[Cryptech-Commits] [sw/pkcs11] 01/07: Update unit tests to match new behavior: we no longer allow private keys to be stored as session objects, so test that doing so fails as expected, and update other tests to specify CKA_TOKEN = True.

git at cryptech.is git at cryptech.is
Mon Jun 13 19:47:56 UTC 2016


This is an automated email from the git hooks/post-receive script.

sra at hactrn.net pushed a commit to branch master
in repository sw/pkcs11.

commit 0a4d6f682f140026242d1b93f8ce816ca79f55ec
Author: Rob Austein <sra at hactrn.net>
AuthorDate: Fri Jun 10 15:10:23 2016 -0400

    Update unit tests to match new behavior: we no longer allow private
    keys to be stored as session objects, so test that doing so fails as
    expected, and update other tests to specify CKA_TOKEN = True.
---
 unit_tests.py | 66 ++++++++++++++++++++++++++---------------------------------
 1 file changed, 29 insertions(+), 37 deletions(-)

diff --git a/unit_tests.py b/unit_tests.py
index 3c359fb..923d108 100644
--- a/unit_tests.py
+++ b/unit_tests.py
@@ -231,41 +231,44 @@ class TestKeys(unittest.TestCase):
         self.assertEqual(p11.C_GetAttributeValue(self.session, private_handle, CKA_CLASS), {CKA_CLASS: CKO_PRIVATE_KEY})
 
     def test_keygen_token_vs_session(self):
-        self.assertIsKeypair(
-          p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_TOKEN = False,
-                                CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256,
-                                CKA_SIGN = True, CKA_VERIFY = True))
+
+        # XXX pkcs11.c currently generates the wrong error code if the
+        #     user tries to generate a keypair with the private key as
+        #     a session object.  Refusing to allow this is deliberate
+        #     (we have no way to protect such private keys), but
+        #     returning CKR_FUNCTION_FAILED is wrong.  Fixing this
+        #     will require minor work in pkcs11.c and perhaps in libhal.
+        #
+        #     For the moment, I'm just testing for the (known) wrong
+        #     exception while I make sure that the library is in fact
+        #     behaving as I expect it to behave.
+
+        with self.assertRaises(CKR_FUNCTION_FAILED):
+            p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_TOKEN = False,
+                                  CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256,
+                                  CKA_SIGN = True, CKA_VERIFY = True)
+
         self.assertIsKeypair(
           p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_TOKEN = True,
                                 CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256,
                                 CKA_SIGN = True, CKA_VERIFY = True))
+
         self.assertIsKeypair(
             p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN,
                                   public_CKA_TOKEN = False, private_CKA_TOKEN = True,
                                   CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256,
                                   CKA_SIGN = True, CKA_VERIFY = True))
-        self.assertIsKeypair(
+
+        with self.assertRaises(CKR_FUNCTION_FAILED):
             p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN,
                                   public_CKA_TOKEN = True, private_CKA_TOKEN = False,
                                   CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256,
-                                  CKA_SIGN = True, CKA_VERIFY = True))
-
-    def test_gen_sign_verify_ecdsa_p256_sha256_token(self):
-        public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_TOKEN = True,
-                                                        CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256,
-                                                        CKA_SIGN = True, CKA_VERIFY = True)
-        self.assertIsKeypair(public_key, private_key)
-        hamster = "Your mother was a hamster"
-        p11.C_SignInit(self.session, CKM_ECDSA_SHA256, private_key)
-        sig = p11.C_Sign(self.session, hamster)
-        self.assertIsInstance(sig, str)
-        p11.C_VerifyInit(self.session, CKM_ECDSA_SHA256, public_key)
-        p11.C_Verify(self.session, hamster, sig)
+                                  CKA_SIGN = True, CKA_VERIFY = True)
 
-    def test_gen_sign_verify_ecdsa_p256_sha256_session(self):
-        public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_TOKEN = False,
+    def test_gen_sign_verify_ecdsa_p256_sha256(self):
+        public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN,
                                                         CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256,
-                                                        CKA_SIGN = True, CKA_VERIFY = True)
+                                                        CKA_SIGN = True, CKA_VERIFY = True, CKA_TOKEN = True)
         self.assertIsKeypair(public_key, private_key)
         hamster = "Your mother was a hamster"
         p11.C_SignInit(self.session, CKM_ECDSA_SHA256, private_key)
@@ -278,7 +281,7 @@ class TestKeys(unittest.TestCase):
         #if not args.all_tests: self.skipTest("SHA-384 not available in current build")
         public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN,
                                                         CKA_ID = "EC-P384", CKA_EC_PARAMS = self.oid_p384,
-                                                        CKA_SIGN = True, CKA_VERIFY = True)
+                                                        CKA_SIGN = True, CKA_VERIFY = True, CKA_TOKEN = True)
         self.assertIsKeypair(public_key, private_key)
         hamster = "Your mother was a hamster"
         p11.C_SignInit(self.session, CKM_ECDSA_SHA384, private_key)
@@ -291,7 +294,7 @@ class TestKeys(unittest.TestCase):
         #if not args.all_tests: self.skipTest("SHA-512 not available in current build")
         public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN,
                                                         CKA_ID = "EC-P521", CKA_EC_PARAMS = self.oid_p521,
-                                                        CKA_SIGN = True, CKA_VERIFY = True)
+                                                        CKA_SIGN = True, CKA_VERIFY = True, CKA_TOKEN = True)
         self.assertIsKeypair(public_key, private_key)
         hamster = "Your mother was a hamster"
         p11.C_SignInit(self.session, CKM_ECDSA_SHA512, private_key)
@@ -300,7 +303,7 @@ class TestKeys(unittest.TestCase):
         p11.C_VerifyInit(self.session, CKM_ECDSA_SHA512, public_key)
         p11.C_Verify(self.session, hamster, sig)
 
-    def test_gen_sign_verify_rsa_1024_token(self):
+    def test_gen_sign_verify_rsa_1024(self):
         public_key, private_key = p11.C_GenerateKeyPair(
             self.session, CKM_RSA_PKCS_KEY_PAIR_GEN, CKA_MODULUS_BITS = 1024,
             CKA_ID = "RSA-1024", CKA_SIGN = True, CKA_VERIFY = True, CKA_TOKEN = True)
@@ -312,23 +315,11 @@ class TestKeys(unittest.TestCase):
         p11.C_VerifyInit(self.session, CKM_SHA512_RSA_PKCS, public_key)
         p11.C_Verify(self.session, hamster, sig)
 
-    def test_gen_sign_verify_rsa_1024_session(self):
-        public_key, private_key = p11.C_GenerateKeyPair(
-            self.session, CKM_RSA_PKCS_KEY_PAIR_GEN, CKA_MODULUS_BITS = 1024,
-            CKA_ID = "RSA-1024", CKA_SIGN = True, CKA_VERIFY = True, CKA_TOKEN = False)
-        self.assertIsKeypair(public_key, private_key)
-        hamster = "Your mother was a hamster"
-        p11.C_SignInit(self.session, CKM_SHA512_RSA_PKCS, private_key)
-        sig = p11.C_Sign(self.session, hamster)
-        self.assertIsInstance(sig, str)
-        p11.C_VerifyInit(self.session, CKM_SHA512_RSA_PKCS, public_key)
-        p11.C_Verify(self.session, hamster, sig)
-
     def test_gen_sign_verify_rsa_2048(self):
         if not args.all_tests: self.skipTest("RSA key generation is still painfully slow")
         public_key, private_key = p11.C_GenerateKeyPair(
             self.session, CKM_RSA_PKCS_KEY_PAIR_GEN, CKA_MODULUS_BITS = 2048,
-            CKA_ID = "RSA-2048", CKA_SIGN = True, CKA_VERIFY = True)
+            CKA_ID = "RSA-2048", CKA_SIGN = True, CKA_VERIFY = True, CKA_TOKEN = True)
         self.assertIsKeypair(public_key, private_key)
         hamster = "Your mother was a hamster"
         p11.C_SignInit(self.session, CKM_SHA512_RSA_PKCS, private_key)
@@ -387,6 +378,7 @@ class TestKeys(unittest.TestCase):
 
     def test_gen_sign_verify_reload_ecdsa_p256_sha256(self):
         public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN,
+                                                        public_CKA_TOKEN = False, private_CKA_TOKEN = True,
                                                         CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256,
                                                         CKA_SIGN = True, CKA_VERIFY = True)
         self.assertIsKeypair(public_key, private_key)



More information about the Commits mailing list