/* API Routines exercised that take /var/lock/LCK..opencryptoki spinlock.
* C_OpenSession
* C_CloseSession
*
* API routines exercised that result in stdll taking
* /var/lock/opencryptoki_stdll spinlock.
* C_CreateObject
* C_GetAttributeValue
* C_SetAttributeValue
*
* 1) create a certificate object with no CKA_SERIAL_NUMBER or CKA_ISSUER
* 2) add CKA_SERIAL_NUMBER and CKA_ISSUER and modify CKA_ID.
* verify this works.
* 3) try to modify CKA_VALUE and CKA_ID in a single call to
* C_SetAttributeValue. verify that this fails correctly and that
* the object is not modified.
*/
CK_RV do_SetAttributeValues(void)
{
CK_SLOT_ID slot_id;
CK_FLAGS flags;
CK_SESSION_HANDLE h_session;
CK_RV rc = 0, loc_rc = 0;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_BYTE true = TRUE;
CK_OBJECT_HANDLE h_cert;
CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE;
CK_CERTIFICATE_TYPE cert_type = CKC_X_509;
CK_BYTE cert_subject[] = "Certificate subject";
CK_BYTE cert_id[] = "Certificate ID";
CK_BYTE cert_value[] = "AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz";
CK_ATTRIBUTE cert_attribs[] =
{
{CKA_CLASS, &cert_class, sizeof(cert_class) },
{CKA_TOKEN, &true, sizeof(true) },
{CKA_CERTIFICATE_TYPE, &cert_type, sizeof(cert_type) },
{CKA_SUBJECT, &cert_subject, sizeof(cert_subject) },
{CKA_ID, &cert_id, sizeof(cert_id) },
{CKA_VALUE, &cert_value, sizeof(cert_value) }
};
CK_BYTE cert_id2[] = "New ID";
CK_BYTE cert_issuer[] = "Certificate Issuer";
CK_BYTE cert_ser_no[] = "Serial Number: 12345";
CK_ATTRIBUTE update_attr[] =
{
{CKA_SERIAL_NUMBER, &cert_ser_no, sizeof(cert_ser_no) },
{CKA_ISSUER, &cert_issuer, sizeof(cert_issuer) },
{CKA_ID, &cert_id2, sizeof(cert_id2) }
};
CK_BYTE cert_value2[] = "Invalid Value";
CK_BYTE cert_id3[] = "ID #3";
CK_ATTRIBUTE invalid_attr[] =
{
{CKA_VALUE, &cert_value2, sizeof(cert_value2) },
{CKA_ID, &cert_id3, sizeof(cert_id3) }
};
testcase_begin("starting...");
if (get_user_pin(user_pin))
return CKR_FUNCTION_FAILED;
user_pin_len = (CK_ULONG)strlen((char *)user_pin);
slot_id = SLOT_ID;
/* create a USER R/W session */
flags = CKF_SERIAL_SESSION | CKF_RW_SESSION;
rc = funcs->C_OpenSession(slot_id, flags, NULL, NULL, &h_session);
if (rc != CKR_OK) {
testcase_fail("C_OpenSession() rc = %s", p11_get_ckr(rc));
return rc;
}
rc = funcs->C_Login(h_session, CKU_USER, user_pin, user_pin_len);
if (rc != CKR_OK) {
testcase_fail("C_Login() rc = %s", p11_get_ckr(rc));
return rc;
}
/* create the object */
rc = funcs->C_CreateObject(h_session, cert_attribs, 6, &h_cert);
if (rc != CKR_OK) {
testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
return rc;
}
/* Add CKA_SERIAL_NUMBER and CKA_ISSUER and change the
* existing CKA_ID
*/
rc = funcs->C_SetAttributeValue(h_session, h_cert, update_attr, 3);
if (rc != CKR_OK) {
testcase_fail("C_SetAttributeValue() rc = %s", p11_get_ckr(rc));
goto done;
}
else {
CK_BYTE buf1[100];
CK_BYTE buf2[100];
CK_BYTE buf3[100];
CK_ATTRIBUTE check1[] =
{
{CKA_ISSUER, &buf1, sizeof(buf1)},
{CKA_SERIAL_NUMBER, &buf2, sizeof(buf2)},
{CKA_ID, &buf3, sizeof(buf3)}
};
rc = funcs->C_GetAttributeValue(h_session, h_cert, (CK_ATTRIBUTE *)&check1, 3);
if (rc != CKR_OK) {
testcase_fail("C_GetAttributeValue() rc = %s", p11_get_ckr(rc));
goto done;
}
if (memcmp(check1[0].pValue, cert_issuer, check1[0].ulValueLen) != 0) {
testcase_fail("CKA_ISSUER mismatch");
rc = -1;
goto done;
}
if (memcmp(check1[1].pValue, cert_ser_no, check1[1].ulValueLen) != 0) {
testcase_fail("CKA_SERIAL_NUMBER mismatch");
return -1;
}
if (memcmp(check1[2].pValue, cert_id2, check1[2].ulValueLen) != 0) {
testcase_fail("CKA_ID mismatch");
rc = -1;
goto done;
}
}
/* the next template tries to update a CK_ID (valid) and
* CKA_VALUE (read-only). the entire operation should fail -- no
* attributes should get modified
*/
rc = funcs->C_SetAttributeValue(h_session, h_cert, invalid_attr, 2);
if (rc != CKR_ATTRIBUTE_READ_ONLY) {
testcase_fail("C_SetAttributeValue() rc = %s (expected CKR_ATTRIBUTE_READ_ONLY)", p11_get_ckr(rc));
goto done;
}
else {
CK_BYTE buf1[100];
CK_ATTRIBUTE check1[] =
{
{CKA_ID, &buf1, sizeof(buf1)}
};
rc = funcs->C_GetAttributeValue(h_session, h_cert, check1, 1);
if (rc != CKR_OK) {
testcase_fail("C_GetAttributeValue() rc = %s", p11_get_ckr(rc));
goto done;
}
if (memcmp(check1[0].pValue, cert_id2, check1[0].ulValueLen) != 0) {
testcase_fail("CKA_ID mismatch");
rc = -1;
goto done;
}
}
testcase_pass("Looks okay...");
done:
/* now destroy the objects but don't clobber rc */
loc_rc = funcs->C_DestroyObject(h_session, h_cert);
if (loc_rc != CKR_OK)
testcase_error("C_DestroyObject() loc_rc = %s", p11_get_ckr(loc_rc));
/* done...close the session */
loc_rc = funcs->C_CloseAllSessions(slot_id);
if (loc_rc != CKR_OK)
testcase_error("C_CloseAllSessions() loc_rc = %s", p11_get_ckr(loc_rc));
return rc;
}
/* API Routines exercised that take /var/lock/LCK..opencryptoki spinlock.
* C_OpenSession
* C_CloseSession
*
* API routines exercised that result in stdll taking
* /var/lock/opencryptoki_stdll spinlock.
* C_CreateObject
* C_CopyObject
* C_DestroyObject
* C_GetAttributeValue
* C_GetObjectSize
*
* 1) create a data object with no CKA_APPLICATION attribute
* 2) create a copy of the object specifying the CKA_APPLICATION attribute
* 3) extract the CK_VALUE attribute from the copy. Ensure matches the original
* 4) extract the CKA_APPLICATION attribute from the original. ensure empty.
* 5) extract the CKA_APPLICATION attribute from the copy. ensure is correct.
* 6) attempt to extract CK_PRIME from the original. ensure fails correctly.
* 7) attempt to extract CK_PRIME from a non-existant object. ensure fails
* correctly.
* 8) get the size of the original object and copied objects
* 9) destroy the original object. ensure this succeeds.
* A) destroy a non-existant object. ensure this fails correctly.
* B) get the size of the original object. ensure this fails correctly.
*/
CK_RV do_CopyObject(void)
{
CK_SLOT_ID slot_id;
CK_FLAGS flags;
CK_SESSION_HANDLE h_session;
CK_RV rc = 0, loc_rc = 0;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_ULONG obj_size;
CK_BYTE true = TRUE;
CK_OBJECT_HANDLE h_data;
CK_OBJECT_CLASS data_class = CKO_DATA;
CK_BYTE data_application[] = "Test Application";
CK_BYTE data_value[] = "1234567890abcedfghijklmnopqrstuvwxyz";
CK_ATTRIBUTE data_attribs[] =
{
{CKA_CLASS, &data_class, sizeof(data_class) },
{CKA_TOKEN, &true, sizeof(true) },
{CKA_VALUE, &data_value, sizeof(data_value) }
};
CK_OBJECT_HANDLE h_copy;
CK_ATTRIBUTE copy_attribs[] =
{
{CKA_APPLICATION, &data_application, sizeof(data_application) }
};
CK_BYTE buf1[100];
CK_ATTRIBUTE verify_attribs[] =
{
{CKA_APPLICATION, &buf1, sizeof(buf1) }
};
CK_BYTE buf2[100];
CK_ATTRIBUTE prime_attribs[] =
{
{CKA_PRIME, &buf2, sizeof(buf2) }
};
testcase_begin("starting...");
if (get_user_pin(user_pin))
return CKR_FUNCTION_FAILED;
user_pin_len = (CK_ULONG)strlen((char *)user_pin);
slot_id = SLOT_ID;
/* create a USER R/W session */
flags = CKF_SERIAL_SESSION | CKF_RW_SESSION;
rc = funcs->C_OpenSession(slot_id, flags, NULL, NULL, &h_session);
if (rc != CKR_OK) {
testcase_fail("C_OpenSession() rc = %s", p11_get_ckr(rc));
return rc;
}
rc = funcs->C_Login(h_session, CKU_USER, user_pin, user_pin_len);
if (rc != CKR_OK) {
testcase_fail("C_Login() rc = %s", p11_get_ckr(rc));
return rc;
}
/* create the object */
rc = funcs->C_CreateObject(h_session, data_attribs, 3, &h_data);
if (rc != CKR_OK) {
testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
return rc;
}
/* create the copy */
rc = funcs->C_CopyObject(h_session, h_data, copy_attribs, 1, &h_copy);
if (rc != CKR_OK) {
testcase_fail("C_CopyObject() rc = %s", p11_get_ckr(rc));
goto destroy_1;
}
/* now, try to extract the CKA_APPLICATION attribute from the original
* this will pull in the token's default value for CKA_APPLICATION which
*/
verify_attribs[0].ulValueLen = sizeof(buf1);
rc = funcs->C_GetAttributeValue(h_session, h_data, verify_attribs, 1);
if (rc != CKR_OK) {
testcase_fail("C_GetAttributeValue() rc=%s", p11_get_ckr(rc));
goto destroy;
}
/* now, try to extract the CKA_APPLICATION attribute from the copy */
verify_attribs[0].ulValueLen = sizeof(buf1);
rc = funcs->C_GetAttributeValue(h_session, h_copy, verify_attribs, 1);
if (rc != CKR_OK) {
testcase_fail("C_GetAttributeValue() rc=%s", p11_get_ckr(rc));
goto destroy;
}
if (memcmp(&data_application, verify_attribs[0].pValue, sizeof(data_application)) != 0) {
testcase_fail("extracted attribute doesn't match");
rc = -1;
goto destroy;
}
/* now, try to extract CKA_PRIME from the original.
* this should not exist
*/
prime_attribs[0].ulValueLen = sizeof(buf2);
rc = funcs->C_GetAttributeValue(h_session, h_data, prime_attribs, 1);
if (rc != CKR_ATTRIBUTE_TYPE_INVALID) {
testcase_fail("C_GetAttributeValue() rc = %s (expected CKR_ATTRIBUTE_TYPE_INVALID)", p11_get_ckr(rc));
goto destroy;
}
/* now, try to extract CKA_PRIME from a bogus object handle.
* this should not exist
*/
rc = funcs->C_GetAttributeValue(h_session, 98765, prime_attribs, 1);
if (rc != CKR_OBJECT_HANDLE_INVALID) {
testcase_fail("C_GetAttributeValue() rc = %s (expected CKR_OBJECT_HANDLE_INVALID)", p11_get_ckr(rc));
goto destroy;
}
/* now, get the size of the original object */
rc = funcs->C_GetObjectSize(h_session, h_data, &obj_size);
if (rc != CKR_OK) {
testcase_fail("C_GetObjectSize() rc = %s", p11_get_ckr(rc));
goto destroy;
}
testcase_pass("Looks okay...");
destroy:
/* now, destroy the original object and the copy */
loc_rc = funcs->C_DestroyObject(h_session, h_copy);
if (loc_rc != CKR_OK)
testcase_error("C_DestroyObject() loc_rc = %s", p11_get_ckr(loc_rc));
destroy_1:
loc_rc = funcs->C_DestroyObject(h_session, h_data);
if (loc_rc != CKR_OK)
testcase_error("C_DestroyObject() loc_rc = %s", p11_get_ckr(loc_rc));
loc_rc = funcs->C_CloseAllSessions(slot_id);
if (loc_rc != CKR_OK)
testcase_error("C_CloseAllSessions() loc_rc=%s", p11_get_ckr(loc_rc));
return rc;
}
/* API Routines exercised that take /var/lock/LCK..opencryptoki spinlock.
* C_OpenSession
* C_CloseSession
*
* API Routines exercised that cause stdll to take /var/lock/opencryptoki_stdll
* spinlock.
* C_CreateObject
* C_Login
*
* 1) create a data object
* 2) create a certificate
* 3) create a key object
*/
CK_RV do_CreateSessionObject(void)
{
CK_SLOT_ID slot_id;
CK_FLAGS flags;
CK_SESSION_HANDLE h_session;
CK_RV rc = 0;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_BYTE true = TRUE;
CK_BYTE false = FALSE;
CK_OBJECT_HANDLE h_data;
CK_OBJECT_CLASS data_class = CKO_DATA;
CK_BYTE data_application[] = "Test Application";
CK_BYTE data_value[] = "1234567890abcedfghijklmnopqrstuvwxyz";
CK_ATTRIBUTE data_attribs[] =
{
{CKA_CLASS, &data_class, sizeof(data_class) },
{CKA_TOKEN, &false, sizeof(false) },
{CKA_APPLICATION, &data_application, sizeof(data_application) },
{CKA_VALUE, &data_value, sizeof(data_value) }
};
CK_OBJECT_HANDLE h_cert;
CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE;
CK_CERTIFICATE_TYPE cert_type = CKC_X_509;
CK_BYTE cert_subject[] = "Certificate subject";
CK_BYTE cert_id[] = "Certificate ID";
CK_BYTE cert_value[] = "AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz";
CK_ATTRIBUTE cert_attribs[] =
{
{CKA_CLASS, &cert_class, sizeof(cert_class) },
{CKA_TOKEN, &false, sizeof(false) },
{CKA_CERTIFICATE_TYPE, &cert_type, sizeof(cert_type) },
{CKA_SUBJECT, &cert_subject, sizeof(cert_subject) },
{CKA_ID, &cert_id, sizeof(cert_id) },
{CKA_VALUE, &cert_value, sizeof(cert_value) }
};
CK_OBJECT_HANDLE h_key;
CK_OBJECT_CLASS key_class = CKO_PUBLIC_KEY;
CK_KEY_TYPE key_type = CKK_RSA;
CK_BYTE key_modulus[] = "1234567890987654321";
CK_BYTE key_exponent[] = "123";
CK_ATTRIBUTE key_attribs[] =
{
{CKA_CLASS, &key_class, sizeof(key_class) },
{CKA_KEY_TYPE, &key_type, sizeof(key_type) },
{CKA_WRAP, &true, sizeof(true) },
{CKA_MODULUS, &key_modulus, sizeof(key_modulus) },
{CKA_PUBLIC_EXPONENT, &key_exponent, sizeof(key_exponent) }
};
testcase_begin("starting...");
if (get_user_pin(user_pin))
return CKR_FUNCTION_FAILED;
user_pin_len = (CK_ULONG)strlen((char *)user_pin);
slot_id = SLOT_ID;
// create a USER R/W session
//
flags = CKF_SERIAL_SESSION | CKF_RW_SESSION;
rc = funcs->C_OpenSession(slot_id, flags, NULL, NULL, &h_session);
if (rc != CKR_OK) {
testcase_fail("C_OpenSession() rc = %s", p11_get_ckr(rc));
return rc;
}
rc = funcs->C_Login(h_session, CKU_USER, user_pin, user_pin_len);
if (rc != CKR_OK) {
testcase_fail("C_Login() rc = %s", p11_get_ckr(rc));
return rc;
}
//
// now, create the objects
//
rc = funcs->C_CreateObject(h_session, data_attribs, 4, &h_data);
if (rc != CKR_OK) {
testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
return rc;
}
rc = funcs->C_CreateObject(h_session, cert_attribs, 6, &h_cert);
if (rc != CKR_OK) {
testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
return rc;
}
rc = funcs->C_CreateObject(h_session, key_attribs, 5, &h_key);
if (rc != CKR_OK) {
testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
return rc;
}
// done...close the session and verify the object is deleted
//
rc = funcs->C_CloseAllSessions(slot_id);
if (rc != CKR_OK) {
testcase_fail("C_CloseAllSessions() rc=%s", p11_get_ckr(rc));
return rc;
}
testcase_pass("looks okay...");
return rc;
}
/* This function should test:
* C_Sign, mechanism chosen by caller
*
* 1. Get message from test vector
* 2. Get expected signature from test vector
* 3. Sign message
* 4. Compare expected signature with actual signature
*
*/
CK_RV do_SignRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
{
int i;
CK_BYTE message[MAX_MESSAGE_SIZE];
CK_BYTE actual[MAX_SIGNATURE_SIZE];
CK_BYTE expected[MAX_SIGNATURE_SIZE];
CK_ULONG message_len, actual_len, expected_len;
CK_MECHANISM mech;
CK_OBJECT_HANDLE priv_key;
CK_SLOT_ID slot_id = SLOT_ID;
CK_SESSION_HANDLE session;
CK_FLAGS flags;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_RV rc, loc_rc;
// begin testsuite
testsuite_begin("%s Sign. ", tsuite->name);
testcase_rw_session();
testcase_user_login();
// skip tests if the slot doesn't support this mechanism **/
if (! mech_supported(slot_id, tsuite->mech.mechanism)){
testsuite_skip(tsuite->tvcount,
"Slot %u doesn't support %u",
(unsigned int) slot_id,
(unsigned int) tsuite->mech.mechanism );
goto testcase_cleanup;
}
// iterate over test vectors
for (i = 0; i < tsuite->tvcount; i++){
testcase_begin("%s Sign with test vector %d.",
tsuite->name, i);
rc = CKR_OK; // set return value
// special case for ica
// prime1, prime2, exp1, exp2, coef
// must be size mod_len/2 or smaller
// skip test if prime1, or prime2, or exp1,
// or exp2 or coef are too long
if (is_ica_token(slot_id)) {
// check sizes
if ((tsuite->tv[i].prime1_len >
(tsuite->tv[i].mod_len/2)) ||
(tsuite->tv[i].prime2_len >
(tsuite->tv[i].mod_len/2)) ||
(tsuite->tv[i].exp1_len >
(tsuite->tv[i].mod_len/2)) ||
(tsuite->tv[i].exp2_len >
(tsuite->tv[i].mod_len/2)) ||
(tsuite->tv[i].coef_len >
(tsuite->tv[i].mod_len/2))) {
testcase_skip("ICA Token cannot be used with "
"this test vector.");
continue;
}
}
// clear buffers
memset(message, 0, MAX_MESSAGE_SIZE);
memset(actual, 0, MAX_SIGNATURE_SIZE);
memset(expected, 0, MAX_SIGNATURE_SIZE);
actual_len = MAX_SIGNATURE_SIZE; // set buffer size
// get message
message_len = tsuite->tv[i].msg_len;
memcpy(message, tsuite->tv[i].msg, message_len);
// get (expected) signature
expected_len = tsuite->tv[i].sig_len;
memcpy(expected, tsuite->tv[i].sig, expected_len);
// create (private) key handle
rc = create_RSAPrivateKey(session,
tsuite->tv[i].mod,
tsuite->tv[i].pub_exp,
tsuite->tv[i].priv_exp,
tsuite->tv[i].prime1,
tsuite->tv[i].prime2,
tsuite->tv[i].exp1,
tsuite->tv[i].exp2,
tsuite->tv[i].coef,
tsuite->tv[i].mod_len,
tsuite->tv[i].pubexp_len,
tsuite->tv[i].privexp_len,
tsuite->tv[i].prime1_len,
tsuite->tv[i].prime2_len,
tsuite->tv[i].exp1_len,
tsuite->tv[i].exp2_len,
tsuite->tv[i].coef_len,
&priv_key);
if (rc != CKR_OK) {
testcase_error("create_RSAPrivateKey(), rc=%s",
p11_get_ckr(rc));
goto error;
}
// set mechanism
mech = tsuite->mech;
// initialize signing
rc = funcs->C_SignInit(session, &mech, priv_key);
if (rc != CKR_OK) {
testcase_error("C_SignInit(), rc=%s.", p11_get_ckr(rc));
goto error;
}
// do signing
rc = funcs->C_Sign(session,
message,
message_len,
actual,
&actual_len);
if (rc != CKR_OK) {
testcase_error("C_Sign(), rc=%s.", p11_get_ckr(rc));
goto error;
}
// check results
testcase_new_assertion();
if (actual_len != expected_len) {
testcase_fail("%s Sign with test vector %d failed. "
"Expected len=%ld, found len=%ld.",
tsuite->name, i, expected_len, actual_len);
}
else if (memcmp(actual, expected, expected_len)) {
testcase_fail("%s Sign with test vector %d failed. "
"Signature data does not match test vector "
"signature.", tsuite->name, i);
}
else {
testcase_pass("C_Sign.");
}
// clean up
rc = funcs->C_DestroyObject(session, priv_key);
if (rc != CKR_OK) {
testcase_error("C_DestroyObject(), rc=%s.",
p11_get_ckr(rc));
goto testcase_cleanup;
}
}
goto testcase_cleanup;
error:
loc_rc = funcs->C_DestroyObject(session, priv_key);
if (loc_rc != CKR_OK) {
testcase_error("C_DestroyObject, rc=%s.", p11_get_ckr(loc_rc));
}
testcase_cleanup:
testcase_user_logout();
loc_rc = funcs->C_CloseAllSessions(slot_id);
if (loc_rc != CKR_OK) {
testcase_error("C_CloseAllSessions, rc=%s.", p11_get_ckr(rc));
}
return rc;
}
CK_RV do_HWFeatureSearch(void)
{
unsigned int i, got_it = 0;
CK_RV rc, loc_rc;
CK_ULONG find_count;
CK_SLOT_ID slot_id;
CK_BBOOL false = FALSE;
CK_BBOOL true = TRUE;
CK_SESSION_HANDLE h_session;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
/* A counter object */
CK_OBJECT_CLASS counter1_class = CKO_HW_FEATURE;
CK_HW_FEATURE_TYPE feature1_type = CKH_MONOTONIC_COUNTER;
CK_UTF8CHAR counter1_label[] = "Monotonic counter";
CK_CHAR counter1_value[16];
CK_ATTRIBUTE counter1_template[] = {
{CKA_CLASS, &counter1_class, sizeof(counter1_class)},
{CKA_HW_FEATURE_TYPE, &feature1_type, sizeof(feature1_type)},
{CKA_LABEL, counter1_label, sizeof(counter1_label)-1},
{CKA_VALUE, counter1_value, sizeof(counter1_value)},
{CKA_RESET_ON_INIT, &true, sizeof(true)},
{CKA_HAS_RESET, &false, sizeof(false)}
};
/* A clock object */
CK_OBJECT_CLASS clock_class = CKO_HW_FEATURE;
CK_HW_FEATURE_TYPE clock_type = CKH_CLOCK;
CK_UTF8CHAR clock_label[] = "Clock";
CK_CHAR clock_value[16];
CK_ATTRIBUTE clock_template[] = {
{CKA_CLASS, &clock_class, sizeof(clock_class)},
{CKA_HW_FEATURE_TYPE, &clock_type, sizeof(clock_type)},
{CKA_LABEL, clock_label, sizeof(clock_label)-1},
{CKA_VALUE, clock_value, sizeof(clock_value)}
};
/* A data object */
CK_OBJECT_CLASS obj1_class = CKO_DATA;
CK_UTF8CHAR obj1_label[] = "Object 1";
CK_BYTE obj1_data[] = "Object 1's data";
CK_ATTRIBUTE obj1_template[] = {
{CKA_CLASS, &obj1_class, sizeof(obj1_class)},
{CKA_TOKEN, &true, sizeof(true)},
{CKA_LABEL, obj1_label, sizeof(obj1_label)-1},
{CKA_VALUE, obj1_data, sizeof(obj1_data)}
};
/* A secret key object */
CK_OBJECT_CLASS obj2_class = CKO_SECRET_KEY;
CK_KEY_TYPE obj2_type = CKK_AES;
CK_UTF8CHAR obj2_label[] = "Object 2";
CK_BYTE obj2_data[AES_KEY_SIZE_128];
CK_ATTRIBUTE obj2_template[] = {
{CKA_CLASS, &obj2_class, sizeof(obj2_class)},
{CKA_TOKEN, &true, sizeof(true)},
{CKA_KEY_TYPE, &obj2_type, sizeof(obj2_type)},
{CKA_LABEL, obj2_label, sizeof(obj2_label)-1},
{CKA_VALUE, obj2_data, sizeof(obj2_data)}
};
CK_OBJECT_HANDLE h_counter1,
h_clock,
h_obj1,
h_obj2,
obj_list[10];
CK_ATTRIBUTE find_tmpl[] = {
{CKA_CLASS, &counter1_class, sizeof(counter1_class)}
};
slot_id = SLOT_ID;
testcase_begin("starting...");
if (get_user_pin(user_pin))
return CKR_FUNCTION_FAILED;
user_pin_len = (CK_ULONG)strlen((char *)user_pin);
/* Open a session with the token */
if( (rc = funcs->C_OpenSession(slot_id,
(CKF_SERIAL_SESSION|CKF_RW_SESSION),
NULL_PTR,
NULL_PTR,
&h_session)) != CKR_OK ) {
testcase_fail("C_OpenSession() rc = %s", p11_get_ckr(rc));
return rc;
}
// Login correctly
rc = funcs->C_Login(h_session, CKU_USER, user_pin, user_pin_len);
if( rc != CKR_OK ) {
testcase_fail("C_Login() rc = %s", p11_get_ckr(rc));
goto session_close;
}
/* Create the 3 test objects */
if( (rc = funcs->C_CreateObject(h_session, obj1_template, 4, &h_obj1)) != CKR_OK) {
testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
goto session_close;
}
if( (rc = funcs->C_CreateObject(h_session, obj2_template, 5, &h_obj2)) != CKR_OK) {
testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
goto destroy_1;
}
/* try and create a monotonic object. This should fail
* since it is a read only feature.
*/
if( (rc = funcs->C_CreateObject(h_session, counter1_template, 6, &h_counter1)) != CKR_ATTRIBUTE_READ_ONLY) {
testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
goto destroy_2;
}
if( (rc = funcs->C_CreateObject(h_session, clock_template, 4, &h_clock)) != CKR_OK) {
testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
goto destroy_2;
}
/* Now find the hardware feature objects */
rc = funcs->C_FindObjectsInit(h_session, find_tmpl, 1 );
if (rc != CKR_OK) {
testcase_fail("C_FindObjectsInit() rc = %s", p11_get_ckr(rc));
goto destroy;
}
rc = funcs->C_FindObjects(h_session, obj_list, 10, &find_count );
if (rc != CKR_OK) {
testcase_fail("C_FindObjects() rc = %s", p11_get_ckr(rc));
goto destroy;
}
got_it = 0;
/* Make sure we got the right ones */
for(i=0; i < find_count; i++) {
if(obj_list[i] == h_clock) {
got_it++;
}
}
if (got_it != 1) {
testcase_fail("could not find the corect object handle");
rc = -1;
goto destroy;
}
rc = funcs->C_FindObjectsFinal(h_session );
if (rc != CKR_OK) {
testcase_fail("C_FindObjectsFinal() rc = %s", p11_get_ckr(rc));
}
testcase_pass("Looks okay...");
destroy:
/* Destroy the created objects, don't clobber the rc */
loc_rc = funcs->C_DestroyObject(h_session, h_clock);
if( loc_rc != CKR_OK )
testcase_error("C_DestroyObject() rc = %s", p11_get_ckr(loc_rc));
destroy_2:
loc_rc = funcs->C_DestroyObject(h_session, h_obj2);
if( loc_rc != CKR_OK )
testcase_error("C_DestroyObject() rc = %s", p11_get_ckr(loc_rc));
destroy_1:
loc_rc = funcs->C_DestroyObject(h_session, h_obj1);
if( loc_rc != CKR_OK )
testcase_error("C_DestroyObject() rc = %s", p11_get_ckr(loc_rc));
loc_rc = funcs->C_Logout(h_session);
if( loc_rc != CKR_OK )
testcase_error("C_Logout() rc = %s", p11_get_ckr(loc_rc));
session_close:
/* Close the session */
if( (loc_rc = funcs->C_CloseSession(h_session)) != CKR_OK )
testcase_error("C_CloseSession() rc = %s", p11_get_ckr(loc_rc));
return rc;
}
/* This function should test:
* RSA Key Generation, CKM_RSA_PKCS_KEY_PAIR_GEN
* RSA Encryption, mechanism chosen by caller
* RSA Decryption, mechanism chosen by caller
*
* 1. Generate RSA Key Pair
* 2. Generate plaintext
* 3. Encrypt plaintext
* 4. Decrypt encrypted data
* 5. Compare plaintext with decrypted data
*
*/
CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
{
int i, j;
CK_BYTE original[BIG_REQUEST];
CK_ULONG original_len;
CK_BYTE crypt[BIG_REQUEST];
CK_ULONG crypt_len;
CK_BYTE decrypt[BIG_REQUEST];
CK_ULONG decrypt_len;
CK_MECHANISM mech;
CK_OBJECT_HANDLE publ_key, priv_key;
CK_SLOT_ID slot_id = SLOT_ID;
CK_SESSION_HANDLE session;
CK_FLAGS flags;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_RV rc, loc_rc;
char *s;
// begin testsuite
testsuite_begin("%s Encrypt Decrypt.", tsuite->name);
testcase_rw_session();
testcase_user_login();
// skip tests if the slot doesn't support this mechanism
if (! mech_supported(slot_id, tsuite->mech.mechanism)) {
testsuite_skip(tsuite->tvcount,
"Slot %u doesn't support %u",
(unsigned int) slot_id,
(unsigned int) tsuite->mech.mechanism );
goto testcase_cleanup;
}
// iterate over test vectors
for (i = 0; i < tsuite->tvcount; i++) {
// get public exponent from test vector
if ( p11_ahex_dump(&s, tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len) == NULL) {
testcase_error("p11_ahex_dump() failed");
rc = -1;
goto testcase_cleanup;
}
// begin testcase
testcase_begin("%s Encrypt and Decrypt with test vector %d."
"\npubl_exp='%s', modbits=%ld, publ_exp_len=%ld, "
"inputlen=%ld.", tsuite->name, i, s,
tsuite->tv[i].modbits,
tsuite->tv[i].publ_exp_len,
tsuite->tv[i].inputlen);
rc = CKR_OK; // set rc
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
tsuite->tv[i].modbits)) {
testcase_skip("Token in slot %ld cannot be used with "
"modbits.='%ld'",
SLOT_ID,tsuite->tv[i].modbits);
continue;
}
if (is_ep11_token(slot_id)) {
if (! is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
testcase_skip("EP11 Token cannot "
"be used with publ_exp.='%s'",s);
continue;
}
}
// cca special cases:
// cca token can only use the following public exponents
// 0x03 or 0x010001 (65537)
// so skip test if invalid public exponent is used
if (is_cca_token(slot_id)) {
if (! is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len) ) {
testcase_skip("CCA Token cannot "
"be used with publ_exp.='%s'",s);
continue;
}
}
// tpm special cases:
// tpm token can only use public exponent 0x010001 (65537)
// so skip test if invalid public exponent is used
if (is_tpm_token(slot_id)) {
if ((! is_valid_tpm_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len) ) || (! is_valid_tpm_modbits(tsuite->tv[i].modbits))) {
testcase_skip("TPM Token cannot "
"be used with publ_exp.='%s'",s);
continue;
}
}
free(s);
// clear buffers
memset(original, 0, BIG_REQUEST);
memset(crypt, 0, BIG_REQUEST);
memset(decrypt, 0, BIG_REQUEST);
// get test vector parameters
original_len = tsuite->tv[i].inputlen;
// generate key pair
rc = generate_RSA_PKCS_KeyPair(session,
tsuite->tv[i].modbits,
tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len,
&publ_key,
&priv_key);
if (rc != CKR_OK) {
testcase_error("generate_RSA_PKCS_KeyPair(), "
"rc=%s", p11_get_ckr(rc));
goto error;
}
// generate plaintext
for (j = 0; j < original_len; j++) {
original[j] = (j + 1) % 255;
}
// set cipher buffer length
crypt_len = BIG_REQUEST;
decrypt_len = BIG_REQUEST;
// get mech
mech = tsuite->mech;
// initialize (public key) encryption
rc = funcs->C_EncryptInit(session, &mech, publ_key);
if (rc != CKR_OK) {
testcase_error("C_EncryptInit, rc=%s", p11_get_ckr(rc));
}
// do (public key) encryption
rc = funcs->C_Encrypt(session,
original,
original_len,
crypt,
&crypt_len);
if (rc != CKR_OK) {
testcase_error("C_Encrypt, rc=%s", p11_get_ckr(rc));
goto error;
}
// initialize (private key) decryption
rc = funcs->C_DecryptInit(session, &mech, priv_key);
if (rc != CKR_OK) {
testcase_error("C_DecryptInit, rc=%s", p11_get_ckr(rc));
goto error;
}
// do (private key) decryption
rc = funcs->C_Decrypt(session,
crypt,
crypt_len,
decrypt,
&decrypt_len);
if (rc != CKR_OK) {
testcase_error("C_Decrypt, rc=%s", p11_get_ckr(rc));
goto error;
}
// FIXME: there shouldn't be any padding here
// remove padding if mech is CKM_RSA_X_509
if (mech.mechanism == CKM_RSA_X_509) {
memmove(decrypt,
decrypt + decrypt_len - original_len,
original_len);
decrypt_len = original_len;
}
// check results
testcase_new_assertion();
if (decrypt_len != original_len) {
testcase_fail("decrypted length does not match"
"original data length.\n expected length = %ld,"
"but found length=%ld.\n",
original_len, decrypt_len);
}
else if (memcmp(decrypt, original, original_len)) {
testcase_fail("decrypted data does not match "
"original data.");
}
else {
testcase_pass("C_Encrypt and C_Decrypt.");
}
// clean up
rc = funcs->C_DestroyObject(session, publ_key);
if (rc != CKR_OK) {
testcase_error("C_DestroyObject(), rc=%s.",
p11_get_ckr(rc));
goto error;
}
rc = funcs->C_DestroyObject(session, priv_key);
if (rc != CKR_OK) {
testcase_error("C_DestroyObject(), rc=%s.",
p11_get_ckr(rc));
goto error;
}
}
goto testcase_cleanup;
error:
loc_rc = funcs->C_DestroyObject(session, publ_key);
if (loc_rc != CKR_OK) {
testcase_error("C_DestroyObject(), rc=%s.",
p11_get_ckr(loc_rc));
}
loc_rc = funcs->C_DestroyObject(session, priv_key);
if (loc_rc != CKR_OK) {
testcase_error("C_DestroyObject(), rc=%s.",
p11_get_ckr(loc_rc));
}
testcase_cleanup:
testcase_user_logout();
loc_rc = funcs->C_CloseAllSessions(slot_id);
if (loc_rc != CKR_OK) {
testcase_error("C_CloseAllSessions, rc=%s",
p11_get_ckr(loc_rc));
}
return rc;
}
/* This function should test:
* RSA Key Generation, using CKM_PKCS_KEY_PAIR_GEN
* RSA Public-Key Wrap
* RSA Private-Key Unwrap
*
*/
CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
{
int i = 0, j = 0;
CK_OBJECT_HANDLE publ_key, priv_key, secret_key, unwrapped_key;
CK_BYTE_PTR wrapped_key = NULL;
CK_ULONG wrapped_keylen, unwrapped_keylen;
CK_MECHANISM wrap_mech, keygen_mech, mech;
CK_BYTE clear[32];
CK_BYTE cipher[32];
CK_BYTE re_cipher[32];
CK_ULONG cipher_len = 32;
CK_ULONG re_cipher_len = 32;
char *s;
CK_SESSION_HANDLE session;
CK_FLAGS flags;
CK_SLOT_ID slot_id = SLOT_ID;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_RV rc, loc_rc;
// begin test suite
testsuite_begin("%s Wrap Unwrap.", tsuite->name);
testcase_rw_session();
testcase_user_login();
// skip all tests if the slot doesn't support this mechanism
if (! mech_supported(slot_id, tsuite->mech.mechanism)){
testsuite_skip(tsuite->tvcount,
"Slot %u doesn't support %u",
(unsigned int) slot_id,
(unsigned int) tsuite->mech.mechanism );
goto testcase_cleanup;
}
// skip all tests if the slot doesn't support wrapping
else if (! wrap_supported(slot_id, tsuite->mech)) {
testsuite_skip(tsuite->tvcount,
"Slot %u doesn't support key wrapping",
(unsigned int) slot_id);
goto testcase_cleanup;
}
// skip all tests if the slot doesn't support unwrapping
else if (! unwrap_supported(slot_id, tsuite->mech)) {
testsuite_skip(tsuite->tvcount,
"Slot %u doesn't support key unwrapping",
(unsigned int) slot_id);
goto testcase_cleanup;
}
for (i = 0; i < tsuite->tvcount; i++) {
// wrap templates & unwrap templates
CK_ATTRIBUTE unwrap_tmpl[] = {
{CKA_CLASS, NULL, 0},
{CKA_KEY_TYPE, NULL, 0},
{CKA_VALUE_LEN, NULL, 0}
};
CK_ULONG unwrap_tmpl_len;
// get public exponent from test vector
if ( p11_ahex_dump(&s, tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len) == NULL) {
testcase_error("p11_ahex_dump() failed");
rc = -1;
goto testcase_cleanup;
}
// begin test
testcase_begin("%s Wrap Unwrap with test vector %d, "
"\npubl_exp='%s', mod_bits='%lu', keylen='%lu', "
"keytype='%s'", tsuite->name, i, s,
tsuite->tv[i].modbits,
tsuite->tv[i].keylen,
p11_get_ckm(tsuite->tv[i].keytype.mechanism));
// free memory
free(s);
// get key gen mechanism
keygen_mech = tsuite->tv[i].keytype;
// get wrapping mechanism
wrap_mech = tsuite->mech;
// skip this test if the slot doesn't support this
// keygen mechanism
if (! mech_supported(slot_id,
keygen_mech.mechanism)) {
testcase_skip();
continue;
}
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
tsuite->tv[i].modbits)) {
testcase_skip("Token in slot %ld cannot be used with "
"modbits.='%ld'",
SLOT_ID,tsuite->tv[i].modbits);
continue;
}
if (is_ep11_token(slot_id)) {
if (! is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
testcase_skip("EP11 Token cannot "
"be used with publ_exp.='%s'",s);
continue;
}
}
// initialize buffer lengths
wrapped_keylen = PKCS11_MAX_PIN_LEN;
// generate RSA key pair
rc = generate_RSA_PKCS_KeyPair(session,
tsuite->tv[i].modbits,
tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len,
&publ_key,
&priv_key);
if (rc != CKR_OK) {
testcase_error("C_GenerateKeyPair() rc = %s",
p11_get_ckr(rc));
goto testcase_cleanup;
}
// generate secret key
rc = generate_SecretKey(session,
tsuite->tv[i].keylen,
&keygen_mech,
&secret_key);
if (rc != CKR_OK) {
testcase_error("generate_SecretKey(), rc=%s",
p11_get_ckr(rc));
goto error;
}
// extract CKA_CLASS and CKA_KEY_TYPE from generated key
// we will use this for unwrapping
// extract sizes first
rc = funcs->C_GetAttributeValue(session,
secret_key,
unwrap_tmpl,
2);
if (rc != CKR_OK) {
testcase_error("C_GetAttributeValue(), rc=%s",
p11_get_ckr(rc));
goto error;
}
// allocate memory for extraction
unwrap_tmpl[0].pValue = calloc(sizeof(CK_BYTE),
unwrap_tmpl[0].ulValueLen);
unwrap_tmpl[1].pValue = calloc(sizeof(CK_BYTE),
unwrap_tmpl[1].ulValueLen);
if ( (unwrap_tmpl[0].pValue == NULL) ||
(unwrap_tmpl[1].pValue == NULL) ) {
testcase_error("Error allocating %lu bytes"
"for unwrap template attributes",
unwrap_tmpl[0].ulValueLen +
unwrap_tmpl[1].ulValueLen);
rc = -1;
goto error;
}
// now extract values
rc = funcs->C_GetAttributeValue(session,
secret_key,
unwrap_tmpl,
2);
if (rc != CKR_OK) {
testcase_error("C_GetAttributeValue(), rc=%s",
p11_get_ckr(rc));
goto error;
}
// wrap key (length only)
rc = funcs->C_WrapKey(session,
&wrap_mech,
publ_key,
secret_key,
NULL,
&wrapped_keylen);
if (rc != CKR_OK) {
testcase_error("C_WrapKey(), rc=%s.",
p11_get_ckr(rc));
goto error;
}
// allocate memory for wrapped_key
wrapped_key = calloc(sizeof(CK_BYTE), wrapped_keylen);
if (wrapped_key == NULL) {
testcase_error("Can't allocate memory "
"for %lu bytes.",
sizeof(CK_BYTE) * wrapped_keylen);
rc = -1;
goto error;
}
// wrap key
rc = funcs->C_WrapKey(session,
&wrap_mech,
publ_key,
secret_key,
wrapped_key,
&wrapped_keylen);
if (rc != CKR_OK) {
testcase_error("C_WrapKey, rc=%s", p11_get_ckr(rc));
goto error;
}
unwrapped_keylen = tsuite->tv[i].keylen;
// variable key length specific case:
// According to PKCS#11 v2.2 section 12.1.12
// CKM_RSA_X_509 does not wrap the key type, key length,
// or any other information about the key; the application
// must convey these separately, and supply them when
// unwrapping the key.
if (((keygen_mech.mechanism == CKM_AES_KEY_GEN) ||
(keygen_mech.mechanism == CKM_GENERIC_SECRET_KEY_GEN)) &&
(wrap_mech.mechanism == CKM_RSA_X_509)) {
unwrapped_keylen = tsuite->tv[i].keylen;
unwrap_tmpl[2].type = CKA_VALUE_LEN;
unwrap_tmpl[2].ulValueLen = sizeof(unwrapped_keylen);
unwrap_tmpl[2].pValue = &unwrapped_keylen;
unwrap_tmpl_len = 3;
}
else {
unwrap_tmpl_len = 2;
}
// unwrap key
rc = funcs->C_UnwrapKey(session,
&wrap_mech,
priv_key,
wrapped_key,
wrapped_keylen,
unwrap_tmpl,
unwrap_tmpl_len,
&unwrapped_key);
if (rc != CKR_OK) {
testcase_error("C_UnwrapKey, rc=%s",
p11_get_ckr(rc));
goto error;
}
testcase_new_assertion();
// encode/decode with secrect key and peer secret key
for (j = 0; j < 32; j++)
clear[j] = j;
switch (keygen_mech.mechanism) {
case CKM_AES_KEY_GEN:
mech.mechanism = CKM_AES_ECB;
break;
case CKM_GENERIC_SECRET_KEY_GEN:
case CKM_DES3_KEY_GEN:
mech.mechanism = CKM_DES3_ECB;
break;
case CKM_DES_KEY_GEN:
mech.mechanism = CKM_DES_ECB;
break;
case CKM_CDMF_KEY_GEN:
mech.mechanism = CKM_CDMF_ECB;
break;
default:
testcase_error("unknowm mech");
goto error;
}
mech.ulParameterLen = 0;
mech.pParameter = NULL;
rc = funcs->C_EncryptInit(session, &mech, secret_key);
if (rc != CKR_OK) {
testcase_error("C_EncryptInit secret_key: rc = %s",
p11_get_ckr(rc));
goto error;
}
rc = funcs->C_Encrypt(session, clear, 32, cipher, &cipher_len);
if (rc != CKR_OK) {
testcase_error("C_Encrypt secret_key: rc = %s",
p11_get_ckr(rc));
goto error;
}
rc = funcs->C_DecryptInit(session,&mech,unwrapped_key);
if (rc != CKR_OK) {
testcase_error("C_DecryptInit unwrapped_key: rc = %s",
p11_get_ckr(rc));
goto error;
}
rc = funcs->C_Decrypt(session, cipher, cipher_len, re_cipher,
&re_cipher_len);
if (rc != CKR_OK) {
testcase_error("C_Decrypt unwrapped_key: rc = %s",
p11_get_ckr(rc));
testcase_fail("Unwrapped key differs in CKA_VALUE.");
goto error;
}
if (memcmp(clear, re_cipher, 32) != 0) {
testcase_fail("ERROR:data mismatch\n");
goto error;
} else
testcase_pass("C_Wrap and C_Unwrap.");
// clean up
if (wrapped_key)
free(wrapped_key);
rc = funcs->C_DestroyObject(session, secret_key);
if (rc != CKR_OK) {
testcase_error("C_DestroyObject(), rc=%s.",
p11_get_ckr(rc));
goto testcase_cleanup;
}
rc = funcs->C_DestroyObject(session, publ_key);
if (rc != CKR_OK) {
testcase_error("C_DestroyObject(), rc=%s.",
p11_get_ckr(rc));
goto testcase_cleanup;
}
rc = funcs->C_DestroyObject(session, priv_key);
if (rc != CKR_OK) {
testcase_error("C_DestroyObject(), rc=%s.",
p11_get_ckr(rc));
goto testcase_cleanup;
}
}
goto testcase_cleanup;
error:
if (wrapped_key)
free(wrapped_key);
funcs->C_DestroyObject(session, secret_key);
funcs->C_DestroyObject(session, publ_key);
funcs->C_DestroyObject(session, priv_key);
testcase_cleanup:
testcase_user_logout();
loc_rc = funcs->C_CloseAllSessions(slot_id);
if (loc_rc != CKR_OK) {
testcase_error("C_CloseAllSessions(), rc=%s.",
p11_get_ckr(rc));
}
return rc;
}
/* This function should test:
* C_Verify, mechanism chosen by caller
*
* 1. Get message from test vector
* 2. Get signature from test vector
* 3. Verify signature
*
*/
CK_RV do_VerifyRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
{
int i;
CK_BYTE actual[MAX_SIGNATURE_SIZE];
CK_BYTE message[MAX_MESSAGE_SIZE];
CK_ULONG message_len;
CK_BYTE signature[MAX_SIGNATURE_SIZE];
CK_ULONG signature_len;
CK_MECHANISM mech;
CK_OBJECT_HANDLE publ_key;
CK_SLOT_ID slot_id = SLOT_ID;
CK_SESSION_HANDLE session;
CK_FLAGS flags;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_RV rc, loc_rc;
// begin testsuite
testsuite_begin("%s Verify.", tsuite->name);
testcase_rw_session();
testcase_user_login();
// skip tests if the slot doesn't support this mechanism
if (! mech_supported(slot_id, tsuite->mech.mechanism)){
testsuite_skip(tsuite->tvcount,
"Slot %u doesn't support %u",
(unsigned int) slot_id,
(unsigned int) tsuite->mech.mechanism );
goto testcase_cleanup;
}
// iterate over test vectors
for (i = 0; i < tsuite->tvcount; i++){
testcase_begin("%s Verify with test vector %d.",
tsuite->name, i);
rc = CKR_OK; // set return value
// clear buffers
memset(message, 0, MAX_MESSAGE_SIZE);
memset(signature, 0, MAX_SIGNATURE_SIZE);
memset(actual, 0, MAX_SIGNATURE_SIZE);
// get message
message_len = tsuite->tv[i].msg_len;
memcpy(message, tsuite->tv[i].msg, message_len);
// get signature
signature_len = tsuite->tv[i].sig_len;
memcpy(signature, tsuite->tv[i].sig, signature_len);
// create (public) key handle
rc = create_RSAPublicKey(session,
tsuite->tv[i].mod,
tsuite->tv[i].pub_exp,
tsuite->tv[i].mod_len,
tsuite->tv[i].pubexp_len,
&publ_key);
if (rc != CKR_OK) {
testcase_error("create_RSAPublicKey(), rc=%s",
p11_get_ckr(rc));
goto error;
}
// set mechanism
mech = tsuite->mech;
// initialize verify
rc = funcs->C_VerifyInit(session, &mech, publ_key);
if (rc != CKR_OK) {
testcase_error("C_VerifyInit(), rc=%s",
p11_get_ckr(rc));
goto error;
}
// do verify
rc = funcs->C_Verify(session,
message,
message_len,
signature,
signature_len);
// check result
testcase_new_assertion();
if (rc == CKR_OK){
testcase_pass("C_Verify.");
}
else {
testcase_fail("%s Sign Verify with test vector %d "
"failed.", tsuite->name, i);
}
// clean up
rc = funcs->C_DestroyObject(session, publ_key);
if (rc != CKR_OK) {
testcase_error("C_DestroyObject(), rc=%s.",
p11_get_ckr(rc));
goto testcase_cleanup;
}
}
goto testcase_cleanup;
error:
loc_rc = funcs->C_DestroyObject(session, publ_key);
if (loc_rc != CKR_OK) {
testcase_error("C_DestroyObject(), rc=%s.",
p11_get_ckr(loc_rc));
}
testcase_cleanup:
testcase_user_logout();
rc = funcs->C_CloseAllSessions(slot_id);
if (rc != CKR_OK) {
testcase_error("C_CloseAllSessions rc=%s", p11_get_ckr(rc));
}
return rc;
}
/* This function should test:
* RSA Key Generation, usign CKM_RSA_PKCS_KEY_PAIR_GEN
* RSA Sign, mechanism chosen by caller
* RSA Verify, mechanism chosen by caller
*
* 1. Generate RSA Key Pair
* 2. Generate message
* 3. Sign message
* 4. Verify signature
*
*/
CK_RV do_SignVerifyRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
{
int i; // test vector index
int j; // message byte index
CK_BYTE message[MAX_MESSAGE_SIZE];
CK_ULONG message_len;
CK_BYTE signature[MAX_SIGNATURE_SIZE];
CK_ULONG signature_len;
CK_MECHANISM mech;
CK_OBJECT_HANDLE publ_key, priv_key;
CK_SLOT_ID slot_id = SLOT_ID;
CK_SESSION_HANDLE session;
CK_FLAGS flags;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_RV rc, loc_rc;
char *s;
// begin testsuite
testsuite_begin("%s Sign Verify.", tsuite->name);
testcase_rw_session();
testcase_user_login();
// skip tests if the slot doesn't support this mechanism
if (! mech_supported(slot_id, tsuite->mech.mechanism)){
testsuite_skip(tsuite->tvcount,
"Slot %u doesn't support %u",
(unsigned int) slot_id,
(unsigned int) tsuite->mech.mechanism );
goto testcase_cleanup;
}
// iterate over test vectors
for (i = 0; i < tsuite->tvcount; i++){
// get public exponent from test vector
if ( p11_ahex_dump(&s, tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len) == NULL) {
testcase_error("p11_ahex_dump() failed");
rc = -1;
goto testcase_cleanup;
}
// begin test
testcase_begin("%s Sign and Verify with test vector %d, "
"\npubl_exp='%s', mod_bits='%lu', keylen='%lu'.",
tsuite->name, i, s,
tsuite->tv[i].modbits,
tsuite->tv[i].keylen);
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
tsuite->tv[i].modbits)) {
testcase_skip("Token in slot %ld cannot be used with "
"modbits.='%ld'",
SLOT_ID,tsuite->tv[i].modbits);
continue;
}
if (is_ep11_token(slot_id)) {
if (! is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
testcase_skip("EP11 Token cannot "
"be used with publ_exp.='%s'",s);
continue;
}
}
if (is_cca_token(slot_id)) {
if (! is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
testcase_skip("CCA Token cannot "
"be used with publ_exp='%s'.",s);
continue;
}
}
if (is_tpm_token(slot_id)) {
if ((! is_valid_tpm_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) || (!is_valid_tpm_modbits(tsuite->tv[i].modbits))) {
testcase_skip("TPM Token cannot "
"be used with publ_exp='%s'.",s);
continue;
}
}
// free memory
free(s);
rc = CKR_OK; // set rc
// clear buffers
memset(message, 0, MAX_MESSAGE_SIZE);
memset(signature, 0, MAX_SIGNATURE_SIZE);
// get test vector parameters
message_len = tsuite->tv[i].inputlen;
// generate key pair
rc = generate_RSA_PKCS_KeyPair(session,
tsuite->tv[i].modbits,
tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len,
&publ_key,
&priv_key);
if (rc != CKR_OK) {
testcase_error("generate_RSA_PKCS_KeyPair(), "
"rc=%s", p11_get_ckr(rc));
goto error;
}
// generate message
for (j = 0; j < message_len; j++) {
message[j] = (j + 1) % 255;
}
// get mech
mech = tsuite->mech;
// initialize Sign (length only)
rc = funcs->C_SignInit(session,
&mech,
priv_key);
if (rc != CKR_OK){
testcase_error("C_SignInit(), rc=%s", p11_get_ckr(rc));
goto error;
}
// set buffer size
signature_len = MAX_SIGNATURE_SIZE;
// do Sign
rc = funcs->C_Sign(session,
message,
message_len,
signature,
&signature_len);
if (rc != CKR_OK) {
testcase_error("C_Sign(), rc=%s signature len=%ld",
p11_get_ckr(rc), signature_len);
goto error;
}
// initialize Verify
rc = funcs->C_VerifyInit(session,
&mech,
publ_key);
if (rc != CKR_OK) {
testcase_error("C_VerifyInit(), rc=%s",
p11_get_ckr(rc));
}
// do Verify
rc = funcs->C_Verify(session,
message,
message_len,
signature,
signature_len);
// check results
testcase_new_assertion();
if (rc == CKR_OK) {
testcase_pass("C_Verify.");
}
else {
testcase_fail("C_Verify(), rc=%s", p11_get_ckr(rc));
}
// clean up
rc = funcs->C_DestroyObject(session, publ_key);
if (rc != CKR_OK) {
testcase_error("C_DestroyObject(), rc=%s.",
p11_get_ckr(rc));
}
rc = funcs->C_DestroyObject(session, priv_key);
if (rc != CKR_OK) {
testcase_error("C_DestroyObject(), rc=%s.",
p11_get_ckr(rc));
}
}
goto testcase_cleanup;
error:
loc_rc = funcs->C_DestroyObject(session, publ_key);
if (loc_rc != CKR_OK) {
testcase_error("C_DestroyObject, rc=%s.", p11_get_ckr(loc_rc));
}
loc_rc = funcs->C_DestroyObject(session, priv_key);
if (loc_rc != CKR_OK) {
testcase_error("C_DestroyObject, rc=%s.", p11_get_ckr(loc_rc));
}
testcase_cleanup:
testcase_user_logout();
rc = funcs->C_CloseAllSessions(slot_id);
if (rc != CKR_OK) {
testcase_error("C_CloesAllSessions, rc=%s", p11_get_ckr(rc));
}
return rc;
}
/* This function should test:
* RSA Key Generation, using CKM_PKCS_KEY_PAIR_GEN
* RSA Public-Key Wrap
* RSA Private-Key Unwrap
*
*/
CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
{
int i;
CK_OBJECT_HANDLE publ_key, priv_key, secret_key, unwrapped_key;
CK_BYTE_PTR wrapped_key;
CK_ULONG wrapped_keylen, unwrapped_keylen;
CK_MECHANISM wrap_mech, keygen_mech;
char *s;
CK_SESSION_HANDLE session;
CK_FLAGS flags;
CK_SLOT_ID slot_id = SLOT_ID;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_RV rc, loc_rc;
// begin test suite
testsuite_begin("%s Wrap Unwrap.", tsuite->name);
testcase_rw_session();
testcase_user_login();
// skip all tests if the slot doesn't support this mechanism
if (! mech_supported(slot_id, tsuite->mech.mechanism)){
testsuite_skip(tsuite->tvcount,
"Slot %u doesn't support %u",
(unsigned int) slot_id,
(unsigned int) tsuite->mech.mechanism );
goto testcase_cleanup;
}
// skip all tests if the slot doesn't support wrapping
else if (! wrap_supported(slot_id, tsuite->mech)) {
testsuite_skip(tsuite->tvcount,
"Slot %u doesn't support key wrapping",
(unsigned int) slot_id);
goto testcase_cleanup;
}
// skip all tests if the slot doesn't support unwrapping
else if (! unwrap_supported(slot_id, tsuite->mech)) {
testsuite_skip(tsuite->tvcount,
"Slot %u doesn't support key unwrapping",
(unsigned int) slot_id);
goto testcase_cleanup;
}
for (i = 0; i < tsuite->tvcount; i++) {
// wrap templates & unwrap templates
CK_ATTRIBUTE secret_value[] = {
{CKA_VALUE, NULL, 0}
};
CK_ATTRIBUTE unwrapped_value[] = {
{CKA_VALUE, NULL, 0}
};
CK_ULONG s_valuelen = 0;
CK_ATTRIBUTE secret_value_len[] = {
{CKA_VALUE_LEN,
&s_valuelen,
sizeof(s_valuelen)}
};
CK_ULONG u_valuelen = 0;
CK_ATTRIBUTE unwrapped_value_len[] = {
{CKA_VALUE_LEN,
&u_valuelen,
sizeof(u_valuelen)}
};
CK_ATTRIBUTE unwrap_tmpl[] = {
{CKA_CLASS, NULL, 0},
{CKA_KEY_TYPE, NULL, 0},
{CKA_VALUE_LEN, NULL, 0}
};
CK_ULONG unwrap_tmpl_len;
// get public exponent from test vector
if ( p11_ahex_dump(&s, tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len) == NULL) {
testcase_error("p11_ahex_dump() failed");
rc = -1;
goto testcase_cleanup;
}
// begin test
testcase_begin("%s Wrap Unwrap with test vector %d, "
"\npubl_exp='%s', mod_bits='%lu', keylen='%lu', "
"keytype='%s'", tsuite->name, i, s,
tsuite->tv[i].modbits,
tsuite->tv[i].keylen,
p11_get_ckm(tsuite->tv[i].keytype.mechanism));
// free memory
free(s);
// get key gen mechanism
keygen_mech = tsuite->tv[i].keytype;
// get wrapping mechanism
wrap_mech = tsuite->mech;
// skip this test if the slot doesn't support this
// keygen mechanism
if (! mech_supported(slot_id,
keygen_mech.mechanism)) {
testcase_skip();
continue;
}
// initialize buffer lengths
wrapped_keylen = PKCS11_MAX_PIN_LEN;
// generate RSA key pair
rc = generate_RSA_PKCS_KeyPair(session,
tsuite->tv[i].modbits,
tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len,
&publ_key,
&priv_key);
if (rc != CKR_OK) {
testcase_error("C_GenerateKeyPair() rc = %s",
p11_get_ckr(rc));
goto testcase_cleanup;
}
// generate secret key
rc = generate_SecretKey(session,
tsuite->tv[i].keylen,
&keygen_mech,
&secret_key);
if (rc != CKR_OK) {
testcase_error("generate_SecretKey(), rc=%s",
p11_get_ckr(rc));
goto error;
}
// extract CKA_CLASS and CKA_KEY_TYPE from generated key
// we will use this for unwrapping
// extract sizes first
rc = funcs->C_GetAttributeValue(session,
secret_key,
unwrap_tmpl,
2);
if (rc != CKR_OK) {
testcase_error("C_GetAttributeValue(), rc=%s",
p11_get_ckr(rc));
goto error;
}
// allocate memory for extraction
unwrap_tmpl[0].pValue = calloc(sizeof(CK_BYTE),
unwrap_tmpl[0].ulValueLen);
unwrap_tmpl[1].pValue = calloc(sizeof(CK_BYTE),
unwrap_tmpl[1].ulValueLen);
if ( (unwrap_tmpl[0].pValue == NULL) ||
(unwrap_tmpl[1].pValue == NULL) ) {
testcase_error("Error allocating %lu bytes"
"for unwrap template attributes",
unwrap_tmpl[0].ulValueLen +
unwrap_tmpl[1].ulValueLen);
rc = -1;
goto error;
}
// now extract values
rc = funcs->C_GetAttributeValue(session,
secret_key,
unwrap_tmpl,
2);
if (rc != CKR_OK) {
testcase_error("C_GetAttributeValue(), rc=%s",
p11_get_ckr(rc));
goto error;
}
// wrap key (length only)
rc = funcs->C_WrapKey(session,
&wrap_mech,
publ_key,
secret_key,
NULL,
&wrapped_keylen);
if (rc != CKR_OK) {
testcase_error("C_WrapKey(), rc=%s.",
p11_get_ckr(rc));
goto error;
}
// allocate memory for wrapped_key
wrapped_key = calloc(sizeof(CK_BYTE), wrapped_keylen);
if (wrapped_key == NULL) {
testcase_error("Can't allocate memory "
"for %lu bytes.",
sizeof(CK_BYTE) * wrapped_keylen);
rc = -1;
goto error;
}
// wrap key
rc = funcs->C_WrapKey(session,
&wrap_mech,
publ_key,
secret_key,
wrapped_key,
&wrapped_keylen);
if (rc != CKR_OK) {
testcase_error("C_WrapKey, rc=%s", p11_get_ckr(rc));
goto error;
}
unwrapped_keylen = tsuite->tv[i].keylen;
// variable key length specific case:
// According to PKCS#11 v2.2 section 12.1.12
// CKM_RSA_X_509 does not wrap the key type, key length,
// or any other information about the key; the application
// must convey these separately, and supply them when
// unwrapping the key.
if (keygen_mech.mechanism == CKM_AES_KEY_GEN) {
unwrapped_keylen = tsuite->tv[i].keylen;
unwrap_tmpl[2].type = CKA_VALUE_LEN;
unwrap_tmpl[2].ulValueLen = sizeof(unwrapped_keylen);
unwrap_tmpl[2].pValue = &unwrapped_keylen;
unwrap_tmpl_len = 3;
}
else {
unwrap_tmpl_len = 2;
}
// unwrap key
rc = funcs->C_UnwrapKey(session,
&wrap_mech,
priv_key,
wrapped_key,
wrapped_keylen,
unwrap_tmpl,
unwrap_tmpl_len,
&unwrapped_key);
if (rc != CKR_OK) {
testcase_error("C_UnwrapKey, rc=%s",
p11_get_ckr(rc));
goto error;
}
testcase_new_assertion();
// get secret CKA_VALUE_LEN (if applicable)
// then compare to expected value
if (keygen_mech.mechanism == CKM_GENERIC_SECRET_KEY_GEN
|| keygen_mech.mechanism == CKM_RC4_KEY_GEN
|| keygen_mech.mechanism == CKM_RC5_KEY_GEN
|| keygen_mech.mechanism == CKM_AES_KEY_GEN) {
rc = funcs->C_GetAttributeValue(session,
secret_key,
secret_value_len,
1);
if (rc != CKR_OK) {
testcase_error("C_GetAttributeValue(), rc=%s",
p11_get_ckr(rc));
goto error;
}
rc = funcs->C_GetAttributeValue(session,
unwrapped_key,
unwrapped_value_len,
1);
if (rc != CKR_OK) {
testcase_error("C_GetAttributeValue(), rc=%s",
p11_get_ckr(rc));
goto error;
}
// check results
if ( * ((CK_ULONG_PTR) secret_value_len[0].pValue) !=
* ((CK_ULONG_PTR) unwrapped_value_len[0].pValue)) {
testcase_fail("CKA_VALUE_LEN value differs "
"(original %lu, unwrapped %lu)",
*((CK_ULONG_PTR) secret_value_len),
*((CK_ULONG_PTR) unwrapped_value_len));
goto error;
}
}
// get size of secret key's CKA_VALUE
rc = funcs->C_GetAttributeValue(session, secret_key,
secret_value, 1);
if (rc != CKR_OK) {
testcase_error("C_GetAttributeValue(), rc=%s.",
p11_get_ckr(rc));
goto error;
}
// get size of unwrapped key's CKA_VALUE
rc = funcs->C_GetAttributeValue(session, unwrapped_key,
unwrapped_value, 1);
if (rc != CKR_OK) {
testcase_error("C_GetAttributeValue(), rc=%s.",
p11_get_ckr(rc));
goto error;
}
// allocate memory for extraction
secret_value[0].pValue = calloc(sizeof(CK_BYTE),
secret_value[0].ulValueLen);
if (secret_value[0].pValue == NULL) {
testcase_error("Error allocating %lu bytes "
"for Secret Key Value.",
secret_value[0].ulValueLen);
goto error;
}
unwrapped_value[0].pValue = calloc(sizeof(CK_BYTE),
unwrapped_value[0].ulValueLen);
if (unwrapped_value[0].pValue == NULL) {
testcase_error("Error allocating %lu bytes "
"for Unwrapped Key Value.",
unwrapped_value[0].ulValueLen);
goto error;
}
// get secret CKA_VALUE
rc = funcs->C_GetAttributeValue(session,
secret_key,
secret_value,
1);
if (rc != CKR_OK) {
testcase_error("C_GetAttributeValue(), rc=%s.",
p11_get_ckr(rc));
goto error;
}
// get unwrapped CKA_VALUE
rc = funcs->C_GetAttributeValue(session,
unwrapped_key,
unwrapped_value,
1);
if (rc != CKR_OK) {
testcase_error("C_GetAttributeValue(), rc=%s.",
p11_get_ckr(rc));
goto error;
}
// compare secret and unwrapped CKA_VALUE
if (memcmp(secret_value[0].pValue,
unwrapped_value[0].pValue,
secret_value[0].ulValueLen)) {
testcase_fail("Unwrapped key differs in CKA_VALUE.");
}
else {
testcase_pass("C_Wrap and C_Unwrap.");
}
// free memory
if (unwrap_tmpl[0].pValue) {
free(unwrap_tmpl[0].pValue);
}
if (unwrap_tmpl[1].pValue) {
free(unwrap_tmpl[1].pValue);
}
if (secret_value[0].pValue) {
free(secret_value[0].pValue);
}
if (unwrapped_value[0].pValue) {
free(unwrapped_value[0].pValue);
}
if (wrapped_key) {
free(wrapped_key);
}
// clean up
rc = funcs->C_DestroyObject(session, secret_key);
if (rc != CKR_OK) {
testcase_error("C_DestroyObject(), rc=%s.",
p11_get_ckr(rc));
goto testcase_cleanup;
}
rc = funcs->C_DestroyObject(session, publ_key);
if (rc != CKR_OK) {
testcase_error("C_DestroyObject(), rc=%s.",
p11_get_ckr(rc));
goto testcase_cleanup;
}
rc = funcs->C_DestroyObject(session, priv_key);
if (rc != CKR_OK) {
testcase_error("C_DestroyObject(), rc=%s.",
p11_get_ckr(rc));
goto testcase_cleanup;
}
}
goto testcase_cleanup;
error:
loc_rc = funcs->C_DestroyObject(session, secret_key);
if (loc_rc != CKR_OK) {
testcase_error("C_DestroyObject(), rc=%s.",
p11_get_ckr(loc_rc));
}
loc_rc = funcs->C_DestroyObject(session, publ_key);
if (loc_rc != CKR_OK) {
testcase_error("C_DestroyObject(), rc=%s.",
p11_get_ckr(loc_rc));
}
loc_rc = funcs->C_DestroyObject(session, priv_key);
if (loc_rc != CKR_OK) {
testcase_error("C_DestroyObject(), rc=%s.",
p11_get_ckr(loc_rc));
}
testcase_cleanup:
testcase_user_logout();
loc_rc = funcs->C_CloseAllSessions(slot_id);
if (loc_rc != CKR_OK) {
testcase_error("C_CloseAllSessions(), rc=%s.",
p11_get_ckr(rc));
}
return rc;
}
CK_RV do_DestroyObjects(void)
{
CK_FLAGS flags;
CK_SESSION_HANDLE session;
CK_RV rc = 0;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_OBJECT_HANDLE keyobj[8];
CK_OBJECT_HANDLE obj_list[10];
CK_ULONG i, num_objs=0, find_count, found=0;
CK_MECHANISM mech;
CK_BBOOL true = TRUE;
CK_KEY_TYPE aes_type = CKK_AES;
CK_OBJECT_CLASS key_class = CKO_SECRET_KEY;
CK_CHAR aes_value[] = "This is a fake aes key.";
CK_CHAR test_id[5] = "abcde";
CK_ULONG aesgen_keylen = 32;
CK_ATTRIBUTE aes_tmpl[] = {
{CKA_CLASS, &key_class, sizeof(key_class)},
{CKA_KEY_TYPE, &aes_type, sizeof(aes_type)},
{CKA_ID, &test_id, sizeof(test_id)},
{CKA_VALUE, &aes_value, sizeof(aes_value)}
};
CK_ATTRIBUTE aesgen_tmpl[] = {
{CKA_CLASS, &key_class, sizeof(key_class)},
{CKA_KEY_TYPE, &aes_type, sizeof(aes_type)},
{CKA_ID, &test_id, sizeof(test_id)},
{CKA_VALUE_LEN, &aesgen_keylen, sizeof(aesgen_keylen)},
{CKA_TOKEN, &true, sizeof(true)}
};
CK_ATTRIBUTE find_tmpl[] = {
{CKA_KEY_TYPE, &aes_type, sizeof(aes_type)},
{CKA_ID, &test_id, sizeof(test_id)}
};
testcase_begin("starting...");
testcase_rw_session();
testcase_user_login();
/* Create a few session key objects */
for (i = 0; i < 4; i++) {
rc = funcs->C_CreateObject(session, aes_tmpl, 4, &keyobj[num_objs]);
if (rc != CKR_OK) {
testcase_error("C_CreateObject() rc = %s", p11_get_ckr(rc));
goto testcase_cleanup;
}
num_objs++;
}
/* Generate a few token key objects */
mech.mechanism = CKM_AES_KEY_GEN;
mech.ulParameterLen = 0;
mech.pParameter = NULL;
for (i = 4; i < 8; i++) {
rc = funcs->C_GenerateKey(session, &mech, aesgen_tmpl, 5, &keyobj[num_objs]);
if (rc != CKR_OK) {
testcase_error("C_GenerateObject() rc = %s", p11_get_ckr(rc));
goto testcase_cleanup;
}
num_objs++;
}
/* Now delete 2 session key objects */
rc = funcs->C_DestroyObject(session, keyobj[7]);
if (rc != CKR_OK) {
testcase_fail("C_FindObjects() rc = %s", p11_get_ckr(rc));
goto testcase_cleanup;
}
num_objs--;
rc = funcs->C_DestroyObject(session, keyobj[6]);
if (rc != CKR_OK) {
testcase_fail("C_FindObjects() rc = %s", p11_get_ckr(rc));
goto testcase_cleanup;
}
num_objs--;
/* Now see if only 2 session key objects were destroyed */
rc = funcs->C_FindObjectsInit(session, find_tmpl, 2);
if (rc != CKR_OK) {
testcase_error("C_FindObjectsInit() rc = %s", p11_get_ckr(rc));
goto testcase_cleanup;
}
rc = funcs->C_FindObjects(session, obj_list, 10, &find_count);
if (rc != CKR_OK) {
testcase_error("C_FindObjects() rc = %s", p11_get_ckr(rc));
goto testcase_cleanup;
}
rc = funcs->C_FindObjectsFinal(session);
if (rc != CKR_OK) {
testcase_error("C_FindObjectsFinal() rc = %s", p11_get_ckr(rc));
goto testcase_cleanup;
}
/* Testcase 1: step thru and see if objects were deleted. */
if (find_count != 6) {
testcase_fail("Did not find 6 objects!");
goto testcase_cleanup;
}
for (i = 0; i < find_count; i++) {
if ((obj_list[i] == keyobj[6]) || (obj_list[i] == keyobj[7]))
found++;
}
if (found) {
testcase_fail("Objects were not deleted.");
goto testcase_cleanup;
} else
testcase_pass("The 2 objects were successfully deleted.");
/* Testcase 2: Now make sure the other objects are still there */
for (i = 0; i < find_count; i++) {
if ((obj_list[i] == keyobj[0]) || (obj_list[i] == keyobj[1]) ||
(obj_list[i] == keyobj[2]) || (obj_list[i] == keyobj[3]) ||
(obj_list[i] == keyobj[4]) || (obj_list[i] == keyobj[5]))
found++;
}
if (found != 6) {
testcase_fail("Some Objects were not found!");
goto testcase_cleanup;
} else
testcase_pass("The other objects are intact.");
/* Testcase 3: Remove all the objects */
find_count = 0;
/* Now delete the rest of the objects */
for (i = 0; i < num_objs; i++)
funcs->C_DestroyObject(session, keyobj[i]);
/* Now see if all the objects were deleted. */
rc = funcs->C_FindObjectsInit(session, find_tmpl, 2);
if (rc != CKR_OK) {
testcase_fail("C_FindObjectsInit() rc = %s", p11_get_ckr(rc));
goto testcase_cleanup;
}
rc = funcs->C_FindObjects(session, obj_list, 10, &find_count);
if (rc != CKR_OK) {
testcase_fail("C_FindObjects() rc = %s", p11_get_ckr(rc));
goto testcase_cleanup;
}
rc = funcs->C_FindObjectsFinal(session);
if (rc != CKR_OK) {
testcase_fail("C_FindObjectsFinal() rc = %s", p11_get_ckr(rc));
goto testcase_cleanup;
}
if (find_count) {
testcase_fail("The remaining objects were not deleted.");
goto testcase_cleanup;
} else
testcase_pass("All objects were deleted.");
testcase_cleanup:
if (num_objs) {
for (i = 0; i < num_objs; i++)
funcs->C_DestroyObject(session, keyobj[i]);
}
testcase_user_logout();
rc = funcs->C_CloseSession(session);
if (rc != CKR_OK) {
testcase_error("C_CloseSession rc=%s", p11_get_ckr(rc));
}
return rc;
}
CK_RV do_SetPIN(void)
{
CK_SLOT_ID slot_id;
CK_FLAGS flags;
CK_SESSION_HANDLE session;
CK_CHAR old_pin[PKCS11_MAX_PIN_LEN];
CK_CHAR new_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG old_len;
CK_ULONG new_len;
CK_RV rc;
testcase_begin("Testing C_SetPIN");
// first, try to get the user PIN
if (get_user_pin(old_pin))
return CKR_FUNCTION_FAILED;
old_len = (CK_ULONG)strlen((char *)old_pin);
memcpy(new_pin, "ABCDEF", 6);
new_len = 6;
slot_id = SLOT_ID;
/* try to call C_SetPIN from a R/O public session, it should fail.
*/
flags = CKF_SERIAL_SESSION;
testcase_new_assertion();
rc = funcs->C_OpenSession(slot_id, flags, NULL, NULL, &session);
if (rc != CKR_OK) {
testcase_error("C_OpenSession #1 rc=%s", p11_get_ckr(rc));
return rc;
}
rc = funcs->C_SetPIN(session, old_pin, old_len, new_pin, new_len);
if (rc != CKR_SESSION_READ_ONLY) {
testcase_fail("C_SetPIN #1 returned %s instead of "
"CKR_SESSION_READ_ONLY.", p11_get_ckr(rc));
rc = CKR_FUNCTION_FAILED;
goto testcase_cleanup;
} else
testcase_pass("C_SetPIN successful in pubic session.");
if (funcs->C_CloseSession(session) != CKR_OK) {
testcase_error("C_CloseSession #1 failed.");
goto testcase_cleanup;
}
/* try to call C_SetPIN from a R/W public session, it should work.
*/
flags = CKF_SERIAL_SESSION | CKF_RW_SESSION;
rc = funcs->C_OpenSession(slot_id, flags, NULL, NULL, &session);
if (rc != CKR_OK) {
testcase_error("C_OpenSession #1 rc=%s", p11_get_ckr(rc));
return rc;
}
rc = funcs->C_SetPIN(session, old_pin, old_len, new_pin, new_len);
if (rc != CKR_OK) {
testcase_fail("C_SetPIN failed: rc = %s", p11_get_ckr(rc));
} else
testcase_pass("C_SetPIN successful in r/w pubic session.");
if (funcs->C_CloseSession(session) != CKR_OK) {
testcase_error("C_CloseSession #1 failed.");
goto testcase_cleanup;
}
if (rc != CKR_OK) // above C_SetPIN failed so leave
goto testcase_cleanup;
/* open a new session and try logging in with new pin */
flags = CKF_SERIAL_SESSION | CKF_RW_SESSION;
rc = funcs->C_OpenSession(slot_id, flags, NULL, NULL, &session);
if (rc != CKR_OK) {
testcase_error("C_OpenSession #1 rc=%s", p11_get_ckr(rc));
return rc;
}
testcase_new_assertion();
rc = funcs->C_Login(session, CKU_USER, new_pin, new_len);
if (rc != CKR_OK) {
testcase_fail("C_Login #1 failed: rc=%s", p11_get_ckr(rc));
goto testcase_cleanup;
} else
testcase_pass("Successfully logged in with new pin.");
/* try to call C_SetPIN from a normal user session, r/w user.
* set back to original user pin. this should work.
*/
testcase_new_assertion();
rc = funcs->C_SetPIN(session, new_pin, new_len, old_pin, old_len);
if (rc != CKR_OK)
testcase_fail("C_SetPIN #2 rc=%s", p11_get_ckr(rc));
else
testcase_pass("C_SetPIN successful.");
if ((funcs->C_Logout(session)) != CKR_OK) {
testcase_error("C_Logout #1 falied: rc=%s", p11_get_ckr(rc));
goto testcase_cleanup;
}
if (rc != CKR_OK) // above C_SetPIN failed.
goto testcase_cleanup;
/*
* done with user tests...now try with the SO
*/
if (get_so_pin(old_pin))
return CKR_FUNCTION_FAILED;
/* try to call C_SetPIN from a normal user session */
testcase_new_assertion();
rc = funcs->C_Login(session, CKU_SO, old_pin, old_len);
if (rc != CKR_OK) {
testcase_error("C_Login #3failed: rc=%s", p11_get_ckr(rc));
goto testcase_cleanup;
}
rc = funcs->C_SetPIN(session, old_pin, old_len, new_pin, new_len);
if (rc != CKR_OK)
testcase_fail("C_SetPIN #4 failed: rc=%s", p11_get_ckr(rc));
else
testcase_pass("C_SetPIN successfully set SO PIN.");
if ((funcs->C_Logout(session)) != CKR_OK) {
testcase_error("C_Logout #3 failed.");
goto testcase_cleanup;
}
if (rc != CKR_OK) // above C_SetPIN failed
goto testcase_cleanup;
/* now login with new pin. should work. */
testcase_new_assertion();
rc = funcs->C_Login(session, CKU_SO, new_pin, new_len);
if (rc != CKR_OK) {
testcase_fail("C_Login #5 failed: rc=%s", p11_get_ckr(rc));
} else
testcase_pass("C_Login #5 was successful.");
/* change the PIN back to the original so the rest of this program
* doesn't break
*/
if (funcs->C_SetPIN(session, new_pin, new_len, old_pin, old_len) != CKR_OK)
testcase_error("C_SetPIN #5 failed to set back to the original "
"SO PIN, rc=%s", p11_get_ckr(rc));
if ((funcs->C_Logout(session)) != CKR_OK)
testcase_error("C_Logout #4 failed.");
testcase_cleanup:
if (funcs->C_CloseSession(session) != CKR_OK)
testcase_error("C_CloseSession #1 failed.");
return rc;
}
CK_RV do_GetSlotList(void)
{
CK_FLAGS flags;
CK_SESSION_HANDLE session;
CK_RV rc = 0;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_BBOOL tokenPresent;
CK_SLOT_ID_PTR pSlotList = NULL;
CK_ULONG ulCount = 0;
tokenPresent = TRUE;
testcase_begin("testing C_GetSlotList");
testcase_rw_session();
testcase_user_login();
testcase_new_assertion();
/* pkcs#11v2.20, Section 11.5
* If pSlotList is NULL_PTR, then all that C_GetSlotList does is
* return (in *pulCount) the number of slots, without actually
* returning a list of slots.
*/
rc = funcs->C_GetSlotList(tokenPresent, NULL, &ulCount);
if (rc != CKR_OK) {
testcase_fail("C_GetSlotList rc=%s", p11_get_ckr(rc));
goto testcase_cleanup;
}
if (ulCount)
testcase_pass("C_GetSlotList received slot count.");
else
testcase_fail("C_GetSlotList did not receive slot count.");
pSlotList = (CK_SLOT_ID *)malloc(ulCount * sizeof(CK_SLOT_ID));
if (!pSlotList) {
testcase_error("malloc failed to allocate memory for list\n");
rc = CKR_HOST_MEMORY;
goto testcase_cleanup;
}
testcase_new_assertion();
/* Get the slots */
rc = funcs->C_GetSlotList(tokenPresent, pSlotList, &ulCount);
if (rc != CKR_OK) {
testcase_fail("C_GetSlotList rc=%s", p11_get_ckr(rc));
goto testcase_cleanup;
}
testcase_pass("Slot list returned successfully");
testcase_cleanup:
if (pSlotList)
free(pSlotList);
testcase_user_logout();
if ((funcs->C_CloseSession(session)) != CKR_OK)
testcase_error("C_CloseSession failed.");
return rc;
}
CK_RV do_InitPIN(void)
{
CK_SLOT_ID slot_id;
CK_FLAGS flags;
CK_SESSION_HANDLE session;
CK_CHAR so_pin[PKCS11_MAX_PIN_LEN];
CK_CHAR user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG so_pin_len;
CK_ULONG user_pin_len;
CK_RV rc;
testcase_begin("Testing C_InitPIN");
if (get_user_pin(user_pin))
return CKR_FUNCTION_FAILED;
user_pin_len = (CK_ULONG)strlen((char *)user_pin);
if (get_so_pin(so_pin))
return CKR_FUNCTION_FAILED;
so_pin_len = (CK_ULONG)strlen((char *)so_pin);
slot_id = SLOT_ID;
flags = CKF_SERIAL_SESSION | CKF_RW_SESSION;
// try to call C_InitPIN from a public session
testcase_new_assertion();
rc = funcs->C_OpenSession(slot_id, flags, NULL, NULL, &session);
if (rc != CKR_OK) {
testcase_error("C_OpenSession rc=%s", p11_get_ckr(rc));
return rc;
}
rc = funcs->C_InitPIN(session, user_pin, user_pin_len);
if (rc != CKR_USER_NOT_LOGGED_IN) {
testcase_fail("C_InitPIN returned %s instead of "
"CKR_USER_NOT_LOGGED_IN", p11_get_ckr(rc));
goto testcase_cleanup;
} else
testcase_pass("C_InitPin correctly returned CKR_USER_NOT_LOGGED_IN.");
// try to call C_InitPIN from an SO session
testcase_new_assertion();
rc = funcs->C_Login(session, CKU_SO, so_pin, so_pin_len);
if (rc != CKR_OK) {
testcase_error("C_Login #1 failed: rc=%s", p11_get_ckr(rc));
goto testcase_cleanup;
}
rc = funcs->C_InitPIN(session, user_pin, user_pin_len);
if (rc != CKR_OK)
testcase_fail("C_InitPIN failed: rc=%s", p11_get_ckr(rc));
else
testcase_pass("C_InitPIN #1 was successful.");
if ((funcs->C_Logout(session)) != CKR_OK) {
testcase_error("C_Logout #1 failed.");
if (rc != CKR_OK)
goto testcase_cleanup;
}
// try to call C_InitPIN from a normal user session
testcase_new_assertion();
rc = funcs->C_Login( session, CKU_USER, user_pin, user_pin_len );
if (rc != CKR_OK) {
testcase_error("C_Login failed: rc=%s", p11_get_ckr(rc));
goto testcase_cleanup;
}
rc = funcs->C_InitPIN(session, user_pin, user_pin_len);
if (rc != CKR_USER_NOT_LOGGED_IN) {
testcase_fail("C_InitPIN returned %s instead of "
"CKR_USER_NOT_LOGGED_IN.", p11_get_ckr(rc));
rc = CKR_FUNCTION_FAILED;
} else {
testcase_pass("C_InitPIN #2 was successful.");
rc = CKR_OK;
}
if ((funcs->C_Logout(session)) != CKR_OK)
testcase_error("C_Logout #2 rc=%s", p11_get_ckr(rc));
testcase_cleanup:
if (funcs->C_CloseAllSessions(slot_id) != CKR_OK)
testcase_error("C_CloseAllSessions #1 rc=%s", p11_get_ckr(rc));
return rc;
}
CK_RV do_GetMechanismList(void)
{
CK_FLAGS flags;
CK_SESSION_HANDLE session;
CK_RV rc = 0;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_SLOT_ID slot_id = SLOT_ID;
CK_ULONG count;
CK_MECHANISM_TYPE *mech_list = NULL;
testcase_begin("testing C_GetMechanismList");
testcase_rw_session();
testcase_user_login();
/* pkcs11v2.20, page 111
* If pMechanismList is NULL_PTR, then all that C_GetMechanismList
* does is return (in *pulCount) the number of mechanisms, without
* actually returning a list of mechanisms. The contents of
* *pulCount on entry to C_GetMechanismList has no meaning in this
* case, and the call returns the value CKR_OK.
*/
testcase_new_assertion();
rc = funcs->C_GetMechanismList(slot_id, NULL, &count);
if (rc != CKR_OK) {
testcase_fail("C_GetMechanismList 1 rc=%s",p11_get_ckr(rc));
return rc;
}
if (count)
testcase_pass("C_GetMechanismList returned mechanism count.");
else
testcase_fail("C_GetMechanismList did not not return "
"mechanism count.");
mech_list = (CK_MECHANISM_TYPE *)malloc( count * sizeof(CK_MECHANISM_TYPE) );
if (!mech_list) {
testcase_fail();
rc = CKR_HOST_MEMORY;
goto testcase_cleanup;
}
testcase_new_assertion();
rc = funcs->C_GetMechanismList(slot_id, mech_list, &count);
if (rc != CKR_OK) {
testcase_fail("C_GetMechanismList 2 rc=%s", p11_get_ckr(rc));
goto testcase_cleanup;
} else
testcase_pass("Mechanism listing from current slot");
/* Test for invalid slot */
testcase_new_assertion();
rc = funcs->C_GetMechanismList(999, NULL, &count);
if (rc != CKR_SLOT_ID_INVALID) {
testcase_fail("C_GetMechanismList() returned %s instead of"
" CKR_SLOT_ID_INVALID.", p11_get_ckr(rc));
rc = CKR_FUNCTION_FAILED;
goto testcase_cleanup;
} else {
testcase_pass("C_GetMechanismList correctly returned "
"CKR_SLOT_ID_INVALID.");
rc = CKR_OK;
}
testcase_cleanup:
if (mech_list)
free(mech_list);
testcase_user_logout();
if ((funcs->C_CloseSession(session)) != CKR_OK)
testcase_error("C_CloseSessions failed.");
return rc;
}
/* This function should test:
* RSA Key Generation, using CKM_PKCS_KEY_PAIR_GEN
* RSA Public-Key Wrap
* RSA Private-Key Unwrap
*
*/
CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
{
int i = 0, j = 0;
char *s = NULL;
CK_OBJECT_HANDLE publ_key, priv_key, secret_key, unwrapped_key;
CK_BYTE_PTR wrapped_key = NULL;
CK_ULONG wrapped_keylen, unwrapped_keylen = 0;
CK_MECHANISM wrap_mech, keygen_mech, mech;
CK_BYTE clear[32], cipher[32], re_cipher[32];
CK_ULONG cipher_len = 32, re_cipher_len = 32;
CK_RSA_PKCS_OAEP_PARAMS oaep_params;
CK_SESSION_HANDLE session;
CK_FLAGS flags;
CK_SLOT_ID slot_id = SLOT_ID;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_RV rc, loc_rc;
CK_OBJECT_CLASS key_class = CKO_SECRET_KEY;
CK_KEY_TYPE key_type;
CK_ATTRIBUTE unwrap_tmpl[] = {
{CKA_CLASS, &key_class, sizeof(CK_OBJECT_CLASS)},
{CKA_KEY_TYPE, &key_type, sizeof(CK_KEY_TYPE)},
{CKA_VALUE_LEN, &unwrapped_keylen, sizeof(CK_ULONG)}
};
CK_ULONG unwrap_tmpl_len;
// begin test suite
testsuite_begin("%s Wrap Unwrap.", tsuite->name);
testcase_rw_session();
testcase_user_login();
/* create some data */
for (j = 0; j < 32; j++)
clear[j] = j;
// skip all tests if the slot doesn't support this mechanism
if (! mech_supported(slot_id, tsuite->mech.mechanism)){
testsuite_skip(tsuite->tvcount,
"Slot %u doesn't support %u",
(unsigned int) slot_id,
(unsigned int) tsuite->mech.mechanism );
goto testcase_cleanup;
}
// skip all tests if the slot doesn't support wrapping
else if (! wrap_supported(slot_id, tsuite->mech)) {
testsuite_skip(tsuite->tvcount,
"Slot %u doesn't support key wrapping",
(unsigned int) slot_id);
goto testcase_cleanup;
}
for (i = 0; i < tsuite->tvcount; i++) {
// skip if the slot doesn't support the keygen mechanism
if (!mech_supported(slot_id, tsuite->tv[i].keytype.mechanism)) {
testcase_skip("Slot %u doesn't support %u",
(unsigned int)slot_id,
(unsigned int)tsuite->tv[i].keytype.mechanism);
continue;
}
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
tsuite->tv[i].modbits)) {
testcase_skip("Token in slot %ld cannot be used with "
"modbits.='%ld'",
SLOT_ID,tsuite->tv[i].modbits);
continue;
}
// get public exponent from test vector
if ( p11_ahex_dump(&s, tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len) == NULL) {
testcase_error("p11_ahex_dump() failed");
rc = -1;
goto testcase_cleanup;
}
if (is_ep11_token(slot_id)) {
if (! is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
testcase_skip("EP11 Token cannot "
"be used with publ_exp.='%s'",s);
continue;
}
}
// begin test
testcase_begin("%s Wrap Unwrap with test vector %d, "
"\npubl_exp='%s', mod_bits='%lu', keylen='%lu', "
"keytype='%s'", tsuite->name, i, s,
tsuite->tv[i].modbits, tsuite->tv[i].keylen,
p11_get_ckm(tsuite->tv[i].keytype.mechanism));
// free memory
if (s)
free(s);
// get key gen mechanism
keygen_mech = tsuite->tv[i].keytype;
// get wrapping mechanism
wrap_mech = tsuite->mech;
if (wrap_mech.mechanism == CKM_RSA_PKCS_OAEP) {
oaep_params = tsuite->tv[i].oaep_params;
wrap_mech.pParameter = &oaep_params;
wrap_mech.ulParameterLen = sizeof(CK_RSA_PKCS_OAEP_PARAMS);
}
// clear out buffers
memset (cipher, 0, sizeof(cipher));
memset (re_cipher, 0, sizeof(re_cipher));
// initialize buffer lengths
wrapped_keylen = PKCS11_MAX_PIN_LEN;
// generate RSA key pair
rc = generate_RSA_PKCS_KeyPair(session, tsuite->tv[i].modbits,
tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len,
&publ_key, &priv_key);
if (rc != CKR_OK) {
testcase_error("C_GenerateKeyPair() rc = %s",
p11_get_ckr(rc));
goto testcase_cleanup;
}
// generate secret key
rc = generate_SecretKey(session, tsuite->tv[i].keylen,
&keygen_mech, &secret_key);
if (rc != CKR_OK) {
testcase_error("generate_SecretKey(), rc=%s",
p11_get_ckr(rc));
goto error;
}
/* Testcase Goals:
* 1. Encrypt data.
* 2. Use RSA to wrap the secret key we just used to encrypt.
* 3. Use RSA to unwrap the secret key.
* 4. Decrypt with the newly unwrapped key to get original data.
*
* The first assertion will be the success of RSA to wrap and
* unwrap the secret key.
* The second assertion will be the success of the unwrapped
* key to decrypt the original text.
* Note: Generic secret keys are not used for encrypt/decrypt
* by default. So they will not be included in second
* assertion.
*/
if (keygen_mech.mechanism != CKM_GENERIC_SECRET_KEY_GEN) {
switch (keygen_mech.mechanism) {
case CKM_AES_KEY_GEN:
mech.mechanism = CKM_AES_ECB;
key_type = CKK_AES;
break;
case CKM_DES3_KEY_GEN:
mech.mechanism = CKM_DES3_ECB;
key_type = CKK_DES3;
break;
case CKM_DES_KEY_GEN:
mech.mechanism = CKM_DES_ECB;
key_type = CKK_DES;
break;
case CKM_CDMF_KEY_GEN:
mech.mechanism = CKM_CDMF_ECB;
key_type = CKK_CDMF;
break;
default:
testcase_error("unknown mech");
goto error;
}
mech.ulParameterLen = 0;
mech.pParameter = NULL;
rc = funcs->C_EncryptInit(session, &mech, secret_key);
if (rc != CKR_OK) {
testcase_error("C_EncryptInit secret_key "
": rc = %s", p11_get_ckr(rc));
goto error;
}
rc = funcs->C_Encrypt(session, clear, 32, cipher,
&cipher_len);
if (rc != CKR_OK) {
testcase_error("C_Encrypt secret_key: rc = %s",
p11_get_ckr(rc));
goto error;
}
} else
key_type = CKK_GENERIC_SECRET;
testcase_new_assertion(); /* assertion #1 */
// wrap key (length only)
rc = funcs->C_WrapKey(session, &wrap_mech, publ_key, secret_key,
NULL, &wrapped_keylen);
if (rc != CKR_OK) {
testcase_error("C_WrapKey(), rc=%s.", p11_get_ckr(rc));
goto error;
}
// allocate memory for wrapped_key
wrapped_key = calloc(sizeof(CK_BYTE), wrapped_keylen);
if (wrapped_key == NULL) {
testcase_error("Can't allocate memory for %lu bytes.",
sizeof(CK_BYTE) * wrapped_keylen);
rc = CKR_HOST_MEMORY;
goto error;
}
// wrap key
rc = funcs->C_WrapKey(session, &wrap_mech, publ_key, secret_key,
wrapped_key, &wrapped_keylen);
if (rc != CKR_OK) {
testcase_fail("C_WrapKey, rc=%s", p11_get_ckr(rc));
goto error;
}
/* variable key length specific case:
* According to PKCS#11 v2.2 section 12.1.12
* CKM_RSA_X_509 does not wrap the key type, key length,
* or any other information about the key; the application
* must convey these separately, and supply them when
* unwrapping the key.
*/
if (((keygen_mech.mechanism == CKM_AES_KEY_GEN) ||
(keygen_mech.mechanism == CKM_GENERIC_SECRET_KEY_GEN)) &&
(wrap_mech.mechanism == CKM_RSA_X_509)) {
unwrapped_keylen = tsuite->tv[i].keylen;
unwrap_tmpl_len = 3;
}
else {
unwrap_tmpl_len = 2;
}
// unwrap key
rc = funcs->C_UnwrapKey(session, &wrap_mech, priv_key,
wrapped_key, wrapped_keylen,
unwrap_tmpl, unwrap_tmpl_len,
&unwrapped_key);
if (rc != CKR_OK) {
testcase_fail("C_UnwrapKey, rc=%s",
p11_get_ckr(rc));
goto error;
} else
testcase_pass("wrapped and unwrapped key successful.");
/* now decrypt the message with the unwrapped key */
if (keygen_mech.mechanism != CKM_GENERIC_SECRET_KEY_GEN) {
rc = funcs->C_DecryptInit(session,&mech,unwrapped_key);
if (rc != CKR_OK) {
testcase_error("C_DecryptInit unwrapped_key: "
" rc = %s", p11_get_ckr(rc));
goto error;
}
rc = funcs->C_Decrypt(session, cipher, cipher_len,
re_cipher, &re_cipher_len);
if (rc != CKR_OK) {
testcase_error("C_Decrypt unwrapped_key: "
"rc = %s", p11_get_ckr(rc));
goto error;
}
testcase_new_assertion();
if (memcmp(clear, re_cipher, 32) != 0) {
testcase_fail("ERROR:data mismatch\n");
goto error;
} else
testcase_pass("Decrypted data is correct.");
}
// clean up
if (wrapped_key) {
free(wrapped_key);
wrapped_key = NULL;
}
rc = funcs->C_DestroyObject(session, secret_key);
if (rc != CKR_OK)
testcase_error("C_DestroyObject(), rc=%s.",
p11_get_ckr(rc));
rc = funcs->C_DestroyObject(session, publ_key);
if (rc != CKR_OK)
testcase_error("C_DestroyObject(), rc=%s.",
p11_get_ckr(rc));
rc = funcs->C_DestroyObject(session, priv_key);
if (rc != CKR_OK)
testcase_error("C_DestroyObject(), rc=%s.",
p11_get_ckr(rc));
}
goto testcase_cleanup;
error:
if (wrapped_key) {
free(wrapped_key);
wrapped_key = NULL;
}
funcs->C_DestroyObject(session, secret_key);
funcs->C_DestroyObject(session, publ_key);
funcs->C_DestroyObject(session, priv_key);
testcase_cleanup:
testcase_user_logout();
loc_rc = funcs->C_CloseAllSessions(slot_id);
if (loc_rc != CKR_OK) {
testcase_error("C_CloseAllSessions(), rc=%s.",
p11_get_ckr(rc));
}
return rc;
}
