History

Jakub Jelen 9858d05589 PKCS#11 testsuite (#1224 ) * Initial version of pkcs11 testsuite * Refactor test cases to several files, clean up awful and unused stuff * Static mechanism list based on the actual token offer * Get rid of magic numbers * Documentation * License update based on the original project * Verbose readme * Cleanup unused code, long lines and method order * Typo; More verbose errors * Use fallback mechanisms * Refactor object allocation and certificate search * PKCS11SPY mentioned, more TODO * add SHA mechanisms * Do not try to Finalize already finalized cryptoki * Add more flags and mechanisms * Do not list table for no results * Logical order of the tests (regression last) * read ALWAYS_AUTHENTICATE from correct place * ALWAYS_AUTHENTICATE for decryption * Test EC key length signature based on the actual key length * Shorten CKM_ list output, add keygen types detection * Skip decrypting on non-supported mechanisms * Fail hard if the C_Login fails * Reorganize local FLAGS_ constants * Test RSA Digest mechanisms * Correct mechanisms naming, typos * Do not attempt to do signature using empty keys * CKM_ECDSA_SHA1 support * Correct type cast when getting attributes * Report failures from all mechanisms * Standardize return values, eliminate complete fails, documentation interface * Wait for slot event test * Add switch to allow interaction with a card (WaitForSlotEvent) * At least try to verify using C_Verify, if it fails, fall back to openssl * Get rid of function_pointers * Get rid of additional newline * Share always_authenticate() function between the test cases * Refactor Encrypt&decrypt test to functions * Do not overwrite bits if they are not provided by CKA, indentation * Cleanup and Break to more functions Sign&Verify test * CKM_RSA_X_509 sign and verify with openssl padding * More TODO's * Proper abstracted padding with RSA_X_509 mechanism * Add ongoing tasks from different TODO list * Update instructions. Another todo * Variables naming * Increase mechanism list size, use different static buffers for flags and mechanism names * nonstandard mechanism CKM_SHA224_RSA_PKCS supported by some softotkens * Get rid of loop initial declarations * Loop initial declaration, typos, strict warnings * Move the p11test to the new folder to avoid problems with dynamically linked opensc.so * Update path in README * Possibility to validate the testsuite agains software tokens * Add possibility to select slot ID on command-line (when there are more cards present) * Clean up readme to reflect current options and TODOs * Do not attempt to use keys without advertised sign&verify bits to avoid false positives * Get and present more object attributes in readonly test; refactor table * New test checking if the set of attributes (usage flags) is reasonable * Test multipart signatures. There is not reasonable mechanism supporting multipart encryption * Use PKCS#11 encryption if possible (with openssl fallback) * Identify few more mechanisms (PSS) in the lest * Resize table to fit new mechanisms * Remove initial loop declaration from multipart test * Use pkcs11-tool instead of p11tool form most of the operations (master have most of the features) * Preparation for machine readable results * Refactor log variables out of the main context, try to export generic data * Do not write to non-existing FD if not logging * Export missing data into the log file in JSON * Store database in json * Sanity check * Avoid uninitialized structure fields using in state structure * Dump always_authenticate attribute too * Manual selection of slots with possibility to use slots without tokens * Do not free before finalizing * Proper cleanup of message in all cases * Proper allocation and deallocation of messages * Sanitize missing cases (memory leaks) * Suppressions for testing under valgrind * Better handling message_lengt during sign&verify (avoid invalid access) * Suppress another PCSC error * Do not use default PIN. Fail if none specified * Sanitize initialization. Skip incomplete key pairs * Add missing newline in errors * Fix condition for certificate search * Avoid several calls for attributes of zero length * Handle if the private key is not present on the card * Improve memory handling, silent GCC warning of 'unused' variable * Fail early with missing private key, cleanup the messages * Use correct padding for encryption * Cache if the card supports Verify/Encrypt and avoid trying over and over again * Loosen the condition for the Usage flags * OpenSSL 1.1.0 compatibility * Add missing mechanisms * Do not require certificates on the card and pass valid data for RSA_PKCS mechanisms * Add missing PIN argument in runtest.sh * Add OpenSSL < 1.1 comatible bits * Add SHA2 ECDSA mechanisms handling * Use public key from PKCS#11 if the certificate is missing (or compare it with certificate) * Avoid long definitions in OpenSSL compat layer * In older OpenSSL, the header file is ecdsa.h * Add missing config.h to apply compat OpenSSL layer * ASN1_STRING_get0_data() is also new in 1.1.0 * Return back RSA_X_509 mechanism * Drop bogus CKM_* in the definitions * Drop CKM_SHA224_RSA_PKCS as it is already in pkcs11.h * Update documentation * Use NDEBUG as intended * typos, cleanup * Typos, cleanup, update copyright * Additional check for OpenCryptoki, generate more key types on soft tokens * Prepare for RSA-PSS and RSA-OAEP * Use usage&result flags for the tests, gracefully ignore PSS&OAEP * pkcs11.h: Add missing definitions for PSS * PSS and OAEP tests readonly: Typos, reformat * Working version, memory leak * Tweak message lengths for OAEP and PSS * Skip tests that are not aplicable for tokens * configure.ac: New switch --enable-tests Do not attempt to build tests if cmocka is not available or --enable-tests is provided. It makes also more lightweight release builds out of the box (or with --disable-tests). * travis: Install cmocka if not available * Do not build tests on Windows and make dist pass * Try to install cmocka from apt and from brew * Do not require sudo (cmocka from apt and brew works)		2018-05-18 12:31:55 +02:00
..
Makefile.am	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
Makefile.mak	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
README.md	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
cert.cfg	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test.c	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test.supp	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test_case_common.c	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test_case_common.h	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test_case_ec_sign.c	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test_case_ec_sign.h	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test_case_mechs.c	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test_case_mechs.h	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test_case_multipart.c	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test_case_multipart.h	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test_case_pss_oaep.c	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test_case_pss_oaep.h	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test_case_readonly.c	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test_case_readonly.h	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test_case_usage.c	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test_case_usage.h	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test_case_wait.c	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test_case_wait.h	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test_common.h	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test_helpers.c	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test_helpers.h	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test_loader.c	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
p11test_loader.h	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00
runtest.sh	PKCS#11 testsuite (#1224 )	2018-05-18 12:31:55 +02:00

README.md

Non-destructive PKCS#11 test suite (not only for readonly cards)

What are the dependencies?

In addition to the dependencies needed by OpenSC, the test suite is using cmocka unit testing framework (libcmocka-devel package in Fedora/EPEL).

How to use?

Build OpenSC from source:

git clone git@github.com:Jakuje/OpenSC.git
cd OpenSC
git checkout jjelen-testsuite		# not in master yet
./bootstrap
./configure
make -j4

Plug in the card/reader, change to test directory and run the test:

cd src/tests/p11test
./p11test -p 123456

It will run all tests on the first card found in PKCS#11 API with pin 123456 and using just built OpenSC shared library from master.

I have more slots with different cards.

Slot can be selected using -s switch on command-line.

./p11test -s 4

Slot numbers can be obtained using from pkcs11-tool -L (note that different libraries might have different numbers for the slots).

I want to test different pkcs11 library

You can specify different library or build from different branch on command-line:

./p11test -m /usr/lib64/pkcs11/libcoolkeypk11.so

or to debug PKCS#11 calls using /usr/lib64/pkcs11-spy.so:

export PKCS11SPY="../pkcs11/.libs/opensc-pkcs11.so"
./p11test -m ../pkcs11/.libs/pkcs11-spy.so

You can run the test suite also on the soft tokens. The testbench for softhsm and opencryptoki is available in the script runtest.sh.

TODO:

Test CKM_ECDSA_DERIVE mechanism(s)
Read pin from environment variable?
Keygen write tests (optional)
Reflect cmocka dependency in the configure