aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRob Austein <sra@hactrn.net>2016-06-10 15:10:23 -0400
committerRob Austein <sra@hactrn.net>2016-06-10 15:10:23 -0400
commit0a4d6f682f140026242d1b93f8ce816ca79f55ec (patch)
tree18593caaf272d6b2beca82295588e70315af03ed
parent079d5ffc207fc2609b9293f9efe4781bed493ee0 (diff)
Update unit tests to match new behavior: we no longer allow private
keys to be stored as session objects, so test that doing so fails as expected, and update other tests to specify CKA_TOKEN = True.
-rw-r--r--unit_tests.py66
1 files changed, 29 insertions, 37 deletions
diff --git a/unit_tests.py b/unit_tests.py
index 3c359fb..923d108 100644
--- a/unit_tests.py
+++ b/unit_tests.py
@@ -231,41 +231,44 @@ class TestKeys(unittest.TestCase):
self.assertEqual(p11.C_GetAttributeValue(self.session, private_handle, CKA_CLASS), {CKA_CLASS: CKO_PRIVATE_KEY})
def test_keygen_token_vs_session(self):
- self.assertIsKeypair(
- p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_TOKEN = False,
- CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256,
- CKA_SIGN = True, CKA_VERIFY = True))
+
+ # XXX pkcs11.c currently generates the wrong error code if the
+ # user tries to generate a keypair with the private key as
+ # a session object. Refusing to allow this is deliberate
+ # (we have no way to protect such private keys), but
+ # returning CKR_FUNCTION_FAILED is wrong. Fixing this
+ # will require minor work in pkcs11.c and perhaps in libhal.
+ #
+ # For the moment, I'm just testing for the (known) wrong
+ # exception while I make sure that the library is in fact
+ # behaving as I expect it to behave.
+
+ with self.assertRaises(CKR_FUNCTION_FAILED):
+ p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_TOKEN = False,
+ CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256,
+ CKA_SIGN = True, CKA_VERIFY = True)
+
self.assertIsKeypair(
p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_TOKEN = True,
CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256,
CKA_SIGN = True, CKA_VERIFY = True))
+
self.assertIsKeypair(
p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN,
public_CKA_TOKEN = False, private_CKA_TOKEN = True,
CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256,
CKA_SIGN = True, CKA_VERIFY = True))
- self.assertIsKeypair(
+
+ with self.assertRaises(CKR_FUNCTION_FAILED):
p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN,
public_CKA_TOKEN = True, private_CKA_TOKEN = False,
CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256,
- CKA_SIGN = True, CKA_VERIFY = True))
-
- def test_gen_sign_verify_ecdsa_p256_sha256_token(self):
- public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_TOKEN = True,
- CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256,
- CKA_SIGN = True, CKA_VERIFY = True)
- self.assertIsKeypair(public_key, private_key)
- hamster = "Your mother was a hamster"
- p11.C_SignInit(self.session, CKM_ECDSA_SHA256, private_key)
- sig = p11.C_Sign(self.session, hamster)
- self.assertIsInstance(sig, str)
- p11.C_VerifyInit(self.session, CKM_ECDSA_SHA256, public_key)
- p11.C_Verify(self.session, hamster, sig)
+ CKA_SIGN = True, CKA_VERIFY = True)
- def test_gen_sign_verify_ecdsa_p256_sha256_session(self):
- public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_TOKEN = False,
+ def test_gen_sign_verify_ecdsa_p256_sha256(self):
+ public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN,
CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256,
- CKA_SIGN = True, CKA_VERIFY = True)
+ CKA_SIGN = True, CKA_VERIFY = True, CKA_TOKEN = True)
self.assertIsKeypair(public_key, private_key)
hamster = "Your mother was a hamster"
p11.C_SignInit(self.session, CKM_ECDSA_SHA256, private_key)
@@ -278,7 +281,7 @@ class TestKeys(unittest.TestCase):
#if not args.all_tests: self.skipTest("SHA-384 not available in current build")
public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN,
CKA_ID = "EC-P384", CKA_EC_PARAMS = self.oid_p384,
- CKA_SIGN = True, CKA_VERIFY = True)
+ CKA_SIGN = True, CKA_VERIFY = True, CKA_TOKEN = True)
self.assertIsKeypair(public_key, private_key)
hamster = "Your mother was a hamster"
p11.C_SignInit(self.session, CKM_ECDSA_SHA384, private_key)
@@ -291,7 +294,7 @@ class TestKeys(unittest.TestCase):
#if not args.all_tests: self.skipTest("SHA-512 not available in current build")
public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN,
CKA_ID = "EC-P521", CKA_EC_PARAMS = self.oid_p521,
- CKA_SIGN = True, CKA_VERIFY = True)
+ CKA_SIGN = True, CKA_VERIFY = True, CKA_TOKEN = True)
self.assertIsKeypair(public_key, private_key)
hamster = "Your mother was a hamster"
p11.C_SignInit(self.session, CKM_ECDSA_SHA512, private_key)
@@ -300,7 +303,7 @@ class TestKeys(unittest.TestCase):
p11.C_VerifyInit(self.session, CKM_ECDSA_SHA512, public_key)
p11.C_Verify(self.session, hamster, sig)
- def test_gen_sign_verify_rsa_1024_token(self):
+ def test_gen_sign_verify_rsa_1024(self):
public_key, private_key = p11.C_GenerateKeyPair(
self.session, CKM_RSA_PKCS_KEY_PAIR_GEN, CKA_MODULUS_BITS = 1024,
CKA_ID = "RSA-1024", CKA_SIGN = True, CKA_VERIFY = True, CKA_TOKEN = True)
@@ -312,23 +315,11 @@ class TestKeys(unittest.TestCase):
p11.C_VerifyInit(self.session, CKM_SHA512_RSA_PKCS, public_key)
p11.C_Verify(self.session, hamster, sig)
- def test_gen_sign_verify_rsa_1024_session(self):
- public_key, private_key = p11.C_GenerateKeyPair(
- self.session, CKM_RSA_PKCS_KEY_PAIR_GEN, CKA_MODULUS_BITS = 1024,
- CKA_ID = "RSA-1024", CKA_SIGN = True, CKA_VERIFY = True, CKA_TOKEN = False)
- self.assertIsKeypair(public_key, private_key)
- hamster = "Your mother was a hamster"
- p11.C_SignInit(self.session, CKM_SHA512_RSA_PKCS, private_key)
- sig = p11.C_Sign(self.session, hamster)
- self.assertIsInstance(sig, str)
- p11.C_VerifyInit(self.session, CKM_SHA512_RSA_PKCS, public_key)
- p11.C_Verify(self.session, hamster, sig)
-
def test_gen_sign_verify_rsa_2048(self):
if not args.all_tests: self.skipTest("RSA key generation is still painfully slow")
public_key, private_key = p11.C_GenerateKeyPair(
self.session, CKM_RSA_PKCS_KEY_PAIR_GEN, CKA_MODULUS_BITS = 2048,
- CKA_ID = "RSA-2048", CKA_SIGN = True, CKA_VERIFY = True)
+ CKA_ID = "RSA-2048", CKA_SIGN = True, CKA_VERIFY = True, CKA_TOKEN = True)
self.assertIsKeypair(public_key, private_key)
hamster = "Your mother was a hamster"
p11.C_SignInit(self.session, CKM_SHA512_RSA_PKCS, private_key)
@@ -387,6 +378,7 @@ class TestKeys(unittest.TestCase):
def test_gen_sign_verify_reload_ecdsa_p256_sha256(self):
public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN,
+ public_CKA_TOKEN = False, private_CKA_TOKEN = True,
CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256,
CKA_SIGN = True, CKA_VERIFY = True)
self.assertIsKeypair(public_key, private_key)