From 0a4d6f682f140026242d1b93f8ce816ca79f55ec Mon Sep 17 00:00:00 2001
From: Rob Austein
Date: Fri, 10 Jun 2016 15:10:23 -0400
Subject: Update unit tests to match new behavior: we no longer allow private keys to be stored as session objects, so test that doing so fails as expected, and update other tests to specify CKA_TOKEN = True.
---
unit_tests.py | 66 ++++++++++++++++++++++++++---------------------------------
1 file changed, 29 insertions(+), 37 deletions(-)
diff --git a/unit_tests.py b/unit_tests.py
index 3c359fb..923d108 100644
--- a/unit_tests.py
+++ b/unit_tests.py
@@ -231,41 +231,44 @@ class TestKeys(unittest.TestCase): self.assertEqual(p11.C_GetAttributeValue(self.session, private_handle, CKA_CLASS), {CKA_CLASS: CKO_PRIVATE_KEY}) def test_keygen_token_vs_session(self): - self.assertIsKeypair( - p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_TOKEN = False, - CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256, - CKA_SIGN = True, CKA_VERIFY = True)) + + # XXX pkcs11.c currently generates the wrong error code if the + # user tries to generate a keypair with the private key as + # a session object. Refusing to allow this is deliberate + # (we have no way to protect such private keys), but + # returning CKR_FUNCTION_FAILED is wrong. Fixing this + # will require minor work in pkcs11.c and perhaps in libhal. + # + # For the moment, I'm just testing for the (known) wrong + # exception while I make sure that the library is in fact + # behaving as I expect it to behave. + + with self.assertRaises(CKR_FUNCTION_FAILED): + p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_TOKEN = False, + CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256, + CKA_SIGN = True, CKA_VERIFY = True) + self.assertIsKeypair( p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_TOKEN = True, CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256, CKA_SIGN = True, CKA_VERIFY = True)) + self.assertIsKeypair( p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, public_CKA_TOKEN = False, private_CKA_TOKEN = True, CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256, CKA_SIGN = True, CKA_VERIFY = True)) - self.assertIsKeypair( + + with self.assertRaises(CKR_FUNCTION_FAILED): p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, public_CKA_TOKEN = True, private_CKA_TOKEN = False, CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256, - CKA_SIGN = True, CKA_VERIFY = True)) - - def test_gen_sign_verify_ecdsa_p256_sha256_token(self): - public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_TOKEN = True, - CKA_ID = 
"EC-P256", CKA_EC_PARAMS = self.oid_p256, - CKA_SIGN = True, CKA_VERIFY = True) - self.assertIsKeypair(public_key, private_key) - hamster = "Your mother was a hamster" - p11.C_SignInit(self.session, CKM_ECDSA_SHA256, private_key) - sig = p11.C_Sign(self.session, hamster) - self.assertIsInstance(sig, str) - p11.C_VerifyInit(self.session, CKM_ECDSA_SHA256, public_key) - p11.C_Verify(self.session, hamster, sig) + CKA_SIGN = True, CKA_VERIFY = True) - def test_gen_sign_verify_ecdsa_p256_sha256_session(self): - public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_TOKEN = False, + def test_gen_sign_verify_ecdsa_p256_sha256(self): + public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256, - CKA_SIGN = True, CKA_VERIFY = True) + CKA_SIGN = True, CKA_VERIFY = True, CKA_TOKEN = True) self.assertIsKeypair(public_key, private_key) hamster = "Your mother was a hamster" p11.C_SignInit(self.session, CKM_ECDSA_SHA256, private_key) @@ -278,7 +281,7 @@ class TestKeys(unittest.TestCase): #if not args.all_tests: self.skipTest("SHA-384 not available in current build") public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_ID = "EC-P384", CKA_EC_PARAMS = self.oid_p384, - CKA_SIGN = True, CKA_VERIFY = True) + CKA_SIGN = True, CKA_VERIFY = True, CKA_TOKEN = True) self.assertIsKeypair(public_key, private_key) hamster = "Your mother was a hamster" p11.C_SignInit(self.session, CKM_ECDSA_SHA384, private_key) 
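Review bot: The two new `assertRaises(CKR_FUNCTION_FAILED)` cases in test_keygen_token_vs_session only check that the call raises; they do not check that the refused request left no key object behind. Every call in the test uses `CKA_ID = "EC-P256"`, so a leftover object from a refused request could not be told apart from the keys the passing calls create. The `public_CKA_TOKEN = True, private_CKA_TOKEN = False` case matters most, since a public token object could persist if the library builds it before refusing the private half (not visible from here). Giving the refused requests their own id, e.g. `CKA_ID = "EC-P256-rejected"`, and asserting afterwards that a lookup by that id finds nothing would close this. CKR_FUNCTION_FAILED is also a catch-all, so until pkcs11.c returns a specific code these assertions pass for any keygen failure, which the XXX comment could say explicitly.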
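Review bot: Adding `CKA_TOKEN = True` to the P-384 call makes each run create persistent token objects instead of keys that vanish with the session. The same applies to the P-521 hunk at -291, the RSA-2048 call in the hunk at -312 and the merged P-256 test in the first hunk. No cleanup is visible in any of these hunks, so unless setUp/tearDown outside the diff destroys the objects, repeated runs would accumulate private keys with the same CKA_ID on the token, and any test that looks keys up by id could pick up a stale one. If that cleanup does not exist, register it right after generation, e.g. `self.addCleanup(p11.C_DestroyObject, self.session, private_key)` and the same for `public_key`, assuming the wrapper exposes C_DestroyObject. The test body continues outside the hunk.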
@@ -291,7 +294,7 @@ class TestKeys(unittest.TestCase): #if not args.all_tests: self.skipTest("SHA-512 not available in current build") public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_ID = "EC-P521", CKA_EC_PARAMS = self.oid_p521, - CKA_SIGN = True, CKA_VERIFY = True) + CKA_SIGN = True, CKA_VERIFY = True, CKA_TOKEN = True) self.assertIsKeypair(public_key, private_key) hamster = "Your mother was a hamster" p11.C_SignInit(self.session, CKM_ECDSA_SHA512, private_key) @@ -300,7 +303,7 @@ class TestKeys(unittest.TestCase): p11.C_VerifyInit(self.session, CKM_ECDSA_SHA512, public_key) p11.C_Verify(self.session, hamster, sig) - def test_gen_sign_verify_rsa_1024_token(self): + def test_gen_sign_verify_rsa_1024(self): public_key, private_key = p11.C_GenerateKeyPair( self.session, CKM_RSA_PKCS_KEY_PAIR_GEN, CKA_MODULUS_BITS = 1024, CKA_ID = "RSA-1024", CKA_SIGN = True, CKA_VERIFY = True, CKA_TOKEN = True) 
@@ -312,23 +315,11 @@ class TestKeys(unittest.TestCase): p11.C_VerifyInit(self.session, CKM_SHA512_RSA_PKCS, public_key) p11.C_Verify(self.session, hamster, sig) - def test_gen_sign_verify_rsa_1024_session(self): - public_key, private_key = p11.C_GenerateKeyPair( - self.session, CKM_RSA_PKCS_KEY_PAIR_GEN, CKA_MODULUS_BITS = 1024, - CKA_ID = "RSA-1024", CKA_SIGN = True, CKA_VERIFY = True, CKA_TOKEN = False) - self.assertIsKeypair(public_key, private_key) - hamster = "Your mother was a hamster" - p11.C_SignInit(self.session, CKM_SHA512_RSA_PKCS, private_key) - sig = p11.C_Sign(self.session, hamster) - self.assertIsInstance(sig, str) - p11.C_VerifyInit(self.session, CKM_SHA512_RSA_PKCS, public_key) - p11.C_Verify(self.session, hamster, sig) - def test_gen_sign_verify_rsa_2048(self): if not args.all_tests: self.skipTest("RSA key generation is still painfully slow") public_key, private_key = p11.C_GenerateKeyPair( self.session, CKM_RSA_PKCS_KEY_PAIR_GEN, CKA_MODULUS_BITS = 2048, - CKA_ID = "RSA-2048", CKA_SIGN = True, CKA_VERIFY = True) + CKA_ID = "RSA-2048", CKA_SIGN = True, CKA_VERIFY = True, CKA_TOKEN = True) self.assertIsKeypair(public_key, private_key) hamster = "Your mother was a hamster" p11.C_SignInit(self.session, CKM_SHA512_RSA_PKCS, private_key) @@ -387,6 +378,7 @@ class TestKeys(unittest.TestCase): def test_gen_sign_verify_reload_ecdsa_p256_sha256(self): public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, + public_CKA_TOKEN = False, private_CKA_TOKEN = True, CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256, CKA_SIGN = True, CKA_VERIFY = True) self.assertIsKeypair(public_key, private_key) -- cgit v1.2.3
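Review bot: Deleting test_gen_sign_verify_rsa_1024_session leaves the RSA path with no test that a session private key is refused. The refusal is now exercised only for CKM_EC_KEY_PAIR_GEN in test_keygen_token_vs_session. If the check in pkcs11.c is made per mechanism (not visible here), a regression that lets unprotected RSA private keys through would go unnoticed. Keeping the removed call as a negative case would cover it: `with self.assertRaises(CKR_FUNCTION_FAILED): p11.C_GenerateKeyPair(self.session, CKM_RSA_PKCS_KEY_PAIR_GEN, CKA_MODULUS_BITS = 1024, CKA_ID = "RSA-1024", CKA_SIGN = True, CKA_VERIFY = True, CKA_TOKEN = False)`.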
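Review bot: test_gen_sign_verify_reload_ecdsa_p256_sha256 is the only sign/verify test that sets `public_CKA_TOKEN = False, private_CKA_TOKEN = True`, while the others pass `CKA_TOKEN = True` for both halves, and nothing in the hunk says why. A short comment above the call giving the reason for the mixed template would help; if the intent is what the names suggest, something like `# public key deliberately left as a session object; the private key must be a token object`. The rest of the test lies outside the hunk, so whether the public handle is still used after the reload step cannot be checked from here.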