Log of Meson test suite run on 2025-02-20T13:55:16.907410

Inherited environment: SHELL=/bin/bash __INTERNAL_RPM_ASSERTED_PACKAGES=' pkcs11-provider' __INTERNAL_PERSISTENT_DATA=/var/tmp/beakerlib-1763197003/PersistentData __INTERNAL_PHASES_FAILED=0 BEAKERLIB_LIBRARY_PATH=/mnt/tests/CoreOS/pkcs11-provider/Sanity/self-test MAKE_TERMOUT=/dev/pts/1 __INTERNAL_BEAKERLIB_JOURNAL=/var/tmp/beakerlib-1763197003/journal.xml __INTERNAL_TEST_RESULTS=/var/tmp/beakerlib-1763197003/TestResults __INTERNAL_CLEANUP_BUFF=/var/tmp/beakerlib-1763197003/clbuff __INTERNAL_METAFILE_INDENT_LEVEL=2 GPG_TTY=/dev/pts/1 __INTERNAL_PHASES_SKIPPED=0 PWD=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0 LOGNAME=root BEAKERLIB_COMMAND_REPORT_RESULT=/usr/bin/1minutetip-report XDG_SESSION_TYPE=tty BEAKERLIB_DIR=/var/tmp/beakerlib-1763197003 __INTERNAL_TEST_STATE=1 REBOOTCOUNT=0 MOTD_SHOWN=pam HOME=/root __INTERNAL_PHASE_STATUSES=/var/tmp/beakerlib-1763197003/PHASE_STATUSES LANG=en_US.UTF-8 LS_COLORS='rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;37;41:su=37;41:sg=30;43:ca=00:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.7z=01;31:*.ace=01;31:*.alz=01;31:*.apk=01;31:*.arc=01;31:*.arj=01;31:*.bz=01;31:*.bz2=01;31:*.cab=01;31:*.cpio=01;31:*.crate=01;31:*.deb=01;31:*.drpm=01;31:*.dwm=01;31:*.dz=01;31:*.ear=01;31:*.egg=01;31:*.esd=01;31:*.gz=01;31:*.jar=01;31:*.lha=01;31:*.lrz=01;31:*.lz=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.lzo=01;31:*.pyz=01;31:*.rar=01;31:*.rpm=01;31:*.rz=01;31:*.sar=01;31:*.swm=01;31:*.t7z=01;31:*.tar=01;31:*.taz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tgz=01;31:*.tlz=01;31:*.txz=01;31:*.tz=01;31:*.tzo=01;31:*.tzst=01;31:*.udeb=01;31:*.war=01;31:*.whl=01;31:*.wim=01;31:*.xz=01;31:*.z=01;31:*.zip=01;31:*.zoo=01;31:*.zst=01;31:*.avif=01;35:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.m4a=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.oga=01;36:*.opus=01;36:*.spx=01;36:*.xspf=01;36:*~=00;90:*#=00;90:*.bak=00;90:*.crdownload=00;90:*.dpkg-dist=00;90:*.dpkg-new=00;90:*.dpkg-old=00;90:*.dpkg-tmp=00;90:*.old=00;90:*.orig=00;90:*.part=00;90:*.rej=00;90:*.rpmnew=00;90:*.rpmorig=00;90:*.rpmsave=00;90:*.swp=00;90:*.tmp=00;90:*.ucf-dist=00;90:*.ucf-new=00;90:*.ucf-old=00;90:' __INTERNAL_PERSISTENT_TMP=/var/tmp TESTID=1763197003 SSH_CONNECTION='10.44.32.91 45858 10.0.184.72 22' __INTERNAL_CLEANUP_FINAL=/var/tmp/beakerlib-1763197003/cleanup.sh MFLAGS='' POSIXFIXED=NO __INTERNAL_DEFAULT_SUBMIT_LOG=__INTERNAL_FileSubmit MAKEFLAGS='' XDG_SESSION_CLASS=user SELINUX_ROLE_REQUESTED='' TERM=tmux-256color LESSOPEN='||/usr/bin/lesspipe.sh %s' USER=root MAKE_TERMERR=/dev/pts/1 __INTERNAL_DEFAULT_REPORT_RESULT=/bin/true TESTVERSION=1.0 __INTERNAL_ASSERT_STATUSES=/var/tmp/beakerlib-1763197003/ASSERT_STATUSES SELINUX_USE_CURRENT_RANGE='' __INTERNAL_PHASE_OPEN=1 SHLVL=3 __INTERNAL_STARTTIME=1740069983 __INTERNAL_BEAKERLIB_JOURNAL_COLORED=/var/tmp/beakerlib-1763197003/journal_colored.txt MAKELEVEL=1 __INTERNAL_ENDTIME='' SYSTEMD_PAGER='' XDG_SESSION_ID=1 __INTERNAL_BEAKERLIB_JOURNAL_TXT=/var/tmp/beakerlib-1763197003/journal.txt XDG_RUNTIME_DIR=/run/user/0 PS1='TEST> ' BEAKERLIB=/usr/share/beakerlib SSH_CLIENT='10.44.32.91 45858 22' DEBUGINFOD_IMA_CERT_PATH=/etc/keys/ima: PATH=/root/.local/bin:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin SELINUX_LEVEL_REQUESTED='' KRYOPTIC=/tmp/kryoptic DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/0/bus __INTERNAL_PHASES_PASSED=1 __INTERNAL_BEAKERLIB_METAFILE=/var/tmp/beakerlib-1763197003/journal.meta SSH_TTY=/dev/pts/0 __INTERNAL_JOURNAL_OPEN=1 __INTERNAL_PHASES_WORST_RESULT=PASS TEST=/CoreOS/pkcs11-provider/Sanity/self-test OLDPWD=/mnt/tests/CoreOS/pkcs11-provider/Sanity/self-test _=/usr/bin/meson 

==================================== 1/92 ====================================
test:         pkcs11-provider:softokn / setup
start time:   18:55:16
duration:     3.12s
result:       exit status 0
command:      MALLOC_PERTURB_=80 TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 LIBSPATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/src ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TESTSSRCDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests SHARED_EXT=.so SOFTOKNPATH=/usr/lib64 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 P11KITCLIENTPATH=/usr/lib64/pkcs11/p11-kit-client.so /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/setup.sh softokn
----------------------------------- stdout -----------------------------------
########################################
## Setup NSS Softokn

Creating new NSS Database
Creating new Self Sign CA
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

warning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

Key pair generated:
Private Key Object; RSA 
  label:      caCert
  ID:         0000
  Usage:      decrypt, sign, signRecover, unwrap
  Access:     sensitive, always sensitive, extractable
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0000;object=caCert;type=private
Public Key Object; RSA 0 bits
  label:      caCert
  ID:         0000
  Usage:      encrypt, verify, verifyRecover, wrap
  Access:     none
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0000;object=caCert;type=public
Generating a self signed certificate...
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 02
	Validity:
		Not Before: Thu Feb 20 18:55:17 UTC 2025
		Not After: Fri Feb 20 18:55:17 UTC 2026
	Subject: CN=Issuer
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: Medium (2048 bits)
		Modulus (bits 2048):
			00:db:41:0c:68:5b:fa:bd:2c:dd:22:ec:77:20:fc:5e
			41:a8:30:78:10:36:0d:04:6a:48:06:c6:08:d0:5d:53
			bd:38:e1:55:09:c4:03:9f:3f:22:22:14:ce:1d:7c:e1
			d3:45:e9:77:19:0e:85:0e:6e:f5:01:b8:19:01:e5:00
			d4:57:ce:02:eb:ea:a1:cc:2c:2a:90:d8:12:46:5d:cf
			cc:1b:3b:a8:14:ed:27:bb:8e:47:79:f2:8b:1c:86:74
			ff:0f:2f:4f:57:07:1b:fc:3c:45:3d:09:b0:8a:14:01
			e4:3c:36:22:ad:8d:4f:8f:70:38:e0:7a:7c:e8:91:e1
			b6:26:d0:83:32:f6:3f:84:25:a0:53:83:f5:83:3a:bf
			ff:ba:0a:2a:40:c5:c4:e0:ba:43:f6:7f:be:20:a4:fa
			26:74:30:af:60:83:4a:65:3c:2a:1c:c9:86:e7:68:02
			af:69:68:62:21:8b:8d:84:09:a3:f6:f5:8a:c1:4b:94
			fd:2e:9c:41:a0:73:a2:b5:e8:b1:fe:b4:b3:71:fd:6c
			dc:40:2a:97:d0:96:4e:f7:48:36:ea:b0:c5:1a:5a:5f
			05:83:63:59:5c:c2:25:9e:5f:07:51:ec:55:3d:ed:4f
			4f:a8:7d:65:60:7f:27:58:5d:e0:42:79:1e:2c:c1:3b
			91
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): TRUE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
			Certificate signing.
		Subject Key Identifier (not critical):
			b0e630fc41fe652bc4e595242b8e78e7f4f12ea5
Other Information:
	Public Key ID:
		sha1:b0e630fc41fe652bc4e595242b8e78e7f4f12ea5
		sha256:9c5558c4c6a386b3f7d71739627f779c2ed71f961921490afc9f9b3dcf825838
	Public Key PIN:
		pin-sha256:nFVYxMajhrP31xc5Yn93nC7XH5YZIUkK/J+bPc+CWDg=



Signing certificate...
Created certificate:
Certificate Object; type = X.509 cert
  label:      caCert
  subject:    DN: CN=Issuer
  serial:     02
  ID:         0000
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0000;object=caCert;type=cert
RSA PKCS11 URIS
pkcs11:id=%00%00?pin-value=fo0m4nchU
pkcs11:id=%00%00?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt
pkcs11:id=%00%00
pkcs11:type=public;id=%00%00
pkcs11:type=private;id=%00%00
pkcs11:type=cert;object=caCert

Key pair generated:
Private Key Object; RSA 
  label:      testCert
  ID:         0001
  Usage:      decrypt, sign, signRecover, unwrap
  Access:     sensitive, always sensitive, extractable
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0001;object=testCert;type=private
Public Key Object; RSA 0 bits
  label:      testCert
  ID:         0001
  Usage:      encrypt, verify, verifyRecover, wrap
  Access:     none
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0001;object=testCert;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      testCert
  subject:    DN: O=PKCS11 Provider, CN=My Test Cert
  serial:     03
  ID:         0001
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0001;object=testCert;type=cert
RSA PKCS11 URIS
pkcs11:id=%00%01?pin-value=fo0m4nchU
pkcs11:id=%00%01?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt
pkcs11:id=%00%01
pkcs11:type=public;id=%00%01
pkcs11:type=private;id=%00%01
pkcs11:type=cert;object=testCert

Key pair generated:
Private Key Object; EC
  label:      ecCert
  ID:         0002
  Usage:      sign, derive
  Access:     sensitive, always sensitive, extractable
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0002;object=ecCert;type=private
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104fdbf026a024cbb850b6993d43ce79f11235ed8c843443fb9b795329b8908153aa3d551252e8d426bb02480e54ff2d41088b8974cfb484e3acc2f9a7d5efaa455
  EC_PARAMS:  06082a8648ce3d030107 (OID 1.2.840.10045.3.1.7)
  label:      ecCert
  ID:         0002
  Usage:      verify, derive
  Access:     none
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0002;object=ecCert;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      ecCert
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert
  serial:     04
  ID:         0002
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0002;object=ecCert;type=cert
Key pair generated:
Private Key Object; EC
  label:      ecPeerCert
  ID:         0003
  Usage:      sign, derive
  Access:     sensitive, always sensitive, extractable
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0003;object=ecPeerCert;type=private
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104980af109ae83947dd33d7c487e69e8ebb210b917f603272a013e22b3f153325f50c534bd98e557ec94901217ded24c36363bc6bbae610e88343e81fa9c61c64d
  EC_PARAMS:  06082a8648ce3d030107 (OID 1.2.840.10045.3.1.7)
  label:      ecPeerCert
  ID:         0003
  Usage:      verify, derive
  Access:     none
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0003;object=ecPeerCert;type=public
Generating a self signed certificate...
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 05
	Validity:
		Not Before: Thu Feb 20 18:55:18 UTC 2025
		Not After: Fri Feb 20 18:55:18 UTC 2026
	Subject: CN=My Peer EC Cert
	Subject Public Key Algorithm: EC/ECDSA
	Algorithm Security Level: High (256 bits)
		Curve:	SECP256R1
		X:
			00:98:0a:f1:09:ae:83:94:7d:d3:3d:7c:48:7e:69:e8
			eb:b2:10:b9:17:f6:03:27:2a:01:3e:22:b3:f1:53:32
			5f
		Y:
			50:c5:34:bd:98:e5:57:ec:94:90:12:17:de:d2:4c:36
			36:3b:c6:bb:ae:61:0e:88:34:3e:81:fa:9c:61:c6:4d
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): TRUE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
			Certificate signing.
		Subject Key Identifier (not critical):
			f6fc0cbb81d0fa51d9244c619727921e604ee52e
Other Information:
	Public Key ID:
		sha1:f6fc0cbb81d0fa51d9244c619727921e604ee52e
		sha256:f1c4e5b39f441d3cc339b6cd9f7e9b5d98f884952ca4858b8d97f0f8419b64e3
	Public Key PIN:
		pin-sha256:8cTls59EHTzDObbNn36bXZj4hJUspIWLjZfw+EGbZOM=



Signing certificate...
Created certificate:
Certificate Object; type = X.509 cert
  label:      ecPeerCert
  subject:    DN: CN=My Peer EC Cert
  serial:     05
  ID:         0003
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0003;object=ecPeerCert;type=cert
EC PKCS11 URIS
pkcs11:id=%00%02?pin-value=fo0m4nchU
pkcs11:id=%00%02?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt
pkcs11:id=%00%02
pkcs11:type=public;id=%00%02
pkcs11:type=private;id=%00%02
pkcs11:type=cert;object=ecCert
pkcs11:id=%00%03?pin-value=fo0m4nchU
pkcs11:id=%00%03?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt
pkcs11:id=%00%03
pkcs11:type=public;id=%00%03
pkcs11:type=private;id=%00%03
pkcs11:type=cert;object=ecPeerCert


## generate RSA key pair, self-signed certificate, remove public key
Key pair generated:
Private Key Object; RSA 
  label:      testCert2
  ID:         0005
  Usage:      decrypt, sign, signRecover, unwrap
  Access:     sensitive, always sensitive, extractable
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0005;object=testCert2;type=private
Public Key Object; RSA 0 bits
  label:      testCert2
  ID:         0005
  Usage:      encrypt, verify, verifyRecover, wrap
  Access:     none
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0005;object=testCert2;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      testCert2
  subject:    DN: O=PKCS11 Provider, CN=My Test Cert 2
  serial:     06
  ID:         0005
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0005;object=testCert2;type=cert
RSA2 PKCS11 URIS
pkcs11:id=%00%05?pin-value=fo0m4nchU
pkcs11:id=%00%05?pin-source=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt
pkcs11:id=%00%05
pkcs11:type=private;id=%00%05
pkcs11:type=cert;object=testCert2


## generate EC key pair, self-signed certificate, remove public key
Key pair generated:
Private Key Object; EC
  label:      ecCert2
  ID:         0006
  Usage:      sign, derive
  Access:     sensitive, always sensitive, extractable
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0006;object=ecCert2;type=private
Public Key Object; EC  EC_POINT 384 bits
  EC_POINT:   046104d1c4b43f1132584aa1137a4bec469db4dccfd4de9801f5d8d944048233b68c642563c1a6630057ff7f53f38943483a8ae6590facde97e350b0d7f3a144dbfbf593869a091507de7692ea69271ee11a2f348caabcfc2dd4faa75d2df978faebfe
  EC_PARAMS:  06052b81040022 (OID 1.3.132.0.34)
  label:      ecCert2
  ID:         0006
  Usage:      verify, derive
  Access:     none
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0006;object=ecCert2;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      ecCert2
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert 2
  serial:     07
  ID:         0006
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0006;object=ecCert2;type=cert
EC2 PKCS11 URIS
pkcs11:id=%00%06?pin-value=fo0m4nchU
pkcs11:id=%00%06?pin-source=file/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt
pkcs11:id=%00%06
pkcs11:type=private;id=%00%06
pkcs11:type=cert;object=ecCert2


## explicit EC unsupported

## generate EC key pair with ALWAYS AUTHENTICATE flag, self-signed certificate
Key pair generated:
Private Key Object; EC
  label:      ecCert3
  ID:         0008
  Usage:      sign, derive
  Access:     always authenticate, sensitive, always sensitive, extractable
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0008;object=ecCert3;type=private
Public Key Object; EC  EC_POINT 528 bits
  EC_POINT:   0481850401d901df31cbf0376fcb617ecd049355a407fb590c3f24e60ac397e62cd9907a9f82a87ec0ba43f2403344f0f57fb680caef6fa71fca8a6d887c51de39e6d623a11a017122442c676d11d3f5fd62e913b3e8c6a675c1fa560dd29d257b41e2c9441baab7abe0a47888fa9bfa361f59da2af72f3ba3be0734bd6893bd68bb905420a0a7a9
  EC_PARAMS:  06052b81040023 (OID 1.3.132.0.35)
  label:      ecCert3
  ID:         0008
  Usage:      verify, derive
  Access:     none
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0008;object=ecCert3;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      ecCert3
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert 3
  serial:     08
  ID:         0008
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0008;object=ecCert3;type=cert
EC3 PKCS11 URIS
pkcs11:id=%00%08?pin-value=fo0m4nchU
pkcs11:id=%00%08?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt
pkcs11:id=%00%08
pkcs11:type=public;id=%00%08
pkcs11:type=private;id=%00%08
pkcs11:type=cert;object=ecCert3


## Show contents of softokn token
 ----------------------------------------------------------------------------------------------------
Public Key Object; RSA 0 bits
  label:      caCert
  ID:         0000
  Usage:      encrypt, verify, verifyRecover, wrap
  Access:     none
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0000;object=caCert;type=public
Certificate Object; type = X.509 cert
  label:      caCert
  subject:    DN: CN=Issuer
  serial:     02
  ID:         0000
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0000;object=caCert;type=cert
Public Key Object; RSA 0 bits
  label:      testCert
  ID:         0001
  Usage:      encrypt, verify, verifyRecover, wrap
  Access:     none
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0001;object=testCert;type=public
Certificate Object; type = X.509 cert
  label:      testCert
  subject:    DN: O=PKCS11 Provider, CN=My Test Cert
  serial:     03
  ID:         0001
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0001;object=testCert;type=cert
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104fdbf026a024cbb850b6993d43ce79f11235ed8c843443fb9b795329b8908153aa3d551252e8d426bb02480e54ff2d41088b8974cfb484e3acc2f9a7d5efaa455
  EC_PARAMS:  06082a8648ce3d030107 (OID 1.2.840.10045.3.1.7)
  label:      ecCert
  ID:         0002
  Usage:      verify, derive
  Access:     none
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0002;object=ecCert;type=public
Certificate Object; type = X.509 cert
  label:      ecCert
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert
  serial:     04
  ID:         0002
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0002;object=ecCert;type=cert
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104980af109ae83947dd33d7c487e69e8ebb210b917f603272a013e22b3f153325f50c534bd98e557ec94901217ded24c36363bc6bbae610e88343e81fa9c61c64d
  EC_PARAMS:  06082a8648ce3d030107 (OID 1.2.840.10045.3.1.7)
  label:      ecPeerCert
  ID:         0003
  Usage:      verify, derive
  Access:     none
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0003;object=ecPeerCert;type=public
Certificate Object; type = X.509 cert
  label:      ecPeerCert
  subject:    DN: CN=My Peer EC Cert
  serial:     05
  ID:         0003
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0003;object=ecPeerCert;type=cert
Certificate Object; type = X.509 cert
  label:      testCert2
  subject:    DN: O=PKCS11 Provider, CN=My Test Cert 2
  serial:     06
  ID:         0005
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0005;object=testCert2;type=cert
Certificate Object; type = X.509 cert
  label:      ecCert2
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert 2
  serial:     07
  ID:         0006
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0006;object=ecCert2;type=cert
Public Key Object; EC  EC_POINT 528 bits
  EC_POINT:   0481850401d901df31cbf0376fcb617ecd049355a407fb590c3f24e60ac397e62cd9907a9f82a87ec0ba43f2403344f0f57fb680caef6fa71fca8a6d887c51de39e6d623a11a017122442c676d11d3f5fd62e913b3e8c6a675c1fa560dd29d257b41e2c9441baab7abe0a47888fa9bfa361f59da2af72f3ba3be0734bd6893bd68bb905420a0a7a9
  EC_PARAMS:  06052b81040023 (OID 1.3.132.0.35)
  label:      ecCert3
  ID:         0008
  Usage:      verify, derive
  Access:     none
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0008;object=ecCert3;type=public
Certificate Object; type = X.509 cert
  label:      ecCert3
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert 3
  serial:     08
  ID:         0008
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0008;object=ecCert3;type=cert
Private Key Object; RSA 
  label:      caCert
  ID:         0000
  Usage:      decrypt, sign, signRecover, unwrap
  Access:     sensitive, always sensitive, extractable
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0000;object=caCert;type=private
Private Key Object; RSA 
  label:      testCert
  ID:         0001
  Usage:      decrypt, sign, signRecover, unwrap
  Access:     sensitive, always sensitive, extractable
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0001;object=testCert;type=private
Private Key Object; EC
  label:      ecCert
  ID:         0002
  Usage:      sign, derive
  Access:     sensitive, always sensitive, extractable
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0002;object=ecCert;type=private
Private Key Object; EC
  label:      ecPeerCert
  ID:         0003
  Usage:      sign, derive
  Access:     sensitive, always sensitive, extractable
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0003;object=ecPeerCert;type=private
Private Key Object; RSA 
  label:      testCert2
  ID:         0005
  Usage:      decrypt, sign, signRecover, unwrap
  Access:     sensitive, always sensitive, extractable
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0005;object=testCert2;type=private
Private Key Object; EC
  label:      ecCert2
  ID:         0006
  Usage:      sign, derive
  Access:     sensitive, always sensitive, extractable
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0006;object=ecCert2;type=private
Private Key Object; EC
  label:      ecCert3
  ID:         0008
  Usage:      sign, derive
  Access:     always authenticate, sensitive, always sensitive, extractable
  uri:        pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%0008;object=ecCert3;type=private
Object 1, type 3461563223
 ----------------------------------------------------------------------------------------------------

## Output configurations
Generate openssl config file
Export test variables to /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/testvars

                                      ##
########################################

----------------------------------- stderr -----------------------------------
+ source /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/helpers.sh
++ : /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests
++ helper_emit=1
++ sed --version
++ grep -q 'GNU sed'
++ sed_inplace=('-i')
++ export sed_inplace
+ '[' 1 -ne 1 ']'
+ TOKENTYPE=softokn
+ SUPPORT_ED25519=1
+ SUPPORT_ED448=1
+ SUPPORT_RSA_PKCS1_ENCRYPTION=1
+ SUPPORT_RSA_KEYGEN_PUBLIC_EXPONENT=1
+ SUPPORT_TLSFUZZER=1
+ SUPPORT_ALLOWED_MECHANISMS=0
++ opensc-tool -i
++ grep OpenSC
++ sed -e 's/OpenSC 0\.\([0-9]*\).*/\1/'
+ OPENSC_VERSION=26
+ [[ 26 -le 25 ]]
+ PINVALUE=12345678
+ [[ '' = \1 ]]
++ cat /proc/sys/crypto/fips_enabled
+ [[ 1 = \1 ]]
+ SUPPORT_ED25519=0
+ SUPPORT_ED448=0
+ SUPPORT_RSA_PKCS1_ENCRYPTION=0
+ SUPPORT_RSA_KEYGEN_PUBLIC_EXPONENT=0
+ SUPPORT_TLSFUZZER=0
+ TOKENOPTIONS='pkcs11-module-assume-fips = true'
+ PINVALUE=fo0m4nchU
+ TMPPDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn
+ TOKDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/tokens
+ '[' -d /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn ']'
+ rm -fr /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn
+ mkdir /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn
+ mkdir /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/tokens
+ PINFILE=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt
+ echo fo0m4nchU
+ export GNUTLS_PIN=fo0m4nchU
+ GNUTLS_PIN=fo0m4nchU
+ '[' softokn == softhsm ']'
+ '[' softokn == softokn ']'
+ source /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/softokn-init.sh
++ title SECTION 'Setup NSS Softokn'
++ case "$1" in
++ shift 1
++ echo '########################################'
++ echo '## Setup NSS Softokn'
++ echo ''
++ command -v certutil
++ title LINE 'Creating new NSS Database'
++ case "$1" in
++ shift 1
++ echo 'Creating new NSS Database'
++ certutil -N -d /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/tokens -f /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt
++ export P11LIB=/usr/lib64/libsoftokn3.so
++ P11LIB=/usr/lib64/libsoftokn3.so
++ export NSS_LIB_PARAMS=configDir=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/tokens
++ NSS_LIB_PARAMS=configDir=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/tokens
++ export 'TOKENLABEL=NSS FIPS 140-2 Certificate DB'
++ TOKENLABEL='NSS FIPS 140-2 Certificate DB'
++ export TOKENLABELURI=NSS%20FIPS%20140-2%20Certificate%20DB
++ TOKENLABELURI=NSS%20FIPS%20140-2%20Certificate%20DB
++ export 'TOKENOPTIONS=pkcs11-module-assume-fips = true\npkcs11-module-quirks = no-operation-state no-allowed-mechanisms'
++ TOKENOPTIONS='pkcs11-module-assume-fips = true\npkcs11-module-quirks = no-operation-state no-allowed-mechanisms'
++ export 'TOKENCONFIGVARS=export NSS_LIB_PARAMS=configDir=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/tokens'
++ TOKENCONFIGVARS='export NSS_LIB_PARAMS=configDir=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/tokens'
++ export TESTPORT=30000
++ TESTPORT=30000
++ export SUPPORT_ED25519=0
++ SUPPORT_ED25519=0
++ export SUPPORT_ED448=0
++ SUPPORT_ED448=0
+ SEEDFILE=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/noisefile.bin
+ dd if=/dev/urandom of=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/noisefile.bin bs=2048 count=1
+ RAND64FILE=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/64krandom.bin
+ dd if=/dev/urandom of=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/64krandom.bin bs=2048 count=32
++ uname
+ '[' Linux == Darwin ']'
++ type -p certtool
+ certtool=/usr/bin/certtool
+ '[' -z /usr/bin/certtool ']'
+ P11DEFARGS=("--module=${P11LIB}" "--login" "--pin=${PINVALUE}" "--token-label=${TOKENLABEL}")
+ cat
+ SERIAL=1
+ title LINE 'Creating new Self Sign CA'
+ case "$1" in
+ shift 1
+ echo 'Creating new Self Sign CA'
+ KEYID=0000
+ URIKEYID=%00%00
+ CACRTN=caCert
+ pkcs11-tool --module=/usr/lib64/libsoftokn3.so --login --pin=fo0m4nchU '--token-label=NSS FIPS 140-2 Certificate DB' --keypairgen --key-type=RSA:2048 --label=caCert --id=0000
+ crt_selfsign caCert Issuer 0000
+ LABEL=caCert
+ CN=Issuer
+ KEYID=0000
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = Issuer|g' -e 's|serial = .*|serial = 2|g' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/cacert.cfg
+ /usr/bin/certtool --generate-self-signed --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/caCert.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/cacert.cfg --provider=/usr/lib64/libsoftokn3.so --load-privkey 'pkcs11:object=caCert;token=NSS%20FIPS%20140-2%20Certificate%20DB;type=private' --load-pubkey 'pkcs11:object=caCert;token=NSS%20FIPS%20140-2%20Certificate%20DB;type=public' --outder
+ pkcs11-tool --module=/usr/lib64/libsoftokn3.so --login --pin=fo0m4nchU '--token-label=NSS FIPS 140-2 Certificate DB' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/caCert.crt --type=cert --id=0000 --label=caCert
+ CACRT_PEM=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/caCert.pem
+ CACRT=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/caCert.crt
+ openssl x509 -inform DER -in /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/caCert.crt -outform PEM -out /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/caCert.pem
+ CABASEURIWITHPINVALUE='pkcs11:id=%00%00?pin-value=fo0m4nchU'
+ CABASEURIWITHPINSOURCE='pkcs11:id=%00%00?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt'
+ CABASEURI=pkcs11:id=%00%00
+ CAPUBURI='pkcs11:type=public;id=%00%00'
+ CAPRIURI='pkcs11:type=private;id=%00%00'
+ CACRTURI='pkcs11:type=cert;object=caCert'
+ title LINE 'RSA PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'RSA PKCS11 URIS'
+ echo 'pkcs11:id=%00%00?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%00?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt'
+ echo pkcs11:id=%00%00
+ echo 'pkcs11:type=public;id=%00%00'
+ echo 'pkcs11:type=private;id=%00%00'
+ echo 'pkcs11:type=cert;object=caCert'
+ echo ''
+ cat /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/cacert.cfg
+ echo 'organization = "PKCS11 Provider"'
+ sed -e '/^cert_signing_key$/d' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/cert.cfg
+ KEYID=0001
+ URIKEYID=%00%01
+ TSTCRTN=testCert
+ pkcs11-tool --module=/usr/lib64/libsoftokn3.so --login --pin=fo0m4nchU '--token-label=NSS FIPS 140-2 Certificate DB' --keypairgen --key-type=RSA:2048 --label=testCert --id=0001
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

warning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

+ ca_sign testCert 'My Test Cert' 0001
+ LABEL=testCert
+ CN='My Test Cert'
+ KEYID=0001
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My Test Cert|g' -e 's|serial = .*|serial = 3|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/testCert.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/cert.cfg --provider=/usr/lib64/libsoftokn3.so --load-privkey 'pkcs11:object=testCert;token=NSS%20FIPS%20140-2%20Certificate%20DB;type=private' --load-pubkey 'pkcs11:object=testCert;token=NSS%20FIPS%20140-2%20Certificate%20DB;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=NSS%20FIPS%20140-2%20Certificate%20DB;type=private'
Generating a signed certificate...
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 03
	Validity:
		Not Before: Thu Feb 20 18:55:17 UTC 2025
		Not After: Fri Feb 20 18:55:17 UTC 2026
	Subject: CN=My Test Cert,O=PKCS11 Provider
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: Medium (2048 bits)
		Modulus (bits 2048):
			00:bb:a4:13:a3:97:7f:64:99:a7:bc:dc:22:26:e2:30
			63:6e:0f:45:e2:3a:b0:4d:13:f8:8c:9a:69:f8:86:05
			35:ec:bf:ea:60:13:48:ac:ae:68:bd:5f:43:b1:e3:70
			f2:e8:04:00:34:44:c7:9c:63:1b:67:ca:cc:89:98:f5
			7a:44:a1:51:7e:13:6b:76:c6:d9:83:22:6d:c9:cf:78
			fd:dd:c6:65:68:2a:f6:7e:d4:15:e8:00:b3:88:18:06
			f6:2f:b0:ca:92:d8:d8:17:9e:31:0e:d4:61:74:64:24
			6e:af:30:ec:01:0a:8d:5d:f2:8a:06:bf:eb:f1:58:23
			0e:4d:e3:bb:e6:c4:51:14:28:20:21:19:88:3c:1d:d9
			c8:36:df:3a:2c:aa:3a:94:91:46:0f:68:e5:df:cb:0d
			57:a3:5b:06:0b:1c:e3:3d:14:cd:a4:2b:7b:5d:4b:b8
			b9:a3:76:9e:91:ba:94:aa:69:5a:bc:a5:2a:ef:b3:f2
			b0:ce:fc:19:58:39:24:2d:fa:68:3c:ed:45:c6:8c:a6
			c3:b7:14:63:42:3a:cd:03:68:f8:cc:7d:cd:47:dc:0e
			81:69:29:e8:af:66:50:21:8b:49:b9:29:c7:e5:68:4f
			82:ec:b8:c6:37:b8:ae:80:da:7b:86:f8:a1:81:57:10
			8b
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
			Key encipherment.
		Subject Key Identifier (not critical):
			d3d5cdfdb25dfd869c0c1a598dd52a42a1194010
		Authority Key Identifier (not critical):
			b0e630fc41fe652bc4e595242b8e78e7f4f12ea5
Other Information:
	Public Key ID:
		sha1:d3d5cdfdb25dfd869c0c1a598dd52a42a1194010
		sha256:68c185230fc7bbb2903fe8c5fa156c0581c35a1e47d26e51cb14f24214317d85
	Public Key PIN:
		pin-sha256:aMGFIw/Hu7KQP+jF+hVsBYHDWh5H0m5RyxTyQhQxfYU=



Signing certificate...
+ pkcs11-tool --module=/usr/lib64/libsoftokn3.so --login --pin=fo0m4nchU '--token-label=NSS FIPS 140-2 Certificate DB' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/testCert.crt --type=cert --id=0001 --label=testCert
+ BASEURIWITHPINVALUE='pkcs11:id=%00%01?pin-value=fo0m4nchU'
+ BASEURIWITHPINSOURCE='pkcs11:id=%00%01?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt'
+ BASEURI=pkcs11:id=%00%01
+ PUBURI='pkcs11:type=public;id=%00%01'
+ PRIURI='pkcs11:type=private;id=%00%01'
+ CRTURI='pkcs11:type=cert;object=testCert'
+ title LINE 'RSA PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'RSA PKCS11 URIS'
+ echo 'pkcs11:id=%00%01?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%01?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt'
+ echo pkcs11:id=%00%01
+ echo 'pkcs11:type=public;id=%00%01'
+ echo 'pkcs11:type=private;id=%00%01'
+ echo 'pkcs11:type=cert;object=testCert'
+ echo ''
+ KEYID=0002
+ URIKEYID=%00%02
+ ECCRTN=ecCert
+ pkcs11-tool --module=/usr/lib64/libsoftokn3.so --login --pin=fo0m4nchU '--token-label=NSS FIPS 140-2 Certificate DB' --keypairgen --key-type=EC:secp256r1 --label=ecCert --id=0002
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

+ ca_sign ecCert 'My EC Cert' 0002
+ LABEL=ecCert
+ CN='My EC Cert'
+ KEYID=0002
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My EC Cert|g' -e 's|serial = .*|serial = 4|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/ecCert.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/cert.cfg --provider=/usr/lib64/libsoftokn3.so --load-privkey 'pkcs11:object=ecCert;token=NSS%20FIPS%20140-2%20Certificate%20DB;type=private' --load-pubkey 'pkcs11:object=ecCert;token=NSS%20FIPS%20140-2%20Certificate%20DB;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=NSS%20FIPS%20140-2%20Certificate%20DB;type=private'
Generating a signed certificate...

Expiration time: Fri Feb 20 13:55:18 2026
CA expiration time: Fri Feb 20 13:55:17 2026
Warning: The time set exceeds the CA's expiration time
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 04
	Validity:
		Not Before: Thu Feb 20 18:55:18 UTC 2025
		Not After: Fri Feb 20 18:55:18 UTC 2026
	Subject: CN=My EC Cert,O=PKCS11 Provider
	Subject Public Key Algorithm: EC/ECDSA
	Algorithm Security Level: High (256 bits)
		Curve:	SECP256R1
		X:
			00:fd:bf:02:6a:02:4c:bb:85:0b:69:93:d4:3c:e7:9f
			11:23:5e:d8:c8:43:44:3f:b9:b7:95:32:9b:89:08:15
			3a
		Y:
			00:a3:d5:51:25:2e:8d:42:6b:b0:24:80:e5:4f:f2:d4
			10:88:b8:97:4c:fb:48:4e:3a:cc:2f:9a:7d:5e:fa:a4
			55
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
		Subject Key Identifier (not critical):
			ac75094cc6c5e43e6df551e1be39a6bd9a73a6bf
		Authority Key Identifier (not critical):
			b0e630fc41fe652bc4e595242b8e78e7f4f12ea5
Other Information:
	Public Key ID:
		sha1:ac75094cc6c5e43e6df551e1be39a6bd9a73a6bf
		sha256:b2a81f2ce8ded64dee7a9aab57c1e677c79d2d13222402eb76ca7fdf2a8140ee
	Public Key PIN:
		pin-sha256:sqgfLOje1k3uepqrV8Hmd8edLRMiJALrdsp/3yqBQO4=



Signing certificate...
+ pkcs11-tool --module=/usr/lib64/libsoftokn3.so --login --pin=fo0m4nchU '--token-label=NSS FIPS 140-2 Certificate DB' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/ecCert.crt --type=cert --id=0002 --label=ecCert
+ ECBASEURIWITHPINVALUE='pkcs11:id=%00%02?pin-value=fo0m4nchU'
+ ECBASEURIWITHPINSOURCE='pkcs11:id=%00%02?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt'
+ ECBASEURI=pkcs11:id=%00%02
+ ECPUBURI='pkcs11:type=public;id=%00%02'
+ ECPRIURI='pkcs11:type=private;id=%00%02'
+ ECCRTURI='pkcs11:type=cert;object=ecCert'
+ KEYID=0003
+ URIKEYID=%00%03
+ ECPEERCRTN=ecPeerCert
+ pkcs11-tool --module=/usr/lib64/libsoftokn3.so --login --pin=fo0m4nchU '--token-label=NSS FIPS 140-2 Certificate DB' --keypairgen --key-type=EC:secp256r1 --label=ecPeerCert --id=0003
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

+ crt_selfsign ecPeerCert 'My Peer EC Cert' 0003
+ LABEL=ecPeerCert
+ CN='My Peer EC Cert'
+ KEYID=0003
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My Peer EC Cert|g' -e 's|serial = .*|serial = 5|g' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/cacert.cfg
+ /usr/bin/certtool --generate-self-signed --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/ecPeerCert.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/cacert.cfg --provider=/usr/lib64/libsoftokn3.so --load-privkey 'pkcs11:object=ecPeerCert;token=NSS%20FIPS%20140-2%20Certificate%20DB;type=private' --load-pubkey 'pkcs11:object=ecPeerCert;token=NSS%20FIPS%20140-2%20Certificate%20DB;type=public' --outder
+ pkcs11-tool --module=/usr/lib64/libsoftokn3.so --login --pin=fo0m4nchU '--token-label=NSS FIPS 140-2 Certificate DB' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/ecPeerCert.crt --type=cert --id=0003 --label=ecPeerCert
+ ECPEERBASEURIWITHPINVALUE='pkcs11:id=%00%03?pin-value=fo0m4nchU'
+ ECPEERBASEURIWITHPINSOURCE='pkcs11:id=%00%03?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt'
+ ECPEERBASEURI=pkcs11:id=%00%03
+ ECPEERPUBURI='pkcs11:type=public;id=%00%03'
+ ECPEERPRIURI='pkcs11:type=private;id=%00%03'
+ ECPEERCRTURI='pkcs11:type=cert;object=ecPeerCert'
+ title LINE 'EC PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'EC PKCS11 URIS'
+ echo 'pkcs11:id=%00%02?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%02?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt'
+ echo pkcs11:id=%00%02
+ echo 'pkcs11:type=public;id=%00%02'
+ echo 'pkcs11:type=private;id=%00%02'
+ echo 'pkcs11:type=cert;object=ecCert'
+ echo 'pkcs11:id=%00%03?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%03?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt'
+ echo pkcs11:id=%00%03
+ echo 'pkcs11:type=public;id=%00%03'
+ echo 'pkcs11:type=private;id=%00%03'
+ echo 'pkcs11:type=cert;object=ecPeerCert'
+ echo ''
+ '[' 0 -eq 1 ']'
+ '[' 0 -eq 1 ']'
+ title PARA 'generate RSA key pair, self-signed certificate, remove public key'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## generate RSA key pair, self-signed certificate, remove public key'
+ '[' -f '' ']'
+ KEYID=0005
+ URIKEYID=%00%05
+ TSTCRTN=testCert2
+ pkcs11-tool --module=/usr/lib64/libsoftokn3.so --login --pin=fo0m4nchU '--token-label=NSS FIPS 140-2 Certificate DB' --keypairgen --key-type=RSA:2048 --label=testCert2 --id=0005
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

warning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

+ ca_sign testCert2 'My Test Cert 2' 0005
+ LABEL=testCert2
+ CN='My Test Cert 2'
+ KEYID=0005
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My Test Cert 2|g' -e 's|serial = .*|serial = 6|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/testCert2.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/cert.cfg --provider=/usr/lib64/libsoftokn3.so --load-privkey 'pkcs11:object=testCert2;token=NSS%20FIPS%20140-2%20Certificate%20DB;type=private' --load-pubkey 'pkcs11:object=testCert2;token=NSS%20FIPS%20140-2%20Certificate%20DB;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=NSS%20FIPS%20140-2%20Certificate%20DB;type=private'
Generating a signed certificate...

Expiration time: Fri Feb 20 13:55:18 2026
CA expiration time: Fri Feb 20 13:55:17 2026
Warning: The time set exceeds the CA's expiration time
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 06
	Validity:
		Not Before: Thu Feb 20 18:55:18 UTC 2025
		Not After: Fri Feb 20 18:55:18 UTC 2026
	Subject: CN=My Test Cert 2,O=PKCS11 Provider
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: Medium (2048 bits)
		Modulus (bits 2048):
			00:d1:77:8a:51:89:47:98:8e:9c:bd:00:f2:c6:99:e4
			65:a8:8f:aa:76:62:c5:02:69:3e:c0:d2:d0:47:05:be
			8e:52:60:c9:f5:81:2b:81:f6:29:47:55:28:0d:0f:de
			5b:a8:75:b1:41:9e:a9:27:a7:f2:60:9b:0a:7d:34:a1
			b2:58:48:43:e4:8b:42:94:1d:b7:76:46:5b:1b:87:e6
			ee:9f:b7:6e:22:c6:98:eb:da:6e:3a:c4:8a:2e:7d:f0
			e3:ec:b2:be:1c:80:ec:b2:81:e4:6e:96:97:17:a7:a6
			35:3d:82:00:24:c2:6a:3f:a6:36:77:ed:85:04:65:d4
			1e:44:eb:01:de:de:a2:9c:60:73:82:1d:ae:da:ad:e1
			db:76:17:70:fb:b2:80:e4:99:8f:75:6d:be:0b:c7:bd
			3a:7e:6f:f7:a3:9b:f8:47:76:33:6c:da:1c:81:d0:e5
			eb:ca:cd:11:fd:60:7d:4f:58:50:63:bf:81:fb:8e:b0
			11:1a:ad:04:7e:84:94:c3:1e:c8:5c:7e:ef:6a:0e:95
			11:c1:04:eb:24:12:99:31:1f:75:a3:97:67:3e:d7:70
			f3:67:4c:4b:48:d6:f2:35:7f:d3:87:3d:15:73:bb:13
			61:d4:f8:7e:51:e2:9a:8c:4d:2b:0e:48:3a:d0:33:27
			e1
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
			Key encipherment.
		Subject Key Identifier (not critical):
			12aa40a2c7e212a0d1e8859aa1c588f7b42c373d
		Authority Key Identifier (not critical):
			b0e630fc41fe652bc4e595242b8e78e7f4f12ea5
Other Information:
	Public Key ID:
		sha1:12aa40a2c7e212a0d1e8859aa1c588f7b42c373d
		sha256:704d3c810ea1e2a15eee7f2933e619bbc02518138fc6d93c0b7ae8a515fc2464
	Public Key PIN:
		pin-sha256:cE08gQ6h4qFe7n8pM+YZu8AlGBOPxtk8C3ropRX8JGQ=



Signing certificate...
+ pkcs11-tool --module=/usr/lib64/libsoftokn3.so --login --pin=fo0m4nchU '--token-label=NSS FIPS 140-2 Certificate DB' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/testCert2.crt --type=cert --id=0005 --label=testCert2
+ pkcs11-tool --module=/usr/lib64/libsoftokn3.so --login --pin=fo0m4nchU '--token-label=NSS FIPS 140-2 Certificate DB' --delete-object --type pubkey --id 0005
+ BASE2URIWITHPINVALUE='pkcs11:id=%00%05?pin-value=fo0m4nchU'
+ BASE2URIWITHPINSOURCE='pkcs11:id=%00%05?pin-source=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt'
+ BASE2URI=pkcs11:id=%00%05
+ PRI2URI='pkcs11:type=private;id=%00%05'
+ CRT2URI='pkcs11:type=cert;object=testCert2'
+ title LINE 'RSA2 PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'RSA2 PKCS11 URIS'
+ echo 'pkcs11:id=%00%05?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%05?pin-source=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt'
+ echo pkcs11:id=%00%05
+ echo 'pkcs11:type=private;id=%00%05'
+ echo 'pkcs11:type=cert;object=testCert2'
+ echo ''
+ title PARA 'generate EC key pair, self-signed certificate, remove public key'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## generate EC key pair, self-signed certificate, remove public key'
+ '[' -f '' ']'
+ KEYID=0006
+ URIKEYID=%00%06
+ TSTCRTN=ecCert2
+ pkcs11-tool --module=/usr/lib64/libsoftokn3.so --login --pin=fo0m4nchU '--token-label=NSS FIPS 140-2 Certificate DB' --keypairgen --key-type=EC:secp384r1 --label=ecCert2 --id=0006
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

+ ca_sign ecCert2 'My EC Cert 2' 0006
+ LABEL=ecCert2
+ CN='My EC Cert 2'
+ KEYID=0006
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My EC Cert 2|g' -e 's|serial = .*|serial = 7|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/ecCert2.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/cert.cfg --provider=/usr/lib64/libsoftokn3.so --load-privkey 'pkcs11:object=ecCert2;token=NSS%20FIPS%20140-2%20Certificate%20DB;type=private' --load-pubkey 'pkcs11:object=ecCert2;token=NSS%20FIPS%20140-2%20Certificate%20DB;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=NSS%20FIPS%20140-2%20Certificate%20DB;type=private'
Generating a signed certificate...

Expiration time: Fri Feb 20 13:55:19 2026
CA expiration time: Fri Feb 20 13:55:17 2026
Warning: The time set exceeds the CA's expiration time
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 07
	Validity:
		Not Before: Thu Feb 20 18:55:19 UTC 2025
		Not After: Fri Feb 20 18:55:19 UTC 2026
	Subject: CN=My EC Cert 2,O=PKCS11 Provider
	Subject Public Key Algorithm: EC/ECDSA
	Algorithm Security Level: Ultra (384 bits)
		Curve:	SECP384R1
		X:
			00:d1:c4:b4:3f:11:32:58:4a:a1:13:7a:4b:ec:46:9d
			b4:dc:cf:d4:de:98:01:f5:d8:d9:44:04:82:33:b6:8c
			64:25:63:c1:a6:63:00:57:ff:7f:53:f3:89:43:48:3a
			8a
		Y:
			00:e6:59:0f:ac:de:97:e3:50:b0:d7:f3:a1:44:db:fb
			f5:93:86:9a:09:15:07:de:76:92:ea:69:27:1e:e1:1a
			2f:34:8c:aa:bc:fc:2d:d4:fa:a7:5d:2d:f9:78:fa:eb
			fe
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
		Subject Key Identifier (not critical):
			693cb75bb9406dda3c60e8140f8b67db9a99a110
		Authority Key Identifier (not critical):
			b0e630fc41fe652bc4e595242b8e78e7f4f12ea5
Other Information:
	Public Key ID:
		sha1:693cb75bb9406dda3c60e8140f8b67db9a99a110
		sha256:bc5dbf5e393bc2437c1f69a82572535095d8c134084225551d03e569beee0a0e
	Public Key PIN:
		pin-sha256:vF2/Xjk7wkN8H2moJXJTUJXYwTQIQiVVHQPlab7uCg4=



Signing certificate...
+ pkcs11-tool --module=/usr/lib64/libsoftokn3.so --login --pin=fo0m4nchU '--token-label=NSS FIPS 140-2 Certificate DB' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/ecCert2.crt --type=cert --id=0006 --label=ecCert2
+ pkcs11-tool --module=/usr/lib64/libsoftokn3.so --login --pin=fo0m4nchU '--token-label=NSS FIPS 140-2 Certificate DB' --delete-object --type pubkey --id 0006
+ ECBASE2URIWITHPINVALUE='pkcs11:id=%00%06?pin-value=fo0m4nchU'
+ ECBASE2URIWITHPINSOURCE='pkcs11:id=%00%06?pin-source=file/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt'
+ ECBASE2URI=pkcs11:id=%00%06
+ ECPRI2URI='pkcs11:type=private;id=%00%06'
+ ECCRT2URI='pkcs11:type=cert;object=ecCert2'
+ title LINE 'EC2 PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'EC2 PKCS11 URIS'
+ echo 'pkcs11:id=%00%06?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%06?pin-source=file/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt'
+ echo pkcs11:id=%00%06
+ echo 'pkcs11:type=private;id=%00%06'
+ echo 'pkcs11:type=cert;object=ecCert2'
+ echo ''
+ '[' -z '' ']'
+ title PARA 'explicit EC unsupported'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## explicit EC unsupported'
+ '[' -f '' ']'
+ title PARA 'generate EC key pair with ALWAYS AUTHENTICATE flag, self-signed certificate'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## generate EC key pair with ALWAYS AUTHENTICATE flag, self-signed certificate'
+ '[' -f '' ']'
+ KEYID=0008
+ URIKEYID=%00%08
+ TSTCRTN=ecCert3
+ pkcs11-tool --module=/usr/lib64/libsoftokn3.so --login --pin=fo0m4nchU '--token-label=NSS FIPS 140-2 Certificate DB' --keypairgen --key-type=EC:secp521r1 --label=ecCert3 --id=0008 --always-auth
+ ca_sign ecCert3 'My EC Cert 3' 0008
+ LABEL=ecCert3
+ CN='My EC Cert 3'
+ KEYID=0008
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My EC Cert 3|g' -e 's|serial = .*|serial = 8|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/ecCert3.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/cert.cfg --provider=/usr/lib64/libsoftokn3.so --load-privkey 'pkcs11:object=ecCert3;token=NSS%20FIPS%20140-2%20Certificate%20DB;type=private' --load-pubkey 'pkcs11:object=ecCert3;token=NSS%20FIPS%20140-2%20Certificate%20DB;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=NSS%20FIPS%20140-2%20Certificate%20DB;type=private'
Generating a signed certificate...

Expiration time: Fri Feb 20 13:55:19 2026
CA expiration time: Fri Feb 20 13:55:17 2026
Warning: The time set exceeds the CA's expiration time
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 08
	Validity:
		Not Before: Thu Feb 20 18:55:19 UTC 2025
		Not After: Fri Feb 20 18:55:19 UTC 2026
	Subject: CN=My EC Cert 3,O=PKCS11 Provider
	Subject Public Key Algorithm: EC/ECDSA
	Algorithm Security Level: Future (528 bits)
		Curve:	SECP521R1
		X:
			01:d9:01:df:31:cb:f0:37:6f:cb:61:7e:cd:04:93:55
			a4:07:fb:59:0c:3f:24:e6:0a:c3:97:e6:2c:d9:90:7a
			9f:82:a8:7e:c0:ba:43:f2:40:33:44:f0:f5:7f:b6:80
			ca:ef:6f:a7:1f:ca:8a:6d:88:7c:51:de:39:e6:d6:23
			a1:1a
		Y:
			01:71:22:44:2c:67:6d:11:d3:f5:fd:62:e9:13:b3:e8
			c6:a6:75:c1:fa:56:0d:d2:9d:25:7b:41:e2:c9:44:1b
			aa:b7:ab:e0:a4:78:88:fa:9b:fa:36:1f:59:da:2a:f7
			2f:3b:a3:be:07:34:bd:68:93:bd:68:bb:90:54:20:a0
			a7:a9
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
		Subject Key Identifier (not critical):
			d5d4ae5e06c68a9da8552d1133ace2da451009c2
		Authority Key Identifier (not critical):
			b0e630fc41fe652bc4e595242b8e78e7f4f12ea5
Other Information:
	Public Key ID:
		sha1:d5d4ae5e06c68a9da8552d1133ace2da451009c2
		sha256:9410a492e115fb177083674b90f650d84ae618eb5737712e570110b6776b12ee
	Public Key PIN:
		pin-sha256:lBCkkuEV+xdwg2dLkPZQ2ErmGOtXN3EuVwEQtndrEu4=



Signing certificate...
+ pkcs11-tool --module=/usr/lib64/libsoftokn3.so --login --pin=fo0m4nchU '--token-label=NSS FIPS 140-2 Certificate DB' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/ecCert3.crt --type=cert --id=0008 --label=ecCert3
+ ECBASE3URIWITHPINVALUE='pkcs11:id=%00%08?pin-value=fo0m4nchU'
+ ECBASE3URIWITHPINSOURCE='pkcs11:id=%00%08?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt'
+ ECBASE3URI=pkcs11:id=%00%08
+ ECPUB3URI='pkcs11:type=public;id=%00%08'
+ ECPRI3URI='pkcs11:type=private;id=%00%08'
+ ECCRT3URI='pkcs11:type=cert;object=ecCert3'
+ title LINE 'EC3 PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'EC3 PKCS11 URIS'
+ echo 'pkcs11:id=%00%08?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%08?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt'
+ echo pkcs11:id=%00%08
+ echo 'pkcs11:type=public;id=%00%08'
+ echo 'pkcs11:type=private;id=%00%08'
+ echo 'pkcs11:type=cert;object=ecCert3'
+ echo ''
+ '[' 0 -eq 1 ']'
+ title PARA 'Show contents of softokn token'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## Show contents of softokn token'
+ '[' -f '' ']'
+ echo ' ----------------------------------------------------------------------------------------------------'
+ pkcs11-tool --module=/usr/lib64/libsoftokn3.so --login --pin=fo0m4nchU '--token-label=NSS FIPS 140-2 Certificate DB' -O
warning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

warning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

+ echo ' ----------------------------------------------------------------------------------------------------'
+ title PARA 'Output configurations'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## Output configurations'
+ '[' -f '' ']'
+ OPENSSL_CONF=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/openssl.cnf
+ title LINE 'Generate openssl config file'
+ case "$1" in
+ shift 1
+ echo 'Generate openssl config file'
+ sed -e 's|@libtoollibs@|/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/src|g' -e 's|@testsblddir@|/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests|g' -e 's|@testsdir@|/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn|g' -e 's|@SHARED_EXT@|.so|g' -e 's|@PINFILE@|/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/pinfile.txt|g' -e 's|##TOKENOPTIONS|pkcs11-module-assume-fips = true\npkcs11-module-quirks = no-operation-state no-allowed-mechanisms|g' /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/openssl.cnf.in
+ title LINE 'Export test variables to /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/testvars'
+ case "$1" in
+ shift 1
+ echo 'Export test variables to /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/testvars'
+ cat
+ '[' -n '' ']'
+ '[' -n '' ']'
+ '[' -n '' ']'
+ '[' -n '' ']'
+ cat
+ gen_unsetvars
+ grep '^export' /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/testvars
+ sed -e s/export/unset/ -e 's/=.*$//'
+ title ENDSECTION
+ case "$1" in
+ echo ''
+ echo '                                      ##'
+ echo '########################################'
+ echo ''
==============================================================================

==================================== 2/92 ====================================
test:         pkcs11-provider:softhsm / setup
start time:   18:55:20
duration:     3.18s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 LIBSPATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/src ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=36 TESTSSRCDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests SHARED_EXT=.so SOFTOKNPATH=/usr/lib64 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 P11KITCLIENTPATH=/usr/lib64/pkcs11/p11-kit-client.so /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/setup.sh softhsm
----------------------------------- stdout -----------------------------------
########################################
## Searching for SoftHSM PKCS#11 library

Using softhsm path /usr/lib64/pkcs11/libsofthsm2.so
########################################
## Set up testing system

Slot 0 has a free/uninitialized token.
The token has been initialized and is reassigned to slot 519424734
Creating new Self Sign CA
Key pair generated:
Private Key Object; RSA 
  label:      caCert
  ID:         0000
  Usage:      decrypt, sign, signRecover, unwrap
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0000;object=caCert;type=private
Public Key Object; RSA 2048 bits
  label:      caCert
  ID:         0000
  Usage:      encrypt, verify, verifyRecover, wrap
  Access:     local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0000;object=caCert;type=public
Generating a self signed certificate...
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 02
	Validity:
		Not Before: Thu Feb 20 18:55:20 UTC 2025
		Not After: Fri Feb 20 18:55:20 UTC 2026
	Subject: CN=Issuer
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: Medium (2048 bits)
		Modulus (bits 2048):
			00:bd:40:9e:25:2c:b2:b8:ce:a5:0a:ac:1e:fa:ed:dc
			49:bc:4a:46:d3:65:45:85:54:33:40:9a:f0:35:a5:f9
			0e:d4:34:9a:8e:67:de:8b:9e:9e:4f:2b:6d:ba:ef:db
			21:b3:44:92:11:14:ad:2e:f7:dc:81:8a:4d:05:ca:86
			f7:1a:cb:57:de:1e:30:6b:f9:af:86:5f:fe:f7:2c:4c
			4c:e8:ba:10:fa:aa:0a:df:49:09:0c:a3:cb:ec:ae:59
			6a:55:d3:fd:43:a2:7d:77:e8:92:dd:ce:b7:e5:e6:64
			32:b1:80:04:90:c9:75:44:83:6f:4a:12:e9:16:8f:fa
			10:5b:32:bb:9b:79:99:08:06:47:57:dc:24:3d:36:45
			b0:c6:bc:81:3f:22:5e:3d:b7:b7:92:42:19:ed:73:b2
			e7:e1:3a:38:78:53:ed:f0:61:b3:ca:9d:85:62:1c:4d
			7b:0c:11:d0:31:b2:f3:8a:e1:41:60:66:ac:4c:ce:ce
			0b:e1:e0:e7:fa:9d:65:91:0a:ef:53:dd:51:54:9e:85
			b6:4c:fa:3c:ff:49:7a:71:27:56:f8:47:cd:8a:18:77
			3f:0e:70:ea:b2:94:08:a1:1c:2b:a6:10:29:a3:1b:94
			00:7c:a4:bc:88:5c:3c:fd:58:d7:ac:2a:98:14:c3:58
			d1
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): TRUE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
			Certificate signing.
		Subject Key Identifier (not critical):
			c9b09109af3f21ac6724faa2dd43744ea85331f6
Other Information:
	Public Key ID:
		sha1:c9b09109af3f21ac6724faa2dd43744ea85331f6
		sha256:9bc09c4c7cbd8976c6df084a5606890004d1da4a88b2f9a380a14563fb4e91eb
	Public Key PIN:
		pin-sha256:m8CcTHy9iXbG3whKVgaJAATR2kqIsvmjgKFFY/tOkes=



Signing certificate...
Created certificate:
Certificate Object; type = X.509 cert
  label:      caCert
  subject:    DN: CN=Issuer
  serial:     02
  ID:         0000
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0000;object=caCert;type=cert
RSA PKCS11 URIS
pkcs11:id=%00%00?pin-value=fo0m4nchU
pkcs11:id=%00%00?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt
pkcs11:id=%00%00
pkcs11:type=public;id=%00%00
pkcs11:type=private;id=%00%00
pkcs11:type=cert;object=caCert

Key pair generated:
Private Key Object; RSA 
  label:      testCert
  ID:         0001
  Usage:      decrypt, sign, signRecover, unwrap
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0001;object=testCert;type=private
Public Key Object; RSA 2048 bits
  label:      testCert
  ID:         0001
  Usage:      encrypt, verify, verifyRecover, wrap
  Access:     local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0001;object=testCert;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      testCert
  subject:    DN: O=PKCS11 Provider, CN=My Test Cert
  serial:     03
  ID:         0001
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0001;object=testCert;type=cert
RSA PKCS11 URIS
pkcs11:id=%00%01?pin-value=fo0m4nchU
pkcs11:id=%00%01?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt
pkcs11:id=%00%01
pkcs11:type=public;id=%00%01
pkcs11:type=private;id=%00%01
pkcs11:type=cert;object=testCert

Key pair generated:
Private Key Object; EC
  label:      ecCert
  ID:         0002
  Usage:      decrypt, sign, signRecover, unwrap, derive
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0002;object=ecCert;type=private
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104dfc0259c4c2e301fa2df8ce07471d8ce55813c2d3c1439c0bbeafe859924120c3d9f54d9027b3f44b3ff12e89c466ac08396320029ee64e8b56fd863351726d8
  EC_PARAMS:  06082a8648ce3d030107 (OID 1.2.840.10045.3.1.7)
  label:      ecCert
  ID:         0002
  Usage:      encrypt, verify, verifyRecover, wrap, derive
  Access:     local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0002;object=ecCert;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      ecCert
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert
  serial:     04
  ID:         0002
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0002;object=ecCert;type=cert
Key pair generated:
Private Key Object; EC
  label:      ecPeerCert
  ID:         0003
  Usage:      decrypt, sign, signRecover, unwrap, derive
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0003;object=ecPeerCert;type=private
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   0441041ff0bc2a4e5a9b2932f81ce067dd9ec351e6f5d707b6b3819fe0612e500b7fb38e8603213a9ca5571b9641381460b64e39c42efe5c46e4867df3b303f14e596c
  EC_PARAMS:  06082a8648ce3d030107 (OID 1.2.840.10045.3.1.7)
  label:      ecPeerCert
  ID:         0003
  Usage:      encrypt, verify, verifyRecover, wrap, derive
  Access:     local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0003;object=ecPeerCert;type=public
Generating a self signed certificate...
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 05
	Validity:
		Not Before: Thu Feb 20 18:55:21 UTC 2025
		Not After: Fri Feb 20 18:55:21 UTC 2026
	Subject: CN=My Peer EC Cert
	Subject Public Key Algorithm: EC/ECDSA
	Algorithm Security Level: High (256 bits)
		Curve:	SECP256R1
		X:
			1f:f0:bc:2a:4e:5a:9b:29:32:f8:1c:e0:67:dd:9e:c3
			51:e6:f5:d7:07:b6:b3:81:9f:e0:61:2e:50:0b:7f:b3
		Y:
			00:8e:86:03:21:3a:9c:a5:57:1b:96:41:38:14:60:b6
			4e:39:c4:2e:fe:5c:46:e4:86:7d:f3:b3:03:f1:4e:59
			6c
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): TRUE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
			Certificate signing.
		Subject Key Identifier (not critical):
			46d9b89c0a1f6eb0eb6880bd3372ccad2d18d2b5
Other Information:
	Public Key ID:
		sha1:46d9b89c0a1f6eb0eb6880bd3372ccad2d18d2b5
		sha256:a264191a492e0473ec992231a19be9cb41f3e1ad1647c2a44094a66b262d86cf
	Public Key PIN:
		pin-sha256:omQZGkkuBHPsmSIxoZvpy0Hz4a0WR8KkQJSmayYths8=



Signing certificate...
Created certificate:
Certificate Object; type = X.509 cert
  label:      ecPeerCert
  subject:    DN: CN=My Peer EC Cert
  serial:     05
  ID:         0003
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0003;object=ecPeerCert;type=cert
EC PKCS11 URIS
pkcs11:id=%00%02?pin-value=fo0m4nchU
pkcs11:id=%00%02?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt
pkcs11:id=%00%02
pkcs11:type=public;id=%00%02
pkcs11:type=private;id=%00%02
pkcs11:type=cert;object=ecCert
pkcs11:id=%00%03?pin-value=fo0m4nchU
pkcs11:id=%00%03?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt
pkcs11:id=%00%03
pkcs11:type=public;id=%00%03
pkcs11:type=private;id=%00%03
pkcs11:type=cert;object=ecPeerCert


## generate RSA key pair, self-signed certificate, remove public key
Key pair generated:
Private Key Object; RSA 
  label:      testCert2
  ID:         0005
  Usage:      decrypt, sign, signRecover, unwrap
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0005;object=testCert2;type=private
Public Key Object; RSA 2048 bits
  label:      testCert2
  ID:         0005
  Usage:      encrypt, verify, verifyRecover, wrap
  Access:     local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0005;object=testCert2;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      testCert2
  subject:    DN: O=PKCS11 Provider, CN=My Test Cert 2
  serial:     06
  ID:         0005
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0005;object=testCert2;type=cert
RSA2 PKCS11 URIS
pkcs11:id=%00%05?pin-value=fo0m4nchU
pkcs11:id=%00%05?pin-source=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt
pkcs11:id=%00%05
pkcs11:type=private;id=%00%05
pkcs11:type=cert;object=testCert2


## generate EC key pair, self-signed certificate, remove public key
Key pair generated:
Private Key Object; EC
  label:      ecCert2
  ID:         0006
  Usage:      decrypt, sign, signRecover, unwrap, derive
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0006;object=ecCert2;type=private
Public Key Object; EC  EC_POINT 384 bits
  EC_POINT:   0461043b00a926df30a63d16391c81c439ed7ad0973b2164eebf1dca215a9b454e8932c4bdcba8926d20ef6a6cd14e1a2e4989f58aaa046c36e9517ba0fca27e56c71b36cf7ef4d4555b8eb89fddfb9ec82f18822daae955fe1f5f31d64840321bc6f0
  EC_PARAMS:  06052b81040022 (OID 1.3.132.0.34)
  label:      ecCert2
  ID:         0006
  Usage:      encrypt, verify, verifyRecover, wrap, derive
  Access:     local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0006;object=ecCert2;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      ecCert2
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert 2
  serial:     07
  ID:         0006
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0006;object=ecCert2;type=cert
EC2 PKCS11 URIS
pkcs11:id=%00%06?pin-value=fo0m4nchU
pkcs11:id=%00%06?pin-source=file/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt
pkcs11:id=%00%06
pkcs11:type=private;id=%00%06
pkcs11:type=cert;object=ecCert2


## explicit EC unsupported

## generate EC key pair with ALWAYS AUTHENTICATE flag, self-signed certificate
Key pair generated:
Private Key Object; EC
  label:      ecCert3
  ID:         0008
  Usage:      decrypt, sign, signRecover, unwrap, derive
  Access:     always authenticate, sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0008;object=ecCert3;type=private
Public Key Object; EC  EC_POINT 528 bits
  EC_POINT:   048185040108146f36419ca1a560e8d03e33fde940c3a4385b0a61e8fb950d7e365d9c90b20ed606c4cab777efc570d961a6315a7bd49e0384b5b940b647ca12d2d407ab9143008f456f689ec74ada19a19d6d188400d09a85a514c27cbc8995b8b8e25e82603f5b6cfaf9a25b8b0374a90e3122b4b233ece93b8c689227edf78ddf796270fc2e39
  EC_PARAMS:  06052b81040023 (OID 1.3.132.0.35)
  label:      ecCert3
  ID:         0008
  Usage:      encrypt, verify, verifyRecover, wrap, derive
  Access:     local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0008;object=ecCert3;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      ecCert3
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert 3
  serial:     08
  ID:         0008
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0008;object=ecCert3;type=cert
EC3 PKCS11 URIS
pkcs11:id=%00%08?pin-value=fo0m4nchU
pkcs11:id=%00%08?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt
pkcs11:id=%00%08
pkcs11:type=public;id=%00%08
pkcs11:type=private;id=%00%08
pkcs11:type=cert;object=ecCert3

Key pair generated:
Private Key Object; RSA 
  label:      testRsaPssCert
  ID:         0010
  Usage:      decrypt, sign, signRecover, unwrap
  Access:     sensitive, always sensitive, never extractable, local
  Allowed mechanisms: RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS,SHA384-RSA-PKCS-PSS,SHA512-RSA-PKCS-PSS,SHA224-RSA-PKCS-PSS
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0010;object=testRsaPssCert;type=private
Public Key Object; RSA 2048 bits
  label:      testRsaPssCert
  ID:         0010
  Usage:      encrypt, verify, verifyRecover, wrap
  Access:     local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0010;object=testRsaPssCert;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      testRsaPssCert
  subject:    DN: O=PKCS11 Provider, CN=My RsaPss Cert
  serial:     09
  ID:         0010
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0010;object=testRsaPssCert;type=cert
RSA-PSS PKCS11 URIS
pkcs11:id=%00%10?pin-value=fo0m4nchU
pkcs11:id=%00%10?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt
pkcs11:id=%00%10
pkcs11:type=public;id=%00%10
pkcs11:type=private;id=%00%10
pkcs11:type=cert;object=testRsaPssCert

Key pair generated:
Private Key Object; RSA 
  label:      testRsaPss2Cert
  ID:         0011
  Usage:      decrypt, sign, signRecover, unwrap
  Access:     sensitive, always sensitive, never extractable, local
  Allowed mechanisms: SHA256-RSA-PKCS-PSS
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0011;object=testRsaPss2Cert;type=private
Public Key Object; RSA 3092 bits
  label:      testRsaPss2Cert
  ID:         0011
  Usage:      encrypt, verify, verifyRecover, wrap
  Access:     local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0011;object=testRsaPss2Cert;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      testRsaPss2Cert
  subject:    DN: O=PKCS11 Provider, CN=My RsaPss2 Cert
  serial:     0A
  ID:         0011
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0011;object=testRsaPss2Cert;type=cert
RSA-PSS 2 PKCS11 URIS
pkcs11:id=%00%11?pin-value=fo0m4nchU
pkcs11:id=%00%11?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt
pkcs11:id=%00%11
pkcs11:type=public;id=%00%11
pkcs11:type=private;id=%00%11
pkcs11:type=cert;object=testRsaPss2Cert


## Show contents of softhsm token
 ----------------------------------------------------------------------------------------------------
Public Key Object; RSA 3092 bits
  label:      testRsaPss2Cert
  ID:         0011
  Usage:      encrypt, verify, verifyRecover, wrap
  Access:     local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0011;object=testRsaPss2Cert;type=public
Private Key Object; RSA 
  label:      testRsaPssCert
  ID:         0010
  Usage:      decrypt, sign, signRecover, unwrap
  Access:     sensitive, always sensitive, never extractable, local
  Allowed mechanisms: RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS,SHA384-RSA-PKCS-PSS,SHA512-RSA-PKCS-PSS,SHA224-RSA-PKCS-PSS
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0010;object=testRsaPssCert;type=private
Certificate Object; type = X.509 cert
  label:      testCert2
  subject:    DN: O=PKCS11 Provider, CN=My Test Cert 2
  serial:     06
  ID:         0005
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0005;object=testCert2;type=cert
Public Key Object; RSA 2048 bits
  label:      testRsaPssCert
  ID:         0010
  Usage:      encrypt, verify, verifyRecover, wrap
  Access:     local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0010;object=testRsaPssCert;type=public
Public Key Object; EC  EC_POINT 528 bits
  EC_POINT:   048185040108146f36419ca1a560e8d03e33fde940c3a4385b0a61e8fb950d7e365d9c90b20ed606c4cab777efc570d961a6315a7bd49e0384b5b940b647ca12d2d407ab9143008f456f689ec74ada19a19d6d188400d09a85a514c27cbc8995b8b8e25e82603f5b6cfaf9a25b8b0374a90e3122b4b233ece93b8c689227edf78ddf796270fc2e39
  EC_PARAMS:  06052b81040023 (OID 1.3.132.0.35)
  label:      ecCert3
  ID:         0008
  Usage:      encrypt, verify, verifyRecover, wrap, derive
  Access:     local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0008;object=ecCert3;type=public
Private Key Object; RSA 
  label:      testCert
  ID:         0001
  Usage:      decrypt, sign, signRecover, unwrap
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0001;object=testCert;type=private
Certificate Object; type = X.509 cert
  label:      testRsaPssCert
  subject:    DN: O=PKCS11 Provider, CN=My RsaPss Cert
  serial:     09
  ID:         0010
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0010;object=testRsaPssCert;type=cert
Private Key Object; EC
  label:      ecCert3
  ID:         0008
  Usage:      decrypt, sign, signRecover, unwrap, derive
  Access:     always authenticate, sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0008;object=ecCert3;type=private
Private Key Object; RSA 
  label:      testCert2
  ID:         0005
  Usage:      decrypt, sign, signRecover, unwrap
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0005;object=testCert2;type=private
Certificate Object; type = X.509 cert
  label:      ecPeerCert
  subject:    DN: CN=My Peer EC Cert
  serial:     05
  ID:         0003
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0003;object=ecPeerCert;type=cert
Private Key Object; EC
  label:      ecPeerCert
  ID:         0003
  Usage:      decrypt, sign, signRecover, unwrap, derive
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0003;object=ecPeerCert;type=private
Certificate Object; type = X.509 cert
  label:      ecCert
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert
  serial:     04
  ID:         0002
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0002;object=ecCert;type=cert
Certificate Object; type = X.509 cert
  label:      testCert
  subject:    DN: O=PKCS11 Provider, CN=My Test Cert
  serial:     03
  ID:         0001
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0001;object=testCert;type=cert
Certificate Object; type = X.509 cert
  label:      ecCert2
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert 2
  serial:     07
  ID:         0006
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0006;object=ecCert2;type=cert
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   0441041ff0bc2a4e5a9b2932f81ce067dd9ec351e6f5d707b6b3819fe0612e500b7fb38e8603213a9ca5571b9641381460b64e39c42efe5c46e4867df3b303f14e596c
  EC_PARAMS:  06082a8648ce3d030107 (OID 1.2.840.10045.3.1.7)
  label:      ecPeerCert
  ID:         0003
  Usage:      encrypt, verify, verifyRecover, wrap, derive
  Access:     local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0003;object=ecPeerCert;type=public
Public Key Object; RSA 2048 bits
  label:      caCert
  ID:         0000
  Usage:      encrypt, verify, verifyRecover, wrap
  Access:     local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0000;object=caCert;type=public
Private Key Object; EC
  label:      ecCert2
  ID:         0006
  Usage:      decrypt, sign, signRecover, unwrap, derive
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0006;object=ecCert2;type=private
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104dfc0259c4c2e301fa2df8ce07471d8ce55813c2d3c1439c0bbeafe859924120c3d9f54d9027b3f44b3ff12e89c466ac08396320029ee64e8b56fd863351726d8
  EC_PARAMS:  06082a8648ce3d030107 (OID 1.2.840.10045.3.1.7)
  label:      ecCert
  ID:         0002
  Usage:      encrypt, verify, verifyRecover, wrap, derive
  Access:     local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0002;object=ecCert;type=public
Public Key Object; RSA 2048 bits
  label:      testCert
  ID:         0001
  Usage:      encrypt, verify, verifyRecover, wrap
  Access:     local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0001;object=testCert;type=public
Certificate Object; type = X.509 cert
  label:      ecCert3
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert 3
  serial:     08
  ID:         0008
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0008;object=ecCert3;type=cert
Private Key Object; RSA 
  label:      testRsaPss2Cert
  ID:         0011
  Usage:      decrypt, sign, signRecover, unwrap
  Access:     sensitive, always sensitive, never extractable, local
  Allowed mechanisms: SHA256-RSA-PKCS-PSS
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0011;object=testRsaPss2Cert;type=private
Private Key Object; RSA 
  label:      caCert
  ID:         0000
  Usage:      decrypt, sign, signRecover, unwrap
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0000;object=caCert;type=private
Certificate Object; type = X.509 cert
  label:      caCert
  subject:    DN: CN=Issuer
  serial:     02
  ID:         0000
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0000;object=caCert;type=cert
Private Key Object; EC
  label:      ecCert
  ID:         0002
  Usage:      decrypt, sign, signRecover, unwrap, derive
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0002;object=ecCert;type=private
Certificate Object; type = X.509 cert
  label:      testRsaPss2Cert
  subject:    DN: O=PKCS11 Provider, CN=My RsaPss2 Cert
  serial:     0A
  ID:         0011
  uri:        pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%0011;object=testRsaPss2Cert;type=cert
 ----------------------------------------------------------------------------------------------------

## Output configurations
Generate openssl config file
Export test variables to /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/testvars

                                      ##
########################################

----------------------------------- stderr -----------------------------------
+ source /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/helpers.sh
++ : /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests
++ helper_emit=1
++ sed --version
++ grep -q 'GNU sed'
++ sed_inplace=('-i')
++ export sed_inplace
+ '[' 1 -ne 1 ']'
+ TOKENTYPE=softhsm
+ SUPPORT_ED25519=1
+ SUPPORT_ED448=1
+ SUPPORT_RSA_PKCS1_ENCRYPTION=1
+ SUPPORT_RSA_KEYGEN_PUBLIC_EXPONENT=1
+ SUPPORT_TLSFUZZER=1
+ SUPPORT_ALLOWED_MECHANISMS=0
++ opensc-tool -i
++ grep OpenSC
++ sed -e 's/OpenSC 0\.\([0-9]*\).*/\1/'
+ OPENSC_VERSION=26
+ [[ 26 -le 25 ]]
+ PINVALUE=12345678
+ [[ '' = \1 ]]
++ cat /proc/sys/crypto/fips_enabled
+ [[ 1 = \1 ]]
+ SUPPORT_ED25519=0
+ SUPPORT_ED448=0
+ SUPPORT_RSA_PKCS1_ENCRYPTION=0
+ SUPPORT_RSA_KEYGEN_PUBLIC_EXPONENT=0
+ SUPPORT_TLSFUZZER=0
+ TOKENOPTIONS='pkcs11-module-assume-fips = true'
+ PINVALUE=fo0m4nchU
+ TMPPDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm
+ TOKDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/tokens
+ '[' -d /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm ']'
+ rm -fr /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm
+ mkdir /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm
+ mkdir /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/tokens
+ PINFILE=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt
+ echo fo0m4nchU
+ export GNUTLS_PIN=fo0m4nchU
+ GNUTLS_PIN=fo0m4nchU
+ '[' softhsm == softhsm ']'
+ source /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/softhsm-init.sh
++ title SECTION 'Searching for SoftHSM PKCS#11 library'
++ case "$1" in
++ shift 1
++ echo '########################################'
++ echo '## Searching for SoftHSM PKCS#11 library'
++ echo ''
++ command -v softhsm2-util
+++++ type -p softhsm2-util
++++ dirname /usr/bin/softhsm2-util
+++ dirname /usr/bin
++ softhsm_prefix=/usr
++ find_softhsm /usr/lib64/softhsm/libsofthsm2.so /usr/lib/softhsm/libsofthsm2.so /usr/lib64/pkcs11/libsofthsm2.so /usr/lib/pkcs11/libsofthsm2.so /usr/local/lib/softhsm/libsofthsm2.so /usr/lib64/pkcs11/libsofthsm2.so /usr/lib/pkcs11/libsofthsm2.so /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
++ for _lib in "$@"
++ test -f /usr/lib64/softhsm/libsofthsm2.so
++ for _lib in "$@"
++ test -f /usr/lib/softhsm/libsofthsm2.so
++ for _lib in "$@"
++ test -f /usr/lib64/pkcs11/libsofthsm2.so
++ echo 'Using softhsm path /usr/lib64/pkcs11/libsofthsm2.so'
++ P11LIB=/usr/lib64/pkcs11/libsofthsm2.so
++ return
++ export P11LIB
++ title SECTION 'Set up testing system'
++ case "$1" in
++ shift 1
++ echo '########################################'
++ echo '## Set up testing system'
++ echo ''
++ cat
++ export SOFTHSM2_CONF=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/softhsm.conf
++ SOFTHSM2_CONF=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/softhsm.conf
++ export 'TOKENLABEL=SoftHSM Token'
++ TOKENLABEL='SoftHSM Token'
++ export TOKENLABELURI=SoftHSM%20Token
++ TOKENLABELURI=SoftHSM%20Token
++ softhsm2-util --init-token --label 'SoftHSM Token' --free --pin fo0m4nchU --so-pin fo0m4nchU
++ export 'TOKENOPTIONS=pkcs11-module-assume-fips = true\npkcs11-module-quirks = no-deinit no-operation-state'
++ TOKENOPTIONS='pkcs11-module-assume-fips = true\npkcs11-module-quirks = no-deinit no-operation-state'
++ export 'TOKENCONFIGVARS=export SOFTHSM2_CONF=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/softhsm.conf'
++ TOKENCONFIGVARS='export SOFTHSM2_CONF=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/softhsm.conf'
++ export TESTPORT=32000
++ TESTPORT=32000
++ export SUPPORT_ALLOWED_MECHANISMS=1
++ SUPPORT_ALLOWED_MECHANISMS=1
+ SEEDFILE=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/noisefile.bin
+ dd if=/dev/urandom of=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/noisefile.bin bs=2048 count=1
+ RAND64FILE=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/64krandom.bin
+ dd if=/dev/urandom of=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/64krandom.bin bs=2048 count=32
++ uname
+ '[' Linux == Darwin ']'
++ type -p certtool
+ certtool=/usr/bin/certtool
+ '[' -z /usr/bin/certtool ']'
+ P11DEFARGS=("--module=${P11LIB}" "--login" "--pin=${PINVALUE}" "--token-label=${TOKENLABEL}")
+ cat
+ SERIAL=1
+ title LINE 'Creating new Self Sign CA'
+ case "$1" in
+ shift 1
+ echo 'Creating new Self Sign CA'
+ KEYID=0000
+ URIKEYID=%00%00
+ CACRTN=caCert
+ pkcs11-tool --module=/usr/lib64/pkcs11/libsofthsm2.so --login --pin=fo0m4nchU '--token-label=SoftHSM Token' --keypairgen --key-type=RSA:2048 --label=caCert --id=0000
+ crt_selfsign caCert Issuer 0000
+ LABEL=caCert
+ CN=Issuer
+ KEYID=0000
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = Issuer|g' -e 's|serial = .*|serial = 2|g' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/cacert.cfg
+ /usr/bin/certtool --generate-self-signed --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/cacert.cfg --provider=/usr/lib64/pkcs11/libsofthsm2.so --load-privkey 'pkcs11:object=caCert;token=SoftHSM%20Token;type=private' --load-pubkey 'pkcs11:object=caCert;token=SoftHSM%20Token;type=public' --outder
+ pkcs11-tool --module=/usr/lib64/pkcs11/libsofthsm2.so --login --pin=fo0m4nchU '--token-label=SoftHSM Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.crt --type=cert --id=0000 --label=caCert
+ CACRT_PEM=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.pem
+ CACRT=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.crt
+ openssl x509 -inform DER -in /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.crt -outform PEM -out /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.pem
+ CABASEURIWITHPINVALUE='pkcs11:id=%00%00?pin-value=fo0m4nchU'
+ CABASEURIWITHPINSOURCE='pkcs11:id=%00%00?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt'
+ CABASEURI=pkcs11:id=%00%00
+ CAPUBURI='pkcs11:type=public;id=%00%00'
+ CAPRIURI='pkcs11:type=private;id=%00%00'
+ CACRTURI='pkcs11:type=cert;object=caCert'
+ title LINE 'RSA PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'RSA PKCS11 URIS'
+ echo 'pkcs11:id=%00%00?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%00?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt'
+ echo pkcs11:id=%00%00
+ echo 'pkcs11:type=public;id=%00%00'
+ echo 'pkcs11:type=private;id=%00%00'
+ echo 'pkcs11:type=cert;object=caCert'
+ echo ''
+ cat /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/cacert.cfg
+ echo 'organization = "PKCS11 Provider"'
+ sed -e '/^cert_signing_key$/d' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/cert.cfg
+ KEYID=0001
+ URIKEYID=%00%01
+ TSTCRTN=testCert
+ pkcs11-tool --module=/usr/lib64/pkcs11/libsofthsm2.so --login --pin=fo0m4nchU '--token-label=SoftHSM Token' --keypairgen --key-type=RSA:2048 --label=testCert --id=0001
+ ca_sign testCert 'My Test Cert' 0001
+ LABEL=testCert
+ CN='My Test Cert'
+ KEYID=0001
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My Test Cert|g' -e 's|serial = .*|serial = 3|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/testCert.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/cert.cfg --provider=/usr/lib64/pkcs11/libsofthsm2.so --load-privkey 'pkcs11:object=testCert;token=SoftHSM%20Token;type=private' --load-pubkey 'pkcs11:object=testCert;token=SoftHSM%20Token;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=SoftHSM%20Token;type=private'
Generating a signed certificate...
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 03
	Validity:
		Not Before: Thu Feb 20 18:55:20 UTC 2025
		Not After: Fri Feb 20 18:55:20 UTC 2026
	Subject: CN=My Test Cert,O=PKCS11 Provider
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: Medium (2048 bits)
		Modulus (bits 2048):
			00:b9:b7:c9:1d:51:ed:15:8f:4e:2c:f2:8f:bb:9f:bf
			51:75:d9:04:b1:70:43:cd:6c:d5:61:42:b3:bc:15:23
			26:4a:47:e0:4e:5e:23:0f:1e:d9:6c:9c:95:d3:e3:0f
			d2:1a:a4:56:49:25:88:32:24:f7:27:a8:f3:f7:e7:23
			63:fc:c9:b6:0f:6d:ee:62:9a:ed:77:ab:8d:5d:4e:70
			de:5b:50:ef:0c:2f:fe:17:55:30:6f:04:41:72:9c:80
			2e:21:4b:cc:db:14:b9:d9:21:76:e4:c0:25:be:31:cc
			7d:93:cc:7e:26:f2:c2:03:cc:d3:f6:dc:c0:e4:78:77
			74:cc:e4:44:e3:30:aa:48:b5:bc:3c:f8:a3:03:b3:a1
			5c:55:1e:e9:6f:7f:fb:64:44:09:20:2d:03:11:11:33
			e3:62:56:ea:f4:cf:42:1e:a1:8b:aa:8e:c8:c8:c1:a7
			48:45:b5:e4:b8:cd:8a:cb:47:b4:96:3a:d0:73:82:44
			ac:e6:42:4a:e4:ab:74:22:40:d7:95:d0:67:b3:64:e6
			f6:ff:63:a5:3e:38:d7:cf:b6:38:6a:5c:76:ff:5c:40
			db:83:2e:1b:5e:b7:aa:56:f3:dd:50:72:de:7d:82:dd
			77:07:66:f8:70:69:13:b3:41:02:ee:f7:82:c6:ee:55
			1d
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
			Key encipherment.
		Subject Key Identifier (not critical):
			19721e9de3234125644e790ce508bdf02d935a53
		Authority Key Identifier (not critical):
			c9b09109af3f21ac6724faa2dd43744ea85331f6
Other Information:
	Public Key ID:
		sha1:19721e9de3234125644e790ce508bdf02d935a53
		sha256:186cfac3e72c28d2cd5ab60cde4770831c68fd75b9cd5a35a937d02e76d2e173
	Public Key PIN:
		pin-sha256:GGz6w+csKNLNWrYM3kdwgxxo/XW5zVo1qTfQLnbS4XM=



Signing certificate...
+ pkcs11-tool --module=/usr/lib64/pkcs11/libsofthsm2.so --login --pin=fo0m4nchU '--token-label=SoftHSM Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/testCert.crt --type=cert --id=0001 --label=testCert
+ BASEURIWITHPINVALUE='pkcs11:id=%00%01?pin-value=fo0m4nchU'
+ BASEURIWITHPINSOURCE='pkcs11:id=%00%01?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt'
+ BASEURI=pkcs11:id=%00%01
+ PUBURI='pkcs11:type=public;id=%00%01'
+ PRIURI='pkcs11:type=private;id=%00%01'
+ CRTURI='pkcs11:type=cert;object=testCert'
+ title LINE 'RSA PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'RSA PKCS11 URIS'
+ echo 'pkcs11:id=%00%01?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%01?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt'
+ echo pkcs11:id=%00%01
+ echo 'pkcs11:type=public;id=%00%01'
+ echo 'pkcs11:type=private;id=%00%01'
+ echo 'pkcs11:type=cert;object=testCert'
+ echo ''
+ KEYID=0002
+ URIKEYID=%00%02
+ ECCRTN=ecCert
+ pkcs11-tool --module=/usr/lib64/pkcs11/libsofthsm2.so --login --pin=fo0m4nchU '--token-label=SoftHSM Token' --keypairgen --key-type=EC:secp256r1 --label=ecCert --id=0002
+ ca_sign ecCert 'My EC Cert' 0002
+ LABEL=ecCert
+ CN='My EC Cert'
+ KEYID=0002
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My EC Cert|g' -e 's|serial = .*|serial = 4|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/ecCert.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/cert.cfg --provider=/usr/lib64/pkcs11/libsofthsm2.so --load-privkey 'pkcs11:object=ecCert;token=SoftHSM%20Token;type=private' --load-pubkey 'pkcs11:object=ecCert;token=SoftHSM%20Token;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=SoftHSM%20Token;type=private'
Generating a signed certificate...
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 04
	Validity:
		Not Before: Thu Feb 20 18:55:20 UTC 2025
		Not After: Fri Feb 20 18:55:20 UTC 2026
	Subject: CN=My EC Cert,O=PKCS11 Provider
	Subject Public Key Algorithm: EC/ECDSA
	Algorithm Security Level: High (256 bits)
		Curve:	SECP256R1
		X:
			00:df:c0:25:9c:4c:2e:30:1f:a2:df:8c:e0:74:71:d8
			ce:55:81:3c:2d:3c:14:39:c0:bb:ea:fe:85:99:24:12
			0c
		Y:
			3d:9f:54:d9:02:7b:3f:44:b3:ff:12:e8:9c:46:6a:c0
			83:96:32:00:29:ee:64:e8:b5:6f:d8:63:35:17:26:d8
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
		Subject Key Identifier (not critical):
			ddcbf611dd877c1e216e7859cb62588bab901065
		Authority Key Identifier (not critical):
			c9b09109af3f21ac6724faa2dd43744ea85331f6
Other Information:
	Public Key ID:
		sha1:ddcbf611dd877c1e216e7859cb62588bab901065
		sha256:3b17af1a1cc76524d03b09492dacf2355b7c7cf1a56ce182139f937fb9e07aec
	Public Key PIN:
		pin-sha256:OxevGhzHZSTQOwlJLazyNVt8fPGlbOGCE5+Tf7ngeuw=



Signing certificate...
+ pkcs11-tool --module=/usr/lib64/pkcs11/libsofthsm2.so --login --pin=fo0m4nchU '--token-label=SoftHSM Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/ecCert.crt --type=cert --id=0002 --label=ecCert
+ ECBASEURIWITHPINVALUE='pkcs11:id=%00%02?pin-value=fo0m4nchU'
+ ECBASEURIWITHPINSOURCE='pkcs11:id=%00%02?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt'
+ ECBASEURI=pkcs11:id=%00%02
+ ECPUBURI='pkcs11:type=public;id=%00%02'
+ ECPRIURI='pkcs11:type=private;id=%00%02'
+ ECCRTURI='pkcs11:type=cert;object=ecCert'
+ KEYID=0003
+ URIKEYID=%00%03
+ ECPEERCRTN=ecPeerCert
+ pkcs11-tool --module=/usr/lib64/pkcs11/libsofthsm2.so --login --pin=fo0m4nchU '--token-label=SoftHSM Token' --keypairgen --key-type=EC:secp256r1 --label=ecPeerCert --id=0003
+ crt_selfsign ecPeerCert 'My Peer EC Cert' 0003
+ LABEL=ecPeerCert
+ CN='My Peer EC Cert'
+ KEYID=0003
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My Peer EC Cert|g' -e 's|serial = .*|serial = 5|g' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/cacert.cfg
+ /usr/bin/certtool --generate-self-signed --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/ecPeerCert.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/cacert.cfg --provider=/usr/lib64/pkcs11/libsofthsm2.so --load-privkey 'pkcs11:object=ecPeerCert;token=SoftHSM%20Token;type=private' --load-pubkey 'pkcs11:object=ecPeerCert;token=SoftHSM%20Token;type=public' --outder
+ pkcs11-tool --module=/usr/lib64/pkcs11/libsofthsm2.so --login --pin=fo0m4nchU '--token-label=SoftHSM Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/ecPeerCert.crt --type=cert --id=0003 --label=ecPeerCert
+ ECPEERBASEURIWITHPINVALUE='pkcs11:id=%00%03?pin-value=fo0m4nchU'
+ ECPEERBASEURIWITHPINSOURCE='pkcs11:id=%00%03?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt'
+ ECPEERBASEURI=pkcs11:id=%00%03
+ ECPEERPUBURI='pkcs11:type=public;id=%00%03'
+ ECPEERPRIURI='pkcs11:type=private;id=%00%03'
+ ECPEERCRTURI='pkcs11:type=cert;object=ecPeerCert'
+ title LINE 'EC PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'EC PKCS11 URIS'
+ echo 'pkcs11:id=%00%02?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%02?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt'
+ echo pkcs11:id=%00%02
+ echo 'pkcs11:type=public;id=%00%02'
+ echo 'pkcs11:type=private;id=%00%02'
+ echo 'pkcs11:type=cert;object=ecCert'
+ echo 'pkcs11:id=%00%03?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%03?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt'
+ echo pkcs11:id=%00%03
+ echo 'pkcs11:type=public;id=%00%03'
+ echo 'pkcs11:type=private;id=%00%03'
+ echo 'pkcs11:type=cert;object=ecPeerCert'
+ echo ''
+ '[' 0 -eq 1 ']'
+ '[' 0 -eq 1 ']'
+ title PARA 'generate RSA key pair, self-signed certificate, remove public key'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## generate RSA key pair, self-signed certificate, remove public key'
+ '[' -f '' ']'
+ KEYID=0005
+ URIKEYID=%00%05
+ TSTCRTN=testCert2
+ pkcs11-tool --module=/usr/lib64/pkcs11/libsofthsm2.so --login --pin=fo0m4nchU '--token-label=SoftHSM Token' --keypairgen --key-type=RSA:2048 --label=testCert2 --id=0005
+ ca_sign testCert2 'My Test Cert 2' 0005
+ LABEL=testCert2
+ CN='My Test Cert 2'
+ KEYID=0005
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My Test Cert 2|g' -e 's|serial = .*|serial = 6|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/testCert2.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/cert.cfg --provider=/usr/lib64/pkcs11/libsofthsm2.so --load-privkey 'pkcs11:object=testCert2;token=SoftHSM%20Token;type=private' --load-pubkey 'pkcs11:object=testCert2;token=SoftHSM%20Token;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=SoftHSM%20Token;type=private'
Generating a signed certificate...

Expiration time: Fri Feb 20 13:55:21 2026
CA expiration time: Fri Feb 20 13:55:20 2026
Warning: The time set exceeds the CA's expiration time
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 06
	Validity:
		Not Before: Thu Feb 20 18:55:21 UTC 2025
		Not After: Fri Feb 20 18:55:21 UTC 2026
	Subject: CN=My Test Cert 2,O=PKCS11 Provider
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: Medium (2048 bits)
		Modulus (bits 2048):
			00:e4:32:de:c4:15:48:26:00:04:71:f1:b0:95:8a:6a
			b2:d6:d1:b9:59:41:e0:71:ad:c5:e7:06:57:f1:30:3a
			bc:91:fb:08:4d:51:5f:c1:24:9b:d9:ae:31:1d:51:09
			e0:ef:40:4b:a9:a3:98:bd:53:70:d1:33:27:2a:dc:10
			b0:60:d0:f8:d9:ea:8e:a5:d6:8e:9f:d7:a1:f9:43:cd
			8c:d7:f2:43:14:74:da:f2:ac:a8:5d:31:58:a7:05:c0
			fe:2c:6c:16:cb:56:73:d8:fd:25:44:32:d9:c1:74:f4
			a2:cd:07:7c:32:14:70:2e:b4:8f:d3:9a:88:08:60:91
			21:a5:14:6b:22:a3:01:f0:9c:d4:01:a7:b6:eb:fb:32
			ba:8f:3a:bd:cf:4f:ac:78:60:6f:7b:e4:9c:73:9e:6d
			9c:2e:62:4c:4b:7b:d8:39:81:38:55:51:22:44:d7:22
			cd:b8:fc:c6:a2:aa:9a:39:bd:8d:63:76:0b:2e:2e:14
			46:63:3b:c0:41:35:a2:c2:5b:17:33:26:05:c6:e8:d4
			4d:47:2e:79:07:d3:3f:14:0e:13:dc:3e:01:21:30:21
			bc:d9:cb:d0:86:b4:d4:a9:0a:dc:f0:a4:c8:4c:05:24
			60:e9:b4:f7:14:a9:82:34:93:5a:92:18:15:12:f9:f0
			67
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
			Key encipherment.
		Subject Key Identifier (not critical):
			c2365fb51a910065d103631bd89d6ddc70a6f5cb
		Authority Key Identifier (not critical):
			c9b09109af3f21ac6724faa2dd43744ea85331f6
Other Information:
	Public Key ID:
		sha1:c2365fb51a910065d103631bd89d6ddc70a6f5cb
		sha256:e2186a976d599ae1f7776e46e4ddebbd4d443641de5e160cdaf4d36079a5164e
	Public Key PIN:
		pin-sha256:4hhql21ZmuH3d25G5N3rvU1ENkHeXhYM2vTTYHmlFk4=



Signing certificate...
+ pkcs11-tool --module=/usr/lib64/pkcs11/libsofthsm2.so --login --pin=fo0m4nchU '--token-label=SoftHSM Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/testCert2.crt --type=cert --id=0005 --label=testCert2
+ pkcs11-tool --module=/usr/lib64/pkcs11/libsofthsm2.so --login --pin=fo0m4nchU '--token-label=SoftHSM Token' --delete-object --type pubkey --id 0005
+ BASE2URIWITHPINVALUE='pkcs11:id=%00%05?pin-value=fo0m4nchU'
+ BASE2URIWITHPINSOURCE='pkcs11:id=%00%05?pin-source=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt'
+ BASE2URI=pkcs11:id=%00%05
+ PRI2URI='pkcs11:type=private;id=%00%05'
+ CRT2URI='pkcs11:type=cert;object=testCert2'
+ title LINE 'RSA2 PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'RSA2 PKCS11 URIS'
+ echo 'pkcs11:id=%00%05?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%05?pin-source=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt'
+ echo pkcs11:id=%00%05
+ echo 'pkcs11:type=private;id=%00%05'
+ echo 'pkcs11:type=cert;object=testCert2'
+ echo ''
+ title PARA 'generate EC key pair, self-signed certificate, remove public key'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## generate EC key pair, self-signed certificate, remove public key'
+ '[' -f '' ']'
+ KEYID=0006
+ URIKEYID=%00%06
+ TSTCRTN=ecCert2
+ pkcs11-tool --module=/usr/lib64/pkcs11/libsofthsm2.so --login --pin=fo0m4nchU '--token-label=SoftHSM Token' --keypairgen --key-type=EC:secp384r1 --label=ecCert2 --id=0006
+ ca_sign ecCert2 'My EC Cert 2' 0006
+ LABEL=ecCert2
+ CN='My EC Cert 2'
+ KEYID=0006
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My EC Cert 2|g' -e 's|serial = .*|serial = 7|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/ecCert2.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/cert.cfg --provider=/usr/lib64/pkcs11/libsofthsm2.so --load-privkey 'pkcs11:object=ecCert2;token=SoftHSM%20Token;type=private' --load-pubkey 'pkcs11:object=ecCert2;token=SoftHSM%20Token;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=SoftHSM%20Token;type=private'
Generating a signed certificate...

Expiration time: Fri Feb 20 13:55:21 2026
CA expiration time: Fri Feb 20 13:55:20 2026
Warning: The time set exceeds the CA's expiration time
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 07
	Validity:
		Not Before: Thu Feb 20 18:55:21 UTC 2025
		Not After: Fri Feb 20 18:55:21 UTC 2026
	Subject: CN=My EC Cert 2,O=PKCS11 Provider
	Subject Public Key Algorithm: EC/ECDSA
	Algorithm Security Level: Ultra (384 bits)
		Curve:	SECP384R1
		X:
			3b:00:a9:26:df:30:a6:3d:16:39:1c:81:c4:39:ed:7a
			d0:97:3b:21:64:ee:bf:1d:ca:21:5a:9b:45:4e:89:32
			c4:bd:cb:a8:92:6d:20:ef:6a:6c:d1:4e:1a:2e:49:89
		Y:
			00:f5:8a:aa:04:6c:36:e9:51:7b:a0:fc:a2:7e:56:c7
			1b:36:cf:7e:f4:d4:55:5b:8e:b8:9f:dd:fb:9e:c8:2f
			18:82:2d:aa:e9:55:fe:1f:5f:31:d6:48:40:32:1b:c6
			f0
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
		Subject Key Identifier (not critical):
			4e63a85c976ccca03ac49b3282bdca7c29970beb
		Authority Key Identifier (not critical):
			c9b09109af3f21ac6724faa2dd43744ea85331f6
Other Information:
	Public Key ID:
		sha1:4e63a85c976ccca03ac49b3282bdca7c29970beb
		sha256:69990f14986c99b946c13c4754ce2b7046f1e5724fb8fd25a6429d37019a9708
	Public Key PIN:
		pin-sha256:aZkPFJhsmblGwTxHVM4rcEbx5XJPuP0lpkKdNwGalwg=



Signing certificate...
+ pkcs11-tool --module=/usr/lib64/pkcs11/libsofthsm2.so --login --pin=fo0m4nchU '--token-label=SoftHSM Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/ecCert2.crt --type=cert --id=0006 --label=ecCert2
+ pkcs11-tool --module=/usr/lib64/pkcs11/libsofthsm2.so --login --pin=fo0m4nchU '--token-label=SoftHSM Token' --delete-object --type pubkey --id 0006
+ ECBASE2URIWITHPINVALUE='pkcs11:id=%00%06?pin-value=fo0m4nchU'
+ ECBASE2URIWITHPINSOURCE='pkcs11:id=%00%06?pin-source=file/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt'
+ ECBASE2URI=pkcs11:id=%00%06
+ ECPRI2URI='pkcs11:type=private;id=%00%06'
+ ECCRT2URI='pkcs11:type=cert;object=ecCert2'
+ title LINE 'EC2 PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'EC2 PKCS11 URIS'
+ echo 'pkcs11:id=%00%06?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%06?pin-source=file/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt'
+ echo pkcs11:id=%00%06
+ echo 'pkcs11:type=private;id=%00%06'
+ echo 'pkcs11:type=cert;object=ecCert2'
+ echo ''
+ '[' -z '' ']'
+ title PARA 'explicit EC unsupported'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## explicit EC unsupported'
+ '[' -f '' ']'
+ title PARA 'generate EC key pair with ALWAYS AUTHENTICATE flag, self-signed certificate'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## generate EC key pair with ALWAYS AUTHENTICATE flag, self-signed certificate'
+ '[' -f '' ']'
+ KEYID=0008
+ URIKEYID=%00%08
+ TSTCRTN=ecCert3
+ pkcs11-tool --module=/usr/lib64/pkcs11/libsofthsm2.so --login --pin=fo0m4nchU '--token-label=SoftHSM Token' --keypairgen --key-type=EC:secp521r1 --label=ecCert3 --id=0008 --always-auth
+ ca_sign ecCert3 'My EC Cert 3' 0008
+ LABEL=ecCert3
+ CN='My EC Cert 3'
+ KEYID=0008
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My EC Cert 3|g' -e 's|serial = .*|serial = 8|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/ecCert3.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/cert.cfg --provider=/usr/lib64/pkcs11/libsofthsm2.so --load-privkey 'pkcs11:object=ecCert3;token=SoftHSM%20Token;type=private' --load-pubkey 'pkcs11:object=ecCert3;token=SoftHSM%20Token;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=SoftHSM%20Token;type=private'
Generating a signed certificate...

Expiration time: Fri Feb 20 13:55:21 2026
CA expiration time: Fri Feb 20 13:55:20 2026
Warning: The time set exceeds the CA's expiration time
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 08
	Validity:
		Not Before: Thu Feb 20 18:55:21 UTC 2025
		Not After: Fri Feb 20 18:55:21 UTC 2026
	Subject: CN=My EC Cert 3,O=PKCS11 Provider
	Subject Public Key Algorithm: EC/ECDSA
	Algorithm Security Level: Future (528 bits)
		Curve:	SECP521R1
		X:
			01:08:14:6f:36:41:9c:a1:a5:60:e8:d0:3e:33:fd:e9
			40:c3:a4:38:5b:0a:61:e8:fb:95:0d:7e:36:5d:9c:90
			b2:0e:d6:06:c4:ca:b7:77:ef:c5:70:d9:61:a6:31:5a
			7b:d4:9e:03:84:b5:b9:40:b6:47:ca:12:d2:d4:07:ab
			91:43
		Y:
			00:8f:45:6f:68:9e:c7:4a:da:19:a1:9d:6d:18:84:00
			d0:9a:85:a5:14:c2:7c:bc:89:95:b8:b8:e2:5e:82:60
			3f:5b:6c:fa:f9:a2:5b:8b:03:74:a9:0e:31:22:b4:b2
			33:ec:e9:3b:8c:68:92:27:ed:f7:8d:df:79:62:70:fc
			2e:39
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
		Subject Key Identifier (not critical):
			707d9a5404730255da32398a371090108895a1a4
		Authority Key Identifier (not critical):
			c9b09109af3f21ac6724faa2dd43744ea85331f6
Other Information:
	Public Key ID:
		sha1:707d9a5404730255da32398a371090108895a1a4
		sha256:c474ea336bdc5a051aefa3944e2d4c70de72acff11a2e7142435c0ac4078f7c2
	Public Key PIN:
		pin-sha256:xHTqM2vcWgUa76OUTi1McN5yrP8RoucUJDXArEB498I=



Signing certificate...
+ pkcs11-tool --module=/usr/lib64/pkcs11/libsofthsm2.so --login --pin=fo0m4nchU '--token-label=SoftHSM Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/ecCert3.crt --type=cert --id=0008 --label=ecCert3
+ ECBASE3URIWITHPINVALUE='pkcs11:id=%00%08?pin-value=fo0m4nchU'
+ ECBASE3URIWITHPINSOURCE='pkcs11:id=%00%08?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt'
+ ECBASE3URI=pkcs11:id=%00%08
+ ECPUB3URI='pkcs11:type=public;id=%00%08'
+ ECPRI3URI='pkcs11:type=private;id=%00%08'
+ ECCRT3URI='pkcs11:type=cert;object=ecCert3'
+ title LINE 'EC3 PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'EC3 PKCS11 URIS'
+ echo 'pkcs11:id=%00%08?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%08?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt'
+ echo pkcs11:id=%00%08
+ echo 'pkcs11:type=public;id=%00%08'
+ echo 'pkcs11:type=private;id=%00%08'
+ echo 'pkcs11:type=cert;object=ecCert3'
+ echo ''
+ '[' 1 -eq 1 ']'
+ KEYID=0010
+ URIKEYID=%00%10
+ TSTCRTN=testRsaPssCert
+ pkcs11-tool --module=/usr/lib64/pkcs11/libsofthsm2.so --login --pin=fo0m4nchU '--token-label=SoftHSM Token' --keypairgen --key-type=RSA:2048 --label=testRsaPssCert --id=0010 --allowed-mechanisms RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA224-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS,SHA384-RSA-PKCS-PSS,SHA512-RSA-PKCS-PSS
+ ca_sign testRsaPssCert 'My RsaPss Cert' 0010 --sign-params=RSA-PSS
+ LABEL=testRsaPssCert
+ CN='My RsaPss Cert'
+ KEYID=0010
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My RsaPss Cert|g' -e 's|serial = .*|serial = 9|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/testRsaPssCert.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/cert.cfg --provider=/usr/lib64/pkcs11/libsofthsm2.so --load-privkey 'pkcs11:object=testRsaPssCert;token=SoftHSM%20Token;type=private' --load-pubkey 'pkcs11:object=testRsaPssCert;token=SoftHSM%20Token;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=SoftHSM%20Token;type=private' --sign-params=RSA-PSS
Generating a signed certificate...

Expiration time: Fri Feb 20 13:55:22 2026
CA expiration time: Fri Feb 20 13:55:20 2026
Warning: The time set exceeds the CA's expiration time
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 09
	Validity:
		Not Before: Thu Feb 20 18:55:22 UTC 2025
		Not After: Fri Feb 20 18:55:22 UTC 2026
	Subject: CN=My RsaPss Cert,O=PKCS11 Provider
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: Medium (2048 bits)
		Modulus (bits 2048):
			00:c6:f2:c0:e8:a2:6a:fb:bf:9b:fe:02:5c:94:b1:51
			81:ea:56:85:3e:3a:1a:8f:01:c0:3c:2e:93:b7:38:5d
			37:ba:1c:7a:07:a3:44:90:f6:14:35:4f:31:0f:9c:f3
			ef:a9:df:61:31:3a:ea:3d:fa:66:ae:95:e8:de:0a:da
			ab:65:59:58:0c:95:ef:97:a0:68:1a:50:57:f5:66:dc
			53:24:bd:9b:c3:b0:e5:89:f0:80:a4:13:9c:3b:3f:eb
			d3:a3:a5:e6:ae:eb:2d:09:66:bc:b8:5a:1f:96:80:bd
			87:a9:04:16:53:fb:ab:b0:1b:f2:36:9f:b9:c7:7d:54
			97:e1:40:a3:a3:85:d0:5c:ab:9b:35:82:74:80:c1:f0
			4f:2c:f5:0a:d8:3c:71:95:78:de:66:8e:f2:be:61:34
			b4:92:5f:84:2b:81:5f:20:04:cd:67:10:a7:68:f1:ca
			05:16:e0:64:91:6b:84:4b:c0:f2:58:1a:a1:39:9a:fd
			3a:83:c1:41:58:0b:e0:28:e3:b9:05:b5:f4:a2:97:28
			9e:f1:ad:eb:6f:16:77:9e:9e:de:86:01:f1:c4:b3:b9
			f1:b4:ac:fc:ef:3f:d9:84:02:9c:a9:47:e5:9b:11:e8
			b8:1f:ca:6a:0b:ad:77:b7:e3:1d:b0:6d:2f:e8:20:84
			a3
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
			Key encipherment.
		Subject Key Identifier (not critical):
			fddea4ee1cf21a82cf8c6ea1737397cd3b57795c
		Authority Key Identifier (not critical):
			c9b09109af3f21ac6724faa2dd43744ea85331f6
Other Information:
	Public Key ID:
		sha1:fddea4ee1cf21a82cf8c6ea1737397cd3b57795c
		sha256:97cd77cdf66036ef9b68def09df5f734ef35256292f8307033027a37952c2690
	Public Key PIN:
		pin-sha256:l813zfZgNu+baN7wnfX3NO81JWKS+DBwMwJ6N5UsJpA=



Signing certificate...
+ pkcs11-tool --module=/usr/lib64/pkcs11/libsofthsm2.so --login --pin=fo0m4nchU '--token-label=SoftHSM Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/testRsaPssCert.crt --type=cert --id=0010 --label=testRsaPssCert
+ RSAPSSBASEURIWITHPINVALUE='pkcs11:id=%00%10?pin-value=fo0m4nchU'
+ RSAPSSBASEURIWITHPINSOURCE='pkcs11:id=%00%10?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt'
+ RSAPSSBASEURI=pkcs11:id=%00%10
+ RSAPSSPUBURI='pkcs11:type=public;id=%00%10'
+ RSAPSSPRIURI='pkcs11:type=private;id=%00%10'
+ RSAPSSCRTURI='pkcs11:type=cert;object=testRsaPssCert'
+ title LINE 'RSA-PSS PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'RSA-PSS PKCS11 URIS'
+ echo 'pkcs11:id=%00%10?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%10?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt'
+ echo pkcs11:id=%00%10
+ echo 'pkcs11:type=public;id=%00%10'
+ echo 'pkcs11:type=private;id=%00%10'
+ echo 'pkcs11:type=cert;object=testRsaPssCert'
+ echo ''
+ KEYID=0011
+ URIKEYID=%00%11
+ TSTCRTN=testRsaPss2Cert
+ pkcs11-tool --module=/usr/lib64/pkcs11/libsofthsm2.so --login --pin=fo0m4nchU '--token-label=SoftHSM Token' --keypairgen --key-type=RSA:3092 --label=testRsaPss2Cert --id=0011 --allowed-mechanisms SHA256-RSA-PKCS-PSS
+ ca_sign testRsaPss2Cert 'My RsaPss2 Cert' 0011 --sign-params=RSA-PSS --hash=SHA256
+ LABEL=testRsaPss2Cert
+ CN='My RsaPss2 Cert'
+ KEYID=0011
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My RsaPss2 Cert|g' -e 's|serial = .*|serial = 10|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/testRsaPss2Cert.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/cert.cfg --provider=/usr/lib64/pkcs11/libsofthsm2.so --load-privkey 'pkcs11:object=testRsaPss2Cert;token=SoftHSM%20Token;type=private' --load-pubkey 'pkcs11:object=testRsaPss2Cert;token=SoftHSM%20Token;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=SoftHSM%20Token;type=private' --sign-params=RSA-PSS --hash=SHA256
Generating a signed certificate...

Expiration time: Fri Feb 20 13:55:23 2026
CA expiration time: Fri Feb 20 13:55:20 2026
Warning: The time set exceeds the CA's expiration time
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 0a
	Validity:
		Not Before: Thu Feb 20 18:55:23 UTC 2025
		Not After: Fri Feb 20 18:55:23 UTC 2026
	Subject: CN=My RsaPss2 Cert,O=PKCS11 Provider
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: High (3092 bits)
		Modulus (bits 3092):
			0d:45:6f:71:42:19:08:04:14:44:f6:43:cf:3f:70:99
			bb:92:d3:3f:42:a2:63:16:1b:13:b7:fd:0d:1c:e7:f1
			a3:e3:03:99:86:b8:ee:96:92:23:dd:fc:64:d9:aa:ed
			5b:9f:51:4e:95:e9:ec:62:ac:cc:19:3a:73:6c:18:cd
			48:55:45:3c:9e:a2:19:62:b5:46:f5:1d:fa:9e:dc:b2
			ad:aa:4b:d5:c9:8a:b6:c3:6c:19:6b:97:47:b3:0b:5d
			75:0b:d5:fc:eb:26:2d:c0:54:b5:64:a5:17:6c:bf:11
			dd:d4:55:24:74:0e:73:b7:06:55:03:90:b7:73:8a:51
			86:6f:79:5a:0d:77:f0:eb:72:eb:67:61:05:e6:d2:f8
			c7:c0:84:df:de:37:a8:bf:d5:d8:16:f7:ad:bf:d6:0a
			0f:2b:9d:4a:d1:cd:35:c9:b0:39:65:5a:9c:6b:6b:a1
			8c:14:68:b5:01:56:a2:15:77:f9:c5:a2:4a:f5:53:f5
			28:a6:17:23:1b:f7:e6:60:81:02:d8:ae:f5:4e:b6:91
			56:70:d1:f7:af:a2:13:0f:0f:af:bc:84:e5:ed:90:64
			8c:d2:03:6e:4e:c0:5f:d7:cf:e9:e1:d8:69:64:fb:5d
			27:72:5c:10:18:cf:16:15:83:18:e9:7e:6e:56:76:b9
			59:10:a8:ce:93:69:96:4d:45:60:7d:c4:a9:c9:9b:ef
			a5:2b:a3:1a:cd:c0:56:e1:fe:38:dc:08:91:a4:e7:cc
			7d:9d:e8:34:a1:2d:f7:e1:96:f3:9e:2f:e7:50:b1:82
			c4:8f:6b:2a:ae:e5:4d:46:42:09:04:16:1f:ac:fc:c7
			0c:0e:0e:4d:42:22:0c:a1:a5:4e:bf:8d:f1:64:f8:2b
			bf:f1:5a:97:58:20:c1:a0:62:2b:fb:20:60:fe:78:64
			93:1d:3d:ef:27:5d:71:40:52:64:c4:47:a4:19:67:e0
			36:6a:95:56:08:d8:de:33:fb:92:aa:5a:5e:cd:c2:e7
			63:db:21
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
			Key encipherment.
		Subject Key Identifier (not critical):
			ecfb85cf77dd34599594d545772830c2e1aa444b
		Authority Key Identifier (not critical):
			c9b09109af3f21ac6724faa2dd43744ea85331f6
Other Information:
	Public Key ID:
		sha1:ecfb85cf77dd34599594d545772830c2e1aa444b
		sha256:599d8569c35083608420b44307236d0c8657c837efef5c07f13bdfa88f851f8c
	Public Key PIN:
		pin-sha256:WZ2FacNQg2CEILRDByNtDIZXyDfv71wH8TvfqI+FH4w=



Signing certificate...
+ pkcs11-tool --module=/usr/lib64/pkcs11/libsofthsm2.so --login --pin=fo0m4nchU '--token-label=SoftHSM Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/testRsaPss2Cert.crt --type=cert --id=0011 --label=testRsaPss2Cert
+ RSAPSS2BASEURIWITHPINVALUE='pkcs11:id=%00%11?pin-value=fo0m4nchU'
+ RSAPSS2BASEURIWITHPINSOURCE='pkcs11:id=%00%11?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt'
+ RSAPSS2BASEURI=pkcs11:id=%00%11
+ RSAPSS2PUBURI='pkcs11:type=public;id=%00%11'
+ RSAPSS2PRIURI='pkcs11:type=private;id=%00%11'
+ RSAPSS2CRTURI='pkcs11:type=cert;object=testRsaPss2Cert'
+ title LINE 'RSA-PSS 2 PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'RSA-PSS 2 PKCS11 URIS'
+ echo 'pkcs11:id=%00%11?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%11?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt'
+ echo pkcs11:id=%00%11
+ echo 'pkcs11:type=public;id=%00%11'
+ echo 'pkcs11:type=private;id=%00%11'
+ echo 'pkcs11:type=cert;object=testRsaPss2Cert'
+ echo ''
+ title PARA 'Show contents of softhsm token'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## Show contents of softhsm token'
+ '[' -f '' ']'
+ echo ' ----------------------------------------------------------------------------------------------------'
+ pkcs11-tool --module=/usr/lib64/pkcs11/libsofthsm2.so --login --pin=fo0m4nchU '--token-label=SoftHSM Token' -O
+ echo ' ----------------------------------------------------------------------------------------------------'
+ title PARA 'Output configurations'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## Output configurations'
+ '[' -f '' ']'
+ OPENSSL_CONF=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/openssl.cnf
+ title LINE 'Generate openssl config file'
+ case "$1" in
+ shift 1
+ echo 'Generate openssl config file'
+ sed -e 's|@libtoollibs@|/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/src|g' -e 's|@testsblddir@|/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests|g' -e 's|@testsdir@|/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm|g' -e 's|@SHARED_EXT@|.so|g' -e 's|@PINFILE@|/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/pinfile.txt|g' -e 's|##TOKENOPTIONS|pkcs11-module-assume-fips = true\npkcs11-module-quirks = no-deinit no-operation-state|g' /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/openssl.cnf.in
+ title LINE 'Export test variables to /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/testvars'
+ case "$1" in
+ shift 1
+ echo 'Export test variables to /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/testvars'
+ cat
+ '[' -n '' ']'
+ '[' -n '' ']'
+ '[' -n '' ']'
+ '[' -n pkcs11:id=%00%10 ']'
+ cat
+ cat
+ gen_unsetvars
+ sed -e s/export/unset/ -e 's/=.*$//'
+ grep '^export' /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/testvars
+ title ENDSECTION
+ case "$1" in
+ echo ''
+ echo '                                      ##'
+ echo '########################################'
+ echo ''
==============================================================================

==================================== 3/92 ====================================
test:         pkcs11-provider:kryoptic / setup
start time:   18:55:23
duration:     2.82s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 LIBSPATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/src ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TESTSSRCDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests SHARED_EXT=.so SOFTOKNPATH=/usr/lib64 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 P11KITCLIENTPATH=/usr/lib64/pkcs11/p11-kit-client.so MALLOC_PERTURB_=141 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/setup.sh kryoptic
----------------------------------- stdout -----------------------------------
########################################
## Searching for Kryoptic module

Using kryoptic path /tmp/kryoptic/target/debug/libkryoptic_pkcs11.so
Creating Kyroptic database
Using slot 0 with a present token (0x0)
Token successfully initialized
Using slot 0 with a present token (0x0)
User PIN successfully initialized
Creating new Self Sign CA
Key pair generated:
Private Key Object; RSA 
  label:      caCert
  ID:         0000
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
  Unique ID:  2d7dc4a2-1cb0-4a1e-b758-9e65301c5db8
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0000;object=caCert;type=private
Public Key Object; RSA 2048 bits
  label:      caCert
  ID:         0000
  Usage:      encrypt, verify
  Access:     local
  Unique ID:  2e8ede36-eba7-4449-9b70-33a6cb7a84d6
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0000;object=caCert;type=public
Generating a self signed certificate...
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 02
	Validity:
		Not Before: Thu Feb 20 18:55:23 UTC 2025
		Not After: Fri Feb 20 18:55:23 UTC 2026
	Subject: CN=Issuer
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: Medium (2048 bits)
		Modulus (bits 2048):
			00:c4:d3:18:6d:8c:11:63:03:9d:bb:4d:4d:d2:e2:b5
			3d:ad:52:5f:ea:6b:89:82:e2:d8:1d:2b:cb:f3:6d:d7
			da:f1:a7:af:55:80:2c:4a:7c:54:b0:e5:ed:87:3f:40
			90:86:fe:40:c5:56:3f:fb:9a:7b:23:c2:4b:98:14:ff
			f8:d6:5f:fc:d3:b7:90:a4:57:00:50:63:b6:16:70:ad
			48:0c:5a:9e:e8:ef:a5:93:63:46:f7:21:8c:79:c2:d6
			e5:d4:5b:57:ef:21:43:df:5b:ba:74:a1:a2:1b:09:71
			5b:b6:5e:a4:ab:94:12:a6:bf:8f:b4:7b:50:7a:a3:37
			aa:f2:47:48:71:0f:57:8a:38:a3:46:9b:8e:7b:76:52
			cb:aa:0b:ad:81:01:30:ea:4c:8b:d9:16:8e:f2:d3:0a
			7e:cc:3d:ac:16:65:21:8c:0f:ce:6b:47:c2:f6:1c:24
			fc:2c:e8:f4:2c:d7:7e:2e:af:bd:9a:31:78:c4:05:01
			ec:61:7a:3c:b2:de:a3:a0:e8:66:48:28:9b:12:a1:8c
			40:e1:62:e2:6b:36:c4:f7:9f:8f:8d:7d:8d:5c:b4:72
			85:4c:50:ac:1f:7c:a2:b9:7b:9d:9f:36:47:d4:e6:e5
			36:e6:6d:4b:a7:f0:7c:0b:c6:c2:41:b2:d1:7d:5a:6c
			89
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): TRUE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
			Certificate signing.
		Subject Key Identifier (not critical):
			37967366db74720bc470170c21612725e7d9e62d
Other Information:
	Public Key ID:
		sha1:37967366db74720bc470170c21612725e7d9e62d
		sha256:e1aabd65fc17c4f409331cec074d8d9d112ff4a8cfd0a7431ee3251d6f875ec3
	Public Key PIN:
		pin-sha256:4aq9ZfwXxPQJMxzsB02NnREv9KjP0KdDHuMlHW+HXsM=



Signing certificate...
Created certificate:
Certificate Object; type = X.509 cert
  label:      caCert
  subject:    DN: CN=Issuer
  serial:     02
  ID:         0000
  Unique ID:  66027176-69ba-49d4-85ef-5d997254d559
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0000;object=caCert;type=cert
RSA PKCS11 URIS
pkcs11:id=%00%00?pin-value=fo0m4nchU
pkcs11:id=%00%00?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt
pkcs11:id=%00%00
pkcs11:type=public;id=%00%00
pkcs11:type=private;id=%00%00
pkcs11:type=cert;object=caCert

Key pair generated:
Private Key Object; RSA 
  label:      testCert
  ID:         0001
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
  Unique ID:  15a8e5de-264a-4db9-867c-656f8a9a35d9
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0001;object=testCert;type=private
Public Key Object; RSA 2048 bits
  label:      testCert
  ID:         0001
  Usage:      encrypt, verify
  Access:     local
  Unique ID:  ad36f169-fe78-425b-9cd1-b11ebec79888
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0001;object=testCert;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      testCert
  subject:    DN: O=PKCS11 Provider, CN=My Test Cert
  serial:     03
  ID:         0001
  Unique ID:  102a5112-7016-4eae-8981-45cf1cd19202
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0001;object=testCert;type=cert
RSA PKCS11 URIS
pkcs11:id=%00%01?pin-value=fo0m4nchU
pkcs11:id=%00%01?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt
pkcs11:id=%00%01
pkcs11:type=public;id=%00%01
pkcs11:type=private;id=%00%01
pkcs11:type=cert;object=testCert

Key pair generated:
Private Key Object; EC
  label:      ecCert
  ID:         0002
  Usage:      sign, derive
  Access:     sensitive, always sensitive, never extractable, local
  Unique ID:  1342a4dc-40ee-4a9b-8ba9-38da189fc467
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0002;object=ecCert;type=private
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104c0ae8aa9b9a444f457cd51944086d62717e7919ce09c311fdedc3d3aba3e2e97da7d507fbfba5b135f5858c748b9e9112bf6054fbb64650b3ebfb4b141d77f10
  EC_PARAMS:  06082a8648ce3d030107 (OID 1.2.840.10045.3.1.7)
  label:      ecCert
  ID:         0002
  Usage:      verify, derive
  Access:     local
  Unique ID:  af572277-adc2-4776-9e59-00d44323c25b
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0002;object=ecCert;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      ecCert
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert
  serial:     04
  ID:         0002
  Unique ID:  9ed547eb-be0a-428c-817f-4a17dd66ba90
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0002;object=ecCert;type=cert
Key pair generated:
Private Key Object; EC
  label:      ecPeerCert
  ID:         0003
  Usage:      sign, derive
  Access:     sensitive, always sensitive, never extractable, local
  Unique ID:  06fc61d4-5e52-4d40-80c8-78a165db99a6
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0003;object=ecPeerCert;type=private
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104c129cb339d98ab67711c9366c663971662ef55a7672946fe3a1d977418a8048d13cfb8139e4b645972e0d94f77b7a9955681996294a491ae430105b844af0283
  EC_PARAMS:  06082a8648ce3d030107 (OID 1.2.840.10045.3.1.7)
  label:      ecPeerCert
  ID:         0003
  Usage:      verify, derive
  Access:     local
  Unique ID:  dd0a6788-e49b-423a-bf51-9bc8f91bd78e
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0003;object=ecPeerCert;type=public
Generating a self signed certificate...
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 05
	Validity:
		Not Before: Thu Feb 20 18:55:24 UTC 2025
		Not After: Fri Feb 20 18:55:24 UTC 2026
	Subject: CN=My Peer EC Cert
	Subject Public Key Algorithm: EC/ECDSA
	Algorithm Security Level: High (256 bits)
		Curve:	SECP256R1
		X:
			00:c1:29:cb:33:9d:98:ab:67:71:1c:93:66:c6:63:97
			16:62:ef:55:a7:67:29:46:fe:3a:1d:97:74:18:a8:04
			8d
		Y:
			13:cf:b8:13:9e:4b:64:59:72:e0:d9:4f:77:b7:a9:95
			56:81:99:62:94:a4:91:ae:43:01:05:b8:44:af:02:83
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): TRUE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
			Certificate signing.
		Subject Key Identifier (not critical):
			c0432105463251a46abbb8e79d204f4fa1d5de17
Other Information:
	Public Key ID:
		sha1:c0432105463251a46abbb8e79d204f4fa1d5de17
		sha256:df996b6aa80b1715615c5344e1aca4bf57ba15b02d93dba0af3d521062989738
	Public Key PIN:
		pin-sha256:35lraqgLFxVhXFNE4aykv1e6FbAtk9ugrz1SEGKYlzg=



Signing certificate...
Created certificate:
Certificate Object; type = X.509 cert
  label:      ecPeerCert
  subject:    DN: CN=My Peer EC Cert
  serial:     05
  ID:         0003
  Unique ID:  f1db7300-61e6-457c-9409-3af5e2b6f4a1
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0003;object=ecPeerCert;type=cert
EC PKCS11 URIS
pkcs11:id=%00%02?pin-value=fo0m4nchU
pkcs11:id=%00%02?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt
pkcs11:id=%00%02
pkcs11:type=public;id=%00%02
pkcs11:type=private;id=%00%02
pkcs11:type=cert;object=ecCert
pkcs11:id=%00%03?pin-value=fo0m4nchU
pkcs11:id=%00%03?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt
pkcs11:id=%00%03
pkcs11:type=public;id=%00%03
pkcs11:type=private;id=%00%03
pkcs11:type=cert;object=ecPeerCert


## generate RSA key pair, self-signed certificate, remove public key
Key pair generated:
Private Key Object; RSA 
  label:      testCert2
  ID:         0005
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
  Unique ID:  b4a43fb7-cf05-4153-8036-0b0c91aa170f
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0005;object=testCert2;type=private
Public Key Object; RSA 2048 bits
  label:      testCert2
  ID:         0005
  Usage:      encrypt, verify
  Access:     local
  Unique ID:  045476e2-53b0-4ef3-894d-d2d29f7468ff
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0005;object=testCert2;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      testCert2
  subject:    DN: O=PKCS11 Provider, CN=My Test Cert 2
  serial:     06
  ID:         0005
  Unique ID:  8966eb4c-1bdf-4c4c-bfc8-80d8b4c55142
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0005;object=testCert2;type=cert
RSA2 PKCS11 URIS
pkcs11:id=%00%05?pin-value=fo0m4nchU
pkcs11:id=%00%05?pin-source=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt
pkcs11:id=%00%05
pkcs11:type=private;id=%00%05
pkcs11:type=cert;object=testCert2


## generate EC key pair, self-signed certificate, remove public key
Key pair generated:
Private Key Object; EC
  label:      ecCert2
  ID:         0006
  Usage:      sign, derive
  Access:     sensitive, always sensitive, never extractable, local
  Unique ID:  431997b3-4d77-4dfe-8e5d-0e11ee2de691
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0006;object=ecCert2;type=private
Public Key Object; EC  EC_POINT 384 bits
  EC_POINT:   0461046a3c4ed4dbcb484915329c474c2d256f672126e6cb3f23447c55c07baaa708459491e93a45d1a948608b538546a4e2f8f35b33d47cc809ce1a430c05655b2292c27609d2d38ab951bb4fbe031f4a06446c7cf412a80b359f14a8e8895794127c
  EC_PARAMS:  06052b81040022 (OID 1.3.132.0.34)
  label:      ecCert2
  ID:         0006
  Usage:      verify, derive
  Access:     local
  Unique ID:  41119add-eb0e-44b5-a54d-b99e6a9b1e71
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0006;object=ecCert2;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      ecCert2
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert 2
  serial:     07
  ID:         0006
  Unique ID:  1e15abfb-1601-4844-9837-0a07fcc46941
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0006;object=ecCert2;type=cert
EC2 PKCS11 URIS
pkcs11:id=%00%06?pin-value=fo0m4nchU
pkcs11:id=%00%06?pin-source=file/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt
pkcs11:id=%00%06
pkcs11:type=private;id=%00%06
pkcs11:type=cert;object=ecCert2


## explicit EC unsupported

## generate EC key pair with ALWAYS AUTHENTICATE flag, self-signed certificate
Key pair generated:
Private Key Object; EC
  label:      ecCert3
  ID:         0008
  Usage:      sign, derive
  Access:     always authenticate, sensitive, always sensitive, never extractable, local
  Unique ID:  70bcf1de-2979-4578-8b2d-ecea1c00ea1a
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0008;object=ecCert3;type=private
Public Key Object; EC  EC_POINT 528 bits
  EC_POINT:   0481850400d0ca71925e85cd601ba3b8c21b3cfe7c2bae5282c05ac15fea23d1285ebb66dfd07a1bb75bee19b64aea62dcd7e8102ab3c598fdd13b3b94d21a13e7b061b1768201d78c634901823c6986250b11e417da554f38842f3989363f52f99183245956b01d2fa000af400cc1512497b948e3b55b1a1030f00619f1b00330b60b0724f9803e
  EC_PARAMS:  06052b81040023 (OID 1.3.132.0.35)
  label:      ecCert3
  ID:         0008
  Usage:      verify, derive
  Access:     local
  Unique ID:  50b0c8c5-0ea7-47e2-bc41-50b78cb1af24
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0008;object=ecCert3;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      ecCert3
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert 3
  serial:     08
  ID:         0008
  Unique ID:  74b056b2-0cc2-47ca-af79-eb9c441bf7aa
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0008;object=ecCert3;type=cert
EC3 PKCS11 URIS
pkcs11:id=%00%08?pin-value=fo0m4nchU
pkcs11:id=%00%08?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt
pkcs11:id=%00%08
pkcs11:type=public;id=%00%08
pkcs11:type=private;id=%00%08
pkcs11:type=cert;object=ecCert3

Key pair generated:
Private Key Object; RSA 
  label:      testRsaPssCert
  ID:         0010
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
  Allowed mechanisms: RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA224-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS,SHA384-RSA-PKCS-PSS,SHA512-RSA-PKCS-PSS
  Unique ID:  5391f423-ba99-40ee-aa8d-469d50e24a6a
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0010;object=testRsaPssCert;type=private
Public Key Object; RSA 2048 bits
  label:      testRsaPssCert
  ID:         0010
  Usage:      encrypt, verify
  Access:     local
  Unique ID:  e874450d-150b-499e-8b8b-76326245b35e
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0010;object=testRsaPssCert;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      testRsaPssCert
  subject:    DN: O=PKCS11 Provider, CN=My RsaPss Cert
  serial:     09
  ID:         0010
  Unique ID:  e091c4e6-4238-44a3-8ecc-96760e6f5a5b
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0010;object=testRsaPssCert;type=cert
RSA-PSS PKCS11 URIS
pkcs11:id=%00%10?pin-value=fo0m4nchU
pkcs11:id=%00%10?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt
pkcs11:id=%00%10
pkcs11:type=public;id=%00%10
pkcs11:type=private;id=%00%10
pkcs11:type=cert;object=testRsaPssCert

Key pair generated:
Private Key Object; RSA 
  label:      testRsaPss2Cert
  ID:         0011
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
  Allowed mechanisms: SHA256-RSA-PKCS-PSS
  Unique ID:  656b8f72-0989-402e-9497-cefb8e2b0662
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0011;object=testRsaPss2Cert;type=private
Public Key Object; RSA 3092 bits
  label:      testRsaPss2Cert
  ID:         0011
  Usage:      encrypt, verify
  Access:     local
  Unique ID:  26b2eaff-b38e-44a3-a0e0-f7bbc97cb371
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0011;object=testRsaPss2Cert;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      testRsaPss2Cert
  subject:    DN: O=PKCS11 Provider, CN=My RsaPss2 Cert
  serial:     0A
  ID:         0011
  Unique ID:  d8bc710e-51b5-4650-8f6d-4cf68fda9ca9
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0011;object=testRsaPss2Cert;type=cert
RSA-PSS 2 PKCS11 URIS
pkcs11:id=%00%11?pin-value=fo0m4nchU
pkcs11:id=%00%11?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt
pkcs11:id=%00%11
pkcs11:type=public;id=%00%11
pkcs11:type=private;id=%00%11
pkcs11:type=cert;object=testRsaPss2Cert


## Show contents of kryoptic token
 ----------------------------------------------------------------------------------------------------
Public Key Object; RSA 2048 bits
  label:      caCert
  ID:         0000
  Usage:      encrypt, verify
  Access:     local
  Unique ID:  2e8ede36-eba7-4449-9b70-33a6cb7a84d6
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0000;object=caCert;type=public
Private Key Object; RSA 
  label:      caCert
  ID:         0000
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
  Unique ID:  2d7dc4a2-1cb0-4a1e-b758-9e65301c5db8
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0000;object=caCert;type=private
Certificate Object; type = X.509 cert
  label:      caCert
  subject:    DN: CN=Issuer
  serial:     02
  ID:         0000
  Unique ID:  66027176-69ba-49d4-85ef-5d997254d559
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0000;object=caCert;type=cert
Public Key Object; RSA 2048 bits
  label:      testCert
  ID:         0001
  Usage:      encrypt, verify
  Access:     local
  Unique ID:  ad36f169-fe78-425b-9cd1-b11ebec79888
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0001;object=testCert;type=public
Private Key Object; RSA 
  label:      testCert
  ID:         0001
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
  Unique ID:  15a8e5de-264a-4db9-867c-656f8a9a35d9
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0001;object=testCert;type=private
Certificate Object; type = X.509 cert
  label:      testCert
  subject:    DN: O=PKCS11 Provider, CN=My Test Cert
  serial:     03
  ID:         0001
  Unique ID:  102a5112-7016-4eae-8981-45cf1cd19202
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0001;object=testCert;type=cert
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104c0ae8aa9b9a444f457cd51944086d62717e7919ce09c311fdedc3d3aba3e2e97da7d507fbfba5b135f5858c748b9e9112bf6054fbb64650b3ebfb4b141d77f10
  EC_PARAMS:  06082a8648ce3d030107 (OID 1.2.840.10045.3.1.7)
  label:      ecCert
  ID:         0002
  Usage:      verify, derive
  Access:     local
  Unique ID:  af572277-adc2-4776-9e59-00d44323c25b
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0002;object=ecCert;type=public
Private Key Object; EC
  label:      ecCert
  ID:         0002
  Usage:      sign, derive
  Access:     sensitive, always sensitive, never extractable, local
  Unique ID:  1342a4dc-40ee-4a9b-8ba9-38da189fc467
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0002;object=ecCert;type=private
Certificate Object; type = X.509 cert
  label:      ecCert
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert
  serial:     04
  ID:         0002
  Unique ID:  9ed547eb-be0a-428c-817f-4a17dd66ba90
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0002;object=ecCert;type=cert
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104c129cb339d98ab67711c9366c663971662ef55a7672946fe3a1d977418a8048d13cfb8139e4b645972e0d94f77b7a9955681996294a491ae430105b844af0283
  EC_PARAMS:  06082a8648ce3d030107 (OID 1.2.840.10045.3.1.7)
  label:      ecPeerCert
  ID:         0003
  Usage:      verify, derive
  Access:     local
  Unique ID:  dd0a6788-e49b-423a-bf51-9bc8f91bd78e
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0003;object=ecPeerCert;type=public
Private Key Object; EC
  label:      ecPeerCert
  ID:         0003
  Usage:      sign, derive
  Access:     sensitive, always sensitive, never extractable, local
  Unique ID:  06fc61d4-5e52-4d40-80c8-78a165db99a6
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0003;object=ecPeerCert;type=private
Certificate Object; type = X.509 cert
  label:      ecPeerCert
  subject:    DN: CN=My Peer EC Cert
  serial:     05
  ID:         0003
  Unique ID:  f1db7300-61e6-457c-9409-3af5e2b6f4a1
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0003;object=ecPeerCert;type=cert
Private Key Object; RSA 
  label:      testCert2
  ID:         0005
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
  Unique ID:  b4a43fb7-cf05-4153-8036-0b0c91aa170f
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0005;object=testCert2;type=private
Certificate Object; type = X.509 cert
  label:      testCert2
  subject:    DN: O=PKCS11 Provider, CN=My Test Cert 2
  serial:     06
  ID:         0005
  Unique ID:  8966eb4c-1bdf-4c4c-bfc8-80d8b4c55142
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0005;object=testCert2;type=cert
Private Key Object; EC
  label:      ecCert2
  ID:         0006
  Usage:      sign, derive
  Access:     sensitive, always sensitive, never extractable, local
  Unique ID:  431997b3-4d77-4dfe-8e5d-0e11ee2de691
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0006;object=ecCert2;type=private
Certificate Object; type = X.509 cert
  label:      ecCert2
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert 2
  serial:     07
  ID:         0006
  Unique ID:  1e15abfb-1601-4844-9837-0a07fcc46941
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0006;object=ecCert2;type=cert
Public Key Object; EC  EC_POINT 528 bits
  EC_POINT:   0481850400d0ca71925e85cd601ba3b8c21b3cfe7c2bae5282c05ac15fea23d1285ebb66dfd07a1bb75bee19b64aea62dcd7e8102ab3c598fdd13b3b94d21a13e7b061b1768201d78c634901823c6986250b11e417da554f38842f3989363f52f99183245956b01d2fa000af400cc1512497b948e3b55b1a1030f00619f1b00330b60b0724f9803e
  EC_PARAMS:  06052b81040023 (OID 1.3.132.0.35)
  label:      ecCert3
  ID:         0008
  Usage:      verify, derive
  Access:     local
  Unique ID:  50b0c8c5-0ea7-47e2-bc41-50b78cb1af24
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0008;object=ecCert3;type=public
Private Key Object; EC
  label:      ecCert3
  ID:         0008
  Usage:      sign, derive
  Access:     always authenticate, sensitive, always sensitive, never extractable, local
  Unique ID:  70bcf1de-2979-4578-8b2d-ecea1c00ea1a
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0008;object=ecCert3;type=private
Certificate Object; type = X.509 cert
  label:      ecCert3
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert 3
  serial:     08
  ID:         0008
  Unique ID:  74b056b2-0cc2-47ca-af79-eb9c441bf7aa
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0008;object=ecCert3;type=cert
Public Key Object; RSA 2048 bits
  label:      testRsaPssCert
  ID:         0010
  Usage:      encrypt, verify
  Access:     local
  Unique ID:  e874450d-150b-499e-8b8b-76326245b35e
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0010;object=testRsaPssCert;type=public
Private Key Object; RSA 
  label:      testRsaPssCert
  ID:         0010
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
  Allowed mechanisms: RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA224-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS,SHA384-RSA-PKCS-PSS,SHA512-RSA-PKCS-PSS
  Unique ID:  5391f423-ba99-40ee-aa8d-469d50e24a6a
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0010;object=testRsaPssCert;type=private
Certificate Object; type = X.509 cert
  label:      testRsaPssCert
  subject:    DN: O=PKCS11 Provider, CN=My RsaPss Cert
  serial:     09
  ID:         0010
  Unique ID:  e091c4e6-4238-44a3-8ecc-96760e6f5a5b
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0010;object=testRsaPssCert;type=cert
Public Key Object; RSA 3092 bits
  label:      testRsaPss2Cert
  ID:         0011
  Usage:      encrypt, verify
  Access:     local
  Unique ID:  26b2eaff-b38e-44a3-a0e0-f7bbc97cb371
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0011;object=testRsaPss2Cert;type=public
Private Key Object; RSA 
  label:      testRsaPss2Cert
  ID:         0011
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
  Allowed mechanisms: SHA256-RSA-PKCS-PSS
  Unique ID:  656b8f72-0989-402e-9497-cefb8e2b0662
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0011;object=testRsaPss2Cert;type=private
Certificate Object; type = X.509 cert
  label:      testRsaPss2Cert
  subject:    DN: O=PKCS11 Provider, CN=My RsaPss2 Cert
  serial:     0A
  ID:         0011
  Unique ID:  d8bc710e-51b5-4650-8f6d-4cf68fda9ca9
  uri:        pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token;id=%0011;object=testRsaPss2Cert;type=cert
 ----------------------------------------------------------------------------------------------------

## Output configurations
Generate openssl config file
Export test variables to /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/testvars

                                      ##
########################################

----------------------------------- stderr -----------------------------------
+ source /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/helpers.sh
++ : /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests
++ helper_emit=1
++ sed --version
++ grep -q 'GNU sed'
++ sed_inplace=('-i')
++ export sed_inplace
+ '[' 1 -ne 1 ']'
+ TOKENTYPE=kryoptic
+ SUPPORT_ED25519=1
+ SUPPORT_ED448=1
+ SUPPORT_RSA_PKCS1_ENCRYPTION=1
+ SUPPORT_RSA_KEYGEN_PUBLIC_EXPONENT=1
+ SUPPORT_TLSFUZZER=1
+ SUPPORT_ALLOWED_MECHANISMS=0
++ opensc-tool -i
++ grep OpenSC
++ sed -e 's/OpenSC 0\.\([0-9]*\).*/\1/'
+ OPENSC_VERSION=26
+ [[ 26 -le 25 ]]
+ PINVALUE=12345678
+ [[ '' = \1 ]]
++ cat /proc/sys/crypto/fips_enabled
+ [[ 1 = \1 ]]
+ SUPPORT_ED25519=0
+ SUPPORT_ED448=0
+ SUPPORT_RSA_PKCS1_ENCRYPTION=0
+ SUPPORT_RSA_KEYGEN_PUBLIC_EXPONENT=0
+ SUPPORT_TLSFUZZER=0
+ TOKENOPTIONS='pkcs11-module-assume-fips = true'
+ PINVALUE=fo0m4nchU
+ TMPPDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic
+ TOKDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/tokens
+ '[' -d /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic ']'
+ rm -fr /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic
+ mkdir /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic
+ mkdir /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/tokens
+ PINFILE=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt
+ echo fo0m4nchU
+ export GNUTLS_PIN=fo0m4nchU
+ GNUTLS_PIN=fo0m4nchU
+ '[' kryoptic == softhsm ']'
+ '[' kryoptic == softokn ']'
+ '[' kryoptic == kryoptic ']'
+ source /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/kryoptic-init.sh
++ title SECTION 'Searching for Kryoptic module'
++ case "$1" in
++ shift 1
++ echo '########################################'
++ echo '## Searching for Kryoptic module'
++ echo ''
++ find_kryoptic /tmp/kryoptic/target/debug/libkryoptic_pkcs11.so /tmp/kryoptic/target/release/libkryoptic_pkcs11.so /usr/local/lib/kryoptic/libkryoptic_pkcs11so /usr/lib64/pkcs11/libkryoptic_pkcs11.so /usr/lib/pkcs11/libkryoptic_pkcs11.so /usr/lib/x86_64-linux-gnu/kryoptic/libkryoptic_pkcs11.so
++ for _lib in "$@"
++ test -f /tmp/kryoptic/target/debug/libkryoptic_pkcs11.so
++ echo 'Using kryoptic path /tmp/kryoptic/target/debug/libkryoptic_pkcs11.so'
++ P11LIB=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so
++ return
++ title LINE 'Creating Kyroptic database'
++ case "$1" in
++ shift 1
++ echo 'Creating Kyroptic database'
++ export KRYOPTIC_CONF=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/tokens/kryoptic.sql
++ KRYOPTIC_CONF=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/tokens/kryoptic.sql
++ export 'TOKENLABEL=Kryoptic Token'
++ TOKENLABEL='Kryoptic Token'
++ export TOKENLABELURI=Kryoptic%20Token
++ TOKENLABELURI=Kryoptic%20Token
++ pkcs11-tool --module /tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --init-token --label 'Kryoptic Token' --so-pin fo0m4nchU
++ pkcs11-tool --module /tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --so-pin fo0m4nchU --login --login-type so --init-pin --pin fo0m4nchU
++ export 'TOKENCONFIGVARS=export KRYOPTIC_CONF=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/tokens/kryoptic.sql'
++ TOKENCONFIGVARS='export KRYOPTIC_CONF=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/tokens/kryoptic.sql'
++ export TESTPORT=34000
++ TESTPORT=34000
++ export KRYOPTIC_EC_POINT_ENCODING=DER
++ KRYOPTIC_EC_POINT_ENCODING=DER
++ export SUPPORT_ALLOWED_MECHANISMS=1
++ SUPPORT_ALLOWED_MECHANISMS=1
+ SEEDFILE=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/noisefile.bin
+ dd if=/dev/urandom of=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/noisefile.bin bs=2048 count=1
+ RAND64FILE=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/64krandom.bin
+ dd if=/dev/urandom of=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/64krandom.bin bs=2048 count=32
++ uname
+ '[' Linux == Darwin ']'
++ type -p certtool
+ certtool=/usr/bin/certtool
+ '[' -z /usr/bin/certtool ']'
+ P11DEFARGS=("--module=${P11LIB}" "--login" "--pin=${PINVALUE}" "--token-label=${TOKENLABEL}")
+ cat
+ SERIAL=1
+ title LINE 'Creating new Self Sign CA'
+ case "$1" in
+ shift 1
+ echo 'Creating new Self Sign CA'
+ KEYID=0000
+ URIKEYID=%00%00
+ CACRTN=caCert
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Token' --keypairgen --key-type=RSA:2048 --label=caCert --id=0000
+ crt_selfsign caCert Issuer 0000
+ LABEL=caCert
+ CN=Issuer
+ KEYID=0000
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = Issuer|g' -e 's|serial = .*|serial = 2|g' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/cacert.cfg
+ /usr/bin/certtool --generate-self-signed --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/cacert.cfg --provider=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --load-privkey 'pkcs11:object=caCert;token=Kryoptic%20Token;type=private' --load-pubkey 'pkcs11:object=caCert;token=Kryoptic%20Token;type=public' --outder
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.crt --type=cert --id=0000 --label=caCert
+ CACRT_PEM=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.pem
+ CACRT=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.crt
+ openssl x509 -inform DER -in /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.crt -outform PEM -out /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.pem
+ CABASEURIWITHPINVALUE='pkcs11:id=%00%00?pin-value=fo0m4nchU'
+ CABASEURIWITHPINSOURCE='pkcs11:id=%00%00?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt'
+ CABASEURI=pkcs11:id=%00%00
+ CAPUBURI='pkcs11:type=public;id=%00%00'
+ CAPRIURI='pkcs11:type=private;id=%00%00'
+ CACRTURI='pkcs11:type=cert;object=caCert'
+ title LINE 'RSA PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'RSA PKCS11 URIS'
+ echo 'pkcs11:id=%00%00?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%00?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt'
+ echo pkcs11:id=%00%00
+ echo 'pkcs11:type=public;id=%00%00'
+ echo 'pkcs11:type=private;id=%00%00'
+ echo 'pkcs11:type=cert;object=caCert'
+ echo ''
+ cat /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/cacert.cfg
+ echo 'organization = "PKCS11 Provider"'
+ sed -e '/^cert_signing_key$/d' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/cert.cfg
+ KEYID=0001
+ URIKEYID=%00%01
+ TSTCRTN=testCert
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Token' --keypairgen --key-type=RSA:2048 --label=testCert --id=0001
+ ca_sign testCert 'My Test Cert' 0001
+ LABEL=testCert
+ CN='My Test Cert'
+ KEYID=0001
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My Test Cert|g' -e 's|serial = .*|serial = 3|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/testCert.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/cert.cfg --provider=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --load-privkey 'pkcs11:object=testCert;token=Kryoptic%20Token;type=private' --load-pubkey 'pkcs11:object=testCert;token=Kryoptic%20Token;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=Kryoptic%20Token;type=private'
Generating a signed certificate...
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 03
	Validity:
		Not Before: Thu Feb 20 18:55:23 UTC 2025
		Not After: Fri Feb 20 18:55:23 UTC 2026
	Subject: CN=My Test Cert,O=PKCS11 Provider
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: Medium (2048 bits)
		Modulus (bits 2048):
			00:9a:3d:52:c8:cb:a3:14:eb:03:ef:91:06:1f:83:0f
			73:59:10:2a:b8:1f:5b:2b:d6:c3:0b:55:28:92:67:18
			f9:36:b1:62:a9:33:57:8a:b2:26:a6:d6:36:c2:98:6c
			b5:21:77:3c:9e:6b:f0:14:69:83:a0:ea:58:dc:6f:2d
			14:b1:40:c5:2a:44:a8:f1:85:6d:9f:b0:cf:79:0e:91
			47:a8:74:ef:d8:b3:9d:21:d9:c9:ff:6c:50:f1:17:68
			62:12:1c:73:7a:9e:0a:67:69:6c:4a:13:51:6e:47:41
			c2:7f:00:bc:a7:fd:64:22:7b:ca:a9:e8:dd:95:83:6f
			4a:71:63:1c:de:92:a7:f6:0c:11:52:fd:8d:7a:10:8d
			26:c5:59:a4:3e:34:c4:8f:ce:45:89:6c:41:4b:67:93
			b3:c6:0d:d1:40:27:be:84:67:90:00:03:46:e9:65:3f
			fb:e0:8e:5d:30:aa:bf:a4:b1:a9:e8:89:c6:43:94:e7
			b3:27:63:4e:03:cc:06:14:95:41:fa:da:3a:a6:d3:35
			0d:95:a3:34:40:6a:05:df:34:ef:db:59:2f:9a:01:e0
			07:91:f1:53:6c:b4:11:31:b9:a0:74:9c:f2:39:59:61
			5c:a2:70:b0:77:bd:8b:0b:db:b2:ba:ab:bc:40:89:8d
			63
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
			Key encipherment.
		Subject Key Identifier (not critical):
			b82d0391d65a6af040f9b0ba2722dce34d5a25d6
		Authority Key Identifier (not critical):
			37967366db74720bc470170c21612725e7d9e62d
Other Information:
	Public Key ID:
		sha1:b82d0391d65a6af040f9b0ba2722dce34d5a25d6
		sha256:5cc18f178cdfba68b7a76383c67b78cb42916af4eb1a227cdac6e7a5ad72cf04
	Public Key PIN:
		pin-sha256:XMGPF4zfumi3p2ODxnt4y0KRavTrGiJ82sbnpa1yzwQ=



Signing certificate...
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/testCert.crt --type=cert --id=0001 --label=testCert
+ BASEURIWITHPINVALUE='pkcs11:id=%00%01?pin-value=fo0m4nchU'
+ BASEURIWITHPINSOURCE='pkcs11:id=%00%01?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt'
+ BASEURI=pkcs11:id=%00%01
+ PUBURI='pkcs11:type=public;id=%00%01'
+ PRIURI='pkcs11:type=private;id=%00%01'
+ CRTURI='pkcs11:type=cert;object=testCert'
+ title LINE 'RSA PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'RSA PKCS11 URIS'
+ echo 'pkcs11:id=%00%01?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%01?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt'
+ echo pkcs11:id=%00%01
+ echo 'pkcs11:type=public;id=%00%01'
+ echo 'pkcs11:type=private;id=%00%01'
+ echo 'pkcs11:type=cert;object=testCert'
+ echo ''
+ KEYID=0002
+ URIKEYID=%00%02
+ ECCRTN=ecCert
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Token' --keypairgen --key-type=EC:secp256r1 --label=ecCert --id=0002
+ ca_sign ecCert 'My EC Cert' 0002
+ LABEL=ecCert
+ CN='My EC Cert'
+ KEYID=0002
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My EC Cert|g' -e 's|serial = .*|serial = 4|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/ecCert.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/cert.cfg --provider=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --load-privkey 'pkcs11:object=ecCert;token=Kryoptic%20Token;type=private' --load-pubkey 'pkcs11:object=ecCert;token=Kryoptic%20Token;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=Kryoptic%20Token;type=private'
Generating a signed certificate...

Expiration time: Fri Feb 20 13:55:24 2026
CA expiration time: Fri Feb 20 13:55:23 2026
Warning: The time set exceeds the CA's expiration time
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 04
	Validity:
		Not Before: Thu Feb 20 18:55:24 UTC 2025
		Not After: Fri Feb 20 18:55:24 UTC 2026
	Subject: CN=My EC Cert,O=PKCS11 Provider
	Subject Public Key Algorithm: EC/ECDSA
	Algorithm Security Level: High (256 bits)
		Curve:	SECP256R1
		X:
			00:c0:ae:8a:a9:b9:a4:44:f4:57:cd:51:94:40:86:d6
			27:17:e7:91:9c:e0:9c:31:1f:de:dc:3d:3a:ba:3e:2e
			97
		Y:
			00:da:7d:50:7f:bf:ba:5b:13:5f:58:58:c7:48:b9:e9
			11:2b:f6:05:4f:bb:64:65:0b:3e:bf:b4:b1:41:d7:7f
			10
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
		Subject Key Identifier (not critical):
			71ae65152afbda5fe35d44610e50f09def8c6134
		Authority Key Identifier (not critical):
			37967366db74720bc470170c21612725e7d9e62d
Other Information:
	Public Key ID:
		sha1:71ae65152afbda5fe35d44610e50f09def8c6134
		sha256:a8e37c34ff6bf698043b088d75383ef057258a632bd29359a5a86c47322100d5
	Public Key PIN:
		pin-sha256:qON8NP9r9pgEOwiNdTg+8FclimMr0pNZpahsRzIhANU=



Signing certificate...
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/ecCert.crt --type=cert --id=0002 --label=ecCert
+ ECBASEURIWITHPINVALUE='pkcs11:id=%00%02?pin-value=fo0m4nchU'
+ ECBASEURIWITHPINSOURCE='pkcs11:id=%00%02?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt'
+ ECBASEURI=pkcs11:id=%00%02
+ ECPUBURI='pkcs11:type=public;id=%00%02'
+ ECPRIURI='pkcs11:type=private;id=%00%02'
+ ECCRTURI='pkcs11:type=cert;object=ecCert'
+ KEYID=0003
+ URIKEYID=%00%03
+ ECPEERCRTN=ecPeerCert
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Token' --keypairgen --key-type=EC:secp256r1 --label=ecPeerCert --id=0003
+ crt_selfsign ecPeerCert 'My Peer EC Cert' 0003
+ LABEL=ecPeerCert
+ CN='My Peer EC Cert'
+ KEYID=0003
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My Peer EC Cert|g' -e 's|serial = .*|serial = 5|g' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/cacert.cfg
+ /usr/bin/certtool --generate-self-signed --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/ecPeerCert.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/cacert.cfg --provider=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --load-privkey 'pkcs11:object=ecPeerCert;token=Kryoptic%20Token;type=private' --load-pubkey 'pkcs11:object=ecPeerCert;token=Kryoptic%20Token;type=public' --outder
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/ecPeerCert.crt --type=cert --id=0003 --label=ecPeerCert
+ ECPEERBASEURIWITHPINVALUE='pkcs11:id=%00%03?pin-value=fo0m4nchU'
+ ECPEERBASEURIWITHPINSOURCE='pkcs11:id=%00%03?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt'
+ ECPEERBASEURI=pkcs11:id=%00%03
+ ECPEERPUBURI='pkcs11:type=public;id=%00%03'
+ ECPEERPRIURI='pkcs11:type=private;id=%00%03'
+ ECPEERCRTURI='pkcs11:type=cert;object=ecPeerCert'
+ title LINE 'EC PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'EC PKCS11 URIS'
+ echo 'pkcs11:id=%00%02?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%02?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt'
+ echo pkcs11:id=%00%02
+ echo 'pkcs11:type=public;id=%00%02'
+ echo 'pkcs11:type=private;id=%00%02'
+ echo 'pkcs11:type=cert;object=ecCert'
+ echo 'pkcs11:id=%00%03?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%03?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt'
+ echo pkcs11:id=%00%03
+ echo 'pkcs11:type=public;id=%00%03'
+ echo 'pkcs11:type=private;id=%00%03'
+ echo 'pkcs11:type=cert;object=ecPeerCert'
+ echo ''
+ '[' 0 -eq 1 ']'
+ '[' 0 -eq 1 ']'
+ title PARA 'generate RSA key pair, self-signed certificate, remove public key'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## generate RSA key pair, self-signed certificate, remove public key'
+ '[' -f '' ']'
+ KEYID=0005
+ URIKEYID=%00%05
+ TSTCRTN=testCert2
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Token' --keypairgen --key-type=RSA:2048 --label=testCert2 --id=0005
+ ca_sign testCert2 'My Test Cert 2' 0005
+ LABEL=testCert2
+ CN='My Test Cert 2'
+ KEYID=0005
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My Test Cert 2|g' -e 's|serial = .*|serial = 6|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/testCert2.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/cert.cfg --provider=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --load-privkey 'pkcs11:object=testCert2;token=Kryoptic%20Token;type=private' --load-pubkey 'pkcs11:object=testCert2;token=Kryoptic%20Token;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=Kryoptic%20Token;type=private'
Generating a signed certificate...

Expiration time: Fri Feb 20 13:55:24 2026
CA expiration time: Fri Feb 20 13:55:23 2026
Warning: The time set exceeds the CA's expiration time
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 06
	Validity:
		Not Before: Thu Feb 20 18:55:24 UTC 2025
		Not After: Fri Feb 20 18:55:24 UTC 2026
	Subject: CN=My Test Cert 2,O=PKCS11 Provider
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: Medium (2048 bits)
		Modulus (bits 2048):
			00:e4:9d:49:6c:0c:87:87:3a:a1:e4:d3:b8:70:b4:27
			9a:83:ab:db:4a:07:4e:e9:f1:01:fd:11:2d:8d:9e:57
			e1:f3:23:f4:1e:da:e7:da:23:7c:4e:cc:12:80:5b:41
			43:14:65:74:dd:2d:51:9a:5c:df:ea:83:6e:85:fe:54
			33:78:35:7a:57:af:5e:23:60:a9:87:90:8b:13:c9:79
			62:e4:4b:04:b8:e4:e8:34:af:7c:16:c3:85:3b:b7:39
			75:2c:65:a4:8a:78:4c:1d:ad:7e:88:c2:a2:35:3c:96
			03:26:cc:4a:19:e4:57:d8:26:96:53:a2:6f:c4:ac:49
			09:dd:8c:6c:c5:d9:a4:21:89:bb:72:dc:6f:52:1b:b9
			26:11:68:b0:52:0b:08:d2:a5:f6:51:0c:de:45:4f:60
			95:e8:ad:5e:21:e2:24:3f:da:b5:cd:04:76:c5:51:41
			bd:2a:7c:fd:ca:82:c4:25:fc:cd:c4:82:80:16:64:f5
			80:38:ae:36:11:f0:cf:6f:07:5d:96:57:a2:86:fd:97
			e7:9d:95:4e:76:8e:e2:b1:d9:d1:31:39:cc:70:93:77
			6e:b2:ae:d1:39:52:78:74:9c:34:ae:a2:48:4e:dd:ed
			5e:79:c3:12:02:05:e1:da:c6:9d:87:94:4c:25:5d:89
			7d
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
			Key encipherment.
		Subject Key Identifier (not critical):
			07feb28cf5395420af78f879737c4f9ddbeef232
		Authority Key Identifier (not critical):
			37967366db74720bc470170c21612725e7d9e62d
Other Information:
	Public Key ID:
		sha1:07feb28cf5395420af78f879737c4f9ddbeef232
		sha256:a5b900957d42bac7dec710fe54dd89fb32b88d60b1e119146198c5aa3b5c895f
	Public Key PIN:
		pin-sha256:pbkAlX1CusfexxD+VN2J+zK4jWCx4RkUYZjFqjtciV8=



Signing certificate...
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/testCert2.crt --type=cert --id=0005 --label=testCert2
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Token' --delete-object --type pubkey --id 0005
+ BASE2URIWITHPINVALUE='pkcs11:id=%00%05?pin-value=fo0m4nchU'
+ BASE2URIWITHPINSOURCE='pkcs11:id=%00%05?pin-source=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt'
+ BASE2URI=pkcs11:id=%00%05
+ PRI2URI='pkcs11:type=private;id=%00%05'
+ CRT2URI='pkcs11:type=cert;object=testCert2'
+ title LINE 'RSA2 PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'RSA2 PKCS11 URIS'
+ echo 'pkcs11:id=%00%05?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%05?pin-source=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt'
+ echo pkcs11:id=%00%05
+ echo 'pkcs11:type=private;id=%00%05'
+ echo 'pkcs11:type=cert;object=testCert2'
+ echo ''
+ title PARA 'generate EC key pair, self-signed certificate, remove public key'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## generate EC key pair, self-signed certificate, remove public key'
+ '[' -f '' ']'
+ KEYID=0006
+ URIKEYID=%00%06
+ TSTCRTN=ecCert2
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Token' --keypairgen --key-type=EC:secp384r1 --label=ecCert2 --id=0006
+ ca_sign ecCert2 'My EC Cert 2' 0006
+ LABEL=ecCert2
+ CN='My EC Cert 2'
+ KEYID=0006
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My EC Cert 2|g' -e 's|serial = .*|serial = 7|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/ecCert2.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/cert.cfg --provider=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --load-privkey 'pkcs11:object=ecCert2;token=Kryoptic%20Token;type=private' --load-pubkey 'pkcs11:object=ecCert2;token=Kryoptic%20Token;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=Kryoptic%20Token;type=private'
Generating a signed certificate...

Expiration time: Fri Feb 20 13:55:24 2026
CA expiration time: Fri Feb 20 13:55:23 2026
Warning: The time set exceeds the CA's expiration time
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 07
	Validity:
		Not Before: Thu Feb 20 18:55:24 UTC 2025
		Not After: Fri Feb 20 18:55:24 UTC 2026
	Subject: CN=My EC Cert 2,O=PKCS11 Provider
	Subject Public Key Algorithm: EC/ECDSA
	Algorithm Security Level: Ultra (384 bits)
		Curve:	SECP384R1
		X:
			6a:3c:4e:d4:db:cb:48:49:15:32:9c:47:4c:2d:25:6f
			67:21:26:e6:cb:3f:23:44:7c:55:c0:7b:aa:a7:08:45
			94:91:e9:3a:45:d1:a9:48:60:8b:53:85:46:a4:e2:f8
		Y:
			00:f3:5b:33:d4:7c:c8:09:ce:1a:43:0c:05:65:5b:22
			92:c2:76:09:d2:d3:8a:b9:51:bb:4f:be:03:1f:4a:06
			44:6c:7c:f4:12:a8:0b:35:9f:14:a8:e8:89:57:94:12
			7c
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
		Subject Key Identifier (not critical):
			42771afc1c41e913d8daebbd5dc5d0f9cb036e44
		Authority Key Identifier (not critical):
			37967366db74720bc470170c21612725e7d9e62d
Other Information:
	Public Key ID:
		sha1:42771afc1c41e913d8daebbd5dc5d0f9cb036e44
		sha256:348645e58da00554cdd9f9618a5c9124e565ea6600b00c49df30cb0ec8f3fc5d
	Public Key PIN:
		pin-sha256:NIZF5Y2gBVTN2flhilyRJOVl6mYAsAxJ3zDLDsjz/F0=



Signing certificate...
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/ecCert2.crt --type=cert --id=0006 --label=ecCert2
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Token' --delete-object --type pubkey --id 0006
+ ECBASE2URIWITHPINVALUE='pkcs11:id=%00%06?pin-value=fo0m4nchU'
+ ECBASE2URIWITHPINSOURCE='pkcs11:id=%00%06?pin-source=file/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt'
+ ECBASE2URI=pkcs11:id=%00%06
+ ECPRI2URI='pkcs11:type=private;id=%00%06'
+ ECCRT2URI='pkcs11:type=cert;object=ecCert2'
+ title LINE 'EC2 PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'EC2 PKCS11 URIS'
+ echo 'pkcs11:id=%00%06?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%06?pin-source=file/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt'
+ echo pkcs11:id=%00%06
+ echo 'pkcs11:type=private;id=%00%06'
+ echo 'pkcs11:type=cert;object=ecCert2'
+ echo ''
+ '[' -z '' ']'
+ title PARA 'explicit EC unsupported'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## explicit EC unsupported'
+ '[' -f '' ']'
+ title PARA 'generate EC key pair with ALWAYS AUTHENTICATE flag, self-signed certificate'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## generate EC key pair with ALWAYS AUTHENTICATE flag, self-signed certificate'
+ '[' -f '' ']'
+ KEYID=0008
+ URIKEYID=%00%08
+ TSTCRTN=ecCert3
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Token' --keypairgen --key-type=EC:secp521r1 --label=ecCert3 --id=0008 --always-auth
+ ca_sign ecCert3 'My EC Cert 3' 0008
+ LABEL=ecCert3
+ CN='My EC Cert 3'
+ KEYID=0008
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My EC Cert 3|g' -e 's|serial = .*|serial = 8|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/ecCert3.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/cert.cfg --provider=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --load-privkey 'pkcs11:object=ecCert3;token=Kryoptic%20Token;type=private' --load-pubkey 'pkcs11:object=ecCert3;token=Kryoptic%20Token;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=Kryoptic%20Token;type=private'
Generating a signed certificate...

Expiration time: Fri Feb 20 13:55:25 2026
CA expiration time: Fri Feb 20 13:55:23 2026
Warning: The time set exceeds the CA's expiration time
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 08
	Validity:
		Not Before: Thu Feb 20 18:55:25 UTC 2025
		Not After: Fri Feb 20 18:55:25 UTC 2026
	Subject: CN=My EC Cert 3,O=PKCS11 Provider
	Subject Public Key Algorithm: EC/ECDSA
	Algorithm Security Level: Future (528 bits)
		Curve:	SECP521R1
		X:
			00:d0:ca:71:92:5e:85:cd:60:1b:a3:b8:c2:1b:3c:fe
			7c:2b:ae:52:82:c0:5a:c1:5f:ea:23:d1:28:5e:bb:66
			df:d0:7a:1b:b7:5b:ee:19:b6:4a:ea:62:dc:d7:e8:10
			2a:b3:c5:98:fd:d1:3b:3b:94:d2:1a:13:e7:b0:61:b1
			76:82
		Y:
			01:d7:8c:63:49:01:82:3c:69:86:25:0b:11:e4:17:da
			55:4f:38:84:2f:39:89:36:3f:52:f9:91:83:24:59:56
			b0:1d:2f:a0:00:af:40:0c:c1:51:24:97:b9:48:e3:b5
			5b:1a:10:30:f0:06:19:f1:b0:03:30:b6:0b:07:24:f9
			80:3e
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
		Subject Key Identifier (not critical):
			bc69aba61ebc402a03e579ecb4b2da9b0fb9fd09
		Authority Key Identifier (not critical):
			37967366db74720bc470170c21612725e7d9e62d
Other Information:
	Public Key ID:
		sha1:bc69aba61ebc402a03e579ecb4b2da9b0fb9fd09
		sha256:86e659e12cf3cca949708792aeb457e28a3ccab4bd891cf9679189306c250641
	Public Key PIN:
		pin-sha256:huZZ4SzzzKlJcIeSrrRX4oo8yrS9iRz5Z5GJMGwlBkE=



Signing certificate...
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/ecCert3.crt --type=cert --id=0008 --label=ecCert3
+ ECBASE3URIWITHPINVALUE='pkcs11:id=%00%08?pin-value=fo0m4nchU'
+ ECBASE3URIWITHPINSOURCE='pkcs11:id=%00%08?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt'
+ ECBASE3URI=pkcs11:id=%00%08
+ ECPUB3URI='pkcs11:type=public;id=%00%08'
+ ECPRI3URI='pkcs11:type=private;id=%00%08'
+ ECCRT3URI='pkcs11:type=cert;object=ecCert3'
+ title LINE 'EC3 PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'EC3 PKCS11 URIS'
+ echo 'pkcs11:id=%00%08?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%08?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt'
+ echo pkcs11:id=%00%08
+ echo 'pkcs11:type=public;id=%00%08'
+ echo 'pkcs11:type=private;id=%00%08'
+ echo 'pkcs11:type=cert;object=ecCert3'
+ echo ''
+ '[' 1 -eq 1 ']'
+ KEYID=0010
+ URIKEYID=%00%10
+ TSTCRTN=testRsaPssCert
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Token' --keypairgen --key-type=RSA:2048 --label=testRsaPssCert --id=0010 --allowed-mechanisms RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA224-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS,SHA384-RSA-PKCS-PSS,SHA512-RSA-PKCS-PSS
+ ca_sign testRsaPssCert 'My RsaPss Cert' 0010 --sign-params=RSA-PSS
+ LABEL=testRsaPssCert
+ CN='My RsaPss Cert'
+ KEYID=0010
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My RsaPss Cert|g' -e 's|serial = .*|serial = 9|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/testRsaPssCert.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/cert.cfg --provider=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --load-privkey 'pkcs11:object=testRsaPssCert;token=Kryoptic%20Token;type=private' --load-pubkey 'pkcs11:object=testRsaPssCert;token=Kryoptic%20Token;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=Kryoptic%20Token;type=private' --sign-params=RSA-PSS
Generating a signed certificate...

Expiration time: Fri Feb 20 13:55:25 2026
CA expiration time: Fri Feb 20 13:55:23 2026
Warning: The time set exceeds the CA's expiration time
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 09
	Validity:
		Not Before: Thu Feb 20 18:55:25 UTC 2025
		Not After: Fri Feb 20 18:55:25 UTC 2026
	Subject: CN=My RsaPss Cert,O=PKCS11 Provider
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: Medium (2048 bits)
		Modulus (bits 2048):
			00:c7:be:5b:2f:e3:88:48:16:be:dd:d6:63:52:fa:cd
			0b:44:2c:9c:ec:1f:e1:cc:eb:43:ff:c3:6b:43:cd:cf
			f8:a9:13:3c:2d:7f:4a:20:27:72:b0:d0:59:f3:46:d0
			65:66:90:8b:f4:b6:57:f2:8e:dd:4f:32:05:72:d0:4a
			ec:a5:21:a8:fa:2c:b9:94:84:ea:b7:00:34:10:a7:ba
			93:36:b5:73:73:31:98:a1:6e:f9:e1:7d:61:66:60:f9
			c3:97:0e:52:12:34:29:4a:48:31:9b:c7:61:98:78:9e
			f2:76:e1:5f:2a:8f:1a:3f:e8:09:ae:73:13:da:68:2b
			c7:05:b8:c6:21:35:47:2a:49:63:d4:db:59:ca:a4:9b
			24:be:b1:c3:5e:83:04:f4:46:e6:cb:7e:da:46:93:b4
			32:de:88:07:30:34:23:69:56:b5:0b:69:18:4d:5e:31
			83:9a:2b:61:88:73:77:16:2b:fd:24:b1:a8:bc:61:4f
			53:14:74:7a:c9:3b:1f:9f:68:79:4b:56:5f:c5:9f:b4
			a3:f3:c7:d9:b7:b4:58:5f:e7:cb:af:8c:83:5e:c1:0e
			45:61:a7:39:7a:94:e8:96:bb:8d:9f:0f:40:9c:08:c0
			75:52:7b:6a:e5:eb:fc:d4:18:40:c7:17:86:d5:7c:c7
			9d
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
			Key encipherment.
		Subject Key Identifier (not critical):
			28544cccc6c2d12dc454a3a1b9ee6bbfae111b0c
		Authority Key Identifier (not critical):
			37967366db74720bc470170c21612725e7d9e62d
Other Information:
	Public Key ID:
		sha1:28544cccc6c2d12dc454a3a1b9ee6bbfae111b0c
		sha256:7f7b29c399b0a8e1b830aaeade5d5dd3b96876c5d83f8f9e09485a1faaf64c6d
	Public Key PIN:
		pin-sha256:f3spw5mwqOG4MKrq3l1d07lodsXYP4+eCUhaH6r2TG0=



Signing certificate...
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/testRsaPssCert.crt --type=cert --id=0010 --label=testRsaPssCert
+ RSAPSSBASEURIWITHPINVALUE='pkcs11:id=%00%10?pin-value=fo0m4nchU'
+ RSAPSSBASEURIWITHPINSOURCE='pkcs11:id=%00%10?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt'
+ RSAPSSBASEURI=pkcs11:id=%00%10
+ RSAPSSPUBURI='pkcs11:type=public;id=%00%10'
+ RSAPSSPRIURI='pkcs11:type=private;id=%00%10'
+ RSAPSSCRTURI='pkcs11:type=cert;object=testRsaPssCert'
+ title LINE 'RSA-PSS PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'RSA-PSS PKCS11 URIS'
+ echo 'pkcs11:id=%00%10?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%10?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt'
+ echo pkcs11:id=%00%10
+ echo 'pkcs11:type=public;id=%00%10'
+ echo 'pkcs11:type=private;id=%00%10'
+ echo 'pkcs11:type=cert;object=testRsaPssCert'
+ echo ''
+ KEYID=0011
+ URIKEYID=%00%11
+ TSTCRTN=testRsaPss2Cert
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Token' --keypairgen --key-type=RSA:3092 --label=testRsaPss2Cert --id=0011 --allowed-mechanisms SHA256-RSA-PKCS-PSS
+ ca_sign testRsaPss2Cert 'My RsaPss2 Cert' 0011 --sign-params=RSA-PSS --hash=SHA256
+ LABEL=testRsaPss2Cert
+ CN='My RsaPss2 Cert'
+ KEYID=0011
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My RsaPss2 Cert|g' -e 's|serial = .*|serial = 10|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/testRsaPss2Cert.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/cert.cfg --provider=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --load-privkey 'pkcs11:object=testRsaPss2Cert;token=Kryoptic%20Token;type=private' --load-pubkey 'pkcs11:object=testRsaPss2Cert;token=Kryoptic%20Token;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=Kryoptic%20Token;type=private' --sign-params=RSA-PSS --hash=SHA256
Generating a signed certificate...

Expiration time: Fri Feb 20 13:55:25 2026
CA expiration time: Fri Feb 20 13:55:23 2026
Warning: The time set exceeds the CA's expiration time
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 0a
	Validity:
		Not Before: Thu Feb 20 18:55:25 UTC 2025
		Not After: Fri Feb 20 18:55:25 UTC 2026
	Subject: CN=My RsaPss2 Cert,O=PKCS11 Provider
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: High (3092 bits)
		Modulus (bits 3092):
			0c:03:86:4f:5d:08:3c:b4:a5:a2:81:60:ca:a1:18:d3
			8e:a2:ca:79:04:93:ee:3b:48:93:e1:4c:b6:ab:bc:95
			4e:c8:12:05:0e:f6:4b:4f:0f:3d:dc:2c:e2:fb:66:c5
			ec:ba:77:0b:8d:90:dc:c3:0a:49:f5:34:a6:57:5d:87
			81:24:91:1c:8a:93:54:01:f2:73:d4:45:d4:25:59:dd
			d0:54:46:3a:55:33:9b:c9:cf:a3:4f:5c:48:ae:ce:2f
			f2:46:04:2f:ee:02:f2:e9:ab:d2:c2:c5:4b:e6:72:ed
			06:b6:51:3e:03:82:9d:a0:ae:43:15:62:c7:3a:9f:07
			38:ce:68:25:52:f6:3c:ad:12:cd:a0:52:03:36:5d:26
			aa:11:49:70:7a:48:65:33:a9:20:3e:ce:cc:1d:2b:86
			1c:b1:a4:2e:e5:ac:63:f2:eb:92:f6:e3:5f:59:8c:b8
			0d:9a:fd:fc:0b:0d:5c:aa:18:c8:fc:5b:6e:a7:58:a8
			89:15:f2:5f:77:f1:89:af:76:d7:a1:8d:e0:53:29:64
			28:fc:fa:6f:6f:0d:b7:ce:3d:47:6d:e1:39:e6:9b:68
			40:4d:14:31:4e:93:09:40:72:56:50:27:79:f7:ca:95
			43:18:88:be:ec:14:fa:90:70:42:78:d7:19:f8:69:66
			4b:65:d7:35:9e:0e:c5:d5:11:eb:6c:2b:33:c9:f2:21
			17:1e:5a:a4:e2:e3:19:47:34:87:64:67:5c:71:ac:95
			32:d9:ab:e9:65:89:37:02:9c:37:6e:83:c0:0a:6f:a3
			83:e9:e2:36:e6:3e:9b:f0:37:c7:6d:09:96:8d:6d:2d
			bc:f2:71:3f:78:f2:14:e8:8c:1f:5c:40:4b:6f:8d:85
			ce:a3:9d:2c:be:48:c3:43:75:1d:33:7b:34:22:3d:18
			d7:3e:33:85:74:62:5b:0d:aa:59:14:08:4a:db:4c:42
			a3:4f:cd:ad:21:da:fe:f9:3f:e5:77:fe:93:6b:15:a3
			08:fc:99
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
			Key encipherment.
		Subject Key Identifier (not critical):
			c88daccad2be7660fe02b11804469d192301919e
		Authority Key Identifier (not critical):
			37967366db74720bc470170c21612725e7d9e62d
Other Information:
	Public Key ID:
		sha1:c88daccad2be7660fe02b11804469d192301919e
		sha256:ec5f309c21e3586c5cea58a561d364bedc2a4d8bc0f7bd47444b9b5480bcc806
	Public Key PIN:
		pin-sha256:7F8wnCHjWGxc6lilYdNkvtwqTYvA971HREubVIC8yAY=



Signing certificate...
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/testRsaPss2Cert.crt --type=cert --id=0011 --label=testRsaPss2Cert
+ RSAPSS2BASEURIWITHPINVALUE='pkcs11:id=%00%11?pin-value=fo0m4nchU'
+ RSAPSS2BASEURIWITHPINSOURCE='pkcs11:id=%00%11?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt'
+ RSAPSS2BASEURI=pkcs11:id=%00%11
+ RSAPSS2PUBURI='pkcs11:type=public;id=%00%11'
+ RSAPSS2PRIURI='pkcs11:type=private;id=%00%11'
+ RSAPSS2CRTURI='pkcs11:type=cert;object=testRsaPss2Cert'
+ title LINE 'RSA-PSS 2 PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'RSA-PSS 2 PKCS11 URIS'
+ echo 'pkcs11:id=%00%11?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%11?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt'
+ echo pkcs11:id=%00%11
+ echo 'pkcs11:type=public;id=%00%11'
+ echo 'pkcs11:type=private;id=%00%11'
+ echo 'pkcs11:type=cert;object=testRsaPss2Cert'
+ echo ''
+ title PARA 'Show contents of kryoptic token'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## Show contents of kryoptic token'
+ '[' -f '' ']'
+ echo ' ----------------------------------------------------------------------------------------------------'
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Token' -O
+ echo ' ----------------------------------------------------------------------------------------------------'
+ title PARA 'Output configurations'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## Output configurations'
+ '[' -f '' ']'
+ OPENSSL_CONF=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/openssl.cnf
+ title LINE 'Generate openssl config file'
+ case "$1" in
+ shift 1
+ echo 'Generate openssl config file'
+ sed -e 's|@libtoollibs@|/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/src|g' -e 's|@testsblddir@|/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests|g' -e 's|@testsdir@|/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic|g' -e 's|@SHARED_EXT@|.so|g' -e 's|@PINFILE@|/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/pinfile.txt|g' -e 's|##TOKENOPTIONS|pkcs11-module-assume-fips = true|g' /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/openssl.cnf.in
+ title LINE 'Export test variables to /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/testvars'
+ case "$1" in
+ shift 1
+ echo 'Export test variables to /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/testvars'
+ cat
+ '[' -n '' ']'
+ '[' -n '' ']'
+ '[' -n '' ']'
+ '[' -n pkcs11:id=%00%10 ']'
+ cat
+ cat
+ gen_unsetvars
+ grep '^export' /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/testvars
+ sed -e s/export/unset/ -e 's/=.*$//'
+ title ENDSECTION
+ case "$1" in
+ echo ''
+ echo '                                      ##'
+ echo '########################################'
+ echo ''
==============================================================================

==================================== 4/92 ====================================
test:         pkcs11-provider:kryoptic.nss / setup
start time:   18:55:26
duration:     6.18s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 LIBSPATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/src MALLOC_PERTURB_=220 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TESTSSRCDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests SHARED_EXT=.so SOFTOKNPATH=/usr/lib64 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 P11KITCLIENTPATH=/usr/lib64/pkcs11/p11-kit-client.so /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/setup.sh kryoptic.nss
----------------------------------- stdout -----------------------------------
########################################
## Searching for Kryoptic module

Using kryoptic path /tmp/kryoptic/target/debug/libkryoptic_pkcs11.so
Creating Kyroptic database
Using slot 0 with a present token (0x2a)
Token successfully initialized
Using slot 0 with a present token (0x2a)
User PIN successfully initialized
Creating new Self Sign CA
Key pair generated:
Private Key Object; RSA 
  label:      caCert
  ID:         0000
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0000;object=caCert;type=private
Public Key Object; RSA 2048 bits
  label:      caCert
  ID:         0000
  Usage:      encrypt, verify
  Access:     local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0000;object=caCert;type=public
Generating a self signed certificate...
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 02
	Validity:
		Not Before: Thu Feb 20 18:55:26 UTC 2025
		Not After: Fri Feb 20 18:55:26 UTC 2026
	Subject: CN=Issuer
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: Medium (2048 bits)
		Modulus (bits 2048):
			00:e5:15:c3:97:fd:30:18:45:f7:6f:c7:75:17:c0:c2
			eb:67:c9:cb:65:58:29:17:16:2c:55:18:49:8b:c4:e1
			e7:11:a5:48:df:96:a1:4b:f3:0d:bf:51:81:1d:80:8e
			fe:d5:4b:6a:89:6d:07:a8:84:5d:71:6f:ed:a9:83:84
			95:a8:e2:b3:5b:58:fc:24:1a:3d:4c:5e:04:94:c0:02
			ae:6f:c4:6d:db:55:91:16:60:42:a3:0c:ed:f3:44:7a
			07:9e:d6:58:50:1c:8a:80:19:49:e6:6d:4e:2a:84:35
			46:f7:77:20:7b:9b:dc:7b:47:cf:5e:0d:75:1a:9c:b8
			e9:40:64:e9:9b:89:c7:36:3e:3a:07:71:ec:17:0e:45
			44:23:27:3f:ba:09:55:91:d5:f2:a1:41:a7:91:62:c4
			40:e9:36:1f:32:ae:43:e2:79:69:ba:10:30:1f:fe:3d
			a7:fa:d1:b2:a1:08:f5:da:a9:38:f9:ab:93:6a:96:d2
			68:1f:9b:21:57:38:f7:c5:a8:ad:8d:0f:85:bc:cd:0a
			58:32:5b:61:1e:f0:45:9c:3d:44:8c:83:4d:de:34:42
			92:4c:0d:f7:d9:bb:d4:ea:5f:f0:33:7f:90:b2:ff:5d
			b0:f7:20:48:a2:e6:b1:8b:bd:b0:08:e1:e7:a8:b1:17
			8b
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): TRUE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
			Certificate signing.
		Subject Key Identifier (not critical):
			05a2e333f7d8dedeb749fc62b31bfddd21b4f5a5
Other Information:
	Public Key ID:
		sha1:05a2e333f7d8dedeb749fc62b31bfddd21b4f5a5
		sha256:27e4b3b067df6c06066caf54a97e2ff9b0a3c589a63f76c63041f69fb5aae126
	Public Key PIN:
		pin-sha256:J+SzsGffbAYGbK9UqX4v+bCjxYmmP3bGMEH2n7Wq4SY=



Signing certificate...
Created certificate:
Certificate Object; type = X.509 cert
  label:      caCert
  subject:    DN: CN=Issuer
  serial:     02
  ID:         0000
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0000;object=caCert;type=cert
RSA PKCS11 URIS
pkcs11:id=%00%00?pin-value=fo0m4nchU
pkcs11:id=%00%00?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt
pkcs11:id=%00%00
pkcs11:type=public;id=%00%00
pkcs11:type=private;id=%00%00
pkcs11:type=cert;object=caCert

Key pair generated:
Private Key Object; RSA 
  label:      testCert
  ID:         0001
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0001;object=testCert;type=private
Public Key Object; RSA 2048 bits
  label:      testCert
  ID:         0001
  Usage:      encrypt, verify
  Access:     local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0001;object=testCert;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      testCert
  subject:    DN: O=PKCS11 Provider, CN=My Test Cert
  serial:     03
  ID:         0001
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0001;object=testCert;type=cert
RSA PKCS11 URIS
pkcs11:id=%00%01?pin-value=fo0m4nchU
pkcs11:id=%00%01?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt
pkcs11:id=%00%01
pkcs11:type=public;id=%00%01
pkcs11:type=private;id=%00%01
pkcs11:type=cert;object=testCert

Key pair generated:
Private Key Object; EC
  label:      ecCert
  ID:         0002
  Usage:      sign, derive
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0002;object=ecCert;type=private
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104d5af22f8f68ecccc74a4ea73e4eb38fb54f3ae8c977bad88085ae66037890f9537617c9579762649f5beaf34e41838ed980254ab823e80f87d8ad905fbd3db00
  EC_PARAMS:  06082a8648ce3d030107 (OID 1.2.840.10045.3.1.7)
  label:      ecCert
  ID:         0002
  Usage:      verify, derive
  Access:     local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0002;object=ecCert;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      ecCert
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert
  serial:     04
  ID:         0002
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0002;object=ecCert;type=cert
Key pair generated:
Private Key Object; EC
  label:      ecPeerCert
  ID:         0003
  Usage:      sign, derive
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0003;object=ecPeerCert;type=private
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104aff73b5d9bb4b20cc83f4408f0c49f347ef77c5e09ef2e27f3a9ae92ecc5d048858ad362a16ba2b6dbac9e914acc4a9026e4e572d848d05b0620cff6ffbf1fa2
  EC_PARAMS:  06082a8648ce3d030107 (OID 1.2.840.10045.3.1.7)
  label:      ecPeerCert
  ID:         0003
  Usage:      verify, derive
  Access:     local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0003;object=ecPeerCert;type=public
Generating a self signed certificate...
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 05
	Validity:
		Not Before: Thu Feb 20 18:55:29 UTC 2025
		Not After: Fri Feb 20 18:55:29 UTC 2026
	Subject: CN=My Peer EC Cert
	Subject Public Key Algorithm: EC/ECDSA
	Algorithm Security Level: High (256 bits)
		Curve:	SECP256R1
		X:
			00:af:f7:3b:5d:9b:b4:b2:0c:c8:3f:44:08:f0:c4:9f
			34:7e:f7:7c:5e:09:ef:2e:27:f3:a9:ae:92:ec:c5:d0
			48
		Y:
			00:85:8a:d3:62:a1:6b:a2:b6:db:ac:9e:91:4a:cc:4a
			90:26:e4:e5:72:d8:48:d0:5b:06:20:cf:f6:ff:bf:1f
			a2
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): TRUE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
			Certificate signing.
		Subject Key Identifier (not critical):
			f5d3e2d2ab36a00746a296421fa718f1548b806c
Other Information:
	Public Key ID:
		sha1:f5d3e2d2ab36a00746a296421fa718f1548b806c
		sha256:e17a909e10438f2e231af94669b9afa54a477f6733717aa3c30461edf7437383
	Public Key PIN:
		pin-sha256:4XqQnhBDjy4jGvlGabmvpUpHf2czcXqjwwRh7fdDc4M=



Signing certificate...
Created certificate:
Certificate Object; type = X.509 cert
  label:      ecPeerCert
  subject:    DN: CN=My Peer EC Cert
  serial:     05
  ID:         0003
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0003;object=ecPeerCert;type=cert
EC PKCS11 URIS
pkcs11:id=%00%02?pin-value=fo0m4nchU
pkcs11:id=%00%02?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt
pkcs11:id=%00%02
pkcs11:type=public;id=%00%02
pkcs11:type=private;id=%00%02
pkcs11:type=cert;object=ecCert
pkcs11:id=%00%03?pin-value=fo0m4nchU
pkcs11:id=%00%03?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt
pkcs11:id=%00%03
pkcs11:type=public;id=%00%03
pkcs11:type=private;id=%00%03
pkcs11:type=cert;object=ecPeerCert


## generate RSA key pair, self-signed certificate, remove public key
Key pair generated:
Private Key Object; RSA 
  label:      testCert2
  ID:         0005
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0005;object=testCert2;type=private
Public Key Object; RSA 2048 bits
  label:      testCert2
  ID:         0005
  Usage:      encrypt, verify
  Access:     local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0005;object=testCert2;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      testCert2
  subject:    DN: O=PKCS11 Provider, CN=My Test Cert 2
  serial:     06
  ID:         0005
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0005;object=testCert2;type=cert
RSA2 PKCS11 URIS
pkcs11:id=%00%05?pin-value=fo0m4nchU
pkcs11:id=%00%05?pin-source=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt
pkcs11:id=%00%05
pkcs11:type=private;id=%00%05
pkcs11:type=cert;object=testCert2


## generate EC key pair, self-signed certificate, remove public key
Key pair generated:
Private Key Object; EC
  label:      ecCert2
  ID:         0006
  Usage:      sign, derive
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0006;object=ecCert2;type=private
Public Key Object; EC  EC_POINT 384 bits
  EC_POINT:   046104fd50ed2016e98d7cbb113fdf7fbd8b8212911b459c1a69c3a5ba0c6dbebc12816f9c52da5e81c6d94f53dabf9b2f9a84c97684c7e997a533bbaf6dfb2f825f6ac97673d0a6ef49a9b8a2f5d56692682ca17b4d04f0289a3f3bc5ea0326845abc
  EC_PARAMS:  06052b81040022 (OID 1.3.132.0.34)
  label:      ecCert2
  ID:         0006
  Usage:      verify, derive
  Access:     local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0006;object=ecCert2;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      ecCert2
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert 2
  serial:     07
  ID:         0006
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0006;object=ecCert2;type=cert
EC2 PKCS11 URIS
pkcs11:id=%00%06?pin-value=fo0m4nchU
pkcs11:id=%00%06?pin-source=file/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt
pkcs11:id=%00%06
pkcs11:type=private;id=%00%06
pkcs11:type=cert;object=ecCert2


## explicit EC unsupported

## generate EC key pair with ALWAYS AUTHENTICATE flag, self-signed certificate
Key pair generated:
Private Key Object; EC
  label:      ecCert3
  ID:         0008
  Usage:      sign, derive
  Access:     always authenticate, sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0008;object=ecCert3;type=private
Public Key Object; EC  EC_POINT 528 bits
  EC_POINT:   0481850400136b67db5e1efde010bd041f02f9a3ed172384bf92f1dd00476d367969842c83c3ba4a4614eca34f1479285cd52811401b8ccbb1fec7058c4609b9b340e3d951b300b15182cc1492c98bd9db6df845bce76d7655f2638de427e151f1abbfd63fdb9493818f18df5acbc3b010a60bcdc25556f1faee65b0b9486f89f11d8aa9f76e9e83
  EC_PARAMS:  06052b81040023 (OID 1.3.132.0.35)
  label:      ecCert3
  ID:         0008
  Usage:      verify, derive
  Access:     local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0008;object=ecCert3;type=public
Created certificate:
Certificate Object; type = X.509 cert
  label:      ecCert3
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert 3
  serial:     08
  ID:         0008
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0008;object=ecCert3;type=cert
EC3 PKCS11 URIS
pkcs11:id=%00%08?pin-value=fo0m4nchU
pkcs11:id=%00%08?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt
pkcs11:id=%00%08
pkcs11:type=public;id=%00%08
pkcs11:type=private;id=%00%08
pkcs11:type=cert;object=ecCert3


## Show contents of kryoptic.nss token
 ----------------------------------------------------------------------------------------------------
Public Key Object; RSA 2048 bits
  label:      caCert
  ID:         0000
  Usage:      encrypt, verify
  Access:     local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0000;object=caCert;type=public
Certificate Object; type = X.509 cert
  label:      caCert
  subject:    DN: CN=Issuer
  serial:     02
  ID:         0000
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0000;object=caCert;type=cert
Public Key Object; RSA 2048 bits
  label:      testCert
  ID:         0001
  Usage:      encrypt, verify
  Access:     local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0001;object=testCert;type=public
Certificate Object; type = X.509 cert
  label:      testCert
  subject:    DN: O=PKCS11 Provider, CN=My Test Cert
  serial:     03
  ID:         0001
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0001;object=testCert;type=cert
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104d5af22f8f68ecccc74a4ea73e4eb38fb54f3ae8c977bad88085ae66037890f9537617c9579762649f5beaf34e41838ed980254ab823e80f87d8ad905fbd3db00
  EC_PARAMS:  06082a8648ce3d030107 (OID 1.2.840.10045.3.1.7)
  label:      ecCert
  ID:         0002
  Usage:      verify, derive
  Access:     local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0002;object=ecCert;type=public
Certificate Object; type = X.509 cert
  label:      ecCert
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert
  serial:     04
  ID:         0002
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0002;object=ecCert;type=cert
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104aff73b5d9bb4b20cc83f4408f0c49f347ef77c5e09ef2e27f3a9ae92ecc5d048858ad362a16ba2b6dbac9e914acc4a9026e4e572d848d05b0620cff6ffbf1fa2
  EC_PARAMS:  06082a8648ce3d030107 (OID 1.2.840.10045.3.1.7)
  label:      ecPeerCert
  ID:         0003
  Usage:      verify, derive
  Access:     local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0003;object=ecPeerCert;type=public
Certificate Object; type = X.509 cert
  label:      ecPeerCert
  subject:    DN: CN=My Peer EC Cert
  serial:     05
  ID:         0003
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0003;object=ecPeerCert;type=cert
Public Key Object; RSA 2048 bits
  label:      testCert2
  ID:         0005
  Usage:      encrypt, verify
  Access:     local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0005;object=testCert2;type=public
Certificate Object; type = X.509 cert
  label:      testCert2
  subject:    DN: O=PKCS11 Provider, CN=My Test Cert 2
  serial:     06
  ID:         0005
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0005;object=testCert2;type=cert
Public Key Object; EC  EC_POINT 384 bits
  EC_POINT:   046104fd50ed2016e98d7cbb113fdf7fbd8b8212911b459c1a69c3a5ba0c6dbebc12816f9c52da5e81c6d94f53dabf9b2f9a84c97684c7e997a533bbaf6dfb2f825f6ac97673d0a6ef49a9b8a2f5d56692682ca17b4d04f0289a3f3bc5ea0326845abc
  EC_PARAMS:  06052b81040022 (OID 1.3.132.0.34)
  label:      ecCert2
  ID:         0006
  Usage:      verify, derive
  Access:     local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0006;object=ecCert2;type=public
Certificate Object; type = X.509 cert
  label:      ecCert2
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert 2
  serial:     07
  ID:         0006
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0006;object=ecCert2;type=cert
Public Key Object; EC  EC_POINT 528 bits
  EC_POINT:   0481850400136b67db5e1efde010bd041f02f9a3ed172384bf92f1dd00476d367969842c83c3ba4a4614eca34f1479285cd52811401b8ccbb1fec7058c4609b9b340e3d951b300b15182cc1492c98bd9db6df845bce76d7655f2638de427e151f1abbfd63fdb9493818f18df5acbc3b010a60bcdc25556f1faee65b0b9486f89f11d8aa9f76e9e83
  EC_PARAMS:  06052b81040023 (OID 1.3.132.0.35)
  label:      ecCert3
  ID:         0008
  Usage:      verify, derive
  Access:     local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0008;object=ecCert3;type=public
Certificate Object; type = X.509 cert
  label:      ecCert3
  subject:    DN: O=PKCS11 Provider, CN=My EC Cert 3
  serial:     08
  ID:         0008
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0008;object=ecCert3;type=cert
Private Key Object; RSA 
  label:      caCert
  ID:         0000
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0000;object=caCert;type=private
Private Key Object; RSA 
  label:      testCert
  ID:         0001
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0001;object=testCert;type=private
Private Key Object; EC
  label:      ecCert
  ID:         0002
  Usage:      sign, derive
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0002;object=ecCert;type=private
Private Key Object; EC
  label:      ecPeerCert
  ID:         0003
  Usage:      sign, derive
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0003;object=ecPeerCert;type=private
Private Key Object; RSA 
  label:      testCert2
  ID:         0005
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0005;object=testCert2;type=private
Private Key Object; EC
  label:      ecCert2
  ID:         0006
  Usage:      sign, derive
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0006;object=ecCert2;type=private
Private Key Object; EC
  label:      ecCert3
  ID:         0008
  Usage:      sign, derive
  Access:     always authenticate, sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Soft%20Token;id=%0008;object=ecCert3;type=private
 ----------------------------------------------------------------------------------------------------

## Output configurations
Generate openssl config file
Export test variables to /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/testvars

                                      ##
########################################

----------------------------------- stderr -----------------------------------
+ source /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/helpers.sh
++ : /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests
++ helper_emit=1
++ sed --version
++ grep -q 'GNU sed'
++ sed_inplace=('-i')
++ export sed_inplace
+ '[' 1 -ne 1 ']'
+ TOKENTYPE=kryoptic.nss
+ SUPPORT_ED25519=1
+ SUPPORT_ED448=1
+ SUPPORT_RSA_PKCS1_ENCRYPTION=1
+ SUPPORT_RSA_KEYGEN_PUBLIC_EXPONENT=1
+ SUPPORT_TLSFUZZER=1
+ SUPPORT_ALLOWED_MECHANISMS=0
++ opensc-tool -i
++ grep OpenSC
++ sed -e 's/OpenSC 0\.\([0-9]*\).*/\1/'
+ OPENSC_VERSION=26
+ [[ 26 -le 25 ]]
+ PINVALUE=12345678
+ [[ '' = \1 ]]
++ cat /proc/sys/crypto/fips_enabled
+ [[ 1 = \1 ]]
+ SUPPORT_ED25519=0
+ SUPPORT_ED448=0
+ SUPPORT_RSA_PKCS1_ENCRYPTION=0
+ SUPPORT_RSA_KEYGEN_PUBLIC_EXPONENT=0
+ SUPPORT_TLSFUZZER=0
+ TOKENOPTIONS='pkcs11-module-assume-fips = true'
+ PINVALUE=fo0m4nchU
+ TMPPDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss
+ TOKDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/tokens
+ '[' -d /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss ']'
+ rm -fr /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss
+ mkdir /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss
+ mkdir /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/tokens
+ PINFILE=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt
+ echo fo0m4nchU
+ export GNUTLS_PIN=fo0m4nchU
+ GNUTLS_PIN=fo0m4nchU
+ '[' kryoptic.nss == softhsm ']'
+ '[' kryoptic.nss == softokn ']'
+ '[' kryoptic.nss == kryoptic ']'
+ '[' kryoptic.nss == kryoptic.nss ']'
+ source /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/kryoptic.nss-init.sh
++ export KRYOPTIC_CONF=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/kryoptic.conf
++ KRYOPTIC_CONF=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/kryoptic.conf
++ cat
++ export 'TOKENLABEL=Kryoptic Soft Token'
++ TOKENLABEL='Kryoptic Soft Token'
++ export TOKENLABELURI=Kryoptic%20Soft%20Token
++ TOKENLABELURI=Kryoptic%20Soft%20Token
++ source /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/kryoptic-init.sh
+++ title SECTION 'Searching for Kryoptic module'
+++ case "$1" in
+++ shift 1
+++ echo '########################################'
+++ echo '## Searching for Kryoptic module'
+++ echo ''
+++ find_kryoptic /tmp/kryoptic/target/debug/libkryoptic_pkcs11.so /tmp/kryoptic/target/release/libkryoptic_pkcs11.so /usr/local/lib/kryoptic/libkryoptic_pkcs11so /usr/lib64/pkcs11/libkryoptic_pkcs11.so /usr/lib/pkcs11/libkryoptic_pkcs11.so /usr/lib/x86_64-linux-gnu/kryoptic/libkryoptic_pkcs11.so
+++ for _lib in "$@"
+++ test -f /tmp/kryoptic/target/debug/libkryoptic_pkcs11.so
+++ echo 'Using kryoptic path /tmp/kryoptic/target/debug/libkryoptic_pkcs11.so'
+++ P11LIB=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so
+++ return
+++ title LINE 'Creating Kyroptic database'
+++ case "$1" in
+++ shift 1
+++ echo 'Creating Kyroptic database'
+++ export KRYOPTIC_CONF=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/kryoptic.conf
+++ KRYOPTIC_CONF=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/kryoptic.conf
+++ export 'TOKENLABEL=Kryoptic Soft Token'
+++ TOKENLABEL='Kryoptic Soft Token'
+++ export TOKENLABELURI=Kryoptic%20Soft%20Token
+++ TOKENLABELURI=Kryoptic%20Soft%20Token
+++ pkcs11-tool --module /tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --init-token --label 'Kryoptic Soft Token' --so-pin fo0m4nchU
+++ pkcs11-tool --module /tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --so-pin fo0m4nchU --login --login-type so --init-pin --pin fo0m4nchU
+++ export 'TOKENCONFIGVARS=export KRYOPTIC_CONF=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/tokens/kryoptic.sql'
+++ TOKENCONFIGVARS='export KRYOPTIC_CONF=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/tokens/kryoptic.sql'
+++ export TESTPORT=34000
+++ TESTPORT=34000
+++ export KRYOPTIC_EC_POINT_ENCODING=DER
+++ KRYOPTIC_EC_POINT_ENCODING=DER
+++ export SUPPORT_ALLOWED_MECHANISMS=1
+++ SUPPORT_ALLOWED_MECHANISMS=1
++ export 'TOKENCONFIGVARS=export KRYOPTIC_CONF=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/kryoptic.conf'
++ TOKENCONFIGVARS='export KRYOPTIC_CONF=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/kryoptic.conf'
++ export 'TOKENOPTIONS=pkcs11-module-assume-fips = true\npkcs11-module-quirks = no-allowed-mechanisms'
++ TOKENOPTIONS='pkcs11-module-assume-fips = true\npkcs11-module-quirks = no-allowed-mechanisms'
++ export TESTPORT=36000
++ TESTPORT=36000
++ export SUPPORT_ALLOWED_MECHANISMS=0
++ SUPPORT_ALLOWED_MECHANISMS=0
+ SEEDFILE=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/noisefile.bin
+ dd if=/dev/urandom of=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/noisefile.bin bs=2048 count=1
+ RAND64FILE=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/64krandom.bin
+ dd if=/dev/urandom of=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/64krandom.bin bs=2048 count=32
++ uname
+ '[' Linux == Darwin ']'
++ type -p certtool
+ certtool=/usr/bin/certtool
+ '[' -z /usr/bin/certtool ']'
+ P11DEFARGS=("--module=${P11LIB}" "--login" "--pin=${PINVALUE}" "--token-label=${TOKENLABEL}")
+ cat
+ SERIAL=1
+ title LINE 'Creating new Self Sign CA'
+ case "$1" in
+ shift 1
+ echo 'Creating new Self Sign CA'
+ KEYID=0000
+ URIKEYID=%00%00
+ CACRTN=caCert
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Soft Token' --keypairgen --key-type=RSA:2048 --label=caCert --id=0000
+ crt_selfsign caCert Issuer 0000
+ LABEL=caCert
+ CN=Issuer
+ KEYID=0000
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = Issuer|g' -e 's|serial = .*|serial = 2|g' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/cacert.cfg
+ /usr/bin/certtool --generate-self-signed --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/cacert.cfg --provider=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --load-privkey 'pkcs11:object=caCert;token=Kryoptic%20Soft%20Token;type=private' --load-pubkey 'pkcs11:object=caCert;token=Kryoptic%20Soft%20Token;type=public' --outder
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Soft Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.crt --type=cert --id=0000 --label=caCert
+ CACRT_PEM=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.pem
+ CACRT=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.crt
+ openssl x509 -inform DER -in /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.crt -outform PEM -out /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.pem
+ CABASEURIWITHPINVALUE='pkcs11:id=%00%00?pin-value=fo0m4nchU'
+ CABASEURIWITHPINSOURCE='pkcs11:id=%00%00?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt'
+ CABASEURI=pkcs11:id=%00%00
+ CAPUBURI='pkcs11:type=public;id=%00%00'
+ CAPRIURI='pkcs11:type=private;id=%00%00'
+ CACRTURI='pkcs11:type=cert;object=caCert'
+ title LINE 'RSA PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'RSA PKCS11 URIS'
+ echo 'pkcs11:id=%00%00?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%00?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt'
+ echo pkcs11:id=%00%00
+ echo 'pkcs11:type=public;id=%00%00'
+ echo 'pkcs11:type=private;id=%00%00'
+ echo 'pkcs11:type=cert;object=caCert'
+ echo ''
+ cat /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/cacert.cfg
+ echo 'organization = "PKCS11 Provider"'
+ sed -e '/^cert_signing_key$/d' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/cert.cfg
+ KEYID=0001
+ URIKEYID=%00%01
+ TSTCRTN=testCert
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Soft Token' --keypairgen --key-type=RSA:2048 --label=testCert --id=0001
+ ca_sign testCert 'My Test Cert' 0001
+ LABEL=testCert
+ CN='My Test Cert'
+ KEYID=0001
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My Test Cert|g' -e 's|serial = .*|serial = 3|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/testCert.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/cert.cfg --provider=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --load-privkey 'pkcs11:object=testCert;token=Kryoptic%20Soft%20Token;type=private' --load-pubkey 'pkcs11:object=testCert;token=Kryoptic%20Soft%20Token;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=Kryoptic%20Soft%20Token;type=private'
Generating a signed certificate...

Expiration time: Fri Feb 20 13:55:28 2026
CA expiration time: Fri Feb 20 13:55:26 2026
Warning: The time set exceeds the CA's expiration time
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 03
	Validity:
		Not Before: Thu Feb 20 18:55:28 UTC 2025
		Not After: Fri Feb 20 18:55:28 UTC 2026
	Subject: CN=My Test Cert,O=PKCS11 Provider
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: Medium (2048 bits)
		Modulus (bits 2048):
			00:cb:ec:3d:66:23:30:ec:66:d9:b5:ff:2e:99:4f:72
			d4:f4:a0:83:a3:7e:8d:1d:fd:be:5d:1b:48:75:8c:a3
			9e:b1:dc:28:1c:c3:b5:fb:9c:4c:2d:7c:85:78:c8:e2
			20:38:13:8d:59:63:55:1b:ba:b9:7f:7d:c4:57:01:8b
			a5:b8:b1:ad:52:7f:8a:20:7f:2f:f4:34:30:a0:3c:06
			a5:dc:f5:5d:c0:33:5c:1a:48:ef:e0:17:7c:7d:f2:8b
			a0:ce:82:9a:ca:dc:bd:0a:8c:53:28:a7:2e:16:15:b7
			aa:ba:0d:bc:eb:2d:2b:39:3b:05:34:d1:b7:f8:44:f3
			3f:35:ab:b2:f2:7f:15:e0:d9:f6:cc:5c:46:a1:df:e8
			c0:b8:5d:04:e9:8e:a9:b0:23:ff:26:22:0e:ad:07:96
			5a:51:2e:4f:5e:98:9e:36:d5:db:f2:71:b6:1d:32:67
			f5:ca:78:f9:25:b8:ad:4c:1d:05:b8:d0:d2:f2:11:c1
			12:e6:e5:ad:48:74:f6:04:73:44:e9:73:26:34:0e:5a
			d7:33:82:36:cc:50:0b:39:89:40:ba:43:83:2b:4d:d5
			a4:44:71:d3:bf:d9:20:ab:f7:55:d6:d4:2e:b7:ec:20
			15:67:bc:2c:5d:ca:e6:05:fe:01:76:2a:1c:40:5a:f8
			11
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
			Key encipherment.
		Subject Key Identifier (not critical):
			9fc3e2dbe89b79b961d6bbb9c896e780be26a482
		Authority Key Identifier (not critical):
			05a2e333f7d8dedeb749fc62b31bfddd21b4f5a5
Other Information:
	Public Key ID:
		sha1:9fc3e2dbe89b79b961d6bbb9c896e780be26a482
		sha256:b52bd1d37e72e2da0bd1d0d69fbadb3d16551f0e06611a112036a5d9dd62d9c6
	Public Key PIN:
		pin-sha256:tSvR035y4toL0dDWn7rbPRZVHw4GYRoRIDal2d1i2cY=



Signing certificate...
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Soft Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/testCert.crt --type=cert --id=0001 --label=testCert
+ BASEURIWITHPINVALUE='pkcs11:id=%00%01?pin-value=fo0m4nchU'
+ BASEURIWITHPINSOURCE='pkcs11:id=%00%01?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt'
+ BASEURI=pkcs11:id=%00%01
+ PUBURI='pkcs11:type=public;id=%00%01'
+ PRIURI='pkcs11:type=private;id=%00%01'
+ CRTURI='pkcs11:type=cert;object=testCert'
+ title LINE 'RSA PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'RSA PKCS11 URIS'
+ echo 'pkcs11:id=%00%01?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%01?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt'
+ echo pkcs11:id=%00%01
+ echo 'pkcs11:type=public;id=%00%01'
+ echo 'pkcs11:type=private;id=%00%01'
+ echo 'pkcs11:type=cert;object=testCert'
+ echo ''
+ KEYID=0002
+ URIKEYID=%00%02
+ ECCRTN=ecCert
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Soft Token' --keypairgen --key-type=EC:secp256r1 --label=ecCert --id=0002
+ ca_sign ecCert 'My EC Cert' 0002
+ LABEL=ecCert
+ CN='My EC Cert'
+ KEYID=0002
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My EC Cert|g' -e 's|serial = .*|serial = 4|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/ecCert.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/cert.cfg --provider=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --load-privkey 'pkcs11:object=ecCert;token=Kryoptic%20Soft%20Token;type=private' --load-pubkey 'pkcs11:object=ecCert;token=Kryoptic%20Soft%20Token;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=Kryoptic%20Soft%20Token;type=private'
Generating a signed certificate...

Expiration time: Fri Feb 20 13:55:28 2026
CA expiration time: Fri Feb 20 13:55:26 2026
Warning: The time set exceeds the CA's expiration time
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 04
	Validity:
		Not Before: Thu Feb 20 18:55:28 UTC 2025
		Not After: Fri Feb 20 18:55:28 UTC 2026
	Subject: CN=My EC Cert,O=PKCS11 Provider
	Subject Public Key Algorithm: EC/ECDSA
	Algorithm Security Level: High (256 bits)
		Curve:	SECP256R1
		X:
			00:d5:af:22:f8:f6:8e:cc:cc:74:a4:ea:73:e4:eb:38
			fb:54:f3:ae:8c:97:7b:ad:88:08:5a:e6:60:37:89:0f
			95
		Y:
			37:61:7c:95:79:76:26:49:f5:be:af:34:e4:18:38:ed
			98:02:54:ab:82:3e:80:f8:7d:8a:d9:05:fb:d3:db:00
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
		Subject Key Identifier (not critical):
			05a68c207afb038ff8131431b5b0b94b576fbc3f
		Authority Key Identifier (not critical):
			05a2e333f7d8dedeb749fc62b31bfddd21b4f5a5
Other Information:
	Public Key ID:
		sha1:05a68c207afb038ff8131431b5b0b94b576fbc3f
		sha256:7ec4075e902cdc37c18e6a2ebb3d13764c956cc7441fdbc8a78b4f30b7deb63f
	Public Key PIN:
		pin-sha256:fsQHXpAs3DfBjmouuz0TdkyVbMdEH9vIp4tPMLfetj8=



Signing certificate...
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Soft Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/ecCert.crt --type=cert --id=0002 --label=ecCert
+ ECBASEURIWITHPINVALUE='pkcs11:id=%00%02?pin-value=fo0m4nchU'
+ ECBASEURIWITHPINSOURCE='pkcs11:id=%00%02?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt'
+ ECBASEURI=pkcs11:id=%00%02
+ ECPUBURI='pkcs11:type=public;id=%00%02'
+ ECPRIURI='pkcs11:type=private;id=%00%02'
+ ECCRTURI='pkcs11:type=cert;object=ecCert'
+ KEYID=0003
+ URIKEYID=%00%03
+ ECPEERCRTN=ecPeerCert
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Soft Token' --keypairgen --key-type=EC:secp256r1 --label=ecPeerCert --id=0003
+ crt_selfsign ecPeerCert 'My Peer EC Cert' 0003
+ LABEL=ecPeerCert
+ CN='My Peer EC Cert'
+ KEYID=0003
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My Peer EC Cert|g' -e 's|serial = .*|serial = 5|g' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/cacert.cfg
+ /usr/bin/certtool --generate-self-signed --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/ecPeerCert.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/cacert.cfg --provider=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --load-privkey 'pkcs11:object=ecPeerCert;token=Kryoptic%20Soft%20Token;type=private' --load-pubkey 'pkcs11:object=ecPeerCert;token=Kryoptic%20Soft%20Token;type=public' --outder
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Soft Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/ecPeerCert.crt --type=cert --id=0003 --label=ecPeerCert
+ ECPEERBASEURIWITHPINVALUE='pkcs11:id=%00%03?pin-value=fo0m4nchU'
+ ECPEERBASEURIWITHPINSOURCE='pkcs11:id=%00%03?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt'
+ ECPEERBASEURI=pkcs11:id=%00%03
+ ECPEERPUBURI='pkcs11:type=public;id=%00%03'
+ ECPEERPRIURI='pkcs11:type=private;id=%00%03'
+ ECPEERCRTURI='pkcs11:type=cert;object=ecPeerCert'
+ title LINE 'EC PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'EC PKCS11 URIS'
+ echo 'pkcs11:id=%00%02?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%02?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt'
+ echo pkcs11:id=%00%02
+ echo 'pkcs11:type=public;id=%00%02'
+ echo 'pkcs11:type=private;id=%00%02'
+ echo 'pkcs11:type=cert;object=ecCert'
+ echo 'pkcs11:id=%00%03?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%03?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt'
+ echo pkcs11:id=%00%03
+ echo 'pkcs11:type=public;id=%00%03'
+ echo 'pkcs11:type=private;id=%00%03'
+ echo 'pkcs11:type=cert;object=ecPeerCert'
+ echo ''
+ '[' 0 -eq 1 ']'
+ '[' 0 -eq 1 ']'
+ title PARA 'generate RSA key pair, self-signed certificate, remove public key'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## generate RSA key pair, self-signed certificate, remove public key'
+ '[' -f '' ']'
+ KEYID=0005
+ URIKEYID=%00%05
+ TSTCRTN=testCert2
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Soft Token' --keypairgen --key-type=RSA:2048 --label=testCert2 --id=0005
+ ca_sign testCert2 'My Test Cert 2' 0005
+ LABEL=testCert2
+ CN='My Test Cert 2'
+ KEYID=0005
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My Test Cert 2|g' -e 's|serial = .*|serial = 6|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/testCert2.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/cert.cfg --provider=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --load-privkey 'pkcs11:object=testCert2;token=Kryoptic%20Soft%20Token;type=private' --load-pubkey 'pkcs11:object=testCert2;token=Kryoptic%20Soft%20Token;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=Kryoptic%20Soft%20Token;type=private'
Generating a signed certificate...

Expiration time: Fri Feb 20 13:55:30 2026
CA expiration time: Fri Feb 20 13:55:26 2026
Warning: The time set exceeds the CA's expiration time
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 06
	Validity:
		Not Before: Thu Feb 20 18:55:30 UTC 2025
		Not After: Fri Feb 20 18:55:30 UTC 2026
	Subject: CN=My Test Cert 2,O=PKCS11 Provider
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: Medium (2048 bits)
		Modulus (bits 2048):
			00:9a:20:22:90:fe:c6:7b:d0:33:e2:25:c9:d3:30:72
			c5:15:21:66:d9:2c:45:63:b0:c2:f4:a6:51:d9:c5:cd
			1d:4e:69:c6:74:b9:2f:32:71:d9:1c:b0:11:29:1d:8f
			ef:7a:d2:de:e6:bc:ab:1c:66:63:33:a9:1d:28:9c:6d
			86:f3:a7:9e:44:fd:88:10:65:6e:02:7a:ee:46:6b:58
			d3:db:50:06:bf:90:1b:34:51:12:9b:81:f9:00:d3:7f
			56:a9:a3:93:6a:42:cc:29:b7:16:58:04:f8:58:f1:54
			85:ad:5f:b9:50:93:0d:48:e4:27:87:6b:78:48:24:be
			4a:ec:41:13:ef:8b:70:58:9a:d8:6a:4f:7b:f3:c6:32
			a9:6e:a8:76:3a:ce:be:8c:e7:46:c9:06:4d:98:bc:bf
			09:d0:38:e5:1a:70:0f:8a:73:ad:58:83:8e:a1:6f:dc
			55:7f:80:8a:28:a2:12:ec:63:b0:0d:32:d5:99:07:27
			91:f0:1d:5b:ee:0f:6d:30:32:2a:f3:5f:0e:71:88:22
			f0:21:83:87:f9:fd:e2:19:e4:ef:29:ab:34:ae:a5:ff
			ca:f4:50:86:06:a0:73:4e:06:90:39:cf:ee:6a:e4:88
			27:d4:59:05:a3:a3:35:cb:03:f7:28:a5:68:b2:f7:7c
			6b
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
			Key encipherment.
		Subject Key Identifier (not critical):
			99e2227e26b09ce44aee959a2d968df89201f5fa
		Authority Key Identifier (not critical):
			05a2e333f7d8dedeb749fc62b31bfddd21b4f5a5
Other Information:
	Public Key ID:
		sha1:99e2227e26b09ce44aee959a2d968df89201f5fa
		sha256:56c99a9bba72c392520bedf12dd86a6ecbb72a1628d2ecae8d17500b58b20302
	Public Key PIN:
		pin-sha256:Vsmam7pyw5JSC+3xLdhqbsu3KhYo0uyujRdQC1iyAwI=



Signing certificate...
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Soft Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/testCert2.crt --type=cert --id=0005 --label=testCert2
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Soft Token' --delete-object --type pubkey --id 0005
+ BASE2URIWITHPINVALUE='pkcs11:id=%00%05?pin-value=fo0m4nchU'
+ BASE2URIWITHPINSOURCE='pkcs11:id=%00%05?pin-source=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt'
+ BASE2URI=pkcs11:id=%00%05
+ PRI2URI='pkcs11:type=private;id=%00%05'
+ CRT2URI='pkcs11:type=cert;object=testCert2'
+ title LINE 'RSA2 PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'RSA2 PKCS11 URIS'
+ echo 'pkcs11:id=%00%05?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%05?pin-source=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt'
+ echo pkcs11:id=%00%05
+ echo 'pkcs11:type=private;id=%00%05'
+ echo 'pkcs11:type=cert;object=testCert2'
+ echo ''
+ title PARA 'generate EC key pair, self-signed certificate, remove public key'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## generate EC key pair, self-signed certificate, remove public key'
+ '[' -f '' ']'
+ KEYID=0006
+ URIKEYID=%00%06
+ TSTCRTN=ecCert2
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Soft Token' --keypairgen --key-type=EC:secp384r1 --label=ecCert2 --id=0006
+ ca_sign ecCert2 'My EC Cert 2' 0006
+ LABEL=ecCert2
+ CN='My EC Cert 2'
+ KEYID=0006
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My EC Cert 2|g' -e 's|serial = .*|serial = 7|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/ecCert2.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/cert.cfg --provider=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --load-privkey 'pkcs11:object=ecCert2;token=Kryoptic%20Soft%20Token;type=private' --load-pubkey 'pkcs11:object=ecCert2;token=Kryoptic%20Soft%20Token;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=Kryoptic%20Soft%20Token;type=private'
Generating a signed certificate...

Expiration time: Fri Feb 20 13:55:31 2026
CA expiration time: Fri Feb 20 13:55:26 2026
Warning: The time set exceeds the CA's expiration time
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 07
	Validity:
		Not Before: Thu Feb 20 18:55:31 UTC 2025
		Not After: Fri Feb 20 18:55:31 UTC 2026
	Subject: CN=My EC Cert 2,O=PKCS11 Provider
	Subject Public Key Algorithm: EC/ECDSA
	Algorithm Security Level: Ultra (384 bits)
		Curve:	SECP384R1
		X:
			00:fd:50:ed:20:16:e9:8d:7c:bb:11:3f:df:7f:bd:8b
			82:12:91:1b:45:9c:1a:69:c3:a5:ba:0c:6d:be:bc:12
			81:6f:9c:52:da:5e:81:c6:d9:4f:53:da:bf:9b:2f:9a
			84
		Y:
			00:c9:76:84:c7:e9:97:a5:33:bb:af:6d:fb:2f:82:5f
			6a:c9:76:73:d0:a6:ef:49:a9:b8:a2:f5:d5:66:92:68
			2c:a1:7b:4d:04:f0:28:9a:3f:3b:c5:ea:03:26:84:5a
			bc
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
		Subject Key Identifier (not critical):
			3ab51625ae2225673ec78996a501011fe3f3d51c
		Authority Key Identifier (not critical):
			05a2e333f7d8dedeb749fc62b31bfddd21b4f5a5
Other Information:
	Public Key ID:
		sha1:3ab51625ae2225673ec78996a501011fe3f3d51c
		sha256:3068b3df2e6c18f8de1c1a3b335bfd479b23262ff77795320e783915c09d0821
	Public Key PIN:
		pin-sha256:MGiz3y5sGPjeHBo7M1v9R5sjJi/3d5UyDng5FcCdCCE=



Signing certificate...
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Soft Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/ecCert2.crt --type=cert --id=0006 --label=ecCert2
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Soft Token' --delete-object --type pubkey --id 0006
+ ECBASE2URIWITHPINVALUE='pkcs11:id=%00%06?pin-value=fo0m4nchU'
+ ECBASE2URIWITHPINSOURCE='pkcs11:id=%00%06?pin-source=file/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt'
+ ECBASE2URI=pkcs11:id=%00%06
+ ECPRI2URI='pkcs11:type=private;id=%00%06'
+ ECCRT2URI='pkcs11:type=cert;object=ecCert2'
+ title LINE 'EC2 PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'EC2 PKCS11 URIS'
+ echo 'pkcs11:id=%00%06?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%06?pin-source=file/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt'
+ echo pkcs11:id=%00%06
+ echo 'pkcs11:type=private;id=%00%06'
+ echo 'pkcs11:type=cert;object=ecCert2'
+ echo ''
+ '[' -z '' ']'
+ title PARA 'explicit EC unsupported'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## explicit EC unsupported'
+ '[' -f '' ']'
+ title PARA 'generate EC key pair with ALWAYS AUTHENTICATE flag, self-signed certificate'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## generate EC key pair with ALWAYS AUTHENTICATE flag, self-signed certificate'
+ '[' -f '' ']'
+ KEYID=0008
+ URIKEYID=%00%08
+ TSTCRTN=ecCert3
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Soft Token' --keypairgen --key-type=EC:secp521r1 --label=ecCert3 --id=0008 --always-auth
+ ca_sign ecCert3 'My EC Cert 3' 0008
+ LABEL=ecCert3
+ CN='My EC Cert 3'
+ KEYID=0008
+ shift 3
+ (( SERIAL+=1 ))
+ sed -e 's|cn = .*|cn = My EC Cert 3|g' -e 's|serial = .*|serial = 8|g' -e '/^ca$/d' -i /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/cert.cfg
+ /usr/bin/certtool --generate-certificate --outfile=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/ecCert3.crt --template=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/cert.cfg --provider=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --load-privkey 'pkcs11:object=ecCert3;token=Kryoptic%20Soft%20Token;type=private' --load-pubkey 'pkcs11:object=ecCert3;token=Kryoptic%20Soft%20Token;type=public' --outder --load-ca-certificate /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.crt --inder '--load-ca-privkey=pkcs11:object=caCert;token=Kryoptic%20Soft%20Token;type=private'
Generating a signed certificate...

Expiration time: Fri Feb 20 13:55:31 2026
CA expiration time: Fri Feb 20 13:55:26 2026
Warning: The time set exceeds the CA's expiration time
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 08
	Validity:
		Not Before: Thu Feb 20 18:55:31 UTC 2025
		Not After: Fri Feb 20 18:55:31 UTC 2026
	Subject: CN=My EC Cert 3,O=PKCS11 Provider
	Subject Public Key Algorithm: EC/ECDSA
	Algorithm Security Level: Future (528 bits)
		Curve:	SECP521R1
		X:
			13:6b:67:db:5e:1e:fd:e0:10:bd:04:1f:02:f9:a3:ed
			17:23:84:bf:92:f1:dd:00:47:6d:36:79:69:84:2c:83
			c3:ba:4a:46:14:ec:a3:4f:14:79:28:5c:d5:28:11:40
			1b:8c:cb:b1:fe:c7:05:8c:46:09:b9:b3:40:e3:d9:51
			b3
		Y:
			00:b1:51:82:cc:14:92:c9:8b:d9:db:6d:f8:45:bc:e7
			6d:76:55:f2:63:8d:e4:27:e1:51:f1:ab:bf:d6:3f:db
			94:93:81:8f:18:df:5a:cb:c3:b0:10:a6:0b:cd:c2:55
			56:f1:fa:ee:65:b0:b9:48:6f:89:f1:1d:8a:a9:f7:6e
			9e:83
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: testcert@example.org
		Key Usage (critical):
			Digital signature.
		Subject Key Identifier (not critical):
			20d052e5415cb6118f0103b8efebe63cfd2564c0
		Authority Key Identifier (not critical):
			05a2e333f7d8dedeb749fc62b31bfddd21b4f5a5
Other Information:
	Public Key ID:
		sha1:20d052e5415cb6118f0103b8efebe63cfd2564c0
		sha256:36b4de5d987fef8e4b5f889fafe110ac0bcbc60cc9fb004599af5501abe50b8b
	Public Key PIN:
		pin-sha256:NrTeXZh/745LX4ifr+EQrAvLxgzJ+wBFma9VAavlC4s=



Signing certificate...
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Soft Token' --write-object /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/ecCert3.crt --type=cert --id=0008 --label=ecCert3
+ ECBASE3URIWITHPINVALUE='pkcs11:id=%00%08?pin-value=fo0m4nchU'
+ ECBASE3URIWITHPINSOURCE='pkcs11:id=%00%08?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt'
+ ECBASE3URI=pkcs11:id=%00%08
+ ECPUB3URI='pkcs11:type=public;id=%00%08'
+ ECPRI3URI='pkcs11:type=private;id=%00%08'
+ ECCRT3URI='pkcs11:type=cert;object=ecCert3'
+ title LINE 'EC3 PKCS11 URIS'
+ case "$1" in
+ shift 1
+ echo 'EC3 PKCS11 URIS'
+ echo 'pkcs11:id=%00%08?pin-value=fo0m4nchU'
+ echo 'pkcs11:id=%00%08?pin-source=file:/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt'
+ echo pkcs11:id=%00%08
+ echo 'pkcs11:type=public;id=%00%08'
+ echo 'pkcs11:type=private;id=%00%08'
+ echo 'pkcs11:type=cert;object=ecCert3'
+ echo ''
+ '[' 0 -eq 1 ']'
+ title PARA 'Show contents of kryoptic.nss token'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## Show contents of kryoptic.nss token'
+ '[' -f '' ']'
+ echo ' ----------------------------------------------------------------------------------------------------'
+ pkcs11-tool --module=/tmp/kryoptic/target/debug/libkryoptic_pkcs11.so --login --pin=fo0m4nchU '--token-label=Kryoptic Soft Token' -O
+ echo ' ----------------------------------------------------------------------------------------------------'
+ title PARA 'Output configurations'
+ case "$1" in
+ shift 1
+ echo ''
+ echo '## Output configurations'
+ '[' -f '' ']'
+ OPENSSL_CONF=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/openssl.cnf
+ title LINE 'Generate openssl config file'
+ case "$1" in
+ shift 1
+ echo 'Generate openssl config file'
+ sed -e 's|@libtoollibs@|/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/src|g' -e 's|@testsblddir@|/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests|g' -e 's|@testsdir@|/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss|g' -e 's|@SHARED_EXT@|.so|g' -e 's|@PINFILE@|/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/pinfile.txt|g' -e 's|##TOKENOPTIONS|pkcs11-module-assume-fips = true\npkcs11-module-quirks = no-allowed-mechanisms|g' /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/openssl.cnf.in
+ title LINE 'Export test variables to /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/testvars'
+ case "$1" in
+ shift 1
+ echo 'Export test variables to /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/testvars'
+ cat
+ '[' -n '' ']'
+ '[' -n '' ']'
+ '[' -n '' ']'
+ '[' -n '' ']'
+ cat
+ gen_unsetvars
+ grep '^export' /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/testvars
+ sed -e s/export/unset/ -e 's/=.*$//'
+ title ENDSECTION
+ case "$1" in
+ echo ''
+ echo '                                      ##'
+ echo '########################################'
+ echo ''
==============================================================================

==================================== 5/92 ====================================
test:         pkcs11-provider:softokn / basic
start time:   18:55:32
duration:     4.47s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=191 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper basic-softokn.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tbasic

## Raw Sign check error
 openssl 
pkeyutl -sign -inkey "${BASEURI}"
              -pkeyopt pad-mode:none
              -in ${TMPPDIR}/64Brandom.bin
              -out ${TMPPDIR}/raw-sig.bin
Public Key operation error
80F243C1697F0000:error:0200007A:rsa routines:p11prov_sig_operate:data too small for key size:../src/signature.c:971:


## Sign and Verify with provided Hash and RSA
 openssl dgst -sha256 -binary -out ${TMPPDIR}/sha256.bin ${SEEDFILE}

 openssl 
pkeyutl -sign -inkey "${PRIURI}"
              -in ${TMPPDIR}/sha256.bin
              -out ${TMPPDIR}/sha256-sig.bin

 openssl 
pkeyutl -verify -inkey "${PUBURI}"
                -pubin
                -in ${TMPPDIR}/sha256.bin
                -sigfile ${TMPPDIR}/sha256-sig.bin
Signature Verified Successfully

## Sign and Verify with provided Hash and RSA with DigestInfo struct
 openssl dgst -sha256 -binary -out ${TMPPDIR}/sha256.bin ${SEEDFILE}

 openssl 
pkeyutl -sign -inkey "${PRIURI}" -pkeyopt digest:sha256
              -in ${TMPPDIR}/sha256.bin
              -out ${TMPPDIR}/sha256-sig.bin

 openssl 
pkeyutl -verify -inkey "${PUBURI}" -pkeyopt digest:sha256
                -pubin
                -in ${TMPPDIR}/sha256.bin
                -sigfile ${TMPPDIR}/sha256-sig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with RSA
 openssl 
pkeyutl -sign -inkey "${BASEURI}"
              -digest sha256
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha256-dgstsig.bin

 openssl 
pkeyutl -verify -inkey "${BASEURI}" -pubin
                -digest sha256
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha256-dgstsig.bin
Signature Verified Successfully
 openssl 
pkeyutl -verify -inkey "${PUBURI}"
                -pubin
                -digest sha256
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha256-dgstsig.bin
Signature Verified Successfully

## Test Disallow Public Export
 openssl pkey -in $PUBURI -pubin -pubout -text

## Test CSR generation from RSA private keys
 openssl 
req -new -batch -key "${PRIURI}" -out ${TMPPDIR}/rsa_csr.pem

 openssl 
req -in ${TMPPDIR}/rsa_csr.pem -verify -noout
Certificate request self-signature verify OK

## Test fetching public keys without PIN in config files
 openssl pkey -in $PUBURI -pubin -pubout -out ${TMPPDIR}/rsa.pub.nopin.pem

 openssl pkey -in $ECPUBURI -pubin -pubout -out ${TMPPDIR}/ec.pub.nopin.pem


## Test fetching public keys with a PIN in URI
 openssl pkey -in $BASEURIWITHPINVALUE -pubin -pubout -out ${TMPPDIR}/rsa.pub.uripin.pem

 openssl pkey -in $ECBASEURIWITHPINVALUE -pubin -pubout -out ${TMPPDIR}/ec.pub.uripin.pem


## Test fetching public keys with a PIN source in URI
 openssl pkey -in $BASEURIWITHPINSOURCE -pubin -pubout -out ${TMPPDIR}/rsa.pub.uripinsource.pem

 openssl pkey -in $ECBASEURIWITHPINSOURCE -pubin -pubout -out ${TMPPDIR}/ec.pub.uripinsource.pem


## Test prompting without PIN in config files

## Test EVP_PKEY_eq on public RSA key both on token

## Test EVP_PKEY_eq on public EC key both on token

## Test EVP_PKEY_eq on public RSA key via import

## Match private RSA key against public key

## Match private RSA key against public key (commutativity)

## Test EVP_PKEY_eq on public EC key via import

## Match private EC key against public key

## Match private EC key against public key (commutativity)

## Test EVP_PKEY_eq with key exporting disabled

## Test RSA key

## Test EC key

## Test PIN caching
Prompt: "Enter pass phrase for PKCS#11 Token (Slot 3 - NSS FIPS 140-2 User Private Key Services):"
Returning: fo0m4nchU
Child Done
ALL A-OK!
Prompt: "Enter pass phrase for PKCS#11 Token (Slot 3 - NSS FIPS 140-2 User Private Key Services):"
Returning: fo0m4nchU
Child Done
ALL A-OK!

## Test interactive Login on key without ALWAYS AUTHENTICATE
expect: spawn id exp3 not open
    while executing
"expect "ALL A-OK""

## Test interactive Login repeated for operation on key with ALWAYS AUTHENTICATE
expect: spawn id exp3 not open
    while executing
"expect "ALL A-OK""

## Test Key generation
Performed tests: 4
==============================================================================

==================================== 6/92 ====================================
test:         pkcs11-provider:softhsm / basic
start time:   18:55:36
duration:     4.75s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=176 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper basic-softhsm.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tbasic

## Raw Sign check error
 openssl 
pkeyutl -sign -inkey "${BASEURI}"
              -pkeyopt pad-mode:none
              -in ${TMPPDIR}/64Brandom.bin
              -out ${TMPPDIR}/raw-sig.bin
Public Key operation error
8012510FE37F0000:error:0200007A:rsa routines:p11prov_sig_operate:data too small for key size:../src/signature.c:971:


## Sign and Verify with provided Hash and RSA
 openssl dgst -sha256 -binary -out ${TMPPDIR}/sha256.bin ${SEEDFILE}

 openssl 
pkeyutl -sign -inkey "${PRIURI}"
              -in ${TMPPDIR}/sha256.bin
              -out ${TMPPDIR}/sha256-sig.bin

 openssl 
pkeyutl -verify -inkey "${PUBURI}"
                -pubin
                -in ${TMPPDIR}/sha256.bin
                -sigfile ${TMPPDIR}/sha256-sig.bin
Signature Verified Successfully

## Sign and Verify with provided Hash and RSA with DigestInfo struct
 openssl dgst -sha256 -binary -out ${TMPPDIR}/sha256.bin ${SEEDFILE}

 openssl 
pkeyutl -sign -inkey "${PRIURI}" -pkeyopt digest:sha256
              -in ${TMPPDIR}/sha256.bin
              -out ${TMPPDIR}/sha256-sig.bin

 openssl 
pkeyutl -verify -inkey "${PUBURI}" -pkeyopt digest:sha256
                -pubin
                -in ${TMPPDIR}/sha256.bin
                -sigfile ${TMPPDIR}/sha256-sig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with RSA
 openssl 
pkeyutl -sign -inkey "${BASEURI}"
              -digest sha256
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha256-dgstsig.bin

 openssl 
pkeyutl -verify -inkey "${BASEURI}" -pubin
                -digest sha256
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha256-dgstsig.bin
Signature Verified Successfully
 openssl 
pkeyutl -verify -inkey "${PUBURI}"
                -pubin
                -digest sha256
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha256-dgstsig.bin
Signature Verified Successfully

## Test Disallow Public Export
 openssl pkey -in $PUBURI -pubin -pubout -text

## Test CSR generation from RSA private keys
 openssl 
req -new -batch -key "${PRIURI}" -out ${TMPPDIR}/rsa_csr.pem

 openssl 
req -in ${TMPPDIR}/rsa_csr.pem -verify -noout
Certificate request self-signature verify OK

## Test fetching public keys without PIN in config files
 openssl pkey -in $PUBURI -pubin -pubout -out ${TMPPDIR}/rsa.pub.nopin.pem

 openssl pkey -in $ECPUBURI -pubin -pubout -out ${TMPPDIR}/ec.pub.nopin.pem


## Test fetching public keys with a PIN in URI
 openssl pkey -in $BASEURIWITHPINVALUE -pubin -pubout -out ${TMPPDIR}/rsa.pub.uripin.pem

 openssl pkey -in $ECBASEURIWITHPINVALUE -pubin -pubout -out ${TMPPDIR}/ec.pub.uripin.pem


## Test fetching public keys with a PIN source in URI
 openssl pkey -in $BASEURIWITHPINSOURCE -pubin -pubout -out ${TMPPDIR}/rsa.pub.uripinsource.pem

 openssl pkey -in $ECBASEURIWITHPINSOURCE -pubin -pubout -out ${TMPPDIR}/ec.pub.uripinsource.pem


## Test prompting without PIN in config files

## Test EVP_PKEY_eq on public RSA key both on token

## Test EVP_PKEY_eq on public EC key both on token

## Test EVP_PKEY_eq on public RSA key via import

## Match private RSA key against public key

## Match private RSA key against public key (commutativity)

## Test EVP_PKEY_eq on public EC key via import

## Match private EC key against public key

## Match private EC key against public key (commutativity)

## Test EVP_PKEY_eq with key exporting disabled

## Test RSA key

## Test EC key

## Test PIN caching
Prompt: "Enter pass phrase for PKCS#11 Token (Slot 519424734 - SoftHSM slot ID 0x1ef5cade):"
Returning: fo0m4nchU
Child Done
ALL A-OK!
Prompt: "Enter pass phrase for PKCS#11 Token (Slot 519424734 - SoftHSM slot ID 0x1ef5cade):"
Returning: fo0m4nchU
Child Done
ALL A-OK!

## Test interactive Login on key without ALWAYS AUTHENTICATE
expect: spawn id exp3 not open
    while executing
"expect "ALL A-OK""

## Test interactive Login repeated for operation on key with ALWAYS AUTHENTICATE
expect: spawn id exp3 not open
    while executing
"expect "ALL A-OK""

## Test Key generation
Performed tests: 4
==============================================================================

==================================== 7/92 ====================================
test:         pkcs11-provider:kryoptic / basic
start time:   18:55:41
duration:     4.40s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=98 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper basic-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tbasic

## Raw Sign check error
 openssl 
pkeyutl -sign -inkey "${BASEURI}"
              -pkeyopt pad-mode:none
              -in ${TMPPDIR}/64Brandom.bin
              -out ${TMPPDIR}/raw-sig.bin
Public Key operation error
80427921837F0000:error:0200007A:rsa routines:p11prov_sig_operate:data too small for key size:../src/signature.c:971:


## Sign and Verify with provided Hash and RSA
 openssl dgst -sha256 -binary -out ${TMPPDIR}/sha256.bin ${SEEDFILE}

 openssl 
pkeyutl -sign -inkey "${PRIURI}"
              -in ${TMPPDIR}/sha256.bin
              -out ${TMPPDIR}/sha256-sig.bin

 openssl 
pkeyutl -verify -inkey "${PUBURI}"
                -pubin
                -in ${TMPPDIR}/sha256.bin
                -sigfile ${TMPPDIR}/sha256-sig.bin
Signature Verified Successfully

## Sign and Verify with provided Hash and RSA with DigestInfo struct
 openssl dgst -sha256 -binary -out ${TMPPDIR}/sha256.bin ${SEEDFILE}

 openssl 
pkeyutl -sign -inkey "${PRIURI}" -pkeyopt digest:sha256
              -in ${TMPPDIR}/sha256.bin
              -out ${TMPPDIR}/sha256-sig.bin

 openssl 
pkeyutl -verify -inkey "${PUBURI}" -pkeyopt digest:sha256
                -pubin
                -in ${TMPPDIR}/sha256.bin
                -sigfile ${TMPPDIR}/sha256-sig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with RSA
 openssl 
pkeyutl -sign -inkey "${BASEURI}"
              -digest sha256
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha256-dgstsig.bin

 openssl 
pkeyutl -verify -inkey "${BASEURI}" -pubin
                -digest sha256
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha256-dgstsig.bin
Signature Verified Successfully
 openssl 
pkeyutl -verify -inkey "${PUBURI}"
                -pubin
                -digest sha256
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha256-dgstsig.bin
Signature Verified Successfully

## Test Disallow Public Export
 openssl pkey -in $PUBURI -pubin -pubout -text

## Test CSR generation from RSA private keys
 openssl 
req -new -batch -key "${PRIURI}" -out ${TMPPDIR}/rsa_csr.pem

 openssl 
req -in ${TMPPDIR}/rsa_csr.pem -verify -noout
Certificate request self-signature verify OK

## Test fetching public keys without PIN in config files
 openssl pkey -in $PUBURI -pubin -pubout -out ${TMPPDIR}/rsa.pub.nopin.pem

 openssl pkey -in $ECPUBURI -pubin -pubout -out ${TMPPDIR}/ec.pub.nopin.pem


## Test fetching public keys with a PIN in URI
 openssl pkey -in $BASEURIWITHPINVALUE -pubin -pubout -out ${TMPPDIR}/rsa.pub.uripin.pem

 openssl pkey -in $ECBASEURIWITHPINVALUE -pubin -pubout -out ${TMPPDIR}/ec.pub.uripin.pem


## Test fetching public keys with a PIN source in URI
 openssl pkey -in $BASEURIWITHPINSOURCE -pubin -pubout -out ${TMPPDIR}/rsa.pub.uripinsource.pem

 openssl pkey -in $ECBASEURIWITHPINSOURCE -pubin -pubout -out ${TMPPDIR}/ec.pub.uripinsource.pem


## Test prompting without PIN in config files

## Test EVP_PKEY_eq on public RSA key both on token

## Test EVP_PKEY_eq on public EC key both on token

## Test EVP_PKEY_eq on public RSA key via import

## Match private RSA key against public key

## Match private RSA key against public key (commutativity)

## Test EVP_PKEY_eq on public EC key via import

## Match private EC key against public key

## Match private EC key against public key (commutativity)

## Test EVP_PKEY_eq with key exporting disabled

## Test RSA key

## Test EC key

## Test PIN caching
Prompt: "Enter pass phrase for PKCS#11 Token (Slot 0 - Kryoptic Slot):"
Returning: fo0m4nchU
Child Done
ALL A-OK!
Prompt: "Enter pass phrase for PKCS#11 Token (Slot 0 - Kryoptic Slot):"
Returning: fo0m4nchU
Child Done
ALL A-OK!

## Test interactive Login on key without ALWAYS AUTHENTICATE
expect: spawn id exp3 not open
    while executing
"expect "ALL A-OK""

## Test interactive Login repeated for operation on key with ALWAYS AUTHENTICATE
expect: spawn id exp3 not open
    while executing
"expect "ALL A-OK""

## Test Key generation
Performed tests: 4
==============================================================================

==================================== 8/92 ====================================
test:         pkcs11-provider:kryoptic.nss / basic
start time:   18:55:45
duration:     9.74s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=190 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper basic-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tbasic

## Raw Sign check error
 openssl 
pkeyutl -sign -inkey "${BASEURI}"
              -pkeyopt pad-mode:none
              -in ${TMPPDIR}/64Brandom.bin
              -out ${TMPPDIR}/raw-sig.bin
Public Key operation error
80624CB3FF7E0000:error:0200007A:rsa routines:p11prov_sig_operate:data too small for key size:../src/signature.c:971:


## Sign and Verify with provided Hash and RSA
 openssl dgst -sha256 -binary -out ${TMPPDIR}/sha256.bin ${SEEDFILE}

 openssl 
pkeyutl -sign -inkey "${PRIURI}"
              -in ${TMPPDIR}/sha256.bin
              -out ${TMPPDIR}/sha256-sig.bin

 openssl 
pkeyutl -verify -inkey "${PUBURI}"
                -pubin
                -in ${TMPPDIR}/sha256.bin
                -sigfile ${TMPPDIR}/sha256-sig.bin
Signature Verified Successfully

## Sign and Verify with provided Hash and RSA with DigestInfo struct
 openssl dgst -sha256 -binary -out ${TMPPDIR}/sha256.bin ${SEEDFILE}

 openssl 
pkeyutl -sign -inkey "${PRIURI}" -pkeyopt digest:sha256
              -in ${TMPPDIR}/sha256.bin
              -out ${TMPPDIR}/sha256-sig.bin

 openssl 
pkeyutl -verify -inkey "${PUBURI}" -pkeyopt digest:sha256
                -pubin
                -in ${TMPPDIR}/sha256.bin
                -sigfile ${TMPPDIR}/sha256-sig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with RSA
 openssl 
pkeyutl -sign -inkey "${BASEURI}"
              -digest sha256
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha256-dgstsig.bin

 openssl 
pkeyutl -verify -inkey "${BASEURI}" -pubin
                -digest sha256
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha256-dgstsig.bin
Signature Verified Successfully
 openssl 
pkeyutl -verify -inkey "${PUBURI}"
                -pubin
                -digest sha256
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha256-dgstsig.bin
Signature Verified Successfully

## Test Disallow Public Export
 openssl pkey -in $PUBURI -pubin -pubout -text

## Test CSR generation from RSA private keys
 openssl 
req -new -batch -key "${PRIURI}" -out ${TMPPDIR}/rsa_csr.pem

 openssl 
req -in ${TMPPDIR}/rsa_csr.pem -verify -noout
Certificate request self-signature verify OK

## Test fetching public keys without PIN in config files
 openssl pkey -in $PUBURI -pubin -pubout -out ${TMPPDIR}/rsa.pub.nopin.pem

 openssl pkey -in $ECPUBURI -pubin -pubout -out ${TMPPDIR}/ec.pub.nopin.pem


## Test fetching public keys with a PIN in URI
 openssl pkey -in $BASEURIWITHPINVALUE -pubin -pubout -out ${TMPPDIR}/rsa.pub.uripin.pem

 openssl pkey -in $ECBASEURIWITHPINVALUE -pubin -pubout -out ${TMPPDIR}/ec.pub.uripin.pem


## Test fetching public keys with a PIN source in URI
 openssl pkey -in $BASEURIWITHPINSOURCE -pubin -pubout -out ${TMPPDIR}/rsa.pub.uripinsource.pem

 openssl pkey -in $ECBASEURIWITHPINSOURCE -pubin -pubout -out ${TMPPDIR}/ec.pub.uripinsource.pem


## Test prompting without PIN in config files

## Test EVP_PKEY_eq on public RSA key both on token

## Test EVP_PKEY_eq on public EC key both on token

## Test EVP_PKEY_eq on public RSA key via import

## Match private RSA key against public key

## Match private RSA key against public key (commutativity)

## Test EVP_PKEY_eq on public EC key via import

## Match private EC key against public key

## Match private EC key against public key (commutativity)

## Test EVP_PKEY_eq with key exporting disabled

## Test RSA key

## Test EC key

## Test PIN caching
Prompt: "Enter pass phrase for PKCS#11 Token (Slot 42 - Kryoptic Soft Token):"
Returning: fo0m4nchU
Child Done
ALL A-OK!
Prompt: "Enter pass phrase for PKCS#11 Token (Slot 42 - Kryoptic Soft Token):"
Returning: fo0m4nchU
Child Done
ALL A-OK!

## Test interactive Login on key without ALWAYS AUTHENTICATE
expect: spawn id exp3 not open
    while executing
"expect "ALL A-OK""

## Test interactive Login repeated for operation on key with ALWAYS AUTHENTICATE
expect: spawn id exp3 not open
    while executing
"expect "ALL A-OK""

## Test Key generation
Performed tests: 4
==============================================================================

==================================== 9/92 ====================================
test:         pkcs11-provider:softokn / pubkey
start time:   18:55:55
duration:     0.76s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=35 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper pubkey-softokn.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tpubkey

## Export RSA Public key to a file
 openssl pkey -in $BASEURI -pubin -pubout -out ${TMPPDIR}/baseout.pub

Export Public key to a file (pub-uri)
 openssl pkey -in $PUBURI -pubin -pubout -out ${TMPPDIR}/pubout.pub

Print Public key from private
 openssl pkey -in $PRIURI -pubout -text

## Export Public check error
 openssl pkey -in pkcs11:id=%de%ad -pubin
           -pubout -out ${TMPPDIR}/pubout-invlid.pub
Could not find private key of Public Key from pkcs11:id=%de%ad


## Export EC Public key to a file
 openssl pkey -in $ECBASEURI -pubin -pubout -out ${TMPPDIR}/baseecout.pub

Export EC Public key to a file (pub-uri)
 openssl pkey -in $ECPUBURI -pubin -pubout -out ${TMPPDIR}/pubecout.pub

Print EC Public key from private
 openssl pkey -in $ECPRIURI -pubout -text

## Check we can get RSA public keys from certificate objects
Export Public key to a file (priv-uri)
 openssl pkey -in $PRI2URI -pubout -out ${TMPPDIR}/priv-cert.pub

Export Public key to a file (base-uri)
 openssl pkey -in $BASE2URI -pubout -out ${TMPPDIR}/base-cert.pub


## Check we can get EC public keys from certificate objects
Export Public EC key to a file (priv-uri)
 openssl pkey -in $ECPRI2URI -pubout -out ${TMPPDIR}/ec-priv-cert.pub

Export Public key to a file (base-uri)
 openssl pkey -in $ECBASE2URI -pubout -out ${TMPPDIR}/ec-base-cert.pub

==============================================================================

=================================== 10/92 ====================================
test:         pkcs11-provider:softhsm / pubkey
start time:   18:55:56
duration:     0.64s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=53 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper pubkey-softhsm.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tpubkey

## Export RSA Public key to a file
 openssl pkey -in $BASEURI -pubin -pubout -out ${TMPPDIR}/baseout.pub

Export Public key to a file (pub-uri)
 openssl pkey -in $PUBURI -pubin -pubout -out ${TMPPDIR}/pubout.pub

Print Public key from private
 openssl pkey -in $PRIURI -pubout -text

## Export Public check error
 openssl pkey -in pkcs11:id=%de%ad -pubin
           -pubout -out ${TMPPDIR}/pubout-invlid.pub
Could not find private key of Public Key from pkcs11:id=%de%ad


## Export EC Public key to a file
 openssl pkey -in $ECBASEURI -pubin -pubout -out ${TMPPDIR}/baseecout.pub

Export EC Public key to a file (pub-uri)
 openssl pkey -in $ECPUBURI -pubin -pubout -out ${TMPPDIR}/pubecout.pub

Print EC Public key from private
 openssl pkey -in $ECPRIURI -pubout -text

## Check we can get RSA public keys from certificate objects
Export Public key to a file (priv-uri)
 openssl pkey -in $PRI2URI -pubout -out ${TMPPDIR}/priv-cert.pub

Export Public key to a file (base-uri)
 openssl pkey -in $BASE2URI -pubout -out ${TMPPDIR}/base-cert.pub


## Check we can get EC public keys from certificate objects
Export Public EC key to a file (priv-uri)
 openssl pkey -in $ECPRI2URI -pubout -out ${TMPPDIR}/ec-priv-cert.pub

Export Public key to a file (base-uri)
 openssl pkey -in $ECBASE2URI -pubout -out ${TMPPDIR}/ec-base-cert.pub

==============================================================================

=================================== 11/92 ====================================
test:         pkcs11-provider:kryoptic / pubkey
start time:   18:55:56
duration:     0.45s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=1 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper pubkey-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tpubkey

## Export RSA Public key to a file
 openssl pkey -in $BASEURI -pubin -pubout -out ${TMPPDIR}/baseout.pub

Export Public key to a file (pub-uri)
 openssl pkey -in $PUBURI -pubin -pubout -out ${TMPPDIR}/pubout.pub

Print Public key from private
 openssl pkey -in $PRIURI -pubout -text

## Export Public check error
 openssl pkey -in pkcs11:id=%de%ad -pubin
           -pubout -out ${TMPPDIR}/pubout-invlid.pub
Could not find private key of Public Key from pkcs11:id=%de%ad


## Export EC Public key to a file
 openssl pkey -in $ECBASEURI -pubin -pubout -out ${TMPPDIR}/baseecout.pub

Export EC Public key to a file (pub-uri)
 openssl pkey -in $ECPUBURI -pubin -pubout -out ${TMPPDIR}/pubecout.pub

Print EC Public key from private
 openssl pkey -in $ECPRIURI -pubout -text

## Check we can get RSA public keys from certificate objects
Export Public key to a file (priv-uri)
 openssl pkey -in $PRI2URI -pubout -out ${TMPPDIR}/priv-cert.pub

Export Public key to a file (base-uri)
 openssl pkey -in $BASE2URI -pubout -out ${TMPPDIR}/base-cert.pub


## Check we can get EC public keys from certificate objects
Export Public EC key to a file (priv-uri)
 openssl pkey -in $ECPRI2URI -pubout -out ${TMPPDIR}/ec-priv-cert.pub

Export Public key to a file (base-uri)
 openssl pkey -in $ECBASE2URI -pubout -out ${TMPPDIR}/ec-base-cert.pub

==============================================================================

=================================== 12/92 ====================================
test:         pkcs11-provider:kryoptic.nss / pubkey
start time:   18:55:57
duration:     1.01s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=95 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper pubkey-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tpubkey

## Export RSA Public key to a file
 openssl pkey -in $BASEURI -pubin -pubout -out ${TMPPDIR}/baseout.pub

Export Public key to a file (pub-uri)
 openssl pkey -in $PUBURI -pubin -pubout -out ${TMPPDIR}/pubout.pub

Print Public key from private
 openssl pkey -in $PRIURI -pubout -text

## Export Public check error
 openssl pkey -in pkcs11:id=%de%ad -pubin
           -pubout -out ${TMPPDIR}/pubout-invlid.pub
Could not find private key of Public Key from pkcs11:id=%de%ad


## Export EC Public key to a file
 openssl pkey -in $ECBASEURI -pubin -pubout -out ${TMPPDIR}/baseecout.pub

Export EC Public key to a file (pub-uri)
 openssl pkey -in $ECPUBURI -pubin -pubout -out ${TMPPDIR}/pubecout.pub

Print EC Public key from private
 openssl pkey -in $ECPRIURI -pubout -text

## Check we can get RSA public keys from certificate objects
Export Public key to a file (priv-uri)
 openssl pkey -in $PRI2URI -pubout -out ${TMPPDIR}/priv-cert.pub

Export Public key to a file (base-uri)
 openssl pkey -in $BASE2URI -pubout -out ${TMPPDIR}/base-cert.pub


## Check we can get EC public keys from certificate objects
Export Public EC key to a file (priv-uri)
 openssl pkey -in $ECPRI2URI -pubout -out ${TMPPDIR}/ec-priv-cert.pub

Export Public key to a file (base-uri)
 openssl pkey -in $ECBASE2URI -pubout -out ${TMPPDIR}/ec-base-cert.pub

==============================================================================

=================================== 13/92 ====================================
test:         pkcs11-provider:softokn / certs
start time:   18:55:58
duration:     0.53s
result:       exit status 0
command:      MALLOC_PERTURB_=206 TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper certs-softokn.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tcerts

## Check we can fetch certifiatce objects
 openssl 
x509 -in ${CRTURI} -subject -out ${TMPPDIR}/crt-subj.txt

 openssl 
x509 -in ${ECCRTURI} -subject -out ${TMPPDIR}/eccrt-subj.txt


## Use storeutl command to match specific certs via params
 openssl 
storeutl -certs -subject "${subj}"
                -out ${TMPPDIR}/storeutl-crt-subj.txt
                pkcs11:type=cert
0: Certificate
 openssl 
storeutl -certs -subject "${subj}"
                -out ${TMPPDIR}/storeutl-crt-subj.txt
                pkcs11:type=cert
0: Certificate
 openssl 
storeutl -certs -subject "${subj}"
                -out ${TMPPDIR}/storeutl-crt-subj.txt
                pkcs11:type=cert
0: Certificate
 openssl 
storeutl -certs -subject "${subj}"
                -out ${TMPPDIR}/storeutl-crt-subj.txt
                pkcs11:type=cert
0: Certificate

## Test fetching certificate without PIN in config files
 openssl x509 -in $CRTURI -subject -out ${TMPPDIR}/crt-subj-nopin.txt


## Test fetching certificate via STORE api
Cert load successfully
==============================================================================

=================================== 14/92 ====================================
test:         pkcs11-provider:softhsm / certs
start time:   18:55:58
duration:     0.46s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=76 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper certs-softhsm.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tcerts

## Check we can fetch certifiatce objects
 openssl 
x509 -in ${CRTURI} -subject -out ${TMPPDIR}/crt-subj.txt

 openssl 
x509 -in ${ECCRTURI} -subject -out ${TMPPDIR}/eccrt-subj.txt


## Use storeutl command to match specific certs via params
 openssl 
storeutl -certs -subject "${subj}"
                -out ${TMPPDIR}/storeutl-crt-subj.txt
                pkcs11:type=cert
0: Certificate
 openssl 
storeutl -certs -subject "${subj}"
                -out ${TMPPDIR}/storeutl-crt-subj.txt
                pkcs11:type=cert
0: Certificate
 openssl 
storeutl -certs -subject "${subj}"
                -out ${TMPPDIR}/storeutl-crt-subj.txt
                pkcs11:type=cert
0: Certificate
 openssl 
storeutl -certs -subject "${subj}"
                -out ${TMPPDIR}/storeutl-crt-subj.txt
                pkcs11:type=cert
0: Certificate

## Test fetching certificate without PIN in config files
 openssl x509 -in $CRTURI -subject -out ${TMPPDIR}/crt-subj-nopin.txt


## Test fetching certificate via STORE api
Cert load successfully
==============================================================================

=================================== 15/92 ====================================
test:         pkcs11-provider:kryoptic / certs
start time:   18:55:59
duration:     0.37s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=32 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper certs-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tcerts

## Check we can fetch certifiatce objects
 openssl 
x509 -in ${CRTURI} -subject -out ${TMPPDIR}/crt-subj.txt

 openssl 
x509 -in ${ECCRTURI} -subject -out ${TMPPDIR}/eccrt-subj.txt


## Use storeutl command to match specific certs via params
 openssl 
storeutl -certs -subject "${subj}"
                -out ${TMPPDIR}/storeutl-crt-subj.txt
                pkcs11:type=cert
0: Certificate
 openssl 
storeutl -certs -subject "${subj}"
                -out ${TMPPDIR}/storeutl-crt-subj.txt
                pkcs11:type=cert
0: Certificate
 openssl 
storeutl -certs -subject "${subj}"
                -out ${TMPPDIR}/storeutl-crt-subj.txt
                pkcs11:type=cert
0: Certificate
 openssl 
storeutl -certs -subject "${subj}"
                -out ${TMPPDIR}/storeutl-crt-subj.txt
                pkcs11:type=cert
0: Certificate

## Test fetching certificate without PIN in config files
 openssl x509 -in $CRTURI -subject -out ${TMPPDIR}/crt-subj-nopin.txt


## Test fetching certificate via STORE api
Cert load successfully
==============================================================================

=================================== 16/92 ====================================
test:         pkcs11-provider:kryoptic.nss / certs
start time:   18:55:59
duration:     0.29s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=136 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper certs-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tcerts

## Check we can fetch certifiatce objects
 openssl 
x509 -in ${CRTURI} -subject -out ${TMPPDIR}/crt-subj.txt

 openssl 
x509 -in ${ECCRTURI} -subject -out ${TMPPDIR}/eccrt-subj.txt


## Use storeutl command to match specific certs via params
 openssl 
storeutl -certs -subject "${subj}"
                -out ${TMPPDIR}/storeutl-crt-subj.txt
                pkcs11:type=cert
0: Certificate
 openssl 
storeutl -certs -subject "${subj}"
                -out ${TMPPDIR}/storeutl-crt-subj.txt
                pkcs11:type=cert
0: Certificate
 openssl 
storeutl -certs -subject "${subj}"
                -out ${TMPPDIR}/storeutl-crt-subj.txt
                pkcs11:type=cert
0: Certificate
 openssl 
storeutl -certs -subject "${subj}"
                -out ${TMPPDIR}/storeutl-crt-subj.txt
                pkcs11:type=cert
0: Certificate

## Test fetching certificate without PIN in config files
 openssl x509 -in $CRTURI -subject -out ${TMPPDIR}/crt-subj-nopin.txt


## Test fetching certificate via STORE api
Cert load successfully
==============================================================================

=================================== 17/92 ====================================
test:         pkcs11-provider:softokn / ecc
start time:   18:56:00
duration:     1.24s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=29 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper ecc-softokn.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tecc

## Export EC Public key to a file
 openssl pkey -in $ECPUBURI -pubin -pubout -out ${TMPPDIR}/ecout.pub

Print EC Public key from private
 openssl pkey -in $ECPRIURI -pubout -text

## Sign and Verify with provided Hash and EC
 openssl dgst -sha256 -binary -out ${TMPPDIR}/sha256.bin ${SEEDFILE}

 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -in ${TMPPDIR}/sha256.bin
              -out ${TMPPDIR}/sha256-ecsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -in ${TMPPDIR}/sha256.bin
                -sigfile ${TMPPDIR}/sha256-ecsig.bin
Signature Verified Successfully
 openssl 
pkeyutl -verify -inkey "${TMPPDIR}/ecout.pub" -pubin
                -in ${TMPPDIR}/sha256.bin
                -sigfile ${TMPPDIR}/sha256-ecsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA-256)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha256
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha256-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha256
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha256-ecdgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA-384)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha384
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha384-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha384
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha384-ecdgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA-512)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha512
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha512-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha512
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha512-ecdgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA3-256)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha3-256
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha3-256-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha3-256
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha3-256-ecdgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA3-384)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha3-384
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha3-384-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha3-384
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha3-384-ecdgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA3-512)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha3-512
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha3-512-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha3-512
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha3-512-ecdgstsig.bin
Signature Verified Successfully

## Test CSR generation from private ECC keys
 openssl 
req -new -batch -key "${ECPRIURI}" -out ${TMPPDIR}/ecdsa_csr.pem

 openssl 
req -in ${TMPPDIR}/ecdsa_csr.pem -verify -noout
Certificate request self-signature verify OK
==============================================================================

=================================== 18/92 ====================================
test:         pkcs11-provider:softhsm / ecc
start time:   18:56:01
duration:     0.93s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=25 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper ecc-softhsm.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tecc

## Export EC Public key to a file
 openssl pkey -in $ECPUBURI -pubin -pubout -out ${TMPPDIR}/ecout.pub

Print EC Public key from private
 openssl pkey -in $ECPRIURI -pubout -text

## Sign and Verify with provided Hash and EC
 openssl dgst -sha256 -binary -out ${TMPPDIR}/sha256.bin ${SEEDFILE}

 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -in ${TMPPDIR}/sha256.bin
              -out ${TMPPDIR}/sha256-ecsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -in ${TMPPDIR}/sha256.bin
                -sigfile ${TMPPDIR}/sha256-ecsig.bin
Signature Verified Successfully
 openssl 
pkeyutl -verify -inkey "${TMPPDIR}/ecout.pub" -pubin
                -in ${TMPPDIR}/sha256.bin
                -sigfile ${TMPPDIR}/sha256-ecsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA-256)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha256
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha256-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha256
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha256-ecdgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA-384)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha384
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha384-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha384
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha384-ecdgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA-512)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha512
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha512-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha512
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha512-ecdgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA3-256)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha3-256
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha3-256-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha3-256
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha3-256-ecdgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA3-384)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha3-384
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha3-384-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha3-384
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha3-384-ecdgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA3-512)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha3-512
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha3-512-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha3-512
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha3-512-ecdgstsig.bin
Signature Verified Successfully

## Test CSR generation from private ECC keys
 openssl 
req -new -batch -key "${ECPRIURI}" -out ${TMPPDIR}/ecdsa_csr.pem

 openssl 
req -in ${TMPPDIR}/ecdsa_csr.pem -verify -noout
Certificate request self-signature verify OK
==============================================================================

=================================== 19/92 ====================================
test:         pkcs11-provider:kryoptic / ecc
start time:   18:56:02
duration:     0.79s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=48 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper ecc-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tecc

## Export EC Public key to a file
 openssl pkey -in $ECPUBURI -pubin -pubout -out ${TMPPDIR}/ecout.pub

Print EC Public key from private
 openssl pkey -in $ECPRIURI -pubout -text

## Sign and Verify with provided Hash and EC
 openssl dgst -sha256 -binary -out ${TMPPDIR}/sha256.bin ${SEEDFILE}

 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -in ${TMPPDIR}/sha256.bin
              -out ${TMPPDIR}/sha256-ecsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -in ${TMPPDIR}/sha256.bin
                -sigfile ${TMPPDIR}/sha256-ecsig.bin
Signature Verified Successfully
 openssl 
pkeyutl -verify -inkey "${TMPPDIR}/ecout.pub" -pubin
                -in ${TMPPDIR}/sha256.bin
                -sigfile ${TMPPDIR}/sha256-ecsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA-256)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha256
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha256-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha256
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha256-ecdgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA-384)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha384
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha384-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha384
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha384-ecdgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA-512)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha512
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha512-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha512
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha512-ecdgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA3-256)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha3-256
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha3-256-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha3-256
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha3-256-ecdgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA3-384)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha3-384
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha3-384-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha3-384
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha3-384-ecdgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA3-512)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha3-512
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha3-512-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha3-512
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha3-512-ecdgstsig.bin
Signature Verified Successfully

## Test CSR generation from private ECC keys
 openssl 
req -new -batch -key "${ECPRIURI}" -out ${TMPPDIR}/ecdsa_csr.pem

 openssl 
req -in ${TMPPDIR}/ecdsa_csr.pem -verify -noout
Certificate request self-signature verify OK
==============================================================================

=================================== 20/92 ====================================
test:         pkcs11-provider:kryoptic.nss / ecc
start time:   18:56:03
duration:     1.40s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=98 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper ecc-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tecc

## Export EC Public key to a file
 openssl pkey -in $ECPUBURI -pubin -pubout -out ${TMPPDIR}/ecout.pub

Print EC Public key from private
 openssl pkey -in $ECPRIURI -pubout -text

## Sign and Verify with provided Hash and EC
 openssl dgst -sha256 -binary -out ${TMPPDIR}/sha256.bin ${SEEDFILE}

 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -in ${TMPPDIR}/sha256.bin
              -out ${TMPPDIR}/sha256-ecsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -in ${TMPPDIR}/sha256.bin
                -sigfile ${TMPPDIR}/sha256-ecsig.bin
Signature Verified Successfully
 openssl 
pkeyutl -verify -inkey "${TMPPDIR}/ecout.pub" -pubin
                -in ${TMPPDIR}/sha256.bin
                -sigfile ${TMPPDIR}/sha256-ecsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA-256)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha256
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha256-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha256
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha256-ecdgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA-384)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha384
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha384-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha384
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha384-ecdgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA-512)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha512
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha512-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha512
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha512-ecdgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA3-256)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha3-256
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha3-256-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha3-256
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha3-256-ecdgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA3-384)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha3-384
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha3-384-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha3-384
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha3-384-ecdgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with ECC (SHA3-512)
 openssl 
pkeyutl -sign -inkey "${ECBASEURI}"
              -digest sha3-512
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha3-512-ecdgstsig.bin

 openssl 
pkeyutl -verify -inkey "${ECBASEURI}" -pubin
                -digest sha3-512
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha3-512-ecdgstsig.bin
Signature Verified Successfully

## Test CSR generation from private ECC keys
 openssl 
req -new -batch -key "${ECPRIURI}" -out ${TMPPDIR}/ecdsa_csr.pem

 openssl 
req -in ${TMPPDIR}/ecdsa_csr.pem -verify -noout
Certificate request self-signature verify OK
==============================================================================

=================================== 21/92 ====================================
test:         pkcs11-provider:softhsm / edwards
start time:   18:56:04
duration:     0.01s
result:       exit status 77
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=50 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper edwards-softhsm.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tedwards
==============================================================================

=================================== 22/92 ====================================
test:         pkcs11-provider:kryoptic / edwards
start time:   18:56:04
duration:     0.01s
result:       exit status 77
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=66 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper edwards-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tedwards
==============================================================================

=================================== 23/92 ====================================
test:         pkcs11-provider:kryoptic.nss / edwards
start time:   18:56:04
duration:     0.01s
result:       exit status 77
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=92 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper edwards-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tedwards
==============================================================================

=================================== 24/92 ====================================
test:         pkcs11-provider:softokn / ecdh
start time:   18:56:04
duration:     0.08s
result:       exit status 1
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=224 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper ecdh-softokn.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tecdh

## ECDH Exchange
 openssl 
pkeyutl -derive -inkey ${ECBASEURI}
                -peerkey ${ECPEERPUBURI}
                -out ${TMPPDIR}/secret.ecdh.bin
Key derivation failed
==============================================================================

=================================== 25/92 ====================================
test:         pkcs11-provider:kryoptic / ecdh
start time:   18:56:04
duration:     0.15s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=237 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper ecdh-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tecdh

## ECDH Exchange
 openssl 
pkeyutl -derive -inkey ${ECBASEURI}
                -peerkey ${ECPEERPUBURI}
                -out ${TMPPDIR}/secret.ecdh.bin


## ECDH Exchange forcing PKCS11 Provider

## ECDH Exchange forced: public key in file
 openssl 
pkeyutl -derive -inkey ${ECBASEURI}
                -peerkey ${TESTSSRCDIR}/testp256.pub.pem
                -out ${TMPPDIR}/forced.pub.ecdh.bin


## ECDH Exchange forced: private key in file
 openssl 
pkeyutl -derive -inkey ${TESTSSRCDIR}/testp256.pri.pem
                -peerkey ${ECPEERPUBURI}
                -out ${TMPPDIR}/forced.pri.ecdh.bin


## ECDH Exchange forced: both key in file
 openssl 
pkeyutl -derive -inkey ${TESTSSRCDIR}/testp256.pri.pem
                -peerkey ${TESTSSRCDIR}/testp256.pub.pem
                -out ${TMPPDIR}/forced.both.ecdh.bin

==============================================================================

=================================== 26/92 ====================================
test:         pkcs11-provider:kryoptic.nss / ecdh
start time:   18:56:04
duration:     0.28s
result:       exit status 0
command:      MALLOC_PERTURB_=6 TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper ecdh-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tecdh

## ECDH Exchange
 openssl 
pkeyutl -derive -inkey ${ECBASEURI}
                -peerkey ${ECPEERPUBURI}
                -out ${TMPPDIR}/secret.ecdh.bin


## ECDH Exchange forcing PKCS11 Provider

## ECDH Exchange forced: public key in file
 openssl 
pkeyutl -derive -inkey ${ECBASEURI}
                -peerkey ${TESTSSRCDIR}/testp256.pub.pem
                -out ${TMPPDIR}/forced.pub.ecdh.bin


## ECDH Exchange forced: private key in file
 openssl 
pkeyutl -derive -inkey ${TESTSSRCDIR}/testp256.pri.pem
                -peerkey ${ECPEERPUBURI}
                -out ${TMPPDIR}/forced.pri.ecdh.bin


## ECDH Exchange forced: both key in file
 openssl 
pkeyutl -derive -inkey ${TESTSSRCDIR}/testp256.pri.pem
                -peerkey ${TESTSSRCDIR}/testp256.pub.pem
                -out ${TMPPDIR}/forced.both.ecdh.bin

==============================================================================

=================================== 27/92 ====================================
test:         pkcs11-provider:softokn / democa
start time:   18:56:05
duration:     2.06s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=1 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper democa-softokn.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tdemoca

## Set up demoCA

## Generating CA cert if needed
 openssl req -batch -noenc -x509 -new -key ${PRIURI} -out ${DEMOCA}/cacert.pem


## Generating a new CSR with key in file
 openssl 
req -batch -noenc -newkey rsa:2048
    -subj "/CN=testing-csr-signing/O=PKCS11 Provider/C=US"
    -keyout ${DEMOCA}/cert.key -out ${DEMOCA}/cert.csr
.+...+.......+......+.....+...+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+...+..+....+...+........+...+.+...+..+.+...+.........+....................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+...............+...........+.+......+..+...+.........+.+..+................+...........+...+.+...........+.........+.........+...+.......+...........+.+......+..+......................+.....+.+...+.........+..+...+.+...............+..+...............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
......+..+...+......................+.....+...+.+.....+......+...+.+..+.......+..+..........+...+..+......+...+.........+.+..+.......+.....+...+...................+......+..+.+...........+.+..+.+.....+.+.....+......+....+...........+.......+......+......+.....+...+...+....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..............+....+..+.+...+.........+..+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+..+.+........+......+.+...+..+....+......+.......................+......+.+.....+...............+.......+...+........+.+...+......+...........+.+..+...+....+...+..+...+.......+......+..................+......+.....+....+..+.......+...+........+....+..+....+............+.........+.....+...+...+.......+...+.....+...+....+.....+...............+.+.........+...........+....+...+........+......+.+..+...+..........+.....+....+.........+.........+..+.+.........+.....+.........+.+........+...+...................+........+.......+......+.....+.......+...........+....+...+..+.+......+.....+...+......+...................+..+.+..+......+...............+.+...........+...+.+.........+.........+..+.+...+..+....+...........+...+.+...+...+.....+.......+.....+.......+......+...+.....+.+..............+..........+..+.......+...+..+..........+............+...+.....+......+.+........+.+............+..............+...+.......+.....+.+...+.....+.......+...........................+......+..+....+......+...+....................+.......+............+......+.....+......+......+....+........+.+.........+.....+.+..+...+.+.....+..........+.....+...+...+..........+..+..........+...............+..+.+..............+...+.+.....+.......+..+......+....+...+..+.+...........+...+.............+.........+.....+.........+......+.+.....+.......+..................+.....+....+.....+.+.........+......+.....+.......+...+.....+...+....+...........+....+..+...+.......+........+.......+........+.+.........+..+...+.............+..+.+.........+........+...+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----


## Signing the new certificate
 openssl 
ca -batch -in ${DEMOCA}/cert.csr -keyfile ${PRIURI} -out ${DEMOCA}/cert.pem
Using configuration from /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testing-csr-signing'
organizationName      :ASN.1 12:'PKCS11 Provider'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 20 18:56:05 2026 GMT (365 days)

Write out database with 1 new entries
Database updated


## Generating a new CSR with existing RSA key in token
 openssl 
req -batch -noenc -new -key ${PRIURI}
    -subj "/CN=testing-rsa-signing/O=PKCS11 Provider/C=US"
    -out ${DEMOCA}/cert-rsa.csr


## Signing the new RSA key certificate
 openssl 
ca -batch -in ${DEMOCA}/cert-rsa.csr -keyfile ${PRIURI} -out ${DEMOCA}/cert.pem
Using configuration from /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testing-rsa-signing'
organizationName      :ASN.1 12:'PKCS11 Provider'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 20 18:56:06 2026 GMT (365 days)

Write out database with 1 new entries
Database updated


## Generating a new CSR with existing EC key in token
 openssl 
req -batch -noenc -new -key ${ECPRIURI}
    -subj "/CN=testing-ec-signing/O=PKCS11 Provider/C=US"
    -out ${DEMOCA}/cert-ec.csr


## Signing the new EC key certificate
 openssl 
ca -batch -in ${DEMOCA}/cert-ec.csr -keyfile ${PRIURI} -out ${DEMOCA}/cert.pem
Using configuration from /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testing-ec-signing'
organizationName      :ASN.1 12:'PKCS11 Provider'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 20 18:56:06 2026 GMT (365 days)

Write out database with 1 new entries
Database updated


## Set up OCSP
 openssl 
req -batch -noenc -new -subj "/CN=OCSP/O=PKCS11 Provider/C=US"
    -key ${PRIURI} -out ${DEMOCA}/ocspSigning.csr

 openssl 
ca -batch -keyfile ${PRIURI} -cert ${DEMOCA}/cacert.pem
   -in ${DEMOCA}/ocspSigning.csr -out ${DEMOCA}/ocspSigning.pem
Using configuration from /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'OCSP'
organizationName      :ASN.1 12:'PKCS11 Provider'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 20 18:56:06 2026 GMT (365 days)

Write out database with 1 new entries
Database updated


## Run OCSP
ACCEPT 0.0.0.0:12345 PID=10188
ocsp: waiting for OCSP client connections...
 openssl 
ocsp -CAfile ${DEMOCA}/cacert.pem -issuer ${DEMOCA}/cacert.pem
     -cert ${DEMOCA}/cert.pem -resp_text -noverify
     -url http://127.0.0.1:${PORT}
ocsp: received request, 1st line: POST / HTTP/1.0
ocsp: sending response, 1st line: HTTP/1.0 200 OK
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 810C6D581B88B8245F66B67E49B738D99BD5F7BB
          Issuer Key Hash: 72B2C4CCA9E740714C38E28CFE64CA083A50C94B
          Serial Number: 03
    Request Extensions:
        OCSP Nonce: 
            0410824D28F39BFDC151218F047D6291B000
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = PKCS11 Provider, CN = OCSP
    Produced At: Feb 20 18:56:07 2025 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 810C6D581B88B8245F66B67E49B738D99BD5F7BB
      Issuer Key Hash: 72B2C4CCA9E740714C38E28CFE64CA083A50C94B
      Serial Number: 03
    Cert Status: good
    This Update: Feb 20 18:56:07 2025 GMT

    Response Extensions:
        OCSP Nonce: 
            0410824D28F39BFDC151218F047D6291B000
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        50:c5:97:ae:33:67:3a:10:64:23:ca:75:4a:80:18:65:76:b4:
        c9:52:ac:57:0f:cc:c2:4b:81:fd:3d:17:d6:d7:f9:2a:92:19:
        3e:64:5e:5f:3c:88:25:63:46:5c:c7:31:c0:27:6f:76:3c:39:
        3f:7c:7a:91:00:d3:58:df:ba:22:11:a3:80:77:2b:33:ef:07:
        a4:26:50:f2:60:1c:43:9e:5e:0a:66:23:ca:ab:05:5e:d9:e2:
        c4:3a:27:66:43:55:f7:28:01:84:c8:b0:4d:ff:6e:3b:ae:59:
        6f:fb:a2:1b:c0:8a:51:90:ac:f1:0d:5c:de:b7:53:55:26:7b:
        9e:9b:30:97:09:c0:3f:2f:60:06:02:74:58:a2:4b:fb:cb:45:
        de:a2:80:54:4a:b7:5c:4d:e6:4c:eb:37:6e:7f:34:a3:90:19:
        11:d7:04:f4:e2:89:94:e3:b3:6a:5c:3b:77:9e:51:36:c8:dd:
        55:ae:4b:63:74:ec:bf:61:4a:e5:47:d6:14:a8:c3:c2:90:5a:
        6b:72:d8:23:dc:a5:e2:07:a9:c9:77:cb:3a:cc:8a:c1:a2:fe:
        ae:2b:7a:2f:59:dc:48:f6:f1:50:3f:97:c0:63:2c:a1:9b:d0:
        74:19:1b:11:93:de:16:4b:a7:d4:d5:97:02:5e:4d:35:9d:67:
        e4:eb:df:ca
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
        Validity
            Not Before: Feb 20 18:56:06 2025 GMT
            Not After : Feb 20 18:56:06 2026 GMT
        Subject: C=US, O=PKCS11 Provider, CN=OCSP
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bb:a4:13:a3:97:7f:64:99:a7:bc:dc:22:26:e2:
                    30:63:6e:0f:45:e2:3a:b0:4d:13:f8:8c:9a:69:f8:
                    86:05:35:ec:bf:ea:60:13:48:ac:ae:68:bd:5f:43:
                    b1:e3:70:f2:e8:04:00:34:44:c7:9c:63:1b:67:ca:
                    cc:89:98:f5:7a:44:a1:51:7e:13:6b:76:c6:d9:83:
                    22:6d:c9:cf:78:fd:dd:c6:65:68:2a:f6:7e:d4:15:
                    e8:00:b3:88:18:06:f6:2f:b0:ca:92:d8:d8:17:9e:
                    31:0e:d4:61:74:64:24:6e:af:30:ec:01:0a:8d:5d:
                    f2:8a:06:bf:eb:f1:58:23:0e:4d:e3:bb:e6:c4:51:
                    14:28:20:21:19:88:3c:1d:d9:c8:36:df:3a:2c:aa:
                    3a:94:91:46:0f:68:e5:df:cb:0d:57:a3:5b:06:0b:
                    1c:e3:3d:14:cd:a4:2b:7b:5d:4b:b8:b9:a3:76:9e:
                    91:ba:94:aa:69:5a:bc:a5:2a:ef:b3:f2:b0:ce:fc:
                    19:58:39:24:2d:fa:68:3c:ed:45:c6:8c:a6:c3:b7:
                    14:63:42:3a:cd:03:68:f8:cc:7d:cd:47:dc:0e:81:
                    69:29:e8:af:66:50:21:8b:49:b9:29:c7:e5:68:4f:
                    82:ec:b8:c6:37:b8:ae:80:da:7b:86:f8:a1:81:57:
                    10:8b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Key Identifier: 
                72:B2:C4:CC:A9:E7:40:71:4C:38:E2:8C:FE:64:CA:08:3A:50:C9:4B
            X509v3 Authority Key Identifier: 
                72:B2:C4:CC:A9:E7:40:71:4C:38:E2:8C:FE:64:CA:08:3A:50:C9:4B
   
## Kill any remaining children and wait for them
kill: sending signal to 10188 failed: No such process
/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/helpers.sh: line 71: 10188 Killed                  $CHECKER openssl ocsp -index "${DEMOCA}/index.txt" -rsigner "${DEMOCA}/ocspSigning.pem" -rkey "${PRIURI}" -CA "${DEMOCA}/cacert.pem" -rmd sha256 -port "${PORT}" -text
==============================================================================

=================================== 28/92 ====================================
test:         pkcs11-provider:softhsm / democa
start time:   18:56:07
duration:     1.60s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=49 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper democa-softhsm.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tdemoca

## Set up demoCA

## Generating CA cert if needed
 openssl req -batch -noenc -x509 -new -key ${PRIURI} -out ${DEMOCA}/cacert.pem


## Generating a new CSR with key in file
 openssl 
req -batch -noenc -newkey rsa:2048
    -subj "/CN=testing-csr-signing/O=PKCS11 Provider/C=US"
    -keyout ${DEMOCA}/cert.key -out ${DEMOCA}/cert.csr
..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+.....+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*........+.....+...............+.+...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.+......+.......+.....+.......+............+...+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+.....+......+...+...+.........+...+.+............+..+...+...+......+.+...+......+.....+......+....+...+..+.........+............+............+...+............+.+..+....+...+...+...+..+.......+...+........+.+.....+.+...+..............+.............+...+..............+...+.......+...........+....+............+...+...+........+......+.+.....+....+......+.....+.............+.....+..........+.........+..+....+...............+......+..............+.........+.+..+....+...+...........+.+...+..+.........+.......+.................+......+.........+...+...+....+..+.+..+......+.+.........+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----


## Signing the new certificate
 openssl 
ca -batch -in ${DEMOCA}/cert.csr -keyfile ${PRIURI} -out ${DEMOCA}/cert.pem
Using configuration from /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testing-csr-signing'
organizationName      :ASN.1 12:'PKCS11 Provider'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 20 18:56:07 2026 GMT (365 days)

Write out database with 1 new entries
Database updated


## Generating a new CSR with existing RSA key in token
 openssl 
req -batch -noenc -new -key ${PRIURI}
    -subj "/CN=testing-rsa-signing/O=PKCS11 Provider/C=US"
    -out ${DEMOCA}/cert-rsa.csr


## Signing the new RSA key certificate
 openssl 
ca -batch -in ${DEMOCA}/cert-rsa.csr -keyfile ${PRIURI} -out ${DEMOCA}/cert.pem
Using configuration from /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testing-rsa-signing'
organizationName      :ASN.1 12:'PKCS11 Provider'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 20 18:56:07 2026 GMT (365 days)

Write out database with 1 new entries
Database updated


## Generating a new CSR with existing EC key in token
 openssl 
req -batch -noenc -new -key ${ECPRIURI}
    -subj "/CN=testing-ec-signing/O=PKCS11 Provider/C=US"
    -out ${DEMOCA}/cert-ec.csr


## Signing the new EC key certificate
 openssl 
ca -batch -in ${DEMOCA}/cert-ec.csr -keyfile ${PRIURI} -out ${DEMOCA}/cert.pem
Using configuration from /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testing-ec-signing'
organizationName      :ASN.1 12:'PKCS11 Provider'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 20 18:56:07 2026 GMT (365 days)

Write out database with 1 new entries
Database updated


## Generating a new CSR with existing RSA-PSS key in token
 openssl 
    req -batch -noenc -new -key ${RSAPSSPRIURI} -sigopt rsa_padding_mode:pss
        -subj "/CN=testing-rsapss-signing/O=PKCS11 Provider/C=US"
        -sigopt rsa_padding_mode:pss
        -out ${DEMOCA}/cert-rsa-pss.csr


## Signing the new RSA-PSS key certificate
 openssl 
    ca -batch -in ${DEMOCA}/cert-rsa-pss.csr -keyfile ${PRIURI} -out ${DEMOCA}/cert.pem
Using configuration from /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testing-rsapss-signing'
organizationName      :ASN.1 12:'PKCS11 Provider'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 20 18:56:07 2026 GMT (365 days)

Write out database with 1 new entries
Database updated

 openssl x509 -text -in ${DEMOCA}/cert.pem

## Generating a new CSR with existing SHA256 restricted RSA-PSS key in token
 openssl 
    req -batch -noenc -new -key ${RSAPSS2PRIURI} -sigopt rsa_padding_mode:pss
        -subj "/CN=testing-rsapss-sha2-signing/O=PKCS11 Provider/C=US"
        -out ${DEMOCA}/cert-rsa-pss2.csr
        -sigopt rsa_padding_mode:pss
        -sigopt digest:sha256


## Signing the new SHA256 restricted RSA-PSS key certificate
 openssl 
    ca -batch -in ${DEMOCA}/cert-rsa-pss2.csr -keyfile ${PRIURI} -out ${DEMOCA}/cert.pem
Using configuration from /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testing-rsapss-sha2-signing'
organizationName      :ASN.1 12:'PKCS11 Provider'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 20 18:56:07 2026 GMT (365 days)

Write out database with 1 new entries
Database updated

 openssl x509 -text -in ${DEMOCA}/cert.pem

## Generating a new CSR with existing RSA-PSS key in token
 openssl 
    req -batch -noenc -new -key ${RSAPSS2PRIURI} -sigopt rsa_padding_mode:pss
        -subj "/CN=testing-rsapss-signing/O=PKCS11 Provider/C=US"
        -out ${DEMOCA}/cert-rsa-pss2.csr
        -sigopt rsa_padding_mode:pss
        -sigopt digest:sha256
        -sigopt rsa_pss_saltlen:-2


## Signing the new RSA-PSS key certificate
 openssl 
    ca -batch -in ${DEMOCA}/cert-rsa-pss.csr -keyfile ${PRIURI} -out ${DEMOCA}/cert.pem
Using configuration from /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testing-rsapss-signing'
organizationName      :ASN.1 12:'PKCS11 Provider'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 20 18:56:08 2026 GMT (365 days)

Write out database with 1 new entries
Database updated


## Set up OCSP
 openssl 
req -batch -noenc -new -subj "/CN=OCSP/O=PKCS11 Provider/C=US"
    -key ${PRIURI} -out ${DEMOCA}/ocspSigning.csr

 openssl 
ca -batch -keyfile ${PRIURI} -cert ${DEMOCA}/cacert.pem
   -in ${DEMOCA}/ocspSigning.csr -out ${DEMOCA}/ocspSigning.pem
Using configuration from /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'OCSP'
organizationName      :ASN.1 12:'PKCS11 Provider'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 20 18:56:08 2026 GMT (365 days)

Write out database with 1 new entries
Database updated


## Run OCSP
ACCEPT 0.0.0.0:12345 PID=10246
ocsp: waiting for OCSP client connections...
 openssl 
ocsp -CAfile ${DEMOCA}/cacert.pem -issuer ${DEMOCA}/cacert.pem
     -cert ${DEMOCA}/cert.pem -resp_text -noverify
     -url http://127.0.0.1:${PORT}
ocsp: received request, 1st line: POST / HTTP/1.0
ocsp: sending response, 1st line: HTTP/1.0 200 OK
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 810C6D581B88B8245F66B67E49B738D99BD5F7BB
          Issuer Key Hash: E4E4AD68EA14A6713EC9602855E1D501AA0B93B0
          Serial Number: 06
    Request Extensions:
        OCSP Nonce: 
            0410FFC2C40CD7BA79C00425362C35F4C712
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = PKCS11 Provider, CN = OCSP
    Produced At: Feb 20 18:56:08 2025 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 810C6D581B88B8245F66B67E49B738D99BD5F7BB
      Issuer Key Hash: E4E4AD68EA14A6713EC9602855E1D501AA0B93B0
      Serial Number: 06
    Cert Status: good
    This Update: Feb 20 18:56:08 2025 GMT

    Response Extensions:
        OCSP Nonce: 
            0410FFC2C40CD7BA79C00425362C35F4C712
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        b9:68:b6:bd:57:56:a8:d9:12:a0:16:2d:34:c7:6a:23:60:21:
        c2:43:0b:81:9b:8b:22:fd:45:9b:1f:8b:38:17:ed:72:45:83:
        b0:7e:91:02:31:8c:98:d5:31:f9:47:67:f2:98:fa:51:11:bc:
        dc:89:d5:41:76:e9:67:75:08:0d:e6:1d:57:75:ff:7d:fb:4e:
        b3:2b:a7:13:22:ae:86:5c:1e:a9:8a:40:e5:88:06:2d:4e:4e:
        45:1d:c8:d3:2e:6e:8c:68:4b:38:fd:59:5d:dd:d4:df:7c:6b:
        95:e4:2f:8c:12:da:b4:1b:d2:03:78:7c:71:ff:df:59:2e:77:
        3f:39:d7:bb:64:39:3c:c0:90:15:3e:7d:69:77:3c:2e:6f:08:
        b1:99:93:90:dd:61:00:05:0d:37:6c:5d:cd:2b:5c:b3:a0:7c:
        d3:6a:45:13:34:88:7c:5b:29:15:c1:9c:a4:14:d4:36:d5:80:
        dc:f4:1b:b0:4e:91:1b:2a:c2:65:fe:d6:f4:65:74:ae:9d:3a:
        95:94:5a:bb:2c:d7:30:31:bb:d5:f7:a3:f5:f3:76:ef:f2:90:
        a5:3a:9e:a1:76:32:49:16:9d:cc:c9:c7:79:b9:4f:35:5f:23:
        f5:6e:2c:a6:6b:7a:f7:5b:01:1e:ed:04:09:21:b8:49:f7:6b:
        fb:23:06:63
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
        Validity
            Not Before: Feb 20 18:56:08 2025 GMT
            Not After : Feb 20 18:56:08 2026 GMT
        Subject: C=US, O=PKCS11 Provider, CN=OCSP
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b9:b7:c9:1d:51:ed:15:8f:4e:2c:f2:8f:bb:9f:
                    bf:51:75:d9:04:b1:70:43:cd:6c:d5:61:42:b3:bc:
                    15:23:26:4a:47:e0:4e:5e:23:0f:1e:d9:6c:9c:95:
                    d3:e3:0f:d2:1a:a4:56:49:25:88:32:24:f7:27:a8:
                    f3:f7:e7:23:63:fc:c9:b6:0f:6d:ee:62:9a:ed:77:
                    ab:8d:5d:4e:70:de:5b:50:ef:0c:2f:fe:17:55:30:
                    6f:04:41:72:9c:80:2e:21:4b:cc:db:14:b9:d9:21:
                    76:e4:c0:25:be:31:cc:7d:93:cc:7e:26:f2:c2:03:
                    cc:d3:f6:dc:c0:e4:78:77:74:cc:e4:44:e3:30:aa:
                    48:b5:bc:3c:f8:a3:03:b3:a1:5c:55:1e:e9:6f:7f:
                    fb:64:44:09:20:2d:03:11:11:33:e3:62:56:ea:f4:
                    cf:42:1e:a1:8b:aa:8e:c8:c8:c1:a7:48:45:b5:e4:
                    b8:cd:8a:cb:47:b4:96:3a:d0:73:82:44:ac:e6:42:
                    4a:e4:ab:74:22:40:d7:95:d0:67:b3:64:e6:f6:ff:
                    63:a5:3e:38:d7:cf:b6:38:6a:5c:76:ff:5c:40:db:
                    83:2e:1b:5e:b7:aa:56:f3:dd:50:72:de:7d:82:dd:
                    77:07:66:f8:70:69:13:b3:41:02:ee:f7:82:c6:ee:
                    55:1d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Key Identifier: 
                E4:E4:AD:68:EA:14:A6:71:3E:C9:60:28:55:E1:D5:01:AA:0B:93:B0
            X509v3 Authority Key Identifier: 
                E4:E4:AD:68:EA:14:A6:71:3E:C9:60:28:55:E1:D5:01:AA:0B:93:B0
   
## Kill any remaining children and wait for them
kill: sending signal to 10246 failed: No such process
/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/helpers.sh: line 71: 10246 Killed                  $CHECKER openssl ocsp -index "${DEMOCA}/index.txt" -rsigner "${DEMOCA}/ocspSigning.pem" -rkey "${PRIURI}" -CA "${DEMOCA}/cacert.pem" -rmd sha256 -port "${PORT}" -text
==============================================================================

=================================== 29/92 ====================================
test:         pkcs11-provider:kryoptic / democa
start time:   18:56:08
duration:     1.78s
result:       exit status 0
command:      MALLOC_PERTURB_=206 TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper democa-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tdemoca

## Set up demoCA

## Generating CA cert if needed
 openssl req -batch -noenc -x509 -new -key ${PRIURI} -out ${DEMOCA}/cacert.pem


## Generating a new CSR with key in file
 openssl 
req -batch -noenc -newkey rsa:2048
    -subj "/CN=testing-csr-signing/O=PKCS11 Provider/C=US"
    -keyout ${DEMOCA}/cert.key -out ${DEMOCA}/cert.csr
.....+..........+...+........+...............+...+....+..+....+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+..+...+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+.....+..........+...+..+...+...+.+..............+.......+..+......+.......+........+.+...+..+.+...+..+.............+..............+...+...+.+.........+..+.......+.....+.+.....+.......+.....+....+...........+...+....+......+...........+.+...+.........+..+........................+..........+......+......+............+..+.+..+...+.........+.........+....+...............+........+....+...+.....+.+.........+...+...+.....+......+....+..+...+..............................+......+.+..............+...+.............+..+...+...+................+..................+..+...+.............+...+.....+..........+......+...+..+....+......+...+...+.....+...+....+..+.+..+...............+......+.......+....................+...+....+..+...+...+....+.........+..+............+...+.............+......+......+..+.+.........+..+.+.....+.........+.+..............+....+......+...+..+...+.+............+............+.....+............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
..+.+........+....+....................+.+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+.....+.......+.....+.+......+.....+...+.+.........+..+.+........+.+.....+.........+......+.............+.....+.+.....+.......+...+..+.......+..+.+.........+.....+.............+...........+.......+........+.........+.+..+.........+...+...+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+..........+...........+.......+.....+.......+......+..............+...+...+.......+............+.....+.+...........+....+.....+.+......+.....+..........+...+..+.......+.....+.+..+............................+...........+.+...............+..+......+.........+......+............+...+....+.....+.+...........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----


## Signing the new certificate
 openssl 
ca -batch -in ${DEMOCA}/cert.csr -keyfile ${PRIURI} -out ${DEMOCA}/cert.pem
Using configuration from /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testing-csr-signing'
organizationName      :ASN.1 12:'PKCS11 Provider'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 20 18:56:09 2026 GMT (365 days)

Write out database with 1 new entries
Database updated


## Generating a new CSR with existing RSA key in token
 openssl 
req -batch -noenc -new -key ${PRIURI}
    -subj "/CN=testing-rsa-signing/O=PKCS11 Provider/C=US"
    -out ${DEMOCA}/cert-rsa.csr


## Signing the new RSA key certificate
 openssl 
ca -batch -in ${DEMOCA}/cert-rsa.csr -keyfile ${PRIURI} -out ${DEMOCA}/cert.pem
Using configuration from /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testing-rsa-signing'
organizationName      :ASN.1 12:'PKCS11 Provider'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 20 18:56:09 2026 GMT (365 days)

Write out database with 1 new entries
Database updated


## Generating a new CSR with existing EC key in token
 openssl 
req -batch -noenc -new -key ${ECPRIURI}
    -subj "/CN=testing-ec-signing/O=PKCS11 Provider/C=US"
    -out ${DEMOCA}/cert-ec.csr


## Signing the new EC key certificate
 openssl 
ca -batch -in ${DEMOCA}/cert-ec.csr -keyfile ${PRIURI} -out ${DEMOCA}/cert.pem
Using configuration from /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testing-ec-signing'
organizationName      :ASN.1 12:'PKCS11 Provider'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 20 18:56:09 2026 GMT (365 days)

Write out database with 1 new entries
Database updated


## Generating a new CSR with existing RSA-PSS key in token
 openssl 
    req -batch -noenc -new -key ${RSAPSSPRIURI} -sigopt rsa_padding_mode:pss
        -subj "/CN=testing-rsapss-signing/O=PKCS11 Provider/C=US"
        -sigopt rsa_padding_mode:pss
        -out ${DEMOCA}/cert-rsa-pss.csr


## Signing the new RSA-PSS key certificate
 openssl 
    ca -batch -in ${DEMOCA}/cert-rsa-pss.csr -keyfile ${PRIURI} -out ${DEMOCA}/cert.pem
Using configuration from /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testing-rsapss-signing'
organizationName      :ASN.1 12:'PKCS11 Provider'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 20 18:56:09 2026 GMT (365 days)

Write out database with 1 new entries
Database updated

 openssl x509 -text -in ${DEMOCA}/cert.pem

## Generating a new CSR with existing SHA256 restricted RSA-PSS key in token
 openssl 
    req -batch -noenc -new -key ${RSAPSS2PRIURI} -sigopt rsa_padding_mode:pss
        -subj "/CN=testing-rsapss-sha2-signing/O=PKCS11 Provider/C=US"
        -out ${DEMOCA}/cert-rsa-pss2.csr
        -sigopt rsa_padding_mode:pss
        -sigopt digest:sha256


## Signing the new SHA256 restricted RSA-PSS key certificate
 openssl 
    ca -batch -in ${DEMOCA}/cert-rsa-pss2.csr -keyfile ${PRIURI} -out ${DEMOCA}/cert.pem
Using configuration from /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testing-rsapss-sha2-signing'
organizationName      :ASN.1 12:'PKCS11 Provider'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 20 18:56:09 2026 GMT (365 days)

Write out database with 1 new entries
Database updated

 openssl x509 -text -in ${DEMOCA}/cert.pem

## Generating a new CSR with existing RSA-PSS key in token
 openssl 
    req -batch -noenc -new -key ${RSAPSS2PRIURI} -sigopt rsa_padding_mode:pss
        -subj "/CN=testing-rsapss-signing/O=PKCS11 Provider/C=US"
        -out ${DEMOCA}/cert-rsa-pss2.csr
        -sigopt rsa_padding_mode:pss
        -sigopt digest:sha256
        -sigopt rsa_pss_saltlen:-2


## Signing the new RSA-PSS key certificate
 openssl 
    ca -batch -in ${DEMOCA}/cert-rsa-pss.csr -keyfile ${PRIURI} -out ${DEMOCA}/cert.pem
Using configuration from /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testing-rsapss-signing'
organizationName      :ASN.1 12:'PKCS11 Provider'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 20 18:56:09 2026 GMT (365 days)

Write out database with 1 new entries
Database updated


## Set up OCSP
 openssl 
req -batch -noenc -new -subj "/CN=OCSP/O=PKCS11 Provider/C=US"
    -key ${PRIURI} -out ${DEMOCA}/ocspSigning.csr

 openssl 
ca -batch -keyfile ${PRIURI} -cert ${DEMOCA}/cacert.pem
   -in ${DEMOCA}/ocspSigning.csr -out ${DEMOCA}/ocspSigning.pem
Using configuration from /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'OCSP'
organizationName      :ASN.1 12:'PKCS11 Provider'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 20 18:56:09 2026 GMT (365 days)

Write out database with 1 new entries
Database updated


## Run OCSP
ACCEPT 0.0.0.0:12345 PID=10304
ocsp: waiting for OCSP client connections...
 openssl 
ocsp -CAfile ${DEMOCA}/cacert.pem -issuer ${DEMOCA}/cacert.pem
     -cert ${DEMOCA}/cert.pem -resp_text -noverify
     -url http://127.0.0.1:${PORT}
ocsp: received request, 1st line: POST / HTTP/1.0
ocsp: sending response, 1st line: HTTP/1.0 200 OK
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 810C6D581B88B8245F66B67E49B738D99BD5F7BB
          Issuer Key Hash: 9F4E792AD4A29AF2571F8669C25C1016388981C9
          Serial Number: 06
    Request Extensions:
        OCSP Nonce: 
            04103BA9300E0A5A612B2125038AA87E307A
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = PKCS11 Provider, CN = OCSP
    Produced At: Feb 20 18:56:10 2025 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 810C6D581B88B8245F66B67E49B738D99BD5F7BB
      Issuer Key Hash: 9F4E792AD4A29AF2571F8669C25C1016388981C9
      Serial Number: 06
    Cert Status: good
    This Update: Feb 20 18:56:10 2025 GMT

    Response Extensions:
        OCSP Nonce: 
            04103BA9300E0A5A612B2125038AA87E307A
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        7c:d4:b1:b3:64:7b:23:7d:2b:67:c7:a6:16:dc:f9:a0:83:b1:
        52:d5:b3:0a:1c:02:72:a3:46:e4:62:db:e8:23:ed:c1:b2:9d:
        cf:9a:cc:24:10:97:a3:d0:b1:58:45:97:15:58:8e:ff:4b:7a:
        c6:3b:ba:5a:64:20:69:d0:d6:3d:f2:33:97:80:8b:61:c8:30:
        45:43:1e:01:2a:29:71:fe:52:f9:97:e8:88:e5:03:a1:ad:5a:
        09:f7:83:ba:4e:42:a3:e4:1c:f1:b3:72:e4:ab:fd:b6:d5:95:
        22:86:73:6c:3c:3b:f8:9a:e1:97:32:3b:81:14:0b:2f:87:69:
        b7:3d:6d:ab:ff:81:b3:21:3a:74:34:07:f4:dc:5f:82:33:b0:
        47:a1:51:39:23:5f:b6:68:e7:44:9f:7f:41:33:d5:63:bd:83:
        fd:6c:82:59:63:20:c6:e8:e1:c2:f2:3d:66:7a:24:5f:1c:7b:
        aa:21:0b:36:02:ad:c2:ed:aa:b1:0e:da:d7:ca:b6:2a:71:71:
        6d:6c:ec:83:44:e3:25:94:42:4b:ba:6e:82:ab:8b:10:25:d3:
        ea:25:50:7d:0e:b1:cb:cc:07:66:24:a3:74:06:9b:c4:b3:7d:
        96:3c:55:68:12:a5:c2:c7:dd:7a:2d:ef:36:c7:25:0e:53:50:
        ca:7a:4b:c6
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
        Validity
            Not Before: Feb 20 18:56:09 2025 GMT
            Not After : Feb 20 18:56:09 2026 GMT
        Subject: C=US, O=PKCS11 Provider, CN=OCSP
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9a:3d:52:c8:cb:a3:14:eb:03:ef:91:06:1f:83:
                    0f:73:59:10:2a:b8:1f:5b:2b:d6:c3:0b:55:28:92:
                    67:18:f9:36:b1:62:a9:33:57:8a:b2:26:a6:d6:36:
                    c2:98:6c:b5:21:77:3c:9e:6b:f0:14:69:83:a0:ea:
                    58:dc:6f:2d:14:b1:40:c5:2a:44:a8:f1:85:6d:9f:
                    b0:cf:79:0e:91:47:a8:74:ef:d8:b3:9d:21:d9:c9:
                    ff:6c:50:f1:17:68:62:12:1c:73:7a:9e:0a:67:69:
                    6c:4a:13:51:6e:47:41:c2:7f:00:bc:a7:fd:64:22:
                    7b:ca:a9:e8:dd:95:83:6f:4a:71:63:1c:de:92:a7:
                    f6:0c:11:52:fd:8d:7a:10:8d:26:c5:59:a4:3e:34:
                    c4:8f:ce:45:89:6c:41:4b:67:93:b3:c6:0d:d1:40:
                    27:be:84:67:90:00:03:46:e9:65:3f:fb:e0:8e:5d:
                    30:aa:bf:a4:b1:a9:e8:89:c6:43:94:e7:b3:27:63:
                    4e:03:cc:06:14:95:41:fa:da:3a:a6:d3:35:0d:95:
                    a3:34:40:6a:05:df:34:ef:db:59:2f:9a:01:e0:07:
                    91:f1:53:6c:b4:11:31:b9:a0:74:9c:f2:39:59:61:
                    5c:a2:70:b0:77:bd:8b:0b:db:b2:ba:ab:bc:40:89:
                    8d:63
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Key Identifier: 
                9F:4E:79:2A:D4:A2:9A:F2:57:1F:86:69:C2:5C:10:16:38:89:81:C9
            X509v3 Authority Key Identifier: 
                9F:4E:79:2A:D4:A2:9A:F2:57:1F:86:69:C2:5C:10:16:38:89:81:C9
   
## Kill any remaining children and wait for them
kill: sending signal to 10304 failed: No such process
/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/helpers.sh: line 71: 10304 Killed                  $CHECKER openssl ocsp -index "${DEMOCA}/index.txt" -rsigner "${DEMOCA}/ocspSigning.pem" -rkey "${PRIURI}" -CA "${DEMOCA}/cacert.pem" -rmd sha256 -port "${PORT}" -text
==============================================================================

=================================== 30/92 ====================================
test:         pkcs11-provider:kryoptic.nss / democa
start time:   18:56:10
duration:     3.90s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=72 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper democa-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tdemoca

## Set up demoCA

## Generating CA cert if needed
 openssl req -batch -noenc -x509 -new -key ${PRIURI} -out ${DEMOCA}/cacert.pem


## Generating a new CSR with key in file
 openssl 
req -batch -noenc -newkey rsa:2048
    -subj "/CN=testing-csr-signing/O=PKCS11 Provider/C=US"
    -keyout ${DEMOCA}/cert.key -out ${DEMOCA}/cert.csr
.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+......+.+......+........+......+......+.......+.....+.+......+......+..+.......+...+......+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.......................+....+..........................................+........+.+..+.......+......+..+...+.+.....+....+.....+.+.....+....+.....+....+..+...+.......+.....+.........+.....................+....+......+...+.....+.......+......+..+......+.+........+...+...+....+...+..+......+...............+......+.+..................+.....+....+.....+.+.....+....+..+....+.....+......+......+....+......+.....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..........+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----


## Signing the new certificate
 openssl 
ca -batch -in ${DEMOCA}/cert.csr -keyfile ${PRIURI} -out ${DEMOCA}/cert.pem
Using configuration from /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testing-csr-signing'
organizationName      :ASN.1 12:'PKCS11 Provider'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 20 18:56:11 2026 GMT (365 days)

Write out database with 1 new entries
Database updated


## Generating a new CSR with existing RSA key in token
 openssl 
req -batch -noenc -new -key ${PRIURI}
    -subj "/CN=testing-rsa-signing/O=PKCS11 Provider/C=US"
    -out ${DEMOCA}/cert-rsa.csr


## Signing the new RSA key certificate
 openssl 
ca -batch -in ${DEMOCA}/cert-rsa.csr -keyfile ${PRIURI} -out ${DEMOCA}/cert.pem
Using configuration from /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testing-rsa-signing'
organizationName      :ASN.1 12:'PKCS11 Provider'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 20 18:56:12 2026 GMT (365 days)

Write out database with 1 new entries
Database updated


## Generating a new CSR with existing EC key in token
 openssl 
req -batch -noenc -new -key ${ECPRIURI}
    -subj "/CN=testing-ec-signing/O=PKCS11 Provider/C=US"
    -out ${DEMOCA}/cert-ec.csr


## Signing the new EC key certificate
 openssl 
ca -batch -in ${DEMOCA}/cert-ec.csr -keyfile ${PRIURI} -out ${DEMOCA}/cert.pem
Using configuration from /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testing-ec-signing'
organizationName      :ASN.1 12:'PKCS11 Provider'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 20 18:56:12 2026 GMT (365 days)

Write out database with 1 new entries
Database updated


## Set up OCSP
 openssl 
req -batch -noenc -new -subj "/CN=OCSP/O=PKCS11 Provider/C=US"
    -key ${PRIURI} -out ${DEMOCA}/ocspSigning.csr

 openssl 
ca -batch -keyfile ${PRIURI} -cert ${DEMOCA}/cacert.pem
   -in ${DEMOCA}/ocspSigning.csr -out ${DEMOCA}/ocspSigning.pem
Using configuration from /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'OCSP'
organizationName      :ASN.1 12:'PKCS11 Provider'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 20 18:56:13 2026 GMT (365 days)

Write out database with 1 new entries
Database updated


## Run OCSP
ACCEPT 0.0.0.0:12345 PID=10344
ocsp: waiting for OCSP client connections...
 openssl 
ocsp -CAfile ${DEMOCA}/cacert.pem -issuer ${DEMOCA}/cacert.pem
     -cert ${DEMOCA}/cert.pem -resp_text -noverify
     -url http://127.0.0.1:${PORT}
ocsp: received request, 1st line: POST / HTTP/1.0
ocsp: sending response, 1st line: HTTP/1.0 200 OK
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 810C6D581B88B8245F66B67E49B738D99BD5F7BB
          Issuer Key Hash: 90C44710A86812A3615A8CB406123668CADDB136
          Serial Number: 03
    Request Extensions:
        OCSP Nonce: 
            04104EFA3C48AC5F8EC326A661381C2C93DD
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = PKCS11 Provider, CN = OCSP
    Produced At: Feb 20 18:56:14 2025 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 810C6D581B88B8245F66B67E49B738D99BD5F7BB
      Issuer Key Hash: 90C44710A86812A3615A8CB406123668CADDB136
      Serial Number: 03
    Cert Status: good
    This Update: Feb 20 18:56:14 2025 GMT

    Response Extensions:
        OCSP Nonce: 
            04104EFA3C48AC5F8EC326A661381C2C93DD
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        a3:3b:d8:12:9f:8b:a6:47:de:67:ca:1f:af:90:d4:3b:cc:78:
        cb:20:c3:89:5f:e6:8a:ac:16:dd:95:c0:08:fa:86:4a:66:68:
        a7:8e:19:6e:d0:6d:5e:55:f0:0c:42:51:8f:c4:b6:47:39:64:
        f9:26:15:f3:e8:7a:0a:57:53:d4:27:32:61:d8:11:21:3d:b3:
        e7:63:5a:8d:f1:a2:1b:c9:1f:e5:a8:8e:1e:b5:30:ec:41:10:
        33:7b:0a:e6:40:7b:32:c3:34:dc:89:94:3d:bd:e3:80:b3:ff:
        63:5e:a5:ee:9f:63:c8:2b:41:a6:b1:d6:71:55:79:e6:c8:ff:
        7d:c7:ad:1b:fd:2d:cb:5d:d0:21:5c:f9:06:42:75:d6:14:99:
        63:20:2a:e3:1c:ce:02:3b:94:ca:fd:18:36:fc:99:c0:6b:18:
        55:59:9d:c5:71:86:a4:c4:e6:fa:1e:2c:25:89:8d:a8:c4:22:
        ac:ab:e0:46:a4:a5:d8:dd:43:be:bd:77:d4:53:84:5a:97:a7:
        58:56:fb:a4:ec:7f:67:ae:62:43:e8:3b:a5:a0:b9:ba:c1:8a:
        3e:3b:64:cb:cc:5e:dd:0d:6d:fa:3c:fd:c8:2e:f2:df:78:24:
        99:5a:bd:31:90:68:46:51:c3:41:08:f0:1b:3d:d7:4d:e3:df:
        6b:d9:d0:eb
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
        Validity
            Not Before: Feb 20 18:56:13 2025 GMT
            Not After : Feb 20 18:56:13 2026 GMT
        Subject: C=US, O=PKCS11 Provider, CN=OCSP
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cb:ec:3d:66:23:30:ec:66:d9:b5:ff:2e:99:4f:
                    72:d4:f4:a0:83:a3:7e:8d:1d:fd:be:5d:1b:48:75:
                    8c:a3:9e:b1:dc:28:1c:c3:b5:fb:9c:4c:2d:7c:85:
                    78:c8:e2:20:38:13:8d:59:63:55:1b:ba:b9:7f:7d:
                    c4:57:01:8b:a5:b8:b1:ad:52:7f:8a:20:7f:2f:f4:
                    34:30:a0:3c:06:a5:dc:f5:5d:c0:33:5c:1a:48:ef:
                    e0:17:7c:7d:f2:8b:a0:ce:82:9a:ca:dc:bd:0a:8c:
                    53:28:a7:2e:16:15:b7:aa:ba:0d:bc:eb:2d:2b:39:
                    3b:05:34:d1:b7:f8:44:f3:3f:35:ab:b2:f2:7f:15:
                    e0:d9:f6:cc:5c:46:a1:df:e8:c0:b8:5d:04:e9:8e:
                    a9:b0:23:ff:26:22:0e:ad:07:96:5a:51:2e:4f:5e:
                    98:9e:36:d5:db:f2:71:b6:1d:32:67:f5:ca:78:f9:
                    25:b8:ad:4c:1d:05:b8:d0:d2:f2:11:c1:12:e6:e5:
                    ad:48:74:f6:04:73:44:e9:73:26:34:0e:5a:d7:33:
                    82:36:cc:50:0b:39:89:40:ba:43:83:2b:4d:d5:a4:
                    44:71:d3:bf:d9:20:ab:f7:55:d6:d4:2e:b7:ec:20:
                    15:67:bc:2c:5d:ca:e6:05:fe:01:76:2a:1c:40:5a:
                    f8:11
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Key Identifier: 
                90:C4:47:10:A8:68:12:A3:61:5A:8C:B4:06:12:36:68:CA:DD:B1:36
            X509v3 Authority Key Identifier: 
                90:C4:47:10:A8:68:12:A3:61:5A:8C:B4:06:12:36:68:CA:DD:B1:36
   
## Kill any remaining children and wait for them
kill: sending signal to 10344 failed: No such process
/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/helpers.sh: line 71: 10344 Killed                  $CHECKER openssl ocsp -index "${DEMOCA}/index.txt" -rsigner "${DEMOCA}/ocspSigning.pem" -rkey "${PRIURI}" -CA "${DEMOCA}/cacert.pem" -rmd sha256 -port "${PORT}" -text
==============================================================================

=================================== 31/92 ====================================
test:         pkcs11-provider:softokn / digest
start time:   18:56:14
duration:     0.14s
result:       exit status 0
command:      MALLOC_PERTURB_=63 TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper digest-softokn.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tdigest

## Test Digests support
sha512-224: Unsupported by pkcs11 token
sha512-256: Unsupported by pkcs11 token
PASSED

## Test Digests Blocked
No digest available for testing pkcs11 provider
Digest operations failed as expected
==============================================================================

=================================== 32/92 ====================================
test:         pkcs11-provider:softhsm / digest
start time:   18:56:14
duration:     0.07s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=176 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper digest-softhsm.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tdigest

## Test Digests support
sha512-224: Unsupported by pkcs11 token
sha512-256: Unsupported by pkcs11 token
sha3-224: Unsupported by pkcs11 token
sha3-256: Unsupported by pkcs11 token
sha3-384: Unsupported by pkcs11 token
sha3-512: Unsupported by pkcs11 token
PASSED

## Test Digests Blocked
No digest available for testing pkcs11 provider
Digest operations failed as expected
==============================================================================

=================================== 33/92 ====================================
test:         pkcs11-provider:kryoptic / digest
start time:   18:56:14
duration:     0.07s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=114 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper digest-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tdigest

## Test Digests support
sha512-224: Unsupported by pkcs11 token
sha512-256: Unsupported by pkcs11 token
PASSED

## Test Digests Blocked
No digest available for testing pkcs11 provider
Digest operations failed as expected
==============================================================================

=================================== 34/92 ====================================
test:         pkcs11-provider:kryoptic.nss / digest
start time:   18:56:14
duration:     0.07s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=129 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper digest-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tdigest

## Test Digests support
sha512-224: Unsupported by pkcs11 token
sha512-256: Unsupported by pkcs11 token
PASSED

## Test Digests Blocked
No digest available for testing pkcs11 provider
Digest operations failed as expected
==============================================================================

=================================== 35/92 ====================================
test:         pkcs11-provider:softokn / fork
start time:   18:56:14
duration:     0.37s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=140 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper fork-softokn.t
----------------------------------- stdout -----------------------------------
Executing  /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/tfork
Child Done
Child Done
ALL A-OK!
==============================================================================

=================================== 36/92 ====================================
test:         pkcs11-provider:softhsm / fork
start time:   18:56:15
duration:     1.11s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=191 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper fork-softhsm.t
----------------------------------- stdout -----------------------------------
Executing  /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/tfork
Child Done
Child Done
ALL A-OK!
==============================================================================

=================================== 37/92 ====================================
test:         pkcs11-provider:kryoptic / fork
start time:   18:56:16
duration:     1.16s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=157 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper fork-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing  /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/tfork
Child Done
Child Done
ALL A-OK!
==============================================================================

=================================== 38/92 ====================================
test:         pkcs11-provider:kryoptic.nss / fork
start time:   18:56:17
duration:     2.01s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=4 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper fork-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing  /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/tfork
Child Done
Child Done
ALL A-OK!
==============================================================================

=================================== 39/92 ====================================
test:         pkcs11-provider:softokn / oaepsha2
start time:   18:56:19
duration:     0.20s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=243 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper oaepsha2-softokn.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/toaepsha2

## Encrypt and decrypt with RSA OAEP
 openssl 
pkeyutl -encrypt -inkey "${BASEURI}"
                 -pubin
                 -pkeyopt pad-mode:oaep
                 -pkeyopt digest:sha256
                 -pkeyopt mgf1-digest:sha256
                 -in ${SECRETFILE}
                 -out ${SECRETFILE}.enc

 openssl 
pkeyutl -decrypt -inkey "${PRIURI}"
                 -pkeyopt pad-mode:oaep
                 -pkeyopt digest:sha256
                 -pkeyopt mgf1-digest:sha256
                 -in ${SECRETFILE}.enc
                 -out ${SECRETFILE}.dec

==============================================================================

=================================== 40/92 ====================================
test:         pkcs11-provider:kryoptic / oaepsha2
start time:   18:56:19
duration:     0.09s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=218 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper oaepsha2-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/toaepsha2

## Encrypt and decrypt with RSA OAEP
 openssl 
pkeyutl -encrypt -inkey "${BASEURI}"
                 -pubin
                 -pkeyopt pad-mode:oaep
                 -pkeyopt digest:sha256
                 -pkeyopt mgf1-digest:sha256
                 -in ${SECRETFILE}
                 -out ${SECRETFILE}.enc

 openssl 
pkeyutl -decrypt -inkey "${PRIURI}"
                 -pkeyopt pad-mode:oaep
                 -pkeyopt digest:sha256
                 -pkeyopt mgf1-digest:sha256
                 -in ${SECRETFILE}.enc
                 -out ${SECRETFILE}.dec

==============================================================================

=================================== 41/92 ====================================
test:         pkcs11-provider:kryoptic.nss / oaepsha2
start time:   18:56:19
duration:     0.43s
result:       exit status 0
command:      MALLOC_PERTURB_=30 TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper oaepsha2-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/toaepsha2

## Encrypt and decrypt with RSA OAEP
 openssl 
pkeyutl -encrypt -inkey "${BASEURI}"
                 -pubin
                 -pkeyopt pad-mode:oaep
                 -pkeyopt digest:sha256
                 -pkeyopt mgf1-digest:sha256
                 -in ${SECRETFILE}
                 -out ${SECRETFILE}.enc

 openssl 
pkeyutl -decrypt -inkey "${PRIURI}"
                 -pkeyopt pad-mode:oaep
                 -pkeyopt digest:sha256
                 -pkeyopt mgf1-digest:sha256
                 -in ${SECRETFILE}.enc
                 -out ${SECRETFILE}.dec

==============================================================================

=================================== 42/92 ====================================
test:         pkcs11-provider:softokn / hkdf
start time:   18:56:20
duration:     0.08s
result:       exit status 1
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=121 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper hkdf-softokn.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/thkdf

## HKDF Derivation
 openssl 
pkeyutl -derive -kdf HKDF -kdflen 48
                -pkeyopt md:SHA256
                -pkeyopt mode:EXTRACT_AND_EXPAND
                -pkeyopt hexkey:${HKDF_HEX_SECRET}
                -pkeyopt hexsalt:${HKDF_HEX_SALT}
                -pkeyopt hexinfo:${HKDF_HEX_INFO}
                -out ${TMPPDIR}/hkdf1-out-pkcs11.bin
                -propquery provider=pkcs11
pkeyutl: Can't set parameter "hexkey:ffeeddccbbaa":
==============================================================================

=================================== 43/92 ====================================
test:         pkcs11-provider:kryoptic / hkdf
start time:   18:56:20
duration:     0.13s
result:       exit status 0
command:      MALLOC_PERTURB_=147 TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper hkdf-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/thkdf

## HKDF Derivation
 openssl 
pkeyutl -derive -kdf HKDF -kdflen 48
                -pkeyopt md:SHA256
                -pkeyopt mode:EXTRACT_AND_EXPAND
                -pkeyopt hexkey:${HKDF_HEX_SECRET}
                -pkeyopt hexsalt:${HKDF_HEX_SALT}
                -pkeyopt hexinfo:${HKDF_HEX_INFO}
                -out ${TMPPDIR}/hkdf1-out-pkcs11.bin
                -propquery provider=pkcs11

 openssl 
pkeyutl -derive -kdf HKDF -kdflen 48
                -pkeyopt md:SHA256
                -pkeyopt mode:EXTRACT_AND_EXPAND
                -pkeyopt hexkey:${HKDF_HEX_SECRET}
                -pkeyopt hexsalt:${HKDF_HEX_SALT}
                -pkeyopt hexinfo:${HKDF_HEX_INFO}
                -out ${TMPPDIR}/hkdf1-out.bin

 openssl 
pkeyutl -derive -kdf HKDF -kdflen 48
                -pkeyopt md:SHA256
                -pkeyopt mode:EXTRACT_AND_EXPAND
                -pkeyopt hexkey:${HKDF_HEX_SECRET}
                -pkeyopt salt:"${HKDF_SALT}"
                -pkeyopt info:"${HKDF_INFO}"
                -out ${TMPPDIR}/hkdf2-out-pkcs11.bin
                -propquery provider=pkcs11

 openssl 
pkeyutl -derive -kdf HKDF -kdflen 48
                -pkeyopt md:SHA256
                -pkeyopt mode:EXTRACT_AND_EXPAND
                -pkeyopt hexkey:${HKDF_HEX_SECRET}
                -pkeyopt salt:"${HKDF_SALT}"
                -pkeyopt info:"${HKDF_INFO}"
                -out ${TMPPDIR}/hkdf2-out.bin

==============================================================================

=================================== 44/92 ====================================
test:         pkcs11-provider:kryoptic.nss / hkdf
start time:   18:56:20
duration:     0.12s
result:       exit status 0
command:      MALLOC_PERTURB_=134 TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper hkdf-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/thkdf

## HKDF Derivation
 openssl 
pkeyutl -derive -kdf HKDF -kdflen 48
                -pkeyopt md:SHA256
                -pkeyopt mode:EXTRACT_AND_EXPAND
                -pkeyopt hexkey:${HKDF_HEX_SECRET}
                -pkeyopt hexsalt:${HKDF_HEX_SALT}
                -pkeyopt hexinfo:${HKDF_HEX_INFO}
                -out ${TMPPDIR}/hkdf1-out-pkcs11.bin
                -propquery provider=pkcs11

 openssl 
pkeyutl -derive -kdf HKDF -kdflen 48
                -pkeyopt md:SHA256
                -pkeyopt mode:EXTRACT_AND_EXPAND
                -pkeyopt hexkey:${HKDF_HEX_SECRET}
                -pkeyopt hexsalt:${HKDF_HEX_SALT}
                -pkeyopt hexinfo:${HKDF_HEX_INFO}
                -out ${TMPPDIR}/hkdf1-out.bin

 openssl 
pkeyutl -derive -kdf HKDF -kdflen 48
                -pkeyopt md:SHA256
                -pkeyopt mode:EXTRACT_AND_EXPAND
                -pkeyopt hexkey:${HKDF_HEX_SECRET}
                -pkeyopt salt:"${HKDF_SALT}"
                -pkeyopt info:"${HKDF_INFO}"
                -out ${TMPPDIR}/hkdf2-out-pkcs11.bin
                -propquery provider=pkcs11

 openssl 
pkeyutl -derive -kdf HKDF -kdflen 48
                -pkeyopt md:SHA256
                -pkeyopt mode:EXTRACT_AND_EXPAND
                -pkeyopt hexkey:${HKDF_HEX_SECRET}
                -pkeyopt salt:"${HKDF_SALT}"
                -pkeyopt info:"${HKDF_INFO}"
                -out ${TMPPDIR}/hkdf2-out.bin

==============================================================================

=================================== 45/92 ====================================
test:         pkcs11-provider:softokn / imported
start time:   18:56:20
duration:     0.40s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=11 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper imported-softokn.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/timported

## Test imported key in token session
Generate EC keypair in files
 openssl genpkey -algorithm EC -out ${TMPPDIR}/file.ec.key.pem
              -pkeyopt ec_paramgen_curve:P-256

 openssl pkey -in ${TMPPDIR}/file.ec.key.pem
           -pubout -out ${TMPPDIR}/file.ec.pub.key.pem

Generate RSA keypair in files
 openssl genpkey -algorithm RSA -out ${TMPPDIR}/file.rsa.key.pem
              -pkeyopt rsa_keygen_bits:2048 ${OPTS}
..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+...+.....+.......+......+.....+....+......+.........+...........................+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...........+..............+...+...............+....+...+..+.+............+.....+................+.........+...+.....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
..........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...........+......+.....+.+...+....................+............+....+.....+.+...+...........+.+..............+......+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+..............+.+............+..+.........+......+.........+....+..+.+.....+............+...+....+...+...+.....+...+.+...+..+...+................+..+...+.+......+............+...+........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 openssl pkey -in ${TMPPDIR}/file.rsa.key.pem
           -pubout -out ${TMPPDIR}/file.rsa.pub.key.pem

Test Signing with private EC key imported from file
 openssl pkeyutl -sign
              -inkey ${TMPPDIR}/file.ec.key.pem
              -in ${TMPPDIR}/sha256.bin
              -out ${TMPPDIR}/file.ec.sig.bin

Test Verifying with public EC key imported from file
 openssl pkeyutl -verify -pubin
              -inkey ${TMPPDIR}/file.ec.pub.key.pem
              -sigfile ${TMPPDIR}/file.ec.sig.bin
              -in ${TMPPDIR}/sha256.bin
Signature Verified Successfully
Test Signing with private RSA key imported from file
 openssl pkeyutl -sign
              -inkey ${TMPPDIR}/file.rsa.key.pem
              -in ${TMPPDIR}/sha256.bin
              -out ${TMPPDIR}/file.rsa.sig.bin

Test Verifying with public RSA key imported from file
 openssl pkeyutl -verify -pubin
              -inkey ${TMPPDIR}/file.rsa.pub.key.pem
              -sigfile ${TMPPDIR}/file.rsa.sig.bin
              -in ${TMPPDIR}/sha256.bin
Signature Verified Successfully
==============================================================================

=================================== 46/92 ====================================
test:         pkcs11-provider:kryoptic / imported
start time:   18:56:20
duration:     0.43s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=140 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper imported-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/timported

## Test imported key in token session
Generate EC keypair in files
 openssl genpkey -algorithm EC -out ${TMPPDIR}/file.ec.key.pem
              -pkeyopt ec_paramgen_curve:P-256

 openssl pkey -in ${TMPPDIR}/file.ec.key.pem
           -pubout -out ${TMPPDIR}/file.ec.pub.key.pem

Generate RSA keypair in files
 openssl genpkey -algorithm RSA -out ${TMPPDIR}/file.rsa.key.pem
              -pkeyopt rsa_keygen_bits:2048 ${OPTS}
..........+...+..+.+.........+............+.....+....+..+...+...............+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......+.....+....+...+..+...+.+...........+.+..............+......+...+......+.........+....+..+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+...+...+.+...........+..........+..+.............+.........+.....+.+..+............+....+.....+................+.....+...+.+......+......+...+......+....................+....+..+.........+.+.....+....+.........+.....+..........+......+...+..+....+..+...+.......+..+...+...+....+..+.........+.......+.....+...+......+.+............+...+........+.........+...+....+...+......+..+....+...+............+.........+............+...+.....+...................+..+....+..+.......+...+..+...............+.+..+..........+..+......................+.........+..+............+......+......+..................+.+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.+...+.....+.........+......+.......+...........+.+.........+.....+.....................+.+..+..........+...+.........+.....+.+.....+...+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....................+..........+..+...+.+.....+....+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 openssl pkey -in ${TMPPDIR}/file.rsa.key.pem
           -pubout -out ${TMPPDIR}/file.rsa.pub.key.pem

Test Signing with private EC key imported from file
 openssl pkeyutl -sign
              -inkey ${TMPPDIR}/file.ec.key.pem
              -in ${TMPPDIR}/sha256.bin
              -out ${TMPPDIR}/file.ec.sig.bin

Test Verifying with public EC key imported from file
 openssl pkeyutl -verify -pubin
              -inkey ${TMPPDIR}/file.ec.pub.key.pem
              -sigfile ${TMPPDIR}/file.ec.sig.bin
              -in ${TMPPDIR}/sha256.bin
Signature Verified Successfully
Test Signing with private RSA key imported from file
 openssl pkeyutl -sign
              -inkey ${TMPPDIR}/file.rsa.key.pem
              -in ${TMPPDIR}/sha256.bin
              -out ${TMPPDIR}/file.rsa.sig.bin

Test Verifying with public RSA key imported from file
 openssl pkeyutl -verify -pubin
              -inkey ${TMPPDIR}/file.rsa.pub.key.pem
              -sigfile ${TMPPDIR}/file.rsa.sig.bin
              -in ${TMPPDIR}/sha256.bin
Signature Verified Successfully
==============================================================================

=================================== 47/92 ====================================
test:         pkcs11-provider:kryoptic.nss / imported
start time:   18:56:21
duration:     0.53s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=53 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper imported-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/timported

## Test imported key in token session
Generate EC keypair in files
 openssl genpkey -algorithm EC -out ${TMPPDIR}/file.ec.key.pem
              -pkeyopt ec_paramgen_curve:P-256

 openssl pkey -in ${TMPPDIR}/file.ec.key.pem
           -pubout -out ${TMPPDIR}/file.ec.pub.key.pem

Generate RSA keypair in files
 openssl genpkey -algorithm RSA -out ${TMPPDIR}/file.rsa.key.pem
              -pkeyopt rsa_keygen_bits:2048 ${OPTS}
.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+.+.....+.+...........+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+.....+.+..+.......+..+......+.......+........+....+...............+........+...+....+...+.....+......+......+.+...............+..+.+...........+...+.......+....................+.+.........+.........+.....+.+.....+.........+.......+.....+.........+...+..................+..........+...+......+.........+...........+....+..+......................+..+....+.....+.........+...............+..........+........+...+.+...+.....+......+.......+..+...+...+.+...+.................+......+...+....+..+...............+.............+..................+..+......+......+......+......................+...........+....+............+.....+...+.......+......+........+.+.....+.+...+.....+.+.....+................+.....+.......+...+...+.....+............+....+.........+......+...+...+...+......+...+.....+.+...........+....+.....+......+..........+..................+...+..+...+....+...........+...+.+..............+....+..+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+.......+..+......+.+...........+.........+.+..+...+.........+.........+....+..+......+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 openssl pkey -in ${TMPPDIR}/file.rsa.key.pem
           -pubout -out ${TMPPDIR}/file.rsa.pub.key.pem

Test Signing with private EC key imported from file
 openssl pkeyutl -sign
              -inkey ${TMPPDIR}/file.ec.key.pem
              -in ${TMPPDIR}/sha256.bin
              -out ${TMPPDIR}/file.ec.sig.bin

Test Verifying with public EC key imported from file
 openssl pkeyutl -verify -pubin
              -inkey ${TMPPDIR}/file.ec.pub.key.pem
              -sigfile ${TMPPDIR}/file.ec.sig.bin
              -in ${TMPPDIR}/sha256.bin
Signature Verified Successfully
Test Signing with private RSA key imported from file
 openssl pkeyutl -sign
              -inkey ${TMPPDIR}/file.rsa.key.pem
              -in ${TMPPDIR}/sha256.bin
              -out ${TMPPDIR}/file.rsa.sig.bin

Test Verifying with public RSA key imported from file
 openssl pkeyutl -verify -pubin
              -inkey ${TMPPDIR}/file.rsa.pub.key.pem
              -sigfile ${TMPPDIR}/file.rsa.sig.bin
              -in ${TMPPDIR}/sha256.bin
Signature Verified Successfully
==============================================================================

=================================== 48/92 ====================================
test:         pkcs11-provider:softokn / rsapss
start time:   18:56:21
duration:     0.52s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=146 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper rsapss-softokn.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/trsapss

## DigestSign and DigestVerify with RSA PSS
 openssl 
pkeyutl -sign -inkey "${BASEURI}"
              -digest sha256
              -pkeyopt pad-mode:pss
              -pkeyopt mgf1-digest:sha256
              -pkeyopt saltlen:digest
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha256-dgstsig.bin

 openssl 
pkeyutl -verify -inkey "${BASEURI}" -pubin
                -digest sha256
                -pkeyopt pad-mode:pss
                -pkeyopt mgf1-digest:sha256
                -pkeyopt saltlen:digest
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha256-dgstsig.bin
Signature Verified Successfully
Re-verify using OpenSSL default provider
 openssl 
pkeyutl -verify -inkey "${PUBURI}"
                -pubin
                -digest sha256
                -pkeyopt pad-mode:pss
                -pkeyopt mgf1-digest:sha256
                -pkeyopt saltlen:digest
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha256-dgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with RSA PSS with default params
 openssl 
pkeyutl -sign -inkey "${BASEURI}"
              -pkeyopt pad-mode:pss
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/def-dgstsig.bin

 openssl 
pkeyutl -verify -inkey "${BASEURI}" -pubin
                -pkeyopt pad-mode:pss
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/def-dgstsig.bin
Signature Verified Successfully
Re-verify using OpenSSL default provider
 openssl 
pkeyutl -verify -inkey "${PUBURI}"
                -pubin
                -pkeyopt pad-mode:pss
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/def-dgstsig.bin
Signature Verified Successfully
==============================================================================

=================================== 49/92 ====================================
test:         pkcs11-provider:softhsm / rsapss
start time:   18:56:22
duration:     0.27s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=11 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper rsapss-softhsm.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/trsapss

## DigestSign and DigestVerify with RSA PSS
 openssl 
pkeyutl -sign -inkey "${BASEURI}"
              -digest sha256
              -pkeyopt pad-mode:pss
              -pkeyopt mgf1-digest:sha256
              -pkeyopt saltlen:digest
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha256-dgstsig.bin

 openssl 
pkeyutl -verify -inkey "${BASEURI}" -pubin
                -digest sha256
                -pkeyopt pad-mode:pss
                -pkeyopt mgf1-digest:sha256
                -pkeyopt saltlen:digest
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha256-dgstsig.bin
Signature Verified Successfully
Re-verify using OpenSSL default provider
 openssl 
pkeyutl -verify -inkey "${PUBURI}"
                -pubin
                -digest sha256
                -pkeyopt pad-mode:pss
                -pkeyopt mgf1-digest:sha256
                -pkeyopt saltlen:digest
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha256-dgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with RSA PSS with default params
 openssl 
pkeyutl -sign -inkey "${BASEURI}"
              -pkeyopt pad-mode:pss
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/def-dgstsig.bin

 openssl 
pkeyutl -verify -inkey "${BASEURI}" -pubin
                -pkeyopt pad-mode:pss
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/def-dgstsig.bin
Signature Verified Successfully
Re-verify using OpenSSL default provider
 openssl 
pkeyutl -verify -inkey "${PUBURI}"
                -pubin
                -pkeyopt pad-mode:pss
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/def-dgstsig.bin
Signature Verified Successfully
==============================================================================

=================================== 50/92 ====================================
test:         pkcs11-provider:kryoptic / rsapss
start time:   18:56:22
duration:     0.30s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=25 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper rsapss-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/trsapss

## DigestSign and DigestVerify with RSA PSS
 openssl 
pkeyutl -sign -inkey "${BASEURI}"
              -digest sha256
              -pkeyopt pad-mode:pss
              -pkeyopt mgf1-digest:sha256
              -pkeyopt saltlen:digest
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha256-dgstsig.bin

 openssl 
pkeyutl -verify -inkey "${BASEURI}" -pubin
                -digest sha256
                -pkeyopt pad-mode:pss
                -pkeyopt mgf1-digest:sha256
                -pkeyopt saltlen:digest
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha256-dgstsig.bin
Signature Verified Successfully
Re-verify using OpenSSL default provider
 openssl 
pkeyutl -verify -inkey "${PUBURI}"
                -pubin
                -digest sha256
                -pkeyopt pad-mode:pss
                -pkeyopt mgf1-digest:sha256
                -pkeyopt saltlen:digest
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha256-dgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with RSA PSS with default params
 openssl 
pkeyutl -sign -inkey "${BASEURI}"
              -pkeyopt pad-mode:pss
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/def-dgstsig.bin

 openssl 
pkeyutl -verify -inkey "${BASEURI}" -pubin
                -pkeyopt pad-mode:pss
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/def-dgstsig.bin
Signature Verified Successfully
Re-verify using OpenSSL default provider
 openssl 
pkeyutl -verify -inkey "${PUBURI}"
                -pubin
                -pkeyopt pad-mode:pss
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/def-dgstsig.bin
Signature Verified Successfully
==============================================================================

=================================== 51/92 ====================================
test:         pkcs11-provider:kryoptic.nss / rsapss
start time:   18:56:22
duration:     1.11s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=81 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper rsapss-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/trsapss

## DigestSign and DigestVerify with RSA PSS
 openssl 
pkeyutl -sign -inkey "${BASEURI}"
              -digest sha256
              -pkeyopt pad-mode:pss
              -pkeyopt mgf1-digest:sha256
              -pkeyopt saltlen:digest
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha256-dgstsig.bin

 openssl 
pkeyutl -verify -inkey "${BASEURI}" -pubin
                -digest sha256
                -pkeyopt pad-mode:pss
                -pkeyopt mgf1-digest:sha256
                -pkeyopt saltlen:digest
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha256-dgstsig.bin
Signature Verified Successfully
Re-verify using OpenSSL default provider
 openssl 
pkeyutl -verify -inkey "${PUBURI}"
                -pubin
                -digest sha256
                -pkeyopt pad-mode:pss
                -pkeyopt mgf1-digest:sha256
                -pkeyopt saltlen:digest
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha256-dgstsig.bin
Signature Verified Successfully

## DigestSign and DigestVerify with RSA PSS with default params
 openssl 
pkeyutl -sign -inkey "${BASEURI}"
              -pkeyopt pad-mode:pss
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/def-dgstsig.bin

 openssl 
pkeyutl -verify -inkey "${BASEURI}" -pubin
                -pkeyopt pad-mode:pss
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/def-dgstsig.bin
Signature Verified Successfully
Re-verify using OpenSSL default provider
 openssl 
pkeyutl -verify -inkey "${PUBURI}"
                -pubin
                -pkeyopt pad-mode:pss
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/def-dgstsig.bin
Signature Verified Successfully
==============================================================================

=================================== 52/92 ====================================
test:         pkcs11-provider:softhsm / rsapssam
start time:   18:56:23
duration:     0.19s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=107 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper rsapssam-softhsm.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/trsapssam

## DigestSign and DigestVerify with RSA PSS (SHA256 restriction)
 openssl 
pkeyutl -sign -inkey "${RSAPSS2PRIURI}"
              -digest sha256
              -pkeyopt pad-mode:pss
              -pkeyopt mgf1-digest:sha256
              -pkeyopt saltlen:digest
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha256-rsapps-genpkey-dgstsig.bin

 openssl 
pkeyutl -verify -inkey "${RSAPSS2PUBURI}" -pubin
                -digest sha256
                -pkeyopt pad-mode:pss
                -pkeyopt mgf1-digest:sha256
                -pkeyopt saltlen:digest
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha256-rsapps-genpkey-dgstsig.bin
Signature Verified Successfully

## Fail DigestSign with RSA PSS because of restricted Digest
 openssl 
pkeyutl -sign -inkey "${RSAPSS2PRIURI}"
              -digest sha384
              -pkeyopt pad-mode:pss
              -pkeyopt mgf1-digest:sha384
              -pkeyopt saltlen:digest
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha384-rsapps-genpkey-dgstsig.bin 2>&1

## Fail Signing with RSA PKCS1 mech and RSA-PSS key
 openssl 
pkeyutl -sign -inkey "${RSAPSSPRIURI}"
              -digest sha256
              -pkeyopt rsa_padding_mode:pkcs1
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha384-rsa-not-rsapss-sig.bin 2>&1
==============================================================================

=================================== 53/92 ====================================
test:         pkcs11-provider:kryoptic / rsapssam
start time:   18:56:24
duration:     0.17s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=48 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper rsapssam-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/trsapssam

## DigestSign and DigestVerify with RSA PSS (SHA256 restriction)
 openssl 
pkeyutl -sign -inkey "${RSAPSS2PRIURI}"
              -digest sha256
              -pkeyopt pad-mode:pss
              -pkeyopt mgf1-digest:sha256
              -pkeyopt saltlen:digest
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha256-rsapps-genpkey-dgstsig.bin

 openssl 
pkeyutl -verify -inkey "${RSAPSS2PUBURI}" -pubin
                -digest sha256
                -pkeyopt pad-mode:pss
                -pkeyopt mgf1-digest:sha256
                -pkeyopt saltlen:digest
                -in ${RAND64FILE}
                -rawin
                -sigfile ${TMPPDIR}/sha256-rsapps-genpkey-dgstsig.bin
Signature Verified Successfully

## Fail DigestSign with RSA PSS because of restricted Digest
 openssl 
pkeyutl -sign -inkey "${RSAPSS2PRIURI}"
              -digest sha384
              -pkeyopt pad-mode:pss
              -pkeyopt mgf1-digest:sha384
              -pkeyopt saltlen:digest
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha384-rsapps-genpkey-dgstsig.bin 2>&1

## Fail Signing with RSA PKCS1 mech and RSA-PSS key
 openssl 
pkeyutl -sign -inkey "${RSAPSSPRIURI}"
              -digest sha256
              -pkeyopt rsa_padding_mode:pkcs1
              -in ${RAND64FILE}
              -rawin
              -out ${TMPPDIR}/sha384-rsa-not-rsapss-sig.bin 2>&1
==============================================================================

=================================== 54/92 ====================================
test:         pkcs11-provider:softokn / genkey
start time:   18:56:24
duration:     0.01s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=90 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper genkey-softokn.t
----------------------------------- stdout -----------------------------------
Executing  /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/tgenkey
Performed tests: 0
==============================================================================

=================================== 55/92 ====================================
test:         pkcs11-provider:softhsm / genkey
start time:   18:56:24
duration:     0.01s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=83 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper genkey-softhsm.t
----------------------------------- stdout -----------------------------------
Executing  /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/tgenkey
Performed tests: 0
==============================================================================

=================================== 56/92 ====================================
test:         pkcs11-provider:kryoptic / genkey
start time:   18:56:24
duration:     0.01s
result:       exit status 0
command:      MALLOC_PERTURB_=221 TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper genkey-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing  /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/tgenkey
Performed tests: 0
==============================================================================

=================================== 57/92 ====================================
test:         pkcs11-provider:kryoptic.nss / genkey
start time:   18:56:24
duration:     0.01s
result:       exit status 0
command:      MALLOC_PERTURB_=177 TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper genkey-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing  /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/tgenkey
Performed tests: 0
==============================================================================

=================================== 58/92 ====================================
test:         pkcs11-provider:softokn / pkey
start time:   18:56:24
duration:     0.33s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=51 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper pkey-softokn.t
----------------------------------- stdout -----------------------------------
Executing  /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/tpkey
ALL A-OK!
==============================================================================

=================================== 59/92 ====================================
test:         pkcs11-provider:softhsm / pkey
start time:   18:56:24
duration:     0.11s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=29 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper pkey-softhsm.t
----------------------------------- stdout -----------------------------------
Executing  /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/tpkey
ALL A-OK!
==============================================================================

=================================== 60/92 ====================================
test:         pkcs11-provider:kryoptic / pkey
start time:   18:56:24
duration:     0.16s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=192 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper pkey-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing  /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/tpkey
ALL A-OK!
==============================================================================

=================================== 61/92 ====================================
test:         pkcs11-provider:kryoptic.nss / pkey
start time:   18:56:24
duration:     0.59s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=106 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper pkey-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing  /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/tpkey
ALL A-OK!
==============================================================================

=================================== 62/92 ====================================
test:         pkcs11-provider:softokn / session
start time:   18:56:25
duration:     0.22s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=207 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper session-softokn.t
----------------------------------- stdout -----------------------------------
Executing  /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/tsession
ALL A-OK!
==============================================================================

=================================== 63/92 ====================================
test:         pkcs11-provider:softhsm / session
start time:   18:56:25
duration:     0.09s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=3 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper session-softhsm.t
----------------------------------- stdout -----------------------------------
Executing  /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/tsession
ALL A-OK!
==============================================================================

=================================== 64/92 ====================================
test:         pkcs11-provider:kryoptic / session
start time:   18:56:25
duration:     0.09s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=135 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper session-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing  /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/tsession
ALL A-OK!
==============================================================================

=================================== 65/92 ====================================
test:         pkcs11-provider:kryoptic.nss / session
start time:   18:56:25
duration:     0.51s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=139 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper session-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing  /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/tsession
ALL A-OK!
==============================================================================

=================================== 66/92 ====================================
test:         pkcs11-provider:softokn / rand
start time:   18:56:26
duration:     0.10s
result:       exit status 0
command:      MALLOC_PERTURB_=117 TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper rand-softokn.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/trand

## Test PKCS11 RNG
 openssl rand 1
802236ADED7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (PKCS11-RAND : 0), Properties (<null>)
802236ADED7F0000:error:12000090:random number generator:rand_new_drbg:unable to fetch drbg:crypto/rand/rand_lib.c:656:

 openssl rand 1
Ú
==============================================================================

=================================== 67/92 ====================================
test:         pkcs11-provider:softhsm / rand
start time:   18:56:26
duration:     0.07s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=121 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper rand-softhsm.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/trand

## Test PKCS11 RNG
 openssl rand 1
8002C236787F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (PKCS11-RAND : 0), Properties (<null>)
8002C236787F0000:error:12000090:random number generator:rand_new_drbg:unable to fetch drbg:crypto/rand/rand_lib.c:656:

 openssl rand 1
W
==============================================================================

=================================== 68/92 ====================================
test:         pkcs11-provider:kryoptic / rand
start time:   18:56:26
duration:     0.07s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=118 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper rand-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/trand

## Test PKCS11 RNG
 openssl rand 1
8032349D887F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (PKCS11-RAND : 0), Properties (<null>)
8032349D887F0000:error:12000090:random number generator:rand_new_drbg:unable to fetch drbg:crypto/rand/rand_lib.c:656:

 openssl rand 1
é
==============================================================================

=================================== 69/92 ====================================
test:         pkcs11-provider:kryoptic.nss / rand
start time:   18:56:26
duration:     0.07s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=43 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper rand-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/trand

## Test PKCS11 RNG
 openssl rand 1
80A25609897F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (PKCS11-RAND : 0), Properties (<null>)
80A25609897F0000:error:12000090:random number generator:rand_new_drbg:unable to fetch drbg:crypto/rand/rand_lib.c:656:

 openssl rand 1
‰
==============================================================================

=================================== 70/92 ====================================
test:         pkcs11-provider:softokn / readkeys
start time:   18:56:26
duration:     0.07s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=225 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper readkeys-softokn.t
----------------------------------- stdout -----------------------------------
Executing  /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/treadkeys
==============================================================================

=================================== 71/92 ====================================
test:         pkcs11-provider:softhsm / readkeys
start time:   18:56:26
duration:     0.06s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=15 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper readkeys-softhsm.t
----------------------------------- stdout -----------------------------------
Executing  /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/treadkeys
==============================================================================

=================================== 72/92 ====================================
test:         pkcs11-provider:kryoptic / readkeys
start time:   18:56:26
duration:     0.07s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=36 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper readkeys-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing  /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/treadkeys
==============================================================================

=================================== 73/92 ====================================
test:         pkcs11-provider:kryoptic.nss / readkeys
start time:   18:56:27
duration:     0.08s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=83 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper readkeys-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing  /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/treadkeys
==============================================================================

=================================== 74/92 ====================================
test:         pkcs11-provider:softokn / tls
start time:   18:56:27
duration:     1.67s
result:       exit status 1
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=89 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper tls-softokn.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/ttls

## Test SSL_CTX creation
SSL Context works!

## Test setting cert/keys on TLS Context
Cert and Key successfully set on TLS Context!

## Test setting cert/keys on TLS Context w/o pub key
Cert and Key successfully set on TLS Context!

## Test an actual TLS connection
########################################
## TLS with key in provider


## Run sanity test with default values (RSA)
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/caCert.pem
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My Test Cert
   i:CN=Issuer
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:17 2025 GMT; NotAfter: Feb 20 18:55:17 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTE3WhcNMjYwMjIwMTg1NTE3WjAxMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBALukE6OXf2SZp7zcIibiMGNuD0XiOrBNE/iM
mmn4hgU17L/qYBNIrK5ovV9DseNw8ugEADREx5xjG2fKzImY9XpEoVF+E2t2xtmD
Im3Jz3j93cZlaCr2ftQV6ACziBgG9i+wypLY2BeeMQ7UYXRkJG6vMOwBCo1d8ooG
v+vxWCMOTeO75sRRFCggIRmIPB3ZyDbfOiyqOpSRRg9o5d/LDVejWwYLHOM9FM2k
K3tdS7i5o3aekbqUqmlavKUq77PysM78GVg5JC36aDztRcaMpsO3FGNCOs0DaPjM
fc1H3A6BaSnor2ZQIYtJuSnH5WhPguy4xje4roDae4b4oYFXEIsCAwEAAaOBgTB/
MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBTT1c39sl39hpwMGlmN1SpCoRlAEDAf
BgNVHSMEGDAWgBSw5jD8Qf5lK8TllSQrjnjn9PEupTANBgkqhkiG9w0BAQsFAAOC
AQEAJA4+Xprh0tT3oN+Q+70dQHiBZ+A6w8PkLlM7P+Gn/UTNaQ0dMUbt+s9QlHIX
yPk9mgtTTPgrzNYqNTkXzuYpVV/6nDETRIH66SGceOVeH6Xe0jfTCEafrpeK3Ouo
QfDMHXiOUteeoVKDmqWhZB1J8leP419gAP6L15AKktZB3xejCH0JmZd1SCwomSW5
o9F0P1kssi7GjjYKhgON4JQsr7l+zSFvbSGT5ZYZmwcQiwMq6I27BKqghevrMbnX
+WkpD5QnqQOY/BmJl2l70zz6rnr1PLO5O4Sr4m0oQ5yHRgP/G8wY+qkw/9CYH98U
PyI/N7hSsysylid/N9k2/K5q3g==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1424 bytes and written 371 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 63D98A58B5086B16A1C54D00E17B1399A85128EF5DFC528C730FF7436C2E6AB2
    Session-ID-ctx: 
    Resumption PSK: 5EE22D77A80D8BB8612FE230B1613F80D7975175EA43FF5348A8148F21EA4074023DEFD990248DD46E320BEE92C8C471
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 36 c0 d5 70 f8 7e e8 20-9e 65 f4 87 94 a2 a0 90   6..p.~. .e......
    0010 - d7 b5 3a 02 1a bc 06 b3-b0 e2 4f af 5a 6c 29 f0   ..:.......O.Zl).
    0020 - 6c 33 33 bd 69 0c 34 6b-f0 40 e1 77 f3 cc 39 bd   l33.i.4k.@.w..9.
    0030 - 10 fc 0f bc 3a 47 93 7c-40 5a a8 ae 21 f3 50 b7   ....:G.|@Z..!.P.
    0040 - 92 d1 85 2c b5 f1 88 7a-de 5f 3f 38 b8 ce 40 a2   ...,...z._?8..@.
    0050 - fb f4 ed b1 aa 6b ca 12-af 1e 2a e5 af d1 14 2d   .....k....*....-
    0060 - 16 b7 f1 36 8e 1f f7 df-0f 4e 44 da 97 f9 b7 1e   ...6.....ND.....
    0070 - 6a b7 57 de 94 95 39 7a-25 b9 02 54 23 f9 e8 96   j.W...9z%..T#...
    0080 - f0 14 c4 36 f8 56 b7 b5-70 ed a9 16 75 0a 60 e4   ...6.V..p...u.`.
    0090 - 99 3b ae 00 e4 20 82 a6-94 8d 16 55 0f fd c9 63   .;... .....U...c
    00a0 - ee 51 6f cc 7a 58 e3 67-91 7d ea 3d a3 ed f1 57   .Qo.zX.g.}.=...W
    00b0 - 40 d2 a6 9d 33 a1 e1 71-53 b9 e0 e1 82 ef e9 d7   @...3..qS.......
    00c0 - 8e f9 63 4a 1b 13 c7 1a-b8 fc 27 4a 55 a3 b1 f7   ..cJ......'JU...

    Start Time: 1740077787
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: D8808078F41205178A07196C8B76A5B9B938BB37DB062811864E5AB3F27DEB4C
    Session-ID-ctx: 
    Resumption PSK: FAC935ECDC40F261F6936F56887977D5D06EA5A2DDF436E582A1FF03023AB5C201FAF4A025C3AE5108A8F3E8A87498BF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 36 c0 d5 70 f8 7e e8 20-9e 65 f4 87 94 a2 a0 90   6..p.~. .e......
    0010 - e1 7d 9b 43 ea 23 ce 8b-a1 e9 bc 0d ba 2d e9 c2   .}.C.#.......-..
    0020 - e3 3c a1 e7 72 18 e8 b2-a6 0d a8 b3 dd aa 02 95   .<..r...........
    0030 - 59 f9 09 61 dd fc 08 62-d3 df b5 7b 90 9c 9c 20   Y..a...b...{... 
    0040 - e2 f1 2a 6e 7f f4 05 64-ce 1d 0b 03 86 29 66 46   ..*n...d.....)fF
    0050 - 13 46 da b0 d9 54 06 aa-88 57 e4 ae 25 24 0f fe   .F...T...W..%$..
    0060 - 75 f9 9f 96 00 f7 e9 9e-cc 4e 61 44 72 49 d2 52   u........NaDrI.R
    0070 - b7 e7 cb fd 6a 9b 2f 97-57 1c 0d c5 3e 7d cd 0b   ....j./.W...>}..
    0080 - c6 bb c2 61 11 25 47 9c-95 8c d8 c5 31 4a 0c 8f   ...a.%G.....1J..
    0090 - 7d 83 20 61 e3 89 41 11-b3 a9 bc 69 b8 6f 90 11   }. a..A....i.o..
    00a0 - 0f 87 6a 45 73 c3 c5 28-6e cb 5b 7c fc 31 24 76   ..jEs..(n.[|.1$v
    00b0 - 86 88 3e 64 7a 1e 78 e3-9e bf ea 4f c9 bf cc 2e   ..>dz.x....O....
    00c0 - 14 d1 f8 70 e2 e3 e4 f3-01 30 e1 be b3 b1 b9 fe   ...p.....0......

    Start Time: 1740077787
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
8042B98E957F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEINSHa/Nk3ycMMPprDgorVZnOjZrBpW6xXXEE33HkCHGM
BDD6yTXs3EDyYfaTb1aIeXfV0G6lot30NuWCof8DAjq1wgH69KAlw65RCKjz6Kh0
mL+hBgIEZ7d626IEAgIcIKQGBAQBAAAArgcCBQCblO1rswMCARc=
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run sanity test with default values (ECDSA)
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/caCert.pem
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:18 2025 GMT; NotAfter: Feb 20 18:55:18 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTE4WhcNMjYwMjIwMTg1NTE4WjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAAT9vwJqAky7hQtpk9Q8558RI17YyENEP7m3lTKbiQgVOqPV
USUujUJrsCSA5U/y1BCIuJdM+0hOOswvmn1e+qRVo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFKx1CUzGxeQ+bfVR4b45pr2ac6a/MB8GA1UdIwQYMBaAFLDm
MPxB/mUrxOWVJCuOeOf08S6lMA0GCSqGSIb3DQEBCwUAA4IBAQBGU9FKDfFLikNb
qdKMAcUVW8o5c/0RVPhQS5CQzFdtAmpCNohwh9bN+Ca/eenSgUtyYXaV+/DQugd4
5Flw09Fs7h2R9lNoYq3IfKVUWW1EOwma8D8muPwHzWSjjAYgm0+8w1wP6mqckuVl
sH0KtTpP1DvQShS3+92EXjhMECNAPLK8U2wcWFe6cP8v2r3+dRa4YkoSXbXDdg+9
564qJv468T6z1o0kSYFBKExdeMBo+J15MtTzW6onrPfsYfvsHdk4kMd/ib1qZAla
JUher3/G0fON2MA24hCOiaiMVTKUIux01buZmYJ7LPQHaIEAVaiCcc9kbTRvayn1
1HsRaXGd
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1034 bytes and written 371 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: EECBCE03DFAA2B05737BE5F791D69A1C879C052F529BC5E6DF9BA6645B16922F
    Session-ID-ctx: 
    Resumption PSK: 0FE1EBBA406491A954342664864CB1EA761BB95A2696DF773EAAEAEBE99D104E4BA01CE8A7A4DF92DA38FC58C258D6D7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - f7 4c c3 9d 0b de 03 22-92 2e ab 50 20 ef 98 4c   .L....."...P ..L
    0010 - ef d6 43 2d 28 4a 09 17-76 d1 5c 47 4a 5f 72 cf   ..C-(J..v.\GJ_r.
    0020 - ec 19 53 db c8 1b 15 a3-7e c4 ed 01 4e ac ab ec   ..S.....~...N...
    0030 - b0 17 9c 9a 6f 4a 9a 08-87 a6 14 c0 6c fc 5a 77   ....oJ......l.Zw
    0040 - 55 61 44 32 3d 6a ea db-74 60 50 f6 0f a6 02 4e   UaD2=j..t`P....N
    0050 - dd 38 3e 00 60 61 6e 8f-85 69 70 27 fa a0 b9 48   .8>.`an..ip'...H
    0060 - 47 3f b9 07 7f e1 0f 33-c3 2e 04 df 90 30 70 83   G?.....3.....0p.
    0070 - 38 e7 b4 37 99 4b 51 47-bf 64 2a c9 f2 db 51 6e   8..7.KQG.d*...Qn
    0080 - 44 31 70 2d 2e 54 5c c5-98 88 be 72 56 4b 99 71   D1p-.T\....rVK.q
    0090 - 8d 07 dc e1 a9 59 5f 7c-f6 78 86 b3 9d d2 84 87   .....Y_|.x......
    00a0 - ec 1c 7c b0 bd bf 0d b6-c1 f7 26 ad c5 fe 84 30   ..|.......&....0
    00b0 - 8a 8f e7 d7 99 6f fa 90-0c 73 14 71 60 07 2b cb   .....o...s.q`.+.
    00c0 - 67 1a 28 0d 1f 75 5d f1-94 3a c6 94 7e cf e7 1e   g.(..u]..:..~...

    Start Time: 1740077787
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 94E978856797CA7BF2D3F67E59917FA6B214E473115DB5C96DE9A0132FA07497
    Session-ID-ctx: 
    Resumption PSK: EC8557E7D0556CEDC71BEAFCF67C11F5476EFDD82AD5192BF49D72EDA7FAB4E605E70927465622AF1E0CDC9889C17015
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - f7 4c c3 9d 0b de 03 22-92 2e ab 50 20 ef 98 4c   .L....."...P ..L
    0010 - 72 ef df 41 0c 11 ce 9a-f6 be ea 96 76 b9 4f 7c   r..A........v.O|
    0020 - 84 31 24 ed 30 2f 77 56-ab 55 a2 35 46 d1 c2 4a   .1$.0/wV.U.5F..J
    0030 - 34 ba 30 63 d0 d9 c4 4f-99 b8 af 99 c6 32 5a b0   4.0c...O.....2Z.
    0040 - a4 97 cc 2d c4 44 3e a2-33 34 34 8d 32 ed bc e4   ...-.D>.344.2...
    0050 - 2b c3 c5 39 b7 bc d0 ca-7f 90 89 54 63 10 f5 07   +..9.......Tc...
    0060 - e8 ed 23 b7 17 38 49 7c-7c e4 65 b0 98 5d fe 65   ..#..8I||.e..].e
    0070 - 3b 8c 4e 4c 0a 06 ba c0-b7 60 4c d3 00 0f ee 13   ;.NL.....`L.....
    0080 - 95 bc ec d5 32 ed 4c 82-c9 df 5d fb 5f 44 0d 4a   ....2.L...]._D.J
    0090 - 83 00 bd 7a 60 00 41 d0-8b 16 bd aa d2 ce bc 6b   ...z`.A........k
    00a0 - a2 d4 0c 91 61 b5 dc 0a-95 95 ef 35 a2 b2 c3 07   ....a......5....
    00b0 - a8 8e ff 49 dd 2a 2b 0f-8e 52 8d 67 63 07 84 1f   ...I.*+..R.gc...
    00c0 - 12 4b 21 c6 ee f3 01 72-b0 d0 bc b9 f9 43 50 63   .K!....r.....CPc

    Start Time: 1740077787
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
806233D3617F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEIP3PCwnMpuLw85lW2u6axUzCqBN3BXDr9VPBpYpAT2Od
BDDshVfn0FVs7ccb6vz2fBH1R2792CrVGSv0nXLtp/q05gXnCSdGViKvHgzcmInB
cBWhBgIEZ7d626IEAgIcIKQGBAQBAAAArgcCBQCY/DgpswMCARc=
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.2
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/caCert.pem -tls1_2
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My Test Cert
   i:CN=Issuer
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:17 2025 GMT; NotAfter: Feb 20 18:55:17 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTE3WhcNMjYwMjIwMTg1NTE3WjAxMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBALukE6OXf2SZp7zcIibiMGNuD0XiOrBNE/iM
mmn4hgU17L/qYBNIrK5ovV9DseNw8ugEADREx5xjG2fKzImY9XpEoVF+E2t2xtmD
Im3Jz3j93cZlaCr2ftQV6ACziBgG9i+wypLY2BeeMQ7UYXRkJG6vMOwBCo1d8ooG
v+vxWCMOTeO75sRRFCggIRmIPB3ZyDbfOiyqOpSRRg9o5d/LDVejWwYLHOM9FM2k
K3tdS7i5o3aekbqUqmlavKUq77PysM78GVg5JC36aDztRcaMpsO3FGNCOs0DaPjM
fc1H3A6BaSnor2ZQIYtJuSnH5WhPguy4xje4roDae4b4oYFXEIsCAwEAAaOBgTB/
MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBTT1c39sl39hpwMGlmN1SpCoRlAEDAf
BgNVHSMEGDAWgBSw5jD8Qf5lK8TllSQrjnjn9PEupTANBgkqhkiG9w0BAQsFAAOC
AQEAJA4+Xprh0tT3oN+Q+70dQHiBZ+A6w8PkLlM7P+Gn/UTNaQ0dMUbt+s9QlHIX
yPk9mgtTTPgrzNYqNTkXzuYpVV/6nDETRIH66SGceOVeH6Xe0jfTCEafrpeK3Ouo
QfDMHXiOUteeoVKDmqWhZB1J8leP419gAP6L15AKktZB3xejCH0JmZd1SCwomSW5
o9F0P1kssi7GjjYKhgON4JQsr7l+zSFvbSGT5ZYZmwcQiwMq6I27BKqghevrMbnX
+WkpD5QnqQOY/BmJl2l70zz6rnr1PLO5O4Sr4m0oQ5yHRgP/G8wY+qkw/9CYH98U
PyI/N7hSsysylid/N9k2/K5q3g==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1509 bytes and written 274 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: FC2F375FBB944F0055A3F95115DCF2402EA82F3EA89D2D3921F1DB83C56224BA
    Session-ID-ctx: 
    Master-Key: 989C687C82088CF9E23FD5788A52FD00E9C093AD131BB24C7F81BAA9CDDAF9E5FA6B4F155CA174F4CEEF7DE6E1F9E0C7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 73 40 ec f9 c6 35 38 aa-ab a9 62 16 e2 69 83 e2   s@...58...b..i..
    0010 - 2b 96 7c 7c 48 e2 70 57-2f 0c b2 ac 8c 64 38 3b   +.||H.pW/....d8;
    0020 - 4c b4 bd 47 8a 46 a9 1f-51 0e 8f 80 bc 28 80 10   L..G.F..Q....(..
    0030 - bb d2 75 f4 d0 ce 7a 32-3d ae c0 e7 f9 94 3b 42   ..u...z2=.....;B
    0040 - e2 4c 7e c3 c8 fd 69 b0-83 5c 2c 38 e8 d9 b1 04   .L~...i..\,8....
    0050 - 99 ed 58 3e 1b 9f c4 01-b2 ce 1a 1a 73 1b b4 ff   ..X>........s...
    0060 - 2e 4e 58 25 66 16 41 f9-b1 8c 2f 96 1a 5e ff c2   .NX%f.A.../..^..
    0070 - 13 d1 57 c8 bd c2 b4 5f-00 6c 61 d1 ff 0a ea 94   ..W...._.la.....
    0080 - f5 39 b2 d6 33 5a 84 0a-c9 49 d2 b7 2b b3 ed c8   .9..3Z...I..+...
    0090 - 2d 1a 22 6c 62 40 ea 08-3c 9b 4f a0 7f be 82 df   -."lb@..<.O.....
    00a0 - 2a f8 dd d5 6d 6a 2a ba-4c d8 1d 62 b5 fb 7f 66   *...mj*.L..b...f

    Start Time: 1740077787
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
 TLS SUCCESSFUL 
80129716347F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALAMAQABDCYnGh8ggiM+eI/1XiKUv0A6cCTrRMbskx/gbqpzdr5
5fprTxVcoXT0zu995uH54MehBgIEZ7d626IEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1:secp521r1:secp384r1
Shared groups: secp256r1:secp521r1:secp384r1
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with explicit TLS 1.3
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/caCert.pem -tls1_3
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My Test Cert
   i:CN=Issuer
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:17 2025 GMT; NotAfter: Feb 20 18:55:17 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTE3WhcNMjYwMjIwMTg1NTE3WjAxMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBALukE6OXf2SZp7zcIibiMGNuD0XiOrBNE/iM
mmn4hgU17L/qYBNIrK5ovV9DseNw8ugEADREx5xjG2fKzImY9XpEoVF+E2t2xtmD
Im3Jz3j93cZlaCr2ftQV6ACziBgG9i+wypLY2BeeMQ7UYXRkJG6vMOwBCo1d8ooG
v+vxWCMOTeO75sRRFCggIRmIPB3ZyDbfOiyqOpSRRg9o5d/LDVejWwYLHOM9FM2k
K3tdS7i5o3aekbqUqmlavKUq77PysM78GVg5JC36aDztRcaMpsO3FGNCOs0DaPjM
fc1H3A6BaSnor2ZQIYtJuSnH5WhPguy4xje4roDae4b4oYFXEIsCAwEAAaOBgTB/
MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBTT1c39sl39hpwMGlmN1SpCoRlAEDAf
BgNVHSMEGDAWgBSw5jD8Qf5lK8TllSQrjnjn9PEupTANBgkqhkiG9w0BAQsFAAOC
AQEAJA4+Xprh0tT3oN+Q+70dQHiBZ+A6w8PkLlM7P+Gn/UTNaQ0dMUbt+s9QlHIX
yPk9mgtTTPgrzNYqNTkXzuYpVV/6nDETRIH66SGceOVeH6Xe0jfTCEafrpeK3Ouo
QfDMHXiOUteeoVKDmqWhZB1J8leP419gAP6L15AKktZB3xejCH0JmZd1SCwomSW5
o9F0P1kssi7GjjYKhgON4JQsr7l+zSFvbSGT5ZYZmwcQiwMq6I27BKqghevrMbnX
+WkpD5QnqQOY/BmJl2l70zz6rnr1PLO5O4Sr4m0oQ5yHRgP/G8wY+qkw/9CYH98U
PyI/N7hSsysylid/N9k2/K5q3g==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1424 bytes and written 343 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: FA8D3A8BCE2CA41287C058937C1E5EB7A8E91E1C725FE06F32EF2596610875AE
    Session-ID-ctx: 
    Resumption PSK: 1755FD6ED6036D13CDDA43B1C3C69F16876330D96368BC9A60B4ABD7AF2F0A7CB100C0774CD6ACB0D06A7175FC216FFF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - d3 9d 7d bf e9 01 3e 62-83 16 37 84 36 82 53 2b   ..}...>b..7.6.S+
    0010 - 6c 49 19 ca 17 5f 57 06-83 61 65 b6 67 04 28 da   lI..._W..ae.g.(.
    0020 - 08 e4 0c 9c 99 4a c5 36-dc 86 b1 45 b7 44 88 4b   .....J.6...E.D.K
    0030 - 65 bf 65 67 9f 86 9f 7a-b9 8c b6 7c 38 7a 00 ec   e.eg...z...|8z..
    0040 - fd 86 e3 bb 2d cb d6 b1-f4 16 cb ca 44 e2 39 b8   ....-.......D.9.
    0050 - 36 42 0a 8f 3d 0b a4 34-f7 91 c3 b7 ad cc 26 54   6B..=..4......&T
    0060 - ae b1 82 86 58 8c 94 56-77 26 bd 57 45 45 92 e6   ....X..Vw&.WEE..
    0070 - c2 b3 0a e5 1b 65 6e e9-d9 2b aa 37 95 bc d1 49   .....en..+.7...I
    0080 - b7 6d dc 56 cd cf 7b e7-a9 45 47 f7 23 23 fb 0b   .m.V..{..EG.##..
    0090 - 8f a5 c0 92 4d 11 ca a4-f3 90 af 90 5c 2e 71 cf   ....M.......\.q.
    00a0 - 97 97 d1 9b 43 da 72 f9-94 11 2f 55 2d bd 13 19   ....C.r.../U-...
    00b0 - 9a 70 fe c9 90 23 6a c4-8e 2a 03 6a 44 bb 2f 50   .p...#j..*.jD./P
    00c0 - b8 b6 1b 57 eb 36 59 87-12 4e 0c 73 4e 75 79 b2   ...W.6Y..N.sNuy.

    Start Time: 1740077788
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F36957CB5982860C89ABD7018BCBE7B50A8BD414F362FF74E98C59246C8EE181
    Session-ID-ctx: 
    Resumption PSK: 4309942EBC3BC2EA14CF321F5A2AC04F583BD6159273FD31BB03F3A3EEFEEA2DD18166C2910F7CE93212247A34A4A1C8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - d3 9d 7d bf e9 01 3e 62-83 16 37 84 36 82 53 2b   ..}...>b..7.6.S+
    0010 - ec 9d 10 df 48 f0 4a 80-10 4e f8 99 9d 43 3b b3   ....H.J..N...C;.
    0020 - c7 03 bf a8 7d e6 6b 80-6b c3 0a 1b 43 58 93 a8   ....}.k.k...CX..
    0030 - 85 97 68 dd b1 94 58 df-75 b4 e2 ab 33 25 53 28   ..h...X.u...3%S(
    0040 - eb 78 10 f7 87 f5 5b 82-02 62 8d 6f 31 d7 a9 f2   .x....[..b.o1...
    0050 - c9 53 b7 b0 24 4f a6 81-23 ba 71 0b 11 ea af 94   .S..$O..#.q.....
    0060 - 0c f4 90 0d 68 9b 96 71-8f 3d 91 4c 81 bf 4a f3   ....h..q.=.L..J.
    0070 - b9 0e 5f ac b0 95 38 62-3d 73 82 f7 a5 67 83 02   .._...8b=s...g..
    0080 - 9b 9b c3 18 e8 0b 23 52-6d 7a 35 95 c3 84 64 2a   ......#Rmz5...d*
    0090 - 2b fa 4a 23 cd 19 1c e2-9b 22 70 e9 7e 5c 26 93   +.J#....."p.~\&.
    00a0 - c3 f5 5c 8d cb cb 60 9a-78 f9 89 d3 f3 0b 3c b3   ..\...`.x.....<.
    00b0 - be 17 22 43 0d 1e b4 1f-81 e2 75 83 61 c2 4e 0c   .."C......u.a.N.
    00c0 - aa 3c ea 26 78 e4 5b df-35 6e e8 e1 52 3c 9b 3e   .<.&x.[.5n..R<.>

    Start Time: 1740077788
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80A25B05477F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGCAgEBAgIDBAQCEwIEIK+W2p+EmrX8y2Y9kXHs+IWbqq5MCwj+eOXK3/sgMPz4
BDBDCZQuvDvC6hTPMh9aKsBPWDvWFZJz/TG7A/Oj7v7qLdGBZsKRD3zpMhIkejSk
ocihBgIEZ7d63KIEAgIcIKQGBAQBAAAArgYCBBthpMWzAwIBFw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.2 (ECDSA)
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/caCert.pem -tls1_2
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:18 2025 GMT; NotAfter: Feb 20 18:55:18 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTE4WhcNMjYwMjIwMTg1NTE4WjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAAT9vwJqAky7hQtpk9Q8558RI17YyENEP7m3lTKbiQgVOqPV
USUujUJrsCSA5U/y1BCIuJdM+0hOOswvmn1e+qRVo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFKx1CUzGxeQ+bfVR4b45pr2ac6a/MB8GA1UdIwQYMBaAFLDm
MPxB/mUrxOWVJCuOeOf08S6lMA0GCSqGSIb3DQEBCwUAA4IBAQBGU9FKDfFLikNb
qdKMAcUVW8o5c/0RVPhQS5CQzFdtAmpCNohwh9bN+Ca/eenSgUtyYXaV+/DQugd4
5Flw09Fs7h2R9lNoYq3IfKVUWW1EOwma8D8muPwHzWSjjAYgm0+8w1wP6mqckuVl
sH0KtTpP1DvQShS3+92EXjhMECNAPLK8U2wcWFe6cP8v2r3+dRa4YkoSXbXDdg+9
564qJv468T6z1o0kSYFBKExdeMBo+J15MtTzW6onrPfsYfvsHdk4kMd/ib1qZAla
JUher3/G0fON2MA24hCOiaiMVTKUIux01buZmYJ7LPQHaIEAVaiCcc9kbTRvayn1
1HsRaXGd
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1119 bytes and written 274 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: 36F83919CA634A7B217C0ABE58FC6B3CAFA802906DF40F79F475A6C9E948E171
    Session-ID-ctx: 
    Master-Key: 75EBB194402FD7BFFD736EC74353F5993A12F5E04912A6F264C3CAFF279A47660FE0EFA74FADAB22ADE642B16D7FFAED
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 15 cf a5 93 a7 62 c0 51-ea 98 73 17 26 e4 c9 3c   .....b.Q..s.&..<
    0010 - dd 7d 4c a8 50 2c 86 ed-7c e2 fc 0f c4 40 28 b3   .}L.P,..|....@(.
    0020 - d7 ca 4e 58 5d 4a 97 73-fc 63 a8 8c bf 65 7d c5   ..NX]J.s.c...e}.
    0030 - ca ea d1 3a 9a ec 97 ac-53 cc d8 f0 6c e7 85 7c   ...:....S...l..|
    0040 - 51 dc 92 77 e1 24 80 01-ce 08 4d 83 63 cb 81 ad   Q..w.$....M.c...
    0050 - a7 40 6e 8f c4 1b 20 db-65 5c c2 c1 be 66 57 20   .@n... .e\...fW 
    0060 - ea 3b 49 17 01 f2 54 67-bd 4b b8 7a 65 94 cc d3   .;I...Tg.K.ze...
    0070 - e4 ce 39 18 f9 f5 07 69-40 9d fc 61 76 50 d9 1a   ..9....i@..avP..
    0080 - 94 18 07 70 77 88 2f 58-20 29 62 5e 3c 8d e2 71   ...pw./X )b^<..q
    0090 - b2 eb 07 31 f0 61 3e 6b-1b e0 68 82 2e 4e 1c 6f   ...1.a>k..h..N.o
    00a0 - 86 ae 98 31 1d fd f3 a7-47 82 54 22 d9 b3 d3 d1   ...1....G.T"....

    Start Time: 1740077788
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
 TLS SUCCESSFUL 
8072FD06F47F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert -tls1_2
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALALAQABDB167GUQC/Xv/1zbsdDU/WZOhL14EkSpvJkw8r/J5pH
Zg/g76dPrasireZCsW1/+u2hBgIEZ7d63KIEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1:secp521r1:secp384r1
Shared groups: secp256r1:secp521r1:secp384r1
CIPHER is ECDHE-ECDSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.2 and ECDH
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/caCert.pem -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 -groups secp256r1
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:18 2025 GMT; NotAfter: Feb 20 18:55:18 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTE4WhcNMjYwMjIwMTg1NTE4WjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAAT9vwJqAky7hQtpk9Q8558RI17YyENEP7m3lTKbiQgVOqPV
USUujUJrsCSA5U/y1BCIuJdM+0hOOswvmn1e+qRVo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFKx1CUzGxeQ+bfVR4b45pr2ac6a/MB8GA1UdIwQYMBaAFLDm
MPxB/mUrxOWVJCuOeOf08S6lMA0GCSqGSIb3DQEBCwUAA4IBAQBGU9FKDfFLikNb
qdKMAcUVW8o5c/0RVPhQS5CQzFdtAmpCNohwh9bN+Ca/eenSgUtyYXaV+/DQugd4
5Flw09Fs7h2R9lNoYq3IfKVUWW1EOwma8D8muPwHzWSjjAYgm0+8w1wP6mqckuVl
sH0KtTpP1DvQShS3+92EXjhMECNAPLK8U2wcWFe6cP8v2r3+dRa4YkoSXbXDdg+9
564qJv468T6z1o0kSYFBKExdeMBo+J15MtTzW6onrPfsYfvsHdk4kMd/ib1qZAla
JUher3/G0fON2MA24hCOiaiMVTKUIux01buZmYJ7LPQHaIEAVaiCcc9kbTRvayn1
1HsRaXGd
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1119 bytes and written 252 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Session-ID: 055EBE7547B6B61E1BFE3067152AB6C16E495E8C6F39550B369FED677B56ECE7
    Session-ID-ctx: 
    Master-Key: 5517DAC453762EF4E7D9D129AE99BEC26F0A467E50E907DA7C1E74F34CF461130C26EBD0A24336FBED573C4E4EF3AB95
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 22 79 fc 77 55 19 22 bb-51 21 b0 3e 85 11 28 17   "y.wU.".Q!.>..(.
    0010 - f6 7d 9d ab 86 85 61 88-5c 09 95 8d fa e4 6f 25   .}....a.\.....o%
    0020 - f8 90 1d f7 5d 55 9e 7a-ab 1c 8e 2d d6 d1 7a 15   ....]U.z...-..z.
    0030 - 85 3e 02 98 f4 57 4c 67-31 d4 db 6a 15 f7 ff 33   .>...WLg1..j...3
    0040 - e1 64 3e 2e f9 22 77 80-4a 32 0f ab d8 1c 33 64   .d>.."w.J2....3d
    0050 - 10 99 d0 99 80 8a db 66-4c 85 85 27 6d ca 08 11   .......fL..'m...
    0060 - ae 3e 74 39 97 f5 a7 e7-e0 df d0 2d e1 7f 9f c2   .>t9.......-....
    0070 - 98 0e 7b 52 2c e5 22 d6-55 76 3b 71 2b 19 e0 9a   ..{R,.".Uv;q+...
    0080 - d8 00 ae 60 35 4e ef 89-ec 01 3d e4 b4 eb 26 05   ...`5N....=...&.
    0090 - 3a 52 6e 42 47 40 71 44-b0 22 22 3b 32 ab 57 44   :RnBG@qD."";2.WD
    00a0 - 39 bc 40 94 31 45 89 a3-f1 f7 8d f3 ee 8a 3c 2f   9.@.1E........</

    Start Time: 1740077788
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
 TLS SUCCESSFUL 
8052CC819A7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALAKwQABDBVF9rEU3Yu9OfZ0Smumb7CbwpGflDpB9p8HnTzTPRh
Ewwm69CiQzb77Vc8Tk7zq5WhBgIEZ7d63KIEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 

Shared ciphers:ECDHE-ECDSA-AES128-GCM-SHA256Q

Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1
Shared groups: secp256r1
CIPHER is ECDHE-ECDSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.3 and specific suite
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/caCert.pem -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384 -groups secp256r1
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:18 2025 GMT; NotAfter: Feb 20 18:55:18 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTE4WhcNMjYwMjIwMTg1NTE4WjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAAT9vwJqAky7hQtpk9Q8558RI17YyENEP7m3lTKbiQgVOqPV
USUujUJrsCSA5U/y1BCIuJdM+0hOOswvmn1e+qRVo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFKx1CUzGxeQ+bfVR4b45pr2ac6a/MB8GA1UdIwQYMBaAFLDm
MPxB/mUrxOWVJCuOeOf08S6lMA0GCSqGSIb3DQEBCwUAA4IBAQBGU9FKDfFLikNb
qdKMAcUVW8o5c/0RVPhQS5CQzFdtAmpCNohwh9bN+Ca/eenSgUtyYXaV+/DQugd4
5Flw09Fs7h2R9lNoYq3IfKVUWW1EOwma8D8muPwHzWSjjAYgm0+8w1wP6mqckuVl
sH0KtTpP1DvQShS3+92EXjhMECNAPLK8U2wcWFe6cP8v2r3+dRa4YkoSXbXDdg+9
564qJv468T6z1o0kSYFBKExdeMBo+J15MtTzW6onrPfsYfvsHdk4kMd/ib1qZAla
JUher3/G0fON2MA24hCOiaiMVTKUIux01buZmYJ7LPQHaIEAVaiCcc9kbTRvayn1
1HsRaXGd
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1033 bytes and written 327 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 3032D1489AAA2C90D22F69947632E3096986DCA94A271CA22D21D94B52F8A61A
    Session-ID-ctx: 
    Resumption PSK: C302A71D5C503CCAEB5144B5B8C3830C578D66A4C219935B8F504C9DB35A69DEE8A6A43DF18D8BBD65334F526E8F17AA
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 33 99 0d b5 fe fc b6 81-52 be 6e cc d6 a3 81 71   3.......R.n....q
    0010 - 37 1c bc 99 ce 5e 41 54-b6 6e ee 44 74 de 9b 49   7....^AT.n.Dt..I
    0020 - cd 19 47 8a 1a 3f df 47-f4 fe e0 46 47 b8 d5 5a   ..G..?.G...FG..Z
    0030 - f1 d4 6b dc 2d de 61 54-f1 ee 44 35 4b 0d c7 ab   ..k.-.aT..D5K...
    0040 - 9d 22 5b 6c 28 76 0f 93-99 2f 97 ae 3d fa b8 d3   ."[l(v.../..=...
    0050 - 42 5d 3e 3c 4f f8 67 89-2b 05 6b 52 68 0d 20 29   B]><O.g.+.kRh. )
    0060 - b1 5a 97 bd 01 f0 fb c5-c2 98 87 fb 2d eb 5f fe   .Z..........-._.
    0070 - de 6d 99 13 03 df 75 ef-28 d9 e6 fa ef 5e 0b de   .m....u.(....^..
    0080 - ba 26 58 b4 db b8 9e 7d-9d 3b b7 cb 6b d2 3b 6e   .&X....}.;..k.;n
    0090 - 05 e1 90 78 b6 2c 16 a0-a6 b1 0b a6 e1 47 ed 26   ...x.,.......G.&
    00a0 - 6c 17 f7 1e 02 ee 5b 16-69 cc d1 a0 d3 14 54 6c   l.....[.i.....Tl
    00b0 - 9b 3b f3 9c 36 4e 3b 9a-f6 cc 91 43 0f 49 18 9a   .;..6N;....C.I..
    00c0 - 9a 71 31 65 dd 82 bf 02-cc a0 f4 15 ee 22 fe 82   .q1e........."..

    Start Time: 1740077788
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 458A81564168DD06B518879591312F4DBD7904A357EDF2CF9248683ECBD67B4B
    Session-ID-ctx: 
    Resumption PSK: 28ED8BBB63523CF05B79811BD954F43344F2DC5DEF947EEB109622BA3A6D2EC3056DF814CDE231B8B91255D46435385A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 33 99 0d b5 fe fc b6 81-52 be 6e cc d6 a3 81 71   3.......R.n....q
    0010 - c4 7a 00 6f 86 2f d2 7e-59 b8 aa 2a dd 7b 0e 2b   .z.o./.~Y..*.{.+
    0020 - 7a 5a 35 74 02 71 89 05-83 3c 81 b0 2a 9c 25 35   zZ5t.q...<..*.%5
    0030 - 5c cd b1 4a 64 a0 1e 27-fc 90 f6 14 6b 92 56 64   \..Jd..'....k.Vd
    0040 - 2b fa 80 14 33 7b 05 1d-0f 42 91 ca fe 63 71 cb   +...3{...B...cq.
    0050 - 45 d8 6d ca 1f e9 a0 3c-32 0c e0 af 6d f7 31 f8   E.m....<2...m.1.
    0060 - 25 b7 b6 7d 6e e9 d5 98-aa ae 4f c8 43 bc 91 3c   %..}n.....O.C..<
    0070 - 44 67 e9 42 18 42 53 f2-45 75 27 a3 17 25 4e d1   Dg.B.BS.Eu'..%N.
    0080 - 7d 9a 59 e6 d4 71 9b f6-10 b1 f5 a3 0e f7 56 40   }.Y..q........V@
    0090 - 63 cb bb 61 d2 b8 e5 ca-8c dd e2 ec fb 46 8a f0   c..a.........F..
    00a0 - 3d 00 6f 85 1d e7 60 54-33 78 75 6b 53 1b 15 34   =.o...`T3xukS..4
    00b0 - 0f e0 d6 e4 18 31 fb bd-52 86 23 0f 70 ce cd 5f   .....1..R.#.p.._
    00c0 - 42 bb c9 21 dd c5 35 2b-40 62 94 48 11 a0 bc 08   B..!..5+@b.H....

    Start Time: 1740077788
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80E24BD3887F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEIM9R31T4BP9lWjbDnQGs25PeoKsyrcU/hm7b+gYY8Ch2
BDAo7Yu7Y1I88Ft5gRvZVPQzRPLcXe+UfusQliK6Om0uwwVt+BTN4jG4uRJV1GQ1
OFqhBgIEZ7d63KIEAgIcIKQGBAQBAAAArgcCBQCjzEGIswMCARc=
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Supported groups: secp256r1
Shared groups: secp256r1
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

                                      ##
########################################

########################################
## Forcing the provider for all server operations


## Run sanity test with default values (RSA)
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softokn/caCert.pem
Connecting to ::1
CONNECTED(00000004)
8052D27B567F0000:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:909:SSL alert number 80
---
no peer certificate available
---
No client certificate CA names sent
Negotiated TLS1.3 group: <NULL>
---
SSL handshake has read 7 bytes and written 291 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/ttls: line 28: wait: pid 10974 is not a child of this shell
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
ERROR
80B26128C77F0000:error:0A0C0103:SSL routines:ssl_derive:internal error:ssl/s3_lib.c:4901:
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   0 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
ERROR
80B26128C77F0000:error:0A0C0103:SSL routines:ssl_derive:internal error:ssl/s3_lib.c:4901:
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   0 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)
==============================================================================

=================================== 75/92 ====================================
test:         pkcs11-provider:softhsm / tls
start time:   18:56:28
duration:     3.27s
result:       exit status 0
command:      MALLOC_PERTURB_=42 TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper tls-softhsm.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/ttls

## Test SSL_CTX creation
SSL Context works!

## Test setting cert/keys on TLS Context
Cert and Key successfully set on TLS Context!

## Test setting cert/keys on TLS Context w/o pub key
Cert and Key successfully set on TLS Context!

## Test an actual TLS connection
########################################
## TLS with key in provider


## Run sanity test with default values (RSA)
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.pem
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My Test Cert
   i:CN=Issuer
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:20 2025 GMT; NotAfter: Feb 20 18:55:20 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTIwWhcNMjYwMjIwMTg1NTIwWjAxMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBALm3yR1R7RWPTizyj7ufv1F12QSxcEPNbNVh
QrO8FSMmSkfgTl4jDx7ZbJyV0+MP0hqkVkkliDIk9yeo8/fnI2P8ybYPbe5imu13
q41dTnDeW1DvDC/+F1UwbwRBcpyALiFLzNsUudkhduTAJb4xzH2TzH4m8sIDzNP2
3MDkeHd0zORE4zCqSLW8PPijA7OhXFUe6W9/+2RECSAtAxERM+NiVur0z0IeoYuq
jsjIwadIRbXkuM2Ky0e0ljrQc4JErOZCSuSrdCJA15XQZ7Nk5vb/Y6U+ONfPtjhq
XHb/XEDbgy4bXreqVvPdUHLefYLddwdm+HBpE7NBAu73gsbuVR0CAwEAAaOBgTB/
MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBQZch6d4yNBJWROeQzlCL3wLZNaUzAf
BgNVHSMEGDAWgBTJsJEJrz8hrGck+qLdQ3ROqFMx9jANBgkqhkiG9w0BAQsFAAOC
AQEAmZyF8A2Rz5B3r0iiQiqTzIZ9eSnUmjHiDY2OYlzCcpfh9SjL7nHAbFDVFMfF
/Fz4ChfyBaMQQX6kQdR1Qa12Cw63QyCzgCNbb+MhCrXXCz7s7r0aqBOnswPOM62B
wmPgAxXHKI/kShJbTx/UBLU/vQnU/Zq4axn4DfeBpZXgfYWVdqz7BuQl0pR9v3EB
Ip7pcBpQimiKLlMZL+p25xppQl0B3g0YvyT8T8vIJPLN6sENrNsk7jlkbcAABDmE
raNjDehuo06O0UZnFj/vhZxAxtGIg/y10adK9MWeg+Q40ut530JOJrtSIT/uogaf
O9r0K/U/hmT+tgz2yax0MBk5wg==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1424 bytes and written 371 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 34C4289018713B78BD9361A901A91AE82E2BE5AC6091A506ECF0651D1C91435A
    Session-ID-ctx: 
    Resumption PSK: 426BC1B4ECEBEA700482CC97820E56AA2FD663D430B8D4619A66B9D5DB8A0859B1BBB4DE9FB9E9E117B1D9F6FE24A18C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - e3 54 eb a8 99 e9 7e c3-ce c5 46 7c 33 ea 88 73   .T....~...F|3..s
    0010 - 80 6d 86 27 de 7f 55 a9-6f 2c f7 e6 7b 28 d7 1f   .m.'..U.o,..{(..
    0020 - da 18 20 6f 06 19 51 63-22 b6 40 fe 2b bf 41 30   .. o..Qc".@.+.A0
    0030 - 8b ad 1e 68 47 5b 44 83-45 b2 06 35 f0 e5 19 40   ...hG[D.E..5...@
    0040 - 5c 59 3f 17 f2 68 b2 d7-e0 c2 ce 7f c5 c7 22 67   \Y?..h........"g
    0050 - 71 a1 19 ce 27 1d e5 74-30 e6 e4 e7 a2 f1 22 90   q...'..t0.....".
    0060 - 57 6f 6b fc f5 d0 8a a5-b5 ee d5 22 f7 59 af ba   Wok........".Y..
    0070 - 2e 83 f4 90 52 39 92 6e-01 e6 05 e1 d9 61 54 45   ....R9.n.....aTE
    0080 - 03 5d 49 49 62 dd 3f c5-66 99 a6 59 1c 3e 18 16   .]IIb.?.f..Y.>..
    0090 - 0a 80 42 e0 0d 2b ab 87-65 7b 21 04 62 e1 48 5b   ..B..+..e{!.b.H[
    00a0 - 29 d4 ab 20 5f 8d 7f f2-25 7e ae 17 1e 24 7d f7   ).. _...%~...$}.
    00b0 - 5c eb 6a 56 92 63 86 b3-05 55 41 20 a0 82 63 ef   \.jV.c...UA ..c.
    00c0 - 08 fe c6 7d 81 66 50 67-14 fe b7 0b aa ee 74 33   ...}.fPg......t3

    Start Time: 1740077789
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 8E06BC5FD37A3144BC93A157B9F115F855153488E01892FCF28C79392B6BD7E2
    Session-ID-ctx: 
    Resumption PSK: 062476CE8B651344C6DBB2B255402DF75BD4CC0521CF0B36A168D7EAEB9E6DA2E6B54B86A5AC92B36AD80051EA3CBE70
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - e3 54 eb a8 99 e9 7e c3-ce c5 46 7c 33 ea 88 73   .T....~...F|3..s
    0010 - f5 7a 2e 61 cb fa 67 3f-0e 85 be 4d 48 90 ee c8   .z.a..g?...MH...
    0020 - 54 13 9a 48 a6 9b bc 04-6d 35 f7 19 a6 f8 df e4   T..H....m5......
    0030 - d8 1a 3c 50 7d 31 2d d9-38 1a 3c 90 12 8d 11 d8   ..<P}1-.8.<.....
    0040 - b7 30 c7 3e f0 52 5c 9c-0f c3 71 fe 88 cc 5a aa   .0.>.R\...q...Z.
    0050 - d4 62 3b f9 dd 20 32 57-3b c8 45 35 83 b7 6a 6f   .b;.. 2W;.E5..jo
    0060 - 94 6b cf bf 1b f0 33 84-1d fe fd 8e 49 79 7e cf   .k....3.....Iy~.
    0070 - be 4d 3a c4 61 62 5c 30-7e 81 9c a8 7c a6 1d 1c   .M:.ab\0~...|...
    0080 - 7b 38 9d 52 d3 c3 ea 05-04 4b c7 46 d0 2e ce 23   {8.R.....K.F...#
    0090 - 12 11 4b fc 05 0a 1a 9c-c4 6f 5b 9b 32 a7 74 4d   ..K......o[.2.tM
    00a0 - 78 6f 59 71 44 bd c5 66-9b 1f da c4 f5 a4 b0 b5   xoYqD..f........
    00b0 - 49 5c 71 18 df 5a ff 1d-68 1d 3f ab 93 d5 95 90   I\q..Z..h.?.....
    00c0 - db c0 ab f6 cd 68 da f7-b6 59 57 7c bc 01 61 c5   .....h...YW|..a.

    Start Time: 1740077789
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80C2A2B2D97F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGCAgEBAgIDBAQCEwIEIAMBzRyFIlb7sh7A94oynWUlUUKtwcgt7oybQv7FozB3
BDAGJHbOi2UTRMbbsrJVQC33W9TMBSHPCzahaNfq655toua1S4alrJKzatgAUeo8
vnChBgIEZ7d63aIEAgIcIKQGBAQBAAAArgYCBDdMaBKzAwIBFw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run sanity test with default values (RSA-PSS)

## Generating a new selfsigned certificate for pkcs11:type=private;id=%00%10
 openssl req -batch -noenc -x509 -new -key ${KEY} ${AARGS} -out ${CERT}


spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.pem
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=0 C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
verify error:num=18:self-signed certificate
verify return:1
depth=0 C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
verify return:1
---
Certificate chain
 0 s:C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
   i:C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
   a:PKEY: RSASSA-PSS, 2048 (bit); sigalg: RSASSA-PSS
   v:NotBefore: Feb 20 18:56:29 2025 GMT; NotAfter: Mar 22 18:56:29 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEIzCCAtugAwIBAgIUC+lHKcJT7hWYVxA/wpvw+WVa6qYwPQYJKoZIhvcNAQEK
MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC
ASAwZzELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMREwDwYDVQQHDAhO
ZXcgWW9yazEYMBYGA1UECgwPUEtDUzExIFByb3ZpZGVyMRgwFgYDVQQLDA9UZXN0
aW5nIEhhcm5lc3MwHhcNMjUwMjIwMTg1NjI5WhcNMjUwMzIyMTg1NjI5WjBnMQsw
CQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3Jr
MRgwFgYDVQQKDA9QS0NTMTEgUHJvdmlkZXIxGDAWBgNVBAsMD1Rlc3RpbmcgSGFy
bmVzczCCASAwCwYJKoZIhvcNAQEKA4IBDwAwggEKAoIBAQDG8sDoomr7v5v+AlyU
sVGB6laFPjoajwHAPC6TtzhdN7ocegejRJD2FDVPMQ+c8++p32ExOuo9+mauleje
CtqrZVlYDJXvl6BoGlBX9WbcUyS9m8Ow5YnwgKQTnDs/69Ojpeau6y0JZry4Wh+W
gL2HqQQWU/ursBvyNp+5x31Ul+FAo6OF0FyrmzWCdIDB8E8s9QrYPHGVeN5mjvK+
YTS0kl+EK4FfIATNZxCnaPHKBRbgZJFrhEvA8lgaoTma/TqDwUFYC+Ao47kFtfSi
lyie8a3rbxZ3np7ehgHxxLO58bSs/O8/2YQCnKlH5ZsR6LgfymoLrXe34x2wbS/o
IISjAgMBAAGjaTBnMB0GA1UdDgQWBBSwxd5+cypjB1vidWRRsxWMS2iZ2TAfBgNV
HSMEGDAWgBSwxd5+cypjB1vidWRRsxWMS2iZ2TAPBgNVHRMBAf8EBTADAQH/MAkG
A1UdEQQCMAAwCQYDVR0SBAIwADA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQC
AaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIAOCAQEAf/kc8NUHVhHd
qZr28+nCmB4q1+gi2wPzRBmnPSA6NuwwM8jfkYpK3G0CXiut9HJhUS21ep8cBCv4
GBLEtE5M3vL02+7t1mcDiuLRTM/bQXhwY5b1LZUkskjlGpJH+lo3jFhR/RIjIlPt
Ucv/c31tsaao/FOiK/wkIEkSncLQL131Vba9e9ExPVJaMTl3CayVjMJ7ZPX/bjsF
PLG1bNHbxbDAOsV1IV7E2KYwUMRZDXbDhgYHIWCIKOqrsg3MXvTm4lVgLA/B+gwA
XLliOnKH2MuZ5t06ChLHNTD+JCzq2okzOAq0NID0nDBOBtKSb4Amo9TtXdGmQVY0
eERSEsezWA==
-----END CERTIFICATE-----
subject=C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
issuer=C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1652 bytes and written 371 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: DEA90F80BF38371103C4A4D278282254FE320F4D9184B316BA577B50F324EEEB
    Session-ID-ctx: 
    Resumption PSK: CE9650F31D582403D46FEF6D530EE9531BEBC240C469919C37ED73EEDF090074592B2D7B7B4D05E0BC280C3C43AC5C34
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 79 b3 57 50 2e ff a1 cc-2f ec b7 9f 0e 42 de 30   y.WP..../....B.0
    0010 - b6 49 a7 68 26 57 90 3b-a7 5a 66 5c 46 cb 48 13   .I.h&W.;.Zf\F.H.
    0020 - d2 5c 29 1b b9 5e ea b6-c7 56 31 a8 cf b4 37 77   .\)..^...V1...7w
    0030 - 1e 1e c1 93 15 d0 56 24-3e ad 6c bc f6 da 50 f7   ......V$>.l...P.
    0040 - 3f 50 58 d2 d9 e1 e5 40-49 50 57 53 10 ff 11 d2   ?PX....@IPWS....
    0050 - b1 c0 8e c0 d6 04 5e 49-04 1d 99 07 67 0c 01 61   ......^I....g..a
    0060 - eb 05 a4 4b a2 7a 36 b7-64 16 1f a6 51 88 e3 67   ...K.z6.d...Q..g
    0070 - 43 bf 34 36 6d 80 cc 99-7b 89 d1 29 65 6b 49 d8   C.46m...{..)ekI.
    0080 - f7 0d 9d 55 84 ce 38 34-87 18 59 17 03 f6 53 74   ...U..84..Y...St
    0090 - 60 02 22 2c a0 ec e4 6b-0e 95 59 29 e3 77 59 8c   `.",...k..Y).wY.
    00a0 - 46 5b a2 9a 25 d7 f5 14-62 19 13 b8 e0 a4 7d 2f   F[..%...b.....}/
    00b0 - fc 75 13 ed ff 6e 0e 2c-84 0e ea 9c 4f 47 cc e9   .u...n.,....OG..
    00c0 - bd 02 e8 0f c3 70 f2 0a-42 14 b9 c7 2a 84 95 18   .....p..B...*...

    Start Time: 1740077789
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 9795FC41F4C5A8C8BC3C87729199E8CB7B6F2CED523426EF7F4E873674238833
    Session-ID-ctx: 
    Resumption PSK: CD54873F2836AA3109EF4D01D0468D685F1E2393AD8300D64FE32DA5227F2C24BEC929FC5B0CB5237A17F0FF98D5305F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 79 b3 57 50 2e ff a1 cc-2f ec b7 9f 0e 42 de 30   y.WP..../....B.0
    0010 - 39 5e 0c a3 c4 9b 3b 1e-a2 2e b6 2b 0e 2b 0a 3f   9^....;....+.+.?
    0020 - 29 17 bb 52 e6 78 93 ab-03 23 b9 52 d0 e3 d3 ab   )..R.x...#.R....
    0030 - fc cf d6 a3 39 4b 66 37-b5 7d e7 65 c1 bc cb ca   ....9Kf7.}.e....
    0040 - d6 69 b7 5a 52 ed 56 55-13 2f b7 d4 97 05 b3 6f   .i.ZR.VU./.....o
    0050 - 56 e3 bc 04 c1 c8 cf 7a-e3 f1 30 60 ee 9e da 96   V......z..0`....
    0060 - d4 1d d4 e4 4f bf f2 b3-11 d0 7b 6f 35 12 c5 45   ....O.....{o5..E
    0070 - 01 e7 6c e3 08 65 69 74-0a a0 6f 5b 15 70 32 2c   ..l..eit..o[.p2,
    0080 - 56 75 9f a0 8c e9 e6 d8-04 3d f7 f9 8d 78 d9 71   Vu.......=...x.q
    0090 - 41 35 f8 06 78 f3 0c 9b-e4 57 8e cd 13 b3 b3 87   A5..x....W......
    00a0 - 53 3e 08 b5 13 53 e2 23-b0 db 63 b8 27 df ad f9   S>...S.#..c.'...
    00b0 - 53 28 66 b6 8d 92 b8 e2-3a 02 7b 13 3b e5 2b 4c   S(f.....:.{.;.+L
    00c0 - e6 d6 d1 20 5b dd 3f 37-d4 3c 33 40 56 1a 2d 7c   ... [.?7.<3@V.-|

    Start Time: 1740077789
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
803263FDF17F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%10 -cert /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/rsapss-default.pem
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGCAgEBAgIDBAQCEwIEICl7w3zyUT22i3SaQGfADTRzan3/3vDqN0ceY/qsema7
BDDNVIc/KDaqMQnvTQHQRo1oXx4jk62DANZP4y2lIn8sJL7JKfxbDLUjehfw/5jV
MF+hBgIEZ7d63aIEAgIcIKQGBAQBAAAArgYCBD9o+kmzAwIBFw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run sanity test with RSA-PSS and SHA256

## Generating a new selfsigned certificate for pkcs11:type=private;id=%00%11
 openssl req -batch -noenc -x509 -new -key ${KEY} ${AARGS} -out ${CERT}


spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.pem
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=0 C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
verify error:num=18:self-signed certificate
verify return:1
depth=0 C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
verify return:1
---
Certificate chain
 0 s:C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
   i:C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
   a:PKEY: RSASSA-PSS, 3092 (bit); sigalg: RSASSA-PSS
   v:NotBefore: Feb 20 18:56:29 2025 GMT; NotAfter: Mar 22 18:56:29 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFKDCCA12gAwIBAgIUeNbHdP/fadRJXdRQviJ3ExCT3oIwPQYJKoZIhvcNAQEK
MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC
ASAwZzELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMREwDwYDVQQHDAhO
ZXcgWW9yazEYMBYGA1UECgwPUEtDUzExIFByb3ZpZGVyMRgwFgYDVQQLDA9UZXN0
aW5nIEhhcm5lc3MwHhcNMjUwMjIwMTg1NjI5WhcNMjUwMzIyMTg1NjI5WjBnMQsw
CQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3Jr
MRgwFgYDVQQKDA9QS0NTMTEgUHJvdmlkZXIxGDAWBgNVBAsMD1Rlc3RpbmcgSGFy
bmVzczCCAaIwCwYJKoZIhvcNAQEKA4IBkQAwggGMAoIBgw1Fb3FCGQgEFET2Q88/
cJm7ktM/QqJjFhsTt/0NHOfxo+MDmYa47paSI938ZNmq7VufUU6V6exirMwZOnNs
GM1IVUU8nqIZYrVG9R36ntyyrapL1cmKtsNsGWuXR7MLXXUL1fzrJi3AVLVkpRds
vxHd1FUkdA5ztwZVA5C3c4pRhm95Wg138Oty62dhBebS+MfAhN/eN6i/1dgW962/
1goPK51K0c01ybA5ZVqca2uhjBRotQFWohV3+cWiSvVT9SimFyMb9+ZggQLYrvVO
tpFWcNH3r6ITDw+vvITl7ZBkjNIDbk7AX9fP6eHYaWT7XSdyXBAYzxYVgxjpfm5W
drlZEKjOk2mWTUVgfcSpyZvvpSujGs3AVuH+ONwIkaTnzH2d6DShLffhlvOeL+dQ
sYLEj2sqruVNRkIJBBYfrPzHDA4OTUIiDKGlTr+N8WT4K7/xWpdYIMGgYiv7IGD+
eGSTHT3vJ11xQFJkxEekGWfgNmqVVgjY3jP7kqpaXs3C52PbIQIDAQABo2kwZzAd
BgNVHQ4EFgQU/u9kmcx9NcIOGoz21Vn3kVFI3b4wHwYDVR0jBBgwFoAU/u9kmcx9
NcIOGoz21Vn3kVFI3b4wDwYDVR0TAQH/BAUwAwEB/zAJBgNVHREEAjAAMAkGA1Ud
EgQCMAAwPQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0B
AQgwCwYJYIZIAWUDBAIBogMCASADggGEAAv0gxLUBmUQIlu+QRSG16n76ad1PNcq
S5mvXmFx9O8OcJa7xkypa25s6ih5CUwOgsbMJxnqwg9h7wyVo8K63TKJRTTnshaW
tBfSwOhAkDZNUxo2M6uHQ9IOVpNTIA9iQ44Uz+OUDiKUkuEmNiRYNsOqcwGLZWq1
EjG7+Ni3bvxqIdFUEgpHIg2bHsJHXNJlXJZHLdoJL7AvyCLptu6TMUI45Ijsj+98
zdQN+wa7grC+0d/9bBjSddzJF6Fi/72cDB4OgeuW/u2lv+PKrUWDwybufK2NjVXf
Eof0E7PDTKlBoETo/luJe78+LBdZjCh1GxnoszI7MBBuRFePc55tc6BcTLQHDPCp
+tmoUW8A5mvSQrLTrPD41FAEmjR24/r9Y0iDc0nTWrd7R338YlutFVcw0y+KzFgU
TG461Fd7qKLkUToczXHbdQOdKSoeY/AjwzPx5Yi48i8UuerD3wRxtJzgAscc9AlV
mG8l084QFjmWlR3EqR1Ft1tCszWWAaPkYgygyQ==
-----END CERTIFICATE-----
subject=C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
issuer=C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2044 bytes and written 371 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 3092 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 407A088801B069F36013A5B6717C0E2E51B2AD36828E392C719A8D6278379DFF
    Session-ID-ctx: 
    Resumption PSK: 25142714D2FDEA3486967925C5717BDC02FC4F91A3586217B355C8F10E35BF0DD415DA85A890831778123FFD2A352DDE
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 10 c8 df d4 2a b5 ac 95-04 79 a4 06 2a e1 98 b1   ....*....y..*...
    0010 - 11 de 18 8f 1c 13 2b 5b-04 72 00 b2 58 03 86 4b   ......+[.r..X..K
    0020 - 86 ca 62 3f 2c a6 16 30-a1 67 7a 23 c0 5c 9f f9   ..b?,..0.gz#.\..
    0030 - ab f4 bd 0d 19 9f 23 59-a8 c6 97 6a b7 69 b6 66   ......#Y...j.i.f
    0040 - 82 63 de 3d 34 54 0b 87-7e f1 08 7b 8d 3e e1 5a   .c.=4T..~..{.>.Z
    0050 - bf f6 38 e8 ee d5 2f 72-d0 70 92 2a 82 43 6b 4a   ..8.../r.p.*.CkJ
    0060 - 8d b7 83 cd c4 b2 d9 aa-29 fc dd 7b b9 38 bd 60   ........)..{.8.`
    0070 - 09 6c 2c 24 37 2d dd 76-67 fc d9 b9 de 5f ff 34   .l,$7-.vg...._.4
    0080 - ea b9 48 d7 01 bd 4b ed-17 01 d6 80 8f 6f 89 e5   ..H...K......o..
    0090 - a1 97 2c bf 58 d8 3e 94-b7 b1 80 bd 38 f7 dc 0b   ..,.X.>.....8...
    00a0 - 2c 18 85 dc 84 22 60 3c-fe 41 60 e4 bf 9d dd 7d   ,...."`<.A`....}
    00b0 - 4e 44 53 86 d0 23 05 8d-af 80 b7 1c 44 f5 78 c3   NDS..#......D.x.
    00c0 - 0f ed 77 02 f5 be fd 98-11 6f 3b 9d 5d 61 25 5e   ..w......o;.]a%^

    Start Time: 1740077789
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 01CE194B449E5F86671C4637A53966F718ED411D43FF6AE6C21C5F28A5E42866
    Session-ID-ctx: 
    Resumption PSK: 41CEE39EEB9466E25537880DE5DDF630E8A24337D5094F895F0E98C7AD07A558CCEBDC8C5FACBB043B12405320B3C16D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 10 c8 df d4 2a b5 ac 95-04 79 a4 06 2a e1 98 b1   ....*....y..*...
    0010 - a8 fb 31 64 7b d7 20 c8-cb 67 b8 82 43 74 60 a6   ..1d{. ..g..Ct`.
    0020 - 85 52 2c 96 3f c0 f5 70-9f 0e 72 df c8 73 36 88   .R,.?..p..r..s6.
    0030 - d8 6d 0d c2 da ec a3 5d-74 93 ee f3 e7 a2 f0 f8   .m.....]t.......
    0040 - c8 44 b9 be e0 5e 24 40-97 bb 2f f6 97 92 bd 27   .D...^$@../....'
    0050 - 9e 0c ea 2f 34 28 fb 35-2b 6d d5 99 f1 cf 0a e5   .../4(.5+m......
    0060 - 80 5c 84 46 98 e1 e1 8b-b3 f2 3a 43 fb 96 49 9d   .\.F......:C..I.
    0070 - 8f 05 06 0e f6 fd 7d 56-37 39 3c c1 5c f0 bc 59   ......}V79<.\..Y
    0080 - 20 2f b1 1f c6 c6 a7 ab-b1 2a f3 9f db e6 c0 18    /.......*......
    0090 - 98 f5 2b ca 83 8a 4b 04-4b ec 32 e0 f5 aa 13 eb   ..+...K.K.2.....
    00a0 - 33 36 f8 88 c9 9b ea 13-21 df 8e b4 65 75 a5 cf   36......!...eu..
    00b0 - d2 62 7e ad d7 1c 86 d7-71 27 7d 1e fa ee e0 cf   .b~.....q'}.....
    00c0 - 0a 76 6f 46 6e d8 9d 4b-c9 0b 21 3a 50 a5 a8 92   .voFn..K..!:P...

    Start Time: 1740077789
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
8082D247B67F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%11 -cert /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/rsapss-sha256.pem
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEIDU5m7Las/KjctGL+hEvWoLH40it0qFrOKkHV0z2U4pB
BDBBzuOe65Rm4lU3iA3l3fYw6KJDN9UJT4lfDpjHrQelWMzr3IxfrLsEOxJAUyCz
wW2hBgIEZ7d63aIEAgIcIKQGBAQBAAAArgcCBQCqPEN2swMCARc=
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run sanity test with default values (ECDSA)
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.pem
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:20 2025 GMT; NotAfter: Feb 20 18:55:20 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTIwWhcNMjYwMjIwMTg1NTIwWjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATfwCWcTC4wH6LfjOB0cdjOVYE8LTwUOcC76v6FmSQSDD2f
VNkCez9Es/8S6JxGasCDljIAKe5k6LVv2GM1FybYo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFN3L9hHdh3weIW54WctiWIurkBBlMB8GA1UdIwQYMBaAFMmw
kQmvPyGsZyT6ot1DdE6oUzH2MA0GCSqGSIb3DQEBCwUAA4IBAQAxD1ySabv5y+B8
csfmFpguKim52yr2IF09WaReabTXNYMB7p2Ml1kD8hX8Q9+446+5LJh+Mw6DF2ZZ
0QhI03bt24XmUI4V9vTrmZe/e1h73MF66qLZZ5Yzns6MxlrHswSki2RK4X+UskBY
iRnjgGXM87q5R+TKXByNi/E7+1xzOnXM8amOCuVz3TZCcnNYaWeRluDkt1IjXiRl
i5v1vC1YuyupQm/7oINsfD4oJTY8yr8Wa/Cz6RwwfblAMwYfmWCnXL0MB2Pr/Hxp
a1YK5JrSMkuU4w/5Mxd3gZmo9zKljF0ZP7SS8YKFex/tBRle1/msjVPwLJ8R8UqA
/ZnfWN6I
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1033 bytes and written 371 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: EDD472124AF95BE7A90A35D3363783B4465FB026B1D9730D5A65E2EBE4576551
    Session-ID-ctx: 
    Resumption PSK: 80B99C5D112874A360603CF2640FC88EDF57999A70A22498CDA4E1B17F3A7011F3D90C51B379ED3B50BB7A0047596D91
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 06 f4 b7 c9 91 d3 47 62-b8 10 26 40 d2 69 dc 65   ......Gb..&@.i.e
    0010 - 54 6d f1 35 72 53 41 98-2a 63 6c ce b1 71 0f 8e   Tm.5rSA.*cl..q..
    0020 - 91 f4 a8 1d 71 1f 8d 9a-da 83 00 e4 04 3f c6 99   ....q........?..
    0030 - 13 75 72 26 15 e8 95 02-67 ed 94 8f d2 40 a1 ce   .ur&....g....@..
    0040 - 20 9e f6 f0 23 b7 c5 37-e8 4a de 04 0f cd 3c 19    ...#..7.J....<.
    0050 - 3b c7 42 9b 0f 28 15 e7-cd 06 e9 e8 69 9a 95 c0   ;.B..(......i...
    0060 - d3 01 41 92 46 94 ad f6-e6 24 80 95 87 af 47 85   ..A.F....$....G.
    0070 - b2 6d a0 e2 d2 1a e1 38-93 a1 b6 87 26 34 a4 b0   .m.....8....&4..
    0080 - 07 f1 0c 14 15 85 e3 15-ba 63 bc fd 15 00 03 cf   .........c......
    0090 - 41 fc 2a 39 9f ea c0 84-2e 58 49 d1 5b 36 2b 15   A.*9.....XI.[6+.
    00a0 - f8 be f6 5f 95 53 14 48-64 58 11 4a 35 e5 93 23   ..._.S.HdX.J5..#
    00b0 - fd 19 b5 03 54 39 8e f4-2c 7f 96 0e 8e dd 88 ac   ....T9..,.......
    00c0 - 17 c3 51 00 56 3b be 47-f2 b7 e9 46 3e eb 02 c2   ..Q.V;.G...F>...

    Start Time: 1740077789
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F526FAE94BC3FA8E0D491F9BDA1B628987B0586F5296983318E590B57C0DDCFC
    Session-ID-ctx: 
    Resumption PSK: 22A6CB968989C946D401AD3F81DDEF9989E2BCF4F182ACEEBE9AC5EE946CF972B86C7F323F573B916AB5A061FE29B104
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 06 f4 b7 c9 91 d3 47 62-b8 10 26 40 d2 69 dc 65   ......Gb..&@.i.e
    0010 - 17 2c 3d 11 23 a9 b3 1a-6c 7c 3d 77 f6 53 2b 12   .,=.#...l|=w.S+.
    0020 - f3 e0 87 40 68 7d 03 84-cf 17 ca 06 40 33 19 35   ...@h}......@3.5
    0030 - 31 6c ac 14 f9 c8 4e 9c-cf 90 ea 85 29 77 87 84   1l....N.....)w..
    0040 - be 58 12 b5 2a 1e 8e 81-9b 5d b9 5f f9 2a 56 77   .X..*....]._.*Vw
    0050 - 1c 3b c0 de 94 0c 89 ca-dc 5a d8 16 9f 41 57 2f   .;.......Z...AW/
    0060 - b0 6f 8b 38 27 7b 24 98-b5 d8 96 fd c3 d1 64 54   .o.8'{$.......dT
    0070 - 78 1e 86 cd f8 e7 5b 32-30 26 5d 0e dc d1 b4 f1   x.....[20&].....
    0080 - 51 b6 e6 52 b1 61 7c 3d-df 4e 81 15 90 82 db 2e   Q..R.a|=.N......
    0090 - db 20 36 62 79 12 57 2e-f5 f8 6a ed e9 9d 2e 32   . 6by.W...j....2
    00a0 - ea b4 67 c3 8d b3 4b 76-cf 5e 74 94 e3 14 b2 93   ..g...Kv.^t.....
    00b0 - 75 d0 db aa 0b ca 27 bf-06 61 d6 fc 38 da 71 30   u.....'..a..8.q0
    00c0 - 6c b7 70 34 2f dd a2 e6-be 93 be 8b cf 4a 6a 37   l.p4/........Jj7

    Start Time: 1740077789
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
8032F651F87F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEIGNmEuUCMqvwwIF63vdVbbDqBrU3tnLmC8khGQXhMyAS
BDAipsuWiYnJRtQBrT+B3e+ZieK89PGCrO6+msXulGz5crhsfzI/VzuRarWgYf4p
sQShBgIEZ7d63aIEAgIcIKQGBAQBAAAArgcCBQC0btPxswMCARc=
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.2
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.pem -tls1_2
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My Test Cert
   i:CN=Issuer
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:20 2025 GMT; NotAfter: Feb 20 18:55:20 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTIwWhcNMjYwMjIwMTg1NTIwWjAxMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBALm3yR1R7RWPTizyj7ufv1F12QSxcEPNbNVh
QrO8FSMmSkfgTl4jDx7ZbJyV0+MP0hqkVkkliDIk9yeo8/fnI2P8ybYPbe5imu13
q41dTnDeW1DvDC/+F1UwbwRBcpyALiFLzNsUudkhduTAJb4xzH2TzH4m8sIDzNP2
3MDkeHd0zORE4zCqSLW8PPijA7OhXFUe6W9/+2RECSAtAxERM+NiVur0z0IeoYuq
jsjIwadIRbXkuM2Ky0e0ljrQc4JErOZCSuSrdCJA15XQZ7Nk5vb/Y6U+ONfPtjhq
XHb/XEDbgy4bXreqVvPdUHLefYLddwdm+HBpE7NBAu73gsbuVR0CAwEAAaOBgTB/
MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBQZch6d4yNBJWROeQzlCL3wLZNaUzAf
BgNVHSMEGDAWgBTJsJEJrz8hrGck+qLdQ3ROqFMx9jANBgkqhkiG9w0BAQsFAAOC
AQEAmZyF8A2Rz5B3r0iiQiqTzIZ9eSnUmjHiDY2OYlzCcpfh9SjL7nHAbFDVFMfF
/Fz4ChfyBaMQQX6kQdR1Qa12Cw63QyCzgCNbb+MhCrXXCz7s7r0aqBOnswPOM62B
wmPgAxXHKI/kShJbTx/UBLU/vQnU/Zq4axn4DfeBpZXgfYWVdqz7BuQl0pR9v3EB
Ip7pcBpQimiKLlMZL+p25xppQl0B3g0YvyT8T8vIJPLN6sENrNsk7jlkbcAABDmE
raNjDehuo06O0UZnFj/vhZxAxtGIg/y10adK9MWeg+Q40ut530JOJrtSIT/uogaf
O9r0K/U/hmT+tgz2yax0MBk5wg==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1509 bytes and written 274 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: CA937444532F86EC2F20E0C8A8CC31FF7B2BB787510C2705128A1B6F356EFF4A
    Session-ID-ctx: 
    Master-Key: 90B803503087899336303A504A761510B4DE2A45D0E0DBC37F320829B1AAA005D9F38809F6EC00DDA20ED889F84AAE16
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 39 2a 90 e3 86 5b e9 c2-3d 8a 8e 76 06 4d e3 81   9*...[..=..v.M..
    0010 - 07 19 54 a7 ce 8a 0d d8-c8 23 47 d6 e8 61 07 57   ..T......#G..a.W
    0020 - f5 67 a8 35 e5 cd 1a 09-97 4c af 83 5e 3f 16 e8   .g.5.....L..^?..
    0030 - a9 29 27 1e 57 b0 68 57-3b 1a 56 30 3c 4b d6 c2   .)'.W.hW;.V0<K..
    0040 - d7 ee 70 e2 a8 ed c9 df-2f 24 3d 2a e7 73 d3 00   ..p...../$=*.s..
    0050 - af c8 d7 78 72 03 39 ab-ca 34 e5 57 6e be e0 78   ...xr.9..4.Wn..x
    0060 - 4c 11 66 a2 80 47 1b 13-38 69 4a 54 3d 1d 83 93   L.f..G..8iJT=...
    0070 - 12 98 9d 60 32 21 ca cc-49 97 92 97 34 7e 7b 75   ...`2!..I...4~{u
    0080 - a4 c1 28 a5 ee 82 fa 69-60 e7 4e fd 0e f8 92 33   ..(....i`.N....3
    0090 - df 3f cf 67 d9 33 f7 5d-1f d8 d4 f0 59 53 9a 67   .?.g.3.]....YS.g
    00a0 - 10 00 77 d7 71 41 85 bf-55 60 1d 3b 38 5a 53 f3   ..w.qA..U`.;8ZS.

    Start Time: 1740077789
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
 TLS SUCCESSFUL 
80329AD4F57F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALAMAQABDCQuANQMIeJkzYwOlBKdhUQtN4qRdDg28N/Mggpsaqg
BdnziAn27ADdog7YifhKrhahBgIEZ7d63aIEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1:secp521r1:secp384r1
Shared groups: secp256r1:secp521r1:secp384r1
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with explicit TLS 1.3
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.pem -tls1_3
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My Test Cert
   i:CN=Issuer
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:20 2025 GMT; NotAfter: Feb 20 18:55:20 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTIwWhcNMjYwMjIwMTg1NTIwWjAxMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBALm3yR1R7RWPTizyj7ufv1F12QSxcEPNbNVh
QrO8FSMmSkfgTl4jDx7ZbJyV0+MP0hqkVkkliDIk9yeo8/fnI2P8ybYPbe5imu13
q41dTnDeW1DvDC/+F1UwbwRBcpyALiFLzNsUudkhduTAJb4xzH2TzH4m8sIDzNP2
3MDkeHd0zORE4zCqSLW8PPijA7OhXFUe6W9/+2RECSAtAxERM+NiVur0z0IeoYuq
jsjIwadIRbXkuM2Ky0e0ljrQc4JErOZCSuSrdCJA15XQZ7Nk5vb/Y6U+ONfPtjhq
XHb/XEDbgy4bXreqVvPdUHLefYLddwdm+HBpE7NBAu73gsbuVR0CAwEAAaOBgTB/
MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBQZch6d4yNBJWROeQzlCL3wLZNaUzAf
BgNVHSMEGDAWgBTJsJEJrz8hrGck+qLdQ3ROqFMx9jANBgkqhkiG9w0BAQsFAAOC
AQEAmZyF8A2Rz5B3r0iiQiqTzIZ9eSnUmjHiDY2OYlzCcpfh9SjL7nHAbFDVFMfF
/Fz4ChfyBaMQQX6kQdR1Qa12Cw63QyCzgCNbb+MhCrXXCz7s7r0aqBOnswPOM62B
wmPgAxXHKI/kShJbTx/UBLU/vQnU/Zq4axn4DfeBpZXgfYWVdqz7BuQl0pR9v3EB
Ip7pcBpQimiKLlMZL+p25xppQl0B3g0YvyT8T8vIJPLN6sENrNsk7jlkbcAABDmE
raNjDehuo06O0UZnFj/vhZxAxtGIg/y10adK9MWeg+Q40ut530JOJrtSIT/uogaf
O9r0K/U/hmT+tgz2yax0MBk5wg==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1424 bytes and written 343 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: C48087F4B1AA57C3799C4A458F57F7FA2BB06AD7A6D256BB6CE8185AED94B314
    Session-ID-ctx: 
    Resumption PSK: C87EBDD1C9E1DFB6065CF0090C171230E40D14CC362C4A592BE1AEDF3FAE371CEB2EAD88F77546D209326F2DD9F0C3A3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 73 4a c6 78 e7 45 2e 63-aa 8f 9f 85 8a e9 cf 00   sJ.x.E.c........
    0010 - 58 b5 c1 b8 da 11 bb 44-59 4f 31 8e 09 4f 1e 7a   X......DYO1..O.z
    0020 - 50 94 2f 70 ab df 08 e6-e7 ee 5e 11 44 7d 45 96   P./p......^.D}E.
    0030 - f0 55 2f 11 2c b7 a4 7b-cf 23 f7 0c 84 f5 32 a7   .U/.,..{.#....2.
    0040 - ec da 34 25 f4 a4 89 44-4d 5f d5 76 b8 40 df 37   ..4%...DM_.v.@.7
    0050 - aa 1d 7c 5c 6e 18 85 5d-32 a8 35 6a da 78 57 e0   ..|\n..]2.5j.xW.
    0060 - 6f bb ac 77 88 81 e9 84-5e 11 b2 b7 c5 63 75 15   o..w....^....cu.
    0070 - a8 dc 85 31 46 1f 69 75-86 49 42 95 d2 b6 21 28   ...1F.iu.IB...!(
    0080 - 30 10 89 b0 2a d8 36 32-32 a5 ac 86 76 69 d7 0c   0...*.622...vi..
    0090 - 85 15 60 55 30 d9 98 96-42 84 8a 7e d7 29 a1 7d   ..`U0...B..~.).}
    00a0 - d2 18 92 1d 0e 7b c8 85-c5 96 a0 51 c3 0d 4a 52   .....{.....Q..JR
    00b0 - f2 90 70 d7 6f 50 5a 61-5a bd 80 ad 48 6c 9d 15   ..p.oPZaZ...Hl..
    00c0 - 5d a9 eb 2f 69 b8 2e d4-32 63 26 1d 24 32 c5 2c   ]../i...2c&.$2.,

    Start Time: 1740077789
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 194494B8CA567A0105170647D74A6C88FF9294932B6C6115E45538027A714E24
    Session-ID-ctx: 
    Resumption PSK: F27E22510667F725F5C4D7095DBDB8EA7EB7FC2B219A3A22D59586EE5718951C7426CB8B784875805FD28CE29AEFC6C5
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 73 4a c6 78 e7 45 2e 63-aa 8f 9f 85 8a e9 cf 00   sJ.x.E.c........
    0010 - 29 46 38 35 12 d7 53 dc-32 e0 4a 33 e7 64 26 8a   )F85..S.2.J3.d&.
    0020 - e9 a8 fc 01 b7 41 ec 29-e8 ce bf 25 8a c6 cb 64   .....A.)...%...d
    0030 - 2e 7c a7 fe 3a 78 b6 73-96 67 73 4d 35 36 96 0b   .|..:x.s.gsM56..
    0040 - ba b9 00 6f 82 e0 6f d2-20 ee 61 42 87 d0 ee bd   ...o..o. .aB....
    0050 - ea 13 95 72 18 33 b5 b3-4e b6 13 25 2d 1c 8d 39   ...r.3..N..%-..9
    0060 - 50 40 17 c8 2c 3b 0a 04-e6 7f ff 30 a3 f3 48 39   P@..,;.....0..H9
    0070 - a6 a1 30 f7 68 f5 34 19-69 df a3 bf f0 ea 98 83   ..0.h.4.i.......
    0080 - b2 ac 76 5a 03 ff 06 f1-62 ac 12 e7 fd 3b 97 49   ..vZ....b....;.I
    0090 - b2 c3 10 44 5f 9b ac 58-f0 03 1d 70 a3 82 44 3e   ...D_..X...p..D>
    00a0 - 9e c4 d2 0e cf 60 ed a7-14 84 a4 1e 6e 3f 40 c1   .....`......n?@.
    00b0 - 3b 99 ea 02 cd c7 97 1c-4c 64 44 ca 64 c8 df 08   ;.......LdD.d...
    00c0 - f6 c2 9e e7 30 cc 98 7b-ed 97 2f 9a 10 5f 79 f3   ....0..{../.._y.

    Start Time: 1740077789
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80D297331E7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEIBjZ0PoT5ybM62Tm82IrdAF8Rj9S4gc29MCf7QuKZB8P
BDDyfiJRBmf3JfXE1wldvbjqfrf8KyGaOiLVlYbuVxiVHHQmy4t4SHWAX9KM4prv
xsWhBgIEZ7d63aIEAgIcIKQGBAQBAAAArgcCBQDhBAejswMCARc=
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.2 (ECDSA)
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.pem -tls1_2
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:20 2025 GMT; NotAfter: Feb 20 18:55:20 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTIwWhcNMjYwMjIwMTg1NTIwWjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATfwCWcTC4wH6LfjOB0cdjOVYE8LTwUOcC76v6FmSQSDD2f
VNkCez9Es/8S6JxGasCDljIAKe5k6LVv2GM1FybYo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFN3L9hHdh3weIW54WctiWIurkBBlMB8GA1UdIwQYMBaAFMmw
kQmvPyGsZyT6ot1DdE6oUzH2MA0GCSqGSIb3DQEBCwUAA4IBAQAxD1ySabv5y+B8
csfmFpguKim52yr2IF09WaReabTXNYMB7p2Ml1kD8hX8Q9+446+5LJh+Mw6DF2ZZ
0QhI03bt24XmUI4V9vTrmZe/e1h73MF66qLZZ5Yzns6MxlrHswSki2RK4X+UskBY
iRnjgGXM87q5R+TKXByNi/E7+1xzOnXM8amOCuVz3TZCcnNYaWeRluDkt1IjXiRl
i5v1vC1YuyupQm/7oINsfD4oJTY8yr8Wa/Cz6RwwfblAMwYfmWCnXL0MB2Pr/Hxp
a1YK5JrSMkuU4w/5Mxd3gZmo9zKljF0ZP7SS8YKFex/tBRle1/msjVPwLJ8R8UqA
/ZnfWN6I
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1118 bytes and written 274 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: C84172C145E9AAC168586002AFCDA28E5EB61C6FBABBECDA419691252F0F85F0
    Session-ID-ctx: 
    Master-Key: 6788442C3C735964AF2873BE023932921224985653EDFC94C2E61B44F111432804B6250B4B16C216CC01F1C5E2A22DA3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - b4 7a 0b 9a c3 d6 d7 bf-27 ac 1a 62 67 35 76 3b   .z......'..bg5v;
    0010 - 78 50 24 c7 96 c3 b5 2d-65 99 39 71 b7 56 24 83   xP$....-e.9q.V$.
    0020 - 0a ab 5e d3 93 01 e5 05-7b 84 bd 5d 58 33 52 5f   ..^.....{..]X3R_
    0030 - 28 73 ae 27 c3 09 ed 5a-9b fa 24 cb c4 0d 6d 0f   (s.'...Z..$...m.
    0040 - 21 c4 7d ef 34 d5 55 8e-1d 9e 8b 8e 0b 6d 90 aa   !.}.4.U......m..
    0050 - f6 87 74 de b2 be b7 35-15 71 a9 87 57 cf 60 65   ..t....5.q..W.`e
    0060 - 8a 60 89 2a ed a1 9a 67-35 3d 30 3d c1 de 74 7f   .`.*...g5=0=..t.
    0070 - 05 e9 f5 b0 26 98 03 20-aa 93 5a 42 54 f8 bd 44   ....&.. ..ZBT..D
    0080 - 86 9e ba ce fd 38 59 d2-de c8 25 b7 4c 86 bb e1   .....8Y...%.L...
    0090 - f9 de 6b 46 9e af 74 c2-f1 5e 84 fe 93 2a 3a 26   ..kF..t..^...*:&
    00a0 - 94 8e 4d c1 26 b7 b6 55-57 6d a1 ac 43 6a e1 3b   ..M.&..UWm..Cj.;

    Start Time: 1740077790
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
 TLS SUCCESSFUL 
80E23C7BA17F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert -tls1_2
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALALAQABDBniEQsPHNZZK8oc74COTKSEiSYVlPt/JTC5htE8RFD
KAS2JQtLFsIWzAHxxeKiLaOhBgIEZ7d63qIEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1:secp521r1:secp384r1
Shared groups: secp256r1:secp521r1:secp384r1
CIPHER is ECDHE-ECDSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.2 and ECDH
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.pem -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 -groups secp256r1
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:20 2025 GMT; NotAfter: Feb 20 18:55:20 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTIwWhcNMjYwMjIwMTg1NTIwWjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATfwCWcTC4wH6LfjOB0cdjOVYE8LTwUOcC76v6FmSQSDD2f
VNkCez9Es/8S6JxGasCDljIAKe5k6LVv2GM1FybYo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFN3L9hHdh3weIW54WctiWIurkBBlMB8GA1UdIwQYMBaAFMmw
kQmvPyGsZyT6ot1DdE6oUzH2MA0GCSqGSIb3DQEBCwUAA4IBAQAxD1ySabv5y+B8
csfmFpguKim52yr2IF09WaReabTXNYMB7p2Ml1kD8hX8Q9+446+5LJh+Mw6DF2ZZ
0QhI03bt24XmUI4V9vTrmZe/e1h73MF66qLZZ5Yzns6MxlrHswSki2RK4X+UskBY
iRnjgGXM87q5R+TKXByNi/E7+1xzOnXM8amOCuVz3TZCcnNYaWeRluDkt1IjXiRl
i5v1vC1YuyupQm/7oINsfD4oJTY8yr8Wa/Cz6RwwfblAMwYfmWCnXL0MB2Pr/Hxp
a1YK5JrSMkuU4w/5Mxd3gZmo9zKljF0ZP7SS8YKFex/tBRle1/msjVPwLJ8R8UqA
/ZnfWN6I
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1120 bytes and written 252 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Session-ID: 70AFD025840C4DC391BD0B60CEB266CCD66C0AEBA185702438C5C08E2B0B8613
    Session-ID-ctx: 
    Master-Key: 2F592009480FDFBA4D3A673556440A1E9BB816A52CD6AFFD9C7101479DC446141B0E80769557D9E7A28BDFA7C698B904
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - a2 d0 bc d6 f8 a3 1d e4-e1 7b 87 cc 4b f8 4b d5   .........{..K.K.
    0010 - c6 88 2c 69 a5 1f 1b b5-ee 83 68 ff df be fb 54   ..,i......h....T
    0020 - 72 51 0d 85 18 ab 58 75-6b e9 c8 9c 3c 4b fd ba   rQ....Xuk...<K..
    0030 - 26 a7 15 97 5f 8b fb 1f-02 5b 14 0e 21 5f 1f 17   &..._....[..!_..
    0040 - d7 26 94 ad e8 56 e5 b0-54 c2 e9 9d 13 53 bf 92   .&...V..T....S..
    0050 - 44 fe 51 9f c0 84 2d 3a-2e 32 cb 67 40 08 d2 f7   D.Q...-:.2.g@...
    0060 - f9 4b 46 27 53 59 1f 24-fc 47 00 84 54 c5 b8 20   .KF'SY.$.G..T.. 
    0070 - ec 92 52 54 d1 c5 85 16-c2 c0 29 94 5e e0 90 70   ..RT......).^..p
    0080 - 09 d5 e5 34 38 be 95 5a-b6 80 6c ce 3a bb 5e 31   ...48..Z..l.:.^1
    0090 - ee e4 e8 ad c8 31 70 63-72 0f 3b c7 cf 2f 2b d1   .....1pcr.;../+.
    00a0 - 64 35 f5 73 b4 df 7a 05-9a f5 18 3c 52 09 cf 68   d5.s..z....<R..h

    Start Time: 1740077790
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
 TLS SUCCESSFUL 
80C24B09F57F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALAKwQABDAvWSAJSA/fuk06ZzVWRAoem7gWpSzWr/2ccQFHncRG
FBsOgHaVV9nnoovfp8aYuQShBgIEZ7d63qIEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:ECDHE-ECDSA-AES128-GCM-SHA256
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1
Shared groups: secp256r1
CIPHER is ECDHE-ECDSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.3 and specific suite
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.pem -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384 -groups secp256r1
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:20 2025 GMT; NotAfter: Feb 20 18:55:20 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTIwWhcNMjYwMjIwMTg1NTIwWjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATfwCWcTC4wH6LfjOB0cdjOVYE8LTwUOcC76v6FmSQSDD2f
VNkCez9Es/8S6JxGasCDljIAKe5k6LVv2GM1FybYo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFN3L9hHdh3weIW54WctiWIurkBBlMB8GA1UdIwQYMBaAFMmw
kQmvPyGsZyT6ot1DdE6oUzH2MA0GCSqGSIb3DQEBCwUAA4IBAQAxD1ySabv5y+B8
csfmFpguKim52yr2IF09WaReabTXNYMB7p2Ml1kD8hX8Q9+446+5LJh+Mw6DF2ZZ
0QhI03bt24XmUI4V9vTrmZe/e1h73MF66qLZZ5Yzns6MxlrHswSki2RK4X+UskBY
iRnjgGXM87q5R+TKXByNi/E7+1xzOnXM8amOCuVz3TZCcnNYaWeRluDkt1IjXiRl
i5v1vC1YuyupQm/7oINsfD4oJTY8yr8Wa/Cz6RwwfblAMwYfmWCnXL0MB2Pr/Hxp
a1YK5JrSMkuU4w/5Mxd3gZmo9zKljF0ZP7SS8YKFex/tBRle1/msjVPwLJ8R8UqA
/ZnfWN6I
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1034 bytes and written 327 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 0B368AF7461F5AC963919041DC56E24A38F1EC70ACC5E840E1751668CB8C0CAF
    Session-ID-ctx: 
    Resumption PSK: 8D81BC5760C420806A6E43543502CBDF0DF8FB86CC24510C7E2F9DE96192B4976D265FB0F91E7E9CBCB26932B9ECBF40
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 88 d5 4b 20 b3 ea 1c 40-de 73 f8 3d ec 75 ec a7   ..K ...@.s.=.u..
    0010 - a2 7d 9b f0 0c bf e5 db-6d bf e6 9a 64 f5 ff 11   .}......m...d...
    0020 - 05 87 d4 3b 1f 35 74 50-6a b5 22 5e 47 a0 e1 c3   ...;.5tPj."^G...
    0030 - 40 13 97 94 76 b9 93 aa-a3 ef 6f ea 41 19 f9 07   @...v.....o.A...
    0040 - ee 2e ad 51 8b 89 54 56-68 be 92 8f f4 14 29 db   ...Q..TVh.....).
    0050 - 30 6e 7a 81 69 de 43 db-1d 3b 6b a1 55 fd 06 ce   0nz.i.C..;k.U...
    0060 - 7b 2d 42 13 0d 5f 4d 8e-0d d2 28 1b 67 c8 fc e8   {-B.._M...(.g...
    0070 - 6e 48 50 69 c8 07 f3 74-80 9c 62 dd fe 26 75 6d   nHPi...t..b..&um
    0080 - b9 d9 94 d0 34 7f 03 f9-e1 5f d4 03 8c 62 f6 93   ....4...._...b..
    0090 - 4e f6 13 99 fb 1d 0a 27-83 83 fa 34 5b 85 3d 21   N......'...4[.=!
    00a0 - d6 33 45 48 19 c6 d9 61-05 54 37 bb 1e 66 47 4d   .3EH...a.T7..fGM
    00b0 - 20 c2 66 46 8e f0 1d c7-50 12 e9 6a c7 8b 7d 05    .fF....P..j..}.
    00c0 - 52 6e e0 55 6e 51 83 06-d3 3c 7f ea a5 58 af 91   Rn.UnQ...<...X..

    Start Time: 1740077790
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 4FD481D35AF6E1DB20BB3AFCBCA5D66FD427F49CDF747DCB4CD43B674182175B
    Session-ID-ctx: 
    Resumption PSK: 293016D27237AA3F0566E3FD9AD274483376B9F15A22920D436B548597AF1F5E855C428ECC3639A3CEB2A5D8E6076772
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 88 d5 4b 20 b3 ea 1c 40-de 73 f8 3d ec 75 ec a7   ..K ...@.s.=.u..
    0010 - f1 2b 60 aa b5 5b b6 9c-15 11 f7 8e c1 9a 98 bf   .+`..[..........
    0020 - 8a 66 38 d3 7a 2d 30 30-1e 56 05 34 b9 20 ed 3e   .f8.z-00.V.4. .>
    0030 - 96 ff 0b d7 1c 05 71 f6-fb a0 48 66 d4 53 1e 3c   ......q...Hf.S.<
    0040 - a9 8b 9c e9 ca df b9 95-70 be c2 2c 16 61 47 ea   ........p..,.aG.
    0050 - 91 cb 51 be 72 44 fa dd-7a 1d d4 41 6a a7 67 d7   ..Q.rD..z..Aj.g.
    0060 - e4 3a 8a 80 e9 fa f2 53-fc f9 2e 39 b0 f4 52 bf   .:.....S...9..R.
    0070 - 55 20 dc a7 c4 70 41 87-b6 95 01 c4 e6 0e 7b a5   U ...pA.......{.
    0080 - c8 0b ee 57 f3 63 8c e1-7e 94 3d 00 64 7d e7 98   ...W.c..~.=.d}..
    0090 - 47 67 ae 93 7f bd 1c a5-a0 e7 2f c5 04 ac 4f d0   Gg......../...O.
    00a0 - be eb 17 c5 bb 27 3a d8-54 80 d8 6f c2 51 2d 49   .....':.T..o.Q-I
    00b0 - 30 e0 78 c2 89 25 2c 7a-11 3f a3 f8 d0 35 10 3b   0.x..%,z.?...5.;
    00c0 - 3c bd 0a 9e c3 71 9d 54-e9 d9 ca 75 66 64 f4 af   <....q.T...ufd..

    Start Time: 1740077790
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80D272DE3B7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGCAgEBAgIDBAQCEwIEINoFDIeayXSC7PKa9ftBlppjZixzorAkZ1/Hc+O/IVtx
BDApMBbScjeqPwVm4/2a0nRIM3a58Voikg1Da1SFl68fXoVcQo7MNjmjzrKl2OYH
Z3KhBgIEZ7d63qIEAgIcIKQGBAQBAAAArgYCBE95HH+zAwIBFw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 

Shared ciphers:TLS_AES_256_GCM_SHA384
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Supported groups: secp256r1
Shared groups: secp256r1
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
Q
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

                                      ##
########################################

########################################
## Forcing the provider for all server operations


## Run sanity test with default values (RSA)
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.pem
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My Test Cert
   i:CN=Issuer
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:20 2025 GMT; NotAfter: Feb 20 18:55:20 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTIwWhcNMjYwMjIwMTg1NTIwWjAxMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBALm3yR1R7RWPTizyj7ufv1F12QSxcEPNbNVh
QrO8FSMmSkfgTl4jDx7ZbJyV0+MP0hqkVkkliDIk9yeo8/fnI2P8ybYPbe5imu13
q41dTnDeW1DvDC/+F1UwbwRBcpyALiFLzNsUudkhduTAJb4xzH2TzH4m8sIDzNP2
3MDkeHd0zORE4zCqSLW8PPijA7OhXFUe6W9/+2RECSAtAxERM+NiVur0z0IeoYuq
jsjIwadIRbXkuM2Ky0e0ljrQc4JErOZCSuSrdCJA15XQZ7Nk5vb/Y6U+ONfPtjhq
XHb/XEDbgy4bXreqVvPdUHLefYLddwdm+HBpE7NBAu73gsbuVR0CAwEAAaOBgTB/
MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBQZch6d4yNBJWROeQzlCL3wLZNaUzAf
BgNVHSMEGDAWgBTJsJEJrz8hrGck+qLdQ3ROqFMx9jANBgkqhkiG9w0BAQsFAAOC
AQEAmZyF8A2Rz5B3r0iiQiqTzIZ9eSnUmjHiDY2OYlzCcpfh9SjL7nHAbFDVFMfF
/Fz4ChfyBaMQQX6kQdR1Qa12Cw63QyCzgCNbb+MhCrXXCz7s7r0aqBOnswPOM62B
wmPgAxXHKI/kShJbTx/UBLU/vQnU/Zq4axn4DfeBpZXgfYWVdqz7BuQl0pR9v3EB
Ip7pcBpQimiKLlMZL+p25xppQl0B3g0YvyT8T8vIJPLN6sENrNsk7jlkbcAABDmE
raNjDehuo06O0UZnFj/vhZxAxtGIg/y10adK9MWeg+Q40ut530JOJrtSIT/uogaf
O9r0K/U/hmT+tgz2yax0MBk5wg==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, ?, 0 bits
---
SSL handshake has read 1424 bytes and written 371 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 23BA075EDD7D5BFA3B7D78E612FE3227D0DD63C71B1D17CAC88ABDDA9F4BCECF
    Session-ID-ctx: 
    Resumption PSK: 476651F8315C8D318F7D28784B5BA09AAF7EE8270EF034D4A890B580BC6CD242DE9F7A8D88DFF3774B0A517245847945
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - c0 cb 8e df 51 a3 03 65-ee 2a ea 3f 07 c1 3a 13   ....Q..e.*.?..:.
    0010 - a2 d4 01 1a ac 5c 93 f9-f0 3b 3b 64 c1 d7 b2 d8   .....\...;;d....
    0020 - 57 1e 64 ef 20 34 5f 1f-61 05 63 53 f0 dd a7 c6   W.d. 4_.a.cS....
    0030 - fa 0b a2 5f d7 c5 69 29-58 5e c8 c8 d9 68 49 93   ..._..i)X^...hI.
    0040 - 59 f5 db 0c 4e 1e ad ac-36 17 6f fc 23 8e 49 54   Y...N...6.o.#.IT
    0050 - 4a e3 40 a8 71 03 6c 61-f7 6a 61 03 be f5 05 6a   J.@.q.la.ja....j
    0060 - 57 ef 47 b0 c8 f0 db dc-5d 69 0f b1 74 5f df 1b   W.G.....]i..t_..
    0070 - 8d 8a f0 c2 79 e0 fc e6-8c 91 9d 6d 62 ad d7 0f   ....y......mb...
    0080 - 11 9d ef c9 65 e1 b7 7c-fe 5d e5 cd 0d 48 ae 04   ....e..|.]...H..
    0090 - fe 2d a7 77 62 b7 52 6a-9a 59 e0 69 84 62 30 91   .-.wb.Rj.Y.i.b0.
    00a0 - be cd 1f 95 9d f6 76 5b-93 88 1b 45 47 a4 c6 6e   ......v[...EG..n
    00b0 - 32 3a 30 dc fd fa ff a7-b1 91 8b 59 53 4d 00 0c   2:0........YSM..
    00c0 - 6e 8d af 79 65 43 fb a9-ff ed 0a fd cc 37 8c 00   n..yeC.......7..

    Start Time: 1740077790
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 94D9FBE1C1E2C0247F489C81BC82565DC2382A80DD601F5831482500D06345AC
    Session-ID-ctx: 
    Resumption PSK: 4FA054CF5E2B4EE31EDF6E9514EB6BFE549CAD3EF148480161679176CAE0ACB9FE0B68FD5BD1041284AEDF54A04F24AE
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - c0 cb 8e df 51 a3 03 65-ee 2a ea 3f 07 c1 3a 13   ....Q..e.*.?..:.
    0010 - fa 60 8f 3a a5 6e 24 9e-65 44 cd cd d5 e4 fb 91   .`.:.n$.eD......
    0020 - ed 68 23 98 9f 71 67 ed-ce 95 9c 9a bd 8b 65 da   .h#..qg.......e.
    0030 - 2a 12 37 49 27 50 48 c1-b2 b8 81 7d 4a d3 60 d8   *.7I'PH....}J.`.
    0040 - e8 ef 50 fc 7c 6e 95 d7-11 59 c3 9e ea 7c fa 55   ..P.|n...Y...|.U
    0050 - 36 b9 c8 4b fc af 75 dc-27 be 50 fa eb cc 5b d1   6..K..u.'.P...[.
    0060 - 83 a0 86 1f a6 5f ca 10-8d 45 80 2f 6a 63 f7 f9   ....._...E./jc..
    0070 - 5a 22 dd 2c 6c 5a 1f 96-dc 59 dd f6 98 9e 54 d4   Z".,lZ...Y....T.
    0080 - 14 6a de 1f 3e 29 39 11-5b f5 82 5c a7 0d ee c0   .j..>)9.[..\....
    0090 - 82 6f 00 1c ce dd ad 18-41 ff 11 49 2f 3a 11 79   .o......A..I/:.y
    00a0 - 5d eb 04 2a 2f a5 10 db-33 e3 ba c1 42 0d df 40   ]..*/...3...B..@
    00b0 - 8e 59 f7 55 35 0f c9 e1-48 51 be 09 a4 d6 5b 27   .Y.U5...HQ....['
    00c0 - 13 b3 62 1f cf a9 15 cb-78 43 a4 ff 59 5c e0 7a   ..b.....xC..Y\.z

    Start Time: 1740077790
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
803291D41D7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEILEv0jPcU7jkTFz04QmQ52CZvMxD6qz3Kq2RUB8US8SK
BDBPoFTPXitO4x7fbpUU62v+VJytPvFISAFhZ5F2yuCsuf4LaP1b0QQShK7fVKBP
JK6hBgIEZ7d63qIEAgIcIKQGBAQBAAAArgcCBQDGGQb2swMCARc=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM TLS SUCCESSFUL 

Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192Q

Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run sanity test with default values (RSA-PSS)

## Generating a new selfsigned certificate for pkcs11:type=private;id=%00%10
 openssl req -batch -noenc -x509 -new -key ${KEY} ${AARGS} -out ${CERT}


spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.pem
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=0 C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
verify error:num=18:self-signed certificate
verify return:1
depth=0 C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
verify return:1
---
Certificate chain
 0 s:C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
   i:C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
   a:PKEY: RSASSA-PSS, 2048 (bit); sigalg: RSASSA-PSS
   v:NotBefore: Feb 20 18:56:30 2025 GMT; NotAfter: Mar 22 18:56:30 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEIzCCAtugAwIBAgIUPnnCupE+/UN/v6odA2uOC8KbaywwPQYJKoZIhvcNAQEK
MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC
ASAwZzELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMREwDwYDVQQHDAhO
ZXcgWW9yazEYMBYGA1UECgwPUEtDUzExIFByb3ZpZGVyMRgwFgYDVQQLDA9UZXN0
aW5nIEhhcm5lc3MwHhcNMjUwMjIwMTg1NjMwWhcNMjUwMzIyMTg1NjMwWjBnMQsw
CQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3Jr
MRgwFgYDVQQKDA9QS0NTMTEgUHJvdmlkZXIxGDAWBgNVBAsMD1Rlc3RpbmcgSGFy
bmVzczCCASAwCwYJKoZIhvcNAQEKA4IBDwAwggEKAoIBAQDG8sDoomr7v5v+AlyU
sVGB6laFPjoajwHAPC6TtzhdN7ocegejRJD2FDVPMQ+c8++p32ExOuo9+mauleje
CtqrZVlYDJXvl6BoGlBX9WbcUyS9m8Ow5YnwgKQTnDs/69Ojpeau6y0JZry4Wh+W
gL2HqQQWU/ursBvyNp+5x31Ul+FAo6OF0FyrmzWCdIDB8E8s9QrYPHGVeN5mjvK+
YTS0kl+EK4FfIATNZxCnaPHKBRbgZJFrhEvA8lgaoTma/TqDwUFYC+Ao47kFtfSi
lyie8a3rbxZ3np7ehgHxxLO58bSs/O8/2YQCnKlH5ZsR6LgfymoLrXe34x2wbS/o
IISjAgMBAAGjaTBnMB0GA1UdDgQWBBSwxd5+cypjB1vidWRRsxWMS2iZ2TAfBgNV
HSMEGDAWgBSwxd5+cypjB1vidWRRsxWMS2iZ2TAPBgNVHRMBAf8EBTADAQH/MAkG
A1UdEQQCMAAwCQYDVR0SBAIwADA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQC
AaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIAOCAQEAgfPsgoSaFEQa
DdKO4KPm62jFpPNi1T+GyYd6hceu+Wvh/YpQ8QusMn9su9Mj5bN4PWbnFjhmQV2t
gM7oJoPYSBwNqbqGm4/te9ZB+qTI3YRNlxcWE9OP2Ir++zBDd6mdSS+R8sBqfPRd
ePoG0naDJDHwptcKBXEprwgTsdJBdcWguLbBV9xKZuCnZLBt6jbLpI9jfvou1cC1
7LciI2NPrdHdQploMcCiOxCriZ0fEucpddqkVe8eLfA4a7xJKsN8uIZqGpc831/0
Cyl6t1/EBuFHEl+am0EMRauzqmHqxYa1FRaggBGwIx0QLxFE3oTULY8B8vbhzUXk
oUvstQxGpQ==
-----END CERTIFICATE-----
subject=C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
issuer=C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, ?, 0 bits
---
SSL handshake has read 1652 bytes and written 371 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: BC021A18D3CDB30BF5B35C4D36DBC00490C2FF5A019C3024796649FC8CB6CA16
    Session-ID-ctx: 
    Resumption PSK: DD4DEEE25312DDDE0E9CAF5C81211163F8EB321A4712F5616E00C094DB707454EE921592873B7BCE48106D3367E70823
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 34 82 bf fd 94 63 a3 02-7b 41 e7 18 a5 fa fd 45   4....c..{A.....E
    0010 - d8 7a 3e 1f 4d a0 82 85-80 9c c9 07 06 08 35 21   .z>.M.........5!
    0020 - 31 98 dc 5d f9 b7 af 38-da 2b f4 d2 0e 77 8b 37   1..]...8.+...w.7
    0030 - f7 2d 44 ca e5 de f4 05-c1 04 0e 2a c6 dc be 1d   .-D........*....
    0040 - 2c 32 d8 1d 9b cf 59 05-4e 63 04 52 8d 99 96 b9   ,2....Y.Nc.R....
    0050 - 81 98 9e d3 6b 1f 9a c7-74 07 ce 4b 88 a3 2a 6b   ....k...t..K..*k
    0060 - f0 64 80 7e 90 2c d5 46-93 a7 1c 05 ab 24 a3 e8   .d.~.,.F.....$..
    0070 - 09 30 f0 eb 3f 44 6c 76-6d ce c4 5a 75 f9 e8 27   .0..?Dlvm..Zu..'
    0080 - 9e 10 85 89 bc b2 64 60-92 46 93 05 e1 f9 2b 28   ......d`.F....+(
    0090 - 60 74 21 05 c2 7a 01 a2-f8 81 aa a0 9a 6c 23 20   `t!..z.......l# 
    00a0 - 43 56 1d 5d c8 84 c8 fa-c0 07 06 0c 99 ef 0f cf   CV.]............
    00b0 - 7b 74 0f ab 54 ce e8 72-23 17 76 9f b9 f8 bf 92   {t..T..r#.v.....
    00c0 - 8c ce d3 c9 8f 03 7f c8-57 2f d9 f2 f5 56 38 d8   ........W/...V8.

    Start Time: 1740077790
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: D6E9F99048747DFBD97CD09C18B4AC72ACDE587B830D92E4526F425863931640
    Session-ID-ctx: 
    Resumption PSK: B9834E737D4FA26FDE13B3C426A17E7836B20DCFE473651D4B38ED3F88908AB8D4C2936B262F40A6A3DBACB7B6270DE3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 34 82 bf fd 94 63 a3 02-7b 41 e7 18 a5 fa fd 45   4....c..{A.....E
    0010 - 09 3e 6e ec af 5b 62 db-06 76 51 3b e6 af d6 d0   .>n..[b..vQ;....
    0020 - 43 0b f5 17 04 81 72 9e-0a 97 5a ee 7f e8 22 01   C.....r...Z...".
    0030 - cb a8 36 62 6c 36 12 2f-88 5d f7 ba 55 71 bb b9   ..6bl6./.]..Uq..
    0040 - 33 94 32 f1 39 ef 7f 34-c6 15 ee b9 91 90 45 01   3.2.9..4......E.
    0050 - 90 5c d6 0a ab a9 08 43-a9 51 5c 35 db 88 80 91   .\.....C.Q\5....
    0060 - 50 a0 79 ae e0 dc b4 80-2e e6 e6 85 29 7d a5 fc   P.y.........)}..
    0070 - fe e7 9e 90 42 c7 fe 4a-ee 2f b7 85 5b 74 91 a5   ....B..J./..[t..
    0080 - 21 0e 74 9e ea 00 bc 35-7e 26 6d f7 81 86 6d 45   !.t....5~&m...mE
    0090 - 38 3b 5d 18 de 1b 34 17-51 4f 44 de bc 98 c5 7f   8;]...4.QOD.....
    00a0 - 85 a8 93 c0 c8 09 6e e5-48 6b f9 f5 32 a5 e4 3e   ......n.Hk..2..>
    00b0 - 6c c1 d3 d6 43 ea 62 ff-32 af 3d 8a bc 87 0f cc   l...C.b.2.=.....
    00c0 - c1 07 5b d3 92 52 6d 26-2c 51 d4 5e a3 fe 50 9c   ..[..Rm&,Q.^..P.

    Start Time: 1740077790
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80428C4B1E7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%10 -cert /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/rsapss-default.pem
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEIM90NVQser7N96/+svFyBXPHwGiDOy8j+utgdi6cR6Q8
BDC5g05zfU+ib94Ts8QmoX54NrINz+RzZR1LOO0/iJCKuNTCk2smL0Cmo9ust7Yn
DeOhBgIEZ7d63qIEAgIcIKQGBAQBAAAArgcCBQDiXf9oswMCARc=
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run sanity test with RSA-PSS and SHA256

## Generating a new selfsigned certificate for pkcs11:type=private;id=%00%11
 openssl req -batch -noenc -x509 -new -key ${KEY} ${AARGS} -out ${CERT}


spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.pem
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=0 C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
verify error:num=18:self-signed certificate
verify return:1
depth=0 C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
verify return:1
---
Certificate chain
 0 s:C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
   i:C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
   a:PKEY: RSASSA-PSS, 3092 (bit); sigalg: RSASSA-PSS
   v:NotBefore: Feb 20 18:56:30 2025 GMT; NotAfter: Mar 22 18:56:30 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFKDCCA12gAwIBAgIUZJm+bq3whYZYpf06o1b0fp2jGvcwPQYJKoZIhvcNAQEK
MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC
ASAwZzELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMREwDwYDVQQHDAhO
ZXcgWW9yazEYMBYGA1UECgwPUEtDUzExIFByb3ZpZGVyMRgwFgYDVQQLDA9UZXN0
aW5nIEhhcm5lc3MwHhcNMjUwMjIwMTg1NjMwWhcNMjUwMzIyMTg1NjMwWjBnMQsw
CQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3Jr
MRgwFgYDVQQKDA9QS0NTMTEgUHJvdmlkZXIxGDAWBgNVBAsMD1Rlc3RpbmcgSGFy
bmVzczCCAaIwCwYJKoZIhvcNAQEKA4IBkQAwggGMAoIBgw1Fb3FCGQgEFET2Q88/
cJm7ktM/QqJjFhsTt/0NHOfxo+MDmYa47paSI938ZNmq7VufUU6V6exirMwZOnNs
GM1IVUU8nqIZYrVG9R36ntyyrapL1cmKtsNsGWuXR7MLXXUL1fzrJi3AVLVkpRds
vxHd1FUkdA5ztwZVA5C3c4pRhm95Wg138Oty62dhBebS+MfAhN/eN6i/1dgW962/
1goPK51K0c01ybA5ZVqca2uhjBRotQFWohV3+cWiSvVT9SimFyMb9+ZggQLYrvVO
tpFWcNH3r6ITDw+vvITl7ZBkjNIDbk7AX9fP6eHYaWT7XSdyXBAYzxYVgxjpfm5W
drlZEKjOk2mWTUVgfcSpyZvvpSujGs3AVuH+ONwIkaTnzH2d6DShLffhlvOeL+dQ
sYLEj2sqruVNRkIJBBYfrPzHDA4OTUIiDKGlTr+N8WT4K7/xWpdYIMGgYiv7IGD+
eGSTHT3vJ11xQFJkxEekGWfgNmqVVgjY3jP7kqpaXs3C52PbIQIDAQABo2kwZzAd
BgNVHQ4EFgQU/u9kmcx9NcIOGoz21Vn3kVFI3b4wHwYDVR0jBBgwFoAU/u9kmcx9
NcIOGoz21Vn3kVFI3b4wDwYDVR0TAQH/BAUwAwEB/zAJBgNVHREEAjAAMAkGA1Ud
EgQCMAAwPQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0B
AQgwCwYJYIZIAWUDBAIBogMCASADggGEAA0Q2phuFmhlldGA5hBOVrZMQq+FG6hP
K27t/XpDQAhzZRd342AJQ8/jwYkVfUnVrgsDl6DFLe7w+c2yB4jyqLf+G4vwq5Pt
EKmO5TVfCDkbhpyEsCjjvFxbObzsjHU2mRWDP10515N6sQC2uT2m8PSSP98+ngPY
Lk/9YtGepYEE+EuTscD1vmA4Yp+w+GXkH54p/uWimOJ8OWjr1mGITd8RI1WR0wRw
kNEKl//1lRU0GlzZXGnEEfNZMkQro0oqo6Jk2HLvwWKC7bD0UzZGJV3fX07mdWMJ
VoeHNDw1n1qEswjwZD+PN7gO7KI17Mf6XoXhHfKUuxlCZmprIPK8CZzjheX7U4PF
14sZeYo5DBA/w7koe2+JYB0wV2hOmNlpYLvUNRnxnWSTuzvb7pTIakedo22YAon3
TA8VjRzqAuPSQfaiLHjxg7tnZNhoxzuALvrEDWnbVsoKtkvXNbGxqI4EndAbzLKp
nVitDxNVpbXq5GiJ/zWWqecylvSx4Ub6qPdZ2g==
-----END CERTIFICATE-----
subject=C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
issuer=C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, ?, 0 bits
---
SSL handshake has read 2044 bytes and written 371 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 3092 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 96FB2CB88DB4EDE4E15455AA282DCD9851BBEDF0BE5DFFE8D20A2AFD2FDB4137
    Session-ID-ctx: 
    Resumption PSK: 18286D5CA8D26609E4A8F9267B75CF6E33772757DA7ACC99BB585428170755D0A72F4AA17C902ACB375378FEC15EDF92
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 42 57 f7 15 6e 93 5b 8a-29 32 c5 2c 9d d1 37 84   BW..n.[.)2.,..7.
    0010 - 1e fc 6b f5 ed 70 11 d1-08 c3 9a 5d 24 4a 78 e1   ..k..p.....]$Jx.
    0020 - 6b bd 27 d5 25 87 59 6c-13 40 90 46 d8 df c0 ba   k.'.%.Yl.@.F....
    0030 - e0 94 54 93 59 93 88 43-30 44 0d 14 9f dc 93 cc   ..T.Y..C0D......
    0040 - ac de d4 5c 8a bb 6b 9b-10 ae 27 14 2f d7 d7 41   ...\..k...'./..A
    0050 - da 1c df f7 6b 34 7b 81-62 d5 86 0d 51 f2 3d 71   ....k4{.b...Q.=q
    0060 - c4 71 75 db c4 e6 ed 14-4f 65 f4 3c 59 26 42 2e   .qu.....Oe.<Y&B.
    0070 - 19 aa 0b d7 fa ae 89 8f-cb d6 0d f5 dd 92 56 90   ..............V.
    0080 - e3 c8 83 94 e6 c6 4f cf-74 69 72 bf 48 3c 4a 27   ......O.tir.H<J'
    0090 - ae 6f e5 6c bd 15 81 fd-15 d1 57 43 c9 a2 7c 0b   .o.l......WC..|.
    00a0 - cf c7 24 d1 87 bf 60 01-1b 34 cf eb 3d 03 8e c0   ..$...`..4..=...
    00b0 - c6 f7 c2 26 98 99 af ea-ef 23 d8 f6 9b ec f4 19   ...&.....#......
    00c0 - c3 a5 0c 23 e2 ef 40 da-1f c5 2f 88 27 d9 dc 69   ...#..@.../.'..i

    Start Time: 1740077791
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 0808E41DB62681D1217C43DAB40C1A41488BE8523A92FDC674471686B98EFC75
    Session-ID-ctx: 
    Resumption PSK: 3C69176D385DE3D41E8E741101918DC695C938E9545BFF83D264F2B736842AD5D04A4DA88C24AABC05873C68E040B7D5
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 42 57 f7 15 6e 93 5b 8a-29 32 c5 2c 9d d1 37 84   BW..n.[.)2.,..7.
    0010 - 49 a1 51 0f 02 87 7c 7a-ca 49 1b 9e 9c e4 05 2d   I.Q...|z.I.....-
    0020 - 8d 50 8e 08 68 02 ee 8b-9a 5e 5a 96 c8 9b 7d 72   .P..h....^Z...}r
    0030 - 7c 89 9f 8d 2e 5f ac 3a-b1 1c ee e6 72 a7 45 db   |...._.:....r.E.
    0040 - 47 36 a2 0d e8 32 b5 e1-bc f0 48 77 47 03 f3 09   G6...2....HwG...
    0050 - b0 3d eb 13 a7 3e b7 b6-6e 62 59 02 6b d6 76 8d   .=...>..nbY.k.v.
    0060 - c1 11 00 2f 82 d7 03 c3-bc 58 43 81 89 b9 c2 01   .../.....XC.....
    0070 - 3d fa 6f da 2f 6a ee 88-91 89 a8 79 10 c6 4f 39   =.o./j.....y..O9
    0080 - 31 40 99 23 46 1d 33 cf-72 0c 06 0f a0 53 fb 48   1@.#F.3.r....S.H
    0090 - 0b 02 a8 2f 37 4f de 15-51 69 54 09 be 65 37 fd   .../7O..QiT..e7.
    00a0 - 8a 37 bb a6 ad 40 9b f6-54 e7 14 86 fb 79 3c 4e   .7...@..T....y<N
    00b0 - b4 45 99 04 ae 2e 0a 3a-e4 0e a1 1e 87 09 1f 26   .E.....:.......&
    00c0 - bd fe ff 33 60 c6 1b ba-47 bc ee bd 73 4d fd c6   ...3`...G...sM..

    Start Time: 1740077791
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
805202E2CC7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%11 -cert /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/rsapss-sha256.pem
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGCAgEBAgIDBAQCEwIEIHeLZFgt+LnFErTL17Jt8zoShOvsI4qTm1XSGd+9Oy3h
BDA8aRdtOF3j1B6OdBEBkY3Glck46VRb/4PSZPK3NoQq1dBKTaiMJKq8BYc8aOBA
t9WhBgIEZ7d636IEAgIcIKQGBAQBAAAArgYCBEEXFwizAwIBFw==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 TLS SUCCESSFUL 

Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
Q
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run sanity test with default values (ECDSA)
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.pem
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:20 2025 GMT; NotAfter: Feb 20 18:55:20 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTIwWhcNMjYwMjIwMTg1NTIwWjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATfwCWcTC4wH6LfjOB0cdjOVYE8LTwUOcC76v6FmSQSDD2f
VNkCez9Es/8S6JxGasCDljIAKe5k6LVv2GM1FybYo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFN3L9hHdh3weIW54WctiWIurkBBlMB8GA1UdIwQYMBaAFMmw
kQmvPyGsZyT6ot1DdE6oUzH2MA0GCSqGSIb3DQEBCwUAA4IBAQAxD1ySabv5y+B8
csfmFpguKim52yr2IF09WaReabTXNYMB7p2Ml1kD8hX8Q9+446+5LJh+Mw6DF2ZZ
0QhI03bt24XmUI4V9vTrmZe/e1h73MF66qLZZ5Yzns6MxlrHswSki2RK4X+UskBY
iRnjgGXM87q5R+TKXByNi/E7+1xzOnXM8amOCuVz3TZCcnNYaWeRluDkt1IjXiRl
i5v1vC1YuyupQm/7oINsfD4oJTY8yr8Wa/Cz6RwwfblAMwYfmWCnXL0MB2Pr/Hxp
a1YK5JrSMkuU4w/5Mxd3gZmo9zKljF0ZP7SS8YKFex/tBRle1/msjVPwLJ8R8UqA
/ZnfWN6I
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, ?, 0 bits
---
SSL handshake has read 1033 bytes and written 371 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: CF5A0626CB63A397F116E2D678D5CE1488B442BF9DEDEA77776731426D4A30BA
    Session-ID-ctx: 
    Resumption PSK: A46ADC2C14F2FDDDB178DA39D9EA77F52B56F46DB8778D09AAB769282FFBE90A3A0C01AF15771F4AEA39DE320D354D95
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 75 ef b6 7e 01 66 50 25-92 34 8e 72 d6 21 4f bf   u..~.fP%.4.r.!O.
    0010 - 31 a7 c6 19 b9 ae fd 5d-c9 5a 52 ed d6 35 37 bf   1......].ZR..57.
    0020 - 2f 23 da ea 40 0e 7f 01-9c 31 7b 6c 88 95 fa 0d   /#..@....1{l....
    0030 - 51 f8 13 ef 52 cb 11 6f-83 46 2d 7c 9f 56 98 dd   Q...R..o.F-|.V..
    0040 - fc a8 e5 a5 6b 9c 74 d4-2b 1e 68 30 69 26 77 5a   ....k.t.+.h0i&wZ
    0050 - 09 dd 7d d8 69 ce 53 20-ac 97 60 4d c3 ff 3a 29   ..}.i.S ..`M..:)
    0060 - 27 c9 df d9 e8 94 09 e9-0e 7a de 5c be 59 f9 12   '........z.\.Y..
    0070 - b7 8a f8 50 e1 6d f2 c0-44 0b dd 96 5b c3 bc 03   ...P.m..D...[...
    0080 - bd 38 85 44 3b 7c 92 d7-b8 f5 7f a7 69 f7 ae dd   .8.D;|......i...
    0090 - 2a 7b 28 6e a8 54 20 3d-ee dc 42 94 0f 21 8b b3   *{(n.T =..B..!..
    00a0 - a2 c0 19 99 fc df 33 0d-ca b8 18 02 de 1a 2c 1b   ......3.......,.
    00b0 - de 1d a9 a9 e1 73 37 24-53 08 e4 57 25 85 46 36   .....s7$S..W%.F6
    00c0 - a3 91 72 b3 78 bc 83 2c-7f ef 8b 3d f6 e4 b0 2d   ..r.x..,...=...-

    Start Time: 1740077791
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: E302E919F9E9793F222ECCDCBC94B82BE0CC52FE771F466683DC495C7F0F90DB
    Session-ID-ctx: 
    Resumption PSK: AEA665B6DECE22FA5FC1D127E5ED0F5B4F8EE8B212F8EA885D1A757C880618300AA939B4217002F178EC83D6E5198BB4
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 75 ef b6 7e 01 66 50 25-92 34 8e 72 d6 21 4f bf   u..~.fP%.4.r.!O.
    0010 - af 07 1e 15 fc 51 84 87-75 d0 22 90 2b 3b ac d5   .....Q..u.".+;..
    0020 - 3e 5d 94 42 7b 45 2f 8f-6d 6c 03 9f 0e 6b 7d c1   >].B{E/.ml...k}.
    0030 - db 6a dd 4e 63 fa 04 c5-6c 1e c0 87 5b 40 63 a9   .j.Nc...l...[@c.
    0040 - f0 98 34 6b b0 18 9f 19-ea c4 4b 56 c6 6f fd bb   ..4k......KV.o..
    0050 - e2 55 70 ae 6b 25 fd b7-30 63 14 c0 6f 28 46 48   .Up.k%..0c..o(FH
    0060 - 86 2c 10 21 d8 cd 80 d8-a4 ea 74 60 e2 ee ad 6b   .,.!......t`...k
    0070 - 33 f0 54 dc 04 52 8a 66-0d 6d 8f fc 1a 2c 95 12   3.T..R.f.m...,..
    0080 - 29 c1 de a1 86 9a 05 67-b7 15 3b 01 75 1a c1 68   )......g..;.u..h
    0090 - 6b d6 4a c8 db 44 5b 02-27 31 9e b1 20 18 ed bc   k.J..D[.'1.. ...
    00a0 - a4 64 31 1b 56 48 35 80-40 90 50 e8 1c 37 0b 45   .d1.VH5.@.P..7.E
    00b0 - 1a d7 92 81 c1 06 15 60-c8 7e 0f 71 1c 04 13 4a   .......`.~.q...J
    00c0 - c8 52 a5 c6 5b 17 94 e2-85 1c ee 80 78 91 3a 26   .R..[.......x.:&

    Start Time: 1740077791
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80329D70EE7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEICgad27S1zWj8O0R5zKCqqutg2uga0hRT/BchoY/i0l8
BDCupmW23s4i+l/B0Sfl7Q9bT47oshL46ohdGnV8iAYYMAqpObQhcALxeOyD1uUZ
i7ShBgIEZ7d636IEAgIcIKQGBAQBAAAArgcCBQC8T6KnswMCARc=
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192Q

CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.2
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.pem -tls1_2
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My Test Cert
   i:CN=Issuer
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:20 2025 GMT; NotAfter: Feb 20 18:55:20 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTIwWhcNMjYwMjIwMTg1NTIwWjAxMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBALm3yR1R7RWPTizyj7ufv1F12QSxcEPNbNVh
QrO8FSMmSkfgTl4jDx7ZbJyV0+MP0hqkVkkliDIk9yeo8/fnI2P8ybYPbe5imu13
q41dTnDeW1DvDC/+F1UwbwRBcpyALiFLzNsUudkhduTAJb4xzH2TzH4m8sIDzNP2
3MDkeHd0zORE4zCqSLW8PPijA7OhXFUe6W9/+2RECSAtAxERM+NiVur0z0IeoYuq
jsjIwadIRbXkuM2Ky0e0ljrQc4JErOZCSuSrdCJA15XQZ7Nk5vb/Y6U+ONfPtjhq
XHb/XEDbgy4bXreqVvPdUHLefYLddwdm+HBpE7NBAu73gsbuVR0CAwEAAaOBgTB/
MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBQZch6d4yNBJWROeQzlCL3wLZNaUzAf
BgNVHSMEGDAWgBTJsJEJrz8hrGck+qLdQ3ROqFMx9jANBgkqhkiG9w0BAQsFAAOC
AQEAmZyF8A2Rz5B3r0iiQiqTzIZ9eSnUmjHiDY2OYlzCcpfh9SjL7nHAbFDVFMfF
/Fz4ChfyBaMQQX6kQdR1Qa12Cw63QyCzgCNbb+MhCrXXCz7s7r0aqBOnswPOM62B
wmPgAxXHKI/kShJbTx/UBLU/vQnU/Zq4axn4DfeBpZXgfYWVdqz7BuQl0pR9v3EB
Ip7pcBpQimiKLlMZL+p25xppQl0B3g0YvyT8T8vIJPLN6sENrNsk7jlkbcAABDmE
raNjDehuo06O0UZnFj/vhZxAxtGIg/y10adK9MWeg+Q40ut530JOJrtSIT/uogaf
O9r0K/U/hmT+tgz2yax0MBk5wg==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1509 bytes and written 274 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: C301C509764A5AE523A7061D0C90361A81C11AE60105183293A2F3AB4E2F21C7
    Session-ID-ctx: 
    Master-Key: 21EB027F162CABBC14E4549549CA0D437D334E327016A8E2B581B7A4F26E6D1D285B8B60BB4DF965EC8903FE2B7ADEAC
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 00 87 8a 15 3d 2c 1d 89-03 ae d8 e0 c3 7b 98 39   ....=,.......{.9
    0010 - b7 95 79 b9 47 eb 7b b3-f0 26 2d 56 58 f0 c5 3e   ..y.G.{..&-VX..>
    0020 - 29 1c 59 a6 54 e4 1e f0-75 34 13 35 13 16 7e 59   ).Y.T...u4.5..~Y
    0030 - 60 c4 06 38 d2 79 3e d6-58 9b 31 11 13 0a f4 a3   `..8.y>.X.1.....
    0040 - 98 d9 f4 08 63 aa 42 c0-52 29 df 65 39 ee 1c 5c   ....c.B.R).e9..\
    0050 - de a8 28 89 54 5b ce 11-a3 34 8d 27 25 5e 3c 36   ..(.T[...4.'%^<6
    0060 - 07 4b 58 1f cf 6d c8 35-b4 46 0d 3b 0a ec 44 4e   .KX..m.5.F.;..DN
    0070 - 0c 11 7e 5b 60 b9 61 32-9b 46 44 d6 8c ec d2 fe   ..~[`.a2.FD.....
    0080 - 94 63 4b a8 a3 96 4c 7a-b2 1c 64 8c d4 4b be 51   .cK...Lz..d..K.Q
    0090 - c8 38 58 bb 5d 7b 50 f6-3d 41 58 d5 0d f9 4f 9c   .8X.]{P.=AX...O.
    00a0 - 68 1d c4 d4 f9 1f dc 02-2f b1 2d 8b 7f 67 e3 7e   h......./.-..g.~

    Start Time: 1740077791
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
 TLS SUCCESSFUL 
80022E4AA87F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALAMAQABDAh6wJ/FiyrvBTkVJVJyg1DfTNOMnAWqOK1gbek8m5t
HShbi2C7Tfll7IkD/it63qyhBgIEZ7d636IEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1:secp521r1:secp384r1
Shared groups: secp256r1:secp521r1:secp384r1
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with explicit TLS 1.3
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.pem -tls1_3
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My Test Cert
   i:CN=Issuer
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:20 2025 GMT; NotAfter: Feb 20 18:55:20 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTIwWhcNMjYwMjIwMTg1NTIwWjAxMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBALm3yR1R7RWPTizyj7ufv1F12QSxcEPNbNVh
QrO8FSMmSkfgTl4jDx7ZbJyV0+MP0hqkVkkliDIk9yeo8/fnI2P8ybYPbe5imu13
q41dTnDeW1DvDC/+F1UwbwRBcpyALiFLzNsUudkhduTAJb4xzH2TzH4m8sIDzNP2
3MDkeHd0zORE4zCqSLW8PPijA7OhXFUe6W9/+2RECSAtAxERM+NiVur0z0IeoYuq
jsjIwadIRbXkuM2Ky0e0ljrQc4JErOZCSuSrdCJA15XQZ7Nk5vb/Y6U+ONfPtjhq
XHb/XEDbgy4bXreqVvPdUHLefYLddwdm+HBpE7NBAu73gsbuVR0CAwEAAaOBgTB/
MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBQZch6d4yNBJWROeQzlCL3wLZNaUzAf
BgNVHSMEGDAWgBTJsJEJrz8hrGck+qLdQ3ROqFMx9jANBgkqhkiG9w0BAQsFAAOC
AQEAmZyF8A2Rz5B3r0iiQiqTzIZ9eSnUmjHiDY2OYlzCcpfh9SjL7nHAbFDVFMfF
/Fz4ChfyBaMQQX6kQdR1Qa12Cw63QyCzgCNbb+MhCrXXCz7s7r0aqBOnswPOM62B
wmPgAxXHKI/kShJbTx/UBLU/vQnU/Zq4axn4DfeBpZXgfYWVdqz7BuQl0pR9v3EB
Ip7pcBpQimiKLlMZL+p25xppQl0B3g0YvyT8T8vIJPLN6sENrNsk7jlkbcAABDmE
raNjDehuo06O0UZnFj/vhZxAxtGIg/y10adK9MWeg+Q40ut530JOJrtSIT/uogaf
O9r0K/U/hmT+tgz2yax0MBk5wg==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, ?, 0 bits
---
SSL handshake has read 1424 bytes and written 343 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 508AA85A61AF7AFC4C0BC884F26DBC5F4D9E7301AA4216EB7FF1B3765E7E7F78
    Session-ID-ctx: 
    Resumption PSK: 251474B688B15E1760B1D1ED4C89EB2D7229D4CE5DB53CD363DC003118337F7FC568CA03CDDA758F23DEEC3D767283D8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - b6 b9 ce 01 8f 1f 8b bb-14 e5 2c ee c2 71 4a 0e   ..........,..qJ.
    0010 - b5 5f 56 99 85 84 26 bf-2b f7 c8 24 2d 89 be 2b   ._V...&.+..$-..+
    0020 - ce 6e de 92 ba f3 ce 66-bf 09 f7 8d 27 06 43 6f   .n.....f....'.Co
    0030 - 8b 42 cf 31 86 cf 7d ee-97 64 8c 58 14 32 77 c7   .B.1..}..d.X.2w.
    0040 - 2f 6a 73 11 19 68 b7 fa-a9 15 07 4a 0c 84 0d 31   /js..h.....J...1
    0050 - 55 9c 39 00 3e 05 50 35-fc 4b 86 a8 0a 4b 4b ff   U.9.>.P5.K...KK.
    0060 - 61 c9 3a 3d 10 c6 e8 b9-0d 6c a0 a3 eb 3f fe 40   a.:=.....l...?.@
    0070 - d8 ae 58 31 f1 6b ca 1e-6d 19 fe 0c 1d 1b 85 ad   ..X1.k..m.......
    0080 - 74 21 bc c3 b0 1c 2e 20-4e 9b 9f f4 5d 05 00 35   t!..... N...]..5
    0090 - e4 3b 80 04 f7 8a 8f e1-36 2a 98 3f 46 86 4c d7   .;......6*.?F.L.
    00a0 - 15 ff 1a dd 6f fa fc d9-d5 38 6c 29 85 b6 91 6b   ....o....8l)...k
    00b0 - 62 25 e6 0e 0d 19 7b bf-6e 49 92 c6 72 49 c0 a0   b%....{.nI..rI..
    00c0 - bd e2 26 97 42 10 33 4c-55 f6 54 33 1b ec 9c 1e   ..&.B.3LU.T3....

    Start Time: 1740077791
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 1FF4FEC68347B05FF09B4BBF8E364BC4A7F399621472193832EF26C7A476C925
    Session-ID-ctx: 
    Resumption PSK: 800DF9C2A5C7E3EA9A125A12EBD2FF3275ECB6C4FA040C05DCD79B77F0019D0F4F3388C58997B39F613DD4F032500134
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - b6 b9 ce 01 8f 1f 8b bb-14 e5 2c ee c2 71 4a 0e   ..........,..qJ.
    0010 - 96 fa 69 62 50 07 98 2d-c0 a9 b5 4d 52 af 37 6a   ..ibP..-...MR.7j
    0020 - c9 78 70 1e e6 bf a1 ff-14 a2 b9 3b 21 ae 98 40   .xp........;!..@
    0030 - ef e6 74 08 7f 60 ca 91-2a 10 a7 b2 80 3f c8 10   ..t..`..*....?..
    0040 - 4e d3 7f e0 d1 c5 93 b2-d7 27 80 56 96 32 d7 05   N........'.V.2..
    0050 - dd 39 97 f9 90 d5 d3 7a-68 df 85 55 69 cf 41 84   .9.....zh..Ui.A.
    0060 - 45 a6 15 cd 69 b1 19 98-ef 2f bc ea cb af a1 96   E...i..../......
    0070 - fa 9f 46 24 44 82 ec a0-d7 c6 4b 35 17 13 c8 33   ..F$D.....K5...3
    0080 - db 5c 32 cc cf 40 32 92-43 19 3f 0f 0a 34 11 c3   .\2..@2.C.?..4..
    0090 - d4 60 9c e7 de 97 25 73-b1 44 6d 8e 29 9c 4d 63   .`....%s.Dm.).Mc
    00a0 - 23 23 de 11 43 f0 fa f2-51 c8 3b 35 d7 0d 7f ce   ##..C...Q.;5....
    00b0 - 9a a7 fc 61 76 08 6a f8-b9 a2 ed 9a ac a2 b0 f4   ...av.j.........
    00c0 - e1 86 2b 90 df 79 56 b8-11 b0 36 99 26 f2 f5 1f   ..+..yV...6.&...

    Start Time: 1740077791
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80121947E97F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGCAgEBAgIDBAQCEwIEIAHDCaH13FFai9voMIAhSTlo7bq1Wf4uer61XeEeXxD2
BDCADfnCpcfj6poSWhLr0v8ydey2xPoEDAXc15t38AGdD08ziMWJl7OfYT3U8DJQ
ATShBgIEZ7d636IEAgIcIKQGBAQBAAAArgYCBC7e3ECzAwIBFw==
-----END SSL SESSION PARAMETERS-----
 TLS SUCCESSFUL 
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.Q

DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.2 (ECDSA)
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.pem -tls1_2
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:20 2025 GMT; NotAfter: Feb 20 18:55:20 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTIwWhcNMjYwMjIwMTg1NTIwWjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATfwCWcTC4wH6LfjOB0cdjOVYE8LTwUOcC76v6FmSQSDD2f
VNkCez9Es/8S6JxGasCDljIAKe5k6LVv2GM1FybYo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFN3L9hHdh3weIW54WctiWIurkBBlMB8GA1UdIwQYMBaAFMmw
kQmvPyGsZyT6ot1DdE6oUzH2MA0GCSqGSIb3DQEBCwUAA4IBAQAxD1ySabv5y+B8
csfmFpguKim52yr2IF09WaReabTXNYMB7p2Ml1kD8hX8Q9+446+5LJh+Mw6DF2ZZ
0QhI03bt24XmUI4V9vTrmZe/e1h73MF66qLZZ5Yzns6MxlrHswSki2RK4X+UskBY
iRnjgGXM87q5R+TKXByNi/E7+1xzOnXM8amOCuVz3TZCcnNYaWeRluDkt1IjXiRl
i5v1vC1YuyupQm/7oINsfD4oJTY8yr8Wa/Cz6RwwfblAMwYfmWCnXL0MB2Pr/Hxp
a1YK5JrSMkuU4w/5Mxd3gZmo9zKljF0ZP7SS8YKFex/tBRle1/msjVPwLJ8R8UqA
/ZnfWN6I
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1119 bytes and written 274 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: 14C49EDA785DA74FBD9C6A1E943E605945FFE81411799FE61675796FF7B5999C
    Session-ID-ctx: 
    Master-Key: 198244FB9A6FB0146913E43EE02041A2969352441355D210AD4A2DADF94EC9E265863C0E963633895EFDDDF4B951E348
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 16 46 19 91 82 ba 4c c6-9f db 0e ba 3e 6d 70 9f   .F....L.....>mp.
    0010 - 66 33 b6 62 1f 33 75 04-60 b8 8d b6 d7 1a 1f 46   f3.b.3u.`......F
    0020 - 7a f9 a3 fb ae e8 91 7b-84 ef 16 08 90 65 19 27   z......{.....e.'
    0030 - e4 87 a4 c7 bf df 5d 37-f5 40 86 74 b8 48 71 8a   ......]7.@.t.Hq.
    0040 - 18 35 f3 7e 28 62 b3 50-f7 7a 2c c8 d2 fe 28 ce   .5.~(b.P.z,...(.
    0050 - 49 36 aa ef b5 f6 85 64-38 d3 78 45 f5 d2 13 65   I6.....d8.xE...e
    0060 - 99 3c d2 1d 80 8f 27 dc-13 8d 6f 7c 33 f7 7a 38   .<....'...o|3.z8
    0070 - e7 0b 4e d7 7b 46 60 fc-48 bc 8d 6a b5 c6 16 15   ..N.{F`.H..j....
    0080 - ec b6 d6 26 a8 60 04 ca-06 c4 91 83 11 6d ca 1d   ...&.`.......m..
    0090 - a0 ec 86 2a 32 c7 49 0f-69 62 78 d8 37 66 1d 16   ...*2.I.ibx.7f..
    00a0 - 86 6d 0e b7 84 89 fb 53-b0 8e c8 8c 51 c9 ab 67   .m.....S....Q..g

    Start Time: 1740077791
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
 TLS SUCCESSFUL 
80E285E7CC7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert -tls1_2
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALALAQABDAZgkT7mm+wFGkT5D7gIEGilpNSRBNV0hCtSi2t+U7J
4mWGPA6WNjOJXv3d9LlR40ihBgIEZ7d636IEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1:secp521r1:secp384r1
Shared groups: secp256r1:secp521r1:secp384r1
CIPHER is ECDHE-ECDSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.2 and ECDH
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.pem -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 -groups secp256r1
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:20 2025 GMT; NotAfter: Feb 20 18:55:20 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTIwWhcNMjYwMjIwMTg1NTIwWjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATfwCWcTC4wH6LfjOB0cdjOVYE8LTwUOcC76v6FmSQSDD2f
VNkCez9Es/8S6JxGasCDljIAKe5k6LVv2GM1FybYo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFN3L9hHdh3weIW54WctiWIurkBBlMB8GA1UdIwQYMBaAFMmw
kQmvPyGsZyT6ot1DdE6oUzH2MA0GCSqGSIb3DQEBCwUAA4IBAQAxD1ySabv5y+B8
csfmFpguKim52yr2IF09WaReabTXNYMB7p2Ml1kD8hX8Q9+446+5LJh+Mw6DF2ZZ
0QhI03bt24XmUI4V9vTrmZe/e1h73MF66qLZZ5Yzns6MxlrHswSki2RK4X+UskBY
iRnjgGXM87q5R+TKXByNi/E7+1xzOnXM8amOCuVz3TZCcnNYaWeRluDkt1IjXiRl
i5v1vC1YuyupQm/7oINsfD4oJTY8yr8Wa/Cz6RwwfblAMwYfmWCnXL0MB2Pr/Hxp
a1YK5JrSMkuU4w/5Mxd3gZmo9zKljF0ZP7SS8YKFex/tBRle1/msjVPwLJ8R8UqA
/ZnfWN6I
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1119 bytes and written 252 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Session-ID: 52ED662BA213514F5C5258E73E802A66AFEBD158D3FD91CF9AA30FE957818728
    Session-ID-ctx: 
    Master-Key: F3A96377C2CD01B31AB1B5C08787B7AA1181A880AD84101FDCCAF91E9C0B6CBD4BE26210A2191E9FAB89B49D994146AB
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - f5 36 4c 42 56 2a 45 69-39 e8 a9 5d 6b 59 8b 0c   .6LBV*Ei9..]kY..
    0010 - 4c 5a 3f 00 b5 1d ea 41-17 df 8e cd b1 2d 8f 2b   LZ?....A.....-.+
    0020 - 77 1c d8 da fe 49 35 3b-82 db df b6 62 91 35 b3   w....I5;....b.5.
    0030 - 3c 0e e2 c3 e1 38 94 dc-54 5d 09 c8 69 53 b1 7e   <....8..T]..iS.~
    0040 - 03 2b 37 14 30 f0 32 2c-10 4e 15 51 59 ad 38 34   .+7.0.2,.N.QY.84
    0050 - 3f ad db 5d f9 5e a5 fc-cc 8c 19 55 4c f0 2b ec   ?..].^.....UL.+.
    0060 - 16 be 33 f4 35 57 5d 59-5a 9a 4a 2d 62 45 a0 c4   ..3.5W]YZ.J-bE..
    0070 - f2 2e ad 2a e1 85 7e 2a-f9 15 9e f8 78 ca bc 62   ...*..~*....x..b
    0080 - 9e 96 86 49 47 8d a5 36-fb 97 5b e7 bb 02 43 c3   ...IG..6..[...C.
    0090 - c7 a2 ee d0 d5 d9 66 b6-68 c6 44 66 2f 95 b4 08   ......f.h.Df/...
    00a0 - 06 18 27 5d ac ff 32 ae-d0 4b 9f 46 e6 b4 4e 66   ..']..2..K.F..Nf

    Start Time: 1740077791
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
 TLS SUCCESSFUL 
80B23D24AA7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALAKwQABDDzqWN3ws0BsxqxtcCHh7eqEYGogK2EEB/cyvkenAts
vUviYhCiGR6fq4m0nZlBRquhBgIEZ7d636IEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:ECDHE-ECDSA-AES128-GCM-SHA256
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1
Shared groups: secp256r1
CIPHER is ECDHE-ECDSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.3 and specific suite
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/softhsm/caCert.pem -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384 -groups secp256r1
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:20 2025 GMT; NotAfter: Feb 20 18:55:20 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTIwWhcNMjYwMjIwMTg1NTIwWjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATfwCWcTC4wH6LfjOB0cdjOVYE8LTwUOcC76v6FmSQSDD2f
VNkCez9Es/8S6JxGasCDljIAKe5k6LVv2GM1FybYo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFN3L9hHdh3weIW54WctiWIurkBBlMB8GA1UdIwQYMBaAFMmw
kQmvPyGsZyT6ot1DdE6oUzH2MA0GCSqGSIb3DQEBCwUAA4IBAQAxD1ySabv5y+B8
csfmFpguKim52yr2IF09WaReabTXNYMB7p2Ml1kD8hX8Q9+446+5LJh+Mw6DF2ZZ
0QhI03bt24XmUI4V9vTrmZe/e1h73MF66qLZZ5Yzns6MxlrHswSki2RK4X+UskBY
iRnjgGXM87q5R+TKXByNi/E7+1xzOnXM8amOCuVz3TZCcnNYaWeRluDkt1IjXiRl
i5v1vC1YuyupQm/7oINsfD4oJTY8yr8Wa/Cz6RwwfblAMwYfmWCnXL0MB2Pr/Hxp
a1YK5JrSMkuU4w/5Mxd3gZmo9zKljF0ZP7SS8YKFex/tBRle1/msjVPwLJ8R8UqA
/ZnfWN6I
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, ?, 0 bits
---
SSL handshake has read 1035 bytes and written 327 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 4D782D811E4365D3551983920DC5F81F6456BBC284EC7CE18B8921FD2BB29096
    Session-ID-ctx: 
    Resumption PSK: 6B4A494A4D8F78C8DED1C16041A703F720AAFA291E060F3CC913BDE623880AEAFA7D8288A8C41847255A78E6F94C1962
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 42 79 e5 b1 81 dc c5 d4-c4 87 7a d3 72 c0 fd c8   By........z.r...
    0010 - e4 8f ab 1b 73 9a bb 01-88 41 5a 52 35 c7 f3 e1   ....s....AZR5...
    0020 - 68 27 37 e2 2e 8c 9a 23-20 24 5c 05 8e 13 04 5e   h'7....# $\....^
    0030 - d6 27 85 17 c2 5d 3e 07-38 ce 03 68 d4 15 4d 78   .'...]>.8..h..Mx
    0040 - a6 e2 60 d7 00 33 9b 62-5e 2c f9 c7 49 1c 2f 78   ..`..3.b^,..I./x
    0050 - 46 5c 58 93 d1 08 0a 15-43 74 cf e1 22 49 0b b2   F\X.....Ct.."I..
    0060 - d1 e7 a8 87 09 82 6f 6d-12 b1 10 15 43 33 42 af   ......om....C3B.
    0070 - f2 af d0 d7 43 ac ff 2d-69 42 e5 48 a0 0d be 82   ....C..-iB.H....
    0080 - 5d 73 82 9e 8d 4e b4 5d-d6 ac 5d e5 35 64 03 88   ]s...N.]..].5d..
    0090 - 1f 5b ab af 96 43 2c 5a-0d 31 4c 64 47 14 ee f1   .[...C,Z.1LdG...
    00a0 - 41 91 83 ff 5c 85 5b f4-e7 8d 23 59 69 06 f1 9f   A...\.[...#Yi...
    00b0 - 97 9b fd f9 67 b1 3e 9e-c9 ed bc e2 19 7f ef 77   ....g.>........w
    00c0 - 89 ca 6a 31 25 c7 1f 7b-17 a0 53 fd 83 72 66 3d   ..j1%..{..S..rf=

    Start Time: 1740077792
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 220DFC2F99164C2AD2E2704162338FF5E4436279FD6C96EEB8E61113B861AE87
    Session-ID-ctx: 
    Resumption PSK: FD0D56598078803384B7E09C2DBAE8AB40D4623843BCB73DED77E5F72299EAC44EDFBF1C2B3BFC9B82C080627E192EDF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 42 79 e5 b1 81 dc c5 d4-c4 87 7a d3 72 c0 fd c8   By........z.r...
    0010 - 49 bc 20 8e 90 13 65 cc-74 0f 1f 3a ed de 63 d7   I. ...e.t..:..c.
    0020 - f3 8d 86 ad 8c cd 61 84-59 6d 9e 71 e2 ff cf bf   ......a.Ym.q....
    0030 - 0d 39 db 0b 38 c9 4e 1b-ab fc 10 20 b4 6d 56 6d   .9..8.N.... .mVm
    0040 - 88 57 d3 0b 54 ca ea 63-6e e6 bb 79 91 85 24 4f   .W..T..cn..y..$O
    0050 - a5 e1 57 c2 92 ba 61 6e-48 e2 a2 eb 1b 5e 80 cf   ..W...anH....^..
    0060 - 99 d2 a4 0d 24 43 54 60-bc 9c 1c 44 50 2e a3 db   ....$CT`...DP...
    0070 - e7 f3 60 53 32 4c 1f fe-4d eb 39 aa b1 3b f8 a9   ..`S2L..M.9..;..
    0080 - 56 40 5e f5 eb 1e fd 90-1a 69 e7 9f c2 95 b7 1f   V@^......i......
    0090 - 3c 6a 36 58 67 72 2a 03-d3 74 02 ca 5f d6 c9 3f   <j6Xgr*..t.._..?
    00a0 - 00 4a 09 14 22 72 c6 4f-f1 ed 20 d9 d2 b8 48 1c   .J.."r.O.. ...H.
    00b0 - 6d b9 48 ff 84 c7 3b 84-d1 90 51 6b 10 6d 79 b7   m.H...;...Qk.my.
    00c0 - 57 88 87 39 0c 97 94 19-df dc e3 c5 41 14 43 67   W..9........A.Cg

    Start Time: 1740077792
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80020D73777F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGCAgEBAgIDBAQCEwIEIACYAqkQ1w9U2v8jkiWzZcWEGeXXgKARla0+W3Y/dFHE
BDD9DVZZgHiAM4S34JwtuuirQNRiOEO8tz3td+X3IpnqxE7fvxwrO/ybgsCAYn4Z
Lt+hBgIEZ7d64KIEAgIcIKQGBAQBAAAArgYCBHiaANyzAwIBFw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Supported groups: secp256r1
Shared groups: secp256r1
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

                                      ##
########################################

Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGCAgEBAgIDBAQCEwIEIACYAqkQ1w9U2v8jkiWzZcWEGeXXgKARla0+W3Y/dFHE
BDD9DVZZgHiAM4S34JwtuuirQNRiOEO8tz3td+X3IpnqxE7fvxwrO/ybgsCAYn4Z
Lt+hBgIEZ7d64KIEAgIcIKQGBAQBAAAArgYCBHiaANyzAwIBFw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Supported groups: secp256r1
Shared groups: secp256r1
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)
==============================================================================

=================================== 76/92 ====================================
test:         pkcs11-provider:kryoptic / tls
start time:   18:56:32
duration:     3.28s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=94 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper tls-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/ttls

## Test SSL_CTX creation
SSL Context works!

## Test setting cert/keys on TLS Context
Cert and Key successfully set on TLS Context!

## Test setting cert/keys on TLS Context w/o pub key
Cert and Key successfully set on TLS Context!

## Test an actual TLS connection
########################################
## TLS with key in provider


## Run sanity test with default values (RSA)
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.pem
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My Test Cert
   i:CN=Issuer
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:23 2025 GMT; NotAfter: Feb 20 18:55:23 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTIzWhcNMjYwMjIwMTg1NTIzWjAxMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAJo9UsjLoxTrA++RBh+DD3NZECq4H1sr1sML
VSiSZxj5NrFiqTNXirImptY2wphstSF3PJ5r8BRpg6DqWNxvLRSxQMUqRKjxhW2f
sM95DpFHqHTv2LOdIdnJ/2xQ8RdoYhIcc3qeCmdpbEoTUW5HQcJ/ALyn/WQie8qp
6N2Vg29KcWMc3pKn9gwRUv2NehCNJsVZpD40xI/ORYlsQUtnk7PGDdFAJ76EZ5AA
A0bpZT/74I5dMKq/pLGp6InGQ5TnsydjTgPMBhSVQfraOqbTNQ2VozRAagXfNO/b
WS+aAeAHkfFTbLQRMbmgdJzyOVlhXKJwsHe9iwvbsrqrvECJjWMCAwEAAaOBgTB/
MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBS4LQOR1lpq8ED5sLonItzjTVol1jAf
BgNVHSMEGDAWgBQ3lnNm23RyC8RwFwwhYScl59nmLTANBgkqhkiG9w0BAQsFAAOC
AQEAbZEhJ23VxLFQO0dU8YEOl6uBPgbtfpNDzgOTfN9NPtWP2WFAYDsK0TD3f6Z6
WxVOZnt1vUEepEBeIB3U3OBHSR3Y6Ebmd36f2HzEe/JeC1xE2QoYOfeED0xMqvzk
+nyyjm4wzw6/NI8XzcrMl90o2pN66H4MfkNaDa8lMbw0dl75R9ndIgj6qAdWO1aO
NfdQRwfr/WuVmLYINCKfqbzAUcIGQa9CP280eHHpxHjFMYx8KuN12p7Z6XgerGGw
I5zfK7/sUrNaHYj4VTvKh2+HV0PnduQm0fcvdZkz07WUE0KGeRF92/iLd/jRZVK9
c01T6npGwA96fIt9JdMQNughzw==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1424 bytes and written 371 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 93C288D36CC83968448B015DBD35A567875E8161C66D3EC48AA8D2B021F0D843
    Session-ID-ctx: 
    Resumption PSK: 828E722C087247EC529C1A74CC70A07CA76945E3D81EDAE4850D25A8ED424F043F415A43502BD29D8756CA5135BF06F4
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - be 0c ef e5 3c 26 bb ef-33 67 87 30 57 fe a6 9b   ....<&..3g.0W...
    0010 - 82 3c 49 c9 a4 67 0d e5-e3 2e 8c b0 70 82 96 30   .<I..g......p..0
    0020 - 11 97 df 41 ae f9 90 fb-f5 78 73 6b 78 68 65 89   ...A.....xskxhe.
    0030 - 9e 54 04 54 ba 32 f7 5e-6b 22 5a 39 6b d9 90 9e   .T.T.2.^k"Z9k...
    0040 - 7f ec 39 7f e6 fa c7 61-13 48 48 3b 95 f0 08 63   ..9....a.HH;...c
    0050 - d3 f7 5b da ec bc a3 98-9c 3e b4 f7 60 d7 31 9d   ..[......>..`.1.
    0060 - 81 62 e1 b5 12 44 81 9a-55 41 58 b9 15 88 8a a8   .b...D..UAX.....
    0070 - d0 88 0d 50 56 58 05 54-c6 64 f0 36 51 80 2e 15   ...PVX.T.d.6Q...
    0080 - 49 7a 85 17 d1 78 44 37-f9 f0 81 8b a6 18 78 d9   Iz...xD7......x.
    0090 - 53 bc ca f5 64 8d e3 7a-7f eb 1a 29 ec bf 7e 92   S...d..z...)..~.
    00a0 - a5 7b 6f 3c b4 b3 a1 09-fa 06 aa c5 b7 cb e2 1e   .{o<............
    00b0 - 2e 5e c2 fe 5a 2b 64 e2-ae 2d 02 50 f5 a5 89 8f   .^..Z+d..-.P....
    00c0 - c7 8c b9 b0 e0 b1 fa 9b-04 c9 d6 89 e1 ec a9 51   ...............Q

    Start Time: 1740077792
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F355DC0C4563F3FB7A21F7AC7255C3DB8B2156B564837FFF58BA95659189DC92
    Session-ID-ctx: 
    Resumption PSK: 4EB6F4E806B3CEFE84FCB84F64798109048F2CF5468BDAFAA002106759ADDAEBBF9D0C22F7D6761815B36130A10E2873
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - be 0c ef e5 3c 26 bb ef-33 67 87 30 57 fe a6 9b   ....<&..3g.0W...
    0010 - 28 f0 b4 07 4e 3b 5f 03-6f 36 ae c9 53 a9 4a 5c   (...N;_.o6..S.J\
    0020 - 75 15 be ba 4f cc bf 6f-ef 67 10 d0 47 7e 85 5e   u...O..o.g..G~.^
    0030 - 82 75 ff 82 79 f6 b7 60-7e 67 15 52 fd f5 df 05   .u..y..`~g.R....
    0040 - ed c1 51 bf 6f e8 5a 9c-12 65 29 30 20 34 94 bd   ..Q.o.Z..e)0 4..
    0050 - 6e a0 25 02 5c 80 15 0c-f2 28 a4 83 f2 04 95 4e   n.%.\....(.....N
    0060 - 39 e7 85 d1 1a 81 dc 9c-58 4d 99 7d b3 84 79 b5   9.......XM.}..y.
    0070 - 6d 2d 36 04 bd 05 f8 e0-47 39 6d 7d 22 0c 98 de   m-6.....G9m}"...
    0080 - 9a 34 6e b6 0a a0 bd 41-4d a3 4e 10 ed 00 29 4f   .4n....AM.N...)O
    0090 - cf 8c e0 d6 7b a8 1a ed-8e b5 68 8b d5 94 be c0   ....{.....h.....
    00a0 - 8c 44 09 5f b5 0d 66 7f-9c 01 08 16 cd 74 3f 53   .D._..f......t?S
    00b0 - 0f 35 80 32 3d a7 5f 8f-3b 46 cd 74 5f 19 38 e3   .5.2=._.;F.t_.8.
    00c0 - 59 0e 88 cc 39 55 5f e6-fb 48 cf b9 77 d5 99 e5   Y...9U_..H..w...

    Start Time: 1740077792
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80E28527227F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEIFaKRVz31e3a7cd4KOIDFvSL4OG+YBUhH+pVzFuLVzER
BDBOtvToBrPO/oT8uE9keYEJBI8s9UaL2vqgAhBnWa3a67+dDCL31nYYFbNhMKEO
KHOhBgIEZ7d64KIEAgIcIKQGBAQBAAAArgcCBQCirNDoswMCARc=
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCMQ

Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run sanity test with default values (RSA-PSS)

## Generating a new selfsigned certificate for pkcs11:type=private;id=%00%10
 openssl req -batch -noenc -x509 -new -key ${KEY} ${AARGS} -out ${CERT}


spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.pem
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=0 C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
verify error:num=18:self-signed certificate
verify return:1
depth=0 C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
verify return:1
---
Certificate chain
 0 s:C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
   i:C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
   a:PKEY: RSASSA-PSS, 2048 (bit); sigalg: RSASSA-PSS
   v:NotBefore: Feb 20 18:56:32 2025 GMT; NotAfter: Mar 22 18:56:32 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEIzCCAtugAwIBAgIUE9uOvGmKGS/Qg35vYfeGxp8eBnQwPQYJKoZIhvcNAQEK
MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC
ASAwZzELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMREwDwYDVQQHDAhO
ZXcgWW9yazEYMBYGA1UECgwPUEtDUzExIFByb3ZpZGVyMRgwFgYDVQQLDA9UZXN0
aW5nIEhhcm5lc3MwHhcNMjUwMjIwMTg1NjMyWhcNMjUwMzIyMTg1NjMyWjBnMQsw
CQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3Jr
MRgwFgYDVQQKDA9QS0NTMTEgUHJvdmlkZXIxGDAWBgNVBAsMD1Rlc3RpbmcgSGFy
bmVzczCCASAwCwYJKoZIhvcNAQEKA4IBDwAwggEKAoIBAQDHvlsv44hIFr7d1mNS
+s0LRCyc7B/hzOtD/8NrQ83P+KkTPC1/SiAncrDQWfNG0GVmkIv0tlfyjt1PMgVy
0ErspSGo+iy5lITqtwA0EKe6kza1c3MxmKFu+eF9YWZg+cOXDlISNClKSDGbx2GY
eJ7yduFfKo8aP+gJrnMT2mgrxwW4xiE1RypJY9TbWcqkmyS+scNegwT0RubLftpG
k7Qy3ogHMDQjaVa1C2kYTV4xg5orYYhzdxYr/SSxqLxhT1MUdHrJOx+faHlLVl/F
n7Sj88fZt7RYX+fLr4yDXsEORWGnOXqU6Ja7jZ8PQJwIwHVSe2rl6/zUGEDHF4bV
fMedAgMBAAGjaTBnMB0GA1UdDgQWBBTdfEj3y3CjFaZUJ8hCZwa6vuLa2DAfBgNV
HSMEGDAWgBTdfEj3y3CjFaZUJ8hCZwa6vuLa2DAPBgNVHRMBAf8EBTADAQH/MAkG
A1UdEQQCMAAwCQYDVR0SBAIwADA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQC
AaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIAOCAQEAGJaKLH3SHEFz
7ISfCwYgxJ1X8DiZqDEkiyaadiGfxbvvVvRjqOk4yPCLQXy6DRR1GLxkf9577UxS
+WGfBd9/dxmZym5F4kuvc9ZunqNjZppRRc7h20jrW5vRKMqGkyCNL6abQfQbsb11
T2tsywjEy5NPRSiHKYMYGFnXma3ixFer88HrdfyajJfsh88E0Eb+9bOqKERPgOS/
sgZL6R45faxMnqdmvhl/GNGQwkx+1a8iBCGrae6EkO/6Qz9DKrWdWof8RPAda3qF
7MphdEWuIBm0PDTc6YSsiDV0UBKPabjqUhNkZ8aq5XMR3BqdE75DV+huq90YNpDt
SpNJkNc9Yw==
-----END CERTIFICATE-----
subject=C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
issuer=C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1652 bytes and written 371 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 2F66345C322BB6FB4A8B0D58CD5F7FEEC9F5B23BD76CC96480BC389DC5BFBAA3
    Session-ID-ctx: 
    Resumption PSK: 65CB52771AB30DF24A456B58127863DC7B3392EAC165C6107BD0FE519DD0167A6B31A075E5B98D419BBADC329392EA12
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - a1 cf 95 46 12 a8 3d 1b-b9 4a 25 de 20 13 e6 25   ...F..=..J%. ..%
    0010 - 12 32 a8 f8 7b 2c 20 7c-6f 33 18 ba 69 94 ea 45   .2..{, |o3..i..E
    0020 - fc 92 11 c3 57 47 1f 89-7d 59 4c 6c 21 8d 96 c3   ....WG..}YLl!...
    0030 - 9d a4 c9 55 a4 cf ed c5-8a fc 20 aa 97 7b 0e 81   ...U...... ..{..
    0040 - 98 8a 74 3e 5a 88 7e 66-e6 63 42 7a 1d 6c 21 c2   ..t>Z.~f.cBz.l!.
    0050 - dd 5d c8 39 1c 55 13 d2-66 dd 48 75 8a bd f9 32   .].9.U..f.Hu...2
    0060 - 33 75 bc 2b c2 fb 05 f7-37 c4 b6 fb ed 75 8f 01   3u.+....7....u..
    0070 - d5 72 17 58 61 15 5e c1-c2 00 9d 0b d2 18 ca 8e   .r.Xa.^.........
    0080 - 17 7c da d1 d5 64 c5 83-1f 13 24 c1 76 4f c6 c6   .|...d....$.vO..
    0090 - 40 62 c9 6d 42 09 7a 34-a3 d7 a0 3b 49 66 8a 6c   @b.mB.z4...;If.l
    00a0 - b8 9b 35 ce f1 d4 01 f5-cc 73 6d e8 78 22 40 23   ..5......sm.x"@#
    00b0 - f9 f3 af 55 85 25 b9 b8-be 78 c0 43 05 1a 57 3b   ...U.%...x.C..W;
    00c0 - 82 a0 fc 94 d6 7f 4a 0c-d2 4a d8 ef c4 d9 4b 3f   ......J..J....K?

    Start Time: 1740077792
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 22D067A0522BB5F7AAEA4D8544BEA6C5A671719BE3BDA2A8375E7BDD51D572DB
    Session-ID-ctx: 
    Resumption PSK: 56C4F2E85CF3E59EEF52AD9922C02F711532017E0C23C4EC6F046AA3921C8E3773ABF7B41051CC44C761F8C41F48DAC9
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - a1 cf 95 46 12 a8 3d 1b-b9 4a 25 de 20 13 e6 25   ...F..=..J%. ..%
    0010 - f0 bd 4f e1 21 4e 69 1d-47 14 6c 5e 1e 4e 2e 52   ..O.!Ni.G.l^.N.R
    0020 - 9b f6 80 a8 85 ab 29 5b-3a 11 58 ba c7 d9 15 51   ......)[:.X....Q
    0030 - 77 06 be af 6f 3b e7 0e-6c 08 46 21 6e 3b 6a c3   w...o;..l.F!n;j.
    0040 - 63 c1 ad 7a fe 6b 03 7d-11 e5 3c 3f 98 33 53 de   c..z.k.}..<?.3S.
    0050 - 1e 76 f8 9a 43 62 94 08-86 7b e1 91 a1 58 87 c5   .v..Cb...{...X..
    0060 - fa 6d 29 c1 73 22 8f 87-d6 62 5a a7 c3 cf 2a 78   .m).s"...bZ...*x
    0070 - 37 44 18 0a 09 b6 45 49-e0 90 d2 33 e6 c8 32 94   7D....EI...3..2.
    0080 - 9c 11 9d 9c 97 10 79 e9-83 d9 94 bc 5a 6a 59 1d   ......y.....ZjY.
    0090 - 31 13 01 6f 35 ce 34 07-5b 7b 1b 25 ec a7 7b 04   1..o5.4.[{.%..{.
    00a0 - 2e a9 52 e9 c1 09 56 4f-9c e6 e5 e2 e1 ff fe 73   ..R...VO.......s
    00b0 - 74 d8 5f aa e1 21 3a de-ec ad 70 ea 4b e6 e4 b7   t._..!:...p.K...
    00c0 - cb d0 eb 72 29 5f 03 3e-5d f4 8c d7 aa 70 a9 c5   ...r)_.>]....p..

    Start Time: 1740077792
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
805203BF8C7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%10 -cert /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/rsapss-default.pem
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEINzbSAcaDPMyQsZBvwgz0pSUlC9yaY8jxF0ER7f2aYvK
BDBWxPLoXPPlnu9SrZkiwC9xFTIBfgwjxOxvBGqjkhyON3Or97QQUcxEx2H4xB9I
2smhBgIEZ7d64KIEAgIcIKQGBAQBAAAArgcCBQDvT7hFswMCARc=
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run sanity test with RSA-PSS and SHA256

## Generating a new selfsigned certificate for pkcs11:type=private;id=%00%11
 openssl req -batch -noenc -x509 -new -key ${KEY} ${AARGS} -out ${CERT}


spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.pem
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=0 C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
verify error:num=18:self-signed certificate
verify return:1
depth=0 C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
verify return:1
---
Certificate chain
 0 s:C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
   i:C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
   a:PKEY: RSASSA-PSS, 3092 (bit); sigalg: RSASSA-PSS
   v:NotBefore: Feb 20 18:56:32 2025 GMT; NotAfter: Mar 22 18:56:32 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFKDCCA12gAwIBAgIUXe2dL6BMbJQRlA0o0zJgiMyytrgwPQYJKoZIhvcNAQEK
MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC
ASAwZzELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMREwDwYDVQQHDAhO
ZXcgWW9yazEYMBYGA1UECgwPUEtDUzExIFByb3ZpZGVyMRgwFgYDVQQLDA9UZXN0
aW5nIEhhcm5lc3MwHhcNMjUwMjIwMTg1NjMyWhcNMjUwMzIyMTg1NjMyWjBnMQsw
CQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3Jr
MRgwFgYDVQQKDA9QS0NTMTEgUHJvdmlkZXIxGDAWBgNVBAsMD1Rlc3RpbmcgSGFy
bmVzczCCAaIwCwYJKoZIhvcNAQEKA4IBkQAwggGMAoIBgwwDhk9dCDy0paKBYMqh
GNOOosp5BJPuO0iT4Uy2q7yVTsgSBQ72S08PPdws4vtmxey6dwuNkNzDCkn1NKZX
XYeBJJEcipNUAfJz1EXUJVnd0FRGOlUzm8nPo09cSK7OL/JGBC/uAvLpq9LCxUvm
cu0GtlE+A4KdoK5DFWLHOp8HOM5oJVL2PK0SzaBSAzZdJqoRSXB6SGUzqSA+zswd
K4YcsaQu5axj8uuS9uNfWYy4DZr9/AsNXKoYyPxbbqdYqIkV8l938YmvdtehjeBT
KWQo/Ppvbw23zj1HbeE55ptoQE0UMU6TCUByVlAneffKlUMYiL7sFPqQcEJ41xn4
aWZLZdc1ng7F1RHrbCszyfIhFx5apOLjGUc0h2RnXHGslTLZq+lliTcCnDdug8AK
b6OD6eI25j6b8DfHbQmWjW0tvPJxP3jyFOiMH1xAS2+Nhc6jnSy+SMNDdR0zezQi
PRjXPjOFdGJbDapZFAhK20xCo0/NrSHa/vk/5Xf+k2sVowj8mQIDAQABo2kwZzAd
BgNVHQ4EFgQUU0xZmGfw8m2/bPApTp5w6i7dGrwwHwYDVR0jBBgwFoAUU0xZmGfw
8m2/bPApTp5w6i7dGrwwDwYDVR0TAQH/BAUwAwEB/zAJBgNVHREEAjAAMAkGA1Ud
EgQCMAAwPQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0B
AQgwCwYJYIZIAWUDBAIBogMCASADggGEAAe6So3eiAEhFWj2EMd3KHbzYnBiqaJG
g3sfaqgE6uIEe1oSltIR+d7yfoSPNFY2MQa4mkpCBbpnV8B7pXfhAAySPyN7AUeM
JVbzc3cJDosHbFdcAUVD3N7wBs2W0LJrdbAlof9jGsj+NjZff/RegdPSoiGMupML
Eype4GQy5MSbRCl1TRuSQsSxcLuBjxvXzunm55AQJmvYl5bFTWVfyENVuZWNwPkT
K6fR/HK8xRluIk9Q2H3VV4Irz9yBh6nw2U8fcVoDFEA9uzhII9MHWgGdxWJati3H
aYoyDZsGEMcCr1ZSSCW2QYzm2CbJzWGvacF591oNra3v4k7k0sBGCxcgzjN9vKGR
Djz5tGc47pKpvjyHrFyV1Sxrpe8ml24MsbKM32bqepge5STuePR1A9avJQ+/Qzsb
7YeNsqn2/m9Ov1fRibDybZZkBluaONFoHnk4ocwgz1pktc6TV/7Yf9qYARB4K2gr
lfk6WH9B9EXPUnD/Fn3PXl4IH8/Z1FHDVoPcMA==
-----END CERTIFICATE-----
subject=C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
issuer=C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2044 bytes and written 371 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 3092 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: A3E3F552ED4F4B4F9CD7C7C991B26B3BFDEC49C95FD12B7F7A73C5B53F623F32
    Session-ID-ctx: 
    Resumption PSK: 29CCD1B60DB9796602B6014C88E06D0E4980C050CCB94952A07FB72A5D40F407C15A1997C5DE38B2B33587AA9CBEB1F5
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ab 51 3f f0 a7 58 00 dc-2d ff 3a 23 a1 82 63 c5   .Q?..X..-.:#..c.
    0010 - 19 5d b7 1c 59 f0 4e 34-bf 5e 55 88 d5 90 2c f0   .]..Y.N4.^U...,.
    0020 - ab b8 66 f5 da 42 2f ed-79 54 26 f2 77 47 5b c7   ..f..B/.yT&.wG[.
    0030 - f0 8e 6c 72 fc f2 eb 40-d0 b3 d4 d2 ca 1b a4 88   ..lr...@........
    0040 - 4f c3 10 05 4a 4d 43 5c-3d b1 9a 86 62 d4 f5 ed   O...JMC\=...b...
    0050 - 88 0e dc d0 de e8 cd 58-d5 c0 ec 4c 8c 7a 18 d0   .......X...L.z..
    0060 - b1 7d d7 c6 0c d7 3d 1a-3b 1d 39 d7 2d ec 88 77   .}....=.;.9.-..w
    0070 - 69 31 a4 46 23 d5 c6 16-92 3b be fe d4 a5 06 95   i1.F#....;......
    0080 - 1c b2 22 93 97 3c 0b 1f-1e 31 1f 43 80 bb 47 da   .."..<...1.C..G.
    0090 - 93 cb 79 9a 47 24 89 e7-fb 36 0d 08 78 7b 7a ff   ..y.G$...6..x{z.
    00a0 - 70 52 9c 2c d5 7f 5d bf-38 b5 ae a4 a1 c9 2e 6c   pR.,..].8......l
    00b0 - 79 dc 02 e1 43 9b 05 cb-7a 72 95 80 80 41 84 32   y...C...zr...A.2
    00c0 - cb a8 8b d7 f3 fa 5e e2-be 5e 32 3b 03 ae bb 44   ......^..^2;...D

    Start Time: 1740077792
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: A5A3759335A982707D54F03D56015D620021D2705166053545109806179D1896
    Session-ID-ctx: 
    Resumption PSK: AACA37D38C1F58664FB412C5FBB832486D84E37DCAAA96A8B1D9D31AB8686B378DA981D6E928AF1E9A10C79A80D30B1E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ab 51 3f f0 a7 58 00 dc-2d ff 3a 23 a1 82 63 c5   .Q?..X..-.:#..c.
    0010 - 2b 08 d6 c7 62 da 96 db-0c 42 3f 39 85 7a 55 5f   +...b....B?9.zU_
    0020 - 56 ee 72 9b 86 d0 0a b1-4d 94 11 e6 7e 6f e1 51   V.r.....M...~o.Q
    0030 - 76 b7 03 3d 44 53 37 73-24 0d a2 40 7f 7b 77 49   v..=DS7s$..@.{wI
    0040 - 7e 8d fc e5 68 8a d5 3f-59 f1 70 1d 73 33 e2 c5   ~...h..?Y.p.s3..
    0050 - 7b f3 b4 c4 c0 d6 d9 45-48 80 a0 29 49 c7 86 20   {......EH..)I.. 
    0060 - 52 98 5e 34 88 5d 50 a6-f4 6d 94 e5 6a d0 43 25   R.^4.]P..m..j.C%
    0070 - 57 f7 ac f6 df 18 50 62-79 d4 1e 4f a2 a6 e6 03   W.....Pby..O....
    0080 - ea 70 20 b5 67 90 2a 5e-fd 5f 2d 89 25 7e d1 67   .p .g.*^._-.%~.g
    0090 - 47 2c 85 9d 64 c7 aa 8a-02 df bb a5 a4 2b fd ed   G,..d........+..
    00a0 - ef 3e 1d bb 0b 4b b6 f4-cb 9d 42 5e e5 dc c3 b3   .>...K....B^....
    00b0 - b7 cd 1f 81 24 6e 11 00-68 f2 ff bb 32 61 94 ad   ....$n..h...2a..
    00c0 - 9c 79 cf c1 ba e6 12 26-ae 7d 52 98 d4 df 61 5c   .y.....&.}R...a\

    Start Time: 1740077792
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
803265FEE17F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%11 -cert /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/rsapss-sha256.pem
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEIMLPIGtCO5DI8asZVy+uRqNe5vnC0HUptJ9ejskaHdJA
BDCqyjfTjB9YZk+0EsX7uDJIbYTjfcqqlqix2dMauGhrN42pgdbpKK8emhDHmoDT
Cx6hBgIEZ7d64KIEAgIcIKQGBAQBAAAArgcCBQDbZSF8swMCARc=
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run sanity test with default values (ECDSA)
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.pem
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:24 2025 GMT; NotAfter: Feb 20 18:55:24 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTI0WhcNMjYwMjIwMTg1NTI0WjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATAroqpuaRE9FfNUZRAhtYnF+eRnOCcMR/e3D06uj4ul9p9
UH+/ulsTX1hYx0i56REr9gVPu2RlCz6/tLFB138Qo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFHGuZRUq+9pf411EYQ5Q8J3vjGE0MB8GA1UdIwQYMBaAFDeW
c2bbdHILxHAXDCFhJyXn2eYtMA0GCSqGSIb3DQEBCwUAA4IBAQAWNhZl8M3dynzi
vYJfW2AEFq0UAinftuM0T84uHzAtNY1nzWuaSiFGON1MD6MqHDfWdZEvWuph/v9y
J6svstWPgmFuY8UQOCOWqEloeUp7BgEFI1yLvieQfJfFJ06hj36jhNWisBIZTI52
/VJEvX//xZU7AUCftMaPEue/smQNFnGa4KXdahy6bXMvBDhedh3/Sqthz97lhM0Q
RM7128DiFzkxrPFe/54WLFi1UIDITHdDEU1tLIjIooAYrZSfZ+RRjEyY7n4+txBL
gf0p1B5fwYKSKrFA98gzFw0UrloROsYigtGaKCGMNlE9yEDsCMrBMLp2mhzJQbEz
XEU9TVim
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1033 bytes and written 371 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 75CB56B6F5A5DE484A0C2DB16E66F2D508F1447E0DD0D9B99BA3614B0FC4730E
    Session-ID-ctx: 
    Resumption PSK: 951C703709D451C7F8345F97292A71E9B8CEE89BC75588D891AD9D61D55EA7F7E5CD7903FAF3124EB589DA80B742F8F2
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 7a 45 77 b7 45 71 36 ce-2d 44 65 11 b2 eb 26 7a   zEw.Eq6.-De...&z
    0010 - e3 95 41 ed bc 5d 86 c4-8e 6c 04 04 51 a2 1f 4b   ..A..]...l..Q..K
    0020 - b6 01 ba 01 cf cf 8e 45-82 67 dd ff e2 ce 9c e8   .......E.g......
    0030 - a3 93 1c bc 59 bd d6 eb-82 d3 3e d3 ef 0e 7b 21   ....Y.....>...{!
    0040 - 0b 5c db 54 a0 e0 77 4e-4a 56 e1 c9 8b bb 31 ac   .\.T..wNJV....1.
    0050 - 50 3c 8d 0a a7 a4 22 cd-13 3c e2 cf 97 99 16 61   P<...."..<.....a
    0060 - 6a b3 bc 0d a0 f0 6b 6f-1a 85 2b 70 ac 95 92 97   j.....ko..+p....
    0070 - 0b b6 61 b4 24 24 43 0a-65 ea 94 70 30 66 e4 66   ..a.$$C.e..p0f.f
    0080 - 7e cd 03 43 e4 e3 20 2e-7a 41 90 b5 f2 df cf ec   ~..C.. .zA......
    0090 - c3 aa 00 5c dd f7 ad 8b-75 04 12 be 7e 15 1f ef   ...\....u...~...
    00a0 - a8 f6 86 24 5b 68 16 ba-b5 2c b2 80 10 40 47 7c   ...$[h...,...@G|
    00b0 - e3 10 96 a8 dc a6 f2 c5-5b ab 2f a5 fe b0 78 2c   ........[./...x,
    00c0 - 08 b0 c7 4b c4 ea e1 92-55 a3 17 fd c1 a9 ca a8   ...K....U.......

    Start Time: 1740077792
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 11467C10CB6A2CBC5AD6A2DB0F717FC8202BDB2DF204FAD7BC2340C8C77A8FEB
    Session-ID-ctx: 
    Resumption PSK: CF4F3D5A208072B44E913C9F30F1309AF650186ABDBB977CA4D03E4295AFBECFFE6683A8D66ED78E979386EC4AE7F9A7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 7a 45 77 b7 45 71 36 ce-2d 44 65 11 b2 eb 26 7a   zEw.Eq6.-De...&z
    0010 - 99 c0 c4 e9 17 b4 c5 3c-95 01 b6 b2 ec 5b ba 41   .......<.....[.A
    0020 - 84 47 be f7 90 e5 84 59-d2 75 8e ed db 87 75 2f   .G.....Y.u....u/
    0030 - c5 f0 64 f9 4e 95 95 28-e5 16 00 9d 37 c3 f5 48   ..d.N..(....7..H
    0040 - 21 8b 0f 6c 49 31 4c 45-59 8a 1b b2 3a 50 bc 7c   !..lI1LEY...:P.|
    0050 - 29 59 bc 8b 81 ed 6d c3-a8 d5 ac 92 9e f0 40 33   )Y....m.......@3
    0060 - 05 af 54 4e 63 9e e6 9f-bd 7e 7c 2f e8 8a 93 86   ..TNc....~|/....
    0070 - 51 ad ee a6 56 88 f9 51-dd 18 a2 90 ce fc 82 b8   Q...V..Q........
    0080 - 74 68 8e 38 1f 9b bf fe-d4 d7 01 18 25 3a 02 eb   th.8........%:..
    0090 - 87 f3 fa c7 a6 51 0a 0e-6d e3 b6 b6 b5 47 82 2e   .....Q..m....G..
    00a0 - f5 5e 79 50 6c 45 15 da-ad d6 63 1b fe e2 5f cf   .^yPlE....c..._.
    00b0 - 36 ae 04 e4 62 0f 5f 9d-dc 6b 5d d0 5c 75 fc c2   6...b._..k].\u..
    00c0 - 73 35 2d 90 cc 2a 8c 84-f8 68 a0 d8 23 66 58 a8   s5-..*...h..#fX.

    Start Time: 1740077792
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80722144297F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGCAgEBAgIDBAQCEwIEIItYHRHwc4O72L9TuyWBaojnR2cZE6NwctZHF2RVz0PY
BDDPTz1aIIBytE6RPJ8w8TCa9lAYar27l3yk0D5Cla++z/5mg6jWbteOl5OG7Ern
+aehBgIEZ7d64KIEAgIcIKQGBAQBAAAArgYCBFkbaTuzAwIBFw==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 TLS SUCCESSFUL 

Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
Q
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.2
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.pem -tls1_2
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My Test Cert
   i:CN=Issuer
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:23 2025 GMT; NotAfter: Feb 20 18:55:23 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTIzWhcNMjYwMjIwMTg1NTIzWjAxMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAJo9UsjLoxTrA++RBh+DD3NZECq4H1sr1sML
VSiSZxj5NrFiqTNXirImptY2wphstSF3PJ5r8BRpg6DqWNxvLRSxQMUqRKjxhW2f
sM95DpFHqHTv2LOdIdnJ/2xQ8RdoYhIcc3qeCmdpbEoTUW5HQcJ/ALyn/WQie8qp
6N2Vg29KcWMc3pKn9gwRUv2NehCNJsVZpD40xI/ORYlsQUtnk7PGDdFAJ76EZ5AA
A0bpZT/74I5dMKq/pLGp6InGQ5TnsydjTgPMBhSVQfraOqbTNQ2VozRAagXfNO/b
WS+aAeAHkfFTbLQRMbmgdJzyOVlhXKJwsHe9iwvbsrqrvECJjWMCAwEAAaOBgTB/
MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBS4LQOR1lpq8ED5sLonItzjTVol1jAf
BgNVHSMEGDAWgBQ3lnNm23RyC8RwFwwhYScl59nmLTANBgkqhkiG9w0BAQsFAAOC
AQEAbZEhJ23VxLFQO0dU8YEOl6uBPgbtfpNDzgOTfN9NPtWP2WFAYDsK0TD3f6Z6
WxVOZnt1vUEepEBeIB3U3OBHSR3Y6Ebmd36f2HzEe/JeC1xE2QoYOfeED0xMqvzk
+nyyjm4wzw6/NI8XzcrMl90o2pN66H4MfkNaDa8lMbw0dl75R9ndIgj6qAdWO1aO
NfdQRwfr/WuVmLYINCKfqbzAUcIGQa9CP280eHHpxHjFMYx8KuN12p7Z6XgerGGw
I5zfK7/sUrNaHYj4VTvKh2+HV0PnduQm0fcvdZkz07WUE0KGeRF92/iLd/jRZVK9
c01T6npGwA96fIt9JdMQNughzw==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1509 bytes and written 274 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A3255A03AE671D28CAA833E8497C0A7E193B92530675BC2EEECF11315E3E8AFD
    Session-ID-ctx: 
    Master-Key: F53A7D884F89957C588754AD9A63CA46915C5DBCFEB3D3B7BF4C07474BAA6509AE0B5A17B38E42B27982D9D28D9160E0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 54 ea e1 a4 ea f2 df 31-8b ae e9 1e 8b 47 fe de   T......1.....G..
    0010 - 09 18 02 32 34 25 4b ad-67 e6 cc 3f b3 58 ed 22   ...24%K.g..?.X."
    0020 - e6 a7 a3 82 63 c5 d6 e1-b5 8b 19 bc ab 40 03 59   ....c........@.Y
    0030 - d9 c0 ab cd b9 63 a5 f5-6c ab c2 65 38 f9 20 d0   .....c..l..e8. .
    0040 - b3 13 b3 a3 08 55 bf 21-c5 78 97 31 1b e7 cd 96   .....U.!.x.1....
    0050 - 5f 33 3a 65 a2 c4 d9 00-72 9f 55 43 d0 d8 98 c4   _3:e....r.UC....
    0060 - db d3 82 c4 0e 9c 7d 32-18 1e f7 50 d2 1f 6a 9d   ......}2...P..j.
    0070 - 8f 7d 29 8f 58 ef dc 4e-f2 cd df cb 29 21 05 30   .}).X..N....)!.0
    0080 - 45 e2 43 8d 86 8a 83 fa-16 6b af 8a f4 3b 8e c8   E.C......k...;..
    0090 - 3d 5c f2 09 37 d8 4e 37-9a cd 6f 84 49 79 e9 ff   =\..7.N7..o.Iy..
    00a0 - 93 12 ff de f7 14 7b 6c-79 82 09 ce 63 6c 85 cc   ......{ly...cl..

    Start Time: 1740077792
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
 TLS SUCCESSFUL 
80320FD0967F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALAMAQABDD1On2IT4mVfFiHVK2aY8pGkVxdvP6z07e/TAdHS6pl
Ca4LWhezjkKyeYLZ0o2RYOChBgIEZ7d64KIEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1:secp521r1:secp384r1
Shared groups: secp256r1:secp521r1:secp384r1
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with explicit TLS 1.3
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.pem -tls1_3
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My Test Cert
   i:CN=Issuer
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:23 2025 GMT; NotAfter: Feb 20 18:55:23 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTIzWhcNMjYwMjIwMTg1NTIzWjAxMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAJo9UsjLoxTrA++RBh+DD3NZECq4H1sr1sML
VSiSZxj5NrFiqTNXirImptY2wphstSF3PJ5r8BRpg6DqWNxvLRSxQMUqRKjxhW2f
sM95DpFHqHTv2LOdIdnJ/2xQ8RdoYhIcc3qeCmdpbEoTUW5HQcJ/ALyn/WQie8qp
6N2Vg29KcWMc3pKn9gwRUv2NehCNJsVZpD40xI/ORYlsQUtnk7PGDdFAJ76EZ5AA
A0bpZT/74I5dMKq/pLGp6InGQ5TnsydjTgPMBhSVQfraOqbTNQ2VozRAagXfNO/b
WS+aAeAHkfFTbLQRMbmgdJzyOVlhXKJwsHe9iwvbsrqrvECJjWMCAwEAAaOBgTB/
MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBS4LQOR1lpq8ED5sLonItzjTVol1jAf
BgNVHSMEGDAWgBQ3lnNm23RyC8RwFwwhYScl59nmLTANBgkqhkiG9w0BAQsFAAOC
AQEAbZEhJ23VxLFQO0dU8YEOl6uBPgbtfpNDzgOTfN9NPtWP2WFAYDsK0TD3f6Z6
WxVOZnt1vUEepEBeIB3U3OBHSR3Y6Ebmd36f2HzEe/JeC1xE2QoYOfeED0xMqvzk
+nyyjm4wzw6/NI8XzcrMl90o2pN66H4MfkNaDa8lMbw0dl75R9ndIgj6qAdWO1aO
NfdQRwfr/WuVmLYINCKfqbzAUcIGQa9CP280eHHpxHjFMYx8KuN12p7Z6XgerGGw
I5zfK7/sUrNaHYj4VTvKh2+HV0PnduQm0fcvdZkz07WUE0KGeRF92/iLd/jRZVK9
c01T6npGwA96fIt9JdMQNughzw==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1424 bytes and written 343 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 5F6573BF5C7964795290A91D030607355F0308A05E740A4C274EB896FBC239D1
    Session-ID-ctx: 
    Resumption PSK: 87D2F42AF4BD49DEDF856B54719E00EC07AAC35B9F89A01F85D1120121FDBFE9E921B7BBAB38F7135B9593CF520FD6F5
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - e9 8c c5 e0 ec 83 c6 3f-ff c0 01 89 07 43 d4 19   .......?.....C..
    0010 - a1 8e 4b 21 e1 52 66 94-7b 47 5b e2 48 f7 8a a8   ..K!.Rf.{G[.H...
    0020 - 50 d7 33 fb 59 5a 58 f9-8f 83 b8 4f f5 c6 ec 6e   P.3.YZX....O...n
    0030 - 72 c6 02 12 15 9f 18 e6-4a 03 24 d5 9f 78 42 b9   r.......J.$..xB.
    0040 - 8f c7 62 71 95 ad d7 42-d3 f0 39 6e e7 37 e7 00   ..bq...B..9n.7..
    0050 - 47 cf 83 37 d9 b7 8d 70-32 fc c1 57 50 3e d0 e2   G..7...p2..WP>..
    0060 - e4 fe f9 82 ca 86 78 3b-5c 5a 5a 65 e5 dd c9 82   ......x;\ZZe....
    0070 - 32 7f 0d aa 96 ed 93 bc-f2 5a d2 3f 78 31 09 64   2........Z.?x1.d
    0080 - 31 c4 e3 e8 21 0f b6 04-0e 69 1c de d8 c2 56 e5   1...!....i....V.
    0090 - 4c b3 b4 00 ed d1 d1 5b-b5 97 d6 97 7f e8 bd 86   L......[........
    00a0 - 1e 44 f9 6b 95 11 a0 97-1a 77 7f 4b 15 fe c0 9a   .D.k.....w.K....
    00b0 - e0 1a a2 db 24 53 51 00-b3 cd 1a 25 a1 35 61 e4   ....$SQ....%.5a.
    00c0 - 33 62 7d ee 07 87 97 65-0c 0e fe 5d 21 4a ec 94   3b}....e...]!J..

    Start Time: 1740077793
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 2052A5876AAD895A213C4B258DDEC3177ADC76D9346E84EBA68555C574DD6BA7
    Session-ID-ctx: 
    Resumption PSK: 1C896DA0606968F82492C8190A4FE3EA3FA8BDD662741A15536C050E6B3ACDAD70A9B18590922B90E5FD498CB3D81AA9
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - e9 8c c5 e0 ec 83 c6 3f-ff c0 01 89 07 43 d4 19   .......?.....C..
    0010 - a1 20 02 d3 53 34 44 4e-7d 0e a3 96 4f 80 c6 7d   . ..S4DN}...O..}
    0020 - 5e ba 63 ae a0 dd ab 96-dc 89 8d 3d 5e b7 60 76   ^.c........=^.`v
    0030 - 1a 4a 29 45 70 ee bd c8-c5 4b 88 1b f0 a1 ce ad   .J)Ep....K......
    0040 - 80 cd 08 5f 11 50 0c 0e-64 34 4a 66 57 23 e6 d1   ..._.P..d4JfW#..
    0050 - d0 30 07 54 77 d4 b0 c9-54 7d a0 20 5c b0 04 3e   .0.Tw...T}. \..>
    0060 - 68 86 a8 9b c4 59 8c f3-c4 60 64 a2 89 67 66 18   h....Y...`d..gf.
    0070 - a3 be e3 8a e2 62 89 57-70 41 98 97 ee 13 23 22   .....b.WpA....#"
    0080 - 52 01 de 01 9d 25 d4 d5-2f bf 88 32 d9 3a 13 68   R....%../..2.:.h
    0090 - 06 0b 65 9b 42 4c 95 9d-4b e2 21 a1 6d 13 3a 10   ..e.BL..K.!.m.:.
    00a0 - 18 00 84 91 c2 56 a8 ff-14 dc 02 a0 96 05 3c a0   .....V........<.
    00b0 - 1f ac ee ff 99 4e ea 63-20 59 84 56 e8 3a 80 10   .....N.c Y.V.:..
    00c0 - 05 be e0 15 f4 30 3d 81-b1 85 93 1e 96 45 35 13   .....0=......E5.

    Start Time: 1740077793
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80B212446A7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGCAgEBAgIDBAQCEwIEIJBX2UDudwPmmSGfvJ4Dw2SFApf3O1PDpr2YoDS8Ni6J
BDAciW2gYGlo+CSSyBkKT+PqP6i91mJ0GhVTbAUOazrNrXCpsYWQkiuQ5f1JjLPY
GqmhBgIEZ7d64aIEAgIcIKQGBAQBAAAArgYCBA/bUNqzAwIBFw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512Q

Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.2 (ECDSA)
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.pem -tls1_2
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:24 2025 GMT; NotAfter: Feb 20 18:55:24 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTI0WhcNMjYwMjIwMTg1NTI0WjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATAroqpuaRE9FfNUZRAhtYnF+eRnOCcMR/e3D06uj4ul9p9
UH+/ulsTX1hYx0i56REr9gVPu2RlCz6/tLFB138Qo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFHGuZRUq+9pf411EYQ5Q8J3vjGE0MB8GA1UdIwQYMBaAFDeW
c2bbdHILxHAXDCFhJyXn2eYtMA0GCSqGSIb3DQEBCwUAA4IBAQAWNhZl8M3dynzi
vYJfW2AEFq0UAinftuM0T84uHzAtNY1nzWuaSiFGON1MD6MqHDfWdZEvWuph/v9y
J6svstWPgmFuY8UQOCOWqEloeUp7BgEFI1yLvieQfJfFJ06hj36jhNWisBIZTI52
/VJEvX//xZU7AUCftMaPEue/smQNFnGa4KXdahy6bXMvBDhedh3/Sqthz97lhM0Q
RM7128DiFzkxrPFe/54WLFi1UIDITHdDEU1tLIjIooAYrZSfZ+RRjEyY7n4+txBL
gf0p1B5fwYKSKrFA98gzFw0UrloROsYigtGaKCGMNlE9yEDsCMrBMLp2mhzJQbEz
XEU9TVim
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1119 bytes and written 274 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: 3F9F645D2B8194DBB9B0CF993EEDBDE4486BEB4D581DBD03B61DBC3985BAD46F
    Session-ID-ctx: 
    Master-Key: AD0F38FABCA0F44420FA7DAF46BF2DB10C92FC0F93AAF4010B92549C36B211A89ACACEC76315E895706CD7634FE36E3E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - f8 de 65 c8 67 a7 03 30-8d 57 ce 05 4a b3 bb 7f   ..e.g..0.W..J...
    0010 - 5b 5c 74 94 c8 bb d9 c9-2e 5d 8e a8 ef ff ec cf   [\t......]......
    0020 - 6c 73 7f 96 7c 0d fa a9-1f 40 73 a8 61 cb 55 1f   ls..|....@s.a.U.
    0030 - f7 a9 fc 09 03 cd 29 90-27 c4 5a ac b6 a4 37 81   ......).'.Z...7.
    0040 - b7 74 c8 30 2c 2b 8d 53-5e 6d ea 81 54 0a d8 e8   .t.0,+.S^m..T...
    0050 - d6 25 9b 73 16 66 16 80-5b cd 26 bb b6 c8 0e 53   .%.s.f..[.&....S
    0060 - d1 8a e3 05 27 7f e0 47-f2 2a 72 e5 be 7e 09 ad   ....'..G.*r..~..
    0070 - 98 7c b3 dc a1 3d 4e b2-1d d2 83 ba 6c 0c 0a cc   .|...=N.....l...
    0080 - 4d be ca 70 02 ba 4e 49-44 04 5c 89 dd 66 24 da   M..p..NID.\..f$.
    0090 - e9 c7 74 91 88 39 2f ca-43 e3 47 57 9f 0b 0e a2   ..t..9/.C.GW....
    00a0 - 30 cf 58 ce 33 88 97 6a-bb 75 82 16 ce d1 00 22   0.X.3..j.u....."

    Start Time: 1740077793
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
 TLS SUCCESSFUL 
80226C28EF7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert -tls1_2
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALALAQABDCtDzj6vKD0RCD6fa9Gvy2xDJL8D5Oq9AELklScNrIR
qJrKzsdjFeiVcGzXY0/jbj6hBgIEZ7d64aIEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1:secp521r1:secp384r1
Shared groups: secp256r1:secp521r1:secp384r1
CIPHER is ECDHE-ECDSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.2 and ECDH
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.pem -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 -groups secp256r1
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:24 2025 GMT; NotAfter: Feb 20 18:55:24 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTI0WhcNMjYwMjIwMTg1NTI0WjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATAroqpuaRE9FfNUZRAhtYnF+eRnOCcMR/e3D06uj4ul9p9
UH+/ulsTX1hYx0i56REr9gVPu2RlCz6/tLFB138Qo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFHGuZRUq+9pf411EYQ5Q8J3vjGE0MB8GA1UdIwQYMBaAFDeW
c2bbdHILxHAXDCFhJyXn2eYtMA0GCSqGSIb3DQEBCwUAA4IBAQAWNhZl8M3dynzi
vYJfW2AEFq0UAinftuM0T84uHzAtNY1nzWuaSiFGON1MD6MqHDfWdZEvWuph/v9y
J6svstWPgmFuY8UQOCOWqEloeUp7BgEFI1yLvieQfJfFJ06hj36jhNWisBIZTI52
/VJEvX//xZU7AUCftMaPEue/smQNFnGa4KXdahy6bXMvBDhedh3/Sqthz97lhM0Q
RM7128DiFzkxrPFe/54WLFi1UIDITHdDEU1tLIjIooAYrZSfZ+RRjEyY7n4+txBL
gf0p1B5fwYKSKrFA98gzFw0UrloROsYigtGaKCGMNlE9yEDsCMrBMLp2mhzJQbEz
XEU9TVim
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1119 bytes and written 252 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Session-ID: 50F71A9653B1919940309E59AC15579F594BD3AE20C15AC94A7F3A30CBF58772
    Session-ID-ctx: 
    Master-Key: 0CBB35F13AA7419D97EA64FD2CFAD053F34A66AF3C1098650F8CAD4051FE7E3B12A273C25D1CB76F36E6A5277A6869F3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 9c cd c2 d4 73 68 7d 28-c2 d9 7e 39 6f ef fe ab   ....sh}(..~9o...
    0010 - 74 7c 08 e3 a8 28 48 5e-a9 43 46 6f 87 30 ae bb   t|...(H^.CFo.0..
    0020 - fd e5 a4 4b 3a bb f2 d4-db f7 fb 7f 0b 5a a0 b3   ...K:........Z..
    0030 - 4c 0f 88 89 3d 8c ac 2a-37 99 ce 8d b8 59 ee 8a   L...=..*7....Y..
    0040 - 29 a0 2b 19 45 47 81 50-db bb bd 2e a0 01 ae ef   ).+.EG.P........
    0050 - 42 5d 39 fe ce 0b a7 9b-d7 c0 49 6e d2 19 48 ed   B]9.......In..H.
    0060 - 3a 20 65 4f 3b 06 ca 07-50 94 a6 93 9d 46 88 53   : eO;...P....F.S
    0070 - ca d2 d4 9c 0f 89 d7 3e-0c 8f 1e d1 01 19 e9 dc   .......>........
    0080 - 19 fe bb 84 8a f9 7d a0-77 1c b0 d4 c6 2a e5 c5   ......}.w....*..
    0090 - 9c b2 1b 42 df b1 d0 39-77 5a f3 cb e5 0a 53 ce   ...B...9wZ....S.
    00a0 - 06 e6 56 9c d9 75 3a 81-83 98 05 46 c9 3e 93 0e   ..V..u:....F.>..

    Start Time: 1740077793
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
 TLS SUCCESSFUL 
80920BA8B57F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALAKwQABDAMuzXxOqdBnZfqZP0s+tBT80pmrzwQmGUPjK1AUf5+
OxKic8JdHLdvNualJ3poafOhBgIEZ7d64aIEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:ECDHE-ECDSA-AES128-GCM-SHA256
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1
Shared groups: secp256r1
CIPHER is ECDHE-ECDSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.3 and specific suite
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.pem -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384 -groups secp256r1
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:24 2025 GMT; NotAfter: Feb 20 18:55:24 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTI0WhcNMjYwMjIwMTg1NTI0WjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATAroqpuaRE9FfNUZRAhtYnF+eRnOCcMR/e3D06uj4ul9p9
UH+/ulsTX1hYx0i56REr9gVPu2RlCz6/tLFB138Qo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFHGuZRUq+9pf411EYQ5Q8J3vjGE0MB8GA1UdIwQYMBaAFDeW
c2bbdHILxHAXDCFhJyXn2eYtMA0GCSqGSIb3DQEBCwUAA4IBAQAWNhZl8M3dynzi
vYJfW2AEFq0UAinftuM0T84uHzAtNY1nzWuaSiFGON1MD6MqHDfWdZEvWuph/v9y
J6svstWPgmFuY8UQOCOWqEloeUp7BgEFI1yLvieQfJfFJ06hj36jhNWisBIZTI52
/VJEvX//xZU7AUCftMaPEue/smQNFnGa4KXdahy6bXMvBDhedh3/Sqthz97lhM0Q
RM7128DiFzkxrPFe/54WLFi1UIDITHdDEU1tLIjIooAYrZSfZ+RRjEyY7n4+txBL
gf0p1B5fwYKSKrFA98gzFw0UrloROsYigtGaKCGMNlE9yEDsCMrBMLp2mhzJQbEz
XEU9TVim
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1035 bytes and written 327 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 2DBC49DFDEE355AED68D92A3C87693FB035DC70FF4B78CBFCB1BCBBC51162F12
    Session-ID-ctx: 
    Resumption PSK: 852B63D1EE9D6ADD88A7407EFA62311AE246A5E69A7B77DC345D1B1787307206F0FD5CC29DBEF4356581095A8FA9CD74
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - e5 57 fb 67 b6 af dc 51-bf 19 b7 ad cb 34 9f ba   .W.g...Q.....4..
    0010 - 32 82 4a fd 0e cf b8 de-c9 b5 f7 70 8b eb c1 a1   2.J........p....
    0020 - 5c 91 b1 d9 f0 8c 98 38-0e c4 4a c8 94 7f 88 30   \......8..J....0
    0030 - 5e 08 0b cd 9f 45 1b 3d-52 fc b1 18 a7 02 83 6c   ^....E.=R......l
    0040 - 11 f5 1d 44 80 67 7b 9b-a9 65 1f 23 1f d2 17 60   ...D.g{..e.#...`
    0050 - 7d 7e 86 52 33 a8 ae 38-40 c6 16 a6 f4 82 30 5b   }~.R3..8@.....0[
    0060 - 45 e9 63 39 ee 4a ea 80-fc 7e 5d 29 19 01 13 b3   E.c9.J...~])....
    0070 - a7 3f 5a aa 8e 56 8d d6-5b 64 5d 70 30 ea 58 0a   .?Z..V..[d]p0.X.
    0080 - a4 fc 9d 43 8c a6 3d 64-87 4c 08 0d 29 06 65 8f   ...C..=d.L..).e.
    0090 - 36 bb f7 8c c4 0a 9c 98-fa 5f 08 ae 7f e8 a2 13   6........_......
    00a0 - c6 e8 20 24 40 53 f8 81-b7 da 1c e0 2b 2e a1 6c   .. $@S......+..l
    00b0 - e6 b0 2c b7 ac 07 a4 c2-d3 7c 7b 6f 09 80 f2 a8   ..,......|{o....
    00c0 - f8 4f b3 2c ad 0c ab 28-d9 a8 a2 10 c7 6d e2 aa   .O.,...(.....m..

    Start Time: 1740077793
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: D034D74018727C2CE791145A403F29350BCD1F85CD967614DD4C724B4FA60FD3
    Session-ID-ctx: 
    Resumption PSK: DC386CBF7F11265309D82278DF1FCACAA636B2A4163153F40FE33EC783B70DC8867C05D1D6D70B43E5D19FD14C0E4DFF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - e5 57 fb 67 b6 af dc 51-bf 19 b7 ad cb 34 9f ba   .W.g...Q.....4..
    0010 - 0d b8 35 36 8b 95 ee 4a-25 6d de b3 9e e8 7b 1f   ..56...J%m....{.
    0020 - 5d 71 30 fc 37 26 98 d7-14 58 10 05 43 c7 2c 4a   ]q0.7&...X..C.,J
    0030 - 06 1b 1a 9b 6c f1 1e fd-db 0f fa cb b6 95 38 b1   ....l.........8.
    0040 - d5 39 61 b2 84 8e e8 d8-fb 53 5a cc 8a d2 39 db   .9a......SZ...9.
    0050 - 1d dd d0 e0 b1 7a e7 5a-54 65 86 76 f8 00 88 e9   .....z.ZTe.v....
    0060 - 73 bf 56 5f 78 22 0f c0-14 29 1d 93 d0 ec 1e f9   s.V_x"...)......
    0070 - 3c 2c d8 c2 84 d6 ff dc-1d 50 66 19 bd 4b 38 f6   <,.......Pf..K8.
    0080 - 1e c8 4b a7 5d 58 b1 b2-4b 20 b1 52 b9 ee ab 91   ..K.]X..K .R....
    0090 - e1 d3 4f 36 1d 6b 23 2e-70 14 cc 10 9d d7 a3 19   ..O6.k#.p.......
    00a0 - 8a 16 ac e7 d3 13 22 88-a5 2b ef 96 c8 d3 bc b1   ......"..+......
    00b0 - 21 fe fb 08 0e a2 53 c3-4c a1 6d 78 19 71 e9 1c   !.....S.L.mx.q..
    00c0 - de 85 f8 6e f8 13 07 d7-e7 eb 17 77 13 93 66 50   ...n.......w..fP

    Start Time: 1740077793
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
8082F799BB7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEIL3xVToGKnWHu7D3L8xCdbGBKHT9blhAt27WX/Px+hIn
BDDcOGy/fxEmUwnYInjfH8rKpjaypBYxU/QP4z7Hg7cNyIZ8BdHW1wtD5dGf0UwO
Tf+hBgIEZ7d64aIEAgIcIKQGBAQBAAAArgcCBQCHTw/BswMCARc=
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Supported groups: secp256r1
Shared groups: secp256r1
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

                                      ##
########################################

########################################
## Forcing the provider for all server operations


## Run sanity test with default values (RSA)
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.pem
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My Test Cert
   i:CN=Issuer
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:23 2025 GMT; NotAfter: Feb 20 18:55:23 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTIzWhcNMjYwMjIwMTg1NTIzWjAxMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAJo9UsjLoxTrA++RBh+DD3NZECq4H1sr1sML
VSiSZxj5NrFiqTNXirImptY2wphstSF3PJ5r8BRpg6DqWNxvLRSxQMUqRKjxhW2f
sM95DpFHqHTv2LOdIdnJ/2xQ8RdoYhIcc3qeCmdpbEoTUW5HQcJ/ALyn/WQie8qp
6N2Vg29KcWMc3pKn9gwRUv2NehCNJsVZpD40xI/ORYlsQUtnk7PGDdFAJ76EZ5AA
A0bpZT/74I5dMKq/pLGp6InGQ5TnsydjTgPMBhSVQfraOqbTNQ2VozRAagXfNO/b
WS+aAeAHkfFTbLQRMbmgdJzyOVlhXKJwsHe9iwvbsrqrvECJjWMCAwEAAaOBgTB/
MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBS4LQOR1lpq8ED5sLonItzjTVol1jAf
BgNVHSMEGDAWgBQ3lnNm23RyC8RwFwwhYScl59nmLTANBgkqhkiG9w0BAQsFAAOC
AQEAbZEhJ23VxLFQO0dU8YEOl6uBPgbtfpNDzgOTfN9NPtWP2WFAYDsK0TD3f6Z6
WxVOZnt1vUEepEBeIB3U3OBHSR3Y6Ebmd36f2HzEe/JeC1xE2QoYOfeED0xMqvzk
+nyyjm4wzw6/NI8XzcrMl90o2pN66H4MfkNaDa8lMbw0dl75R9ndIgj6qAdWO1aO
NfdQRwfr/WuVmLYINCKfqbzAUcIGQa9CP280eHHpxHjFMYx8KuN12p7Z6XgerGGw
I5zfK7/sUrNaHYj4VTvKh2+HV0PnduQm0fcvdZkz07WUE0KGeRF92/iLd/jRZVK9
c01T6npGwA96fIt9JdMQNughzw==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, ?, 0 bits
---
SSL handshake has read 1424 bytes and written 371 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: E231183CE2D7F3511542D6FA7F86E744D413618A2715E34E423767EC02A7BC01
    Session-ID-ctx: 
    Resumption PSK: EFE749AB13F9CA182AD9F502B8944DC9F394324464E1485B2E79D1694A1ED0DFDFE4E404FA31D8A0D4AF41F6FE2267A1
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 65 07 e1 67 8d 9b 56 ff-b2 77 7e 48 f2 9c 8b 1d   e..g..V..w~H....
    0010 - 89 37 81 28 87 7b 9d 29-ea 95 df 33 dd db 78 81   .7.(.{.)...3..x.
    0020 - 09 1f ed 45 14 5a 84 c2-28 77 9a 98 5a 0c 46 b5   ...E.Z..(w..Z.F.
    0030 - ac 90 50 43 0f a9 8c 53-97 5a f5 5f 35 52 15 df   ..PC...S.Z._5R..
    0040 - 42 ec 17 dd 04 69 6c 5a-45 96 b9 93 7b 12 d1 15   B....ilZE...{...
    0050 - b7 de ec 83 86 d3 b9 cc-29 31 8e 97 9b 21 3a d9   ........)1...!:.
    0060 - 0e 62 98 b9 99 09 69 fe-b9 0a 5e 5d 36 45 49 f5   .b....i...^]6EI.
    0070 - f6 0c 26 b8 99 5d 57 1f-79 13 50 9a 79 f9 de 0c   ..&..]W.y.P.y...
    0080 - 3e 00 d6 2a b8 16 ff 37-6c 10 dd a7 ba e6 7a 11   >..*...7l.....z.
    0090 - 9f f9 fc 81 83 f6 be b5-3a da d1 0e 5a c6 cc ac   ........:...Z...
    00a0 - bc 65 b4 7e 18 f8 1b 71-06 6d 15 91 33 93 cb 4a   .e.~...q.m..3..J
    00b0 - c6 98 07 04 4d 9f b5 ce-b6 60 87 bc 04 80 09 5d   ....M....`.....]
    00c0 - 0d a8 22 09 33 77 ba be-43 c2 60 20 ef a9 99 4c   ..".3w..C.` ...L

    Start Time: 1740077793
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 8CCBA7A241F408AED0B83E3DCA9167084699D29921A0ABF41D3950F6CC846469
    Session-ID-ctx: 
    Resumption PSK: 3AB195B0966D58CBEE4F7E3DFD4992225A039A78DD17513A5A7B5C9EB9F6AE1A16A1232FC2329CDF2CEAEF50C85328B7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 65 07 e1 67 8d 9b 56 ff-b2 77 7e 48 f2 9c 8b 1d   e..g..V..w~H....
    0010 - 9a 0c 9e 29 79 c5 3f 90-c3 ac 07 a3 f1 f5 fa ff   ...)y.?.........
    0020 - de 87 e8 20 7c 97 c2 9b-7b 4f 9a 19 c9 6e 21 b1   ... |...{O...n!.
    0030 - 01 0a 9c 32 55 53 35 e2-a7 ae ab eb b1 4c 8a 85   ...2US5......L..
    0040 - 20 21 b8 6a 77 c4 5d bb-a6 b2 13 78 b0 2a 5c e2    !.jw.]....x.*\.
    0050 - 40 b7 29 ac 5b 13 9a 05-1d 99 2e 0c 88 a8 7d df   @.).[.........}.
    0060 - b8 40 2c d5 47 83 bf 74-39 12 31 5b 5a 69 7d c4   .@,.G..t9.1[Zi}.
    0070 - 92 e2 cc 4b 90 3e b2 31-80 09 b3 43 2e 52 ab ef   ...K.>.1...C.R..
    0080 - 96 f2 c9 44 d9 66 fd ff-e5 d1 69 8c cd ec 2d 3c   ...D.f....i...-<
    0090 - 44 98 8b 9c 2c 60 f0 10-47 4f de a0 c5 c9 ae 9d   D...,`..GO......
    00a0 - 5e 9d 82 95 ab 98 5d 17-ef 31 00 17 93 57 0e d2   ^.....]..1...W..
    00b0 - 80 2d 2c db c8 a3 15 14-d9 52 e1 f4 0a a6 8f 2b   .-,......R.....+
    00c0 - 40 b3 d5 7c 9a 21 9a cf-f2 96 c4 88 2f 73 ee b6   @..|.!....../s..

    Start Time: 1740077793
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80328004147F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEIL/Ukgy+mJbArJl5YdL/56f4Zs5LuMTgIXs+SlNQSUFJ
BDA6sZWwlm1Yy+5Pfj39SZIiWgOaeN0XUTpae1yeufauGhahIy/CMpzfLOrvUMhT
KLehBgIEZ7d64aIEAgIcIKQGBAQBAAAArgcCBQCEuhM9swMCARc=
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run sanity test with default values (RSA-PSS)

## Generating a new selfsigned certificate for pkcs11:type=private;id=%00%10
 openssl req -batch -noenc -x509 -new -key ${KEY} ${AARGS} -out ${CERT}


spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.pem
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=0 C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
verify error:num=18:self-signed certificate
verify return:1
depth=0 C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
verify return:1
---
Certificate chain
 0 s:C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
   i:C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
   a:PKEY: RSASSA-PSS, 2048 (bit); sigalg: RSASSA-PSS
   v:NotBefore: Feb 20 18:56:33 2025 GMT; NotAfter: Mar 22 18:56:33 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEIzCCAtugAwIBAgIUYJzUQYv7GotiWmgsAWZKvdapGk0wPQYJKoZIhvcNAQEK
MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC
ASAwZzELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMREwDwYDVQQHDAhO
ZXcgWW9yazEYMBYGA1UECgwPUEtDUzExIFByb3ZpZGVyMRgwFgYDVQQLDA9UZXN0
aW5nIEhhcm5lc3MwHhcNMjUwMjIwMTg1NjMzWhcNMjUwMzIyMTg1NjMzWjBnMQsw
CQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3Jr
MRgwFgYDVQQKDA9QS0NTMTEgUHJvdmlkZXIxGDAWBgNVBAsMD1Rlc3RpbmcgSGFy
bmVzczCCASAwCwYJKoZIhvcNAQEKA4IBDwAwggEKAoIBAQDHvlsv44hIFr7d1mNS
+s0LRCyc7B/hzOtD/8NrQ83P+KkTPC1/SiAncrDQWfNG0GVmkIv0tlfyjt1PMgVy
0ErspSGo+iy5lITqtwA0EKe6kza1c3MxmKFu+eF9YWZg+cOXDlISNClKSDGbx2GY
eJ7yduFfKo8aP+gJrnMT2mgrxwW4xiE1RypJY9TbWcqkmyS+scNegwT0RubLftpG
k7Qy3ogHMDQjaVa1C2kYTV4xg5orYYhzdxYr/SSxqLxhT1MUdHrJOx+faHlLVl/F
n7Sj88fZt7RYX+fLr4yDXsEORWGnOXqU6Ja7jZ8PQJwIwHVSe2rl6/zUGEDHF4bV
fMedAgMBAAGjaTBnMB0GA1UdDgQWBBTdfEj3y3CjFaZUJ8hCZwa6vuLa2DAfBgNV
HSMEGDAWgBTdfEj3y3CjFaZUJ8hCZwa6vuLa2DAPBgNVHRMBAf8EBTADAQH/MAkG
A1UdEQQCMAAwCQYDVR0SBAIwADA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQC
AaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIBIAOCAQEAFRdFHzMvKLqP
+ce9MuciqyIwwX7VkcL2wU3Qw0f571FyuEsaUBIZSu/fKafHX4VS06K1vQ9LYNUZ
09599GfRhn5OGWksnxq504N9aUyXNnE7QvRUX+ycyCI4kv9fIM30bONt8eW2ArbN
dXorczSD/UvDPPEqU2dCgg64QrF3Lwaxnd4LY5llcYp4qxSXayL1jxFXKg1KYt4Y
I55MvU6kJD3u8JJttyCYme2phWBtjVXu6sSlkLrfEB21uLvQoCKZiKDWiVZPMSrC
xtyPm9jQwtBfQEmwoIGwexxyOieHbN2dWY0UjI954o7Swht3Bfx/Sha4+sAfLz//
97IyZC0RVQ==
-----END CERTIFICATE-----
subject=C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
issuer=C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, ?, 0 bits
---
SSL handshake has read 1652 bytes and written 371 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 489F7D214094ED9E826F04B29A9B04A305B1A85A8EA44A4D4AF87B636E57E03B
    Session-ID-ctx: 
    Resumption PSK: A6D9BAEBE1A5190DD86D0604C79AEE821A8F66E6A0E3855232300C3C1B7F480904697296BBCF5DDE23AA5C1DABE36E5C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 36 50 bd 41 d4 66 f6 9c-47 15 8a 32 e5 10 2b 90   6P.A.f..G..2..+.
    0010 - 35 ef dc 6d 4a 89 5c 71-42 1a dd e5 b0 68 d4 b2   5..mJ.\qB....h..
    0020 - 65 56 a7 38 e9 8a 5b 46-13 e1 c5 67 ba 2f 6c b2   eV.8..[F...g./l.
    0030 - 1e 98 4c f6 61 a4 a0 84-0b 3d 2b 33 51 e1 52 cf   ..L.a....=+3Q.R.
    0040 - 4b 70 5f 95 4a 6e ef d7-17 70 bc bd 80 1b 51 b5   Kp_.Jn...p....Q.
    0050 - aa 8e a9 0d 98 6d 2e 94-40 3c 46 b0 21 dd 02 ec   .....m..@<F.!...
    0060 - 12 1e 86 1a 64 50 14 c9-fd ea 7c 98 32 d8 73 e2   ....dP....|.2.s.
    0070 - 4e c8 49 9f 6e 8c 53 2d-53 54 ea 83 12 af f7 8a   N.I.n.S-ST......
    0080 - f1 ef d2 84 66 f1 3c 4b-63 40 32 38 7f 13 f0 56   ....f.<Kc@28...V
    0090 - ac ec 1c 7d 7e ec 73 a3-9d 90 1c 70 cc 81 69 4d   ...}~.s....p..iM
    00a0 - 2e 40 51 88 1b e8 0f 5c-3b b0 ba 68 78 26 db 44   .@Q....\;..hx&.D
    00b0 - 92 58 5a 12 22 c6 42 d8-c2 b8 50 84 b6 94 b1 b5   .XZ.".B...P.....
    00c0 - 2c 7e 34 c8 40 bc 06 50-f1 9d 97 82 cd 0c 6e bd   ,~4.@..P......n.

    Start Time: 1740077793
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: C4C578E19D9709F4F276E54B2B8C70C50CC373323CAD345BBD4F69D77C79534A
    Session-ID-ctx: 
    Resumption PSK: 4A1BBBBED8161B2D558724A2E98336AE90087FC255A200249AE3CABCACEB926AD078A31B9BC804A0EE8BE1C9AE66760D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 36 50 bd 41 d4 66 f6 9c-47 15 8a 32 e5 10 2b 90   6P.A.f..G..2..+.
    0010 - 60 38 54 b8 4e dc 80 a3-28 b0 b5 78 d2 27 2b 09   `8T.N...(..x.'+.
    0020 - b1 17 67 41 23 05 76 4a-0b 65 94 95 c5 cf d2 cd   ..gA#.vJ.e......
    0030 - ed 86 8d 32 4b 73 2d dc-37 a9 18 7a 61 2d 4f 80   ...2Ks-.7..za-O.
    0040 - 3c f9 bf e4 fe b3 50 cf-76 b3 21 6c 3d 4b 1f e1   <.....P.v.!l=K..
    0050 - 05 5e 31 64 8f 40 59 5e-18 2f eb 31 93 a7 83 71   .^1d.@Y^./.1...q
    0060 - 9c ad c5 3a 19 d4 b4 c0-86 72 82 fe cc a4 d3 99   ...:.....r......
    0070 - 61 bf ab 36 97 ef 19 8a-9d 83 04 9d e4 ad 1d c3   a..6............
    0080 - f4 c8 bf 9b b3 7a d5 39-de cd d4 ce d3 94 34 3c   .....z.9......4<
    0090 - b2 b1 24 1b bf ab eb 89-1f 01 99 32 19 2d 4a 75   ..$........2.-Ju
    00a0 - 25 d3 20 86 cf 7d 84 f8-e1 5b a6 cd 8b cf d1 d1   %. ..}...[......
    00b0 - 18 96 b3 43 7b f4 a7 ac-c4 1c 42 bf 3a 1e d2 c1   ...C{.....B.:...
    00c0 - 05 e6 21 3b b2 80 cb de-c4 e6 ed 36 f6 b0 fd 76   ..!;.......6...v

    Start Time: 1740077793
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
8072AB9EB97F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%10 -cert /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/rsapss-default.pem
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEIP8n6JKrFT2X1vZ4OFEgFthatnLhUXKDDoxqqh5Kq95P
BDBKG7u+2BYbLVWHJKLpgzaukAh/wlWiACSa48q8rOuSatB4oxubyASg7ovhya5m
dg2hBgIEZ7d64aIEAgIcIKQGBAQBAAAArgcCBQDq2cmDswMCARc=
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run sanity test with RSA-PSS and SHA256

## Generating a new selfsigned certificate for pkcs11:type=private;id=%00%11
 openssl req -batch -noenc -x509 -new -key ${KEY} ${AARGS} -out ${CERT}


spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.pem
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=0 C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
verify error:num=18:self-signed certificate
verify return:1
depth=0 C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
verify return:1
---
Certificate chain
 0 s:C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
   i:C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
   a:PKEY: RSASSA-PSS, 3092 (bit); sigalg: RSASSA-PSS
   v:NotBefore: Feb 20 18:56:33 2025 GMT; NotAfter: Mar 22 18:56:33 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFKDCCA12gAwIBAgIUXScoug1/+ivgsY41ggwG0jKveBYwPQYJKoZIhvcNAQEK
MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC
ASAwZzELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMREwDwYDVQQHDAhO
ZXcgWW9yazEYMBYGA1UECgwPUEtDUzExIFByb3ZpZGVyMRgwFgYDVQQLDA9UZXN0
aW5nIEhhcm5lc3MwHhcNMjUwMjIwMTg1NjMzWhcNMjUwMzIyMTg1NjMzWjBnMQsw
CQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZb3Jr
MRgwFgYDVQQKDA9QS0NTMTEgUHJvdmlkZXIxGDAWBgNVBAsMD1Rlc3RpbmcgSGFy
bmVzczCCAaIwCwYJKoZIhvcNAQEKA4IBkQAwggGMAoIBgwwDhk9dCDy0paKBYMqh
GNOOosp5BJPuO0iT4Uy2q7yVTsgSBQ72S08PPdws4vtmxey6dwuNkNzDCkn1NKZX
XYeBJJEcipNUAfJz1EXUJVnd0FRGOlUzm8nPo09cSK7OL/JGBC/uAvLpq9LCxUvm
cu0GtlE+A4KdoK5DFWLHOp8HOM5oJVL2PK0SzaBSAzZdJqoRSXB6SGUzqSA+zswd
K4YcsaQu5axj8uuS9uNfWYy4DZr9/AsNXKoYyPxbbqdYqIkV8l938YmvdtehjeBT
KWQo/Ppvbw23zj1HbeE55ptoQE0UMU6TCUByVlAneffKlUMYiL7sFPqQcEJ41xn4
aWZLZdc1ng7F1RHrbCszyfIhFx5apOLjGUc0h2RnXHGslTLZq+lliTcCnDdug8AK
b6OD6eI25j6b8DfHbQmWjW0tvPJxP3jyFOiMH1xAS2+Nhc6jnSy+SMNDdR0zezQi
PRjXPjOFdGJbDapZFAhK20xCo0/NrSHa/vk/5Xf+k2sVowj8mQIDAQABo2kwZzAd
BgNVHQ4EFgQUU0xZmGfw8m2/bPApTp5w6i7dGrwwHwYDVR0jBBgwFoAUU0xZmGfw
8m2/bPApTp5w6i7dGrwwDwYDVR0TAQH/BAUwAwEB/zAJBgNVHREEAjAAMAkGA1Ud
EgQCMAAwPQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0B
AQgwCwYJYIZIAWUDBAIBogMCASADggGEAAg4ilUtof8XuB6Op4zfDrDR0E4V0o+9
UlYh5N7fY8qyVCm6SdMmY3ZSnNn/GQ6hI24uv62puZmZzs01ZYRw+wFV3XqwVAeQ
JAtkJ5NXSUoqDkionp5xCAdzLRAfFjeD49nBZWQj6/Mpg2k6bLZyhaKRbCCDlaAz
sRtA5TZW/F/b2QUH18mNWD5cCk9+ICgfTgrkp3yFjXAULVY2LNr/sV+TxFjGZU4N
YumaHc/OmWqhwrsxLYz8CL9KipcNzgKNyBDlkOmCPdTDTI2FrZyRjb46qYei+MbP
zMCL4Pw+O/pUVSh864BLhWZdJIUuUWVqsRX4U6VHYdIGCX1ucHg6OjjyWS6q/fC0
E57biSVfiRWDJEI5wV5qTGhmTdhMW+uytW1/eZCKd363VQEMYBIVU3lHslIr6kvu
V0qQKnPtcjyIth1lyod+wwaMrC2+uLwyoIvn9lApjbpTgpreyLN9l71nUt3LN3vS
Kl8FptxEn6KGeejagIkNB7Z9ltM8WG3zbA9new==
-----END CERTIFICATE-----
subject=C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
issuer=C=US, ST=New York, L=New York, O=PKCS11 Provider, OU=Testing Harness
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, ?, 0 bits
---
SSL handshake has read 2044 bytes and written 371 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 3092 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 5B885E04802998D7933713A5632FFA284B9401BAAE1ACA3FF098DD8FFB6E3971
    Session-ID-ctx: 
    Resumption PSK: 5EA7B1F2B05277EF5E5D6EC739EF0940BFD4849EF7CFFBC9EE38D37F0BA2D50C5242CE043E9B82C4C16C7BB13DF50A61
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 23 00 10 53 c4 54 da 15-ec b0 df bc d5 18 2d 1f   #..S.T........-.
    0010 - ca 30 3d ef fe 6d e9 e4-65 2a 08 f8 a9 73 dc aa   .0=..m..e*...s..
    0020 - 2e 30 ea a6 13 2e 6a 72-eb 14 a5 5f 52 60 cb 38   .0....jr..._R`.8
    0030 - ae e2 2e 23 eb f1 a5 9e-2c 36 4f 07 c8 1b 81 49   ...#....,6O....I
    0040 - 99 60 b9 82 32 26 6e 75-ba ed 10 3c 67 cc ed 3f   .`..2&nu...<g..?
    0050 - 25 f9 d2 d7 69 2b c7 98-c4 56 34 85 13 ff e2 38   %...i+...V4....8
    0060 - fa 91 ea 11 c8 95 5c 90-71 d1 b8 63 70 d8 40 51   ......\.q..cp.@Q
    0070 - 82 76 e9 fe d0 ed 66 a2-3d 0f 2f 02 1f 39 4c 92   .v....f.=./..9L.
    0080 - fe 81 7f d2 a7 7c c4 60-d0 5a fc 20 11 fa b8 d1   .....|.`.Z. ....
    0090 - 02 a9 52 b4 64 36 65 66-c3 71 8e 7d 3a e6 ce bf   ..R.d6ef.q.}:...
    00a0 - d2 97 3b d1 d4 70 ad a3-41 e3 0b 02 9e c6 90 00   ..;..p..A.......
    00b0 - 25 49 9a 30 f0 13 0c 3c-93 9b 17 84 a8 ab fc 5a   %I.0...<.......Z
    00c0 - 40 a9 85 8e cf 89 42 18-29 87 9b d0 74 29 8f a5   @.....B.)...t)..

    Start Time: 1740077794
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 0FC4A2A4C35B5010537DB6AC30E655307FCD3791D6948512D7DC826F363F1A9F
    Session-ID-ctx: 
    Resumption PSK: 4172382301065D7C76A6B4AF2956E28E87BD8FDFC00C69EB447AAA0738225D085B9B1A519BB470DBC9423AE70DC7671E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 23 00 10 53 c4 54 da 15-ec b0 df bc d5 18 2d 1f   #..S.T........-.
    0010 - 7c 34 d4 45 15 56 27 7e-4c 66 59 83 98 e3 10 2a   |4.E.V'~LfY....*
    0020 - 98 c8 96 58 f4 95 5b c6-e7 b1 0f fd 11 07 e3 d2   ...X..[.........
    0030 - 58 c2 1f 86 0c 13 3c 54-0c 17 ec 6e b4 2d 30 44   X.....<T...n.-0D
    0040 - 47 1f 57 5c 1b 02 ee da-bb f4 be 24 c1 e9 b7 2c   G.W\.......$...,
    0050 - ee 26 d1 52 66 7d 4c 7c-b2 8c fe f8 a9 1b 53 55   .&.Rf}L|......SU
    0060 - 02 20 ac 86 e4 9d 6e 6b-1b 6a 23 22 fa ac 8c 05   . ....nk.j#"....
    0070 - 60 35 3f e1 0d ca 4a 34-ed aa 29 c5 2e 0e c9 cb   `5?...J4..).....
    0080 - e1 b6 5f 9e dc d3 65 16-3c f1 84 5f 94 7b b6 ac   .._...e.<.._.{..
    0090 - 1a 8e dc db 0f 1f e7 e3-9b 53 60 b1 6a 22 17 a0   .........S`.j"..
    00a0 - 37 cb ae e5 af 05 0e 25-9d 2f ac d7 38 22 f3 2f   7......%./..8"./
    00b0 - 31 f1 69 1a 19 f5 75 c4-f6 9e 7f a4 53 d1 90 4d   1.i...u.....S..M
    00c0 - 5b 19 ee 76 bb fb 2b 3b-62 5b b4 13 ef 10 76 0c   [..v..+;b[....v.

    Start Time: 1740077794
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80524453277F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%11 -cert /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/rsapss-sha256.pem
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEIPL9Hset2d+UTCiLoHuVMgW1lF2ubV5WXYHXpfSB2COa
BDBBcjgjAQZdfHamtK8pVuKOh72P38AMaetEeqoHOCJdCFubGlGbtHDbyUI65w3H
Zx6hBgIEZ7d64qIEAgIcIKQGBAQBAAAArgcCBQCwCxB9swMCARc=
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run sanity test with default values (ECDSA)
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.pem
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:24 2025 GMT; NotAfter: Feb 20 18:55:24 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTI0WhcNMjYwMjIwMTg1NTI0WjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATAroqpuaRE9FfNUZRAhtYnF+eRnOCcMR/e3D06uj4ul9p9
UH+/ulsTX1hYx0i56REr9gVPu2RlCz6/tLFB138Qo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFHGuZRUq+9pf411EYQ5Q8J3vjGE0MB8GA1UdIwQYMBaAFDeW
c2bbdHILxHAXDCFhJyXn2eYtMA0GCSqGSIb3DQEBCwUAA4IBAQAWNhZl8M3dynzi
vYJfW2AEFq0UAinftuM0T84uHzAtNY1nzWuaSiFGON1MD6MqHDfWdZEvWuph/v9y
J6svstWPgmFuY8UQOCOWqEloeUp7BgEFI1yLvieQfJfFJ06hj36jhNWisBIZTI52
/VJEvX//xZU7AUCftMaPEue/smQNFnGa4KXdahy6bXMvBDhedh3/Sqthz97lhM0Q
RM7128DiFzkxrPFe/54WLFi1UIDITHdDEU1tLIjIooAYrZSfZ+RRjEyY7n4+txBL
gf0p1B5fwYKSKrFA98gzFw0UrloROsYigtGaKCGMNlE9yEDsCMrBMLp2mhzJQbEz
XEU9TVim
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, ?, 0 bits
---
SSL handshake has read 1033 bytes and written 371 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 4C2BF0CF09AF327B25DDC543811B7D3411A2004F5BC954BD0C785C27717713A6
    Session-ID-ctx: 
    Resumption PSK: 2D4527FF8BD83BB24E0504C140B83550C7C864E7B42ADD9FB8E90B6BB2AC0882BACE18B94035F768BDB67CD4EA188E7D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 5a 82 34 ae d5 bd a5 6f-ce 19 0b e3 c1 83 c0 6d   Z.4....o.......m
    0010 - 74 28 5e d0 e7 ee 30 70-70 1d 80 c9 0d 8f 17 22   t(^...0pp......"
    0020 - a2 41 13 a3 8e 51 80 b1-08 90 b3 87 6d fb 8f 26   .A...Q......m..&
    0030 - 55 b3 e2 8f 6b af cf d5-ec 8b b0 2f 86 98 3c 91   U...k....../..<.
    0040 - 1f 46 92 6b 42 71 3a b2-cd a1 0f 42 2b b4 a7 4f   .F.kBq:....B+..O
    0050 - cd 40 4a a8 d0 aa eb 0d-21 c2 83 01 af 77 d5 cc   .@J.....!....w..
    0060 - 73 d8 50 e8 91 01 89 03-02 be 26 37 66 73 36 15   s.P.......&7fs6.
    0070 - ca 77 b8 48 df 81 e9 35-ca 0f 3d f4 cc 08 dc ba   .w.H...5..=.....
    0080 - 05 d4 a5 37 ad 13 bd 59-d0 b7 48 47 9b 52 30 8e   ...7...Y..HG.R0.
    0090 - 1e 0f 52 86 3a 8f 84 e7-d1 57 c6 02 3f 8c 0e af   ..R.:....W..?...
    00a0 - 99 36 c0 8a 75 e9 f9 f1-45 57 42 b0 98 01 3c fd   .6..u...EWB...<.
    00b0 - c6 18 e2 5c 9a 9a 17 a4-6c f7 9d a1 b7 de 71 0d   ...\....l.....q.
    00c0 - b5 a2 59 ff 59 57 c1 0a-e9 70 97 ae 5a b2 cc 38   ..Y.YW...p..Z..8

    Start Time: 1740077794
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 5F17F4610C9867D32585F537299FD7BFC6FE241C2A96DFF6F5169F3130EB2691
    Session-ID-ctx: 
    Resumption PSK: C8D8EFFDAF05E3FFFE3B302B3A876734F45EACCF49838B1C95B8903956CF6F97F2FA82CC58261B5206245508A700C827
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 5a 82 34 ae d5 bd a5 6f-ce 19 0b e3 c1 83 c0 6d   Z.4....o.......m
    0010 - f4 b8 bd ab eb 36 cb b1-27 4c 47 4a 0c b6 93 1a   .....6..'LGJ....
    0020 - 11 30 05 cb de e1 ad d8-25 94 62 a2 ac b8 7b 58   .0......%.b...{X
    0030 - a3 e6 2b c7 f4 31 a1 49-67 d8 9a 48 19 c3 c4 f5   ..+..1.Ig..H....
    0040 - 02 c0 d6 09 c2 56 80 bb-c1 ae 73 8b c1 5f b2 62   .....V....s.._.b
    0050 - 0f 2f 7b 68 cb 97 20 54-3e cb bc 70 8d 1d 80 20   ./{h.. T>..p... 
    0060 - 2e df da 50 87 de 41 34-d7 1d 62 21 ea eb 2d 7a   ...P..A4..b!..-z
    0070 - 44 07 48 99 be 3c 6a 77-b2 b1 ab 21 b0 91 d1 d0   D.H..<jw...!....
    0080 - 42 c2 94 97 9d 16 b3 e6-b1 4e 1d 18 a4 0d e4 18   B........N......
    0090 - de fd d0 71 37 9a af b7-e0 c6 c3 cc 52 b3 5e 79   ...q7.......R.^y
    00a0 - e7 e7 36 22 7c 6d 6c 4b-0e d4 c4 c2 cc 1f 9b 19   ..6"|mlK........
    00b0 - c0 65 ef 46 db 39 5f 67-4d 0d 72 64 f0 f4 19 a0   .e.F.9_gM.rd....
    00c0 - ba c0 e8 e2 20 9b 1e d0-bf cd 76 47 d9 f4 2d 32   .... .....vG..-2

    Start Time: 1740077794
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
802261AE7D7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEIAWWV04/ToHm+kM63+BsBCmv/KyngLzJFvV56GfLLXyA
BDDI2O/9rwXj//47MCs6h2c09F6sz0mDixyVuJA5Vs9vl/L6gsxYJhtSBiRVCKcA
yCehBgIEZ7d64qIEAgIcIKQGBAQBAAAArgcCBQCd9s7MswMCARc=
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.2
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.pem -tls1_2
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My Test Cert
   i:CN=Issuer
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:23 2025 GMT; NotAfter: Feb 20 18:55:23 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTIzWhcNMjYwMjIwMTg1NTIzWjAxMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAJo9UsjLoxTrA++RBh+DD3NZECq4H1sr1sML
VSiSZxj5NrFiqTNXirImptY2wphstSF3PJ5r8BRpg6DqWNxvLRSxQMUqRKjxhW2f
sM95DpFHqHTv2LOdIdnJ/2xQ8RdoYhIcc3qeCmdpbEoTUW5HQcJ/ALyn/WQie8qp
6N2Vg29KcWMc3pKn9gwRUv2NehCNJsVZpD40xI/ORYlsQUtnk7PGDdFAJ76EZ5AA
A0bpZT/74I5dMKq/pLGp6InGQ5TnsydjTgPMBhSVQfraOqbTNQ2VozRAagXfNO/b
WS+aAeAHkfFTbLQRMbmgdJzyOVlhXKJwsHe9iwvbsrqrvECJjWMCAwEAAaOBgTB/
MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBS4LQOR1lpq8ED5sLonItzjTVol1jAf
BgNVHSMEGDAWgBQ3lnNm23RyC8RwFwwhYScl59nmLTANBgkqhkiG9w0BAQsFAAOC
AQEAbZEhJ23VxLFQO0dU8YEOl6uBPgbtfpNDzgOTfN9NPtWP2WFAYDsK0TD3f6Z6
WxVOZnt1vUEepEBeIB3U3OBHSR3Y6Ebmd36f2HzEe/JeC1xE2QoYOfeED0xMqvzk
+nyyjm4wzw6/NI8XzcrMl90o2pN66H4MfkNaDa8lMbw0dl75R9ndIgj6qAdWO1aO
NfdQRwfr/WuVmLYINCKfqbzAUcIGQa9CP280eHHpxHjFMYx8KuN12p7Z6XgerGGw
I5zfK7/sUrNaHYj4VTvKh2+HV0PnduQm0fcvdZkz07WUE0KGeRF92/iLd/jRZVK9
c01T6npGwA96fIt9JdMQNughzw==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1509 bytes and written 274 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: C0C152055A325DB0DB81C868630FD454B154425AF1461A50F92BBA80BD4D9BC6
    Session-ID-ctx: 
    Master-Key: 3F7E100FDA3C13AD1D3CB6F54FD6D18BF0784A0FEE1E6FBA141B1B3C126FF57D279484E0B66B0561724135BDAA7AF213
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ca a4 f4 22 c8 28 48 70-c6 20 2e 27 59 64 e4 1e   ...".(Hp. .'Yd..
    0010 - c8 bf 62 77 0f 48 08 14-26 a6 cc 84 c2 2d 5b 08   ..bw.H..&....-[.
    0020 - 22 0a 3f ec 9d 6f 64 44-4f c3 fe b2 a9 90 cd 3c   ".?..odDO......<
    0030 - 37 ec 73 80 7d 54 66 0f-3e 59 c9 1c 6a 48 6b 40   7.s.}Tf.>Y..jHk@
    0040 - ea f1 a6 a5 55 1e d4 3e-76 a4 57 2d 3e f3 c0 32   ....U..>v.W->..2
    0050 - 8e a6 2f 9d 17 53 0a 6f-7e db f1 60 94 f0 2e 56   ../..S.o~..`...V
    0060 - 62 44 59 ab c6 3f e7 02-31 fb fd 1a 97 8b c4 bb   bDY..?..1.......
    0070 - 58 25 ca 11 6d 62 fc 44-7e f8 85 bf b3 bf d0 8a   X%..mb.D~.......
    0080 - ac c3 84 59 62 34 6f 8b-65 01 cf 09 f3 dd ce e7   ...Yb4o.e.......
    0090 - 2a b5 60 2a 55 18 6d 44-38 c9 75 35 d9 9b df a6   *.`*U.mD8.u5....
    00a0 - 3e 3c ed cf 55 88 4d 23-d7 b5 bc 88 e0 05 76 39   ><..U.M#......v9

    Start Time: 1740077794
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
 TLS SUCCESSFUL 
80C26B0BA87F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALAMAQABDA/fhAP2jwTrR08tvVP1tGL8HhKD+4eb7oUGxs8Em/1
fSeUhOC2awVhckE1vap68hOhBgIEZ7d64qIEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1:secp521r1:secp384r1
Shared groups: secp256r1:secp521r1:secp384r1
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with explicit TLS 1.3
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.pem -tls1_3
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My Test Cert
   i:CN=Issuer
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:23 2025 GMT; NotAfter: Feb 20 18:55:23 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTIzWhcNMjYwMjIwMTg1NTIzWjAxMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAJo9UsjLoxTrA++RBh+DD3NZECq4H1sr1sML
VSiSZxj5NrFiqTNXirImptY2wphstSF3PJ5r8BRpg6DqWNxvLRSxQMUqRKjxhW2f
sM95DpFHqHTv2LOdIdnJ/2xQ8RdoYhIcc3qeCmdpbEoTUW5HQcJ/ALyn/WQie8qp
6N2Vg29KcWMc3pKn9gwRUv2NehCNJsVZpD40xI/ORYlsQUtnk7PGDdFAJ76EZ5AA
A0bpZT/74I5dMKq/pLGp6InGQ5TnsydjTgPMBhSVQfraOqbTNQ2VozRAagXfNO/b
WS+aAeAHkfFTbLQRMbmgdJzyOVlhXKJwsHe9iwvbsrqrvECJjWMCAwEAAaOBgTB/
MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBS4LQOR1lpq8ED5sLonItzjTVol1jAf
BgNVHSMEGDAWgBQ3lnNm23RyC8RwFwwhYScl59nmLTANBgkqhkiG9w0BAQsFAAOC
AQEAbZEhJ23VxLFQO0dU8YEOl6uBPgbtfpNDzgOTfN9NPtWP2WFAYDsK0TD3f6Z6
WxVOZnt1vUEepEBeIB3U3OBHSR3Y6Ebmd36f2HzEe/JeC1xE2QoYOfeED0xMqvzk
+nyyjm4wzw6/NI8XzcrMl90o2pN66H4MfkNaDa8lMbw0dl75R9ndIgj6qAdWO1aO
NfdQRwfr/WuVmLYINCKfqbzAUcIGQa9CP280eHHpxHjFMYx8KuN12p7Z6XgerGGw
I5zfK7/sUrNaHYj4VTvKh2+HV0PnduQm0fcvdZkz07WUE0KGeRF92/iLd/jRZVK9
c01T6npGwA96fIt9JdMQNughzw==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, ?, 0 bits
---
SSL handshake has read 1424 bytes and written 343 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 9A55B0BB95C36C78BDF2E84EBDA535C256C0732CAC86E80B9F2378AD5CCA8534
    Session-ID-ctx: 
    Resumption PSK: E6057552DDA90A7C825A48608FBEFFF1DED31EA6F00C0DF227EFBF59D08E5940282913796A71BD65C8ECBBEB4AA446D3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 57 df ec 1d 10 30 a3 73-f9 f1 31 c1 51 a2 bf f1   W....0.s..1.Q...
    0010 - 9c 00 8b 55 60 e5 5d 32-f3 87 32 be 2e 1c 32 74   ...U`.]2..2...2t
    0020 - b0 ad 89 8e dd 0f 3d fd-f7 1a cc 52 24 6e ec af   ......=....R$n..
    0030 - fa 78 db cb 89 87 db c7-1d 10 45 fe 35 fd 45 18   .x........E.5.E.
    0040 - 9a 12 25 67 1d 53 7b 13-7b 8f 21 82 d2 c4 d2 11   ..%g.S{.{.!.....
    0050 - d5 f0 7e 23 b9 2c 86 7e-d3 21 0d e3 30 bc ac 6e   ..~#.,.~.!..0..n
    0060 - 9c 83 16 e4 af 2c eb 38-0e 24 6c 46 49 eb 95 c0   .....,.8.$lFI...
    0070 - 23 8b d1 15 26 b3 5e b1-55 f2 cf 29 9d f6 e4 4c   #...&.^.U..)...L
    0080 - c9 64 9e 9d de 8d 83 44-c5 55 49 49 01 99 6c 1e   .d.....D.UII..l.
    0090 - bb 4b 1c de 75 b8 b5 f3-75 64 75 5e 54 1f f2 c5   .K..u...udu^T...
    00a0 - 1d 09 a6 9d d2 1c 8d 8b-26 ee e1 bb 50 91 f9 cc   ........&...P...
    00b0 - 50 29 2d d7 99 6f 63 0b-a4 f2 2b 80 f1 ef 72 c5   P)-..oc...+...r.
    00c0 - 0f b5 1a f5 a1 73 ce 2b-e0 ce 63 2c de cf 6c d3   .....s.+..c,..l.

    Start Time: 1740077794
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: DBA9724E9A75F3342B03EDB6D100C8ABA5364F4AED270A35083F1C1BCC94AE60
    Session-ID-ctx: 
    Resumption PSK: 910679D3C81F8B7901069D86C59CCA3150AAC77EC7E9E4F9DC0D178239788CBDE89831A18738731BA90EA3A6B71A18B6
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 57 df ec 1d 10 30 a3 73-f9 f1 31 c1 51 a2 bf f1   W....0.s..1.Q...
    0010 - 4f d9 9b d4 41 c7 3e 31-fa 6c 28 40 87 4e 6a b2   O...A.>1.l(@.Nj.
    0020 - 0b 4c 18 0a 5c f9 56 fd-80 00 5c 53 98 bb 95 e2   .L..\.V...\S....
    0030 - aa 67 90 1b 6a ff f9 d0-e8 07 c5 0a 5d 7c e7 1a   .g..j.......]|..
    0040 - f2 7c c1 a7 c4 a6 12 07-2b ed c0 52 ce eb 12 31   .|......+..R...1
    0050 - ea b9 1c 1b 53 44 39 0d-27 88 d9 82 ad 38 69 5a   ....SD9.'....8iZ
    0060 - b5 71 98 de 7b 3f 16 d0-0a 60 59 bd 31 fe 84 a9   .q..{?...`Y.1...
    0070 - a9 5b 59 3b bc 18 46 15-3a b3 b3 11 d8 51 e4 7e   .[Y;..F.:....Q.~
    0080 - a9 95 17 84 6e 69 84 5f-63 fb 40 a8 7f 07 2f a1   ....ni._c.@.../.
    0090 - 66 bd 86 9b 8b 31 58 1a-3a d7 7f 59 86 2d 23 27   f....1X.:..Y.-#'
    00a0 - 62 12 6a 40 50 f1 c8 2d-69 93 04 0f 98 6c 26 52   b.j@P..-i....l&R
    00b0 - 50 56 53 73 66 60 b0 6e-53 80 eb bb ae a2 ff 0d   PVSsf`.nS.......
    00c0 - 3f 06 98 8f d2 1a f8 c5-be bb 7e 87 01 2e 5f 3f   ?.........~..._?

    Start Time: 1740077794
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80B219F0A27F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGCAgEBAgIDBAQCEwIEIKFrdK5hHRLhwKtx6zXFNix6gMrUGp+GNlfGUawOyKtP
BDCRBnnTyB+LeQEGnYbFnMoxUKrHfsfp5PncDReCOXiMveiYMaGHOHMbqQ6jprca
GLahBgIEZ7d64qIEAgIcIKQGBAQBAAAArgYCBEoBVQqzAwIBFw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.2 (ECDSA)
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.pem -tls1_2
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:24 2025 GMT; NotAfter: Feb 20 18:55:24 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTI0WhcNMjYwMjIwMTg1NTI0WjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATAroqpuaRE9FfNUZRAhtYnF+eRnOCcMR/e3D06uj4ul9p9
UH+/ulsTX1hYx0i56REr9gVPu2RlCz6/tLFB138Qo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFHGuZRUq+9pf411EYQ5Q8J3vjGE0MB8GA1UdIwQYMBaAFDeW
c2bbdHILxHAXDCFhJyXn2eYtMA0GCSqGSIb3DQEBCwUAA4IBAQAWNhZl8M3dynzi
vYJfW2AEFq0UAinftuM0T84uHzAtNY1nzWuaSiFGON1MD6MqHDfWdZEvWuph/v9y
J6svstWPgmFuY8UQOCOWqEloeUp7BgEFI1yLvieQfJfFJ06hj36jhNWisBIZTI52
/VJEvX//xZU7AUCftMaPEue/smQNFnGa4KXdahy6bXMvBDhedh3/Sqthz97lhM0Q
RM7128DiFzkxrPFe/54WLFi1UIDITHdDEU1tLIjIooAYrZSfZ+RRjEyY7n4+txBL
gf0p1B5fwYKSKrFA98gzFw0UrloROsYigtGaKCGMNlE9yEDsCMrBMLp2mhzJQbEz
XEU9TVim
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1118 bytes and written 274 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: 078DB02E6DA0F0A7B8FD62B387B53D8B2198F0EA98A7E5791BA788E07BDF21FB
    Session-ID-ctx: 
    Master-Key: D90DB107D1D7861EFBDAE2FE00EF4798857CA56D5195EF2D0F3F1F4EB5496E0C837DA5D60EE28982E40E97FC33FF11FC
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 24 bd 34 19 19 31 9d f5-c8 70 ae a1 8f 45 70 74   $.4..1...p...Ept
    0010 - 96 3d 24 d6 ec 68 0a ee-67 0e 8c fb 2b cc d4 c8   .=$..h..g...+...
    0020 - eb 19 3e 7f 98 51 0d 86-33 bd 40 61 83 10 13 fa   ..>..Q..3.@a....
    0030 - bd 61 f1 02 e6 25 d5 b1-a7 33 63 e5 86 7f d5 85   .a...%...3c.....
    0040 - 66 74 a4 20 ae 79 23 52-d0 49 60 28 dc 3b 86 90   ft. .y#R.I`(.;..
    0050 - 10 51 2a 22 ab 0c b8 0a-3a 28 86 d6 e8 61 fb 73   .Q*"....:(...a.s
    0060 - 8c 5f 65 e1 53 d4 e5 a8-2a 49 2c 4d fa aa ec 15   ._e.S...*I,M....
    0070 - 46 ed 67 c6 f7 9a 55 8c-b1 49 31 1d 41 16 a5 b9   F.g...U..I1.A...
    0080 - e1 4b 8a 73 99 8e 35 09-62 4e 7d d3 e0 1b 52 61   .K.s..5.bN}...Ra
    0090 - 02 dc 27 5f 8f ae 49 0e-91 bf 55 ae 1c fb 2c 52   ..'_..I...U...,R
    00a0 - f4 37 a9 0c 83 f7 03 1f-2f 5a 14 16 19 1a 6b 80   .7....../Z....k.

    Start Time: 1740077794
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
 TLS SUCCESSFUL 
8072B401E37F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert -tls1_2
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALALAQABDDZDbEH0deGHvva4v4A70eYhXylbVGV7y0PPx9OtUlu
DIN9pdYO4omC5A6X/DP/EfyhBgIEZ7d64qIEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1:secp521r1:secp384r1
Shared groups: secp256r1:secp521r1:secp384r1
CIPHER is ECDHE-ECDSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.2 and ECDH
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.pem -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 -groups secp256r1
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:24 2025 GMT; NotAfter: Feb 20 18:55:24 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTI0WhcNMjYwMjIwMTg1NTI0WjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATAroqpuaRE9FfNUZRAhtYnF+eRnOCcMR/e3D06uj4ul9p9
UH+/ulsTX1hYx0i56REr9gVPu2RlCz6/tLFB138Qo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFHGuZRUq+9pf411EYQ5Q8J3vjGE0MB8GA1UdIwQYMBaAFDeW
c2bbdHILxHAXDCFhJyXn2eYtMA0GCSqGSIb3DQEBCwUAA4IBAQAWNhZl8M3dynzi
vYJfW2AEFq0UAinftuM0T84uHzAtNY1nzWuaSiFGON1MD6MqHDfWdZEvWuph/v9y
J6svstWPgmFuY8UQOCOWqEloeUp7BgEFI1yLvieQfJfFJ06hj36jhNWisBIZTI52
/VJEvX//xZU7AUCftMaPEue/smQNFnGa4KXdahy6bXMvBDhedh3/Sqthz97lhM0Q
RM7128DiFzkxrPFe/54WLFi1UIDITHdDEU1tLIjIooAYrZSfZ+RRjEyY7n4+txBL
gf0p1B5fwYKSKrFA98gzFw0UrloROsYigtGaKCGMNlE9yEDsCMrBMLp2mhzJQbEz
XEU9TVim
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1119 bytes and written 252 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Session-ID: 84052C42B26B095565782D31B0DEBB0CCD2286093CCDD450D7BD15264491ABF3
    Session-ID-ctx: 
    Master-Key: 131016BFB3E6872C65FC3C36B93456B7360EADAFD73F4401EED35B85B6395EAC867121787D0BDCF61A2C7A295DD491BA
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 5e 1c ce 6e e7 46 d6 de-d5 62 69 f7 21 30 83 7b   ^..n.F...bi.!0.{
    0010 - f3 33 94 78 24 ea a8 1d-b0 6e 7a 9b 50 e5 68 35   .3.x$....nz.P.h5
    0020 - 1e 38 05 37 b4 e3 7b bf-58 e3 03 a9 5a db ec 6a   .8.7..{.X...Z..j
    0030 - 0e ba 51 b4 bf 41 12 28-84 66 60 4d fd fb 75 ca   ..Q..A.(.f`M..u.
    0040 - 97 a7 19 9a b6 af 7f 6a-82 41 40 9a e3 dd e5 0e   .......j.A@.....
    0050 - 26 8b ec 0b d2 f0 08 14-bd 2e 11 b7 2e 9b e8 5f   &.............._
    0060 - fa 31 4c c7 a5 bf 85 43-8a 24 0c 9d a8 5f 8d 93   .1L....C.$..._..
    0070 - 0d 73 ad 39 3c 5b 47 42-08 8b 44 a6 a5 b3 77 a4   .s.9<[GB..D...w.
    0080 - 71 f7 ba 1a e5 ad 8f 49-95 a9 e8 8b b6 d1 bb 88   q......I........
    0090 - 0a 25 64 08 f8 0e 8d dc-4b 74 5a 77 d3 60 60 02   .%d.....KtZw.``.
    00a0 - ff e8 52 d0 ad 10 d0 15-b0 d9 0d e1 11 f9 c4 c7   ..R.............

    Start Time: 1740077795
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
 TLS SUCCESSFUL 
80F2618D047F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALAKwQABDATEBa/s+aHLGX8PDa5NFa3Ng6tr9c/RAHu01uFtjle
rIZxIXh9C9z2Gix6KV3UkbqhBgIEZ7d646IEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-ECDSA-AES128-GCM-SHA256
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1
Shared groups: secp256r1
CIPHER is ECDHE-ECDSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
 TLS SUCCESSFUL 
Q
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.3 and specific suite
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic/caCert.pem -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384 -groups secp256r1
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:24 2025 GMT; NotAfter: Feb 20 18:55:24 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTI0WhcNMjYwMjIwMTg1NTI0WjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATAroqpuaRE9FfNUZRAhtYnF+eRnOCcMR/e3D06uj4ul9p9
UH+/ulsTX1hYx0i56REr9gVPu2RlCz6/tLFB138Qo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFHGuZRUq+9pf411EYQ5Q8J3vjGE0MB8GA1UdIwQYMBaAFDeW
c2bbdHILxHAXDCFhJyXn2eYtMA0GCSqGSIb3DQEBCwUAA4IBAQAWNhZl8M3dynzi
vYJfW2AEFq0UAinftuM0T84uHzAtNY1nzWuaSiFGON1MD6MqHDfWdZEvWuph/v9y
J6svstWPgmFuY8UQOCOWqEloeUp7BgEFI1yLvieQfJfFJ06hj36jhNWisBIZTI52
/VJEvX//xZU7AUCftMaPEue/smQNFnGa4KXdahy6bXMvBDhedh3/Sqthz97lhM0Q
RM7128DiFzkxrPFe/54WLFi1UIDITHdDEU1tLIjIooAYrZSfZ+RRjEyY7n4+txBL
gf0p1B5fwYKSKrFA98gzFw0UrloROsYigtGaKCGMNlE9yEDsCMrBMLp2mhzJQbEz
XEU9TVim
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, ?, 0 bits
---
SSL handshake has read 1035 bytes and written 327 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 36BCEEDB0EBE122A38012B944269DA5418DECDCB21FD900A3B2A3D6CF4F5EB46
    Session-ID-ctx: 
    Resumption PSK: 79E875C2C53959F710BDA2D7D27EF128731285D3938DDAA0908A1CA6F169DBB0858A3D3B599FF94EB80229B0C92C9F2A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 39 5f 7a 9b f0 64 a9 ea-00 75 84 93 70 18 4a bd   9_z..d...u..p.J.
    0010 - ce 6c 7f da 0b d0 bf d3-c7 5c 5b 29 a5 3f 40 dd   .l.......\[).?@.
    0020 - 0c 79 69 ba 63 16 2a 01-6d 0f 4a a4 5e 7b f7 34   .yi.c.*.m.J.^{.4
    0030 - 0c 8f 78 d3 43 b3 bf 06-6f 80 55 b7 c3 6d 6b 51   ..x.C...o.U..mkQ
    0040 - 85 af 43 d8 41 8b ae 2b-4a ea c5 0c 3f 8c f8 47   ..C.A..+J...?..G
    0050 - 9a f8 82 30 fe 80 79 e3-35 1a a1 12 48 97 30 b4   ...0..y.5...H.0.
    0060 - ba f5 5f c1 29 e5 c9 95-fe a6 1b d4 76 fb 98 f6   .._.).......v...
    0070 - 07 32 d6 44 a7 b6 e9 17-4b b0 0b ba 85 8e 76 b0   .2.D....K.....v.
    0080 - b0 74 6c 0f 73 1e c2 fa-a5 93 33 9f 33 72 72 b3   .tl.s.....3.3rr.
    0090 - 51 a8 0b 89 f3 78 f1 92-44 e5 c7 4b 90 77 30 a5   Q....x..D..K.w0.
    00a0 - 5e 94 69 2b af a2 8e dd-59 1d 68 1a d4 8a 8c 15   ^.i+....Y.h.....
    00b0 - ef 67 e9 44 d4 ff f3 7c-93 42 8e a1 d1 3a 68 96   .g.D...|.B...:h.
    00c0 - 37 8f 57 23 92 62 a7 47-69 0b 70 cb b4 bb 4d 6f   7.W#.b.Gi.p...Mo

    Start Time: 1740077795
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: FC01956FFEA98C37AA3CE606E3364E0BD1DF1437FCED0698705B61EF884A0060
    Session-ID-ctx: 
    Resumption PSK: 75CF4853B4EA6CEE814D8BD2791FBC5BB5E47BD73BA574BD74ADA864149E062E15E2BDBCE280C3808CE64D9D871FE209
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 39 5f 7a 9b f0 64 a9 ea-00 75 84 93 70 18 4a bd   9_z..d...u..p.J.
    0010 - 3d 61 c0 cb b1 5e 6b f9-43 d0 55 83 21 bc 51 9d   =a...^k.C.U.!.Q.
    0020 - cd 35 91 eb 1a 14 42 27-4d cf 60 c3 03 8b f1 50   .5....B'M.`....P
    0030 - ef a0 9e b1 12 e2 a5 4a-9a 41 a1 23 4b c3 35 58   .......J.A.#K.5X
    0040 - bf a1 f5 a0 34 8c 7c 2f-c8 fc d0 2b f7 25 43 f1   ....4.|/...+.%C.
    0050 - 8d 5c c6 3b 6d cc 21 27-46 a6 01 63 4e 58 23 ad   .\.;m.!'F..cNX#.
    0060 - 16 2d 9e 94 df 55 4d b6-23 7a ab 09 43 07 44 78   .-...UM.#z..C.Dx
    0070 - 6f 60 14 5a 4a 61 8e 81-83 95 17 72 cb 81 b3 ff   o`.ZJa.....r....
    0080 - 78 fc 54 40 b9 c6 26 e9-1f 47 de 71 dd 61 a0 35   x.T@..&..G.q.a.5
    0090 - 11 80 75 1a 00 6b ff e8-e6 35 bd 66 0e 12 39 f6   ..u..k...5.f..9.
    00a0 - f5 93 46 30 03 22 58 60-a3 80 73 5b 41 3e 81 62   ..F0."X`..s[A>.b
    00b0 - 0a 1a fb ef cd dc e0 73-67 3c 90 bf bd 7e d5 00   .......sg<...~..
    00c0 - 0c 56 9f b9 27 ec ea 6b-f3 7e f8 5d cf ea 82 69   .V..'..k.~.]...i

    Start Time: 1740077795
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80D28B3E437F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEICpEumQsR1E3W01KV9Nu4C+8mPZBTdJzxfctR6vzSKC0
BDB1z0hTtOps7oFNi9J5H7xbteR71zuldL10rahkFJ4GLhXivbzigMOAjOZNnYcf
4gmhBgIEZ7d646IEAgIcIKQGBAQBAAAArgcCBQCSf72UswMCARc=
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Supported groups: secp256r1
Shared groups: secp256r1
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

                                      ##
########################################

Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEICpEumQsR1E3W01KV9Nu4C+8mPZBTdJzxfctR6vzSKC0
BDB1z0hTtOps7oFNi9J5H7xbteR71zuldL10rahkFJ4GLhXivbzigMOAjOZNnYcf
4gmhBgIEZ7d646IEAgIcIKQGBAQBAAAArgcCBQCSf72UswMCARc=
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Supported groups: secp256r1
Shared groups: secp256r1
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)
==============================================================================

=================================== 77/92 ====================================
test:         pkcs11-provider:kryoptic.nss / tls
start time:   18:56:35
duration:     5.89s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=18 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper tls-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/ttls

## Test SSL_CTX creation
SSL Context works!

## Test setting cert/keys on TLS Context
Cert and Key successfully set on TLS Context!

## Test setting cert/keys on TLS Context w/o pub key
Cert and Key successfully set on TLS Context!

## Test an actual TLS connection
########################################
## TLS with key in provider


## Run sanity test with default values (RSA)
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.pem
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My Test Cert
   i:CN=Issuer
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:28 2025 GMT; NotAfter: Feb 20 18:55:28 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTI4WhcNMjYwMjIwMTg1NTI4WjAxMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMvsPWYjMOxm2bX/LplPctT0oIOjfo0d/b5d
G0h1jKOesdwoHMO1+5xMLXyFeMjiIDgTjVljVRu6uX99xFcBi6W4sa1Sf4ogfy/0
NDCgPAal3PVdwDNcGkjv4Bd8ffKLoM6CmsrcvQqMUyinLhYVt6q6DbzrLSs5OwU0
0bf4RPM/Nauy8n8V4Nn2zFxGod/owLhdBOmOqbAj/yYiDq0HllpRLk9emJ421dvy
cbYdMmf1ynj5JbitTB0FuNDS8hHBEublrUh09gRzROlzJjQOWtczgjbMUAs5iUC6
Q4MrTdWkRHHTv9kgq/dV1tQut+wgFWe8LF3K5gX+AXYqHEBa+BECAwEAAaOBgTB/
MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBSfw+Lb6Jt5uWHWu7nIlueAviakgjAf
BgNVHSMEGDAWgBQFouMz99je3rdJ/GKzG/3dIbT1pTANBgkqhkiG9w0BAQsFAAOC
AQEAM1yxb/vYB88e59/QR5vDOBrwQL9otng9i2zBkKrvmcricIyf92N6GuQRfAwt
AkxNefg6Jid5I6sx503o89wLcap5eB4TO2m2p3CSEtfPDWTnmXx58PDyNSoY8kb1
Lpwev6PqB60ubjCCK3ZuRblkPrD3nJ70Gonk7xngm90JTWSZycmEynhTxVNFpXae
IPyCLBLe6K+WhQGCR7OfpXJY6XzUYn6Zayxvcn6ZW/BHVQ4V4RmdWBkYMt6lA+uT
02wuiq5bezR8aOGkcTQs1Mdvvzpa458CyNvg35F9oTSj2PXECONnYpwPlra7T6ei
2FM+KrFrIkKeiXNRbwb9oxl+Xw==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1424 bytes and written 371 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 6EC690BC29504B46B8F5A8F1E73AE625F067910CC9FC9E15636E0572DDE28503
    Session-ID-ctx: 
    Resumption PSK: 157D73DB2775F3C0A6FBF72B6C28DA79EE66F9E8454E9B6D7EDE15213D82CF033A83F86F13EC9ACCEAF0F3044C219023
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - c8 10 dc 37 d4 72 81 da-e2 22 8c fc d2 cc 0d c4   ...7.r..."......
    0010 - ae 9e f9 38 2a 59 77 72-f6 45 26 60 29 e6 6a 7d   ...8*Ywr.E&`).j}
    0020 - ef b2 95 df 97 6a 78 05-bd 85 e0 6e 45 b4 5b dc   .....jx....nE.[.
    0030 - 19 20 d9 a7 08 dc a4 e8-e5 56 6b e9 a7 ac d1 c3   . .......Vk.....
    0040 - 0f d9 4e 6c 24 79 9c 78-a6 d9 19 fa 83 f6 f3 dd   ..Nl$y.x........
    0050 - 58 d9 81 91 a2 09 58 10-9f 05 13 3c 50 14 08 fb   X.....X....<P...
    0060 - ac 00 9f 00 f9 c7 48 db-80 94 80 90 2f f3 d4 20   ......H...../.. 
    0070 - 2c e0 ba 61 26 11 c6 4e-1c b2 71 f3 02 17 42 6b   ,..a&..N..q...Bk
    0080 - c4 5a e3 7f 1d fa e0 df-08 3d 84 b8 8d 48 72 d2   .Z.......=...Hr.
    0090 - 5f 6a bd 7a 18 fe 3e 2f-5c d6 e0 96 77 42 2a d5   _j.z..>/\...wB*.
    00a0 - 68 92 09 72 27 d9 ec 3d-28 96 df 4a 80 da f9 d0   h..r'..=(..J....
    00b0 - f1 97 81 d9 74 17 9e c4-f7 28 c1 83 c4 c0 2d cb   ....t....(....-.
    00c0 - 8e 43 bd 0b d7 1a 5d 5d-30 cf 14 e0 31 1e f9 47   .C....]]0...1..G

    Start Time: 1740077796
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: A3ACACDD2B45314F635F284CAB15F0779EA4BBA28F150B1DC3F57740B88B5C4D
    Session-ID-ctx: 
    Resumption PSK: C6D01AFF1C0D83BA183D781E625F7FE90AF03534414A9E5184D8E36DF68F6B16F9E01B4294F2D0CF5D754A942352FC30
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - c8 10 dc 37 d4 72 81 da-e2 22 8c fc d2 cc 0d c4   ...7.r..."......
    0010 - 6c 3d 2e 42 be ca 25 33-8b 8e 55 1e 38 fb 0a bf   l=.B..%3..U.8...
    0020 - 37 ed 3c 83 78 ad 55 35-aa c6 ef ba 27 58 c7 7d   7.<.x.U5....'X.}
    0030 - e1 96 28 5a 9e 38 70 f9-e2 fe 04 68 77 d1 6b cc   ..(Z.8p....hw.k.
    0040 - 80 bc 96 c2 37 67 65 97-fc d7 13 d6 50 91 a3 ac   ....7ge.....P...
    0050 - ad d5 8a dd 1b ab e7 dd-a0 9f 39 0f f9 46 64 57   ..........9..FdW
    0060 - 17 50 3b 9a f4 c8 7f 01-30 cc d2 a8 db d9 fb b5   .P;.....0.......
    0070 - 26 65 93 fa b7 d0 72 32-35 f4 60 e5 cb 5c 2b ad   &e....r25.`..\+.
    0080 - 04 ec 61 15 06 e3 86 83-0e ad 3e e7 9a 89 57 dc   ..a.......>...W.
    0090 - 91 50 af 77 59 4c 65 0b-cc 7f 52 33 4c 55 5a 82   .P.wYLe...R3LUZ.
    00a0 - 73 cb d9 f8 a6 8e 3c 88-0f a4 36 3d cd d7 c0 80   s.....<...6=....
    00b0 - 26 61 aa 6e 4a 42 0b fb-46 48 40 52 20 57 c8 6d   &a.nJB..FH@R W.m
    00c0 - be 55 76 6a 1b d4 53 97-bd 36 c7 2a 8c 1f d5 be   .Uvj..S..6.*....

    Start Time: 1740077796
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80423F426D7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGCAgEBAgIDBAQCEwIEIAZzX7GiTtAnHt6qULCgsPEqK6ihMbfH8NRtYwEXoKjH
BDDG0Br/HA2Duhg9eB5iX3/pCvA1NEFKnlGE2ONt9o9rFvngG0KU8tDPXXVKlCNS
/DChBgIEZ7d65KIEAgIcIKQGBAQBAAAArgYCBDJBhRizAwIBFw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run sanity test with default values (ECDSA)
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.pem
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:28 2025 GMT; NotAfter: Feb 20 18:55:28 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTI4WhcNMjYwMjIwMTg1NTI4WjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATVryL49o7MzHSk6nPk6zj7VPOujJd7rYgIWuZgN4kPlTdh
fJV5diZJ9b6vNOQYOO2YAlSrgj6A+H2K2QX709sAo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFAWmjCB6+wOP+BMUMbWwuUtXb7w/MB8GA1UdIwQYMBaAFAWi
4zP32N7et0n8YrMb/d0htPWlMA0GCSqGSIb3DQEBCwUAA4IBAQAQJtTFPpSIRLnm
/s6NwEQIXw7nWNBXnWaUlsqBoJ19e+1dVyq0FcI8GsHs/YLvEX+a14NtFxL4uc7e
Hw8xFfKkaO92QikGkmO7rd8qm+a14oiiPdGw84j8OEiyPmN9QH2Ewfdp+RMKqFYg
XyN4ugseF1SL2aXeTXd3TSz5IvDQhNQCW+8fjQ1GD5pjtAjRH/OK3w/9RIm56iRH
P7KpCpuAp/YESOndF6dIGyyLToflPW2i1NMFoqlG80Uub/AY0SID1735+Y6dPR3b
dUA00cZBXZTs4l6jQUa4+nJpaqB5FOgdnw2qir4x/hoWkGPpJ4V5bhZiTFDHTrJS
MQb/82eR
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1033 bytes and written 371 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 4B86BCE161E755119C0DBEDF6AFC456B03CA1C8636552F9F551188272F2CD8F3
    Session-ID-ctx: 
    Resumption PSK: E09DE784FAE2691C5C3254BB54861B3DA171EB0FBE4F06942AA31A255194A2758D1A0657BFBE4FAA18EEF3C741DC09D0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 40 81 09 46 97 15 dd 32-c6 44 46 67 44 aa 9c 3e   @..F...2.DFgD..>
    0010 - d0 4c 71 4f 31 b8 f9 cf-00 a8 ac f9 a1 e3 cc 6d   .LqO1..........m
    0020 - a8 e1 ad cf d2 5b 19 b5-09 3a 4f dd 8c 00 11 fe   .....[...:O.....
    0030 - fc f6 6e 1d c4 84 45 43-00 ea dc a9 15 23 75 c7   ..n...EC.....#u.
    0040 - 36 5f ac 05 1b 5c f1 4a-51 e6 63 61 8d ae 97 89   6_...\.JQ.ca....
    0050 - 8b 27 ae 96 a0 d3 fd c1-96 48 d8 39 cb bd 64 a0   .'.......H.9..d.
    0060 - 2a 69 bc 99 88 0f eb 74-ca 3e b0 f2 5c 01 57 f8   *i.....t.>..\.W.
    0070 - 04 95 54 03 cc 6b 16 3b-c8 63 a8 7c 5d ce be 36   ..T..k.;.c.|]..6
    0080 - 71 3f 48 ea 4c 26 0b bd-1a 57 35 8a b4 78 22 55   q?H.L&...W5..x"U
    0090 - 04 f5 7f 25 1c 2e 45 d6-b4 96 ec 41 c3 fa 75 73   ...%..E....A..us
    00a0 - e4 f8 a5 cb 3b f6 ff ad-1a ed f3 68 e8 e1 9d 45   ....;......h...E
    00b0 - 30 1c 30 ab 1e 66 4f 36-6d db c8 66 86 74 da d7   0.0..fO6m..f.t..
    00c0 - 54 ac 29 38 1e e9 85 8d-ff 10 f0 21 d7 32 ed 77   T.)8.......!.2.w

    Start Time: 1740077796
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 95EA56D67560820984D6D1A064BEF3D517FF49480E517C38C5152F602B68E704
    Session-ID-ctx: 
    Resumption PSK: E79996B8187D7D87E99BE3C4B301160195A1C9DCB03C1F1295C9FF670000BDEE710CFBDF5557740227D9A68554FB8358
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 40 81 09 46 97 15 dd 32-c6 44 46 67 44 aa 9c 3e   @..F...2.DFgD..>
    0010 - c6 fc 82 86 c0 29 e2 20-df fc d2 26 ab c5 6f 18   .....). ...&..o.
    0020 - b4 5c 07 cb 7a 6b 0f 00-13 bc 93 3b d7 0e a3 a4   .\..zk.....;....
    0030 - bc c4 1d 4a 65 50 67 a5-b7 d4 c9 e6 cc c2 00 e1   ...JePg.........
    0040 - e2 77 25 d1 e5 28 38 06-65 61 60 08 62 bb 18 d2   .w%..(8.ea`.b...
    0050 - ba 52 67 4c 78 d1 70 a6-81 03 6d b2 59 60 1b ff   .RgLx.p...m.Y`..
    0060 - e5 4a 79 87 0a 1b 2e ef-8a 11 c8 4a 18 b9 b5 23   .Jy........J...#
    0070 - ca fd 10 aa e0 5c 35 14-1f 74 85 94 cc c2 6e 27   .....\5..t....n'
    0080 - 8e 7d 0f 7d 55 0f d0 f0-aa d2 64 2a ad d0 d7 99   .}.}U.....d*....
    0090 - cc f5 5f 7e b2 02 9b ef-2a c2 5e b2 77 d7 bb ea   .._~....*.^.w...
    00a0 - e3 84 97 28 2c e5 13 06-26 78 ec 20 39 f2 59 bc   ...(,...&x. 9.Y.
    00b0 - 75 23 b9 7c c2 36 37 67-a6 9c 21 69 e3 63 32 0e   u#.|.67g..!i.c2.
    00c0 - 70 a5 4a 59 39 6a 8c f0-4a 57 64 cb 58 83 ca f4   p.JY9j..JWd.X...

    Start Time: 1740077796
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80B2033B2B7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGCAgEBAgIDBAQCEwIEIEEpSoYK9Msgzq8MM74ESU5mqbdDJNBAWyb1ZtKLR+Us
BDDnmZa4GH19h+mb48SzARYBlaHJ3LA8HxKVyf9nAAC97nEM+99VV3QCJ9mmhVT7
g1ihBgIEZ7d65KIEAgIcIKQGBAQBAAAArgYCBGJNlaOzAwIBFw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.2
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.pem -tls1_2
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My Test Cert
   i:CN=Issuer
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:28 2025 GMT; NotAfter: Feb 20 18:55:28 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTI4WhcNMjYwMjIwMTg1NTI4WjAxMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMvsPWYjMOxm2bX/LplPctT0oIOjfo0d/b5d
G0h1jKOesdwoHMO1+5xMLXyFeMjiIDgTjVljVRu6uX99xFcBi6W4sa1Sf4ogfy/0
NDCgPAal3PVdwDNcGkjv4Bd8ffKLoM6CmsrcvQqMUyinLhYVt6q6DbzrLSs5OwU0
0bf4RPM/Nauy8n8V4Nn2zFxGod/owLhdBOmOqbAj/yYiDq0HllpRLk9emJ421dvy
cbYdMmf1ynj5JbitTB0FuNDS8hHBEublrUh09gRzROlzJjQOWtczgjbMUAs5iUC6
Q4MrTdWkRHHTv9kgq/dV1tQut+wgFWe8LF3K5gX+AXYqHEBa+BECAwEAAaOBgTB/
MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBSfw+Lb6Jt5uWHWu7nIlueAviakgjAf
BgNVHSMEGDAWgBQFouMz99je3rdJ/GKzG/3dIbT1pTANBgkqhkiG9w0BAQsFAAOC
AQEAM1yxb/vYB88e59/QR5vDOBrwQL9otng9i2zBkKrvmcricIyf92N6GuQRfAwt
AkxNefg6Jid5I6sx503o89wLcap5eB4TO2m2p3CSEtfPDWTnmXx58PDyNSoY8kb1
Lpwev6PqB60ubjCCK3ZuRblkPrD3nJ70Gonk7xngm90JTWSZycmEynhTxVNFpXae
IPyCLBLe6K+WhQGCR7OfpXJY6XzUYn6Zayxvcn6ZW/BHVQ4V4RmdWBkYMt6lA+uT
02wuiq5bezR8aOGkcTQs1Mdvvzpa458CyNvg35F9oTSj2PXECONnYpwPlra7T6ei
2FM+KrFrIkKeiXNRbwb9oxl+Xw==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1509 bytes and written 274 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 4B529D2757D7765B6F465B724FFB65CC74AD17019C52984627EE1AE8711D3CCE
    Session-ID-ctx: 
    Master-Key: 2E5A4E37A11B24841269255C2AE6CB6B369106DD627E8088C7822BA974224530245D0953B27BC046448980E0224E0C88
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 0f 64 a7 68 c5 05 65 16-10 ab e3 0c d5 ce a6 24   .d.h..e........$
    0010 - bc 05 6c 36 17 92 41 06-e2 8e 98 d2 b4 24 90 55   ..l6..A......$.U
    0020 - 48 c4 f7 c2 fd 22 c9 5a-20 e6 f2 b4 1c 9f 3a a5   H....".Z .....:.
    0030 - 8c e8 da 5e 44 d0 c2 05-70 7e b8 a5 60 39 ad 3b   ...^D...p~..`9.;
    0040 - 4d f5 ba c2 52 d7 ce 78-8a 0b 42 93 b0 0b d5 da   M...R..x..B.....
    0050 - a8 cf 66 1a 67 86 1e ba-3f 72 ef 63 52 32 41 4d   ..f.g...?r.cR2AM
    0060 - 9b 6b 55 13 c7 6b 24 6d-08 4e 59 72 d4 40 da a5   .kU..k$m.NYr.@..
    0070 - a9 b1 63 78 de f0 eb da-33 66 b6 d2 d0 ee ad 0c   ..cx....3f......
    0080 - a5 81 df 58 10 ed dd 22-93 d0 a5 d8 fe da cf dc   ...X..."........
    0090 - c1 d1 cd 7d 87 02 9b 65-5e 8a 1c 06 e1 a3 e3 cf   ...}...e^.......
    00a0 - 5a a6 f4 e1 a1 e6 ea 6c-62 13 93 15 72 7d c5 5b   Z......lb...r}.[

    Start Time: 1740077796
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
 TLS SUCCESSFUL 
80523000CA7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALAMAQABDAuWk43oRskhBJpJVwq5strNpEG3WJ+gIjHgiupdCJF
MCRdCVOye8BGRImA4CJODIihBgIEZ7d65KIEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1:secp521r1:secp384r1
Shared groups: secp256r1:secp521r1:secp384r1
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with explicit TLS 1.3
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.pem -tls1_3
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My Test Cert
   i:CN=Issuer
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:28 2025 GMT; NotAfter: Feb 20 18:55:28 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTI4WhcNMjYwMjIwMTg1NTI4WjAxMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMvsPWYjMOxm2bX/LplPctT0oIOjfo0d/b5d
G0h1jKOesdwoHMO1+5xMLXyFeMjiIDgTjVljVRu6uX99xFcBi6W4sa1Sf4ogfy/0
NDCgPAal3PVdwDNcGkjv4Bd8ffKLoM6CmsrcvQqMUyinLhYVt6q6DbzrLSs5OwU0
0bf4RPM/Nauy8n8V4Nn2zFxGod/owLhdBOmOqbAj/yYiDq0HllpRLk9emJ421dvy
cbYdMmf1ynj5JbitTB0FuNDS8hHBEublrUh09gRzROlzJjQOWtczgjbMUAs5iUC6
Q4MrTdWkRHHTv9kgq/dV1tQut+wgFWe8LF3K5gX+AXYqHEBa+BECAwEAAaOBgTB/
MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBSfw+Lb6Jt5uWHWu7nIlueAviakgjAf
BgNVHSMEGDAWgBQFouMz99je3rdJ/GKzG/3dIbT1pTANBgkqhkiG9w0BAQsFAAOC
AQEAM1yxb/vYB88e59/QR5vDOBrwQL9otng9i2zBkKrvmcricIyf92N6GuQRfAwt
AkxNefg6Jid5I6sx503o89wLcap5eB4TO2m2p3CSEtfPDWTnmXx58PDyNSoY8kb1
Lpwev6PqB60ubjCCK3ZuRblkPrD3nJ70Gonk7xngm90JTWSZycmEynhTxVNFpXae
IPyCLBLe6K+WhQGCR7OfpXJY6XzUYn6Zayxvcn6ZW/BHVQ4V4RmdWBkYMt6lA+uT
02wuiq5bezR8aOGkcTQs1Mdvvzpa458CyNvg35F9oTSj2PXECONnYpwPlra7T6ei
2FM+KrFrIkKeiXNRbwb9oxl+Xw==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1424 bytes and written 343 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F307AF178C6C75BD9DFD08D7A8ABC25EE964F3290B35EF8F7D799F80C6270A74
    Session-ID-ctx: 
    Resumption PSK: 839224F041120910B228378B30F090FA45E1464085532E3994FC5824F8CFDC4B071452768F917C58AEDA4043E76975F7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - de cc cd 1c 13 1c 03 8e-c9 e0 98 bd 2f 08 56 a3   ............/.V.
    0010 - 2e 06 1a 6f 89 ea e9 18-ad 03 94 ed 62 32 b6 bf   ...o........b2..
    0020 - a0 9c 76 76 4f a9 5d 0d-f2 78 46 7a d6 3c 22 6b   ..vvO.]..xFz.<"k
    0030 - 20 b8 6b ff 86 99 38 08-64 f1 63 cf c2 ed fd 2d    .k...8.d.c....-
    0040 - 60 98 a8 82 55 8a 25 8d-3f 24 35 49 e9 d7 5f 4e   `...U.%.?$5I.._N
    0050 - b0 ac 21 37 d9 33 13 3b-a0 b2 8b 27 52 7c fe 85   ..!7.3.;...'R|..
    0060 - 6f f8 d5 85 42 a2 eb 0a-57 ea be 6e 0c bc 1e 8c   o...B...W..n....
    0070 - e1 75 47 8b 00 6c a7 99-7a 69 1c 8e 1d 3e 38 31   .uG..l..zi...>81
    0080 - 14 25 2c cd 25 fc 47 38-0d d1 8f ba 8a cc 4c ee   .%,.%.G8......L.
    0090 - 9b f2 66 81 61 26 ac 10-66 9f de c6 59 84 00 69   ..f.a&..f...Y..i
    00a0 - 2f 6d 47 61 a0 53 46 72-f3 99 b0 bb 67 f7 ea 42   /mGa.SFr....g..B
    00b0 - 9b f9 0f cb 19 e5 3b c7-66 eb 3b 99 89 bd e2 18   ......;.f.;.....
    00c0 - b8 56 84 f8 f0 4e f0 c9-fd 11 82 3c 49 56 4a 01   .V...N.....<IVJ.

    Start Time: 1740077797
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 74CA5976612052DB8FA319335FCE27D6B1EF6FEE369CA3051F639D38A896E07F
    Session-ID-ctx: 
    Resumption PSK: 019EB883B8D5E250F7BF4DD6317656C3AC43C13B1672C6F7BA573EBD1202E86FA699320471C406ADF97EE5D85B0859E2
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - de cc cd 1c 13 1c 03 8e-c9 e0 98 bd 2f 08 56 a3   ............/.V.
    0010 - 6d 74 04 68 26 7a 91 28-97 76 8f 05 4f bc e6 f0   mt.h&z.(.v..O...
    0020 - f5 9c 64 2b 94 35 82 a0-b4 75 8c e6 2c d3 46 32   ..d+.5...u..,.F2
    0030 - 6e b0 e9 72 0d 47 09 0d-6f dc cd 33 66 60 11 18   n..r.G..o..3f`..
    0040 - ca 89 8a b1 6b b5 89 d0-e1 9a 48 26 37 a2 0b 36   ....k.....H&7..6
    0050 - f4 b8 c6 b2 62 19 90 b0-34 f1 f8 c0 fe 29 b2 6a   ....b...4....).j
    0060 - cc 52 f3 f8 fa 4a 80 c5-97 b9 4a 18 ae bc 34 a1   .R...J....J...4.
    0070 - 2d 6d e0 d4 27 1f 60 d7-c8 8b 35 0b 83 00 bf 0a   -m..'.`...5.....
    0080 - d7 79 a7 9e 51 df c2 de-d7 2d 91 cd 65 f0 c4 52   .y..Q....-..e..R
    0090 - 2a f5 96 dd df cb 52 5c-e7 4e 2a be ae e3 ed 56   *.....R\.N*....V
    00a0 - e1 22 de 74 5b 1f 4f 64-b6 60 c8 86 98 2f 75 9d   .".t[.Od.`.../u.
    00b0 - 27 90 03 58 d9 0e 86 ec-ba 50 33 27 98 06 cd 61   '..X.....P3'...a
    00c0 - fb 3f 96 73 68 63 47 73-ec 1b 6a ec 40 d4 56 f0   .?.shcGs..j.@.V.

    Start Time: 1740077797
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80820B79CE7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGCAgEBAgIDBAQCEwIEIJDSImiIFazI662dSgNUXy+phCdv8k7w13+S2l+qaLtx
BDABnriDuNXiUPe/TdYxdlbDrEPBOxZyxve6Vz69EgLob6aZMgRxxAat+X7l2FsI
WeKhBgIEZ7d65aIEAgIcIKQGBAQBAAAArgYCBEW910uzAwIBFw==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512 TLS SUCCESSFUL 

Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
Q
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.2 (ECDSA)
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.pem -tls1_2
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:28 2025 GMT; NotAfter: Feb 20 18:55:28 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTI4WhcNMjYwMjIwMTg1NTI4WjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATVryL49o7MzHSk6nPk6zj7VPOujJd7rYgIWuZgN4kPlTdh
fJV5diZJ9b6vNOQYOO2YAlSrgj6A+H2K2QX709sAo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFAWmjCB6+wOP+BMUMbWwuUtXb7w/MB8GA1UdIwQYMBaAFAWi
4zP32N7et0n8YrMb/d0htPWlMA0GCSqGSIb3DQEBCwUAA4IBAQAQJtTFPpSIRLnm
/s6NwEQIXw7nWNBXnWaUlsqBoJ19e+1dVyq0FcI8GsHs/YLvEX+a14NtFxL4uc7e
Hw8xFfKkaO92QikGkmO7rd8qm+a14oiiPdGw84j8OEiyPmN9QH2Ewfdp+RMKqFYg
XyN4ugseF1SL2aXeTXd3TSz5IvDQhNQCW+8fjQ1GD5pjtAjRH/OK3w/9RIm56iRH
P7KpCpuAp/YESOndF6dIGyyLToflPW2i1NMFoqlG80Uub/AY0SID1735+Y6dPR3b
dUA00cZBXZTs4l6jQUa4+nJpaqB5FOgdnw2qir4x/hoWkGPpJ4V5bhZiTFDHTrJS
MQb/82eR
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1118 bytes and written 274 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: 6DEBA8290639C0274A1EC6CD9B0677BA04A07DEB2CDEBDE8BF2180FF3E7AF07E
    Session-ID-ctx: 
    Master-Key: 20642552D54ED3C1C89DC688CD3FD47A0C6D1FD8C6142BEC95AD65C33AB8B9CC4F32AF306FD30FFC2DEFDFCFC79C751A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - e5 6f e4 79 13 9b 48 6a-9a 64 e0 44 7d 84 6e 8c   .o.y..Hj.d.D}.n.
    0010 - d9 93 77 d0 34 b3 5f cd-74 98 69 e3 a8 ca 8a bb   ..w.4._.t.i.....
    0020 - 8b 55 bc 66 12 f5 43 11-38 ed 02 b8 17 6f d5 bd   .U.f..C.8....o..
    0030 - ef c6 f7 9d c3 a5 2b 59-a2 0e 1a 68 7f c2 8a 5e   ......+Y...h...^
    0040 - cd ca 9c 02 57 a1 02 1a-56 13 fb a4 b2 4d 85 03   ....W...V....M..
    0050 - bf 2f f9 e1 0c d9 66 c0-5d 70 10 1a f5 7b 20 42   ./....f.]p...{ B
    0060 - 91 7d da d5 42 93 20 ba-2e d2 b1 a6 28 0f 7d de   .}..B. .....(.}.
    0070 - 1b fd e3 0b a5 2e a7 7a-2d cd 35 71 85 5a 2e d4   .......z-.5q.Z..
    0080 - cf 94 d6 f9 7a 2e 42 83-75 bb e7 83 8e 33 9a 0b   ....z.B.u....3..
    0090 - d7 be 05 01 26 aa dd f9-95 75 11 ed fd c5 5b ea   ....&....u....[.
    00a0 - 87 6b 1c 80 36 a9 ba 3a-55 f1 07 a2 e5 b0 3c cf   .k..6..:U.....<.

    Start Time: 1740077797
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
 TLS SUCCESSFUL 
8042D8D3D57F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert -tls1_2
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALALAQABDAgZCVS1U7TwcidxojNP9R6DG0f2MYUK+yVrWXDOri5
zE8yrzBv0w/8Le/fz8ecdRqhBgIEZ7d65aIEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1:secp521r1:secp384r1
Shared groups: secp256r1:secp521r1:secp384r1
CIPHER is ECDHE-ECDSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.2 and ECDH
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.pem -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 -groups secp256r1
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:28 2025 GMT; NotAfter: Feb 20 18:55:28 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTI4WhcNMjYwMjIwMTg1NTI4WjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATVryL49o7MzHSk6nPk6zj7VPOujJd7rYgIWuZgN4kPlTdh
fJV5diZJ9b6vNOQYOO2YAlSrgj6A+H2K2QX709sAo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFAWmjCB6+wOP+BMUMbWwuUtXb7w/MB8GA1UdIwQYMBaAFAWi
4zP32N7et0n8YrMb/d0htPWlMA0GCSqGSIb3DQEBCwUAA4IBAQAQJtTFPpSIRLnm
/s6NwEQIXw7nWNBXnWaUlsqBoJ19e+1dVyq0FcI8GsHs/YLvEX+a14NtFxL4uc7e
Hw8xFfKkaO92QikGkmO7rd8qm+a14oiiPdGw84j8OEiyPmN9QH2Ewfdp+RMKqFYg
XyN4ugseF1SL2aXeTXd3TSz5IvDQhNQCW+8fjQ1GD5pjtAjRH/OK3w/9RIm56iRH
P7KpCpuAp/YESOndF6dIGyyLToflPW2i1NMFoqlG80Uub/AY0SID1735+Y6dPR3b
dUA00cZBXZTs4l6jQUa4+nJpaqB5FOgdnw2qir4x/hoWkGPpJ4V5bhZiTFDHTrJS
MQb/82eR
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1120 bytes and written 252 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Session-ID: 14B02148CFAB8F32D2499CF6C543DF054D2D7421364FFE4312D42534924BE437
    Session-ID-ctx: 
    Master-Key: 1C290FCA1E275CAF0263F69C783BD86FBAB3ACA8ED86BD287A2D8E2782979926D14CE56238332D226F1576CDB0C7A9A8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ae 5c ae ca 70 64 78 25-1a 7c 71 fb 36 b4 ef d4   .\..pdx%.|q.6...
    0010 - 6e 1f b1 2b 44 13 a2 ee-c0 00 8f 8b 2e 70 bb 41   n..+D........p.A
    0020 - 81 e4 91 69 24 d8 23 dd-4f c1 b6 ac 49 25 d2 09   ...i$.#.O...I%..
    0030 - da 94 4a 19 eb ba 3a aa-45 9e 9f 95 35 c0 05 cc   ..J...:.E...5...
    0040 - 48 57 40 8f 07 89 86 6f-b6 cf 2c 2f ab 51 ab 98   HW@....o..,/.Q..
    0050 - c1 f2 0f bc 00 85 50 df-03 87 fc c7 94 26 53 4e   ......P......&SN
    0060 - 3d b4 60 ef 20 b0 f3 62-34 2f db a9 e9 05 d0 54   =.`. ..b4/.....T
    0070 - 63 39 99 11 d5 9d c9 72-d1 6e e5 e4 8e 0d 1e ef   c9.....r.n......
    0080 - 0d 3f 0b f0 4c bd da c9-25 23 9b 8d 17 66 cd 33   .?..L...%#...f.3
    0090 - cf 6d 96 51 f3 d2 4b 1c-06 d1 0e 02 84 78 ec ec   .m.Q..K......x..
    00a0 - 45 de 2a 67 4f d9 1a 35-ee a0 f6 19 6b 13 9e 79   E.*gO..5....k..y

    Start Time: 1740077797
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
 TLS SUCCESSFUL 
80D28D6FA67F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALAKwQABDAcKQ/KHidcrwJj9px4O9hvurOsqO2GvSh6LY4ngpeZ
JtFM5WI4My0ibxV2zbDHqaihBgIEZ7d65aIEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:ECDHE-ECDSA-AES128-GCM-SHA256
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1
Shared groups: secp256r1
CIPHER is ECDHE-ECDSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.3 and specific suite
spawn openssl s_client -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.pem -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384 -groups secp256r1
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:28 2025 GMT; NotAfter: Feb 20 18:55:28 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTI4WhcNMjYwMjIwMTg1NTI4WjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATVryL49o7MzHSk6nPk6zj7VPOujJd7rYgIWuZgN4kPlTdh
fJV5diZJ9b6vNOQYOO2YAlSrgj6A+H2K2QX709sAo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFAWmjCB6+wOP+BMUMbWwuUtXb7w/MB8GA1UdIwQYMBaAFAWi
4zP32N7et0n8YrMb/d0htPWlMA0GCSqGSIb3DQEBCwUAA4IBAQAQJtTFPpSIRLnm
/s6NwEQIXw7nWNBXnWaUlsqBoJ19e+1dVyq0FcI8GsHs/YLvEX+a14NtFxL4uc7e
Hw8xFfKkaO92QikGkmO7rd8qm+a14oiiPdGw84j8OEiyPmN9QH2Ewfdp+RMKqFYg
XyN4ugseF1SL2aXeTXd3TSz5IvDQhNQCW+8fjQ1GD5pjtAjRH/OK3w/9RIm56iRH
P7KpCpuAp/YESOndF6dIGyyLToflPW2i1NMFoqlG80Uub/AY0SID1735+Y6dPR3b
dUA00cZBXZTs4l6jQUa4+nJpaqB5FOgdnw2qir4x/hoWkGPpJ4V5bhZiTFDHTrJS
MQb/82eR
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1034 bytes and written 327 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 5797078F81E7DB8C97ECAD90FCB52796F9142A20EBD75720DB05052305FF57F5
    Session-ID-ctx: 
    Resumption PSK: 5E691CDCB6DA6756218580699174D7A4077BD3D5B8BF79536D3FBE49DBB5DDCBB82639174DEB0E34CD84D045BBE4ECE7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 29 6b 00 dd 38 4f 7b 3d-5b 70 56 fe 3c e5 98 50   )k..8O{=[pV.<..P
    0010 - 0f 78 4a eb d5 24 c0 cc-9e f9 0a a1 0a f0 66 c7   .xJ..$........f.
    0020 - af 7e b5 96 69 ac 35 66-8c c6 3b f5 ce e3 8e 4b   .~..i.5f..;....K
    0030 - c8 9a e4 bb 11 50 31 d9-71 51 27 da 23 e6 3e 97   .....P1.qQ'.#.>.
    0040 - 52 8c 74 19 d8 f3 fc 5e-ef e5 f0 74 84 c1 21 b0   R.t....^...t..!.
    0050 - 71 84 a3 35 ce b6 37 40-7b 0c 69 76 d4 ec bd be   q..5..7@{.iv....
    0060 - b9 17 e6 51 a5 1b ea 5d-a3 fe d5 31 25 78 58 c1   ...Q...]...1%xX.
    0070 - 0e 54 1f 78 8e 94 7f 6d-04 1f 1c 4f b3 92 32 71   .T.x...m...O..2q
    0080 - 48 a1 fc 23 66 4d 21 1a-3c 71 db 97 ef 67 58 ae   H..#fM!.<q...gX.
    0090 - c3 94 b6 b5 15 d4 d6 8c-32 4e b6 56 d3 e6 62 76   ........2N.V..bv
    00a0 - 9a cf 66 a7 35 b4 f9 78-62 c3 d5 3c 7b c6 fd e5   ..f.5..xb..<{...
    00b0 - 07 b4 0d 37 56 d5 f2 bf-37 64 c9 92 00 72 d7 a1   ...7V...7d...r..
    00c0 - 5d ad 28 61 fb 05 9a 2c-3b 00 f6 3f c9 c0 93 97   ].(a...,;..?....

    Start Time: 1740077797
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 1A578586680ED32E43D97815DAE22A1192B69D78418EEF2D6A5CECE431472EEE
    Session-ID-ctx: 
    Resumption PSK: 3BCC6033F89A8A4810F978D5AAAD6447ABCF25A732F1C5F153A916C5AC4609FCD1D553D990AD5C4128E8A5221D5027EB
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 29 6b 00 dd 38 4f 7b 3d-5b 70 56 fe 3c e5 98 50   )k..8O{=[pV.<..P
    0010 - 2e f5 44 e8 ba e9 9f 21-99 e6 ac aa fb dc 27 f8   ..D....!......'.
    0020 - 20 75 c3 6b 0d 29 da b2-09 f9 56 fd 47 9c 35 ba    u.k.)....V.G.5.
    0030 - 2d 86 d4 3c 26 ef 7a 84-d1 a8 3b 47 17 af 09 ae   -..<&.z...;G....
    0040 - 08 1d 8a c2 08 9b ad ca-89 b5 9f 44 b2 99 98 65   ...........D...e
    0050 - b6 76 33 2f b2 63 80 ff-2f 86 ea 1d 15 99 8a fe   .v3/.c../.......
    0060 - 5d 70 ef cc 8e 2d 1c b7-03 8a 2f ef 23 45 53 71   ]p...-..../.#ESq
    0070 - 40 13 d2 50 f5 87 7a 7c-7c c6 bb c5 03 71 c4 f3   @..P..z||....q..
    0080 - 43 8c 88 77 d3 2f 1d 07-bf 0d 0d af 40 e5 d5 f6   C..w./......@...
    0090 - 4a f2 6c 68 47 d7 f5 a0-59 7d 5e 37 bb 3f 8f 8b   J.lhG...Y}^7.?..
    00a0 - 68 94 a6 70 61 47 21 c0-fd 83 c5 46 55 5d 71 90   h..paG!....FU]q.
    00b0 - 3b 5a d2 c4 df d8 28 ac-7d ed 6c 58 eb 88 e5 11   ;Z....(.}.lX....
    00c0 - 5f c5 c8 43 d7 db 86 cb-4d 50 bb d9 f0 c3 67 5c   _..C....MP....g\

    Start Time: 1740077797
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80A29876F37F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEIFEmarX7YFOZL9MdO4DdczV6J2UjW8BpPs1V/l40Zcc0
BDA7zGAz+JqKSBD5eNWqrWRHq88lpzLxxfFTqRbFrEYJ/NHVU9mQrVxBKOilIh1Q
J+uhBgIEZ7d65aIEAgIcIKQGBAQBAAAArgcCBQC9zgwXswMCARc=
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 

Shared ciphers:TLS_AES_256_GCM_SHA384Q

Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Supported groups: secp256r1
Shared groups: secp256r1
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

                                      ##
########################################

########################################
## Forcing the provider for all server operations


## Run sanity test with default values (RSA)
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.pem
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My Test Cert
   i:CN=Issuer
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:28 2025 GMT; NotAfter: Feb 20 18:55:28 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTI4WhcNMjYwMjIwMTg1NTI4WjAxMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMvsPWYjMOxm2bX/LplPctT0oIOjfo0d/b5d
G0h1jKOesdwoHMO1+5xMLXyFeMjiIDgTjVljVRu6uX99xFcBi6W4sa1Sf4ogfy/0
NDCgPAal3PVdwDNcGkjv4Bd8ffKLoM6CmsrcvQqMUyinLhYVt6q6DbzrLSs5OwU0
0bf4RPM/Nauy8n8V4Nn2zFxGod/owLhdBOmOqbAj/yYiDq0HllpRLk9emJ421dvy
cbYdMmf1ynj5JbitTB0FuNDS8hHBEublrUh09gRzROlzJjQOWtczgjbMUAs5iUC6
Q4MrTdWkRHHTv9kgq/dV1tQut+wgFWe8LF3K5gX+AXYqHEBa+BECAwEAAaOBgTB/
MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBSfw+Lb6Jt5uWHWu7nIlueAviakgjAf
BgNVHSMEGDAWgBQFouMz99je3rdJ/GKzG/3dIbT1pTANBgkqhkiG9w0BAQsFAAOC
AQEAM1yxb/vYB88e59/QR5vDOBrwQL9otng9i2zBkKrvmcricIyf92N6GuQRfAwt
AkxNefg6Jid5I6sx503o89wLcap5eB4TO2m2p3CSEtfPDWTnmXx58PDyNSoY8kb1
Lpwev6PqB60ubjCCK3ZuRblkPrD3nJ70Gonk7xngm90JTWSZycmEynhTxVNFpXae
IPyCLBLe6K+WhQGCR7OfpXJY6XzUYn6Zayxvcn6ZW/BHVQ4V4RmdWBkYMt6lA+uT
02wuiq5bezR8aOGkcTQs1Mdvvzpa458CyNvg35F9oTSj2PXECONnYpwPlra7T6ei
2FM+KrFrIkKeiXNRbwb9oxl+Xw==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, ?, 0 bits
---
SSL handshake has read 1424 bytes and written 371 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: BD958E68A63DBFEA71501D434BC7A5999F70745A1CA2CC297C947D5B5AE2B41C
    Session-ID-ctx: 
    Resumption PSK: DD47A4A76C302E890FA88016110FDFD740527241043479B3B1ED49A8FE8ADB52CCDFAEABA54E6C50229EB2B935FDE41B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - e5 f5 9a bb 02 c6 85 6f-a5 c3 7d 7d 76 bb 6a 68   .......o..}}v.jh
    0010 - 9c 96 1c 82 eb 3e 9e 80-63 fe 65 b0 66 ed ee 0e   .....>..c.e.f...
    0020 - ac ab af 84 f1 47 ac ed-f4 df e5 46 bf f6 08 a9   .....G.....F....
    0030 - d2 da 09 94 0e 50 8e 2f-ff e6 34 72 62 89 fc 16   .....P./..4rb...
    0040 - 7e 1c a4 21 0d 4a ad 60-89 ed 0e f2 01 76 e3 98   ~..!.J.`.....v..
    0050 - 0b 4f 67 a5 19 98 1c 14-a5 f0 9f 0c 2b 91 25 ce   .Og.........+.%.
    0060 - 27 6c 1c f9 e8 83 df 1b-a1 9f 1c ca b3 84 74 3d   'l............t=
    0070 - 13 80 83 fd 6d 59 5d 6d-9d e1 f4 d9 d4 99 53 36   ....mY]m......S6
    0080 - 51 51 90 a8 be 7f ce 2c-b9 0f cd d1 eb 67 82 f6   QQ.....,.....g..
    0090 - ac 55 51 ee dc 18 a1 40-c0 20 c3 5f 40 dd c9 42   .UQ....@. ._@..B
    00a0 - 16 22 a8 2c 3c 3d ee fb-82 0d df f5 4a 8e da 0c   .".,<=......J...
    00b0 - 91 67 ff e7 22 9f 86 ab-f5 77 3b db 3d 4e e6 60   .g.."....w;.=N.`
    00c0 - a2 50 af c3 c6 d2 a3 47-82 48 b8 bf a6 df cf f0   .P.....G.H......

    Start Time: 1740077798
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 787D858B553EC0B1AC57F768C67B39F8785B1886A8777B0C21029CC49A832966
    Session-ID-ctx: 
    Resumption PSK: 308BF8C3D5DB84892BD03724FECF721F421C89ACED321BB80CC29F9EC5B1015DC3D10E69366802E7CF6BD1E07EE2CFD9
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - e5 f5 9a bb 02 c6 85 6f-a5 c3 7d 7d 76 bb 6a 68   .......o..}}v.jh
    0010 - 36 7e 67 32 b4 8b 3d 27-71 e4 59 73 a4 69 82 65   6~g2..='q.Ys.i.e
    0020 - ae bd 6f bf dd 9f 7b 72-20 29 99 35 2b ad 56 ff   ..o...{r ).5+.V.
    0030 - 54 27 97 8e 89 37 c0 54-dd dd 44 82 dd 41 35 4f   T'...7.T..D..A5O
    0040 - e4 de bf e4 6a 63 f2 20-0b fa a8 f0 26 b0 41 9b   ....jc. ....&.A.
    0050 - 11 1d 74 96 11 e9 9d 09-ca 7b 44 07 6d 29 2e 86   ..t......{D.m)..
    0060 - 9b d3 cd da a8 b9 3f 10-af 24 ba 5d a0 e2 10 26   ......?..$.]...&
    0070 - 34 58 b5 fb fe 5a 31 a6-41 b5 5c dd f6 6f fe bd   4X...Z1.A.\..o..
    0080 - 95 59 26 c9 94 6c 49 84-9c 5f be 3a 95 07 43 1d   .Y&..lI.._.:..C.
    0090 - 29 7a e8 56 4a 16 11 12-7b cc e5 f5 57 5a 6c e7   )z.VJ...{...WZl.
    00a0 - a8 1d e5 cf da bf f4 6d-2d 7d 78 8e 07 d6 a3 3d   .......m-}x....=
    00b0 - d4 e2 94 d3 71 f7 b5 02-0c 92 e3 51 25 b2 b1 20   ....q......Q%.. 
    00c0 - ed 4c fe a2 c3 50 ae fb-ea a9 91 6b b5 3e 53 94   .L...P.....k.>S.

    Start Time: 1740077798
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80C2B0E3ED7F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEIDDmhjl4S5sYYFLUeCel4MBAcY6tQpUSWrFjhEmm7RtZ
BDAwi/jD1duEiSvQNyT+z3IfQhyJrO0yG7gMwp+exbEBXcPRDmk2aALnz2vR4H7i
z9mhBgIEZ7d65qIEAgIcIKQGBAQBAAAArgcCBQDbgUNkswMCARc=
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run sanity test with default values (ECDSA)
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.pem
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:28 2025 GMT; NotAfter: Feb 20 18:55:28 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTI4WhcNMjYwMjIwMTg1NTI4WjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATVryL49o7MzHSk6nPk6zj7VPOujJd7rYgIWuZgN4kPlTdh
fJV5diZJ9b6vNOQYOO2YAlSrgj6A+H2K2QX709sAo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFAWmjCB6+wOP+BMUMbWwuUtXb7w/MB8GA1UdIwQYMBaAFAWi
4zP32N7et0n8YrMb/d0htPWlMA0GCSqGSIb3DQEBCwUAA4IBAQAQJtTFPpSIRLnm
/s6NwEQIXw7nWNBXnWaUlsqBoJ19e+1dVyq0FcI8GsHs/YLvEX+a14NtFxL4uc7e
Hw8xFfKkaO92QikGkmO7rd8qm+a14oiiPdGw84j8OEiyPmN9QH2Ewfdp+RMKqFYg
XyN4ugseF1SL2aXeTXd3TSz5IvDQhNQCW+8fjQ1GD5pjtAjRH/OK3w/9RIm56iRH
P7KpCpuAp/YESOndF6dIGyyLToflPW2i1NMFoqlG80Uub/AY0SID1735+Y6dPR3b
dUA00cZBXZTs4l6jQUa4+nJpaqB5FOgdnw2qir4x/hoWkGPpJ4V5bhZiTFDHTrJS
MQb/82eR
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, ?, 0 bits
---
SSL handshake has read 1034 bytes and written 371 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: B7C526C9D48029176418536EE851B42710D490E325F13D725052816D8F7212EF
    Session-ID-ctx: 
    Resumption PSK: AF1C0EAB00D93873AF8273C5AC46CA9318380FFE43BEC6689F8A75A3474BED49F4CF19099BB1A171A5C5F4EF5646A9A0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 59 97 9e 72 53 ca 70 3a-cb 69 a6 26 14 29 ec 62   Y..rS.p:.i.&.).b
    0010 - 3e 52 de 86 5f 15 a1 90-b7 9e da 4f a8 09 c6 7c   >R.._......O...|
    0020 - 92 e4 f8 e7 c8 14 cc 0c-ec 47 8f 3d 17 b6 7e 3f   .........G.=..~?
    0030 - 49 12 13 53 bb 32 1e b7-7d f5 f9 46 cd 97 74 ae   I..S.2..}..F..t.
    0040 - e3 8a b6 b6 a8 00 f0 b3-9b 5f d3 8b df f1 82 fa   ........._......
    0050 - b4 82 73 12 aa f4 0d 46-98 f0 45 85 a8 9f 70 0f   ..s....F..E...p.
    0060 - ff 0b 0b 10 b1 e0 f7 db-b6 28 5b cd 68 c3 b3 de   .........([.h...
    0070 - 1e c2 0f ba 32 82 fb 82-72 14 27 1f 71 3c d0 8c   ....2...r.'.q<..
    0080 - da 0e 20 51 a5 ac 9b 4f-68 ae f1 87 5d 09 e7 ca   .. Q...Oh...]...
    0090 - be eb a9 50 55 ff 5f ce-1c 1b 8a e0 1f bf f2 4b   ...PU._........K
    00a0 - 18 8f b2 a9 cd cf dd 5f-ad f9 f6 1d da f6 e5 e6   ......._........
    00b0 - 49 eb 68 30 a4 ff b9 6c-1f 6c bf e1 19 0c 7b c5   I.h0...l.l....{.
    00c0 - 7e c5 41 59 bb c8 b5 1b-02 73 fc d2 24 37 75 69   ~.AY.....s..$7ui

    Start Time: 1740077798
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 09A2BE97A72E924AB5F9F866960ACC037AEAAE96F378253C042769C6F5C1C564
    Session-ID-ctx: 
    Resumption PSK: 1E112B4D7A1984E7F8405F28BDE0904C52EC0D2C19D193499F359FDE7E58D00DB30CBA900B198F0B73E69FB385794550
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 59 97 9e 72 53 ca 70 3a-cb 69 a6 26 14 29 ec 62   Y..rS.p:.i.&.).b
    0010 - ac 29 c7 1b b0 2c 6c 9e-f4 b6 3f 14 20 dd d3 d8   .)...,l...?. ...
    0020 - e5 05 b0 4a 3a ab b2 8d-85 8a db 97 e4 c3 88 88   ...J:...........
    0030 - 47 2f ed f6 60 de c1 0a-9b 6f ae 57 73 56 a5 9d   G/..`....o.WsV..
    0040 - 06 1f ec 17 51 df 34 cf-58 b5 46 dc d7 89 84 67   ....Q.4.X.F....g
    0050 - 6c 7a ff 8d d2 8a 9c 61-cb cf 15 ff 72 4f ed 47   lz.....a....rO.G
    0060 - 95 a8 7b 50 64 49 38 6e-cc 80 69 1f 03 27 2c ec   ..{PdI8n..i..',.
    0070 - 65 7d 88 4f 8a e0 16 f9-47 73 7f 2b ba 44 6d a9   e}.O....Gs.+.Dm.
    0080 - 30 36 ce 12 a2 38 4d 61-9e df 9e c7 68 96 03 6b   06...8Ma....h..k
    0090 - e2 99 eb de a3 87 e6 7f-1d 1b 34 49 0b 28 ea df   ..........4I.(..
    00a0 - 6b e8 a3 55 a4 f2 d2 ea-c6 3c 6d 04 e3 68 69 07   k..U.....<m..hi.
    00b0 - 6c d4 7d b7 69 4e fb 0e-ed be 18 d4 e1 7d f4 39   l.}.iN.......}.9
    00c0 - 8b c8 57 c1 e1 4c ad 9c-8a 02 94 fb 6e f4 c5 b0   ..W..L......n...

    Start Time: 1740077798
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80F2E0E6B27F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGCAgEBAgIDBAQCEwIEIGBDRGlU07ggMcn3ZtOcHWzJTnw3vE8i365dukU1eD61
BDAeEStNehmE5/hAXyi94JBMUuwNLBnRk0mfNZ/efljQDbMMupALGY8Lc+afs4V5
RVChBgIEZ7d65qIEAgIcIKQGBAQBAAAArgYCBFc5p6izAwIBFw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.2
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.pem -tls1_2
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My Test Cert
   i:CN=Issuer
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:28 2025 GMT; NotAfter: Feb 20 18:55:28 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTI4WhcNMjYwMjIwMTg1NTI4WjAxMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMvsPWYjMOxm2bX/LplPctT0oIOjfo0d/b5d
G0h1jKOesdwoHMO1+5xMLXyFeMjiIDgTjVljVRu6uX99xFcBi6W4sa1Sf4ogfy/0
NDCgPAal3PVdwDNcGkjv4Bd8ffKLoM6CmsrcvQqMUyinLhYVt6q6DbzrLSs5OwU0
0bf4RPM/Nauy8n8V4Nn2zFxGod/owLhdBOmOqbAj/yYiDq0HllpRLk9emJ421dvy
cbYdMmf1ynj5JbitTB0FuNDS8hHBEublrUh09gRzROlzJjQOWtczgjbMUAs5iUC6
Q4MrTdWkRHHTv9kgq/dV1tQut+wgFWe8LF3K5gX+AXYqHEBa+BECAwEAAaOBgTB/
MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBSfw+Lb6Jt5uWHWu7nIlueAviakgjAf
BgNVHSMEGDAWgBQFouMz99je3rdJ/GKzG/3dIbT1pTANBgkqhkiG9w0BAQsFAAOC
AQEAM1yxb/vYB88e59/QR5vDOBrwQL9otng9i2zBkKrvmcricIyf92N6GuQRfAwt
AkxNefg6Jid5I6sx503o89wLcap5eB4TO2m2p3CSEtfPDWTnmXx58PDyNSoY8kb1
Lpwev6PqB60ubjCCK3ZuRblkPrD3nJ70Gonk7xngm90JTWSZycmEynhTxVNFpXae
IPyCLBLe6K+WhQGCR7OfpXJY6XzUYn6Zayxvcn6ZW/BHVQ4V4RmdWBkYMt6lA+uT
02wuiq5bezR8aOGkcTQs1Mdvvzpa458CyNvg35F9oTSj2PXECONnYpwPlra7T6ei
2FM+KrFrIkKeiXNRbwb9oxl+Xw==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1509 bytes and written 274 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 375F578CC33A7BE3AC21826E60924F8528442AC9898D365D41B8701A908850DD
    Session-ID-ctx: 
    Master-Key: 303D272A670305CC43B3FE485D23A092B64E333C9BCB3969173FBFD0A774E7616C7786913AAD253DFABD3323F23927CA
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 3a b9 f0 4a a3 a0 57 3b-59 ef 9c cd 16 b5 5b e0   :..J..W;Y.....[.
    0010 - 43 91 18 b1 61 df 7e bf-1e 78 38 bc d8 b9 f0 7c   C...a.~..x8....|
    0020 - cb 28 70 d5 31 f6 9a 5b-c6 2e eb 75 ae ce 34 38   .(p.1..[...u..48
    0030 - 9f 89 d6 03 df bd 6a 2e-e6 cd db a7 4a 66 48 2c   ......j.....JfH,
    0040 - 41 db 12 a8 a1 6e fa ea-64 bf 43 73 d9 82 a5 88   A....n..d.Cs....
    0050 - 39 51 62 45 86 24 65 da-45 38 92 7d 2c c0 44 c1   9QbE.$e.E8.},.D.
    0060 - 09 6f 2b a7 ea c3 68 c6-1f f8 db 83 9f 39 b0 8d   .o+...h......9..
    0070 - ef 03 ab ef 36 73 2e dc-a3 67 17 c5 36 78 06 26   ....6s...g..6x.&
    0080 - fc fb 53 e3 82 7e cf 8b-51 9f 26 49 e1 08 e5 55   ..S..~..Q.&I...U
    0090 - 27 e9 a1 36 77 f8 ae 1f-76 40 5c 3d 90 a2 94 2f   '..6w...v@\=.../
    00a0 - ec 26 2b 68 64 d6 23 f3-03 cb 1b df 3c 12 50 b3   .&+hd.#.....<.P.

    Start Time: 1740077799
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
 TLS SUCCESSFUL 
8052E0B4C07F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALAMAQABDAwPScqZwMFzEOz/khdI6CStk4zPJvLOWkXP7/Qp3Tn
YWx3hpE6rSU9+r0zI/I5J8qhBgIEZ7d65qIEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 

Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCMQ

Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1:secp521r1:secp384r1
Shared groups: secp256r1:secp521r1:secp384r1
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with explicit TLS 1.3
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.pem -tls1_3
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My Test Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My Test Cert
   i:CN=Issuer
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:28 2025 GMT; NotAfter: Feb 20 18:55:28 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTI4WhcNMjYwMjIwMTg1NTI4WjAxMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxFTATBgNVBAMTDE15IFRlc3QgQ2VydDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMvsPWYjMOxm2bX/LplPctT0oIOjfo0d/b5d
G0h1jKOesdwoHMO1+5xMLXyFeMjiIDgTjVljVRu6uX99xFcBi6W4sa1Sf4ogfy/0
NDCgPAal3PVdwDNcGkjv4Bd8ffKLoM6CmsrcvQqMUyinLhYVt6q6DbzrLSs5OwU0
0bf4RPM/Nauy8n8V4Nn2zFxGod/owLhdBOmOqbAj/yYiDq0HllpRLk9emJ421dvy
cbYdMmf1ynj5JbitTB0FuNDS8hHBEublrUh09gRzROlzJjQOWtczgjbMUAs5iUC6
Q4MrTdWkRHHTv9kgq/dV1tQut+wgFWe8LF3K5gX+AXYqHEBa+BECAwEAAaOBgTB/
MAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUdGVzdGNlcnRAZXhhbXBsZS5vcmcw
DgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBSfw+Lb6Jt5uWHWu7nIlueAviakgjAf
BgNVHSMEGDAWgBQFouMz99je3rdJ/GKzG/3dIbT1pTANBgkqhkiG9w0BAQsFAAOC
AQEAM1yxb/vYB88e59/QR5vDOBrwQL9otng9i2zBkKrvmcricIyf92N6GuQRfAwt
AkxNefg6Jid5I6sx503o89wLcap5eB4TO2m2p3CSEtfPDWTnmXx58PDyNSoY8kb1
Lpwev6PqB60ubjCCK3ZuRblkPrD3nJ70Gonk7xngm90JTWSZycmEynhTxVNFpXae
IPyCLBLe6K+WhQGCR7OfpXJY6XzUYn6Zayxvcn6ZW/BHVQ4V4RmdWBkYMt6lA+uT
02wuiq5bezR8aOGkcTQs1Mdvvzpa458CyNvg35F9oTSj2PXECONnYpwPlra7T6ei
2FM+KrFrIkKeiXNRbwb9oxl+Xw==
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My Test Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, ?, 0 bits
---
SSL handshake has read 1424 bytes and written 343 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F12DE00FEDA19FEABB98F2EBACE53972DDB3C8FA013E6042BABFFA23E7857A31
    Session-ID-ctx: 
    Resumption PSK: 93BDD77DCC3610E9DD9502504084CBC214FC374445E61D2BEF501804AA86A9B078CB6FE22D84FD2C3958247DA4BED01D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 2d 99 32 27 ef b6 81 97-4b 80 97 04 94 ce 4b e2   -.2'....K.....K.
    0010 - 27 da 1c fd b6 06 2c 47-36 d4 17 2f 79 da 2c 29   '.....,G6../y.,)
    0020 - a2 a1 8c 9e 8b 97 96 42-90 30 f1 0f e1 f1 91 ce   .......B.0......
    0030 - 19 7b 85 7a a3 43 a9 60-d2 7e e9 d4 4d f9 d7 e4   .{.z.C.`.~..M...
    0040 - b8 3e 63 b4 47 cb 94 b2-cb f4 c5 50 d4 92 41 8d   .>c.G......P..A.
    0050 - cd fc 22 67 73 a9 1e cc-5c 7f 2a 44 7c 8e 03 25   .."gs...\.*D|..%
    0060 - f7 27 f5 66 6d e8 cc e9-98 ee 0a 35 f2 ee 31 9b   .'.fm......5..1.
    0070 - 4e 51 d6 49 be 7a 37 fb-99 ec 3f 6e 4c da 26 e2   NQ.I.z7...?nL.&.
    0080 - 0e d0 08 97 9f 1f 10 34-e3 c3 7c 5e 32 78 d1 f6   .......4..|^2x..
    0090 - 32 c9 0b a3 87 01 20 c9-ec 1b f0 28 c6 74 ba c1   2..... ....(.t..
    00a0 - 9b 18 dd 04 65 55 26 63-8c b7 85 74 64 b0 6b a1   ....eU&c...td.k.
    00b0 - 7a d2 a4 68 dd 3f be 2c-1f 20 91 8f d9 cd 70 6b   z..h.?.,. ....pk
    00c0 - 31 49 20 bb c3 f7 5d e7-98 e3 0a 0b 0c 7a a1 de   1I ...]......z..

    Start Time: 1740077800
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: EC7DA489BF97FB3F3FC9C0AC31662FDFAA39D73DF24AFF48B67269BDFBD359FD
    Session-ID-ctx: 
    Resumption PSK: C7897F2B71A0C6A1B2DEAAD9A4C56C71070A215DED1C84C0074C481B3080B81E1E102DF874BA2EDDA883C302F9378FD0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 2d 99 32 27 ef b6 81 97-4b 80 97 04 94 ce 4b e2   -.2'....K.....K.
    0010 - dc 22 73 6f 14 26 82 9f-5c 23 7c cc d1 7b 32 d5   ."so.&..\#|..{2.
    0020 - 73 30 b9 f3 42 48 a0 a1-81 e7 d8 e2 01 20 43 bd   s0..BH....... C.
    0030 - e2 6b 98 29 90 6f 80 e5-e9 5e d9 8a b2 47 1e 4b   .k.).o...^...G.K
    0040 - 37 bf bd 0b 12 68 19 db-d8 39 84 e5 1b c0 76 c1   7....h...9....v.
    0050 - 00 e0 44 9e 79 be 2f 1b-1a 6d 3a 5a 5a 27 62 44   ..D.y./..m:ZZ'bD
    0060 - da 49 cd 16 bc 8e 66 08-25 8e 54 a9 60 13 fa ad   .I....f.%.T.`...
    0070 - 50 f1 fc e3 da df 46 41-ad 25 0e 9c 4c 8f 11 5b   P.....FA.%..L..[
    0080 - bb 47 56 c9 95 52 87 e4-d6 cf 1f cd a1 86 15 de   .GV..R..........
    0090 - 09 cf 57 a0 d2 85 85 9e-35 9d 75 40 37 9d 91 c8   ..W.....5.u@7...
    00a0 - 39 11 57 27 d9 af d0 e9-ab 94 03 48 e2 ce f1 63   9.W'.......H...c
    00b0 - e6 1f 46 d4 69 bd 04 5c-fd 7e db c8 eb c9 f6 89   ..F.i..\.~......
    00c0 - 07 91 8c 67 37 7c 07 d9-a3 06 dc c1 6c ac 67 9e   ...g7|......l.g.

    Start Time: 1740077800
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
8012A299267F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%01 -cert pkcs11:type=cert;object=testCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEICWXZC9o/TQ9JoT1D3wLf62kW3UYIrvoyl3Gd0OB8tjU
BDDHiX8rcaDGobLeqtmkxWxxBwohXe0chMAHTEgbMIC4Hh4QLfh0ui7dqIPDAvk3
j9ChBgIEZ7d66KIEAgIcIKQGBAQBAAAArgcCBQDWW/hlswMCARc=
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Supported groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Shared groups: secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.2 (ECDSA)
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.pem -tls1_2
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:28 2025 GMT; NotAfter: Feb 20 18:55:28 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTI4WhcNMjYwMjIwMTg1NTI4WjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATVryL49o7MzHSk6nPk6zj7VPOujJd7rYgIWuZgN4kPlTdh
fJV5diZJ9b6vNOQYOO2YAlSrgj6A+H2K2QX709sAo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFAWmjCB6+wOP+BMUMbWwuUtXb7w/MB8GA1UdIwQYMBaAFAWi
4zP32N7et0n8YrMb/d0htPWlMA0GCSqGSIb3DQEBCwUAA4IBAQAQJtTFPpSIRLnm
/s6NwEQIXw7nWNBXnWaUlsqBoJ19e+1dVyq0FcI8GsHs/YLvEX+a14NtFxL4uc7e
Hw8xFfKkaO92QikGkmO7rd8qm+a14oiiPdGw84j8OEiyPmN9QH2Ewfdp+RMKqFYg
XyN4ugseF1SL2aXeTXd3TSz5IvDQhNQCW+8fjQ1GD5pjtAjRH/OK3w/9RIm56iRH
P7KpCpuAp/YESOndF6dIGyyLToflPW2i1NMFoqlG80Uub/AY0SID1735+Y6dPR3b
dUA00cZBXZTs4l6jQUa4+nJpaqB5FOgdnw2qir4x/hoWkGPpJ4V5bhZiTFDHTrJS
MQb/82eR
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1120 bytes and written 274 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: 433AF14986016C26C026491FF9A6D9D7C6DEBF530838C781DF7D03EB40B38578
    Session-ID-ctx: 
    Master-Key: 1254A00D02034D2BD497E4B6714D0DF1C711EB77411FC16C61940B782ACC340142DA6E44D79CF3DAF972FD8E1541922B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - df cc 09 ab bb 8e e6 3f-6c eb e3 76 96 ea 3d b3   .......?l..v..=.
    0010 - 4a b2 74 e0 6d cc ca 4d-33 4a 11 fb 25 ba de d8   J.t.m..M3J..%...
    0020 - 15 d1 77 bb 00 c1 e4 ed-5c 2d dc a7 fe 62 eb 1d   ..w.....\-...b..
    0030 - 2c 4c 84 80 a6 3d 88 43-3f 6b 54 f8 f9 55 0a a4   ,L...=.C?kT..U..
    0040 - 12 27 0e 30 39 cd f9 93-ed f5 a4 83 54 c9 91 ef   .'.09.......T...
    0050 - 4e ea c5 f7 69 aa 43 20-28 49 a1 ce bd ec 36 5a   N...i.C (I....6Z
    0060 - 48 1f 40 6f 5e 94 3e a6-af 12 b6 e2 e9 10 8f 0f   H.@o^.>.........
    0070 - 72 ab f2 84 48 d3 d6 13-da d9 ca 04 c3 b8 da de   r...H...........
    0080 - ef 79 22 26 ef 10 7c c4-ee ce 9d 69 96 bb 7e 65   .y"&..|....i..~e
    0090 - 72 1c 05 20 b4 be 6e 62-5a b6 84 55 44 48 7f 48   r.. ..nbZ..UDH.H
    00a0 - 06 16 b2 4e 47 7b 37 b1-74 82 1f 3f 4f 14 15 aa   ...NG{7.t..?O...

    Start Time: 1740077800
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
 TLS SUCCESSFUL 
80229E42157F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert -tls1_2
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALALAQABDASVKANAgNNK9SX5LZxTQ3xxxHrd0EfwWxhlAt4Ksw0
AULabkTXnPPa+XL9jhVBkiuhBgIEZ7d66KIEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1:secp521r1:secp384r1
Shared groups: secp256r1:secp521r1:secp384r1
CIPHER is ECDHE-ECDSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.2 and ECDH
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.pem -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 -groups secp256r1
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:28 2025 GMT; NotAfter: Feb 20 18:55:28 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTI4WhcNMjYwMjIwMTg1NTI4WjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATVryL49o7MzHSk6nPk6zj7VPOujJd7rYgIWuZgN4kPlTdh
fJV5diZJ9b6vNOQYOO2YAlSrgj6A+H2K2QX709sAo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFAWmjCB6+wOP+BMUMbWwuUtXb7w/MB8GA1UdIwQYMBaAFAWi
4zP32N7et0n8YrMb/d0htPWlMA0GCSqGSIb3DQEBCwUAA4IBAQAQJtTFPpSIRLnm
/s6NwEQIXw7nWNBXnWaUlsqBoJ19e+1dVyq0FcI8GsHs/YLvEX+a14NtFxL4uc7e
Hw8xFfKkaO92QikGkmO7rd8qm+a14oiiPdGw84j8OEiyPmN9QH2Ewfdp+RMKqFYg
XyN4ugseF1SL2aXeTXd3TSz5IvDQhNQCW+8fjQ1GD5pjtAjRH/OK3w/9RIm56iRH
P7KpCpuAp/YESOndF6dIGyyLToflPW2i1NMFoqlG80Uub/AY0SID1735+Y6dPR3b
dUA00cZBXZTs4l6jQUa4+nJpaqB5FOgdnw2qir4x/hoWkGPpJ4V5bhZiTFDHTrJS
MQb/82eR
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1120 bytes and written 252 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Session-ID: 5EC5935487C71B58B0A2CCD91BFE200E2DB99686756E27DD3325F0C251EB4E59
    Session-ID-ctx: 
    Master-Key: AB460319C7F52127F5D71BBAB145EAF44DF417FED93F5494C8ED07C6C191822194E7802F4C0221762C48E6E6A65F1387
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 21 9f 30 75 7b ce cd 00-0a 5a 7b 88 fb 33 a9 87   !.0u{....Z{..3..
    0010 - 12 d1 49 b1 5d da eb 4e-1e c7 af 70 ad 26 d2 29   ..I.]..N...p.&.)
    0020 - 8a 9f 9a db e2 60 78 08-43 98 08 68 ef 0e 24 cb   .....`x.C..h..$.
    0030 - 0f 3c a2 28 20 e1 73 10-41 5f b0 0f 28 1a 9a 2a   .<.( .s.A_..(..*
    0040 - 1f d8 dc b5 e1 88 7c 5e-bf 13 e5 d2 bc d8 d5 b1   ......|^........
    0050 - 67 6b a1 c3 93 ce 20 20-4c c0 01 35 06 cd c6 88   gk....  L..5....
    0060 - 14 83 a8 ad bb 80 d5 fc-19 fb 85 b8 ad cb a5 b1   ................
    0070 - 2d 25 54 13 aa 1f 40 4f-36 93 92 81 50 0a e1 28   -%T...@O6...P..(
    0080 - 1e 25 97 7e 28 8d 5b e6-f1 90 eb 1b 02 25 af 96   .%.~(.[......%..
    0090 - 4a 9f bb 6e b9 99 71 1f-8a ac 25 12 46 0d a4 ab   J..n..q...%.F...
    00a0 - 70 aa f8 8d 0f bb 3b 24-b3 18 82 3a 08 60 05 1d   p.....;$...:.`..

    Start Time: 1740077800
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
 TLS SUCCESSFUL 
80B2EEC7487F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALAKwQABDCrRgMZx/UhJ/XXG7qxRer0TfQX/tk/VJTI7QfGwZGC
IZTngC9MAiF2LEjm5qZfE4ehBgIEZ7d66KIEAgIcIKQGBAQBAAAArQMCAQGzAwIB
Fw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:ECDHE-ECDSA-AES128-GCM-SHA256
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: secp256r1
Shared groups: secp256r1
CIPHER is ECDHE-ECDSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

## Run test with TLS 1.3 and specific suite
spawn openssl s_client -propquery ?provider=pkcs11 -connect localhost:23456 -CAfile /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests/kryoptic.nss/caCert.pem -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384 -groups secp256r1
Connecting to ::1
CONNECTED(00000004)
Can't use SSL_get_servername
depth=1 CN=Issuer
verify return:1
depth=0 O=PKCS11 Provider, CN=My EC Cert
verify return:1
---
Certificate chain
 0 s:O=PKCS11 Provider, CN=My EC Cert
   i:CN=Issuer
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 18:55:28 2025 GMT; NotAfter: Feb 20 18:55:28 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICcjCCAVqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZJc3N1
ZXIwHhcNMjUwMjIwMTg1NTI4WhcNMjYwMjIwMTg1NTI4WjAvMRgwFgYDVQQKEw9Q
S0NTMTEgUHJvdmlkZXIxEzARBgNVBAMTCk15IEVDIENlcnQwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAATVryL49o7MzHSk6nPk6zj7VPOujJd7rYgIWuZgN4kPlTdh
fJV5diZJ9b6vNOQYOO2YAlSrgj6A+H2K2QX709sAo4GBMH8wDAYDVR0TAQH/BAIw
ADAfBgNVHREEGDAWgRR0ZXN0Y2VydEBleGFtcGxlLm9yZzAOBgNVHQ8BAf8EBAMC
B4AwHQYDVR0OBBYEFAWmjCB6+wOP+BMUMbWwuUtXb7w/MB8GA1UdIwQYMBaAFAWi
4zP32N7et0n8YrMb/d0htPWlMA0GCSqGSIb3DQEBCwUAA4IBAQAQJtTFPpSIRLnm
/s6NwEQIXw7nWNBXnWaUlsqBoJ19e+1dVyq0FcI8GsHs/YLvEX+a14NtFxL4uc7e
Hw8xFfKkaO92QikGkmO7rd8qm+a14oiiPdGw84j8OEiyPmN9QH2Ewfdp+RMKqFYg
XyN4ugseF1SL2aXeTXd3TSz5IvDQhNQCW+8fjQ1GD5pjtAjRH/OK3w/9RIm56iRH
P7KpCpuAp/YESOndF6dIGyyLToflPW2i1NMFoqlG80Uub/AY0SID1735+Y6dPR3b
dUA00cZBXZTs4l6jQUa4+nJpaqB5FOgdnw2qir4x/hoWkGPpJ4V5bhZiTFDHTrJS
MQb/82eR
-----END CERTIFICATE-----
subject=O=PKCS11 Provider, CN=My EC Cert
issuer=CN=Issuer
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, ?, 0 bits
---
SSL handshake has read 1032 bytes and written 327 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 2EBBA85E8285C31043EE20A43C8EF33BC9CF310C9C2D00901E6DE714A10AB861
    Session-ID-ctx: 
    Resumption PSK: 7D750A0329693B6DEB6F6113480A1DB0CEF89C648EA663BAC0B54BCE459EDA376E489815BF181744D68088F73C5E2AE0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ae 21 b8 1e 5c 98 37 f0-87 e7 51 94 c0 fc 58 84   .!..\.7...Q...X.
    0010 - af 65 79 7c 95 9e 55 2b-cb 4f 78 d5 f2 da a0 94   .ey|..U+.Ox.....
    0020 - b3 3b 4f c4 10 6d 38 9f-bb 39 2c 85 07 7f a2 2a   .;O..m8..9,....*
    0030 - 6b f7 5e 9b a2 a1 a9 35-ed f7 c6 e2 2e 88 58 56   k.^....5......XV
    0040 - 36 e3 37 75 bd 29 3a bb-74 9f a2 f2 d1 d5 8c 56   6.7u.):.t......V
    0050 - f3 81 3d db 7f 40 fc 9d-41 df 56 5d ab d8 f9 bc   ..=..@..A.V]....
    0060 - 1c 5e ce bc 5b a2 54 c5-30 0e 5c 29 d1 21 7c 9b   .^..[.T.0.\).!|.
    0070 - b9 8b 4c dd dd 3b d3 8a-9c 17 bb 97 5a 7e b7 dc   ..L..;......Z~..
    0080 - 10 43 bc 4a c3 5c 7d b5-bf 86 5b 03 b9 b5 9d 54   .C.J.\}...[....T
    0090 - 69 7e ec ab ff 03 26 7e-64 cd c3 1d ac 28 7d ae   i~....&~d....(}.
    00a0 - eb 01 9d ef 4d 3e da ce-5a ae 45 2c d8 8f 9c fa   ....M>..Z.E,....
    00b0 - a6 6a 7c 63 16 c0 20 51-e5 dc 1b ed 54 b4 70 d2   .j|c.. Q....T.p.
    00c0 - 88 eb e1 2d 80 fb 45 ea-91 ee 04 2d 70 9d d8 fd   ...-..E....-p...

    Start Time: 1740077801
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 22052F7E1273A4B53331D93527457E2C04CEDFB824F07AAFE3816C72D1F727B6
    Session-ID-ctx: 
    Resumption PSK: 4D88CB778AC91D3B3856E1ACCD87CC0FA6E24611F8C812C53FE4693539EEAB172948F07B0063871E32D548841637D818
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ae 21 b8 1e 5c 98 37 f0-87 e7 51 94 c0 fc 58 84   .!..\.7...Q...X.
    0010 - 6b 1a c4 35 4b ba 5d 24-8a 7f 7e c0 a9 0d b1 27   k..5K.]$..~....'
    0020 - fa 3d 80 03 89 6d 30 d4-3a 5d 80 91 9d 54 fa 0a   .=...m0.:]...T..
    0030 - c6 d5 1e 59 73 c5 f9 8a-9f 07 1d 3d 4a 66 42 db   ...Ys......=JfB.
    0040 - b8 dc 9b 1e d7 47 65 30-a8 23 df 73 7b 38 25 e6   .....Ge0.#.s{8%.
    0050 - be 57 0a b8 79 ec 21 8e-87 ab a0 0f ed 80 12 a3   .W..y.!.........
    0060 - 95 35 2d 92 c3 06 84 40-36 9b 4b 2a e5 b6 63 51   .5-....@6.K*..cQ
    0070 - c9 fc a2 0f 82 1e 9c 2f-7e 86 11 8b 8e fe 6e ff   ......./~.....n.
    0080 - 35 be d6 ea 9e db df a4-f5 ce 6e 90 e4 ff 1a 36   5.........n....6
    0090 - d2 62 5f 44 74 39 a9 24-f5 41 21 6d 4d 5a 0e d8   .b_Dt9.$.A!mMZ..
    00a0 - 63 5f 68 96 ed 8b 74 30-35 b6 9f 6f b3 3e 5f 62   c_h...t05..o.>_b
    00b0 - bf 19 e0 f6 8a 6c 80 04-e4 11 d8 da 72 6b c3 8d   .....l......rk..
    00c0 - aa 03 fc 7d 35 50 71 47-15 4a 47 67 da d6 e9 40   ...}5PqG.JGg...@

    Start Time: 1740077801
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
 TLS SUCCESSFUL 
80C2110E657F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGCAgEBAgIDBAQCEwIEIGSMB1U64EN0IkGauWLdKlVjofvye9snuf6QgJUj5nvk
BDBNiMt3iskdOzhW4azNh8wPpuJGEfjIEsU/5Gk1Oe6rFylI8HsAY4ceMtVIhBY3
2BihBgIEZ7d66aIEAgIcIKQGBAQBAAAArgYCBGF+aCmzAwIBFw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Supported groups: secp256r1
Shared groups: secp256r1
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

                                      ##
########################################

Server output:
spawn openssl s_server -propquery ?provider=pkcs11 -accept 23456 -naccept 1 -key pkcs11:type=private;id=%00%02 -cert pkcs11:type=cert;object=ecCert
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGCAgEBAgIDBAQCEwIEIGSMB1U64EN0IkGauWLdKlVjofvye9snuf6QgJUj5nvk
BDBNiMt3iskdOzhW4azNh8wPpuJGEfjIEsU/5Gk1Oe6rFylI8HsAY4ceMtVIhBY3
2BihBgIEZ7d66aIEAgIcIKQGBAQBAAAArgYCBGF+aCmzAwIBFw==
-----END SSL SESSION PARAMETERS----- TLS SUCCESSFUL 
Q

Shared ciphers:TLS_AES_256_GCM_SHA384
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Supported groups: secp256r1
Shared groups: secp256r1
CIPHER is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
DONE
shutdown accept socket
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   1 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   1 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)
==============================================================================

=================================== 78/92 ====================================
test:         pkcs11-provider:softokn / tlsfuzzer
start time:   18:56:41
duration:     0.01s
result:       exit status 77
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=58 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper tlsfuzzer-softokn.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/ttlsfuzzer
TLS fuzzer is not available -- skipping
==============================================================================

=================================== 79/92 ====================================
test:         pkcs11-provider:softhsm / tlsfuzzer
start time:   18:56:41
duration:     0.01s
result:       exit status 77
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests MALLOC_PERTURB_=12 UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper tlsfuzzer-softhsm.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/ttlsfuzzer
TLS fuzzer is not available -- skipping
==============================================================================

=================================== 80/92 ====================================
test:         pkcs11-provider:kryoptic / tlsfuzzer
start time:   18:56:41
duration:     0.01s
result:       exit status 77
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=81 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper tlsfuzzer-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/ttlsfuzzer
TLS fuzzer is not available -- skipping
==============================================================================

=================================== 81/92 ====================================
test:         pkcs11-provider:kryoptic.nss / tlsfuzzer
start time:   18:56:41
duration:     0.02s
result:       exit status 77
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=101 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper tlsfuzzer-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/ttlsfuzzer
TLS fuzzer is not available -- skipping
==============================================================================

=================================== 82/92 ====================================
test:         pkcs11-provider:softokn / uri
start time:   18:56:41
duration:     2.41s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=208 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper uri-softokn.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/turi

## Check that storeutl returns URIs
 openssl storeutl -text pkcs11:

## Check returned URIs work to find objects
$uri=pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%00%00;object=caCert;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%00%01;object=testCert;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%00%02;object=ecCert;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%00%03;object=ecPeerCert;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%00%05;object=testCert2;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%00%06;object=ecCert2;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%00%08;object=ecCert3;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%60%4E%40%79%0E%DD%B0%33%12%B8%59%B3%35%58%D5%08;object=Test-RSA-gen-604e4079;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%C0%CE%00%B5%9D%0F%CF%6E%DD%2E%D3%C7%F3%70%4A%4B;object=Test-RSA-PSS-gen-c0ce00b5;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%27%2B%56%62%BA%80%D6%A2%E3%18%DD%2E%72%1B%4D%D9;object=Test-EC-gen-272b5662;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%F8%9E%0D%A1%3E%2C%AC%4C%74%B7%0F%8B%83%34%EB%A8;object=Test-RSA-Key-Usage-f89e0da1;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%04%E6%EE%1E%03%97%30%19%51%BA%42%E4%48%61%86%8B;object=Fork-Test;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%51%2F%C6%60%73%EC%3E%C1%D2%36%B8%E7%A8%FC%55%4A;object=Pkey%20sigver%20Test;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%F3%4F%49%97%F8%62%4F%1D%16%59%7B%F2%02%5F%C2%4D;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20FIPS%20140-2%20Certificate%20DB;id=%99%96%A5%D3%A9%14%08%8F%D7%E9%3E%4C%65%FD%45%09;type=private
 openssl storeutl -text "$uri"

## Check each URI component is tested
$cmp=pkcs11:model=NSS%203
 openssl storeutl -text "pkcs11:${cmp}"
$cmp=manufacturer=Mozilla%20Foundation
 openssl storeutl -text "pkcs11:${cmp}"
$cmp=serial=0000000000000000
 openssl storeutl -text "pkcs11:${cmp}"
$cmp=token=NSS%20FIPS%20140-2%20Certificate%20DB
 openssl storeutl -text "pkcs11:${cmp}"
$cmp=id=%00%00
 openssl storeutl -text "pkcs11:${cmp}"
$cmp=object=caCert
 openssl storeutl -text "pkcs11:${cmp}"
$cmp=type=private
 openssl storeutl -text "pkcs11:${cmp}"
==============================================================================

=================================== 83/92 ====================================
test:         pkcs11-provider:softhsm / uri
start time:   18:56:43
duration:     2.27s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=43 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper uri-softhsm.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/turi

## Check that storeutl returns URIs
 openssl storeutl -text pkcs11:

## Check returned URIs work to find objects
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%6E%91%39%91%4B%23%A5%25%5D%8A%4F%71%49%BE%16%56;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%D3%BB%13%1A%B6%14%17%85%A9%45%2D%CA%8D%65%50%75;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%00%10;object=testRsaPssCert;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%3B%93%8A%A2%C3%13%48%CF%31%20%0E%6B%E9%98%2B%1F;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%90%DF%85%14%29%C0%62%43%F7%0E%44%87%B5%8D%BD%54;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%F5%BE%D4%32%38%54%3A%B1%98%3F%B4%A7%44%D7%D2%02;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%00%01;object=testCert;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%7E%B0%7F%05%EB%05%9D%78%46%A6%FB%49%81%73%46%0D;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%00%08;object=ecCert3;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%14%37%99%21%3D%1E%E2%A2%3E%CA%74%21%B5%64%A2%35;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%00%05;object=testCert2;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%93%67%CD%40%5C%CD%F3%4C%3C%C8%8E%A5%61%9F%60%CF;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%00%03;object=ecPeerCert;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%C8%B5%B8%92%5A%C6%D4%54%7F%A7%F7%04%2E%8A%1F%73;object=Test-EC-gen-c8b5b892;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%7D%65%7C%EA%C7%BF%5B%AA%D0%A9%7F%26%51%C6%04%A3;object=Test-RSA-Key-Usage-7d657cea;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%C7%4B%CC%00%34%8A%70%44%37%55%59%AF%CF%27%C5%DD;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%9D%F2%93%1D%65%E0%21%69%CA%55%E6%D1%72%33%94%95;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%00%06;object=ecCert2;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%EC%FE%5A%8E%52%45%CC%8A%06%8E%21%7F%14%A8%FF%CB;object=Test-RSA-PSS-gen-ecfe5a8e;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%77%B7%68%89%00%B7%2A%CF%36%34%C6%A1%28%65%7E%7F;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%9B%B2%CE%99%E4%35%DF%9C%85%E7%5E%A6%68%E2%E8%47;object=Test-RSA-gen-9bb2ce99;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%8A%BC%F0%83%99%0B%89%9C%DF%C5%6E%5A%93%FE%52%5E;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%00%11;object=testRsaPss2Cert;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%62%69%20%6D%EE%B5%35%F0%A2%24%76%35%6B%10%6B%CF;object=Fork-Test;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%00%00;object=caCert;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%CC%4C%12%F2%1E%1B%42%EB%18%E1%5D%D3%00%36%4A%AA;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%22%63%2A%7F%C9%D8%F6%74%39%59%11%E6%7B%07%77%8F;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%81%8C%7F%AD%9F%4D%A2%6E%5A%14%52%68%FC%F1%BF%64;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%84%3A%D7%D0%4E%9A%FE%BB%95%D1%B0%C9%FD%46%3B%23;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%FB%74%1C%2D%AD%D1%DB%76%15%67%93%1C%A4%F4%0C%10;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%3B%E8%B4%EE%24%EF%79%E7%DD%73%56%41%CD%CE%1C%8F;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%00%02;object=ecCert;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=4095f2741ef5cade;token=SoftHSM%20Token;id=%39%40%44%12%98%96%59%52%B0%CD%E4%8C%0A%26%C4%2E;object=Pkey%20sigver%20Test;type=private
 openssl storeutl -text "$uri"

## Check each URI component is tested
$cmp=pkcs11:model=SoftHSM%20v2
 openssl storeutl -text "pkcs11:${cmp}"
$cmp=manufacturer=SoftHSM%20project
 openssl storeutl -text "pkcs11:${cmp}"
$cmp=serial=4095f2741ef5cade
 openssl storeutl -text "pkcs11:${cmp}"
$cmp=token=SoftHSM%20Token
 openssl storeutl -text "pkcs11:${cmp}"
$cmp=id=%6E%91%39%91%4B%23%A5%25%5D%8A%4F%71%49%BE%16%56
 openssl storeutl -text "pkcs11:${cmp}"
$cmp=type=private
 openssl storeutl -text "pkcs11:${cmp}"
==============================================================================

=================================== 84/92 ====================================
test:         pkcs11-provider:kryoptic / uri
start time:   18:56:45
duration:     2.26s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 MALLOC_PERTURB_=43 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper uri-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/turi

## Check that storeutl returns URIs
 openssl storeutl -text pkcs11:

## Check returned URIs work to find objects
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%00%00;object=caCert;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%00%01;object=testCert;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%00%02;object=ecCert;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%00%03;object=ecPeerCert;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%00%05;object=testCert2;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%00%06;object=ecCert2;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%00%08;object=ecCert3;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%00%10;object=testRsaPssCert;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%00%11;object=testRsaPss2Cert;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%61%DC%80%14%41%B3%64%69%2C%DC%83%A0%D2%76%AD%03;object=Test-RSA-gen-61dc8014;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%29%CE%BB%C0%2F%75%DE%FE%43%64%D0%21%2D%95%FA%1D;object=Test-RSA-PSS-gen-29cebbc0;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%24%56%AE%EE%C3%86%D9%EE%BF%76%82%95%C1%8D%1E%AF;object=Test-EC-gen-2456aeee;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%04%E9%EC%13%D4%4A%C3%15%04%5B%1A%0D%16%41%30%A3;object=Test-RSA-Key-Usage-04e9ec13;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%5C%3F%85%E7%1B%57%74%E3%A3%FD%14%2A%B8%F4%89%57;object=Fork-Test;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%A2%19%84%15%B8%A3%C8%7E%50%FF%90%28%F6%02%B0%31;object=Pkey%20sigver%20Test;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%7A%21%A3%C9%B5%A8%DF%AD%71%66%EA%5E%08%43%6D%03;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%78%2D%92%76%1A%88%B8%19%74%78%EE%BC%03%BA%B0%39;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%57%D2%33%8A%52%10%9C%37%3B%FE%29%E3%49%76%E4%97;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%0F%B4%CF%6B%80%66%3C%01%27%75%59%11%B2%32%24%95;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%49%E3%A7%91%27%FD%B3%01%79%7D%14%36%06%D4%71%F4;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%C3%F8%52%A5%03%F9%85%6B%19%49%3E%F6%9C%D7%CD%D1;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%27%DA%FA%DA%7B%EB%7D%5D%C6%9F%BB%46%90%4E%14%16;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%AE%27%79%3D%94%E0%D6%7A%92%D4%D0%77%B9%7C%68%A8;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%E6%C7%9F%93%26%93%E8%E1%4F%43%80%62%E2%19%96%D7;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%77%E9%4C%67%3B%80%45%F0%6D%EC%64%59%C2%86%3A%DD;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%B7%45%7A%8E%6F%31%A0%2B%02%E8%16%6E%8A%51%A4%AF;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%7E%8B%F8%08%26%85%6A%6C%61%D4%F6%AF%06%93%1D%1F;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%0E%D8%18%F3%D9%8F%0E%AC%39%5D%E9%7C%F0%7E%63%5D;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%79%75%19%AD%EF%49%25%65%88%D5%46%B0%62%96%E9%29;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%26%93%3F%E9%60%61%D8%58%A2%31%53%F4%3B%2E%56%71;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%56%52%8E%1E%94%3D%48%AC%B9%94%3B%CD%C2%CB%AE%7B;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%26%07%DA%55%CB%21%64%78%46%F7%E1%E2%D9%1E%98%05;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token;id=%9D%B5%63%2B%CF%CE%D9%35%35%57%AE%E3%0B%16%BC%7B;type=private
 openssl storeutl -text "$uri"

## Check each URI component is tested
$cmp=pkcs11:model=v1
 openssl storeutl -text "pkcs11:${cmp}"
$cmp=manufacturer=Kryoptic%20Project
 openssl storeutl -text "pkcs11:${cmp}"
$cmp=token=Kryoptic%20Token
 openssl storeutl -text "pkcs11:${cmp}"
$cmp=id=%00%00
 openssl storeutl -text "pkcs11:${cmp}"
$cmp=object=caCert
 openssl storeutl -text "pkcs11:${cmp}"
$cmp=type=private
 openssl storeutl -text "pkcs11:${cmp}"
==============================================================================

=================================== 85/92 ====================================
test:         pkcs11-provider:kryoptic.nss / uri
start time:   18:56:48
duration:     7.71s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=61 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper uri-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/turi

## Check that storeutl returns URIs
 openssl storeutl -text pkcs11:

## Check returned URIs work to find objects
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%00%00;object=caCert;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%00%01;object=testCert;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%00%02;object=ecCert;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%00%03;object=ecPeerCert;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%00%05;object=testCert2;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%00%06;object=ecCert2;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%00%08;object=ecCert3;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%5E%AF%66%F9%8E%DA%74%0E%8C%8F%10%D2%1C%6B%F9%AD;object=Test-RSA-gen-5eaf66f9;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%E3%3B%8A%D4%74%12%D2%60%14%5E%42%33%B7%1A%97%F7;object=Test-RSA-PSS-gen-e33b8ad4;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%7D%1B%0C%6F%D9%E1%C6%CB%60%B9%5F%3B%B9%FC%5D%E8;object=Test-EC-gen-7d1b0c6f;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%5A%3E%E0%EE%D5%4A%A8%EE%D2%D3%A0%4B%8F%9F%69%FF;object=Test-RSA-Key-Usage-5a3ee0ee;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%5D%1C%54%46%CF%40%D9%45%51%F4%76%53%A5%E1%CD%C7;object=Fork-Test;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%A9%A2%F0%80%30%98%7D%8C%4B%A7%F7%1B%C3%31%6B%35;object=Pkey%20sigver%20Test;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%65%D1%33%1D%DD%C5%63%B1%E3%82%AA%71%89%27%1E%20;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%2B%80%AE%F5%B4%CB%97%A9%5E%2B%29%A7%88%A8%95%84;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%A3%11%36%CD%0F%0E%3C%71%CB%AA%43%D8%59%59%54%03;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%0B%9B%BC%BA%F8%74%51%14%FB%99%11%CC%7A%E6%6E%48;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%BF%29%D4%06%CA%97%2A%83%FC%AF%7E%56%8F%6D%98%91;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%F4%2F%4C%52%D2%05%56%70%23%3B%93%C2%E4%E7%0D%41;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%41%C5%FC%70%69%74%4F%5C%92%88%79%D0%DD%7F%C9%42;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%B9%75%4A%63%B5%73%AE%0D%27%D8%D8%67%4A%53%AA%4D;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%FD%3F%A2%0B%B1%7F%BC%8C%3E%07%78%6E%AB%F6%0C%49;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%42%E1%C6%D4%41%EE%F5%FB%12%19%E9%75%E2%03%28%47;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%F2%C6%29%73%1F%EC%E9%55%91%C6%74%D2%90%B7%71%05;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%36%2B%8A%C7%6F%D5%5F%64%B8%7F%16%0F%88%39%D5%97;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%19%BC%D2%E8%4C%7F%5A%E1%4E%DE%E4%CC%30%00%98%62;type=private
 openssl storeutl -text "$uri"
$uri=pkcs11:manufacturer=Kryoptic%20Project;token=Kryoptic%20Soft%20Token;id=%D4%FB%3C%62%6F%9F%AB%1A%47%C2%06%3D%87%1D%19%52;type=private
 openssl storeutl -text "$uri"

## Check each URI component is tested
$cmp=pkcs11:manufacturer=Kryoptic%20Project
 openssl storeutl -text "pkcs11:${cmp}"
$cmp=token=Kryoptic%20Soft%20Token
 openssl storeutl -text "pkcs11:${cmp}"
$cmp=id=%00%00
 openssl storeutl -text "pkcs11:${cmp}"
$cmp=object=caCert
 openssl storeutl -text "pkcs11:${cmp}"
$cmp=type=private
 openssl storeutl -text "pkcs11:${cmp}"
==============================================================================

=================================== 86/92 ====================================
test:         pkcs11-provider:softhsm / ecxc
start time:   18:56:55
duration:     0.01s
result:       exit status 77
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MALLOC_PERTURB_=164 MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper ecxc-softhsm.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tecxc
==============================================================================

=================================== 87/92 ====================================
test:         pkcs11-provider:kryoptic / ecxc
start time:   18:56:55
duration:     0.01s
result:       exit status 77
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=115 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper ecxc-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tecxc
==============================================================================

=================================== 88/92 ====================================
test:         pkcs11-provider:kryoptic.nss / ecxc
start time:   18:56:55
duration:     0.01s
result:       exit status 77
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=106 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper ecxc-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tecxc
==============================================================================

=================================== 89/92 ====================================
test:         pkcs11-provider:softokn / cms
start time:   18:56:55
duration:     0.15s
result:       exit status 4
command:      MALLOC_PERTURB_=108 TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper cms-softokn.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tcms

## Encrypt CMS with EC
 openssl 
cms -encrypt -in "${MESSAGEFILE}"
             -out "${TMPPDIR}/cms-message.ec.enc"
             -aes-256-cbc
             -recip ${ECCRTURI}
             -binary


## Decrypt CMS with EC
 openssl 
cms -decrypt -in "${TMPPDIR}/cms-message.ec.enc"
             -out "${TMPPDIR}/cms-message.ec.dec"
             -inkey ${ECPRIURI}
             -recip ${ECCRTURI}
             -binary
Error decrypting CMS using private key
==============================================================================

=================================== 90/92 ====================================
test:         pkcs11-provider:kryoptic / cms
start time:   18:56:56
duration:     0.11s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=44 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper cms-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tcms

## Encrypt CMS with EC
 openssl 
cms -encrypt -in "${MESSAGEFILE}"
             -out "${TMPPDIR}/cms-message.ec.enc"
             -aes-256-cbc
             -recip ${ECCRTURI}
             -binary


## Decrypt CMS with EC
 openssl 
cms -decrypt -in "${TMPPDIR}/cms-message.ec.enc"
             -out "${TMPPDIR}/cms-message.ec.dec"
             -inkey ${ECPRIURI}
             -recip ${ECCRTURI}
             -binary

==============================================================================

=================================== 91/92 ====================================
test:         pkcs11-provider:kryoptic.nss / cms
start time:   18:56:56
duration:     0.18s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=159 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper cms-kryoptic.nss.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tcms

## Encrypt CMS with EC
 openssl 
cms -encrypt -in "${MESSAGEFILE}"
             -out "${TMPPDIR}/cms-message.ec.enc"
             -aes-256-cbc
             -recip ${ECCRTURI}
             -binary


## Decrypt CMS with EC
 openssl 
cms -decrypt -in "${TMPPDIR}/cms-message.ec.enc"
             -out "${TMPPDIR}/cms-message.ec.dec"
             -inkey ${ECPRIURI}
             -recip ${ECCRTURI}
             -binary

==============================================================================

=================================== 92/92 ====================================
test:         pkcs11-provider:kryoptic / pinlock
start time:   18:56:56
duration:     0.72s
result:       exit status 0
command:      TESTBLDDIR=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/builddir/tests UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1 TEST_PATH=/tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1 MALLOC_PERTURB_=150 /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/test-wrapper pinlock-kryoptic.t
----------------------------------- stdout -----------------------------------
Executing /tmp/tmp.ytmOHcVd0e/BUILD/pkcs11-provider-1.0/tests/tpinlock

## Test PIN lock prevention
  token flags        : login required, rng, token initialized, PIN initialized
Login attempt: 1
error: PKCS11 function C_Login failed: rv = CKR_PIN_INCORRECT (0xa0)
Aborting.
Cryptoki version 3.0
Manufacturer     Kryoptic
Library          Kryoptic PKCS11 Module (ver 0.0)
Login attempt: 2
error: PKCS11 function C_Login failed: rv = CKR_PIN_INCORRECT (0xa0)
Aborting.
Cryptoki version 3.0
Manufacturer     Kryoptic
Library          Kryoptic PKCS11 Module (ver 0.0)
Login attempt: 3
error: PKCS11 function C_Login failed: rv = CKR_PIN_INCORRECT (0xa0)
Aborting.
Cryptoki version 3.0
Manufacturer     Kryoptic
Library          Kryoptic PKCS11 Module (ver 0.0)
Login attempt: 4
error: PKCS11 function C_Login failed: rv = CKR_PIN_INCORRECT (0xa0)
Aborting.
Cryptoki version 3.0
Manufacturer     Kryoptic
Library          Kryoptic PKCS11 Module (ver 0.0)
Login attempt: 5
error: PKCS11 function C_Login failed: rv = CKR_PIN_INCORRECT (0xa0)
Aborting.
Cryptoki version 3.0
Manufacturer     Kryoptic
Library          Kryoptic PKCS11 Module (ver 0.0)
Login attempt: 6
error: PKCS11 function C_Login failed: rv = CKR_PIN_INCORRECT (0xa0)
Aborting.
Cryptoki version 3.0
Manufacturer     Kryoptic
Library          Kryoptic PKCS11 Module (ver 0.0)
Login attempt: 7
error: PKCS11 function C_Login failed: rv = CKR_PIN_INCORRECT (0xa0)
Aborting.
Cryptoki version 3.0
Manufacturer     Kryoptic
Library          Kryoptic PKCS11 Module (ver 0.0)
Login attempt: 8
error: PKCS11 function C_Login failed: rv = CKR_PIN_INCORRECT (0xa0)
Aborting.
Cryptoki version 3.0
Manufacturer     Kryoptic
Library          Kryoptic PKCS11 Module (ver 0.0)
Login attempt: 9
error: PKCS11 function C_Login failed: rv = CKR_PIN_INCORRECT (0xa0)
Aborting.
Cryptoki version 3.0
Manufacturer     Kryoptic
Library          Kryoptic PKCS11 Module (ver 0.0)
  token flags        : login required, rng, token initialized, final user PIN try, PIN initialized
  token flags        : login required, rng, token initialized, final user PIN try, PIN initialized
Try op with bad pin and fail
 openssl 
pkeyutl -sign -inkey "${BADPINURI}"
    -in ${TMPPDIR}/sha256.bin
    -out ${TMPPDIR}/pinlock-sig.bin
Could not find private key from pkcs11:type=private;id=%00%01?pin-value=bad
pkeyutl: Error initializing context

Try op with good pin and fail
 openssl 
pkeyutl -sign -inkey "${GOODPINURI}"
    -in ${TMPPDIR}/sha256.bin
    -out ${TMPPDIR}/pinlock-sig.bin
Could not find private key from pkcs11:type=private;id=%00%01?pin-value=fo0m4nchU
pkeyutl: Error initializing context

Available slots:
Slot 0 (0x0): Kryoptic Slot
  token label        : Kryoptic Token
  token manufacturer : Kryoptic Project
  token model        : v1
  token flags        : login required, rng, token initialized, final user PIN try, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 
  pin min/max        : 8/0
  uri                : pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=;token=Kryoptic%20Token
Try op with good pin and succeed
 openssl 
pkeyutl -sign -inkey "${GOODPINURI}"
    -in ${TMPPDIR}/sha256.bin
    -out ${TMPPDIR}/pinlock-sig.bin

==============================================================================


Summary of Failures:

24/92 pkcs11-provider:softokn / ecdh           FAIL            0.08s   exit status 1
42/92 pkcs11-provider:softokn / hkdf           FAIL            0.08s   exit status 1
74/92 pkcs11-provider:softokn / tls            FAIL            1.67s   exit status 1
89/92 pkcs11-provider:softokn / cms            FAIL            0.15s   exit status 4

Ok:                 78  
Expected Fail:      0   
Fail:               4   
Unexpected Pass:    0   
Skipped:            10  
Timeout:            0