author | Rob Austein <sra@hactrn.net> | 2016-06-10 23:48:01 -0400 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2016-06-10 23:48:01 -0400 |
commit | 68d2f20cda53463222f70290fda2b8d2a17fef6b (patch) | |
tree | e48bbc0810a66bca7d86057356c5996a8302de5d /unit_tests.py | |
parent | 5e349fa7c3aa2c60a457b3d799032a6fc62dc43a (diff) |
Support split keypairs, where private key is a token object and public
key is a session object. Doesn't actually save us anything, but Jakob
tells us that this makes a difference on some HSMs, so people use
this kind of setup and we need to support it.
Explicitly disallow private keys as session objects, since we have no
way to protect them. Update unit-tests now that we return the correct
error code for this case.
Diffstat (limited to 'unit_tests.py')
-rw-r--r-- | unit_tests.py | 15 |
1 files changed, 2 insertions, 13 deletions
diff --git a/unit_tests.py b/unit_tests.py
index 4d09b6a..e218b42 100644
--- a/unit_tests.py
+++ b/unit_tests.py
@@ -234,18 +234,7 @@ class TestKeys(unittest.TestCase):
 def test_keygen_token_vs_session(self):
- # XXX pkcs11.c currently generates the wrong error code if the
- # user tries to generate a keypair with the private key as
- # a session object. Refusing to allow this is deliberate
- # (we have no way to protect such private keys), but
- # returning CKR_FUNCTION_FAILED is wrong. Fixing this
- # will require minor work in pkcs11.c and perhaps in libhal.
- #
- # For the moment, I'm just testing for the (known) wrong
- # exception while I make sure that the library is in fact
- # behaving as I expect it to behave.
-
- with self.assertRaises(CKR_FUNCTION_FAILED):
+ with self.assertRaises(CKR_TEMPLATE_INCONSISTENT):
 p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_TOKEN = False, CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256, CKA_SIGN = True, CKA_VERIFY = True)
@@ -261,7 +250,7 @@ class TestKeys(unittest.TestCase):
 CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256, CKA_SIGN = True, CKA_VERIFY = True))
- with self.assertRaises(CKR_FUNCTION_FAILED):
+ with self.assertRaises(CKR_TEMPLATE_INCONSISTENT):
 p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, public_CKA_TOKEN = True, private_CKA_TOKEN = False, CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256, |
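Review bot: The first `assertRaises` in `test_keygen_token_vs_session` no longer says why `CKA_TOKEN = False` must be rejected, because the whole comment was deleted along with its stale XXX part. The rationale is still current according to the commit message (the library has no way to protect a private key held as a session object), and it is the security property this test pins. I would keep one line above the `with`, for example `# Private keys may not be session objects (we cannot protect them); expect CKR_TEMPLATE_INCONSISTENT.` The method body continues past the end of this hunk.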
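Review bot: The `public_CKA_TOKEN = True, private_CKA_TOKEN = False` case in the second hunk checks only the error code, so it would still pass if the rejected call had already stored the public half as a token object. A token object outlives the session, so a leftover public key from a refused request would persist unnoticed. It would be worth following the `assertRaises` block with an assertion that the objects visible on the token are the same before and after the failed call. The rest of this call's arguments and the end of the method are outside the hunk, so such a check may already exist further down.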