aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2018-03-03Doh, mutexes work better when plugged in.Rob Austein
2018-03-03Cleanup.Rob Austein
2018-03-03First cut at timing test using multiple threads.Rob Austein
At the moment this only works with a single worker thread: multiple threads get weird errors from PKCS #11. This is probably a PKCS #11 implementation issue rather than a bug in this script. So, in the spirit of test-driven development, this script is the failing test.
2017-05-20Clean up C_GetTokenInfo().Rob Austein
2017-05-20HMAC notes.Rob Austein
2017-05-20Clean up ancient cruft: p11util, SQL-based hsmbully test.Rob Austein
p11util has long since been overtaken by developments: everything it used to do is now doable on the console, and if for some reason we really needed a tool to change PINs via the RPC port, we could do it in a dozen lines of Python using the cryptech.libhal RPC API. hsmbully may still be a useful test, but all the antics with configuring SQL database and on-disk keystores is long since obsolete.
2017-05-19More access control cleanup.Rob Austein
2017-05-19Start cleaning up info functions.Rob Austein
2017-05-19Consolidate session-state-based access control.Rob Austein
2017-05-18Translate more PKCS #11 attributes into HAL_KEY_FLAG_* settings.Rob Austein
2017-05-18Clean up a few gratuitous obscurities.Rob Austein
2017-05-10Clean up default location of PKCS #11 library.Rob Austein
2017-05-09Update README.md.Rob Austein
2017-05-04Regression tests for today's C_FindObjects() bugfixes.Rob Austein
2017-05-04Doh, C_FindObjects() works better if we preserve its state across calls.Rob Austein
2017-05-04Support using C_GetFunctionList() instead of library symbols.Rob Austein
The Python ctypes library allows us direct access to the public symbols of a shared library, so we never bothered to implement support for using the dispatch vector returned by C_GetFunctionList(). Well, it turns out that there are useful debugging tools like pkcs11-spy which require the dispatch vector support, so refactor to add it.
2017-04-14Python interface API will need to be cryptech.py11 for installation.Rob Austein
2017-04-11Track API changes on sw/libhal pkcs8 branch.Rob Austein
2017-04-08Track API changes in sw/libhal pkcs8 branch.Rob Austein
2017-03-08Check for cryptech_muxd when setting LIBHAL_TARGET.Rob Austein
2017-03-03Clean up time-signature script.Rob Austein
2017-03-01Flip default connection method from "serial" to "daemon".Rob Austein
2017-03-01Test all key types by default.Rob Austein
2017-03-01Timing test script.Rob Austein
2017-01-31Be more careful with handle cleanup, to support parallel testing.Rob Austein
2016-11-22Remove SQLite3 from build, no longer needed.Rob Austein
2016-11-22Doh, C_GetAttributeValue() lost descriptor lookup during conversion from SQL.Rob Austein
Track change from hal_rpc_pkey_attribute_t to hal_pkey_attribute_t.
2016-11-21Start shaking bugs out of new pkcs11.c code. Still pretty broken.Rob Austein
2016-11-20Compiles without SQLite3. Does not run (yet).Rob Austein
2016-11-19New branch for PKCS #11 without SQLite3. Checkpoint, doesn't compile yet.Rob Austein
We're going to want this in a separate branch from ksng at least for a little while, so that we can flip back and forth easily to run the same tests. Current code doesn't even compile yet, but is far enough along to be worth backing up off-machine.
2016-11-14hal_rpc_pkey_find() -> hal_rpc_pkey_open().Rob Austein
2016-10-25Remove unused column from schema.Rob Austein
2016-10-25Track libhal HAL_DIGEST_ALGORITHM_ change.Rob Austein
2016-10-16Clean Python compiled byte code too.Rob Austein
2016-10-07Track changes to libhal RPC pkey API.Rob Austein
2016-09-09Track removal of `type` argument from hal_rpc_pkey_find().Rob Austein
2016-09-03Hack PKCS #11 to work with revised libhal pkey API.Rob Austein
2016-08-16More pkcs11test fixes: nuanced read-only, error code proliferation.Rob Austein
PKCS #11's notion of a "read-only" session is odd: read-only sessions can still create/modify/destroy objects, just not "token" objects. C_SeedRandom() has its own special "nope, didn't implement that" error code, apparently the one everything else uses wasn't good enough. C_Login() has different error codes for "you're already logged in" and "you're already logged in as somebody else".
2016-08-14First round of fixes for bugs found by Google pkcs11test.Rob Austein
Testing against https://github.com/google/pkcs11test.git found various bugs, some trivial, some more interesting, some arguably places where the specification is looser than pkcs11test. I'm still digging through the test results, but this commit fixes several of the most obvious issues.
2016-08-10Shared library symbol versioning support from Ondrej Sury (thanks!).Rob Austein
Apparently this is how the cool kids handle hiding library-internal symbols now, using objcopy is old hat. Ondrey tells us that this should work on GNU/Linux and on *BSD, which, at the moment, just leaves OSX, which we already handle with an OSX-specific kludge.
2016-08-10Allow environment (eg, Debian build) to augment CFLAGS.Rob Austein
2016-08-10Add regression test for borked or missing PKCS #1.5 DigestInfo.Rob Austein
Oleg found a cute bug where C_SignUpdate() and C_SignFinal() would generate an incorrect signature which C_VerifyUpdate() and C_VerifyFinal() would think was fine because the verification code had essentially the same bug as the signature code. None of this applied to the (much) more commonly used C_Sign() and C_Verify() functions, which is why nobody noticed until now. Bug fixed in sw/libhal commit 36dfaf0adbddbb9f1f7852911228b3ab24ba01aa but we need a regression test to make sure we don't reintroduce the bug. So we add a test which computes the signature both ways, then verifies it with PyCrypto as well as both ways with our own code. We should probably be doing more comparisons of RSA results with PyCrypto. For ECDSA with non-deterministic signatures it's a bit harder, but more checking against the Python ecdsa library would still be a good idea.
2016-07-13Add "cryptech" to public "pkcs11" names.Rob Austein
Database location environment variable is now CRYPTECH_PKCS11_DATABASE. Installed library is now libcryptech-pkcs11.{so,dylib}.
2016-07-12Light the "user PIN initialized" bit, for OpenSSL's pkcs11 engine.Rob Austein
Like several other recent commits, this just nails up some value which really should be coming from the HSM via some as-yet-unwritten RPC call, but that can wait until after the upcoming workshop.
2016-07-12Whoops, CKR_BUFFER_TOO_SMALL doesn't terminate a sign or digest operation.Rob Austein
2016-07-12Add a few missing informational functions that pkcs11-tool wanted.Rob Austein
opensc's pkcs11-tool wants to use C_GetInfo(), C_GetSlotInfo(), and C_GetMechanismList(). All are trivial functions, but we hadn't implemented any of them. As with most of the informational functions, some of the returned values are nonsense: in the long run, fixing this just means adding one or more new informational queries to the RPC protocol, but I'm not going to do that while we're in, well, not code freeze, but at least code jello. Adding C_GetMechanismList() exposed that we had never added all the SHA-224 variants to pkcs11.c: since these are just a pass-through to libhal, adding them now seems low-risk (famous last words). Closes #40.
2016-07-07Disable RPC daemon on all platforms for now.Rob Austein
2016-07-07Clean up test code that made sense on the Novena but not on the Alpha.Rob Austein
2016-06-30libhal's RPC MUX daemon doesn't work with Apple's lame sockets implementation.Rob Austein
Apple, for reasons unknown, chose not to implement SOCK_SEQPACKET. This works on Linux and *BSD, and libhal's MUX daemon uses it to avoid having to add its own framing protocol on top of SOCK_STREAM. So, at least for now, Mac OS X will not support the multiplex daemon, only direct connection to the HSM by a single client.
2016-06-28Move hal_pkey_* columns from the object table intoRob Austein
{session,token}_object tables to preserve the mapping from pkcs11 token objects to libhal pkey objects.