PKCS#11 testsuite (#1224)
* Initial version of pkcs11 testsuite
* Refactor test cases to several files, clean up awful and unused stuff
* Static mechanism list based on the actual token offer
* Get rid of magic numbers
* Documentation
* License update based on the original project
* Verbose readme
* Cleanup unused code, long lines and method order
* Typo; More verbose errors
* Use fallback mechanisms
* Refactor object allocation and certificate search
* PKCS11SPY mentioned, more TODO
* add SHA mechanisms
* Do not try to Finalize already finalized cryptoki
* Add more flags and mechanisms
* Do not list table for no results
* Logical order of the tests (regression last)
* read ALWAYS_AUTHENTICATE from correct place
* ALWAYS_AUTHENTICATE for decryption
* Test EC key length signature based on the actual key length
* Shorten CKM_ list output, add keygen types detection
* Skip decrypting on non-supported mechanisms
* Fail hard if the C_Login fails
* Reorganize local FLAGS_ constants
* Test RSA Digest mechanisms
* Correct mechanisms naming, typos
* Do not attempt to do signature using empty keys
* CKM_ECDSA_SHA1 support
* Correct type cast when getting attributes
* Report failures from all mechanisms
* Standardize return values, eliminate complete fails, documentation interface
* Wait for slot event test
* Add switch to allow interaction with a card (WaitForSlotEvent)
* At least try to verify using C_Verify, if it fails, fall back to openssl
* Get rid of function_pointers
* Get rid of additional newline
* Share always_authenticate() function between the test cases
* Refactor Encrypt&decrypt test to functions
* Do not overwrite bits if they are not provided by CKA, indentation
* Cleanup and Break to more functions Sign&Verify test
* CKM_RSA_X_509 sign and verify with openssl padding
* More TODO's
* Proper abstracted padding with RSA_X_509 mechanism
* Add ongoing tasks from different TODO list
* Update instructions. Another todo
* Variables naming
* Increase mechanism list size, use different static buffers for flags and mechanism names
* nonstandard mechanism CKM_SHA224_RSA_PKCS supported by some softotkens
* Get rid of loop initial declarations
* Loop initial declaration, typos, strict warnings
* Move the p11test to the new folder to avoid problems with dynamically linked opensc.so
* Update path in README
* Possibility to validate the testsuite agains software tokens
* Add possibility to select slot ID on command-line (when there are more cards present)
* Clean up readme to reflect current options and TODOs
* Do not attempt to use keys without advertised sign&verify bits to avoid false positives
* Get and present more object attributes in readonly test; refactor table
* New test checking if the set of attributes (usage flags) is reasonable
* Test multipart signatures. There is not reasonable mechanism supporting multipart encryption
* Use PKCS#11 encryption if possible (with openssl fallback)
* Identify few more mechanisms (PSS) in the lest
* Resize table to fit new mechanisms
* Remove initial loop declaration from multipart test
* Use pkcs11-tool instead of p11tool form most of the operations (master have most of the features)
* Preparation for machine readable results
* Refactor log variables out of the main context, try to export generic data
* Do not write to non-existing FD if not logging
* Export missing data into the log file in JSON
* Store database in json
* Sanity check
* Avoid uninitialized structure fields using in state structure
* Dump always_authenticate attribute too
* Manual selection of slots with possibility to use slots without tokens
* Do not free before finalizing
* Proper cleanup of message in all cases
* Proper allocation and deallocation of messages
* Sanitize missing cases (memory leaks)
* Suppressions for testing under valgrind
* Better handling message_lengt during sign&verify (avoid invalid access)
* Suppress another PCSC error
* Do not use default PIN. Fail if none specified
* Sanitize initialization. Skip incomplete key pairs
* Add missing newline in errors
* Fix condition for certificate search
* Avoid several calls for attributes of zero length
* Handle if the private key is not present on the card
* Improve memory handling, silent GCC warning of 'unused' variable
* Fail early with missing private key, cleanup the messages
* Use correct padding for encryption
* Cache if the card supports Verify/Encrypt and avoid trying over and over again
* Loosen the condition for the Usage flags
* OpenSSL 1.1.0 compatibility
* Add missing mechanisms
* Do not require certificates on the card and pass valid data for RSA_PKCS mechanisms
* Add missing PIN argument in runtest.sh
* Add OpenSSL < 1.1 comatible bits
* Add SHA2 ECDSA mechanisms handling
* Use public key from PKCS#11 if the certificate is missing (or compare it with certificate)
* Avoid long definitions in OpenSSL compat layer
* In older OpenSSL, the header file is ecdsa.h
* Add missing config.h to apply compat OpenSSL layer
* ASN1_STRING_get0_data() is also new in 1.1.0
* Return back RSA_X_509 mechanism
* Drop bogus CKM_* in the definitions
* Drop CKM_SHA224_RSA_PKCS as it is already in pkcs11.h
* Update documentation
* Use NDEBUG as intended
* typos, cleanup
* Typos, cleanup, update copyright
* Additional check for OpenCryptoki, generate more key types on soft tokens
* Prepare for RSA-PSS and RSA-OAEP
* Use usage&result flags for the tests, gracefully ignore PSS&OAEP
* pkcs11.h: Add missing definitions for PSS
* PSS and OAEP tests
readonly: Typos, reformat
* Working version, memory leak
* Tweak message lengths for OAEP and PSS
* Skip tests that are not aplicable for tokens
* configure.ac: New switch --enable-tests
Do not attempt to build tests if cmocka is not available or
--enable-tests is provided. It makes also more lightweight release
builds out of the box (or with --disable-tests).
* travis: Install cmocka if not available
* Do not build tests on Windows and make dist pass
* Try to install cmocka from apt and from brew
* Do not require sudo (cmocka from apt and brew works)
2018-05-18 10:31:55 +00:00
|
|
|
/*
|
|
|
|
* p11test_loader.c: Library loader for PKCS#11 test suite
|
|
|
|
*
|
|
|
|
* Copyright (C) 2016 Martin Strhársky <strharsky.martin@gmail.com>
|
|
|
|
* Copyright (C) 2016, 2017 Red Hat, Inc.
|
|
|
|
*
|
|
|
|
* Author: Jakub Jelen <jjelen@redhat.com>
|
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "p11test_loader.h"
|
|
|
|
|
2020-08-13 16:44:50 +00:00
|
|
|
void *pkcs11_so;
|
PKCS#11 testsuite (#1224)
* Initial version of pkcs11 testsuite
* Refactor test cases to several files, clean up awful and unused stuff
* Static mechanism list based on the actual token offer
* Get rid of magic numbers
* Documentation
* License update based on the original project
* Verbose readme
* Cleanup unused code, long lines and method order
* Typo; More verbose errors
* Use fallback mechanisms
* Refactor object allocation and certificate search
* PKCS11SPY mentioned, more TODO
* add SHA mechanisms
* Do not try to Finalize already finalized cryptoki
* Add more flags and mechanisms
* Do not list table for no results
* Logical order of the tests (regression last)
* read ALWAYS_AUTHENTICATE from correct place
* ALWAYS_AUTHENTICATE for decryption
* Test EC key length signature based on the actual key length
* Shorten CKM_ list output, add keygen types detection
* Skip decrypting on non-supported mechanisms
* Fail hard if the C_Login fails
* Reorganize local FLAGS_ constants
* Test RSA Digest mechanisms
* Correct mechanisms naming, typos
* Do not attempt to do signature using empty keys
* CKM_ECDSA_SHA1 support
* Correct type cast when getting attributes
* Report failures from all mechanisms
* Standardize return values, eliminate complete fails, documentation interface
* Wait for slot event test
* Add switch to allow interaction with a card (WaitForSlotEvent)
* At least try to verify using C_Verify, if it fails, fall back to openssl
* Get rid of function_pointers
* Get rid of additional newline
* Share always_authenticate() function between the test cases
* Refactor Encrypt&decrypt test to functions
* Do not overwrite bits if they are not provided by CKA, indentation
* Cleanup and Break to more functions Sign&Verify test
* CKM_RSA_X_509 sign and verify with openssl padding
* More TODO's
* Proper abstracted padding with RSA_X_509 mechanism
* Add ongoing tasks from different TODO list
* Update instructions. Another todo
* Variables naming
* Increase mechanism list size, use different static buffers for flags and mechanism names
* nonstandard mechanism CKM_SHA224_RSA_PKCS supported by some softotkens
* Get rid of loop initial declarations
* Loop initial declaration, typos, strict warnings
* Move the p11test to the new folder to avoid problems with dynamically linked opensc.so
* Update path in README
* Possibility to validate the testsuite agains software tokens
* Add possibility to select slot ID on command-line (when there are more cards present)
* Clean up readme to reflect current options and TODOs
* Do not attempt to use keys without advertised sign&verify bits to avoid false positives
* Get and present more object attributes in readonly test; refactor table
* New test checking if the set of attributes (usage flags) is reasonable
* Test multipart signatures. There is not reasonable mechanism supporting multipart encryption
* Use PKCS#11 encryption if possible (with openssl fallback)
* Identify few more mechanisms (PSS) in the lest
* Resize table to fit new mechanisms
* Remove initial loop declaration from multipart test
* Use pkcs11-tool instead of p11tool form most of the operations (master have most of the features)
* Preparation for machine readable results
* Refactor log variables out of the main context, try to export generic data
* Do not write to non-existing FD if not logging
* Export missing data into the log file in JSON
* Store database in json
* Sanity check
* Avoid uninitialized structure fields using in state structure
* Dump always_authenticate attribute too
* Manual selection of slots with possibility to use slots without tokens
* Do not free before finalizing
* Proper cleanup of message in all cases
* Proper allocation and deallocation of messages
* Sanitize missing cases (memory leaks)
* Suppressions for testing under valgrind
* Better handling message_lengt during sign&verify (avoid invalid access)
* Suppress another PCSC error
* Do not use default PIN. Fail if none specified
* Sanitize initialization. Skip incomplete key pairs
* Add missing newline in errors
* Fix condition for certificate search
* Avoid several calls for attributes of zero length
* Handle if the private key is not present on the card
* Improve memory handling, silent GCC warning of 'unused' variable
* Fail early with missing private key, cleanup the messages
* Use correct padding for encryption
* Cache if the card supports Verify/Encrypt and avoid trying over and over again
* Loosen the condition for the Usage flags
* OpenSSL 1.1.0 compatibility
* Add missing mechanisms
* Do not require certificates on the card and pass valid data for RSA_PKCS mechanisms
* Add missing PIN argument in runtest.sh
* Add OpenSSL < 1.1 comatible bits
* Add SHA2 ECDSA mechanisms handling
* Use public key from PKCS#11 if the certificate is missing (or compare it with certificate)
* Avoid long definitions in OpenSSL compat layer
* In older OpenSSL, the header file is ecdsa.h
* Add missing config.h to apply compat OpenSSL layer
* ASN1_STRING_get0_data() is also new in 1.1.0
* Return back RSA_X_509 mechanism
* Drop bogus CKM_* in the definitions
* Drop CKM_SHA224_RSA_PKCS as it is already in pkcs11.h
* Update documentation
* Use NDEBUG as intended
* typos, cleanup
* Typos, cleanup, update copyright
* Additional check for OpenCryptoki, generate more key types on soft tokens
* Prepare for RSA-PSS and RSA-OAEP
* Use usage&result flags for the tests, gracefully ignore PSS&OAEP
* pkcs11.h: Add missing definitions for PSS
* PSS and OAEP tests
readonly: Typos, reformat
* Working version, memory leak
* Tweak message lengths for OAEP and PSS
* Skip tests that are not aplicable for tokens
* configure.ac: New switch --enable-tests
Do not attempt to build tests if cmocka is not available or
--enable-tests is provided. It makes also more lightweight release
builds out of the box (or with --disable-tests).
* travis: Install cmocka if not available
* Do not build tests on Windows and make dist pass
* Try to install cmocka from apt and from brew
* Do not require sudo (cmocka from apt and brew works)
2018-05-18 10:31:55 +00:00
|
|
|
|
|
|
|
int get_slot_with_card(token_info_t * info)
|
|
|
|
{
|
|
|
|
CK_SLOT_ID_PTR slot_list;
|
|
|
|
CK_SLOT_ID slot_id;
|
|
|
|
CK_ULONG slot_count = 0;
|
|
|
|
CK_RV rv;
|
|
|
|
int error = 0;
|
|
|
|
unsigned int i;
|
|
|
|
|
|
|
|
CK_FUNCTION_LIST_PTR function_pointer = info->function_pointer;
|
|
|
|
|
|
|
|
/* Get slot list for memory allocation */
|
|
|
|
rv = function_pointer->C_GetSlotList(0, NULL_PTR, &slot_count);
|
|
|
|
|
|
|
|
if ((rv == CKR_OK) && (slot_count > 0)) {
|
|
|
|
slot_list = malloc(slot_count * sizeof (CK_SLOT_ID));
|
|
|
|
|
|
|
|
if (slot_list == NULL) {
|
|
|
|
fprintf(stderr, "System error: unable to allocate memory\n");
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Get the slot list for processing */
|
|
|
|
rv = function_pointer->C_GetSlotList(0, slot_list, &slot_count);
|
|
|
|
if (rv != CKR_OK) {
|
|
|
|
fprintf(stderr, "GetSlotList failed: unable to get slot count.\n");
|
|
|
|
error = 1;
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
fprintf(stderr, "GetSlotList failed: unable to get slot list.\n");
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Find a slot capable of specified mechanism */
|
|
|
|
for (i = 0; i < slot_count; i++) {
|
|
|
|
CK_SLOT_INFO slot_info;
|
|
|
|
slot_id = slot_list[i];
|
|
|
|
|
|
|
|
rv = function_pointer->C_GetSlotInfo(slot_id, &slot_info);
|
|
|
|
if (rv != CKR_OK)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
if (info->slot_id == slot_id) {
|
|
|
|
if (info->slot_id == slot_list[i]) { /* explicitly specified slot */
|
|
|
|
debug_print("Manually selected slot %lu (%s a token)\n", info->slot_id,
|
|
|
|
((slot_info.flags & CKF_TOKEN_PRESENT) ? "with" : "without"));
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (slot_info.flags & CKF_TOKEN_PRESENT) {
|
|
|
|
/* first found slot if not specified */
|
|
|
|
if (info->slot_id == (unsigned long) -1) {
|
|
|
|
info->slot_id = slot_id;
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
error = 1;
|
|
|
|
fprintf(stderr, "No slot with card inserted or the selected slot does not exist\n");
|
|
|
|
|
|
|
|
cleanup:
|
|
|
|
if (slot_list) {
|
|
|
|
free(slot_list);
|
|
|
|
}
|
|
|
|
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
int load_pkcs11_module(token_info_t * info, const char* path_to_pkcs11_library) {
|
|
|
|
CK_RV rv;
|
|
|
|
CK_RV (*C_GetFunctionList)(CK_FUNCTION_LIST_PTR_PTR) = 0;
|
|
|
|
|
|
|
|
if(strlen(path_to_pkcs11_library) == 0) {
|
|
|
|
fprintf(stderr, "You have to specify path to PKCS#11 library.");
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
pkcs11_so = dlopen(path_to_pkcs11_library, RTLD_NOW);
|
|
|
|
|
|
|
|
if (!pkcs11_so) {
|
|
|
|
fprintf(stderr, "Error loading pkcs#11 so: %s\n", dlerror());
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
C_GetFunctionList = (CK_RV (*)(CK_FUNCTION_LIST_PTR_PTR)) dlsym(pkcs11_so, "C_GetFunctionList");
|
|
|
|
|
|
|
|
if (!C_GetFunctionList) {
|
|
|
|
fprintf(stderr, "Could not get function list: %s\n", dlerror());
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
rv = C_GetFunctionList(&info->function_pointer);
|
|
|
|
if (CKR_OK != rv) {
|
|
|
|
fprintf(stderr, "C_GetFunctionList call failed: 0x%.8lX", rv);
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
rv = info->function_pointer->C_Initialize(NULL_PTR);
|
|
|
|
|
|
|
|
if (rv != CKR_OK) {
|
|
|
|
fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (get_slot_with_card(info)) {
|
|
|
|
fprintf(stderr, "There is no card present in reader.\n");
|
|
|
|
info->function_pointer->C_Finalize(NULL_PTR);
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
info->function_pointer->C_Finalize(NULL_PTR);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
void close_pkcs11_module() {
|
|
|
|
if(pkcs11_so)
|
|
|
|
dlclose(pkcs11_so);
|
|
|
|
}
|
|
|
|
|