From 83eeafca3c17b886345b27132ca9c466eb85fd32 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Fri, 8 Mar 2019 17:54:55 +0100 Subject: [PATCH] tests: Check the behavior of CKA_ALLOWED_MECHANISMS --- tests/Makefile.am | 6 ++- tests/common.sh | 12 ++++- tests/test-pkcs11-tool-allowed-mechanisms.sh | 51 ++++++++++++++++++++ 3 files changed, 65 insertions(+), 4 deletions(-) create mode 100755 tests/test-pkcs11-tool-allowed-mechanisms.sh diff --git a/tests/Makefile.am b/tests/Makefile.am index b319986e..d1230d93 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -8,6 +8,8 @@ dist_noinst_SCRIPTS = test-manpage.sh \ TESTS = \ test-manpage.sh \ test-pkcs11-tool-sign-verify.sh \ - test-pkcs11-tool-test.sh + test-pkcs11-tool-test.sh \ + test-pkcs11-tool-allowed-mechanisms.sh XFAIL_TESTS = \ - test-pkcs11-tool-test.sh + test-pkcs11-tool-test.sh \ + test-pkcs11-tool-allowed-mechanisms.sh diff --git a/tests/common.sh b/tests/common.sh index 3146eb2a..4fa1fba0 100644 --- a/tests/common.sh +++ b/tests/common.sh @@ -41,12 +41,16 @@ function generate_key() { rm $ID.der } -function card_setup() { +function softhsm_initialize() { echo "directories.tokendir = .tokens/" > .softhsm2.conf mkdir ".tokens" export SOFTHSM2_CONF=".softhsm2.conf" # Init token softhsm2-util --init-token --slot 0 --label "SC test" --so-pin="$SOPIN" --pin="$PIN" +} + +function card_setup() { + softhsm_initialize # Generate 1024b RSA Key pair generate_key "RSA:1024" "01" "RSA_auth" @@ -58,8 +62,12 @@ function card_setup() { generate_key "EC:secp521r1" "04" "ECC521" } -function card_cleanup() { +function softhsm_cleanup() { rm .softhsm2.conf rm -rf ".tokens" +} + +function card_cleanup() { + softhsm_cleanup rm 0{1,2,3,4}.pub } diff --git a/tests/test-pkcs11-tool-allowed-mechanisms.sh b/tests/test-pkcs11-tool-allowed-mechanisms.sh new file mode 100755 index 00000000..25a69235 --- /dev/null +++ b/tests/test-pkcs11-tool-allowed-mechanisms.sh @@ -0,0 +1,51 @@ +#!/bin/bash + +source common.sh + +echo "=======================================================" +echo "Setup SoftHSM" +echo "=======================================================" +if [[ ! -f $P11LIB ]]; then + echo "WARNINIG: The SoftHSM is not installed. Can not run this test" + exit 77; +fi +softhsm_initialize +# XXX This is broken in currently released SoftHSM +# P11LIB=/home/jjelen/devel/SoftHSMv2/src/lib/.libs/libsofthsm2.so + +echo "=======================================================" +echo "Generate key-pair with CKA_ALLOWED_MECHANISMS" +echo "=======================================================" +ID="05" +MECHANISMS="RSA-PKCS,SHA1-RSA-PKCS,RSA-PKCS-PSS" +# Generate key pair +$PKCS11_TOOL --keypairgen --key-type="RSA:" --login --pin=$PIN \ + --module="$P11LIB" --label="test" --id="$ID" \ + --allowed-mechanisms="$MECHANISMS" +assert $? "Failed to Generate RSA key pair" + +# Check the attributes are visible +$PKCS11_TOOL --list-objects --login --pin=$PIN \ + --module="$P11LIB" --id=$ID > objects.list +assert $? "Failed to list objects" +grep -q "Allowed mechanisms" objects.list +assert $? "Allowed mechanisms not in the object list" +grep -q "$MECHANISMS" objects.list +assert $? "The $MECHANISMS is not in the list" + +# Make sure we are not allowed to use forbidden mechanism +echo "data to sign (max 100 bytes)" > data +$PKCS11_TOOL --id $ID -s -p $PIN -m SHA256-RSA-PKCS --module $P11LIB \ + --input-file data --output-file data.sig &> sign.log +grep -q CKR_MECHANISM_INVALID sign.log +assert $? "It was possible to sign using non-allowed mechanism" +rm -f data{,.sig} + +echo "=======================================================" +echo "Cleanup" +echo "=======================================================" +softhsm_cleanup + +rm objects.list + +exit $ERRORS