#!/bin/bash -e
# Copyright (C) 2024 Simo Sorce <simo@redhat.com>
# SPDX-License-Identifier: Apache-2.0

source "${TESTSSRCDIR}/helpers.sh"

# Run tests only if OpenSSL does have SKEY support
if [[ "${SUPPORT_SKEY}" = "0" ]]; then
    exit 77
fi

ORIG_OPENSSL_CONF=${OPENSSL_CONF}
# We need to force the provider and configure early loading otherwise no
# ciphers are loaded, and operations will fail
sed -e "s/#MORECONF/alg_section = algorithm_sec\n\n[algorithm_sec]\ndefault_properties = ?provider=pkcs11/" \
    -e "s/#pkcs11-module-load-behavior/pkcs11-module-load-behavior = early/" \
    "${OPENSSL_CONF}" > "${OPENSSL_CONF}.ciphers"
OPENSSL_CONF=${OPENSSL_CONF}.ciphers

echo "plaintext" > "${TMPPDIR}/aes128cbc.txt"

RUN_SKEYMGMT_TEST="0"
if [[ "${SUPPORT_SYMMETRIC}" = "1" ]]; then
    # shellcheck disable=SC2089 # Quoted quotes is intentional
    PROP='-propquery "provider=pkcs11"'
    RUN_SKEYMGMT_TEST="1"
else
    if [[ "${OPENSSL_WITH_27483_FIX}" = "1" ]]; then
        RUN_SKEYMGMT_TEST="1"
    fi
fi

title PARA "Test Symmetric Encryption on the token (legacy init)"
ossl 'enc -e -aes128
             -K 0102030405060708090a0b0c0d0e0f10
             -iv 100f0e0d0c0b0a090807060504030201
             -in ${TMPPDIR}/aes128cbc.txt
             -out ${TMPPDIR}/aes128cbc.txt.enc' "${PROP}"

ossl 'enc -d -aes128
             -K 0102030405060708090a0b0c0d0e0f10
             -iv 100f0e0d0c0b0a090807060504030201
             -in ${TMPPDIR}/aes128cbc.txt.enc
             -out ${TMPPDIR}/aes128cbc.txt.dec' "${PROP}"

diff "${TMPPDIR}/aes128cbc.txt" "${TMPPDIR}/aes128cbc.txt.dec"

if [[ "${RUN_SKEYMGMT_TEST}" = "1" ]]; then
title PARA "Test Symmetric Encryption on the token (skey init)"
ossl 'enc -e -aes128 -skeymgmt AES
             -skeyopt hexraw-bytes:0102030405060708090a0b0c0d0e0f10
             -iv 100f0e0d0c0b0a090807060504030201
             -in ${TMPPDIR}/aes128cbc.txt
             -out ${TMPPDIR}/aes128cbc.txt.skey.enc' "${PROP}"

ossl 'enc -d -aes128 -skeymgmt AES
             -skeyopt hexraw-bytes:0102030405060708090a0b0c0d0e0f10
             -iv 100f0e0d0c0b0a090807060504030201
             -in ${TMPPDIR}/aes128cbc.txt.skey.enc
             -out ${TMPPDIR}/aes128cbc.txt.skey.dec' "${PROP}"

diff "${TMPPDIR}/aes128cbc.txt" "${TMPPDIR}/aes128cbc.txt.skey.dec"
fi

title PARA "Test Symmetric Key Generation"
if [[ "${SUPPORT_SYMMETRIC}" = "1" ]]; then
    ossl 'skeyutl -genkey -skeymgmt AES -cipher aes128
                  -skeyopt "pkcs11_uri:pkcs11:id=%55%33\;object=SECRET-SKEY"
                  -skeyopt "pkcs11_ephemeral:0"'
    P11DEFLOGIN=("--login" "--pin=${PINVALUE}")
    ptool -O | grep SECRET-SKEY
else
    FAIL=0
    ossl 'skeyutl -genkey -skeymgmt AES -cipher aes128
                  -skeyopt "pkcs11_uri:pkcs11:id=%55%33\;object=SECRET-SKEY"
                  -skeyopt "pkcs11_ephemeral:0"' || FAIL=1
    if [ $FAIL -eq 0 ]; then
        echo "Skeyutil genkey operation should have failed"
        exit 1
    fi
fi

title PARA "Test Skey HKDF"
FAIL=0
output=$($CHECKER "${TESTBLDDIR}"/tskey-kdf 2>&1) || FAIL=1
if [ $FAIL -ne 0 ]; then
    echo
    echo "Original command output:"
    echo "$output"
    echo
    exit 1
fi

OPENSSL_CONF=${ORIG_OPENSSL_CONF}

exit 0
