From 68d2f20cda53463222f70290fda2b8d2a17fef6b Mon Sep 17 00:00:00 2001
From: Rob Austein <sra@hactrn.net>
Date: Fri, 10 Jun 2016 23:48:01 -0400
Subject: Support split keypairs, where private key is a token object and
 public key is a session object.  Doesn't actually save us anything, but Jakob
 tells us that this makes a difference on some HSMs so we people use this kind
 of setup and we need to support it.

Explicitly disallow private keys as session objects, since we have no
way to protect them.  Update unit-tests now that we return the correct
error code for this case.
---
 unit_tests.py | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)

(limited to 'unit_tests.py')

diff --git a/unit_tests.py b/unit_tests.py
index 4d09b6a..e218b42 100644
--- a/unit_tests.py
+++ b/unit_tests.py
@@ -234,18 +234,7 @@ class TestKeys(unittest.TestCase):
 
     def test_keygen_token_vs_session(self):
 
-        # XXX pkcs11.c currently generates the wrong error code if the
-        #     user tries to generate a keypair with the private key as
-        #     a session object.  Refusing to allow this is deliberate
-        #     (we have no way to protect such private keys), but
-        #     returning CKR_FUNCTION_FAILED is wrong.  Fixing this
-        #     will require minor work in pkcs11.c and perhaps in libhal.
-        #
-        #     For the moment, I'm just testing for the (known) wrong
-        #     exception while I make sure that the library is in fact
-        #     behaving as I expect it to behave.
-
-        with self.assertRaises(CKR_FUNCTION_FAILED):
+        with self.assertRaises(CKR_TEMPLATE_INCONSISTENT):
             p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_TOKEN = False,
                                   CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256,
                                   CKA_SIGN = True, CKA_VERIFY = True)
@@ -261,7 +250,7 @@ class TestKeys(unittest.TestCase):
                                   CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256,
                                   CKA_SIGN = True, CKA_VERIFY = True))
 
-        with self.assertRaises(CKR_FUNCTION_FAILED):
+        with self.assertRaises(CKR_TEMPLATE_INCONSISTENT):
             p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN,
                                   public_CKA_TOKEN = True, private_CKA_TOKEN = False,
                                   CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256,
-- 
cgit v1.2.3