From 57255634813f4a54c3f149970938952585009b4f Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 27 Oct 2023 18:38:37 +0900
Subject: [PATCH] tests: Turn tests using SoftHSM into installed-tests

This makes the unit tests self-contained so all possible code paths
are exercised without optional packages installed.  The integration
tests against SoftHSM can still run after installation, through "make
installcheck" or running the scripts manually.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
 .github/actions/basic-meson/action.yaml       |   9 +
 Makefile.am                                   |   2 +
 .../{softhsm2.module => fourteen.module}      |   2 +-
 p11-kit/meson.build                           |   4 +-
 p11-kit/mock-module-ep12.c                    | 203 ++++++++++++++++++
 p11-kit/test-generate-keypair.sh              |  77 +++----
 p11-kit/test-import-public.sh                 |  79 ++-----
 p11-kit/test-lists.sh                         |  24 +++
 p11-kit/test-profiles.sh                      |  38 ++--
 p11-kit/test-softhsm2.sh                      | 180 ++++++++++++++++
 10 files changed, 481 insertions(+), 137 deletions(-)
 rename p11-kit/fixtures/package-modules/{softhsm2.module => fourteen.module} (62%)
 create mode 100644 p11-kit/mock-module-ep12.c
 create mode 100755 p11-kit/test-softhsm2.sh

diff --git a/.github/actions/basic-meson/action.yaml b/.github/actions/basic-meson/action.yaml
index 67519e99..2c300831 100644
--- a/.github/actions/basic-meson/action.yaml
+++ b/.github/actions/basic-meson/action.yaml
@@ -35,3 +35,12 @@ runs:
     - name: Install
       run: ninja -C $GITHUB_WORKSPACE/$BUILDDIR install
       shell: bash
+
+    - name: Post-install Test
+      run: |
+        for t in p11-kit/test-softhsm2.sh trust/test-extract.sh trust/test-trust.sh; do
+          abs_top_builddir=$GITHUB_WORKSPACE/$BUILDDIR abs_top_srcdir=$GITHUB_WORKSPACE P11_MODULE_PATH=$GITHUB_WORKSPACE/$BUILDDIR $t
+          ret=$?
+          test $ret -eq 0 || exit $ret
+        done
+      shell: bash
diff --git a/Makefile.am b/Makefile.am
index da5990b1..b48fee72 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -76,6 +76,8 @@ DISTCHECK_CONFIGURE_FLAGS = \
 AM_TESTS_ENVIRONMENT = \
 	abs_top_builddir="$(abs_top_builddir)"; \
 	export abs_top_builddir; \
+	abs_top_srcdir="$(abs_top_srcdir)"; \
+	export abs_top_srcdir; \
 	P11_MODULE_PATH="$(abs_top_builddir)/.libs"; \
 	export P11_MODULE_PATH;
 AM_TESTS_FD_REDIRECT = 9>&2;
diff --git a/p11-kit/fixtures/package-modules/softhsm2.module b/p11-kit/fixtures/package-modules/fourteen.module
similarity index 62%
rename from p11-kit/fixtures/package-modules/softhsm2.module
rename to p11-kit/fixtures/package-modules/fourteen.module
index d64528c8..e3fd1d4b 100644
--- a/p11-kit/fixtures/package-modules/softhsm2.module
+++ b/p11-kit/fixtures/package-modules/fourteen.module
@@ -1,4 +1,4 @@
 
-module: libsofthsm2.so
+module: mock-fourteen.so
 managed: yes
 enable-in: p11-kit-testable
diff --git a/p11-kit/meson.build b/p11-kit/meson.build
index 70583f14..4144d3b1 100644
--- a/p11-kit/meson.build
+++ b/p11-kit/meson.build
@@ -386,6 +386,7 @@ if get_option('test')
 
   p11_kit_tests_env = environment()
   p11_kit_tests_env.set('abs_top_builddir', top_build_dir)
+  p11_kit_tests_env.set('abs_top_srcdir', top_source_dir)
   p11_kit_tests_env.set('P11_MODULE_PATH', meson.current_build_dir())
 
   if host_system != 'windows'
@@ -447,7 +448,8 @@ if get_option('test')
                    'mock-ten': ['mock-module-ep8.c'],
                    'mock-eleven': ['mock-module-ep9.c'],
                    'mock-twelve': ['mock-module-ep10.c'],
-                   'mock-thirteen': ['mock-module-ep11.c']
+                   'mock-thirteen': ['mock-module-ep11.c'],
+                   'mock-fourteen': ['mock-module-ep12.c']
                  }
 
   if host_system != 'windows'
diff --git a/p11-kit/mock-module-ep12.c b/p11-kit/mock-module-ep12.c
new file mode 100644
index 00000000..ea5dafb8
--- /dev/null
+++ b/p11-kit/mock-module-ep12.c
@@ -0,0 +1,203 @@
+/*
+ * Copyright (c) 2023, Red Hat Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *     * Redistributions of source code must retain the above
+ *       copyright notice, this list of conditions and the
+ *       following disclaimer.
+ *     * Redistributions in binary form must reproduce the
+ *       above copyright notice, this list of conditions and
+ *       the following disclaimer in the documentation and/or
+ *       other materials provided with the distribution.
+ *     * The names of contributors to this software may not be
+ *       used to endorse or promote products derived from this
+ *       software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Zoltan Fridrich <zfridric@redhat.com>, Daiki Ueno
+ */
+
+#include "config.h"
+
+#define CRYPTOKI_EXPORTS 1
+#include "pkcs11.h"
+
+#include "attrs.h"
+#include "debug.h"
+#include "mock.h"
+
+#ifdef WITH_ASN1
+#include "persist.h"
+#endif
+
+#include <stdio.h>
+#include <string.h>
+
+static const CK_TOKEN_INFO MOCK_TOKEN_INFO = {
+	"PERSIST LABEL ONE               ",
+	"PERSIST MANUFACTURER            ",
+	"PERSIST MODEL   ",
+	"PERSIST SERIAL  ",
+	CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_CLOCK_ON_TOKEN | CKF_TOKEN_INITIALIZED,
+	1,
+	2,
+	3,
+	4,
+	5,
+	6,
+	7,
+	8,
+	9,
+	10,
+	{ 75, 175 },
+	{ 85, 185 },
+	{ '1', '9', '9', '9', '0', '5', '2', '5', '0', '9', '1', '9', '5', '9', '0', '0' }
+};
+
+static CK_RV
+override_C_GetTokenInfo (CK_SLOT_ID slot_id,
+			 CK_TOKEN_INFO_PTR info)
+{
+	return_val_if_fail (info != NULL, CKR_ARGUMENTS_BAD);
+
+	switch (slot_id) {
+	case MOCK_SLOT_ONE_ID:
+		memcpy (info, &MOCK_TOKEN_INFO, sizeof (*info));
+		return CKR_OK;
+	case MOCK_SLOT_TWO_ID:
+		return CKR_TOKEN_NOT_PRESENT;
+	default:
+		return CKR_SLOT_ID_INVALID;
+	}
+}
+
+#ifdef WITH_ASN1
+static CK_RV
+override_C_Initialize (CK_VOID_PTR init_args)
+{
+	bool ok;
+	size_t i, size = 0;
+	void *data = NULL;
+	const char *filename = "test-persist.p11-kit";
+	p11_mmap *map = NULL;
+	p11_persist *persist = NULL;
+	p11_array *objects = NULL;
+	CK_ATTRIBUTE *attrs = NULL;
+	CK_RV rv;
+
+	map = p11_mmap_open (filename, NULL, &data, &size);
+	if (map == NULL)
+		return mock_C_Initialize (init_args);
+
+	ok = p11_persist_magic (data, size);
+	return_val_if_fail (ok, CKR_GENERAL_ERROR);
+
+	persist = p11_persist_new ();
+	return_val_if_fail (persist != NULL, CKR_HOST_MEMORY);
+
+	objects = p11_array_new (NULL);
+	return_val_if_fail (objects != NULL, CKR_HOST_MEMORY);
+
+	ok = p11_persist_read (persist, filename, (const unsigned char *)data, size, objects);
+	return_val_if_fail (ok, CKR_GENERAL_ERROR);
+
+	rv = mock_C_Initialize (init_args);
+	for (i = 0; i < objects->num; ++i) {
+		attrs = p11_attrs_build (objects->elem[i], NULL);
+		mock_module_add_object (MOCK_SLOT_ONE_ID, attrs);
+		p11_attrs_free (attrs);
+	}
+
+	p11_array_free (objects);
+	p11_persist_free (persist);
+	p11_mmap_close (map);
+	return rv;
+}
+
+struct WriteData {
+	p11_persist *persist;
+	p11_buffer buf;
+};
+
+static bool
+persist_enumerator (CK_OBJECT_HANDLE handle,
+		   CK_ATTRIBUTE *attrs,
+		   void *user_data)
+{
+	struct WriteData *data = user_data;
+
+	p11_persist_write (data->persist, attrs, &data->buf);
+
+	return true;
+}
+
+static CK_RV
+override_C_Finalize (CK_VOID_PTR reserved)
+{
+	bool ok;
+	FILE *f = NULL;
+	const char *filename = "test-persist.p11-kit";
+	CK_SESSION_HANDLE session = 0;
+	struct WriteData data;
+	CK_RV rv;
+
+	ok = p11_buffer_init (&data.buf, 0);
+	return_val_if_fail (ok, CKR_HOST_MEMORY);
+
+	data.persist = p11_persist_new ();
+	return_val_if_fail (data.persist != NULL, CKR_HOST_MEMORY);
+
+	rv = mock_C_OpenSession (MOCK_SLOT_ONE_ID, CKF_SERIAL_SESSION, NULL, NULL, &session);
+	return_val_if_fail (rv == CKR_OK, CKR_GENERAL_ERROR);
+
+	mock_module_enumerate_objects (session,
+				       persist_enumerator,
+				       &data);
+
+	rv = mock_C_CloseSession (session);
+	return_val_if_fail (rv == CKR_OK, CKR_GENERAL_ERROR);
+
+	f = fopen (filename, "wb");
+	return_val_if_fail (f != NULL, CKR_HOST_MEMORY);
+	fwrite (data.buf.data, 1, data.buf.len, f);
+	fclose (f);
+
+	p11_persist_free (data.persist);
+	p11_buffer_uninit (&data.buf);
+	return mock_C_Finalize (reserved);
+}
+#endif /* WITH_ASN1 */
+
+#ifdef OS_WIN32
+__declspec(dllexport)
+#endif
+CK_RV
+C_GetFunctionList (CK_FUNCTION_LIST_PTR_PTR list)
+{
+	mock_module_init ();
+#ifdef WITH_ASN1
+	mock_module.C_Initialize = override_C_Initialize;
+	mock_module.C_Finalize = override_C_Finalize;
+#endif
+	mock_module.C_GetFunctionList = C_GetFunctionList;
+	mock_module.C_GetTokenInfo = override_C_GetTokenInfo;
+	if (list == NULL)
+		return CKR_ARGUMENTS_BAD;
+	*list = &mock_module;
+	return CKR_OK;
+}
diff --git a/p11-kit/test-generate-keypair.sh b/p11-kit/test-generate-keypair.sh
index fcc56067..8371dfce 100755
--- a/p11-kit/test-generate-keypair.sh
+++ b/p11-kit/test-generate-keypair.sh
@@ -10,83 +10,60 @@ test "${abs_top_builddir+set}" = set || {
 : ${P11_MODULE_PATH="$abs_top_builddir"/.libs}
 
 setup() {
-	testdir=$PWD/test-objects-$$
+	testdir=$PWD/test-genkey-$$
 	test -d "$testdir" || mkdir "$testdir"
 	cd "$testdir"
-	mkdir tokens
-	cat > softhsm2.conf <<EOF
-directories.tokendir = $PWD/tokens/
-EOF
-	export SOFTHSM2_CONF=$PWD/softhsm2.conf
-
-	: ${SOFTHSM2_UTIL=softhsm2-util}
-	if ! "$SOFTHSM2_UTIL" --version >/dev/null; then
-		skip "softhsm2-util not found"
-		return
-	fi
-	softhsm2-util --init-token --free --label test-genkey --so-pin 12345 --pin 12345
-
-	: ${PKG_CONFIG=pkg-config}
-	if ! "$PKG_CONFIG" p11-kit-1 --exists; then
-		skip "pkgconfig(p11-kit-1) not found"
-		return
-	fi
-
-	module_path=$("$PKG_CONFIG" p11-kit-1 --variable=p11_module_path)
-	if ! test -e "$module_path/libsofthsm2.so"; then
-		skip "unable to resolve libsofthsm2.so"
-		return
-	fi
-
-	ln -sf "$module_path"/libsofthsm2.so "$P11_MODULE_PATH"
 }
 
 teardown() {
-	unset SOFTHSM2_CONF
 	rm -rf "$testdir"
 }
 
+test_generate_keypair_mock() {
+	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label=mock --type=mock "pkcs11:token=PUBKEY%20LABEL?pin-value=booo"; then
+		assert_fail "unable to run p11-kit generate-keypair"
+	fi
+}
+
 test_generate_keypair_rsa() {
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label=rsa --type=rsa --bits=2048 "pkcs11:token=test-genkey?pin-value=12345"; then
-		assert_fail "unable to run: p11-kit generate-keypair"
+	if "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label=rsa --type=rsa --bits=2048 "pkcs11:token=PUBKEY%20LABEL?pin-value=booo" 2> err.out; then
+		assert_fail "expected to fail: p11-kit generate-keypair"
+	fi
+	assert_contains err.out "key-pair generation failed: The crypto mechanism is invalid or unrecognized"
+
+	if "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label=rsa --type=rsa "pkcs11:token=PUBKEY%20LABEL?pin-value=booo" 2> err.out; then
+		assert_fail "expected to fail: p11-kit generate-keypair"
 	fi
+	assert_contains err.out "no bits specified"
 }
 
 test_generate_keypair_ecdsa() {
 	for curve in secp256r1 secp384r1 secp521r1; do
-		if ! "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label="ecdsa-$curve" --type=ecdsa --curve="$curve" "pkcs11:token=test-genkey?pin-value=12345"; then
-			assert_fail "unable to run: p11-kit generate-keypair"
+		if "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label="ecdsa-$curve" --type=ecdsa --curve="$curve" "pkcs11:token=PUBKEY%20LABEL?pin-value=booo" 2> err.out; then
+			assert_fail "expected to fail: p11-kit generate-keypair"
 		fi
 	done
+	assert_contains err.out "key-pair generation failed: The crypto mechanism is invalid or unrecognized"
 
-	if "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label="ecdsa-unknown" --type=ecdsa --curve=unknown "pkcs11:token=test-genkey?pin-value=12345"; then
+	if "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label="ecdsa-unknown" --type=ecdsa --curve=unknown "pkcs11:token=PUBKEY%20LABEL?pin-value=booo" 2> err.out; then
 		assert_fail "p11-kit generate-keypair succeeded for unknown ecdsa curve"
 	fi
+	assert_contains err.out "unknown curve name: unknown"
 }
 
 test_generate_keypair_eddsa() {
-	curves=
-	mech=$("$abs_top_builddir"/p11-kit/p11-kit-testable list-mechanisms "pkcs11:token=test-genkey" | sed -n '/CKM_EDDSA/p')
-	if test -z "$mech"; then
-		skip "no support for EdDSA"
-		return
-	fi
-	if expr "$mech" : ".*key-size=256-" > /dev/null; then
-		curve="$curve ed25519"
-	fi
-	if expr "$mech" : ".*key-size=.*-456" > /dev/null; then
-		curve="$curve ed448"
-	fi
-	for curve in $curves; do
-		if ! "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label="eddsa-$curve" --type=eddsa --curve="$curve" "pkcs11:token=test-genkey?pin-value=12345"; then
+	for curve in ed25519 ed448; do
+		if "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label="eddsa-$curve" --type=eddsa --curve="$curve" "pkcs11:token=PUBKEY%20LABEL?pin-value=booo" 2> err.out; then
 			assert_fail "unable to run: p11-kit generate-keypair"
 		fi
 	done
+	assert_contains err.out "key-pair generation failed: The crypto mechanism is invalid or unrecognized"
 
-	if "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label="eddsa-unknown" --type=eddsa --curve=unknown "pkcs11:token=test-genkey?pin-value=12345"; then
+	if "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label="eddsa-unknown" --type=eddsa --curve=unknown "pkcs11:token=PUBKEY%20LABEL?pin-value=booo"; then
 		assert_fail "p11-kit generate-keypair succeeded for unknown eddsa curve"
 	fi
+	assert_contains err.out "unknown curve name: unknown"
 }
 
-run test_generate_keypair_rsa test_generate_keypair_ecdsa \
-    test_generate_keypair_ecdsa
+run test_generate_keypair_mock test_generate_keypair_rsa \
+    test_generate_keypair_ecdsa test_generate_keypair_ecdsa
diff --git a/p11-kit/test-import-public.sh b/p11-kit/test-import-public.sh
index 604f4316..1972a8ba 100755
--- a/p11-kit/test-import-public.sh
+++ b/p11-kit/test-import-public.sh
@@ -5,87 +5,34 @@ test "${abs_top_builddir+set}" = set || {
 	exit 1
 }
 
-. "$abs_top_builddir/common/test-init.sh"
+test "${abs_top_srcdir+set}" = set || {
+	echo "set abs_top_srcdir" 1>&2
+	exit 1
+}
 
-: ${P11_MODULE_PATH="$abs_top_builddir"/.libs}
+. "$abs_top_builddir/common/test-init.sh"
 
 setup() {
-	testdir=$PWD/test-objects-$$
+	testdir=$PWD/test-import-$$
 	test -d "$testdir" || mkdir "$testdir"
 	cd "$testdir"
-	mkdir tokens
-	cat > softhsm2.conf <<EOF
-directories.tokendir = $PWD/tokens/
-EOF
-	export SOFTHSM2_CONF=$PWD/softhsm2.conf
-
-	: ${SOFTHSM2_UTIL=softhsm2-util}
-	if ! "$SOFTHSM2_UTIL" --version >/dev/null; then
-		skip "softhsm2-util not found"
-		return
-	fi
-	softhsm2-util --init-token --free --label test-import-key --so-pin 12345 --pin 12345
-
-	: ${PKG_CONFIG=pkg-config}
-	if ! "$PKG_CONFIG" p11-kit-1 --exists; then
-		skip "pkgconfig(p11-kit-1) not found"
-		return
-	fi
-
-	module_path=$("$PKG_CONFIG" p11-kit-1 --variable=p11_module_path)
-	if ! test -e "$module_path/libsofthsm2.so"; then
-		skip "unable to resolve libsofthsm2.so"
-		return
-	fi
-
-	ln -sf "$module_path"/libsofthsm2.so "$P11_MODULE_PATH"
 }
 
 teardown() {
-	unset SOFTHSM2_CONF
 	rm -rf "$testdir"
 }
 
 test_import_cert() {
-	# Taken from: trust/fixtures/thawte.pem
-	cat > export.exp <<EOF
------BEGIN CERTIFICATE-----
-MIIEKjCCAxKgAwIBAgIQYAGXt0an6rS0mtZLL/eQ+zANBgkqhkiG9w0BAQsFADCB
-rjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
-Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
-MDggdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxJDAiBgNV
-BAMTG3RoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EgLSBHMzAeFw0wODA0MDIwMDAwMDBa
-Fw0zNzEyMDEyMzU5NTlaMIGuMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3Rl
-LCBJbmMuMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9u
-MTgwNgYDVQQLEy8oYykgMjAwOCB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXpl
-ZCB1c2Ugb25seTEkMCIGA1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEcz
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsr8nLPvb2FvdeHsbnndm
-gcs+vHyu86YnmjSjaDFxODNi5PNxZnmxqWWjpYvVj2AtP0LMqmsywCPLLEHd5N/8
-YZzic7IilRFDGF/Eth9XbAoFWCLINkw6fKXRz4aviKdEAhN0cXMKQlkC+BsUa0Lf
-b1+6a4KinVvnSr0eAXLbS3ToO39/fR8EtCab4LRarEc9VbjXsCZSKAExQGbY2SS9
-9irY7CFJXJv2eul/VTV+lmuNk5Mny5K76qxAwJ/C+IDPXfRa3M50hqY+bAtTyr2S
-zhkGcuYMXDhpxwTWvGzOW/b3aJzcJRVIiKHpqfiYnODz1TEoYRFsZ5aNOZnLwkUk
-OQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
-HQ4EFgQUrWyqlGCc7eT/+j4KdCtjA/e2Wb8wDQYJKoZIhvcNAQELBQADggEBABpA
-2JVlrAmSicY59BDlqQ5mU1143vokkbvnRFHfxhY0Cu9qRFHqKweKA3rD6z8KLFIW
-oCtDuSWQP3CpMyVtRRooOyfPqsMpQhvfO0zAMzRbQYi/aytlryjvsvXDqmbOe1bu
-t8jLZ8HJnBoYuMTDSQPxYA5QzUbF83d597YV4Djbxy8ooAw/dyZ02SUS2jHaGh7c
-KUGRIjxpp7sC8rZcJwOJ9Abqm+RyguOhCcHpABnTPtRwa7pxpqpYrvS76Wy274fM
-m7v/OeZWYdMKp8RcTGB7BXcmer/YB1IsYvdwY9k5vG8cwnncdimvzsUsZAReiDZu
-MdRAGmI0Nj81Aa6sY6A=
------END CERTIFICATE-----
-EOF
-
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable import-object -q --login --file="export.exp" --label=cert "pkcs11:token=test-import-key?pin-value=12345"; then
+	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable import-object -q --login --file="$abs_top_srcdir"/trust/fixtures/cacert3.pem --label=cert "pkcs11:token=PERSIST%20LABEL%20ONE?pin-value=booo"; then
 		assert_fail "unable to run: p11-kit import-object"
 	fi
 
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable export-object -q --login "pkcs11:token=test-import-key;object=cert?pin-value=12345" > export.out; then
+	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable export-object -q --login "pkcs11:token=PERSIST%20LABEL%20ONE;object=cert?pin-value=booo" > export.out; then
 		assert_fail "unable to run: p11-kit export-object"
 	fi
 
 	: ${DIFF=diff}
-	if ! ${DIFF} export.exp export.out > export.diff; then
+	if ! ${DIFF} "$abs_top_srcdir"/trust/fixtures/cacert3.pem export.out > export.diff; then
 		sed 's/^/# /' export.diff
 		assert_fail "output contains incorrect result"
 	fi
@@ -107,11 +54,11 @@ fQIDAQAB
 -----END PUBLIC KEY-----
 EOF
 
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable import-object -q --login --file="export.exp" --label=rsa "pkcs11:token=test-import-key?pin-value=12345"; then
+	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable import-object -q --login --file="export.exp" --label=rsa "pkcs11:token=PERSIST%20LABEL%20ONE?pin-value=booo"; then
 		assert_fail "unable to run: p11-kit import-object"
 	fi
 
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable export-object -q --login "pkcs11:token=test-import-key;object=rsa?pin-value=12345" > export.out; then
+	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable export-object -q --login "pkcs11:token=PERSIST%20LABEL%20ONE;object=rsa?pin-value=booo" > export.out; then
 		assert_fail "unable to run: p11-kit export-object"
 	fi
 
@@ -133,11 +80,11 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsaTJt0debXaW7Hpcrpn7X07SsTk9
 -----END PUBLIC KEY-----
 EOF
 
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable import-object -q --login --file="export.exp" --label=ec "pkcs11:token=test-import-key?pin-value=12345"; then
+	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable import-object -q --login --file="export.exp" --label=ec "pkcs11:token=PERSIST%20LABEL%20ONE?pin-value=booo"; then
 		assert_fail "unable to run: p11-kit import-object"
 	fi
 
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable export-object -q --login "pkcs11:token=test-import-key;object=ec?pin-value=12345" > export.out; then
+	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable export-object -q --login "pkcs11:token=PERSIST%20LABEL%20ONE;object=ec?pin-value=booo" > export.out; then
 		assert_fail "unable to run: p11-kit export-object"
 	fi
 
diff --git a/p11-kit/test-lists.sh b/p11-kit/test-lists.sh
index ae2d30cc..25789e06 100755
--- a/p11-kit/test-lists.sh
+++ b/p11-kit/test-lists.sh
@@ -20,6 +20,7 @@ teardown() {
 test_list_modules() {
 	cat > list.exp <<EOF
 module: four
+    path: /home/ueno/devel/p11-kit/_build/p11-kit/mock-four.so
     uri: pkcs11:library-description=MOCK%20LIBRARY;library-manufacturer=MOCK%20MANUFACTURER
     library-description: MOCK LIBRARY
     library-manufacturer: MOCK MANUFACTURER
@@ -37,6 +38,7 @@ module: four
               clock-on-token
               token-initialized
 module: eleven
+    path: /home/ueno/devel/p11-kit/_build/p11-kit/mock-eleven.so
     uri: pkcs11:library-description=MOCK%20LIBRARY;library-manufacturer=MOCK%20MANUFACTURER
     library-description: MOCK LIBRARY
     library-manufacturer: MOCK MANUFACTURER
@@ -53,7 +55,26 @@ module: eleven
               user-pin-initialized
               clock-on-token
               token-initialized
+module: fourteen
+    path: /home/ueno/devel/p11-kit/_build/p11-kit/mock-fourteen.so
+    uri: pkcs11:library-description=MOCK%20LIBRARY;library-manufacturer=MOCK%20MANUFACTURER
+    library-description: MOCK LIBRARY
+    library-manufacturer: MOCK MANUFACTURER
+    library-version: 45.145
+    token: PERSIST LABEL ONE
+        uri: pkcs11:model=PERSIST%20MODEL;manufacturer=PERSIST%20MANUFACTURER;serial=PERSIST%20SERIAL;token=PERSIST%20LABEL%20ONE
+        manufacturer: PERSIST MANUFACTURER
+        model: PERSIST MODEL
+        serial-number: PERSIST SERIAL
+        hardware-version: 75.175
+        firmware-version: 85.185
+        flags:
+              login-required
+              user-pin-initialized
+              clock-on-token
+              token-initialized
 module: one
+    path: /home/ueno/devel/p11-kit/_build/p11-kit/mock-one.so
     uri: pkcs11:library-description=MOCK%20LIBRARY;library-manufacturer=MOCK%20MANUFACTURER
     library-description: MOCK LIBRARY
     library-manufacturer: MOCK MANUFACTURER
@@ -71,6 +92,7 @@ module: one
               clock-on-token
               token-initialized
 module: thirteen
+    path: /home/ueno/devel/p11-kit/_build/p11-kit/mock-thirteen.so
     uri: pkcs11:library-description=MOCK%20LIBRARY;library-manufacturer=MOCK%20MANUFACTURER
     library-description: MOCK LIBRARY
     library-manufacturer: MOCK MANUFACTURER
@@ -88,6 +110,7 @@ module: thirteen
               clock-on-token
               token-initialized
 module: twelve
+    path: /home/ueno/devel/p11-kit/_build/p11-kit/mock-twelve.so
     uri: pkcs11:library-description=MOCK%20LIBRARY;library-manufacturer=MOCK%20MANUFACTURER
     library-description: MOCK LIBRARY
     library-manufacturer: MOCK MANUFACTURER
@@ -105,6 +128,7 @@ module: twelve
               clock-on-token
               token-initialized
 module: two-duplicate
+    path: /home/ueno/devel/p11-kit/_build/p11-kit/mock-two.so
     uri: pkcs11:library-description=MOCK%20LIBRARY;library-manufacturer=MOCK%20MANUFACTURER
     library-description: MOCK LIBRARY
     library-manufacturer: MOCK MANUFACTURER
diff --git a/p11-kit/test-profiles.sh b/p11-kit/test-profiles.sh
index 9c3f170d..345ae688 100755
--- a/p11-kit/test-profiles.sh
+++ b/p11-kit/test-profiles.sh
@@ -53,7 +53,7 @@ public-certificates-token
 vendor-defined
 EOF
 
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable list-profiles -q "pkcs11:token=PROFILE%20LABEL%20ONE" > list.out; then
+	if ! p11-kit list-profiles -q "pkcs11:token=PROFILE%20LABEL%20ONE" > list.out; then
 		assert_fail "unable to run: p11-kit list-profiles"
 	fi
 
@@ -76,7 +76,7 @@ EOF
 baseline-provider
 EOF
 
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable list-profiles -q "pkcs11:token=PROFILE%20LABEL%20ONE" > list.out; then
+	if ! p11-kit list-profiles -q "pkcs11:token=PROFILE%20LABEL%20ONE" > list.out; then
 		assert_fail "unable to run: p11-kit list-profiles"
 	fi
 
@@ -91,7 +91,7 @@ test_list_profiles_empty() {
 	cat > list.exp <<EOF
 EOF
 
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable list-profiles -q "pkcs11:token=PROFILE%20LABEL%20ONE" > list.out; then
+	if ! p11-kit list-profiles -q "pkcs11:token=PROFILE%20LABEL%20ONE" > list.out; then
 		assert_fail "unable to run: p11-kit list-profiles"
 	fi
 
@@ -106,7 +106,7 @@ test_list_profiles_nonexistent_token() {
 	cat > list.exp <<EOF
 EOF
 
-	if "$abs_top_builddir"/p11-kit/p11-kit-testable list-profiles "pkcs11:token=NONEXISTENT" > list.out 2> err.out; then
+	if p11-kit list-profiles "pkcs11:token=NONEXISTENT" > list.out 2> err.out; then
 		assert_fail "expected to fail: p11-kit list-profiles"
 	fi
 
@@ -137,7 +137,7 @@ profile-id: public-certificates-token
 
 EOF
 
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable add-profile -q --profile="public-certificates-token" "pkcs11:token=PROFILE%20LABEL%20ONE"; then
+	if ! p11-kit add-profile -q --profile="public-certificates-token" "pkcs11:token=PROFILE%20LABEL%20ONE"; then
 		assert_fail "unable to run: p11-kit add-profile"
 	fi
 
@@ -156,7 +156,7 @@ profile-id: public-certificates-token
 
 EOF
 
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable add-profile -q --profile="public-certificates-token" "pkcs11:token=PROFILE%20LABEL%20ONE"; then
+	if ! p11-kit add-profile -q --profile="public-certificates-token" "pkcs11:token=PROFILE%20LABEL%20ONE"; then
 		assert_fail "unable to run: p11-kit add-profile"
 	fi
 
@@ -182,7 +182,7 @@ profile-id: extended-provider
 
 EOF
 
-	if "$abs_top_builddir"/p11-kit/p11-kit-testable add-profile -q --profile="extended-provider" "pkcs11:token=PROFILE%20LABEL%20ONE"; then
+	if p11-kit add-profile -q --profile="extended-provider" "pkcs11:token=PROFILE%20LABEL%20ONE"; then
 		assert_fail "expected to fail: p11-kit add-profile"
 	fi
 
@@ -212,7 +212,7 @@ profile-id: extended-provider
 
 EOF
 
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable add-profile -q --profile="extended-provider" "pkcs11:token=PROFILE%20LABEL%20ONE"; then
+	if ! p11-kit add-profile -q --profile="extended-provider" "pkcs11:token=PROFILE%20LABEL%20ONE"; then
 		assert_fail "unable to run: p11-kit add-profile"
 	fi
 
@@ -227,7 +227,7 @@ test_add_profile_nonexistent_token() {
 	cat > list.exp <<EOF
 EOF
 
-	if "$abs_top_builddir"/p11-kit/p11-kit-testable add-profile --profile=baseline-provider "pkcs11:token=NONEXISTENT" > list.out 2> err.out; then
+	if p11-kit add-profile --profile=baseline-provider "pkcs11:token=NONEXISTENT" > list.out 2> err.out; then
 		assert_fail "expected to fail: p11-kit add-profile"
 	fi
 
@@ -243,7 +243,7 @@ test_add_profile_no_args() {
 	cat > list.exp <<EOF
 EOF
 
-	if "$abs_top_builddir"/p11-kit/p11-kit-testable add-profile "pkcs11:token=pkcs11:token=PROFILE%20LABEL%20ONE" > list.out 2> err.out; then
+	if p11-kit add-profile "pkcs11:token=pkcs11:token=PROFILE%20LABEL%20ONE" > list.out 2> err.out; then
 		assert_fail "expected to fail: p11-kit add-profile"
 	fi
 
@@ -259,7 +259,7 @@ test_add_profile_duplicate_args() {
 	cat > list.exp <<EOF
 EOF
 
-	if "$abs_top_builddir"/p11-kit/p11-kit-testable add-profile --profile="baseline-provider" --profile="extended-provider" "pkcs11:token=pkcs11:token=PROFILE%20LABEL%20ONE" > list.out 2> err.out; then
+	if p11-kit add-profile --profile="baseline-provider" --profile="extended-provider" "pkcs11:token=pkcs11:token=PROFILE%20LABEL%20ONE" > list.out 2> err.out; then
 		assert_fail "expected to fail: p11-kit add-profile"
 	fi
 
@@ -291,7 +291,7 @@ profile-id: extended-provider
 
 EOF
 
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable delete-profile -q --profile="baseline-provider" "pkcs11:token=PROFILE%20LABEL%20ONE"; then
+	if ! p11-kit delete-profile -q --profile="baseline-provider" "pkcs11:token=PROFILE%20LABEL%20ONE"; then
 		assert_fail "unable to run: p11-kit delete-profile"
 	fi
 
@@ -313,7 +313,7 @@ EOF
 	cat > list.exp <<EOF
 EOF
 
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable delete-profile -q --profile="extended-provider" "pkcs11:token=PROFILE%20LABEL%20ONE"; then
+	if ! p11-kit delete-profile -q --profile="extended-provider" "pkcs11:token=PROFILE%20LABEL%20ONE"; then
 		assert_fail "unable to run: p11-kit delete-profile"
 	fi
 
@@ -328,7 +328,7 @@ test_delete_profile_empty() {
 	cat > list.exp <<EOF
 EOF
 
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable delete-profile -q --profile="extended-provider" "pkcs11:token=PROFILE%20LABEL%20ONE"; then
+	if ! p11-kit delete-profile -q --profile="extended-provider" "pkcs11:token=PROFILE%20LABEL%20ONE"; then
 		assert_fail "unable to run: p11-kit delete-profile"
 	fi
 
@@ -384,7 +384,7 @@ profile-id: baseline-provider
 
 EOF
 
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable delete-profile -q --profile="extended-provider" "pkcs11:token=PROFILE%20LABEL%20ONE"; then
+	if ! p11-kit delete-profile -q --profile="extended-provider" "pkcs11:token=PROFILE%20LABEL%20ONE"; then
 		assert_fail "unable to run: p11-kit delete-profile"
 	fi
 
@@ -406,7 +406,7 @@ EOF
 	cat > list.exp <<EOF
 EOF
 
-	if ! "$abs_top_builddir"/p11-kit/p11-kit-testable delete-profile -q --profile="extended-provider" "pkcs11:token=PROFILE%20LABEL%20ONE"; then
+	if ! p11-kit delete-profile -q --profile="extended-provider" "pkcs11:token=PROFILE%20LABEL%20ONE"; then
 		assert_fail "unable to run: p11-kit delete-profile"
 	fi
 
@@ -421,7 +421,7 @@ test_delete_profile_nonexistent_token() {
 	cat > list.exp <<EOF
 EOF
 
-	if "$abs_top_builddir"/p11-kit/p11-kit-testable delete-profile --profile="baseline-provider" "pkcs11:token=NONEXISTENT" > list.out 2> err.out; then
+	if p11-kit delete-profile --profile="baseline-provider" "pkcs11:token=NONEXISTENT" > list.out 2> err.out; then
 		assert_fail "expected to fail: p11-kit delete-profile"
 	fi
 
@@ -437,7 +437,7 @@ test_delete_profile_no_args() {
 	cat > list.exp <<EOF
 EOF
 
-	if "$abs_top_builddir"/p11-kit/p11-kit-testable delete-profile "pkcs11:token=pkcs11:token=PROFILE%20LABEL%20ONE" > list.out 2> err.out; then
+	if p11-kit delete-profile "pkcs11:token=pkcs11:token=PROFILE%20LABEL%20ONE" > list.out 2> err.out; then
 		assert_fail "expected to fail: p11-kit delete-profile"
 	fi
 
@@ -453,7 +453,7 @@ test_delete_profile_duplicate_args() {
 	cat > list.exp <<EOF
 EOF
 
-	if "$abs_top_builddir"/p11-kit/p11-kit-testable delete-profile --profile="baseline-provider" --profile="extended-provider" "pkcs11:token=pkcs11:token=PROFILE%20LABEL%20ONE" > list.out 2> err.out; then
+	if p11-kit delete-profile --profile="baseline-provider" --profile="extended-provider" "pkcs11:token=pkcs11:token=PROFILE%20LABEL%20ONE" > list.out 2> err.out; then
 		assert_fail "expected to fail: p11-kit delete-profile"
 	fi
 
diff --git a/p11-kit/test-softhsm2.sh b/p11-kit/test-softhsm2.sh
new file mode 100755
index 00000000..b052e15e
--- /dev/null
+++ b/p11-kit/test-softhsm2.sh
@@ -0,0 +1,180 @@
+#!/bin/sh
+
+test "${abs_top_builddir+set}" = set || {
+	echo "set abs_top_builddir" 1>&2
+	exit 1
+}
+
+. "$abs_top_builddir/common/test-init.sh"
+
+setup() {
+	testdir=$PWD/test-objects-$$
+	test -d "$testdir" || mkdir "$testdir"
+	cd "$testdir"
+	mkdir tokens
+	cat > softhsm2.conf <<EOF
+directories.tokendir = $PWD/tokens/
+EOF
+	export SOFTHSM2_CONF=$PWD/softhsm2.conf
+
+	: ${SOFTHSM2_UTIL=softhsm2-util}
+	if ! "$SOFTHSM2_UTIL" --version >/dev/null; then
+		skip "softhsm2-util not found"
+		return
+	fi
+	softhsm2-util --init-token --free --label test-genkey --so-pin 12345 --pin 12345
+	softhsm2-util --init-token --free --label test-import-key --so-pin 12345 --pin 12345
+}
+
+teardown() {
+	unset SOFTHSM2_CONF
+	rm -rf "$testdir"
+}
+
+test_generate_keypair_rsa() {
+	if ! p11-kit generate-keypair --login --label=rsa --type=rsa --bits=2048 "pkcs11:token=test-genkey?pin-value=12345"; then
+		assert_fail "unable to run: p11-kit generate-keypair"
+	fi
+}
+
+test_generate_keypair_ecdsa() {
+	for curve in secp256r1 secp384r1 secp521r1; do
+		if ! p11-kit generate-keypair --login --label="ecdsa-$curve" --type=ecdsa --curve="$curve" "pkcs11:token=test-genkey?pin-value=12345"; then
+			assert_fail "unable to run: p11-kit generate-keypair"
+		fi
+	done
+
+	if p11-kit generate-keypair --login --label="ecdsa-unknown" --type=ecdsa --curve=unknown "pkcs11:token=test-genkey?pin-value=12345"; then
+		assert_fail "p11-kit generate-keypair succeeded for unknown ecdsa curve"
+	fi
+}
+
+test_generate_keypair_eddsa() {
+	curves=
+	mech=$(p11-kit list-mechanisms "pkcs11:token=test-genkey" | sed -n '/CKM_EDDSA/p')
+	if test -z "$mech"; then
+		skip "no support for EdDSA"
+		return
+	fi
+	if expr "$mech" : ".*key-size=256-" > /dev/null; then
+		curve="$curve ed25519"
+	fi
+	if expr "$mech" : ".*key-size=.*-456" > /dev/null; then
+		curve="$curve ed448"
+	fi
+	for curve in $curves; do
+		if ! p11-kit generate-keypair --login --label="eddsa-$curve" --type=eddsa --curve="$curve" "pkcs11:token=test-genkey?pin-value=12345"; then
+			assert_fail "unable to run: p11-kit generate-keypair"
+		fi
+	done
+
+	if p11-kit generate-keypair --login --label="eddsa-unknown" --type=eddsa --curve=unknown "pkcs11:token=test-genkey?pin-value=12345"; then
+		assert_fail "p11-kit generate-keypair succeeded for unknown eddsa curve"
+	fi
+}
+
+test_import_cert() {
+	# Taken from: trust/fixtures/thawte.pem
+	cat > export.exp <<EOF
+-----BEGIN CERTIFICATE-----
+MIIEKjCCAxKgAwIBAgIQYAGXt0an6rS0mtZLL/eQ+zANBgkqhkiG9w0BAQsFADCB
+rjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
+Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
+MDggdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxJDAiBgNV
+BAMTG3RoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EgLSBHMzAeFw0wODA0MDIwMDAwMDBa
+Fw0zNzEyMDEyMzU5NTlaMIGuMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3Rl
+LCBJbmMuMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9u
+MTgwNgYDVQQLEy8oYykgMjAwOCB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXpl
+ZCB1c2Ugb25seTEkMCIGA1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEcz
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsr8nLPvb2FvdeHsbnndm
+gcs+vHyu86YnmjSjaDFxODNi5PNxZnmxqWWjpYvVj2AtP0LMqmsywCPLLEHd5N/8
+YZzic7IilRFDGF/Eth9XbAoFWCLINkw6fKXRz4aviKdEAhN0cXMKQlkC+BsUa0Lf
+b1+6a4KinVvnSr0eAXLbS3ToO39/fR8EtCab4LRarEc9VbjXsCZSKAExQGbY2SS9
+9irY7CFJXJv2eul/VTV+lmuNk5Mny5K76qxAwJ/C+IDPXfRa3M50hqY+bAtTyr2S
+zhkGcuYMXDhpxwTWvGzOW/b3aJzcJRVIiKHpqfiYnODz1TEoYRFsZ5aNOZnLwkUk
+OQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
+HQ4EFgQUrWyqlGCc7eT/+j4KdCtjA/e2Wb8wDQYJKoZIhvcNAQELBQADggEBABpA
+2JVlrAmSicY59BDlqQ5mU1143vokkbvnRFHfxhY0Cu9qRFHqKweKA3rD6z8KLFIW
+oCtDuSWQP3CpMyVtRRooOyfPqsMpQhvfO0zAMzRbQYi/aytlryjvsvXDqmbOe1bu
+t8jLZ8HJnBoYuMTDSQPxYA5QzUbF83d597YV4Djbxy8ooAw/dyZ02SUS2jHaGh7c
+KUGRIjxpp7sC8rZcJwOJ9Abqm+RyguOhCcHpABnTPtRwa7pxpqpYrvS76Wy274fM
+m7v/OeZWYdMKp8RcTGB7BXcmer/YB1IsYvdwY9k5vG8cwnncdimvzsUsZAReiDZu
+MdRAGmI0Nj81Aa6sY6A=
+-----END CERTIFICATE-----
+EOF
+
+	if ! p11-kit import-object -q --login --file="export.exp" --label=cert "pkcs11:token=test-import-key?pin-value=12345"; then
+		assert_fail "unable to run: p11-kit import-object"
+	fi
+
+	if ! p11-kit export-object -q --login "pkcs11:token=test-import-key;object=cert?pin-value=12345" > export.out; then
+		assert_fail "unable to run: p11-kit export-object"
+	fi
+
+	: ${DIFF=diff}
+	if ! ${DIFF} export.exp export.out > export.diff; then
+		sed 's/^/# /' export.diff
+		assert_fail "output contains incorrect result"
+	fi
+}
+
+test_import_pubkey_rsa() {
+	# Generated and extracted with:
+	# p11-kit generate-keypair --type=rsa --bits=2048 --label=RSA 'pkcs11:model=SoftHSM%20v2'
+	# p11tool --export 'pkcs11:model=SoftHSM%20v2;object=RSA;type=public'
+	cat > export.exp <<EOF
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwK4hLgsRxltV0MudYWt2
+yZYWgjHh1B2G5EuJDRvjkYIGiFl6nDk9akWxawgJoVmnZg3Y0a4ogk0H8++WXOZj
+bVL1vYq9fxQm2KMNZPX0TM/efh0P8YM8lAyxiiCnCwGkffbUFqOa++4T/30FRfeX
+D1YaNYH1ZPf2CKSlm6uUIyqFOakxLcaTVj6oXif4NWtg6Edu6I1rES1sBMnsKQQE
+lLXoKLJovpzZgIeJfaxXhnQxfWFH4Ye0BAF4YtzoDXXnSfKVioiwNS06i6ZH9Ztd
+P20Te0/BDjxPMmTwml/j5NW/nM0N4tldl2HxbwgEkq+m4aVFYGrp0KOihgC5kDGO
+fQIDAQAB
+-----END PUBLIC KEY-----
+EOF
+
+	if ! p11-kit import-object -q --login --file="export.exp" --label=rsa "pkcs11:token=test-import-key?pin-value=12345"; then
+		assert_fail "unable to run: p11-kit import-object"
+	fi
+
+	if ! p11-kit export-object -q --login "pkcs11:token=test-import-key;object=rsa?pin-value=12345" > export.out; then
+		assert_fail "unable to run: p11-kit export-object"
+	fi
+
+	: ${DIFF=diff}
+	if ! ${DIFF} export.exp export.out > export.diff; then
+		sed 's/^/# /' export.diff
+		assert_fail "output contains incorrect result"
+	fi
+}
+
+test_import_pubkey_ec() {
+	# Generated and extracted with:
+	# p11-kit generate-keypair --type=ecdsa --curve=secp256r1 --label=EC 'pkcs11:model=SoftHSM%20v2'
+	# p11tool --export 'pkcs11:model=SoftHSM%20v2;object=EC;type=public'
+	cat > export.exp <<EOF
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsaTJt0debXaW7Hpcrpn7X07SsTk9
+6OKFal97R2f9wetmK/EVyZIjCsth4tvkVtvyVsawBF0A2iI7N+uZdiPshw==
+-----END PUBLIC KEY-----
+EOF
+
+	if ! p11-kit import-object -q --login --file="export.exp" --label=ec "pkcs11:token=test-import-key?pin-value=12345"; then
+		assert_fail "unable to run: p11-kit import-object"
+	fi
+
+	if ! p11-kit export-object -q --login "pkcs11:token=test-import-key;object=ec?pin-value=12345" > export.out; then
+		assert_fail "unable to run: p11-kit export-object"
+	fi
+
+	: ${DIFF=diff}
+	if ! ${DIFF} export.exp export.out > export.diff; then
+		sed 's/^/# /' export.diff
+		assert_fail "output contains incorrect result"
+	fi
+}
+
+run test_generate_keypair_rsa test_generate_keypair_ecdsa \
+    test_generate_keypair_ecdsa \
+    test_import_cert test_import_pubkey_rsa test_import_pubkey_ec