tests: Check the behavior of CKA_ALLOWED_MECHANISMS
This commit is contained in:
parent
fc4d600634
commit
83eeafca3c
|
@ -8,6 +8,8 @@ dist_noinst_SCRIPTS = test-manpage.sh \
|
|||
TESTS = \
|
||||
test-manpage.sh \
|
||||
test-pkcs11-tool-sign-verify.sh \
|
||||
test-pkcs11-tool-test.sh
|
||||
test-pkcs11-tool-test.sh \
|
||||
test-pkcs11-tool-allowed-mechanisms.sh
|
||||
XFAIL_TESTS = \
|
||||
test-pkcs11-tool-test.sh
|
||||
test-pkcs11-tool-test.sh \
|
||||
test-pkcs11-tool-allowed-mechanisms.sh
|
||||
|
|
|
@ -41,12 +41,16 @@ function generate_key() {
|
|||
rm $ID.der
|
||||
}
|
||||
|
||||
function card_setup() {
|
||||
function softhsm_initialize() {
|
||||
echo "directories.tokendir = .tokens/" > .softhsm2.conf
|
||||
mkdir ".tokens"
|
||||
export SOFTHSM2_CONF=".softhsm2.conf"
|
||||
# Init token
|
||||
softhsm2-util --init-token --slot 0 --label "SC test" --so-pin="$SOPIN" --pin="$PIN"
|
||||
}
|
||||
|
||||
function card_setup() {
|
||||
softhsm_initialize
|
||||
|
||||
# Generate 1024b RSA Key pair
|
||||
generate_key "RSA:1024" "01" "RSA_auth"
|
||||
|
@ -58,8 +62,12 @@ function card_setup() {
|
|||
generate_key "EC:secp521r1" "04" "ECC521"
|
||||
}
|
||||
|
||||
function card_cleanup() {
|
||||
function softhsm_cleanup() {
|
||||
rm .softhsm2.conf
|
||||
rm -rf ".tokens"
|
||||
}
|
||||
|
||||
function card_cleanup() {
|
||||
softhsm_cleanup
|
||||
rm 0{1,2,3,4}.pub
|
||||
}
|
||||
|
|
|
@ -0,0 +1,51 @@
|
|||
#!/bin/bash
|
||||
|
||||
source common.sh
|
||||
|
||||
echo "======================================================="
|
||||
echo "Setup SoftHSM"
|
||||
echo "======================================================="
|
||||
if [[ ! -f $P11LIB ]]; then
|
||||
echo "WARNINIG: The SoftHSM is not installed. Can not run this test"
|
||||
exit 77;
|
||||
fi
|
||||
softhsm_initialize
|
||||
# XXX This is broken in currently released SoftHSM
|
||||
# P11LIB=/home/jjelen/devel/SoftHSMv2/src/lib/.libs/libsofthsm2.so
|
||||
|
||||
echo "======================================================="
|
||||
echo "Generate key-pair with CKA_ALLOWED_MECHANISMS"
|
||||
echo "======================================================="
|
||||
ID="05"
|
||||
MECHANISMS="RSA-PKCS,SHA1-RSA-PKCS,RSA-PKCS-PSS"
|
||||
# Generate key pair
|
||||
$PKCS11_TOOL --keypairgen --key-type="RSA:" --login --pin=$PIN \
|
||||
--module="$P11LIB" --label="test" --id="$ID" \
|
||||
--allowed-mechanisms="$MECHANISMS"
|
||||
assert $? "Failed to Generate RSA key pair"
|
||||
|
||||
# Check the attributes are visible
|
||||
$PKCS11_TOOL --list-objects --login --pin=$PIN \
|
||||
--module="$P11LIB" --id=$ID > objects.list
|
||||
assert $? "Failed to list objects"
|
||||
grep -q "Allowed mechanisms" objects.list
|
||||
assert $? "Allowed mechanisms not in the object list"
|
||||
grep -q "$MECHANISMS" objects.list
|
||||
assert $? "The $MECHANISMS is not in the list"
|
||||
|
||||
# Make sure we are not allowed to use forbidden mechanism
|
||||
echo "data to sign (max 100 bytes)" > data
|
||||
$PKCS11_TOOL --id $ID -s -p $PIN -m SHA256-RSA-PKCS --module $P11LIB \
|
||||
--input-file data --output-file data.sig &> sign.log
|
||||
grep -q CKR_MECHANISM_INVALID sign.log
|
||||
assert $? "It was possible to sign using non-allowed mechanism"
|
||||
rm -f data{,.sig}
|
||||
|
||||
echo "======================================================="
|
||||
echo "Cleanup"
|
||||
echo "======================================================="
|
||||
softhsm_cleanup
|
||||
|
||||
rm objects.list
|
||||
|
||||
exit $ERRORS
|
Loading…
Reference in New Issue