Sundry fixes

src/keymgmt.c

@@ -690,7 +690,8 @@ static void *p11prov_rsa_new(void *provctx)
     }
 
     return p11prov_obj_new(provctx, CK_UNAVAILABLE_INFORMATION,
-                           CK_INVALID_HANDLE, CK_UNAVAILABLE_INFORMATION);
+                           CK_P11PROV_IMPORTED_HANDLE,
+                           CK_UNAVAILABLE_INFORMATION);
 }
 
 static void p11prov_rsa_free(void *key)

src/objects.c

@@ -3292,6 +3292,8 @@ static CK_RV p11prov_obj_store_public_key(P11PROV_OBJ *key)
 {
     int rv;
 
+    P11PROV_debug("Store imported public key=%p", key);
+
     if (key->class != CKO_PUBLIC_KEY) {
         P11PROV_raise(key->ctx, CKR_OBJECT_HANDLE_INVALID, "Invalid key type");
         return CKR_OBJECT_HANDLE_INVALID;
@@ -3313,6 +3315,12 @@ static CK_RV p11prov_obj_store_public_key(P11PROV_OBJ *key)
         rv = CKR_GENERAL_ERROR;
     }
 
+    if (rv == CKR_OK) {
+        /* this is a real object now, add it to the pool, but do not
+         * fail if the operation goes haywire for some reason */
+        (void)obj_add_to_pool(key);
+    }
+
     return rv;
 }
 

tests/timported

@@ -7,7 +7,7 @@ source "${TESTSSRCDIR}/helpers.sh"
 
 title PARA "Test imported key in token session"
 
-title LINE "Generate keypair in files"
+title LINE "Generate EC keypair in files"
 # older versions of openssl don't support -outpubkey ...
 #ossl 'genpkey -algorithm EC -out ${TMPPDIR}/file.ec.key.pem
 #              -pkeyopt ec_paramgen_curve:P-256
@@ -19,24 +19,50 @@ ossl 'genpkey -algorithm EC -out ${TMPPDIR}/file.ec.key.pem
 ossl 'pkey -in ${TMPPDIR}/file.ec.key.pem
            -pubout -out ${TMPPDIR}/file.ec.pub.key.pem'
 
+title LINE "Generate RSA keypair in files"
+# older versions of openssl don't support -outpubkey ...
+# .. so we'll use two steps
+ossl 'genpkey -algorithm RSA -out ${TMPPDIR}/file.rsa.key.pem
+              -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3'
+ossl 'pkey -in ${TMPPDIR}/file.rsa.key.pem
+           -pubout -out ${TMPPDIR}/file.rsa.pub.key.pem'
+
 #After key generation force all operations to happen on the token
 ORIG_OPENSSL_CONF=${OPENSSL_CONF}
 sed -e "s/#MORECONF/alg_section = algorithm_sec\n\n[algorithm_sec]\ndefault_properties = ?provider=pkcs11/" \
     "${OPENSSL_CONF}" > "${OPENSSL_CONF}.forcetoken"
 OPENSSL_CONF=${OPENSSL_CONF}.forcetoken
 
-title LINE "Test Signing with private key imported from file"
+title LINE "Test Signing with private EC key imported from file"
 ossl 'pkeyutl -sign
               -inkey ${TMPPDIR}/file.ec.key.pem
               -in ${TMPPDIR}/sha256.bin
               -out ${TMPPDIR}/file.ec.sig.bin'
 
-title LINE "Test Verifying with public key imported from file"
+title LINE "Test Verifying with public EC key imported from file"
 ossl 'pkeyutl -verify -pubin
               -inkey ${TMPPDIR}/file.ec.pub.key.pem
               -sigfile ${TMPPDIR}/file.ec.sig.bin
               -in ${TMPPDIR}/sha256.bin'
 
+#After key generation force all operations to happen on the token
+ORIG_OPENSSL_CONF=${OPENSSL_CONF}
+sed -e "s/#MORECONF/alg_section = algorithm_sec\n\n[algorithm_sec]\ndefault_properties = ?provider=pkcs11/" \
+    "${OPENSSL_CONF}" > "${OPENSSL_CONF}.forcetoken"
+OPENSSL_CONF=${OPENSSL_CONF}.forcetoken
+
+title LINE "Test Signing with private RSA key imported from file"
+ossl 'pkeyutl -sign
+              -inkey ${TMPPDIR}/file.rsa.key.pem
+              -in ${TMPPDIR}/sha256.bin
+              -out ${TMPPDIR}/file.rsa.sig.bin'
+
+title LINE "Test Verifying with public RSA key imported from file"
+ossl 'pkeyutl -verify -pubin
+              -inkey ${TMPPDIR}/file.rsa.pub.key.pem
+              -sigfile ${TMPPDIR}/file.rsa.sig.bin
+              -in ${TMPPDIR}/sha256.bin'
+
 OPENSSL_CONF=${ORIG_OPENSSL_CONF}
 
 exit 0

tests/ttls

@@ -42,20 +42,29 @@ run_test() {
         set timeout 60;
         expect {
             \"ACCEPT\" {};
-            default {exit 1;};
+            default {
+                send \" NO ACCEPT \n\";
+                exit 1;
+            };
         }
         set server_ready [open \"${TMPPDIR}/s_server_ready\" w+];
         puts \$server_ready \"READY\n\";
         close \$server_ready;
         expect {
             \"END SSL SESSION PARAMETERS\" {};
-            default {exit 1;};
+            default {
+                send \" NO SESSION PARAMETERS \n\";
+                exit 1;
+            };
         }
         send \" TLS SUCCESSFUL \n\"
         send \"Q\n\"
         expect {
             eof {exit 0;};
-            default {exit 1;};
+            default {
+                send \" NO EOF \n\";
+                exit 1;
+            };
         }" > "${TMPPDIR}/s_server_output" &
     SERVER_PID=$!
 
@@ -65,11 +74,17 @@ run_test() {
         set timeout 60;
         expect {
             \" TLS SUCCESSFUL \" {};
-            default {exit 1;};
+            default {
+                send \" NO TLS SUCCESSFUL MESSAGE \n\";
+                exit 1;
+            };
         }
         expect {
             eof {exit 0;};
-            default {exit 1;};
+            default {
+                send \" NO EOF \n\";
+                exit 1;
+            };
         }"
 
     wait_for_server_at_exit $SERVER_PID

tests/util.c

@@ -53,7 +53,8 @@ EVP_PKEY *load_key(const char *uri)
         exit(EXIT_FAILURE);
     }
 
-    if (strncmp(uri, "pkcs11:", 7) && strstr(uri, "type=private") == NULL) {
+    if ((strncmp(uri, "pkcs11:", 7) == 0)
+        && strstr(uri, "type=private") == NULL) {
         /* This is a workaround for OpenSSL < 3.2.0 where the code fails
          * to correctly source public keys unless explicitly requested
          * via an expect hint */