Conversation
Collaborator
Author
Contributor
There was a problem hiding this comment.
Pull request overview
Adds new integration test coverage for the AZIHSM OpenSSL provider, including a new C++/EVP-based test crate for session-only keys and a Rust/lit-based shell-script suite, plus CI wiring to run them.
Changes:
- Add
provider-testscrate that builds/runs C++ GoogleTest cases exercising the provider via the OpenSSL EVP API. - Add
integration-testscrate to run existing/new CLI-oriented provider tests vialitand bash scripts. - Update CI and xtask tooling to run the new integration suites; adjust RSA-PSS saltlen handling in the provider.
Reviewed changes
Copilot reviewed 60 out of 60 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| xtask/src/main.rs | Registers a new xtask command for integration tests. |
| xtask/src/integration_tests.rs | Adds an xtask to run the integration-tests crate. |
| xtask/src/coverage.rs | Updates workspace coverage invocation to exclude integration-tests. |
| provider-tests/cpp/utils/provider_ctx.hpp | RAII OpenSSL provider/libctx loader used by C++ tests. |
| provider-tests/cpp/utils/ossl_helpers.hpp | OpenSSL smart-pointer helpers for C++ tests. |
| provider-tests/cpp/utils/keygen_helpers.hpp | EC/RSA session key helper routines for C++ EVP tests. |
| provider-tests/cpp/tests.rs | Rust libtest-mimic harness to discover/run the C++ gtests. |
| provider-tests/cpp/smoke_tests.cpp | Basic provider load/name smoke tests. |
| provider-tests/cpp/rsa_session_sign_verify_tests.cpp | RSA session-key sign/verify (PKCS#1 + PSS) tests. |
| provider-tests/cpp/rsa_session_encrypt_decrypt_tests.cpp | RSA session-key OAEP encrypt/decrypt tests. |
| provider-tests/cpp/ecdh_session_keyexch_tests.cpp | ECDH session-key derive tests (buffer + file + negative). |
| provider-tests/cpp/ec_session_sign_verify_tests.cpp | EC session-key sign/verify tests across curves + negatives. |
| provider-tests/cpp/CMakeLists.txt | CMake build for the C++ gtest binary with pinned OpenSSL prefix. |
| provider-tests/build.rs | Cargo build script driving the CMake build of C++ tests. |
| provider-tests/Cargo.toml | Declares the provider-tests crate and its custom test target. |
| plugins/ossl_prov/src/azihsm_ossl_signature_rsa.c | Extends RSA-PSS saltlen handling to cover “auto”. |
| integration-tests/testfiles/rsa/verify/verify_wrong_key.sh | Adds RSA wrong-key verification negative case. |
| integration-tests/testfiles/rsa/verify/verify_negative_tampered_data.sh | Adds RSA tampered-data verification negative case. |
| integration-tests/testfiles/rsa/verify/verify.sh | RSA verify script under provider CLI tests. |
| integration-tests/testfiles/rsa/sign/sign.sh | RSA sign script under provider CLI tests. |
| integration-tests/testfiles/rsa/rsa_pss_default_padding/round_trip.sh | RSA-PSS default-padding round trip script. |
| integration-tests/testfiles/rsa/rsa-pss-specific/verify.sh | RSA-PSS specific-parameter verify script. |
| integration-tests/testfiles/rsa/rsa-pss-specific/sign.sh | RSA-PSS specific-parameter sign script. |
| integration-tests/testfiles/rsa/round_trip/round_trip.sh | RSA sign/verify round trip script. |
| integration-tests/testfiles/rsa/pkcs1_encryption/pkcs1_encryption.sh | RSA PKCS#1 encryption/decryption script. |
| integration-tests/testfiles/rsa/oneshot_verify/oneshot_verify.sh | RSA one-shot verify (pkeyutl) script. |
| integration-tests/testfiles/rsa/oneshot_sign/oneshot_sign.sh | RSA one-shot sign (pkeyutl) script. |
| integration-tests/testfiles/rsa/oneshot_round_trip/oneshot_round_trip.sh | RSA one-shot sign+verify round trip script. |
| integration-tests/testfiles/rsa/oaep_encryption/oaep_encryption.sh | RSA OAEP encryption/decryption script. |
| integration-tests/testfiles/rsa/import_key/import_key_negative_invalid_path.sh | RSA import negative test for missing input key file. |
| integration-tests/testfiles/rsa/import_key/import_key.sh | RSA import test for masked key creation/loading. |
| integration-tests/testfiles/rsa/default_padding/round_trip.sh | RSA default-padding sign/verify round trip script. |
| integration-tests/testfiles/rsa/certificate/certificate.sh | RSA certificate generation script via provider key. |
| integration-tests/testfiles/env.sh | Shared environment setup for bash-based integration scripts. |
| integration-tests/testfiles/ec/verify/verify_negative_wrong_key.sh | EC wrong-key verification negative case. |
| integration-tests/testfiles/ec/verify/verify_negative_tampered_data.sh | EC tampered-data verification negative case. |
| integration-tests/testfiles/ec/verify/verify.sh | EC verify script under provider CLI tests. |
| integration-tests/testfiles/ec/verify/oneshot_verify.sh | EC one-shot verify (pkeyutl) script. |
| integration-tests/testfiles/ec/sign/sign.sh | EC sign script under provider CLI tests. |
| integration-tests/testfiles/ec/sign/oneshot_sign.sh | EC one-shot sign (pkeyutl) script. |
| integration-tests/testfiles/ec/round_trip/round_trip_import.sh | EC import + sign/verify round trip script. |
| integration-tests/testfiles/ec/round_trip/round_trip.sh | EC sign/verify round trip script. |
| integration-tests/testfiles/ec/import_key_sec1/import_key_sec1.sh | EC SEC1 import script. |
| integration-tests/testfiles/ec/import_key/import_key_negative_invalid_path.sh | EC import negative test for missing input key file. |
| integration-tests/testfiles/ec/import_key/import_key.sh | EC import test for masked key creation/loading. |
| integration-tests/testfiles/ec/hmac/hmac.sh | ECDH→HKDF-derived HMAC compute script. |
| integration-tests/testfiles/ec/hkdf_key_derivation/hmac_key_derivation.sh | HKDF derivation for HMAC key material script. |
| integration-tests/testfiles/ec/hkdf_key_derivation/hkdf_key_derivation.sh | HKDF derivation for AES key material script. |
| integration-tests/testfiles/ec/ecdh_key_exchange/ecdh_key_exchange.sh | ECDH derive-to-file script. |
| integration-tests/testfiles/ec/ecdh_hkdf_hmac_roundtrip/ecdh_hkdf_hmac_roundtrip.sh | ECDH→HKDF→HMAC round trip script. |
| integration-tests/testfiles/ec/create_key/create_key_negative.sh | EC create-key negative (invalid curve) script. |
| integration-tests/testfiles/ec/create_key/create_key.sh | EC create-key script with session/usage variations. |
| integration-tests/testfiles/ec/certificate/certificate.sh | EC certificate generation script via provider key. |
| integration-tests/testfiles/digest/digest.sh | Digest correctness script vs default provider. |
| integration-tests/src/lib.rs | Rust test runner invoking lit across script directories/variants. |
| integration-tests/Cargo.toml | Declares the integration-tests crate and dependencies. |
| integration-tests/.gitignore | Ignores integration test artifacts produced by scripts. |
| Cargo.toml | Adds integration-tests and provider-tests to the workspace. |
| .github/workflows/rust.yml | Adds a CI job to build OpenSSL/provider and run both integration suites. |
| .cargo/audit.toml | Ignores specific RustSec advisories for test-only transitive deps. |
plugins/ossl_prov/integration-tests/openssl-capi/cpp/algo/rsa/enc_dec_tests.cpp
Show resolved
Hide resolved
plugins/ossl_prov/integration-tests/openssl-capi/cpp/utils/keygen_helpers.hpp
Show resolved
Hide resolved
plugins/ossl_prov/integration-tests/openssl-capi/cpp/algo/ec/keyexch_tests.cpp
Show resolved
Hide resolved
jenstopp
force-pushed
the
test/api-integration-test
branch
from
c068c98 to
a80f71d
Compare
plugins/ossl_prov/integration-tests/openssl-capi/cpp/algo/ec/keyexch_tests.cpp
Show resolved
Hide resolved
plugins/ossl_prov/integration-tests/openssl-cli/src/openssl_cli_tests.rs
Show resolved
Hide resolved
plugins/ossl_prov/integration-tests/openssl-capi/cpp/utils/keygen_helpers.hpp
Show resolved
Hide resolved
plugins/ossl_prov/integration-tests/openssl-capi/cpp/algo/rsa/enc_dec_tests.cpp
Show resolved
Hide resolved
plugins/ossl_prov/integration-tests/openssl-capi/cpp/capi_gtest_runner.rs
Show resolved
Hide resolved
jenstopp
force-pushed
the
test/api-integration-test
branch
from
a37f841 to
201b89b
Compare
plugins/ossl_prov/integration-tests/openssl-capi/cpp/utils/provider_ctx.hpp
Show resolved
Hide resolved
plugins/ossl_prov/integration-tests/openssl-capi/cpp/capi_gtest_runner.rs
Show resolved
Hide resolved
rajesh-gali
reviewed
Mar 10, 2026
Contributor
There was a problem hiding this comment.
I think we should move the tests to plugins/ossl_prov , as integration tests are specific to openssl provider
rajesh-gali
reviewed
Mar 10, 2026
Contributor
There was a problem hiding this comment.
Tests are covering only ECC and RSA, missing other supported cryptographic algos
rajesh-gali
requested changes
Mar 10, 2026
rajesh-gali
requested changes
Mar 10, 2026
Contributor
rajesh-gali
left a comment
rajesh-gali
left a comment
There was a problem hiding this comment.
please update readme with instructions to run the tests
rajesh-gali
reviewed
Mar 10, 2026
|
|
||
| - name: Run C API integration tests | ||
| env: | ||
| OPENSSL_DIR: /opt/openssl-3.0.3 |
Contributor
There was a problem hiding this comment.
Openssl installation instructions in readme is different than ci.
Readme : OPENSSL_VERSION=3.0.16
Installation path is : OPENSSL_DIR=/opt/openssl-static
Collaborator
Author
There was a problem hiding this comment.
Yep, README is outdated. Using 3.0.3 for quite some time now.
I added the fix in the README in #243
Add a provider-tests crate that exercises the azihsm provider through the OpenSSL EVP API (not the CLI tool), enabling testing of session-based keys that cannot be tested via the command line. Tests added: - SmokeTest: provider loads and reports correct name - EC session key sign/verify round trip (P-256, P-384, P-521) - RSA session key sign/verify (PKCS#1 v1.5 and PSS padding) - RSA session key encrypt/decrypt (OAEP) - ECDH session key derivation (to buffer and to file) - Negative tests: cross-key failures, tampered data, mismatched curves Signed-off-by: Jens Topp <jens.topp@9elements.com>
Signed-off-by: Jens Topp <jens.topp@9elements.com>
Signed-off-by: Jens Topp <jens.topp@9elements.com>
Signed-off-by: Jens Topp <jens.topp@9elements.com>
Signed-off-by: Jens Topp <jens.topp@9elements.com>
jenstopp
force-pushed
the
test/api-integration-test
branch
from
72458d6 to
63efd74
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add a provider-tests crate that exercises the azihsm provider through
the OpenSSL EVP API (not the CLI tool), enabling testing of session-based
ephemeral keys that cannot be tested via the command line.
Tests added: