Port tests from 25a6aa and accept -output case-insensitively

julek-wolfssl · julek-wolfssl · commit 8295068180f9 · 2026-04-16T21:21:21.000+02:00
Port the regression and argument-handling tests added in merge 25a6aa
across the Python test suite (bench, dgst, enc, genkey-sign-ver, hash,
rsa, CRL-verify, x509-process, x509-req).

The ed25519 signature-size test exercises `-output KEYPAIR`, which the
genkey setup was comparing case-sensitively against "keypair" — the
uppercase form caused an error-path return for ed25519 and silently
worked for other algorithms only because their directiveArg was already
initialized to PRIV_AND_PUB_FILES. OpenSSL treats option values like
`-outform PEM` case-insensitively, and wolfCLU's own help text for
`-output` uses uppercase PUB/PRIV/KEYPAIR, so switch the PUB/PRIV/KEYPAIR
comparisons to XSTRNCASECMP throughout clu_genkey_setup.c.
diff --git a/src/genkey/clu_genkey_setup.c b/src/genkey/clu_genkey_setup.c
@@ -104,13 +104,13 @@ int wolfCLU_genKeySetup(int argc, char** argv)
         ret = wolfCLU_checkForArg("-output", 7, argc, argv);
         if (ret > 0) {
             if (argv[ret+1] != NULL) {
-                if (XSTRNCMP(argv[ret+1], "pub", 3) == 0)
+                if (XSTRNCASECMP(argv[ret+1], "pub", 3) == 0)
                     ret = wolfCLU_genKey_ED25519(&rng, keyOutFName, PUB_ONLY_FILE,
                                                                      formatArg);
-                else if (XSTRNCMP(argv[ret+1], "priv", 4) == 0)
+                else if (XSTRNCASECMP(argv[ret+1], "priv", 4) == 0)
                     ret = wolfCLU_genKey_ED25519(&rng, keyOutFName, PRIV_ONLY_FILE,
                                                                      formatArg);
-                else if (XSTRNCMP(argv[ret+1], "keypair", 7) == 0)
+                else if (XSTRNCASECMP(argv[ret+1], "keypair", 7) == 0)
                     ret = wolfCLU_genKey_ED25519(&rng, keyOutFName,
                                                        PRIV_AND_PUB_FILES, formatArg);
             }
@@ -141,11 +141,11 @@ int wolfCLU_genKeySetup(int argc, char** argv)
         ret = wolfCLU_checkForArg("-output", 7, argc, argv);
         if (ret > 0) {
             if (argv[ret+1] != NULL) {
-                if (XSTRNCMP(argv[ret+1], "pub", 3) == 0)
+                if (XSTRNCASECMP(argv[ret+1], "pub", 3) == 0)
                     directiveArg = PUB_ONLY_FILE;
-                else if (XSTRNCMP(argv[ret+1], "priv", 4) == 0)
+                else if (XSTRNCASECMP(argv[ret+1], "priv", 4) == 0)
                     directiveArg = PRIV_ONLY_FILE;
-                else if (XSTRNCMP(argv[ret+1], "keypair", 7) == 0)
+                else if (XSTRNCASECMP(argv[ret+1], "keypair", 7) == 0)
                     directiveArg = PRIV_AND_PUB_FILES;
             }
         }
@@ -196,11 +196,11 @@ int wolfCLU_genKeySetup(int argc, char** argv)
         ret = wolfCLU_checkForArg("-output", 7, argc, argv);
         if (ret > 0) {
             if (argv[ret+1] != NULL) {
-                if (XSTRNCMP(argv[ret+1], "pub", 3) == 0)
+                if (XSTRNCASECMP(argv[ret+1], "pub", 3) == 0)
                     directiveArg = PUB_ONLY_FILE;
-                else if (XSTRNCMP(argv[ret+1], "priv", 4) == 0)
+                else if (XSTRNCASECMP(argv[ret+1], "priv", 4) == 0)
                     directiveArg = PRIV_ONLY_FILE;
-                else if (XSTRNCMP(argv[ret+1], "keypair", 7) == 0)
+                else if (XSTRNCASECMP(argv[ret+1], "keypair", 7) == 0)
                     directiveArg = PRIV_AND_PUB_FILES;
             }
         }
@@ -320,11 +320,11 @@ int wolfCLU_genKeySetup(int argc, char** argv)
         ret = wolfCLU_checkForArg("-output", 7, argc, argv);
         if (ret > 0) {
             if (argv[ret+1] != NULL) {
-                if (XSTRNCMP(argv[ret+1], "pub", 3) == 0)
+                if (XSTRNCASECMP(argv[ret+1], "pub", 3) == 0)
                     directiveArg = PUB_ONLY_FILE;
-                else if (XSTRNCMP(argv[ret+1], "priv", 4) == 0)
+                else if (XSTRNCASECMP(argv[ret+1], "priv", 4) == 0)
                     directiveArg = PRIV_ONLY_FILE;
-                else if (XSTRNCMP(argv[ret+1], "keypair", 7) == 0)
+                else if (XSTRNCASECMP(argv[ret+1], "keypair", 7) == 0)
                     directiveArg = PRIV_AND_PUB_FILES;
             }
         }
@@ -386,11 +386,11 @@ int wolfCLU_genKeySetup(int argc, char** argv)
         ret = wolfCLU_checkForArg("-output", 7, argc, argv);
         if (ret > 0) {
             if (argv[ret+1] != NULL) {
-                if (XSTRNCMP(argv[ret+1], "pub", 3) == 0)
+                if (XSTRNCASECMP(argv[ret+1], "pub", 3) == 0)
                     directiveArg = PUB_ONLY_FILE;
-                else if (XSTRNCMP(argv[ret+1], "priv", 4) == 0)
+                else if (XSTRNCASECMP(argv[ret+1], "priv", 4) == 0)
                     directiveArg = PRIV_ONLY_FILE;
-                else if (XSTRNCMP(argv[ret+1], "keypair", 7) == 0)
+                else if (XSTRNCASECMP(argv[ret+1], "keypair", 7) == 0)
                     directiveArg = PRIV_AND_PUB_FILES;
             }
         }
@@ -430,11 +430,11 @@ int wolfCLU_genKeySetup(int argc, char** argv)
         ret = wolfCLU_checkForArg("-output", 7, argc, argv);
         if (ret > 0) {
             if (argv[ret+1] != NULL) {
-                if (XSTRNCMP(argv[ret+1], "pub", 3) == 0)
+                if (XSTRNCASECMP(argv[ret+1], "pub", 3) == 0)
                     directiveArg = PUB_ONLY_FILE;
-                else if (XSTRNCMP(argv[ret+1], "priv", 4) == 0)
+                else if (XSTRNCASECMP(argv[ret+1], "priv", 4) == 0)
                     directiveArg = PRIV_ONLY_FILE;
-                else if (XSTRNCMP(argv[ret+1], "keypair", 7) == 0)
+                else if (XSTRNCASECMP(argv[ret+1], "keypair", 7) == 0)
                     directiveArg = PRIV_AND_PUB_FILES;
             }
         }
@@ -590,11 +590,11 @@ int wolfCLU_genKeySetup(int argc, char** argv)
         ret = wolfCLU_checkForArg("-output", 7, argc, argv);
         if (ret > 0) {
             if (argv[ret+1] != NULL) {
-                if (XSTRNCMP(argv[ret+1], "pub", 3) == 0)
+                if (XSTRNCASECMP(argv[ret+1], "pub", 3) == 0)
                     directiveArg = PUB_ONLY_FILE;
-                else if (XSTRNCMP(argv[ret+1], "priv", 4) == 0)
+                else if (XSTRNCASECMP(argv[ret+1], "priv", 4) == 0)
                     directiveArg = PRIV_ONLY_FILE;
-                else if (XSTRNCMP(argv[ret+1], "keypair", 7) == 0)
+                else if (XSTRNCASECMP(argv[ret+1], "keypair", 7) == 0)
                     directiveArg = PRIV_AND_PUB_FILES;
             }
         }
diff --git a/tests/bench/bench-test.py b/tests/bench/bench-test.py
@@ -23,6 +23,15 @@ def test_bench_md5(self):
         result = run_wolfssl("-bench", "md5", "-time", "1")
         self.assertEqual(result.returncode, 0, result.stderr)
 
+    def test_bench_missing_time_value(self):
+        """-time with no value must fail gracefully (no segfault)."""
+        result = run_wolfssl("-bench", "-time")
+        self.assertNotEqual(result.returncode, 0,
+                            "expected failure for missing -time value")
+        self.assertGreaterEqual(result.returncode, 0,
+                                "-bench -time crashed with signal "
+                                "{}".format(result.returncode))
+
 
 if __name__ == "__main__":
     test_main()
diff --git a/tests/dgst/dgst-test.py b/tests/dgst/dgst-test.py
@@ -74,6 +74,25 @@ def test_fail_wrong_digest(self):
                         os.path.join(CERTS_DIR, "server-key.der"))
         self.assertNotEqual(r.returncode, 0)
 
+    def test_dgst_out_roundtrip(self):
+        """dgst -out creates the signature file; -signature round-trips."""
+        sig_file = "dgst-out-test.sig"
+        self.addCleanup(lambda: os.remove(sig_file)
+                        if os.path.exists(sig_file) else None)
+        input_file = os.path.join(CERTS_DIR, "server-key.der")
+
+        r = run_wolfssl("dgst", "-sha256", "-sign",
+                        os.path.join(CERTS_DIR, "server-key.pem"),
+                        "-out", sig_file, input_file)
+        self.assertEqual(r.returncode, 0, r.stderr)
+        self.assertTrue(os.path.isfile(sig_file),
+                        "dgst -out did not create output file")
+
+        r = run_wolfssl("dgst", "-sha256", "-verify",
+                        os.path.join(CERTS_DIR, "server-keyPub.pem"),
+                        "-signature", sig_file, input_file)
+        self.assertEqual(r.returncode, 0, r.stderr)
+
 
 class DgstLargeFileTest(unittest.TestCase):
 
diff --git a/tests/encrypt/enc-test.py b/tests/encrypt/enc-test.py
@@ -130,6 +130,23 @@ def test_small_file(self):
         self.assertTrue(filecmp.cmp(small, dec, shallow=False),
                         "small file decryption mismatch")
 
+    def test_explicit_hex_key_iv(self):
+        """Regression: explicit --key/--iv hex strings must be copied correctly."""
+        src = "enc_hex_test.txt"
+        enc = "enc_hex_test.enc"
+        self._cleanup(src, enc)
+
+        with open(src, "w") as f:
+            f.write("testing explicit hex IV and key\n")
+
+        r = run_wolfssl("enc", "-aes-128-cbc", "-nosalt",
+                        "-in", src, "-out", enc,
+                        "--key", "00112233445566778899aabbccddeeff",
+                        "--iv", "00112233445566778899aabb0011aab7")
+        self.assertEqual(r.returncode, 0,
+                         "encrypt with explicit hex key/iv failed: "
+                         "{}".format(r.stderr))
+
 
 class EncInteropTest(unittest.TestCase):
     """Test interoperability with OpenSSL (skipped if openssl not available)."""
diff --git a/tests/genkey_sign_ver/genkey-sign-ver-test.py b/tests/genkey_sign_ver/genkey-sign-ver-test.py
@@ -135,6 +135,18 @@ def test_ed25519_pem(self):
     def test_ed25519_raw(self):
         self._gen_sign_verify("ed25519", "edkey", "ed-signed.sig", "raw")
 
+    def test_ed25519_signature_size(self):
+        """ED25519 signatures must be exactly 64 bytes."""
+        priv, pub = self._genkey("ed25519", "edkey-sztest", "der",
+                                 use_output_flag=True)
+        sig_file = "ed-sz-test.sig"
+        self._sign("ed25519", priv, "der", sig_file)
+
+        sig_size = os.path.getsize(sig_file)
+        self.assertEqual(sig_size, 64,
+                         "ED25519 signature size is {}, expected 64".format(
+                             sig_size))
+
 
 class EccTest(_GenkeySignVerifyBase):
 
@@ -160,6 +172,55 @@ def test_ecc_der(self):
     def test_ecc_pem(self):
         self._gen_sign_verify("ecc", "ecckey", "ecc-signed.sig", "pem")
 
+    def test_ecc_der_key_size_and_roundtrip(self):
+        """Regression: ECC DER private key must be reasonably sized, and the
+        full sign/verify round-trip must succeed on the generated keypair."""
+        priv, pub = self._genkey("ecc", "ecc-rt-test", "der",
+                                 use_output_flag=True)
+
+        key_size = os.path.getsize(priv)
+        self.assertLessEqual(key_size, 256,
+                             "ECC DER private key too large ({} bytes), "
+                             "may contain trailing garbage".format(key_size))
+
+        data_file = "ecc-rt-data.txt"
+        sig_file = "ecc-rt-test.sig"
+        self._track(data_file, sig_file)
+        with open(data_file, "w") as f:
+            f.write("ECC round trip test data\n")
+
+        r = run_wolfssl("-ecc", "-sign", "-inkey", priv, "-inform", "der",
+                        "-in", data_file, "-out", sig_file)
+        self.assertEqual(r.returncode, 0,
+                         "ECC sign round-trip failed: {}".format(r.stderr))
+
+        r = run_wolfssl("-ecc", "-verify", "-inkey", pub, "-pubin",
+                        "-inform", "der", "-sigfile", sig_file,
+                        "-in", data_file)
+        self.assertEqual(r.returncode, 0,
+                         "ECC verify round-trip failed: {}".format(r.stderr))
+
+    def test_ecc_sign_invalid_key_fails(self):
+        """Signing with an empty key file must fail gracefully."""
+        bad_key = "bad-ecc-key.der"
+        bad_sig = "bad-ecc-sign.sig"
+        self._track(bad_key, bad_sig)
+        open(bad_key, "wb").close()
+
+        r = run_wolfssl("-ecc", "-sign", "-inkey", bad_key, "-inform", "der",
+                        "-in", self.SIGN_FILE, "-out", bad_sig)
+        self.assertNotEqual(r.returncode, 0,
+                            "ECC signing with empty key should have failed")
+
+    def test_ecc_sign_missing_inkey_value(self):
+        """-inkey with no value must fail gracefully (no segfault)."""
+        r = run_wolfssl("-ecc", "-sign", "-inkey")
+        self.assertNotEqual(r.returncode, 0,
+                            "expected failure for missing -inkey value")
+        self.assertGreaterEqual(r.returncode, 0,
+                                "-inkey without value crashed with signal "
+                                "{}".format(r.returncode))
+
 
 class RsaTest(_GenkeySignVerifyBase):
 
@@ -197,6 +258,18 @@ def test_rsa_exponent_flag(self):
         self.assertEqual(r.returncode, 0,
                          f"rsa genkey with -exponent failed: {r.stderr}")
 
+    def test_rsa_sign_invalid_key_fails(self):
+        """RSA signing with an empty key file must fail gracefully."""
+        bad_key = "bad-rsa-key.der"
+        bad_sig = "bad-rsa-sign.sig"
+        self._track(bad_key, bad_sig)
+        open(bad_key, "wb").close()
+
+        r = run_wolfssl("-rsa", "-sign", "-inkey", bad_key, "-inform", "der",
+                        "-in", self.SIGN_FILE, "-out", bad_sig)
+        self.assertNotEqual(r.returncode, 0,
+                            "RSA signing with empty key should have failed")
+
 
 @unittest.skipUnless(_has_algorithm("dilithium"),
                      "dilithium not available")
@@ -252,6 +325,18 @@ def test_sign_bad_path(self):
         self.assertNotEqual(r.returncode, 0,
                             "sign to invalid path should have failed")
 
+    def test_sign_nonexistent_key_fails(self):
+        """Dilithium sign with nonexistent key file must fail gracefully."""
+        bad_sig = "bad-dil.sig"
+        self._track(bad_sig)
+        r = run_wolfssl("-dilithium", "-sign",
+                        "-inkey", os.path.join("nonexistent_dir", "key.priv"),
+                        "-inform", "der", "-in", self.SIGN_FILE,
+                        "-out", bad_sig)
+        self.assertNotEqual(r.returncode, 0,
+                            "Dilithium sign with nonexistent key should have "
+                            "failed")
+
 
 @unittest.skipUnless(_has_algorithm("xmss"), "xmss not available")
 class XmssTest(_GenkeySignVerifyBase):
@@ -264,6 +349,17 @@ def test_xmss_raw(self):
             extra_genkey_args=["-height", "10"],
             skip_priv_verify=True, use_output_flag=True)
 
+    def test_xmss_missing_height_value(self):
+        """-height with no value must fail gracefully (no crash)."""
+        self._track("xmss-bad.priv", "xmss-bad.pub")
+        r = run_wolfssl("-genkey", "xmss", "-out", "xmss-bad",
+                        "-outform", "raw", "-output", "KEYPAIR", "-height")
+        self.assertNotEqual(r.returncode, 0,
+                            "expected failure for missing -height value")
+        self.assertGreaterEqual(r.returncode, 0,
+                                "-height without value crashed with signal "
+                                "{}".format(r.returncode))
+
 
 if __name__ == "__main__":
     test_main()
diff --git a/tests/hash/hash-test.py b/tests/hash/hash-test.py
@@ -88,5 +88,18 @@ def test_sha512(self):
         self.assertEqual(r.stdout.strip(), _read_expected("sha512-expect.hex"))
 
 
+class HashArgErrorTest(unittest.TestCase):
+    """Argument-handling regression tests."""
+
+    def test_missing_in_value(self):
+        """-in with no value must fail gracefully (no segfault)."""
+        r = run_wolfssl("-hash", "sha256", "-in")
+        self.assertNotEqual(r.returncode, 0,
+                            "expected failure for missing -in value")
+        self.assertGreaterEqual(r.returncode, 0,
+                                "-in without value crashed with signal "
+                                "{}".format(r.returncode))
+
+
 if __name__ == "__main__":
     test_main()
diff --git a/tests/pkey/rsa-test.py b/tests/pkey/rsa-test.py
@@ -3,11 +3,12 @@
 
 import filecmp
 import os
+import subprocess
 import sys
 import unittest
 
 sys.path.insert(0, os.path.join(os.path.dirname(__file__), ".."))
-from wolfclu_test import CERTS_DIR, run_wolfssl, test_main
+from wolfclu_test import CERTS_DIR, WOLFSSL_BIN, run_wolfssl, test_main
 
 RSA_PUBKEY_PEM = """\
 -----BEGIN PUBLIC KEY-----
@@ -138,6 +139,23 @@ def test_modulus_noout(self):
         self.assertIn("Modulus", r.stdout)
         self.assertNotIn("BEGIN", r.stdout)
 
+    def test_invalid_outform_error_message(self):
+        """Invalid -outform value must produce an outform-related error.
+
+        When the output is redirected to a file/pipe the command may also
+        emit the raw key bytes on stdout, so capture everything as bytes
+        and search the combined output for a human-readable error mention.
+        """
+        r = subprocess.run(
+            [WOLFSSL_BIN, "rsa", "-in",
+             os.path.join(CERTS_DIR, "server-key.pem"),
+             "-outform", "INVALID"],
+            capture_output=True, stdin=subprocess.DEVNULL, timeout=60)
+        combined = (r.stdout + r.stderr).lower()
+        self.assertIn(b"outform", combined,
+                      "Expected 'outform' in error output, got: {!r}".format(
+                          combined[:200]))
+
 
 if __name__ == "__main__":
     test_main()
diff --git a/tests/x509/CRL-verify-test.py b/tests/x509/CRL-verify-test.py
@@ -140,6 +140,15 @@ def test_crl_fail_no_output_file(self):
         self.assertFalse(os.path.isfile(out),
                          "output file should not be created on failure")
 
+    def test_crl_invalid_outform_error_message(self):
+        """Invalid -outform value must produce an outform-related error."""
+        r = run_wolfssl("crl", "-in", os.path.join(CERTS_DIR, "crl.pem"),
+                        "-outform", "INVALID")
+        combined = (r.stdout + r.stderr).lower()
+        self.assertIn("outform", combined,
+                      "Expected 'outform' in error output, got: {}".format(
+                          combined))
+
 
 class TestCRLText(unittest.TestCase):
     """CRL -text output tests."""
diff --git a/tests/x509/x509-process-test.py b/tests/x509/x509-process-test.py
@@ -504,5 +504,19 @@ def test_4f_nonexistent_file_pem(self):
         self.assertNotEqual(r.returncode, 0)
 
 
+class TestX509ModulusNoout(unittest.TestCase):
+    """Regression: x509 -modulus -noout must not crash."""
+
+    def test_modulus_noout(self):
+        r = run_wolfssl("x509", "-in",
+                        os.path.join(CERTS_DIR, "server-cert.pem"),
+                        "-modulus", "-noout")
+        self.assertEqual(r.returncode, 0,
+                         "x509 -modulus -noout failed: {}".format(r.stderr))
+        self.assertGreaterEqual(r.returncode, 0,
+                                "x509 -modulus -noout crashed with signal "
+                                "{}".format(r.returncode))
+
+
 if __name__ == "__main__":
     test_main()
diff --git a/tests/x509/x509-req-test.py b/tests/x509/x509-req-test.py
