding_mode:pss",
                    "-signature",
                    f"{p_sig}",
                    f"{p}",
                ]
            )

            assert proc.returncode == 0

            pubkey.verify(sig, data, padding, engine.engine_hashes(k))

        engine.engine_finish(e)
    def test_rsa_sign(self, tmp_path):

        e = engine.engine_init("pkcs11", [("PIN", PIN)])

        alias = RSA_PKCS11_URL

        pkey = engine.engine_load_private_key(e, alias)
        pubkey = engine.engine_load_public_key(e, alias)

        data = b"\x00" * 8192
        p = tmp_path / "test_sign_data"
        p.write_bytes(data)

        for k in ("sha1", "sha256", "sha384", "sha512"):

            sig = pkey.sign(
                data, engine.engine_padding_pkcs1(), engine.engine_hashes(k)
            )
            assert len(sig) in (128, 256, 384, 512)

            p_sig = tmp_path / "test_sign_sig"
            p_sig.write_bytes(sig)

            proc = subprocess.run(
                [
                    "openssl",
                    "dgst",
                    f"-{k}",
                    "-engine",
                    "pkcs11",
                    "-keyform",
                    "engine",
                    "-verify",
                    alias,
                    "-signature",
                    f"{p_sig}",
                    f"{p}",
                ]
            )

            assert proc.returncode == 0

            pubkey.verify(
                sig, data, engine.engine_padding_pkcs1(), engine.engine_hashes(k)
            )

        engine.engine_finish(e)
    def test_engine_encrypt(self, tmp_path):

        e = engine.engine_init("pkcs11", [("PIN", PIN)])

        alias = RSA_PKCS11_URL

        pkey = engine.engine_load_private_key(e, alias)
        pubkey = engine.engine_load_public_key(e, alias)

        data = os.urandom(128)
        p = tmp_path / "test_encrypt_data"
        p.write_bytes(data)

        out = engine.engine_encrypt(pubkey._evp_pkey, data, (1,))
        ciphered = tmp_path / "test_encrypt_ciphertext"
        ciphered.write_bytes(out)
        plaintext = tmp_path / "test_encrypt_plaintext"

        proc = subprocess.run(
            [
                "openssl",
                "pkeyutl",
                "-decrypt",
                "-in",
                f"{ciphered}",
                "-out",
                f"{plaintext}",
                "-engine",
                "pkcs11",
                "-keyform",
                "engine",
                "-inkey",
                RSA_PKCS11_URL,
            ]
        )

        assert proc.returncode == 0
        recover = engine.engine_decrypt(
            pkey._evp_pkey, out, (engine.RSAPadding.RSA_PKCS1_PADDING,)
        )
        assert data == recover

        out = engine.engine_encrypt(
            pubkey._evp_pkey,
            data,
            padding=(engine.RSAPadding.RSA_PKCS1_OAEP_PADDING, "sha256", "sha256"),
        )
        ciphered = tmp_path / "test_encrypt_cipheroaep"
        ciphered.write_bytes(out)
        plaintext = tmp_path / "test_encrypt_plainoaep"

        proc = subprocess.run(
            [
                "openssl",
                "pkeyutl",
                "-decrypt",
                "-in",
                f"{ciphered}",
                "-out",
                f"{plaintext}",
                "-engine",
                "pkcs11",
                "-keyform",
                "engine",
                "-pkeyopt",
                "rsa_padding_mode:oaep",
                "-pkeyopt",
                "rsa_mgf1_md:sha256",
                "-pkeyopt",
                "rsa_oaep_md:sha256",
                "-inkey",
                RSA_PKCS11_URL,
            ]
        )

        assert proc.returncode == 0
        recover = engine.engine_decrypt(
            pkey._evp_pkey,
            out,
            (engine.RSAPadding.RSA_PKCS1_OAEP_PADDING, "sha256", "sha256"),
        )
        assert data == recover

        engine.engine_finish(e)