CK_RV do_GetInfo(void)
{
CK_FLAGS flags;
CK_SESSION_HANDLE session;
CK_RV rc = 0;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_INFO info;
// Do some setup and login to the token
testcase_begin("C_GetInfo function check");
testcase_rw_session();
testcase_user_login();
testcase_new_assertion();
rc = funcs->C_GetInfo(&info);
if (rc != CKR_OK){
testcase_fail("C_GetInfo() rc=%s", p11_get_ckr(rc));
goto testcase_cleanup;
}
testcase_pass("Library info successfully sourced");
testcase_cleanup:
testcase_user_logout();
if ((funcs->C_CloseSession(session)) != CKR_OK)
testcase_error("C_CloseSession() failed.");
return rc;
}
void
test_cloning_with_log_message(gchar *msg)
{
LogMessage *original_log_message, *log_message, *cloned_log_message;
regex_t bad_hostname;
GSockAddr *addr = g_sockaddr_inet_new("10.10.10.10", 1010);
LogPathOptions path_options = LOG_PATH_OPTIONS_INIT;
testcase_begin("Testing log message cloning; msg='%s'", msg);
parse_options.flags = LP_SYSLOG_PROTOCOL;
parse_options.bad_hostname = &bad_hostname;
original_log_message = log_msg_new(msg, strlen(msg), addr, &parse_options);
log_message = log_msg_new(msg, strlen(msg), addr, &parse_options);
log_msg_set_tag_by_name(log_message, "newtag");
path_options.ack_needed = FALSE;
cloned_log_message = log_msg_clone_cow(log_message, &path_options);
assert_log_messages_equal(cloned_log_message, original_log_message);
set_new_log_message_attributes(cloned_log_message);
assert_log_messages_equal(log_message, original_log_message);
assert_new_log_message_attributes(cloned_log_message);
assert_log_message_has_tag(cloned_log_message, "newtag");
log_msg_unref(cloned_log_message);
log_msg_unref(log_message);
log_msg_unref(original_log_message);
testcase_end();
}
static void
test_type_hint_parse(void)
{
TypeHint t;
GError *e = NULL;
testcase_begin("Testing type hint parsing");
assert_type_hint(NULL, TYPE_HINT_STRING);
assert_type_hint("string", TYPE_HINT_STRING);
assert_type_hint("literal", TYPE_HINT_LITERAL);
assert_type_hint("boolean", TYPE_HINT_BOOLEAN);
assert_type_hint("int", TYPE_HINT_INT32);
assert_type_hint("int32", TYPE_HINT_INT32);
assert_type_hint("int64", TYPE_HINT_INT64);
assert_type_hint("datetime", TYPE_HINT_DATETIME);
assert_type_hint("default", TYPE_HINT_DEFAULT);
assert_false(type_hint_parse("invalid-hint", &t, &e),
"Parsing an invalid hint results in an error.");
assert_error(e, TYPE_HINTING_INVALID_TYPE, "invalid-hint");
testcase_end();
}
CK_RV do_GetMechanismInfo(void)
{
CK_FLAGS flags;
CK_SESSION_HANDLE session;
CK_RV rc = 0;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_SLOT_ID slot_id = SLOT_ID;
CK_MECHANISM_INFO info;
CK_ULONG i, count;
CK_MECHANISM_TYPE *mech_list = NULL;
testcase_begin("testing C_GetMechanismInfo");
testcase_rw_session();
testcase_user_login();
testcase_new_assertion();
rc = funcs->C_GetMechanismList(slot_id, NULL, &count);
if (rc != CKR_OK) {
testcase_error("C_GetMechanismList #1 rc=%s", p11_get_ckr(rc));
return rc;
}
mech_list = (CK_MECHANISM_TYPE *)malloc(count * sizeof(CK_MECHANISM_TYPE));
if (!mech_list) {
rc = CKR_HOST_MEMORY;
goto testcase_cleanup;
}
rc = funcs->C_GetMechanismList(slot_id, mech_list, &count);
if (rc != CKR_OK) {
testcase_error("C_GetMechanismList #2 rc=%s", p11_get_ckr(rc));
goto testcase_cleanup;
}
for (i = 0; i < count; i++) {
rc = funcs->C_GetMechanismInfo(slot_id, mech_list[i], &info);
if (rc != CKR_OK)
break;
}
if (rc != CKR_OK)
testcase_fail("C_GetMechanismInfo rc=%s", p11_get_ckr(rc));
else
testcase_pass("C_GetMechanismInfo was successful.");
testcase_cleanup:
if (mech_list)
free(mech_list);
testcase_user_logout();
if ((funcs->C_CloseSession(session)) != CKR_OK)
testcase_error("C_CloseSessions rc=%s", p11_get_ckr(rc));
return rc;
}
static void
test_pipe_init_success (void)
{
testcase_begin ("A pipe that always succeeds, results in a startable tree");
assert_almighty_always_pipe (TRUE, TRUE, TRUE, TRUE, TRUE);
testcase_end ();
}
static void
test_pipe_init_fail (void)
{
testcase_begin ("A pipe that always fails, results in an unstartable tree");
assert_almighty_always_pipe (FALSE, FALSE, TRUE, TRUE, FALSE);
testcase_end ();
}
static gboolean
_execute(const gchar *testcase, Checks checks, const gchar *user_data)
{
gboolean uri_init_ok = _after_test();
testcase_begin("%s(%s, %s)", __FUNCTION__, testcase, user_data);
if (!checks(user_data))
_tests_failed = 1;
reset_grabbed_messages();
testcase_end();
_free_test();
_before_test();
return uri_init_ok;
}
CK_RV do_GetSlotInfo(void)
{
CK_FLAGS flags;
CK_SESSION_HANDLE session;
CK_RV rc = 0;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_SLOT_ID slot_id = SLOT_ID;
CK_SLOT_INFO info;
testcase_begin("testing C_GetSlotInfo");
testcase_rw_session();
testcase_user_login();
/* Test expected values */
testcase_new_assertion();
rc = funcs->C_GetSlotInfo(slot_id, &info);
if (rc != CKR_OK) {
testcase_fail("C_GetSlotInfo() rc = %s", p11_get_ckr(rc));
goto testcase_cleanup;
} else
testcase_pass("Slot info of in-use slot received successfully");
/* Test for invalid slot */
testcase_new_assertion();
rc = funcs->C_GetSlotInfo(999, &info);
if (rc != CKR_SLOT_ID_INVALID) {
testcase_fail("C_GetSlotInfo returned %s instead of"
" CKR_SLOT_ID_INVALID.", p11_get_ckr(rc));
rc = CKR_FUNCTION_FAILED; // dont confuse loop in main
goto testcase_cleanup;
} else {
testcase_pass("C_GetSlotInfo correctly returned "
"CKR_SLOT_ID_INVALID.");
rc = 0; // don't confuse loop in main
}
testcase_cleanup:
testcase_user_logout();
if ((funcs->C_CloseSession(session)) != CKR_OK)
testcase_error("C_CloseSessions failed.");
return rc;
}
static void
test_type_cast(void)
{
GError *error = NULL;
gboolean ob;
gint32 i32;
gint64 i64;
guint64 dt;
testcase_begin("Testing type casting");
/* Boolean */
assert_bool_cast("True", TRUE);
assert_bool_cast("true", TRUE);
assert_bool_cast("1", TRUE);
assert_bool_cast("totally true", TRUE);
assert_bool_cast("False", FALSE);
assert_bool_cast("false", FALSE);
assert_bool_cast("0", FALSE);
assert_bool_cast("fatally false", FALSE);
assert_type_cast_fail(boolean, "booyah", &ob);
/* int32 */
assert_int_cast("12345", 32, 12345);
assert_type_cast_fail(int32, "12345a", &i32);
/* int64 */
assert_int_cast("12345", 64, 12345);
assert_type_cast_fail(int64, "12345a", &i64);
/* datetime */
assert_type_cast(datetime_int, "12345", &dt);
assert_guint64(dt, 12345000, "Casting '12345' to datetime works");
assert_type_cast(datetime_int, "12345.5", &dt);
assert_guint64(dt, 12345500, "Casting '12345.5' to datetime works");
assert_type_cast(datetime_int, "12345.54", &dt);
assert_guint64(dt, 12345540, "Casting '12345.54' to datetime works");
assert_type_cast(datetime_int, "12345.543", &dt);
assert_guint64(dt, 12345543, "Casting '12345.543' to datetime works");
assert_type_cast(datetime_int, "12345.54321", &dt);
assert_guint64(dt, 12345543, "Casting '12345.54321' to datetime works");
assert_type_cast_fail(datetime_int, "invalid", &dt);
testcase_end();
}
void
test_kmsg_device_parsing(void)
{
gchar msg_subsys[] = "6,202,98513;pci_root PNP0A08:00: host bridge window [io 0x0000-0x0cf7]\n" \
" SUBSYSTEM=acpi\n" \
" DEVICE=+acpi:PNP0A08:00\n";
gchar msg_block[] = "6,202,98513;Fake message\n" \
" DEVICE=b12:1\n";
gchar msg_char[] = "6,202,98513;Fake message\n" \
" DEVICE=c3:4\n";
gchar msg_netdev[] = "6,202,98513;Fake message\n" \
" DEVICE=n8\n";
gchar msg_unknown[] = "6,202,98513;Fake message\n" \
" DEVICE=w12345\n";
LogMessage *parsed_message;
testcase_begin("Testing /dev/kmsg DEVICE= parsing");
parsed_message = kmsg_parse_message(msg_subsys);
assert_log_kmsg_value(parsed_message, ".linux.DEVICE.type", "acpi");
assert_log_kmsg_value(parsed_message, ".linux.DEVICE.name", "PNP0A08:00");
log_msg_unref(parsed_message);
parsed_message = kmsg_parse_message(msg_block);
assert_log_kmsg_value(parsed_message, ".linux.DEVICE.type", "block");
assert_log_kmsg_value(parsed_message, ".linux.DEVICE.major", "12");
assert_log_kmsg_value(parsed_message, ".linux.DEVICE.minor", "1");
log_msg_unref(parsed_message);
parsed_message = kmsg_parse_message(msg_char);
assert_log_kmsg_value(parsed_message, ".linux.DEVICE.type", "char");
assert_log_kmsg_value(parsed_message, ".linux.DEVICE.major", "3");
assert_log_kmsg_value(parsed_message, ".linux.DEVICE.minor", "4");
log_msg_unref(parsed_message);
parsed_message = kmsg_parse_message(msg_netdev);
assert_log_kmsg_value(parsed_message, ".linux.DEVICE.type", "netdev");
assert_log_kmsg_value(parsed_message, ".linux.DEVICE.index", "8");
log_msg_unref(parsed_message);
parsed_message = kmsg_parse_message(msg_unknown);
assert_log_kmsg_value(parsed_message, ".linux.DEVICE.type", "<unknown>");
assert_log_kmsg_value(parsed_message, ".linux.DEVICE.name", "w12345");
log_msg_unref(parsed_message);
testcase_end();
}
void
test_kmsg_with_extra_fields(void)
{
gchar msg[] = "5,2,0,some extra field,3,4,5;And this is the real message\n";
LogMessage *parsed_message;
testcase_begin("Testing /dev/kmsg parsing, with extra fields; msg='%s'", msg);
parsed_message = kmsg_parse_message(msg);
assert_guint16(parsed_message->pri, 5, "Unexpected message priority");
assert_log_message_value(parsed_message, LM_V_MSGID, "2");
assert_log_message_value(parsed_message, LM_V_MESSAGE, "And this is the real message");
log_msg_unref(parsed_message);
testcase_end();
}
void
test_kmsg_single_line(void)
{
gchar msg[] = "5,2,1;Linux version 3.5-trunk-amd64 (Debian 3.5.2-1~experimental.1) ([email protected]) (gcc version 4.6.3 (Debian 4.6.3-1) ) #1 SMP Mon Aug 20 04:17:46 UTC 2012\n";
LogMessage *parsed_message;
testcase_begin("Testing single-line /dev/kmsg parsing; msg='%s'", msg);
parsed_message = kmsg_parse_message(msg);
assert_guint16(parsed_message->pri, 5, "Unexpected message priority");
assert_log_message_value(parsed_message, LM_V_MSGID, "2");
msg[sizeof(msg) - 2] = '\0';
assert_log_message_value(parsed_message, LM_V_MESSAGE, msg + 6);
assert_log_kmsg_value(parsed_message, ".linux.timestamp", "1");
log_msg_unref(parsed_message);
testcase_end();
}
CK_RV do_InitToken(void)
{
CK_BYTE label[32];
int len;
CK_CHAR so_pin[PKCS11_MAX_PIN_LEN];
CK_RV rc = 0;
testcase_begin("testing C_InitToken");
memcpy(label, "L13 ", 32);
for (len = 0; len < 31;len++) {
if (label[len] == '\0') {
label[len] = ' ';
break;
}
}
testcase_new_assertion();
/* test with invalid SO PIN */
rc = funcs->C_InitToken(SLOT_ID, NULL, strlen((char *)so_pin), label);
if (rc != CKR_ARGUMENTS_BAD) {
testcase_fail("C_InitToken returned %s instead of "
"CKR_ARGUMENTS_BAD", p11_get_ckr(rc));
goto testcase_cleanup;
} else
testcase_pass("C_InitToken correctly return CKR_ARGUMENS_BAD.");
/* test with invalid slot id */
testcase_new_assertion();
rc = funcs->C_InitToken(99, so_pin, strlen((char *)so_pin), label);
if (rc != CKR_SLOT_ID_INVALID) {
testcase_fail("C_InitToken returned %s instead of "
"CKR_SLOT_ID_INVALID.", p11_get_ckr(rc));
rc = CKR_FUNCTION_FAILED;
} else {
testcase_pass("C_InitToken correctly returned CKR_SLOT_ID_INVALID.");
rc = CKR_OK;
}
testcase_cleanup:
return rc;
}
CK_RV do_GetTokenInfo(void)
{
CK_FLAGS flags;
CK_SESSION_HANDLE session;
CK_RV rc = 0;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_SLOT_ID slot_id = SLOT_ID;
CK_TOKEN_INFO info;
testcase_begin("testing C_GetTokenInfo()");
testcase_rw_session();
testcase_user_login();
testcase_new_assertion();
rc = funcs->C_GetTokenInfo(slot_id, &info);
if (rc != CKR_OK) {
testcase_fail("C_GetTokenInfo rc=%s", p11_get_ckr(rc));
return rc;
} else
testcase_pass("C_GetTokenInfo returned successfully");
/* Test with an invalid slot id */
testcase_new_assertion();
rc = funcs->C_GetTokenInfo(999, &info);
if (rc != CKR_SLOT_ID_INVALID) {
testcase_fail("C_GetTokenInfo() rc = %s", p11_get_ckr(rc));
goto testcase_cleanup;
}
testcase_pass("C_GetTokenInfo returned error when given invalid slot.");
testcase_cleanup:
testcase_user_logout();
if ((funcs->C_CloseSession(session)) != CKR_OK)
testcase_error("C_CloseSessions failed.");
return rc;
}
static void
test_template_on_error(void)
{
testcase_begin("Testing LogTemplate on-error parsing");
assert_on_error_parse("drop-message", ON_ERROR_DROP_MESSAGE);
assert_on_error_parse("silently-drop-message",
ON_ERROR_DROP_MESSAGE | ON_ERROR_SILENT);
assert_on_error_parse("drop-property", ON_ERROR_DROP_PROPERTY);
assert_on_error_parse("silently-drop-property",
ON_ERROR_DROP_PROPERTY | ON_ERROR_SILENT);
assert_on_error_parse("fallback-to-string", ON_ERROR_FALLBACK_TO_STRING);
assert_on_error_parse("silently-fallback-to-string",
ON_ERROR_FALLBACK_TO_STRING | ON_ERROR_SILENT);
assert_on_error_parse_fails("do-what-i-mean");
testcase_end();
}
static void
test_pipe_init_multi_success (void)
{
CfgTree tree;
testcase_begin ("A pipe of all good nodes will start & stop properly");
cfg_tree_init_instance (&tree, NULL);
create_and_attach_almighty_pipe (&tree, TRUE);
create_and_attach_almighty_pipe (&tree, TRUE);
create_and_attach_almighty_pipe (&tree, TRUE);
assert_true (cfg_tree_start (&tree),
"Starting a tree of all-good nodes works");
assert_true (cfg_tree_stop (&tree),
"Stopping a tree of all-good nodes works");
cfg_tree_free_instance (&tree);
testcase_end ();
}
void
test_kmsg_multi_line(void)
{
gchar msg[] = "6,202,98513;pci_root PNP0A08:00: host bridge window [io 0x0000-0x0cf7]\n" \
" SUBSYSTEM=acpi\n" \
" DEVICE=+acpi:PNP0A08:00\n";
LogMessage *parsed_message;
testcase_begin("Testing multi-line /dev/kmsg parsing; msg='%s'", msg);
parsed_message = kmsg_parse_message(msg);
assert_guint16(parsed_message->pri, 6, "Unexpected message priority");
assert_log_message_value(parsed_message, LM_V_MSGID, "202");
assert_log_message_value(parsed_message, LM_V_MESSAGE, "pci_root PNP0A08:00: host bridge window [io 0x0000-0x0cf7]");
assert_log_kmsg_value(parsed_message, ".linux.SUBSYSTEM", "acpi");
assert_log_kmsg_value(parsed_message, ".linux.DEVICE.type", "acpi");
assert_log_kmsg_value(parsed_message, ".linux.DEVICE.name", "PNP0A08:00");
log_msg_unref(parsed_message);
testcase_end();
}
static void
test_pipe_init_multi_with_bad_node (void)
{
AlmightyAlwaysPipe *pipe1, *pipe2, *pipe3;
CfgTree tree;
testcase_begin ("A pipe of some bad nodes will not start, but cleans up nicely.");
cfg_tree_init_instance (&tree, NULL);
pipe1 = create_and_attach_almighty_pipe (&tree, TRUE);
pipe2 = create_and_attach_almighty_pipe (&tree, FALSE);
pipe3 = create_and_attach_almighty_pipe (&tree, TRUE);
assert_false (cfg_tree_start (&tree),
"Starting a tree of all-good nodes works");
assert_true (cfg_tree_stop (&tree),
"Stopping a tree of all-good nodes works");
assert_true (pipe1->init_called,
"The initializer of the first good pipe is called");
assert_true (pipe2->init_called,
"The initializer of the bad pipe is called");
assert_false (pipe3->init_called,
"The initializer of the second good pipe is NOT called");
assert_true (pipe1->deinit_called,
"The deinitializer of the first good pipe is called");
assert_false (pipe2->deinit_called,
"The deinitializer of the bad pipe is NOT called");
assert_false (pipe3->deinit_called,
"The deinitializer of the second good pipe is NOT called");
cfg_tree_free_instance (&tree);
testcase_end ();
}
/** Tests triple DES multipart decryption with published test vectors **/
CK_RV do_DecryptUpdateDES3(struct published_test_suite_info *tsuite) {
int i; // test vector index
CK_BYTE expected[BIG_REQUEST];
CK_BYTE cipher[BIG_REQUEST];
CK_BYTE plaintext[BIG_REQUEST];
CK_ULONG expected_len, p_len, cipher_len, k;
CK_SLOT_ID slot_id = SLOT_ID;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_SESSION_HANDLE session;
CK_MECHANISM mech;
CK_OBJECT_HANDLE h_key;
CK_RV rc;
CK_FLAGS flags;
/** begin testsuite **/
testsuite_begin("%s Decryption.", tsuite->name);
testcase_rw_session();
testcase_user_login();
/** skip test if the slot does not support this mechanism **/
if (! mech_supported(slot_id, tsuite->mechanism)){
testsuite_skip(tsuite->tvcount,
"Slot %u doesn't support %s (%u)",
(unsigned int) slot_id,
mech_to_str(tsuite->mechanism),
(unsigned int) tsuite->mechanism);
goto testcase_cleanup;
}
/** iterate over test vectors **/
for (i = 0; i < tsuite->tvcount; i++){
/** begin test **/
testcase_begin("%s Decryption with test vector %d.", tsuite->name, i);
rc = CKR_OK; // set rc
/** clear buffers **/
memset(expected, 0, sizeof(expected));
memset(cipher, 0, sizeof(cipher));
memset(plaintext, 0, sizeof(plaintext));
p_len = sizeof(plaintext);
/** get plaintext (expected results) **/
expected_len = tsuite->tv[i].plen;
memcpy(expected, tsuite->tv[i].plaintext, expected_len);
/** get ciphertext **/
cipher_len = k = tsuite->tv[i].clen;
memcpy(cipher, tsuite->tv[i].ciphertext, cipher_len);
/** get mech **/
mech.mechanism = tsuite->mechanism;
mech.ulParameterLen = tsuite->tv[i].ivlen;
mech.pParameter = tsuite->tv[i].iv;
/** create key handle. **/
rc = create_DES3Key(session,
tsuite->tv[i].key,
tsuite->tv[i].klen,
&h_key);
if (rc != CKR_OK) {
testcase_error("C_CreateObject rc=%s", p11_get_ckr(rc));
goto testcase_cleanup;
}
/** initialize multipart (in-place) decryption **/
rc = funcs->C_DecryptInit(session, &mech, h_key);
if (rc != CKR_OK) {
testcase_error("C_DecryptInit rc=%s", p11_get_ckr(rc));
goto error;
}
/* do multipart encryption
* for chunks, -1 is NULL, and 0 is empty string,
* and a value > 0 is amount of data from test vector's
* plaintext data. The is way we test input in various sizes.
*/
if (tsuite->tv[i].num_chunks) {
int j;
CK_ULONG outlen, len;
CK_BYTE *data_chunk = NULL;
k = 0;
p_len = 0;
outlen = sizeof(plaintext);
for (j = 0; j < tsuite->tv[i].num_chunks; j++) {
if (tsuite->tv[i].chunks[j] == -1) {
len = 0;
data_chunk = NULL;
} else if (tsuite->tv[i].chunks[j] == 0) {
len = 0;
data_chunk = (CK_BYTE *)"";
} else {
len = tsuite->tv[i].chunks[j];
data_chunk = cipher + k;
}
rc = funcs->C_DecryptUpdate(session, data_chunk,
len,
&plaintext[p_len],
&outlen);
if (rc != CKR_OK) {
testcase_error("C_DecryptUpdate rc=%s",
p11_get_ckr(rc));
goto error;
}
k += len;
p_len += outlen;
outlen = sizeof(plaintext) - p_len;
}
} else {
p_len = sizeof(plaintext);
rc = funcs->C_DecryptUpdate(session, cipher, cipher_len,
plaintext, &p_len);
if (rc != CKR_OK) {
testcase_error("C_DecryptUpdate rc=%s",
p11_get_ckr(rc));
goto error;
}
}
k = sizeof(plaintext) - p_len;
rc = funcs->C_DecryptFinal(session, &plaintext[p_len], &k);
if (rc != CKR_OK) {
testcase_error("C_DecryptFinal rc=%s", p11_get_ckr(rc));
goto error;
}
/** compare decryption results with expected results. **/
testcase_new_assertion();
if (p_len != expected_len) {
testcase_fail("decrypted multipart data length does "
"not match test vector's decrypted data "
"length.\nexpected length=%ld, but "
"found length=%ld\n", expected_len,p_len);
}
else if (memcmp(plaintext, expected, expected_len)) {
testcase_fail("decrypted multipart data does not "
"match test vector's decrypted data.\n");
}
else {
testcase_pass("%s Multipart Decryption with test "
"vector %d passed.", tsuite->name, i);
}
/** clean up **/
rc = funcs->C_DestroyObject(session, h_key);
if (rc != CKR_OK) {
testcase_error("C_DestroyObject rc=%s.", p11_get_ckr(rc));
goto testcase_cleanup;
}
}
goto testcase_cleanup;
error:
rc = funcs->C_DestroyObject(session, h_key);
if (rc != CKR_OK)
testcase_error("C_DestroyObject rc=%s", p11_get_ckr(rc));
testcase_cleanup:
testcase_user_logout();
rc = funcs->C_CloseAllSessions(slot_id);
if (rc != CKR_OK) {
testcase_error("C_CloseAllSessions rc=%s", p11_get_ckr(rc));
}
return rc;
}
/** Tests triple DES decryption with published test vectors. **/
CK_RV do_DecryptDES3(struct published_test_suite_info *tsuite)
{
int i; // test vector index
CK_BYTE expected[BIG_REQUEST]; // decrypted data
CK_BYTE actual[BIG_REQUEST]; // decryption buffer
CK_ULONG expected_len, actual_len;
CK_SLOT_ID slot_id = SLOT_ID;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_SESSION_HANDLE session;
CK_MECHANISM mech;
CK_OBJECT_HANDLE h_key;
CK_RV rc;
CK_FLAGS flags;
/** begin testsuite **/
testsuite_begin("%s Decryption.", tsuite->name);
testcase_rw_session();
testcase_user_login();
/** skip test if the slot does not support this mechanism **/
if (! mech_supported(slot_id, tsuite->mechanism)){
testsuite_skip( tsuite->tvcount,
"Slot %u doesn't support %s (%u)",
(unsigned int) slot_id,
mech_to_str(tsuite->mechanism),
(unsigned int)tsuite->mechanism );
goto testcase_cleanup;
}
/** iterate over test vectors **/
for (i = 0; i < tsuite->tvcount; i++){
/** begin test **/
testcase_begin( "%s Decryption with test vector %d.",
tsuite->name, i );
rc = CKR_OK; // set rc
/** clear buffers **/
memset(expected, 0, sizeof(expected));
memset(actual, 0, sizeof(actual));
/** get plaintext (expected result) **/
expected_len = tsuite->tv[i].plen;
memcpy(expected, tsuite->tv[i].plaintext, expected_len);
/** get ciphertext **/
actual_len = tsuite->tv[i].clen;
memcpy(actual, tsuite->tv[i].ciphertext, actual_len);
/** get mechanism **/
mech.mechanism = tsuite->mechanism;
mech.ulParameterLen = tsuite->tv[i].ivlen;
mech.pParameter = tsuite->tv[i].iv;
/** create key handle. **/
rc = create_DES3Key( session,
tsuite->tv[i].key,
tsuite->tv[i].klen,
&h_key);
if (rc != CKR_OK) {
testcase_error("C_CreateObject rc=%s", p11_get_ckr(rc));
goto testcase_cleanup;
}
/** initialize single (in-place) decryption **/
rc = funcs->C_DecryptInit(session, &mech, h_key);
if (rc != CKR_OK) {
testcase_error("C_DecryptInit rc=%s", p11_get_ckr(rc));
goto error;
}
/** do single (in-place) decryption **/
rc = funcs->C_Decrypt( session,
actual,
actual_len,
actual,
&actual_len );
if (rc != CKR_OK){
testcase_error("C_Decrypt rc=%s", p11_get_ckr(rc));
goto error;
}
/** compare decryption results with expected results. **/
testcase_new_assertion();
if (actual_len != expected_len) {
testcase_fail("decrypted data length does not match "
"test vector's decrypted data length.\nexpected length="
"%ld, but found length=%ld\n",
expected_len, actual_len );
}
else if (memcmp(actual, expected, expected_len)) {
testcase_fail( "decrypted data does not match test "
"vector's decrypted data.\n" );
}
else {
testcase_pass( "%s Decryption with test vector %d "
"passed.", tsuite->name, i );
}
/** clean up **/
rc = funcs->C_DestroyObject(session, h_key);
if (rc != CKR_OK) {
testcase_error( "C_DestroyObject rc=%s.",
p11_get_ckr(rc) );
goto testcase_cleanup;
}
}
goto testcase_cleanup;
error:
rc = funcs->C_DestroyObject(session, h_key);
if (rc != CKR_OK)
testcase_error("C_DestroyObject rc=%s", p11_get_ckr(rc));
testcase_cleanup:
testcase_user_logout();
rc = funcs->C_CloseAllSessions(slot_id);
if (rc != CKR_OK) {
testcase_error("C_CloseAllSessions rc=%s", p11_get_ckr(rc));
}
return rc;
}
CK_RV do_DecryptUpdateAES(struct published_test_suite_info *tsuite)
{
int i;
CK_BYTE actual[BIG_REQUEST]; // decryption buffer
CK_BYTE expected[BIG_REQUEST]; // decrypted data
CK_ULONG actual_len, expected_len, original_len, k;
CK_ULONG user_pin_len;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_SESSION_HANDLE session;
CK_MECHANISM mech;
CK_OBJECT_HANDLE h_key;
CK_RV rc;
CK_FLAGS flags;
CK_SLOT_ID slot_id = SLOT_ID;
testsuite_begin("%s Multipart Decryption.", tsuite->name);
testcase_rw_session();
testcase_user_login();
/** skip tests if the slot doesn't support this mechanism **/
if (! mech_supported(slot_id, tsuite->mech.mechanism)){
testsuite_skip(tsuite->tvcount,
"Slot %u doesn't support %u",
(unsigned int) slot_id,
(unsigned int)tsuite->mech.mechanism);
goto testcase_cleanup;
}
for (i = 0; i < tsuite->tvcount; i++) {
testcase_begin("%s Multipart Decryption with published test "
"vector %d.", tsuite->name, i);
/** create key handle **/
rc = create_AESKey(session,
tsuite->tv[i].key,
tsuite->tv[i].klen,
&h_key);
if (rc != CKR_OK) {
testcase_error("C_CreateObject rc=%s", p11_get_ckr(rc));
goto error;
}
/** get mech **/
mech = tsuite->mech;
/** clear buffers **/
memset(expected, 0, sizeof(expected));
memset(actual, 0, sizeof(actual));
/** get plaintext (expected results) **/
expected_len = tsuite->tv[i].plen;
memcpy(expected, tsuite->tv[i].plaintext, expected_len);
/** get plaintext **/
original_len = tsuite->tv[i].clen;
actual_len = original_len;
memcpy(actual, tsuite->tv[i].ciphertext, actual_len);
/** multipart (in-place) decryption **/
rc = funcs->C_DecryptInit(session, &mech, h_key);
if (rc != CKR_OK) {
testcase_error("C_DecryptInit rc=%s", p11_get_ckr(rc));
goto error;
}
k = original_len;
actual_len = 0;
while (actual_len < original_len) {
rc = funcs->C_DecryptUpdate(session,
&actual[actual_len],
AES_BLOCK_SIZE,
&actual[actual_len],
&k);
if (rc != CKR_OK) {
testcase_error("C_DecryptUpdate rc=%s",
p11_get_ckr(rc));
goto error;
}
actual_len += k;
k = original_len - k;
}
/** according to pkcs11 spec,
nothing should be returned in final. **/
rc = funcs->C_DecryptFinal(session, &actual[actual_len], &k);
if (rc != CKR_OK) {
testcase_error("C_EncryptFinal rc=%s", p11_get_ckr(rc));
goto error;
}
/** compare decryption results with expected results. **/
testcase_new_assertion();
if (actual_len != expected_len) {
testcase_fail("decrypted multipart data length does "
"not match test vector's decrypted data "
"length.\n\nexpected length=%ld, but found "
"length=%ld\n", expected_len, actual_len);
}
else if (memcmp(actual, expected, expected_len)) {
testcase_fail("decrypted multipart data does not match"
" test vector's decrypted data.\n");
}
else {
testcase_pass("%s Multipart Decryption with test "
"vector %d passed.", tsuite->name, i);
}
}
/** clean up **/
rc = funcs->C_DestroyObject(session, h_key);
if (rc != CKR_OK) {
testcase_error("C_DestroyObject rc=%s", p11_get_ckr(rc));
goto testcase_cleanup;
}
goto testcase_cleanup;
error:
rc = funcs->C_DestroyObject(session, h_key);
if (rc != CKR_OK)
testcase_error("C_DestroyObject rc=%s", p11_get_ckr(rc));
testcase_cleanup:
testcase_user_logout();
rc = funcs->C_CloseAllSessions(slot_id);
if (rc != CKR_OK) {
testcase_error("C_CloseAllSessions rc=%s", p11_get_ckr(rc));
}
return rc;
}
CK_RV do_EncryptDecryptAES(struct generated_test_suite_info *tsuite)
{
int i;
CK_BYTE original[BIG_REQUEST];
CK_BYTE crypt[BIG_REQUEST + AES_BLOCK_SIZE];
CK_BYTE decrypt[BIG_REQUEST + AES_BLOCK_SIZE];
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG j;
CK_ULONG user_pin_len;
CK_ULONG orig_len, crypt_len, decrypt_len;
CK_SESSION_HANDLE session;
CK_MECHANISM mechkey, mech;
CK_OBJECT_HANDLE h_key;
CK_FLAGS flags;
CK_RV rc = 0;
CK_SLOT_ID slot_id = SLOT_ID;
testsuite_begin("%s Encryption/Decryption.",tsuite->name);
testcase_rw_session();
testcase_user_login();
/** skip tests if the slot doesn't support this mechanism **/
if (! mech_supported(slot_id, tsuite->mech.mechanism)){
testsuite_skip(3,
"Slot %u doesn't support %u",
(unsigned int) slot_id,
(unsigned int) tsuite->mech.mechanism);
goto testcase_cleanup;
}
/** iterate over test key sizes **/
for (i = 0; i < 3; i++) {
testcase_begin("%s Encryption/Decryption with key len=%ld.",
tsuite->name, key_lens[i]);
/** generate key **/
mechkey = aes_keygen;
rc = generate_AESKey(session, key_lens[i], &mechkey, &h_key);
if (rc != CKR_OK) {
testcase_error("C_GenerateKey rc=%s",
p11_get_ckr(rc));
goto testcase_cleanup;
}
/** clear buffers **/
memset(original,0,sizeof(original));
memset(crypt,0,sizeof(crypt));
memset(decrypt,0,sizeof(decrypt));
/** generate data **/
orig_len = sizeof(original);
for (j=0; j < orig_len; j++)
original[j] = j % 255;
/** set crypto mech **/
mech = tsuite->mech;
/** single encryption **/
rc = funcs->C_EncryptInit(session, &mech, h_key);
if (rc != CKR_OK) {
testcase_error("C_EncryptInit rc=%s",
p11_get_ckr(rc));
goto error;
}
crypt_len = sizeof(crypt);
rc = funcs->C_Encrypt(session,
original,
orig_len,
crypt,
&crypt_len);
if (rc != CKR_OK) {
testcase_error("C_Encrypt rc=%s",
p11_get_ckr(rc));
goto error;
}
/** single decryption **/
rc = funcs->C_DecryptInit(session, &mech, h_key);
if (rc != CKR_OK) {
testcase_error("C_DecryptInit rc=%s",
p11_get_ckr(rc));
goto testcase_cleanup;
}
decrypt_len = sizeof(decrypt);
rc = funcs->C_Decrypt(session,
crypt,
crypt_len,
decrypt,
&decrypt_len);
if (rc != CKR_OK) {
testcase_error("C_Decrypt rc=%s",
p11_get_ckr(rc));
goto testcase_cleanup;
}
/** compare actual results with expected results **/
testcase_new_assertion();
if (decrypt_len != orig_len) {
testcase_fail("decrypted data length does not "
"match original data length.\nexpected " "length=%ld, but found length=%ld\n",
orig_len, decrypt_len);
}
else if (memcmp(decrypt, original, orig_len)){
testcase_fail("decrypted data does not match "
"original data");
}
else {
testcase_pass("%s Encryption/Decryption with "
"key length %ld passed.", tsuite->name, key_lens[i]);
}
}
/** clean up **/
rc = funcs->C_DestroyObject(session, h_key);
if (rc != CKR_OK) {
testcase_error("C_DestroyObject rc=%s", p11_get_ckr(rc));
}
goto testcase_cleanup;
error:
rc = funcs->C_DestroyObject(session, h_key);
if (rc != CKR_OK)
testcase_error("C_DestroyObject rc=%s.", p11_get_ckr(rc));
testcase_cleanup:
testcase_user_logout();
rc = funcs->C_CloseAllSessions(slot_id);
if (rc != CKR_OK) {
testcase_error("C_CloseAllSessions rc=%s", p11_get_ckr(rc));
}
return rc;
}
/** Tests signature verification with published test vectors. **/
CK_RV do_SignVerify_HMAC(struct HMAC_TEST_SUITE_INFO *tsuite) {
int i;
CK_MECHANISM mech;
CK_BYTE key[MAX_KEY_SIZE];
CK_ULONG key_len;
CK_BYTE data[MAX_DATA_SIZE];
CK_ULONG data_len;
CK_BYTE actual[MAX_HASH_SIZE];
CK_ULONG actual_len;
CK_BYTE expected[MAX_HASH_SIZE];
CK_ULONG expected_len;
CK_SESSION_HANDLE session;
CK_SLOT_ID slot_id = SLOT_ID;
CK_ULONG flags;
CK_RV rc;
CK_OBJECT_HANDLE h_key;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
/** begin testsuite **/
testsuite_begin("%s Sign Verify.", tsuite->name);
testcase_rw_session();
testcase_user_login();
rc = CKR_OK; // set rc
/** skip test if mech is not supported with this slot **/
if (! mech_supported(SLOT_ID, tsuite->mech.mechanism)) {
testsuite_skip(tsuite->tvcount,
"mechanism %s is not supported with slot %ld",
tsuite->name, slot_id);
goto testcase_cleanup;
}
/** iterate over test vectors **/
for(i = 0; i < tsuite->tvcount; i++) {
/** begin test **/
testcase_begin("Sign Verify %s with test vector %d.",
tsuite->name, i);
/** clear buffers **/
memset(key, 0, sizeof(key));
memset(data, 0, sizeof(data));
memset(actual, 0, sizeof(actual));
memset(expected, 0, sizeof(expected));
/** get test vector info **/
key_len = tsuite->tv[i].key_len;
data_len = tsuite->tv[i].data_len;
actual_len = sizeof(actual);
expected_len = tsuite->tv[i].hash_len;
memcpy(key, tsuite->tv[i].key, key_len);
memcpy(data, tsuite->tv[i].data, data_len);
memcpy(expected, tsuite->tv[i].result, expected_len);
/** get mechanism **/
mech = tsuite->mech;
/** create key object **/
rc = create_GenericSecretKey(session, key, key_len, &h_key);
if(rc != CKR_OK) {
testcase_error("create_GenericSecretKey rc=%s",
p11_get_ckr(rc));
goto error;
}
/** initialize signing **/
rc = funcs->C_SignInit(session, &mech, h_key);
if (rc != CKR_OK) {
testcase_error("C_SignInit rc=%s", p11_get_ckr(rc));
goto error;
}
/** do signing **/
rc = funcs->C_Sign(session,
data,
data_len,
actual,
&actual_len);
if (rc != CKR_OK) {
testcase_error("C_Sign rc=%s", p11_get_ckr(rc));
goto error;
}
/** initilaize verification **/
rc = funcs->C_VerifyInit(session, &mech, h_key);
if (rc != CKR_OK) {
testcase_error("C_VerifyInit rc=%s", p11_get_ckr(rc));
goto error;
}
/** do verification **/
rc = funcs->C_Verify(session,
data,
data_len,
actual,
actual_len);
if (rc != CKR_OK) {
testcase_error("C_Verify rc=%s", p11_get_ckr(rc));
goto error;
}
/** compare sign/verify results with expected results **/
testcase_new_assertion();
if(actual_len != expected_len) {
testcase_fail("hashed data length does not match test "
"vector's hashed data length\nexpected length="
"%ld, found length=%ld",
expected_len, actual_len);
}
else if(memcmp(actual, expected, expected_len)) {
testcase_fail("hashed data does not match test "
"vector's hashed data");
}
else {
testcase_pass("%s Sign Verify with test vector %d "
"passed.", tsuite->name, i);
}
/** clean up **/
rc = funcs->C_DestroyObject(session, h_key);
if (rc != CKR_OK) {
testcase_error("C_DestroyObject rc=%s.",
p11_get_ckr(rc));
goto testcase_cleanup;
}
}
goto testcase_cleanup;
error:
rc = funcs->C_DestroyObject(session, h_key);
if (rc != CKR_OK) {
testcase_error("C_DestroyObject rc=%s", p11_get_ckr(rc));
}
testcase_cleanup:
testcase_user_logout();
rc = funcs->C_CloseAllSessions(slot_id);
if (rc != CKR_OK) {
testcase_error("C_CloseAllSessions rc=%s", p11_get_ckr(rc));
}
return rc;
}
/** Tests multipart message digest with published test vectors. **/
CK_RV do_DigestUpdate(struct digest_test_suite_info *tsuite)
{
int i;
CK_BYTE data[MAX_DATA_SIZE];
CK_ULONG data_len;
CK_BYTE actual[MAX_HASH_SIZE];
CK_ULONG actual_len;
CK_BYTE expected[MAX_HASH_SIZE];
CK_ULONG expected_len;
CK_MECHANISM mech;
CK_SESSION_HANDLE session;
CK_SLOT_ID slot_id = SLOT_ID;
CK_ULONG flags;
CK_RV rc;
/** begin test **/
testsuite_begin("Starting %s Multipart Digest.", tsuite->name);
testcase_rw_session();
/** skip test if mech is not supported with this slot **/
if (! mech_supported(slot_id, tsuite->mech.mechanism)) {
testsuite_skip(tsuite->tvcount,
"mechanism %s is not supported with slot %ld",
tsuite->name, slot_id);
goto testcase_cleanup;
}
/** iterate over test vectors **/
for(i = 0; i < tsuite->tvcount; i++) {
/** begin test **/
testcase_begin("Starting %s Multipart Digest with test vector %d.",
tsuite->name, i);
rc = CKR_OK; // set rc
/** clear buffers **/
memset(data, 0, sizeof(data));
memset(actual, 0, sizeof(actual));
memset(expected, 0, sizeof(expected));
/** get test vector info **/
data_len = tsuite->tv[i].data_len;
expected_len = tsuite->tv[i].hash_len;
memcpy(data, tsuite->tv[i].data, data_len);
memcpy(expected, tsuite->tv[i].hash, expected_len);
/** get mechanism **/
mech = tsuite->mech;
/** initialize multipart digest **/
rc = funcs->C_DigestInit(session, &mech);
if (rc != CKR_OK) {
testcase_error("C_DigestInit rc=%s", p11_get_ckr(rc));
goto testcase_cleanup;
}
actual_len = sizeof(actual);
/** do multipart digest **/
if (data_len > 0) {
rc = funcs->C_DigestUpdate(session, &data[0], data_len);
if (rc != CKR_OK) {
testcase_error("C_DigestUpdate rc=%s",
p11_get_ckr(rc));
goto testcase_cleanup;
}
}
/** finalize multipart digest **/
rc = funcs->C_DigestFinal(session, actual, &actual_len);
if (rc != CKR_OK) {
testcase_error("C_DigestFinal rc=%s", p11_get_ckr(rc));
goto testcase_cleanup;
}
/** compare multipart digest results with expected results **/
testcase_new_assertion();
if (actual_len != expected_len) {
testcase_fail("hashed multipart data length does not "
"match test vector's hashed data length.\n");
}
else if (memcmp(actual, expected, expected_len)) {
testcase_fail("hashed multipart data does not match "
"test vector's hashed data.\n");
}
else {
testcase_pass("%s Multipart Digest with test vector "
"%d passed.", tsuite->name, i);
}
}
testcase_cleanup:
rc = funcs->C_CloseAllSessions(slot_id);
if (rc != CKR_OK) {
testcase_error("C_CloseAllSessions rc=%s", p11_get_ckr(rc));
}
return rc;
}
/* API Routines exercised that take /var/lock/LCK..opencryptoki spinlock.
* C_OpenSession
* C_CloseSession
*
* API routines exercised that result in stdll taking
* /var/lock/opencryptoki_stdll spinlock.
* C_FindObjectsInit
* C_FindObjects
* C_CreateObject
*
* 1) Create 3 certificates as PUBLIC token objects
* 2) Search for a particular CKA_ID. Verify that this works.
* 3) Do FindObjects with a NULL template. Verify that all 3 token objects
* are found.
* 4) Search for a particular CKA_ID. Verify it works.
* 5) Search for a non-existant CKA_ID. Verify it returns nothing.
* 6) Close all sessions. Then create a new session.
* 7) Search for a particular CKA_ID. Verify it works.
* 8) Search for a non-existant CKA_ID. Verify it returns nothing.
* 9) Destroy all 3 token objects
*/
CK_RV do_CreateTokenObjects(void)
{
int i, got_it = 0;
CK_SLOT_ID slot_id;
CK_FLAGS flags;
CK_SESSION_HANDLE h_session;
CK_RV rc = 0, loc_rc = 0;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_BYTE true = TRUE;
CK_BYTE false = FALSE;
CK_OBJECT_HANDLE h_cert1;
CK_OBJECT_CLASS cert1_class = CKO_CERTIFICATE;
CK_CERTIFICATE_TYPE cert1_type = CKC_X_509;
CK_BYTE cert1_subject[] = "Certificate subject #1";
CK_BYTE cert1_id[] = "Certificate ID #1";
CK_BYTE cert1_value[] = "AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz";
CK_ATTRIBUTE cert1_attribs[] =
{
{CKA_CLASS, &cert1_class, sizeof(cert1_class) },
{CKA_TOKEN, &true, sizeof(true) },
{CKA_CERTIFICATE_TYPE, &cert1_type, sizeof(cert1_type) },
{CKA_SUBJECT, &cert1_subject, sizeof(cert1_subject) },
{CKA_ID, &cert1_id, sizeof(cert1_id) },
{CKA_VALUE, &cert1_value, sizeof(cert1_value) },
{CKA_PRIVATE, &false, sizeof(false) }
};
CK_OBJECT_HANDLE h_cert2;
CK_OBJECT_CLASS cert2_class = CKO_CERTIFICATE;
CK_CERTIFICATE_TYPE cert2_type = CKC_X_509;
CK_BYTE cert2_subject[] = "Certificate subject #2";
CK_BYTE cert2_id[] = "Certificate ID #2";
CK_BYTE cert2_value[] = "AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz";
CK_ATTRIBUTE cert2_attribs[] =
{
{CKA_CLASS, &cert2_class, sizeof(cert2_class) },
{CKA_TOKEN, &true, sizeof(true) },
{CKA_CERTIFICATE_TYPE, &cert2_type, sizeof(cert2_type) },
{CKA_SUBJECT, &cert2_subject, sizeof(cert2_subject) },
{CKA_ID, &cert2_id, sizeof(cert2_id) },
{CKA_VALUE, &cert2_value, sizeof(cert2_value) },
{CKA_PRIVATE, &false, sizeof(false) }
};
CK_OBJECT_HANDLE h_cert3;
CK_OBJECT_CLASS cert3_class = CKO_CERTIFICATE;
CK_CERTIFICATE_TYPE cert3_type = CKC_X_509;
CK_BYTE cert3_subject[] = "Certificate subject #3";
CK_BYTE cert3_id[] = "Certificate ID #3";
CK_BYTE cert3_value[] = "AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz";
CK_ATTRIBUTE cert3_attribs[] =
{
{CKA_CLASS, &cert3_class, sizeof(cert3_class) },
{CKA_TOKEN, &true, sizeof(true) },
{CKA_CERTIFICATE_TYPE, &cert3_type, sizeof(cert3_type) },
{CKA_SUBJECT, &cert3_subject, sizeof(cert3_subject) },
{CKA_ID, &cert3_id, sizeof(cert3_id) },
{CKA_VALUE, &cert3_value, sizeof(cert3_value) },
{CKA_PRIVATE, &false, sizeof(false) }
};
CK_BYTE find1_id[] = "Certificate ID #2";
CK_ATTRIBUTE find1_attribs[] =
{
{CKA_ID, &find1_id, sizeof(find1_id)}
};
CK_BYTE find2_id[] = "Certificate ID #123456";
CK_ATTRIBUTE find2_attribs[] =
{
{CKA_ID, &find2_id, sizeof(find2_id)}
};
CK_OBJECT_HANDLE obj_list[10];
CK_ULONG find_count;
testcase_begin("starting...");
if (get_user_pin(user_pin))
return CKR_FUNCTION_FAILED;
user_pin_len = (CK_ULONG)strlen((char *)user_pin);
slot_id = SLOT_ID;
/* create a USER R/W session */
flags = CKF_SERIAL_SESSION | CKF_RW_SESSION;
rc = funcs->C_OpenSession(slot_id, flags, NULL, NULL, &h_session);
if (rc != CKR_OK) {
testcase_fail("C_OpenSession() rc = %s", p11_get_ckr(rc));
return rc;
}
rc = funcs->C_Login(h_session, CKU_USER, user_pin, user_pin_len);
if (rc != CKR_OK) {
testcase_fail("C_Login() rc = %s", p11_get_ckr(rc));
return rc;
}
/* create the token objects */
rc = funcs->C_CreateObject(h_session, cert1_attribs, 7, &h_cert1);
if (rc != CKR_OK) {
testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
return rc;
}
rc = funcs->C_CreateObject(h_session, cert2_attribs, 7, &h_cert2);
if (rc != CKR_OK) {
testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
goto destroy_1;
}
rc = funcs->C_CreateObject(h_session, cert3_attribs, 7, &h_cert3);
if (rc != CKR_OK) {
testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
goto destroy_2;
}
/* now, search for the 2nd object */
rc = funcs->C_FindObjectsInit(h_session, find1_attribs, 1);
if (rc != CKR_OK) {
testcase_fail("C_FindObjectsInit() rc = %s", p11_get_ckr(rc));
goto destroy;
}
rc = funcs->C_FindObjects(h_session, obj_list, 10, &find_count);
if (rc != CKR_OK) {
testcase_fail("C_FindObjects() rc = %s", p11_get_ckr(rc));
goto destroy;
}
/* step through list and find 2nd object's handle */
for (i=0; i<find_count; i++) {
if (obj_list[i] == h_cert2)
got_it++;
}
if (got_it == 0) {
testcase_fail("could not find 2nd object's handle");
rc = -1;
goto destroy;
}
rc = funcs->C_FindObjectsFinal(h_session);
if (rc != CKR_OK) {
testcase_fail("C_FindObjectsFinal() rc = %s", p11_get_ckr(rc));
goto destroy;
}
/* now, search for a non-existant attribute */
rc = funcs->C_FindObjectsInit(h_session, find2_attribs, 1);
if (rc != CKR_OK) {
testcase_fail("C_FindObjectsInit() rc = %s", p11_get_ckr(rc));
goto destroy;
}
rc = funcs->C_FindObjects(h_session, obj_list, 10, &find_count);
if (rc != CKR_OK) {
testcase_fail("C_FindObjects() rc = %s", p11_get_ckr(rc));
goto destroy;
}
if (find_count != 0) {
testcase_fail("found %ld objects when none where expected", find_count);
rc = -1;
goto destroy;
}
rc = funcs->C_FindObjectsFinal(h_session);
if (rc != CKR_OK) {
testcase_fail("C_FindObjectsFinal() rc = %s", p11_get_ckr(rc));
goto destroy;
}
/* done...close all sessions and open a new one */
rc = funcs->C_CloseAllSessions( slot_id );
if (rc != CKR_OK) {
testcase_fail("C_CloseAllSessions() rc = %s", p11_get_ckr(rc));
goto destroy;
}
/* create a USER R/W session */
flags = CKF_SERIAL_SESSION | CKF_RW_SESSION;
rc = funcs->C_OpenSession(slot_id, flags, NULL, NULL, &h_session);
if (rc != CKR_OK) {
testcase_fail("C_OpenSession() rc = %s", p11_get_ckr(rc));
goto destroy;
}
rc = funcs->C_Login(h_session, CKU_USER, user_pin, user_pin_len);
if (rc != CKR_OK) {
testcase_fail("C_Login() rc = %s", p11_get_ckr(rc));
goto destroy;
}
/* now, search for the 2nd object */
rc = funcs->C_FindObjectsInit(h_session, find1_attribs, 1);
if (rc != CKR_OK) {
testcase_fail("C_FindObjectsInit() rc = %s", p11_get_ckr(rc));
goto destroy;
}
rc = funcs->C_FindObjects(h_session, obj_list, 10, &find_count);
if (rc != CKR_OK) {
testcase_fail("C_FindObjects() rc = %s", p11_get_ckr(rc));
goto destroy;
}
/* step through list and find 2nd object's handle */
for (i=0; i<find_count; i++) {
if (obj_list[i] == h_cert2)
got_it++;
}
if (got_it == 0) {
testcase_fail("could not find 2nd object's handle in new session");
rc = -1;
goto destroy;
}
rc = funcs->C_FindObjectsFinal(h_session);
if (rc != CKR_OK) {
testcase_fail("C_FindObjectsFinal() rc = %s", p11_get_ckr(rc));
goto destroy;
}
/* now, search for a non-existant attribute */
rc = funcs->C_FindObjectsInit(h_session, find2_attribs, 1);
if (rc != CKR_OK) {
testcase_fail("C_FindObjectsInit() rc = %s", p11_get_ckr(rc));
goto destroy;
}
rc = funcs->C_FindObjects(h_session, obj_list, 10, &find_count);
if (rc != CKR_OK) {
testcase_fail("C_FindObjects() rc = %s", p11_get_ckr(rc));
goto destroy;
}
if (find_count != 0) {
testcase_fail("found %ld objects when none where expected", find_count);
rc = -1;
goto destroy;
}
rc = funcs->C_FindObjectsFinal(h_session);
if (rc != CKR_OK) {
testcase_fail("C_FindObjectsFinal() rc = %s", p11_get_ckr(rc));
goto destroy;
}
testcase_pass("Looks okay...");
/* Destroy the created objects, don't clobber the rc */
destroy:
loc_rc = funcs->C_DestroyObject(h_session, h_cert3);
if (loc_rc != CKR_OK)
testcase_error("C_DestroyObject() loc_rc = %s", p11_get_ckr(loc_rc));
destroy_2:
loc_rc = funcs->C_DestroyObject(h_session, h_cert2);
if (loc_rc != CKR_OK)
testcase_error("C_DestroyObject() loc_rc = %s", p11_get_ckr(loc_rc));
destroy_1:
loc_rc = funcs->C_DestroyObject(h_session, h_cert1);
if (loc_rc != CKR_OK)
testcase_error("C_DestroyObject() loc_rc = %s", p11_get_ckr(loc_rc));
/* done...close the session */
loc_rc = funcs->C_CloseAllSessions(slot_id);
if (loc_rc != CKR_OK)
testcase_error("C_CloseAllSessions() loc_rc = %s", p11_get_ckr(loc_rc));
return rc;
}
/* API Routines exercised that take /var/lock/LCK..opencryptoki spinlock.
* C_OpenSession
* C_CloseSession
*
* API routines exercised that result in stdll taking
* /var/lock/opencryptoki_stdll spinlock.
* C_CreateObject
* C_GetAttributeValue
* C_SetAttributeValue
*
* 1) create a certificate object with no CKA_SERIAL_NUMBER or CKA_ISSUER
* 2) add CKA_SERIAL_NUMBER and CKA_ISSUER and modify CKA_ID.
* verify this works.
* 3) try to modify CKA_VALUE and CKA_ID in a single call to
* C_SetAttributeValue. verify that this fails correctly and that
* the object is not modified.
*/
CK_RV do_SetAttributeValues(void)
{
CK_SLOT_ID slot_id;
CK_FLAGS flags;
CK_SESSION_HANDLE h_session;
CK_RV rc = 0, loc_rc = 0;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_BYTE true = TRUE;
CK_OBJECT_HANDLE h_cert;
CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE;
CK_CERTIFICATE_TYPE cert_type = CKC_X_509;
CK_BYTE cert_subject[] = "Certificate subject";
CK_BYTE cert_id[] = "Certificate ID";
CK_BYTE cert_value[] = "AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz";
CK_ATTRIBUTE cert_attribs[] =
{
{CKA_CLASS, &cert_class, sizeof(cert_class) },
{CKA_TOKEN, &true, sizeof(true) },
{CKA_CERTIFICATE_TYPE, &cert_type, sizeof(cert_type) },
{CKA_SUBJECT, &cert_subject, sizeof(cert_subject) },
{CKA_ID, &cert_id, sizeof(cert_id) },
{CKA_VALUE, &cert_value, sizeof(cert_value) }
};
CK_BYTE cert_id2[] = "New ID";
CK_BYTE cert_issuer[] = "Certificate Issuer";
CK_BYTE cert_ser_no[] = "Serial Number: 12345";
CK_ATTRIBUTE update_attr[] =
{
{CKA_SERIAL_NUMBER, &cert_ser_no, sizeof(cert_ser_no) },
{CKA_ISSUER, &cert_issuer, sizeof(cert_issuer) },
{CKA_ID, &cert_id2, sizeof(cert_id2) }
};
CK_BYTE cert_value2[] = "Invalid Value";
CK_BYTE cert_id3[] = "ID #3";
CK_ATTRIBUTE invalid_attr[] =
{
{CKA_VALUE, &cert_value2, sizeof(cert_value2) },
{CKA_ID, &cert_id3, sizeof(cert_id3) }
};
testcase_begin("starting...");
if (get_user_pin(user_pin))
return CKR_FUNCTION_FAILED;
user_pin_len = (CK_ULONG)strlen((char *)user_pin);
slot_id = SLOT_ID;
/* create a USER R/W session */
flags = CKF_SERIAL_SESSION | CKF_RW_SESSION;
rc = funcs->C_OpenSession(slot_id, flags, NULL, NULL, &h_session);
if (rc != CKR_OK) {
testcase_fail("C_OpenSession() rc = %s", p11_get_ckr(rc));
return rc;
}
rc = funcs->C_Login(h_session, CKU_USER, user_pin, user_pin_len);
if (rc != CKR_OK) {
testcase_fail("C_Login() rc = %s", p11_get_ckr(rc));
return rc;
}
/* create the object */
rc = funcs->C_CreateObject(h_session, cert_attribs, 6, &h_cert);
if (rc != CKR_OK) {
testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
return rc;
}
/* Add CKA_SERIAL_NUMBER and CKA_ISSUER and change the
* existing CKA_ID
*/
rc = funcs->C_SetAttributeValue(h_session, h_cert, update_attr, 3);
if (rc != CKR_OK) {
testcase_fail("C_SetAttributeValue() rc = %s", p11_get_ckr(rc));
goto done;
}
else {
CK_BYTE buf1[100];
CK_BYTE buf2[100];
CK_BYTE buf3[100];
CK_ATTRIBUTE check1[] =
{
{CKA_ISSUER, &buf1, sizeof(buf1)},
{CKA_SERIAL_NUMBER, &buf2, sizeof(buf2)},
{CKA_ID, &buf3, sizeof(buf3)}
};
rc = funcs->C_GetAttributeValue(h_session, h_cert, (CK_ATTRIBUTE *)&check1, 3);
if (rc != CKR_OK) {
testcase_fail("C_GetAttributeValue() rc = %s", p11_get_ckr(rc));
goto done;
}
if (memcmp(check1[0].pValue, cert_issuer, check1[0].ulValueLen) != 0) {
testcase_fail("CKA_ISSUER mismatch");
rc = -1;
goto done;
}
if (memcmp(check1[1].pValue, cert_ser_no, check1[1].ulValueLen) != 0) {
testcase_fail("CKA_SERIAL_NUMBER mismatch");
return -1;
}
if (memcmp(check1[2].pValue, cert_id2, check1[2].ulValueLen) != 0) {
testcase_fail("CKA_ID mismatch");
rc = -1;
goto done;
}
}
/* the next template tries to update a CK_ID (valid) and
* CKA_VALUE (read-only). the entire operation should fail -- no
* attributes should get modified
*/
rc = funcs->C_SetAttributeValue(h_session, h_cert, invalid_attr, 2);
if (rc != CKR_ATTRIBUTE_READ_ONLY) {
testcase_fail("C_SetAttributeValue() rc = %s (expected CKR_ATTRIBUTE_READ_ONLY)", p11_get_ckr(rc));
goto done;
}
else {
CK_BYTE buf1[100];
CK_ATTRIBUTE check1[] =
{
{CKA_ID, &buf1, sizeof(buf1)}
};
rc = funcs->C_GetAttributeValue(h_session, h_cert, check1, 1);
if (rc != CKR_OK) {
testcase_fail("C_GetAttributeValue() rc = %s", p11_get_ckr(rc));
goto done;
}
if (memcmp(check1[0].pValue, cert_id2, check1[0].ulValueLen) != 0) {
testcase_fail("CKA_ID mismatch");
rc = -1;
goto done;
}
}
testcase_pass("Looks okay...");
done:
/* now destroy the objects but don't clobber rc */
loc_rc = funcs->C_DestroyObject(h_session, h_cert);
if (loc_rc != CKR_OK)
testcase_error("C_DestroyObject() loc_rc = %s", p11_get_ckr(loc_rc));
/* done...close the session */
loc_rc = funcs->C_CloseAllSessions(slot_id);
if (loc_rc != CKR_OK)
testcase_error("C_CloseAllSessions() loc_rc = %s", p11_get_ckr(loc_rc));
return rc;
}
/* API Routines exercised that take /var/lock/LCK..opencryptoki spinlock.
* C_OpenSession
* C_CloseSession
*
* API Routines exercised that cause stdll to take /var/lock/opencryptoki_stdll
* spinlock.
* C_CreateObject
* C_Login
*
* 1) create a data object
* 2) create a certificate
* 3) create a key object
*/
CK_RV do_CreateSessionObject(void)
{
CK_SLOT_ID slot_id;
CK_FLAGS flags;
CK_SESSION_HANDLE h_session;
CK_RV rc = 0;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_BYTE true = TRUE;
CK_BYTE false = FALSE;
CK_OBJECT_HANDLE h_data;
CK_OBJECT_CLASS data_class = CKO_DATA;
CK_BYTE data_application[] = "Test Application";
CK_BYTE data_value[] = "1234567890abcedfghijklmnopqrstuvwxyz";
CK_ATTRIBUTE data_attribs[] =
{
{CKA_CLASS, &data_class, sizeof(data_class) },
{CKA_TOKEN, &false, sizeof(false) },
{CKA_APPLICATION, &data_application, sizeof(data_application) },
{CKA_VALUE, &data_value, sizeof(data_value) }
};
CK_OBJECT_HANDLE h_cert;
CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE;
CK_CERTIFICATE_TYPE cert_type = CKC_X_509;
CK_BYTE cert_subject[] = "Certificate subject";
CK_BYTE cert_id[] = "Certificate ID";
CK_BYTE cert_value[] = "AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz";
CK_ATTRIBUTE cert_attribs[] =
{
{CKA_CLASS, &cert_class, sizeof(cert_class) },
{CKA_TOKEN, &false, sizeof(false) },
{CKA_CERTIFICATE_TYPE, &cert_type, sizeof(cert_type) },
{CKA_SUBJECT, &cert_subject, sizeof(cert_subject) },
{CKA_ID, &cert_id, sizeof(cert_id) },
{CKA_VALUE, &cert_value, sizeof(cert_value) }
};
CK_OBJECT_HANDLE h_key;
CK_OBJECT_CLASS key_class = CKO_PUBLIC_KEY;
CK_KEY_TYPE key_type = CKK_RSA;
CK_BYTE key_modulus[] = "1234567890987654321";
CK_BYTE key_exponent[] = "123";
CK_ATTRIBUTE key_attribs[] =
{
{CKA_CLASS, &key_class, sizeof(key_class) },
{CKA_KEY_TYPE, &key_type, sizeof(key_type) },
{CKA_WRAP, &true, sizeof(true) },
{CKA_MODULUS, &key_modulus, sizeof(key_modulus) },
{CKA_PUBLIC_EXPONENT, &key_exponent, sizeof(key_exponent) }
};
testcase_begin("starting...");
if (get_user_pin(user_pin))
return CKR_FUNCTION_FAILED;
user_pin_len = (CK_ULONG)strlen((char *)user_pin);
slot_id = SLOT_ID;
// create a USER R/W session
//
flags = CKF_SERIAL_SESSION | CKF_RW_SESSION;
rc = funcs->C_OpenSession(slot_id, flags, NULL, NULL, &h_session);
if (rc != CKR_OK) {
testcase_fail("C_OpenSession() rc = %s", p11_get_ckr(rc));
return rc;
}
rc = funcs->C_Login(h_session, CKU_USER, user_pin, user_pin_len);
if (rc != CKR_OK) {
testcase_fail("C_Login() rc = %s", p11_get_ckr(rc));
return rc;
}
//
// now, create the objects
//
rc = funcs->C_CreateObject(h_session, data_attribs, 4, &h_data);
if (rc != CKR_OK) {
testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
return rc;
}
rc = funcs->C_CreateObject(h_session, cert_attribs, 6, &h_cert);
if (rc != CKR_OK) {
testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
return rc;
}
rc = funcs->C_CreateObject(h_session, key_attribs, 5, &h_key);
if (rc != CKR_OK) {
testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
return rc;
}
// done...close the session and verify the object is deleted
//
rc = funcs->C_CloseAllSessions(slot_id);
if (rc != CKR_OK) {
testcase_fail("C_CloseAllSessions() rc=%s", p11_get_ckr(rc));
return rc;
}
testcase_pass("looks okay...");
return rc;
}
/** Tests triple DES encryption & decryption using generated keys **/
CK_RV do_EncryptDecryptDES3(struct generated_test_suite_info *tsuite) {
int j;
CK_BYTE original[BIG_REQUEST];
CK_BYTE crypt[BIG_REQUEST + DES3_BLOCK_SIZE];
CK_BYTE decrypt[BIG_REQUEST + DES3_BLOCK_SIZE];
CK_ULONG crypt_len, decrypt_len, original_len;
CK_SLOT_ID slot_id = SLOT_ID;
CK_SESSION_HANDLE session;
CK_MECHANISM mech, mechkey;
CK_OBJECT_HANDLE h_key;
CK_FLAGS flags;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_RV rc;
/** begin test **/
testcase_begin("%s Encryption/Decryption tests with key generation.",
tsuite->name);
testcase_rw_session();
testcase_user_login();
/** skip test if the slot does not support this mechanism **/
if (! mech_supported(slot_id, tsuite->mech.mechanism)){
testcase_skip("Slot %u doesn't support %s (%u)",
(unsigned int) slot_id,
mech_to_str(tsuite->mech.mechanism),
(unsigned int)tsuite->mech.mechanism);
goto testcase_cleanup;
}
/** clear buffers **/
memset(original,0,sizeof(original));
memset(crypt,0,sizeof(crypt));
memset(decrypt,0,sizeof(decrypt));
/** generate test data **/
original_len = sizeof(original);
crypt_len = sizeof(crypt);
decrypt_len = sizeof(decrypt);
for (j=0; j < original_len; j++)
original[j] = j % 255;
/** set mechanism for key gen **/
mechkey = des3_keygen;
/** generate key **/
rc = funcs->C_GenerateKey(session, &mechkey, NULL, 0, &h_key);
if (rc != CKR_OK) {
testcase_error("C_GenerateKey rc=%s", p11_get_ckr(rc));
goto error;
}
/** set mech for crypto **/
mech = tsuite->mech;
/** initialize single encryption **/
rc = funcs->C_EncryptInit(session, &mech, h_key);
if (rc != CKR_OK) {
testcase_error("C_EncryptInit rc=%s", p11_get_ckr(rc));
goto error;
}
/** do single encryption **/
rc = funcs->C_Encrypt(session, original, original_len, crypt, &crypt_len);
if (rc != CKR_OK) {
testcase_error("C_Encrypt rc=%s", p11_get_ckr(rc));
goto error;
}
/** initialize single decryption **/
rc = funcs->C_DecryptInit(session, &mech, h_key);
if (rc != CKR_OK) {
testcase_error("C_DecryptInit rc=%s", p11_get_ckr(rc));
goto error;
}
/** do single decryption **/
rc = funcs->C_Decrypt(session, crypt, crypt_len, decrypt, &decrypt_len);
if (rc != CKR_OK) {
testcase_error("C_Decrypt rc=%s", p11_get_ckr(rc));
goto error;
}
/** compare encryption/decryption results with expected results. **/
testcase_new_assertion();
if (decrypt_len != original_len) {
testcase_fail("decrypted data length does not match original data "
"length.\nexpected length=%ld, but found length=%ld\n",
original_len, decrypt_len);
}
else if(memcmp(decrypt, original, original_len)){
testcase_fail("decrypted data does not match original data");
}
else {
testcase_pass("%s Encryption/Decryption test passed.", tsuite->name);
}
/** clean up **/
rc = funcs->C_DestroyObject(session, h_key);
if (rc != CKR_OK) {
testcase_error("C_DestroyObject rc=%s", p11_get_ckr(rc));
}
goto testcase_cleanup;
error:
rc = funcs->C_DestroyObject(session, h_key);
if (rc != CKR_OK)
testcase_error("C_DestroyObject rc=%s.", p11_get_ckr(rc));
testcase_cleanup:
testcase_user_logout();
rc = funcs->C_CloseAllSessions(slot_id);
if (rc != CKR_OK) {
testcase_error("C_CloseAllSessions rc=%s", p11_get_ckr(rc));
}
return rc;
}
/** Tests triple DES multipart encryption & multipart decryption using generated keys. **/
CK_RV do_EncryptDecryptUpdateDES3(struct generated_test_suite_info *tsuite) {
int i,j,k;
CK_BYTE original[BIG_REQUEST];
CK_BYTE crypt[BIG_REQUEST + DES3_BLOCK_SIZE];
CK_BYTE decrypt[BIG_REQUEST + DES3_BLOCK_SIZE];
CK_ULONG crypt_len, decrypt_len, original_len, tmp;
CK_SLOT_ID slot_id = SLOT_ID;
CK_SESSION_HANDLE session;
CK_MECHANISM mech, mechkey;
CK_OBJECT_HANDLE h_key;
CK_FLAGS flags;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_RV rc;
/** begin test **/
testcase_begin("%s Multipart Encryption/Decryption tests with key generation.", tsuite->name);
testcase_rw_session();
testcase_user_login();
/** skip test if the slot does not support this mechanism **/
if (! mech_supported(slot_id, tsuite->mech.mechanism)){
testcase_skip("Slot %u doesn't support %s (%u)",
(unsigned int) slot_id,
mech_to_str(tsuite->mech.mechanism),
(unsigned int) tsuite->mech.mechanism);
goto testcase_cleanup;
}
/** clear buffers **/
memset(original,0,sizeof(original));
memset(crypt,0,sizeof(crypt));
memset(decrypt,0,sizeof(decrypt));
/** generate test data **/
original_len = sizeof(original);
crypt_len = sizeof(crypt);
decrypt_len = sizeof(decrypt);
for (j=0; j < original_len; j++)
original[j] = j % 255;
/** set mechanism for key gen **/
mechkey = des3_keygen;
/** generate key **/
rc = funcs->C_GenerateKey( session, &mechkey, NULL, 0, &h_key );
if (rc != CKR_OK) {
testcase_error("C_GenerateKey rc=%s", p11_get_ckr(rc));
goto error;
}
/** set mech for crypto **/
mech = tsuite->mech;
/** initialize multipart encryption **/
rc = funcs->C_EncryptInit( session, &mech, h_key );
if (rc != CKR_OK) {
testcase_error("C_EncryptInit rc=%s", p11_get_ckr(rc));
goto error;
}
/* do multipart (in-place) encryption for all mechs but CBC_PAD since
* it pads and pkcs padding can make it unclear about what is
* output at what stage. (See pkcs11v2.20 Section 11.2)
*/
if (mech.mechanism != CKM_DES3_CBC_PAD) {
memcpy(crypt, original, original_len);
k = 0;
while (k < original_len) {
rc = funcs->C_EncryptUpdate(session, &crypt[k],
DES3_BLOCK_SIZE,
&crypt[k], &crypt_len);
if (rc != CKR_OK) {
testcase_error("C_EncryptUpdate rc=%s",
p11_get_ckr(rc));
goto error;
}
k += crypt_len; // encrypted amount
crypt_len = sizeof(crypt) - k; // space in out buf
}
} else {
i = k = 0; // i indexes source buffer
// k indexes destination buffer
tmp = 0;
while (i < original_len) {
tmp = crypt_len - k; // room is left in mpcrypt
rc = funcs->C_EncryptUpdate(session, &original[i],
DES3_BLOCK_SIZE, &crypt[k],
&tmp);
if (rc != CKR_OK) {
testcase_error("C_EncryptUpdate rc=%s",
p11_get_ckr(rc));
goto error;
}
k += tmp;
i += DES3_BLOCK_SIZE;
}
crypt_len -= k;
}
rc = funcs->C_EncryptFinal(session, &crypt[k], &crypt_len);
if (rc != CKR_OK) {
testcase_error("C_EncryptFinal rc=%s", p11_get_ckr(rc));
goto error;
}
crypt_len += k;
/** initialize multipart decryption **/
rc = funcs->C_DecryptInit( session, &mech, h_key );
if (rc != CKR_OK) {
testcase_error("C_DecryptInit rc=%s", p11_get_ckr(rc));
goto error;
}
/* do multipart (in-place) encryption for all mechs but CBC_PAD since
* it pads and pkcs padding can make it unclear about what is
* output at what stage. (See pkcs11v2.20 Section 11.2)
*/
if (mech.mechanism != CKM_DES3_CBC_PAD) {
memcpy(decrypt, crypt, crypt_len);
decrypt_len = crypt_len;
k = 0;
while (k < crypt_len) {
rc = funcs->C_DecryptUpdate(session, &decrypt[k],
DES3_BLOCK_SIZE,
&decrypt[k], &decrypt_len);
if (rc != CKR_OK) {
testcase_error("C_DecryptUpdate rc=%s",
p11_get_ckr(rc));
goto error;
}
k += decrypt_len;
decrypt_len = crypt_len - k;
}
} else {
i = k = 0;
while (i < crypt_len) {
tmp = decrypt_len - k; // room left in mpdecrypt
rc = funcs->C_DecryptUpdate(session, &crypt[i],
DES3_BLOCK_SIZE,
&decrypt[k], &tmp);
if (rc != CKR_OK) {
testcase_error("C_DecryptUpdate rc=%s",
p11_get_ckr(rc));
goto error;
}
k += tmp;
i += DES3_BLOCK_SIZE;
}
decrypt_len = sizeof(decrypt) - k;
}
rc = funcs->C_DecryptFinal(session, &decrypt[k], &decrypt_len);
if (rc != CKR_OK) {
testcase_error("C_DecryptFinal rc=%s", p11_get_ckr(rc));
goto error;
}
decrypt_len += k;
/** compare multipart encryption/decryption results with expected results. **/
testcase_new_assertion();
if (decrypt_len != original_len) {
testcase_fail("decrypted multipart data length does not match "
"original data length.\nexpected length=%ld, but "
"found length=%ld\n", original_len, decrypt_len);
}
else if(memcmp(decrypt, original, original_len)){
testcase_fail("decrypted multipart data does not match "
"original data");
}
else {
testcase_pass("%s Multipart Encryption/Decryption test passed.",
tsuite->name);
}
error:
rc = funcs->C_DestroyObject(session, h_key);
if (rc != CKR_OK)
testcase_error("C_DestroyObject rc=%s.", p11_get_ckr(rc));
testcase_cleanup:
testcase_user_logout();
rc = funcs->C_CloseAllSessions(slot_id);
if (rc != CKR_OK) {
testcase_error("C_CloseAllSessions rc=%s", p11_get_ckr(rc));
}
return rc;
}
/* API Routines exercised that take /var/lock/LCK..opencryptoki spinlock.
* C_OpenSession
* C_CloseSession
*
* API routines exercised that result in stdll taking
* /var/lock/opencryptoki_stdll spinlock.
* C_CreateObject
* C_CopyObject
* C_DestroyObject
* C_GetAttributeValue
* C_GetObjectSize
*
* 1) create a data object with no CKA_APPLICATION attribute
* 2) create a copy of the object specifying the CKA_APPLICATION attribute
* 3) extract the CK_VALUE attribute from the copy. Ensure matches the original
* 4) extract the CKA_APPLICATION attribute from the original. ensure empty.
* 5) extract the CKA_APPLICATION attribute from the copy. ensure is correct.
* 6) attempt to extract CK_PRIME from the original. ensure fails correctly.
* 7) attempt to extract CK_PRIME from a non-existant object. ensure fails
* correctly.
* 8) get the size of the original object and copied objects
* 9) destroy the original object. ensure this succeeds.
* A) destroy a non-existant object. ensure this fails correctly.
* B) get the size of the original object. ensure this fails correctly.
*/
CK_RV do_CopyObject(void)
{
CK_SLOT_ID slot_id;
CK_FLAGS flags;
CK_SESSION_HANDLE h_session;
CK_RV rc = 0, loc_rc = 0;
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_ULONG obj_size;
CK_BYTE true = TRUE;
CK_OBJECT_HANDLE h_data;
CK_OBJECT_CLASS data_class = CKO_DATA;
CK_BYTE data_application[] = "Test Application";
CK_BYTE data_value[] = "1234567890abcedfghijklmnopqrstuvwxyz";
CK_ATTRIBUTE data_attribs[] =
{
{CKA_CLASS, &data_class, sizeof(data_class) },
{CKA_TOKEN, &true, sizeof(true) },
{CKA_VALUE, &data_value, sizeof(data_value) }
};
CK_OBJECT_HANDLE h_copy;
CK_ATTRIBUTE copy_attribs[] =
{
{CKA_APPLICATION, &data_application, sizeof(data_application) }
};
CK_BYTE buf1[100];
CK_ATTRIBUTE verify_attribs[] =
{
{CKA_APPLICATION, &buf1, sizeof(buf1) }
};
CK_BYTE buf2[100];
CK_ATTRIBUTE prime_attribs[] =
{
{CKA_PRIME, &buf2, sizeof(buf2) }
};
testcase_begin("starting...");
if (get_user_pin(user_pin))
return CKR_FUNCTION_FAILED;
user_pin_len = (CK_ULONG)strlen((char *)user_pin);
slot_id = SLOT_ID;
/* create a USER R/W session */
flags = CKF_SERIAL_SESSION | CKF_RW_SESSION;
rc = funcs->C_OpenSession(slot_id, flags, NULL, NULL, &h_session);
if (rc != CKR_OK) {
testcase_fail("C_OpenSession() rc = %s", p11_get_ckr(rc));
return rc;
}
rc = funcs->C_Login(h_session, CKU_USER, user_pin, user_pin_len);
if (rc != CKR_OK) {
testcase_fail("C_Login() rc = %s", p11_get_ckr(rc));
return rc;
}
/* create the object */
rc = funcs->C_CreateObject(h_session, data_attribs, 3, &h_data);
if (rc != CKR_OK) {
testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
return rc;
}
/* create the copy */
rc = funcs->C_CopyObject(h_session, h_data, copy_attribs, 1, &h_copy);
if (rc != CKR_OK) {
testcase_fail("C_CopyObject() rc = %s", p11_get_ckr(rc));
goto destroy_1;
}
/* now, try to extract the CKA_APPLICATION attribute from the original
* this will pull in the token's default value for CKA_APPLICATION which
*/
verify_attribs[0].ulValueLen = sizeof(buf1);
rc = funcs->C_GetAttributeValue(h_session, h_data, verify_attribs, 1);
if (rc != CKR_OK) {
testcase_fail("C_GetAttributeValue() rc=%s", p11_get_ckr(rc));
goto destroy;
}
/* now, try to extract the CKA_APPLICATION attribute from the copy */
verify_attribs[0].ulValueLen = sizeof(buf1);
rc = funcs->C_GetAttributeValue(h_session, h_copy, verify_attribs, 1);
if (rc != CKR_OK) {
testcase_fail("C_GetAttributeValue() rc=%s", p11_get_ckr(rc));
goto destroy;
}
if (memcmp(&data_application, verify_attribs[0].pValue, sizeof(data_application)) != 0) {
testcase_fail("extracted attribute doesn't match");
rc = -1;
goto destroy;
}
/* now, try to extract CKA_PRIME from the original.
* this should not exist
*/
prime_attribs[0].ulValueLen = sizeof(buf2);
rc = funcs->C_GetAttributeValue(h_session, h_data, prime_attribs, 1);
if (rc != CKR_ATTRIBUTE_TYPE_INVALID) {
testcase_fail("C_GetAttributeValue() rc = %s (expected CKR_ATTRIBUTE_TYPE_INVALID)", p11_get_ckr(rc));
goto destroy;
}
/* now, try to extract CKA_PRIME from a bogus object handle.
* this should not exist
*/
rc = funcs->C_GetAttributeValue(h_session, 98765, prime_attribs, 1);
if (rc != CKR_OBJECT_HANDLE_INVALID) {
testcase_fail("C_GetAttributeValue() rc = %s (expected CKR_OBJECT_HANDLE_INVALID)", p11_get_ckr(rc));
goto destroy;
}
/* now, get the size of the original object */
rc = funcs->C_GetObjectSize(h_session, h_data, &obj_size);
if (rc != CKR_OK) {
testcase_fail("C_GetObjectSize() rc = %s", p11_get_ckr(rc));
goto destroy;
}
testcase_pass("Looks okay...");
destroy:
/* now, destroy the original object and the copy */
loc_rc = funcs->C_DestroyObject(h_session, h_copy);
if (loc_rc != CKR_OK)
testcase_error("C_DestroyObject() loc_rc = %s", p11_get_ckr(loc_rc));
destroy_1:
loc_rc = funcs->C_DestroyObject(h_session, h_data);
if (loc_rc != CKR_OK)
testcase_error("C_DestroyObject() loc_rc = %s", p11_get_ckr(loc_rc));
loc_rc = funcs->C_CloseAllSessions(slot_id);
if (loc_rc != CKR_OK)
testcase_error("C_CloseAllSessions() loc_rc=%s", p11_get_ckr(loc_rc));
return rc;
}
