giomba
/
opensc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
opensc/src/tests/p11test/p11test_loader.c

148 lines
4.1 KiB
C
Raw Normal View History

PKCS#11 testsuite (#1224) * Initial version of pkcs11 testsuite * Refactor test cases to several files, clean up awful and unused stuff * Static mechanism list based on the actual token offer * Get rid of magic numbers * Documentation * License update based on the original project * Verbose readme * Cleanup unused code, long lines and method order * Typo; More verbose errors * Use fallback mechanisms * Refactor object allocation and certificate search * PKCS11SPY mentioned, more TODO * add SHA mechanisms * Do not try to Finalize already finalized cryptoki * Add more flags and mechanisms * Do not list table for no results * Logical order of the tests (regression last) * read ALWAYS_AUTHENTICATE from correct place * ALWAYS_AUTHENTICATE for decryption * Test EC key length signature based on the actual key length * Shorten CKM_ list output, add keygen types detection * Skip decrypting on non-supported mechanisms * Fail hard if the C_Login fails * Reorganize local FLAGS_ constants * Test RSA Digest mechanisms * Correct mechanisms naming, typos * Do not attempt to do signature using empty keys * CKM_ECDSA_SHA1 support * Correct type cast when getting attributes * Report failures from all mechanisms * Standardize return values, eliminate complete fails, documentation interface * Wait for slot event test * Add switch to allow interaction with a card (WaitForSlotEvent) * At least try to verify using C_Verify, if it fails, fall back to openssl * Get rid of function_pointers * Get rid of additional newline * Share always_authenticate() function between the test cases * Refactor Encrypt&decrypt test to functions * Do not overwrite bits if they are not provided by CKA, indentation * Cleanup and Break to more functions Sign&Verify test * CKM_RSA_X_509 sign and verify with openssl padding * More TODO's * Proper abstracted padding with RSA_X_509 mechanism * Add ongoing tasks from different TODO list * Update instructions. Another todo * Variables naming * Increase mechanism list size, use different static buffers for flags and mechanism names * nonstandard mechanism CKM_SHA224_RSA_PKCS supported by some softotkens * Get rid of loop initial declarations * Loop initial declaration, typos, strict warnings * Move the p11test to the new folder to avoid problems with dynamically linked opensc.so * Update path in README * Possibility to validate the testsuite agains software tokens * Add possibility to select slot ID on command-line (when there are more cards present) * Clean up readme to reflect current options and TODOs * Do not attempt to use keys without advertised sign&verify bits to avoid false positives * Get and present more object attributes in readonly test; refactor table * New test checking if the set of attributes (usage flags) is reasonable * Test multipart signatures. There is not reasonable mechanism supporting multipart encryption * Use PKCS#11 encryption if possible (with openssl fallback) * Identify few more mechanisms (PSS) in the lest * Resize table to fit new mechanisms * Remove initial loop declaration from multipart test * Use pkcs11-tool instead of p11tool form most of the operations (master have most of the features) * Preparation for machine readable results * Refactor log variables out of the main context, try to export generic data * Do not write to non-existing FD if not logging * Export missing data into the log file in JSON * Store database in json * Sanity check * Avoid uninitialized structure fields using in state structure * Dump always_authenticate attribute too * Manual selection of slots with possibility to use slots without tokens * Do not free before finalizing * Proper cleanup of message in all cases * Proper allocation and deallocation of messages * Sanitize missing cases (memory leaks) * Suppressions for testing under valgrind * Better handling message_lengt during sign&verify (avoid invalid access) * Suppress another PCSC error * Do not use default PIN. Fail if none specified * Sanitize initialization. Skip incomplete key pairs * Add missing newline in errors * Fix condition for certificate search * Avoid several calls for attributes of zero length * Handle if the private key is not present on the card * Improve memory handling, silent GCC warning of 'unused' variable * Fail early with missing private key, cleanup the messages * Use correct padding for encryption * Cache if the card supports Verify/Encrypt and avoid trying over and over again * Loosen the condition for the Usage flags * OpenSSL 1.1.0 compatibility * Add missing mechanisms * Do not require certificates on the card and pass valid data for RSA_PKCS mechanisms * Add missing PIN argument in runtest.sh * Add OpenSSL < 1.1 comatible bits * Add SHA2 ECDSA mechanisms handling * Use public key from PKCS#11 if the certificate is missing (or compare it with certificate) * Avoid long definitions in OpenSSL compat layer * In older OpenSSL, the header file is ecdsa.h * Add missing config.h to apply compat OpenSSL layer * ASN1_STRING_get0_data() is also new in 1.1.0 * Return back RSA_X_509 mechanism * Drop bogus CKM_* in the definitions * Drop CKM_SHA224_RSA_PKCS as it is already in pkcs11.h * Update documentation * Use NDEBUG as intended * typos, cleanup * Typos, cleanup, update copyright * Additional check for OpenCryptoki, generate more key types on soft tokens * Prepare for RSA-PSS and RSA-OAEP * Use usage&result flags for the tests, gracefully ignore PSS&OAEP * pkcs11.h: Add missing definitions for PSS * PSS and OAEP tests readonly: Typos, reformat * Working version, memory leak * Tweak message lengths for OAEP and PSS * Skip tests that are not aplicable for tokens * configure.ac: New switch --enable-tests Do not attempt to build tests if cmocka is not available or --enable-tests is provided. It makes also more lightweight release builds out of the box (or with --disable-tests). * travis: Install cmocka if not available * Do not build tests on Windows and make dist pass * Try to install cmocka from apt and from brew * Do not require sudo (cmocka from apt and brew works)
2018-05-18 10:31:55 +00:00
/*
* p11test_loader.c: Library loader for PKCS#11 test suite
*
* Copyright (C) 2016 Martin Strhársky <strharsky.martin@gmail.com>
* Copyright (C) 2016, 2017 Red Hat, Inc.
*
* Author: Jakub Jelen <jjelen@redhat.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "p11test_loader.h"
p11test: Basic test for C_GetInterface API from PKCS#11 3.0
2020-08-13 16:44:50 +00:00
void *pkcs11_so;
PKCS#11 testsuite (#1224) * Initial version of pkcs11 testsuite * Refactor test cases to several files, clean up awful and unused stuff * Static mechanism list based on the actual token offer * Get rid of magic numbers * Documentation * License update based on the original project * Verbose readme * Cleanup unused code, long lines and method order * Typo; More verbose errors * Use fallback mechanisms * Refactor object allocation and certificate search * PKCS11SPY mentioned, more TODO * add SHA mechanisms * Do not try to Finalize already finalized cryptoki * Add more flags and mechanisms * Do not list table for no results * Logical order of the tests (regression last) * read ALWAYS_AUTHENTICATE from correct place * ALWAYS_AUTHENTICATE for decryption * Test EC key length signature based on the actual key length * Shorten CKM_ list output, add keygen types detection * Skip decrypting on non-supported mechanisms * Fail hard if the C_Login fails * Reorganize local FLAGS_ constants * Test RSA Digest mechanisms * Correct mechanisms naming, typos * Do not attempt to do signature using empty keys * CKM_ECDSA_SHA1 support * Correct type cast when getting attributes * Report failures from all mechanisms * Standardize return values, eliminate complete fails, documentation interface * Wait for slot event test * Add switch to allow interaction with a card (WaitForSlotEvent) * At least try to verify using C_Verify, if it fails, fall back to openssl * Get rid of function_pointers * Get rid of additional newline * Share always_authenticate() function between the test cases * Refactor Encrypt&decrypt test to functions * Do not overwrite bits if they are not provided by CKA, indentation * Cleanup and Break to more functions Sign&Verify test * CKM_RSA_X_509 sign and verify with openssl padding * More TODO's * Proper abstracted padding with RSA_X_509 mechanism * Add ongoing tasks from different TODO list * Update instructions. Another todo * Variables naming * Increase mechanism list size, use different static buffers for flags and mechanism names * nonstandard mechanism CKM_SHA224_RSA_PKCS supported by some softotkens * Get rid of loop initial declarations * Loop initial declaration, typos, strict warnings * Move the p11test to the new folder to avoid problems with dynamically linked opensc.so * Update path in README * Possibility to validate the testsuite agains software tokens * Add possibility to select slot ID on command-line (when there are more cards present) * Clean up readme to reflect current options and TODOs * Do not attempt to use keys without advertised sign&verify bits to avoid false positives * Get and present more object attributes in readonly test; refactor table * New test checking if the set of attributes (usage flags) is reasonable * Test multipart signatures. There is not reasonable mechanism supporting multipart encryption * Use PKCS#11 encryption if possible (with openssl fallback) * Identify few more mechanisms (PSS) in the lest * Resize table to fit new mechanisms * Remove initial loop declaration from multipart test * Use pkcs11-tool instead of p11tool form most of the operations (master have most of the features) * Preparation for machine readable results * Refactor log variables out of the main context, try to export generic data * Do not write to non-existing FD if not logging * Export missing data into the log file in JSON * Store database in json * Sanity check * Avoid uninitialized structure fields using in state structure * Dump always_authenticate attribute too * Manual selection of slots with possibility to use slots without tokens * Do not free before finalizing * Proper cleanup of message in all cases * Proper allocation and deallocation of messages * Sanitize missing cases (memory leaks) * Suppressions for testing under valgrind * Better handling message_lengt during sign&verify (avoid invalid access) * Suppress another PCSC error * Do not use default PIN. Fail if none specified * Sanitize initialization. Skip incomplete key pairs * Add missing newline in errors * Fix condition for certificate search * Avoid several calls for attributes of zero length * Handle if the private key is not present on the card * Improve memory handling, silent GCC warning of 'unused' variable * Fail early with missing private key, cleanup the messages * Use correct padding for encryption * Cache if the card supports Verify/Encrypt and avoid trying over and over again * Loosen the condition for the Usage flags * OpenSSL 1.1.0 compatibility * Add missing mechanisms * Do not require certificates on the card and pass valid data for RSA_PKCS mechanisms * Add missing PIN argument in runtest.sh * Add OpenSSL < 1.1 comatible bits * Add SHA2 ECDSA mechanisms handling * Use public key from PKCS#11 if the certificate is missing (or compare it with certificate) * Avoid long definitions in OpenSSL compat layer * In older OpenSSL, the header file is ecdsa.h * Add missing config.h to apply compat OpenSSL layer * ASN1_STRING_get0_data() is also new in 1.1.0 * Return back RSA_X_509 mechanism * Drop bogus CKM_* in the definitions * Drop CKM_SHA224_RSA_PKCS as it is already in pkcs11.h * Update documentation * Use NDEBUG as intended * typos, cleanup * Typos, cleanup, update copyright * Additional check for OpenCryptoki, generate more key types on soft tokens * Prepare for RSA-PSS and RSA-OAEP * Use usage&result flags for the tests, gracefully ignore PSS&OAEP * pkcs11.h: Add missing definitions for PSS * PSS and OAEP tests readonly: Typos, reformat * Working version, memory leak * Tweak message lengths for OAEP and PSS * Skip tests that are not aplicable for tokens * configure.ac: New switch --enable-tests Do not attempt to build tests if cmocka is not available or --enable-tests is provided. It makes also more lightweight release builds out of the box (or with --disable-tests). * travis: Install cmocka if not available * Do not build tests on Windows and make dist pass * Try to install cmocka from apt and from brew * Do not require sudo (cmocka from apt and brew works)
2018-05-18 10:31:55 +00:00
int get_slot_with_card(token_info_t * info)
{
CK_SLOT_ID_PTR slot_list;
CK_SLOT_ID slot_id;
CK_ULONG slot_count = 0;
CK_RV rv;
int error = 0;
unsigned int i;
CK_FUNCTION_LIST_PTR function_pointer = info->function_pointer;
/* Get slot list for memory allocation */
rv = function_pointer->C_GetSlotList(0, NULL_PTR, &slot_count);
if ((rv == CKR_OK) && (slot_count > 0)) {
slot_list = malloc(slot_count * sizeof (CK_SLOT_ID));
if (slot_list == NULL) {
fprintf(stderr, "System error: unable to allocate memory\n");
return 1;
}
/* Get the slot list for processing */
rv = function_pointer->C_GetSlotList(0, slot_list, &slot_count);
if (rv != CKR_OK) {
fprintf(stderr, "GetSlotList failed: unable to get slot count.\n");
error = 1;
goto cleanup;
}
} else {
fprintf(stderr, "GetSlotList failed: unable to get slot list.\n");
return 1;
}
/* Find a slot capable of specified mechanism */
for (i = 0; i < slot_count; i++) {
CK_SLOT_INFO slot_info;
slot_id = slot_list[i];
rv = function_pointer->C_GetSlotInfo(slot_id, &slot_info);
if (rv != CKR_OK)
continue;
if (info->slot_id == slot_id) {
if (info->slot_id == slot_list[i]) { /* explicitly specified slot */
debug_print("Manually selected slot %lu (%s a token)\n", info->slot_id,
((slot_info.flags & CKF_TOKEN_PRESENT) ? "with" : "without"));
goto cleanup;
}
}
if (slot_info.flags & CKF_TOKEN_PRESENT) {
/* first found slot if not specified */
if (info->slot_id == (unsigned long) -1) {
info->slot_id = slot_id;
goto cleanup;
}
}
}
error = 1;
fprintf(stderr, "No slot with card inserted or the selected slot does not exist\n");
cleanup:
if (slot_list) {
free(slot_list);
}
return error;
}
int load_pkcs11_module(token_info_t * info, const char* path_to_pkcs11_library) {
CK_RV rv;
CK_RV (*C_GetFunctionList)(CK_FUNCTION_LIST_PTR_PTR) = 0;
if(strlen(path_to_pkcs11_library) == 0) {
fprintf(stderr, "You have to specify path to PKCS#11 library.");
return 1;
}
pkcs11_so = dlopen(path_to_pkcs11_library, RTLD_NOW);
if (!pkcs11_so) {
fprintf(stderr, "Error loading pkcs#11 so: %s\n", dlerror());
return 1;
}
C_GetFunctionList = (CK_RV (*)(CK_FUNCTION_LIST_PTR_PTR)) dlsym(pkcs11_so, "C_GetFunctionList");
if (!C_GetFunctionList) {
fprintf(stderr, "Could not get function list: %s\n", dlerror());
return 1;
}
rv = C_GetFunctionList(&info->function_pointer);
if (CKR_OK != rv) {
fprintf(stderr, "C_GetFunctionList call failed: 0x%.8lX", rv);
return 1;
}
rv = info->function_pointer->C_Initialize(NULL_PTR);
if (rv != CKR_OK) {
fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
return 1;
}
if (get_slot_with_card(info)) {
fprintf(stderr, "There is no card present in reader.\n");
info->function_pointer->C_Finalize(NULL_PTR);
return 1;
}
info->function_pointer->C_Finalize(NULL_PTR);
return 0;
}
void close_pkcs11_module() {
if(pkcs11_so)
dlclose(pkcs11_so);
}