From 3c65415a351e32afb49dc60a04b1d309a758275b Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Tue, 7 Feb 2023 14:39:17 +0100 Subject: [PATCH 1/5] PKCS11: Tests: Add test for meta_object --- pkcs11/tests/CMakeLists.txt | 17 ++++ pkcs11/tests/meta_object_test.c | 164 ++++++++++++++++++++++++++++++++ 2 files changed, 181 insertions(+) create mode 100644 pkcs11/tests/meta_object_test.c diff --git a/pkcs11/tests/CMakeLists.txt b/pkcs11/tests/CMakeLists.txt index 967cba30..cdf2f9ef 100644 --- a/pkcs11/tests/CMakeLists.txt +++ b/pkcs11/tests/CMakeLists.txt @@ -241,6 +241,12 @@ set ( common.c ) +set ( + SOURCE_META_OBJECT + meta_object_test.c + common.c + ) + set ( SOURCE_AES_ENCRYPT aes_encrypt_test.c @@ -256,6 +262,7 @@ set ( if(NOT ${CMAKE_SYSTEM_NAME} MATCHES "Windows") add_executable (aes_encrypt_test ${SOURCE_AES_ENCRYPT}) add_executable (ecdh_derive_test ${SOURCE_ECDH_DERIVE}) +add_executable (meta_object_test ${SOURCE_META_OBJECT}) target_link_libraries( aes_encrypt_test @@ -272,11 +279,21 @@ target_link_libraries ( ${LIBCRYPTO_LDFLAGS} "-ldl") +target_link_libraries( + meta_object_test + ${LIBCRYPTO_LDFLAGS} + "-ldl") + add_test ( NAME ecdh_derive_test COMMAND ${CMAKE_CURRENT_BINARY_DIR}/ecdh_derive_test ${CMAKE_CURRENT_BINARY_DIR}/../yubihsm_pkcs11.${LIBEXT} ) +add_test ( + NAME meta_object_test + COMMAND ${CMAKE_CURRENT_BINARY_DIR}/meta_object_test ${CMAKE_CURRENT_BINARY_DIR}/../yubihsm_pkcs11.${LIBEXT} + ) + if (NOT ${LIBCRYPTO_VERSION} VERSION_LESS 1.1) add_executable (rsa_enc_test ${SOURCE_RSA_ENC_TEST}) diff --git a/pkcs11/tests/meta_object_test.c b/pkcs11/tests/meta_object_test.c new file mode 100644 index 00000000..64a3d6e2 --- /dev/null +++ b/pkcs11/tests/meta_object_test.c @@ -0,0 +1,164 @@ +// +// Created by aveen on 2023-02-02. +// +#ifdef NDEBUG +#undef NDEBUG +#endif +#include +#include +#include + +#include "../pkcs11.h" +#include "common.h" + +CK_BYTE P384_PARAMS[] = {0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22}; + +static CK_FUNCTION_LIST_PTR p11; +static CK_SESSION_HANDLE session; + +static void fail(const char *message) { printf("%s. FAIL!\n", message); } + +static void generate_keypair(CK_BYTE *curve, CK_ULONG curve_len, + CK_OBJECT_HANDLE_PTR publicKeyPtr, + CK_OBJECT_HANDLE_PTR privateKeyPtr, + char *label_public, char *label_private) { + CK_MECHANISM mechanism = {CKM_EC_KEY_PAIR_GEN, NULL_PTR, 0}; + + CK_BBOOL ck_true = CK_TRUE; + + CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY; + CK_OBJECT_CLASS privkey_class = CKO_PRIVATE_KEY; + CK_KEY_TYPE key_type = CKK_EC; + + CK_ATTRIBUTE publicKeyTemplate[] = + {{CKA_CLASS, &pubkey_class, sizeof(pubkey_class)}, + {CKA_VERIFY, &ck_true, sizeof(ck_true)}, + {CKA_KEY_TYPE, &key_type, sizeof(key_type)}, + {CKA_LABEL, label_public, strlen(label_public)}, + {CKA_EC_PARAMS, curve, curve_len}}; + + CK_ATTRIBUTE privateKeyTemplate[] = {{CKA_CLASS, &privkey_class, + sizeof(privkey_class)}, + {CKA_LABEL, label_private, + strlen(label_private)}, + {CKA_DERIVE, &ck_true, sizeof(ck_true)}}; + + if ((p11->C_GenerateKeyPair(session, &mechanism, publicKeyTemplate, 5, + privateKeyTemplate, 3, publicKeyPtr, + privateKeyPtr)) != CKR_OK) { + fail("Failed to generate EC key pair on YubiHSM"); + exit(EXIT_FAILURE); + } +} + +static void get_stored_label(CK_OBJECT_HANDLE object, char *label) { + CK_ATTRIBUTE template[] = {{CKA_LABEL, label, 255}}; + if ((p11->C_GetAttributeValue(session, object, template, 1)) != CKR_OK) { + printf("Failed C_GetAttributeValue. 0x%lx\n", object); + } +} + +static void set_label(CK_OBJECT_HANDLE object, char *new_label) { + CK_ATTRIBUTE new_label_template[] = { + {CKA_LABEL, new_label, strlen(new_label)}}; + if ((p11->C_SetAttributeValue(session, object, new_label_template, 1)) != + CKR_OK) { + fail("Failed to generate EC key pair on YubiHSM"); + exit(EXIT_FAILURE); + } +} + +static void run_label_test(CK_OBJECT_HANDLE object, char *old_label, + char *new_label) { + char label[255] = {0}; + get_stored_label(object, label); + if (strcmp(label, old_label) != 0) { + printf("Label does not match what's on the device. Expected: %s. Found: " + "%s. FAIL!\n", + old_label, label); + exit(EXIT_FAILURE); + } + set_label(object, new_label); + memset(label, 0, 255); + + get_stored_label(object, label); + if (strcmp(label, new_label) != 0) { + printf("Label does not match what's on the device. Expected: %s. Found: " + "%s. FAIL!\n", + new_label, label); + exit(EXIT_FAILURE); + } + + printf("Label changed on YubiHSM From '%s' to '%s'. OK!\n", old_label, + new_label); +} + +int main(int argc, char **argv) { + + if (argc != 2) { + fprintf(stderr, "usage: /path/to/yubihsm_pkcs11/module\n"); + exit(EXIT_FAILURE); + } + + void *handle = open_module(argv[1]); + p11 = get_function_list(handle); + session = open_session(p11); + print_session_state(p11, session); + + int exit_status = EXIT_SUCCESS; + + CK_OBJECT_HANDLE yh_pubkey, yh_privkey; + printf("Generating key pair with privateKey label 'label' and publicKey " + "label 'label'... \n"); + generate_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, &yh_privkey, + "label", "label"); + run_label_test(yh_privkey, "label", "new_label"); + run_label_test(yh_pubkey, "label", "new_label"); + destroy_object(p11, session, yh_privkey); + printf("OK!\n"); + /* + printf("Generating key pair with privateKey label 'label_private' and + publicKey label 'label_public'... \n"); generate_keypair(CURVE_PARAMS[2], + CURVE_LENS[2], &yh_pubkey, &yh_privkey, "label_public", "label_private"); + run_label_test(yh_privkey, "label_private", "new_label"); + run_label_test(yh_pubkey, "label_public", "new_label"); + destroy_object(p11, session, yh_privkey); + printf("OK!\n"); + */ + + printf("Generating key pair with privateKey label " + "'label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00' and publicKey " + "label 'label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00'... \n"); + generate_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, &yh_privkey, + "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00"); + run_label_test(yh_privkey, + "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + "new_label_0123456789012345678901234567890123456789"); + run_label_test(yh_pubkey, + "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + "new_label"); + destroy_object(p11, session, yh_privkey); + printf("OK!\n"); + + printf("Generating key pair with privateKey label " + "'label_private_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00' and " + "publicKey label " + "'label_public_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00'... \n"); + generate_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, &yh_privkey, + "label_public_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + "label_private_" + "5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00"); + run_label_test(yh_privkey, + "label_private_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + "new_nice_label_0123456789012345678901234567890123456789"); + run_label_test(yh_pubkey, + "label_public_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + "new_nice_label_0123456789012345678901234567890123456789"); + destroy_object(p11, session, yh_privkey); + printf("OK!\n"); + + close_session(p11, session); + close_module(handle); + return (exit_status); +} From 6b0811fc6cad1c65d4017a27665406b31cde3bbb Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Tue, 7 Feb 2023 15:21:12 +0100 Subject: [PATCH 2/5] PKCS11: Tests: Add license header --- pkcs11/tests/meta_object_test.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/pkcs11/tests/meta_object_test.c b/pkcs11/tests/meta_object_test.c index 64a3d6e2..c4fb53c3 100644 --- a/pkcs11/tests/meta_object_test.c +++ b/pkcs11/tests/meta_object_test.c @@ -1,6 +1,18 @@ -// -// Created by aveen on 2023-02-02. -// +/* + * Copyright 2023 Yubico AB + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ #ifdef NDEBUG #undef NDEBUG #endif From 491f552f21c7568cda92d66f681fd0032cd85240 Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Sun, 19 Mar 2023 16:36:14 +0100 Subject: [PATCH 3/5] PKCS11: MetaObject: Improve meta_object test --- pkcs11/tests/meta_object_test.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/pkcs11/tests/meta_object_test.c b/pkcs11/tests/meta_object_test.c index c4fb53c3..025ecadd 100644 --- a/pkcs11/tests/meta_object_test.c +++ b/pkcs11/tests/meta_object_test.c @@ -128,15 +128,15 @@ int main(int argc, char **argv) { run_label_test(yh_pubkey, "label", "new_label"); destroy_object(p11, session, yh_privkey); printf("OK!\n"); - /* - printf("Generating key pair with privateKey label 'label_private' and - publicKey label 'label_public'... \n"); generate_keypair(CURVE_PARAMS[2], - CURVE_LENS[2], &yh_pubkey, &yh_privkey, "label_public", "label_private"); - run_label_test(yh_privkey, "label_private", "new_label"); - run_label_test(yh_pubkey, "label_public", "new_label"); - destroy_object(p11, session, yh_privkey); - printf("OK!\n"); - */ + + printf("Generating key pair with privateKey label 'label_private' and " + "publicKey label 'label_public'... \n"); + generate_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, &yh_privkey, + "label_public", "label_private"); + run_label_test(yh_privkey, "label_private", "new_label"); + run_label_test(yh_pubkey, "label_public", "new_label"); + destroy_object(p11, session, yh_privkey); + printf("OK!\n"); printf("Generating key pair with privateKey label " "'label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00' and publicKey " From 6db2216abf19e2f3c531dd3e7d4b9a9331bdeed6 Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Tue, 21 Mar 2023 17:49:19 +0100 Subject: [PATCH 4/5] PKCS11: MetaObject: Improve meta_object test --- pkcs11/tests/meta_object_test.c | 274 +++++++++++++++++++++++++++----- 1 file changed, 231 insertions(+), 43 deletions(-) diff --git a/pkcs11/tests/meta_object_test.c b/pkcs11/tests/meta_object_test.c index 025ecadd..7039aa5c 100644 --- a/pkcs11/tests/meta_object_test.c +++ b/pkcs11/tests/meta_object_test.c @@ -16,24 +16,42 @@ #ifdef NDEBUG #undef NDEBUG #endif +#include #include #include #include +#include #include "../pkcs11.h" #include "common.h" CK_BYTE P384_PARAMS[] = {0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22}; +CK_BYTE KEYID[2] = {0x64, 0x64}; static CK_FUNCTION_LIST_PTR p11; static CK_SESSION_HANDLE session; static void fail(const char *message) { printf("%s. FAIL!\n", message); } -static void generate_keypair(CK_BYTE *curve, CK_ULONG curve_len, - CK_OBJECT_HANDLE_PTR publicKeyPtr, - CK_OBJECT_HANDLE_PTR privateKeyPtr, - char *label_public, char *label_private) { +static void print_byte_array_no_new_line(const char *tag, uint8_t *data, + uint16_t data_len) { + printf("%s: ", tag); + for (uint16_t i = 0; i < data_len; i++) { + printf("%x ", data[i]); + } +} + +static void print_byte_array(const char *tag, uint8_t *data, + uint16_t data_len) { + print_byte_array_no_new_line(tag, data, data_len); + printf("\n"); +} + +static void generate_ec_keypair( + CK_BYTE *curve, CK_ULONG curve_len, CK_OBJECT_HANDLE_PTR publicKeyPtr, + CK_OBJECT_HANDLE_PTR privateKeyPtr, CK_BYTE *ckaid_public, + CK_ULONG ckaid_public_len, CK_BYTE *ckaid_private, CK_ULONG ckaid_private_len, + char *label_public, char *label_private) { CK_MECHANISM mechanism = {CKM_EC_KEY_PAIR_GEN, NULL_PTR, 0}; CK_BBOOL ck_true = CK_TRUE; @@ -43,43 +61,138 @@ static void generate_keypair(CK_BYTE *curve, CK_ULONG curve_len, CK_KEY_TYPE key_type = CKK_EC; CK_ATTRIBUTE publicKeyTemplate[] = - {{CKA_CLASS, &pubkey_class, sizeof(pubkey_class)}, + {{CKA_ID, ckaid_public, ckaid_public_len}, + {CKA_CLASS, &pubkey_class, sizeof(pubkey_class)}, {CKA_VERIFY, &ck_true, sizeof(ck_true)}, {CKA_KEY_TYPE, &key_type, sizeof(key_type)}, {CKA_LABEL, label_public, strlen(label_public)}, {CKA_EC_PARAMS, curve, curve_len}}; - CK_ATTRIBUTE privateKeyTemplate[] = {{CKA_CLASS, &privkey_class, - sizeof(privkey_class)}, - {CKA_LABEL, label_private, - strlen(label_private)}, - {CKA_DERIVE, &ck_true, sizeof(ck_true)}}; + CK_ATTRIBUTE privateKeyTemplate[] = + {{CKA_ID, ckaid_private, ckaid_private_len}, + {CKA_CLASS, &privkey_class, sizeof(privkey_class)}, + {CKA_LABEL, label_private, strlen(label_private)}, + {CKA_DERIVE, &ck_true, sizeof(ck_true)}}; - if ((p11->C_GenerateKeyPair(session, &mechanism, publicKeyTemplate, 5, - privateKeyTemplate, 3, publicKeyPtr, + if ((p11->C_GenerateKeyPair(session, &mechanism, publicKeyTemplate, 6, + privateKeyTemplate, 4, publicKeyPtr, privateKeyPtr)) != CKR_OK) { fail("Failed to generate EC key pair on YubiHSM"); exit(EXIT_FAILURE); } } +static void generate_rsa_keypair( + CK_OBJECT_HANDLE_PTR publicKeyPtr, CK_OBJECT_HANDLE_PTR privateKeyPtr, + CK_BYTE *ckaid_public, CK_ULONG ckaid_public_len, CK_BYTE *ckaid_private, + CK_ULONG ckaid_private_len, char *label_public, char *label_private) { + CK_MECHANISM mechanism = {CKM_RSA_PKCS_KEY_PAIR_GEN, NULL, 0}; + + CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY; + CK_OBJECT_CLASS privkey_class = CKO_PRIVATE_KEY; + CK_KEY_TYPE key_type = CKK_RSA; + CK_BYTE e[] = {0x01, 0x00, 0x01}; + CK_ULONG key_size = 2048; + + CK_ATTRIBUTE publicKeyTemplate[] = + {{CKA_ID, ckaid_public, ckaid_public_len}, + {CKA_LABEL, label_public, strlen(label_public)}, + {CKA_CLASS, &pubkey_class, sizeof(pubkey_class)}, + {CKA_MODULUS_BITS, &key_size, sizeof(key_size)}, + {CKA_PUBLIC_EXPONENT, e, sizeof(e)}}; + + CK_ATTRIBUTE privateKeyTemplate[] = + {{CKA_ID, ckaid_private, ckaid_private_len}, + {CKA_LABEL, label_private, strlen(label_private)}, + {CKA_CLASS, &privkey_class, sizeof(privkey_class)}, + {CKA_KEY_TYPE, &key_type, sizeof(key_type)}}; + + if ((p11->C_GenerateKeyPair(session, &mechanism, publicKeyTemplate, 5, + privateKeyTemplate, 4, publicKeyPtr, + privateKeyPtr)) != CKR_OK) { + fail("Failed to generate RSA key pair on YubiHSM"); + exit(EXIT_FAILURE); + } +} + +static void generate_hmac_key(CK_OBJECT_HANDLE_PTR key_handle, CK_BYTE *ckaid, + CK_ULONG ckaid_len, char *label) { + CK_MECHANISM mechanism = {CKM_GENERIC_SECRET_KEY_GEN, NULL, 0}; + + CK_OBJECT_CLASS class = CKO_SECRET_KEY; + CK_KEY_TYPE key_type = CKK_SHA_1_HMAC; + + CK_ATTRIBUTE keyTemplate[] = {{CKA_ID, ckaid, ckaid_len}, + {CKA_LABEL, label, strlen(label)}, + {CKA_CLASS, &class, sizeof(class)}, + {CKA_KEY_TYPE, &key_type, sizeof(key_type)}}; + + if ((p11->C_GenerateKey(session, &mechanism, keyTemplate, 4, key_handle)) != + CKR_OK) { + fail("Failed to generate HMAC key on YubiHSM"); + exit(EXIT_FAILURE); + } +} + +static void get_stored_id(CK_OBJECT_HANDLE object, uint8_t *id) { + CK_ATTRIBUTE template[] = {{CKA_ID, id, 255}}; + if ((p11->C_GetAttributeValue(session, object, template, 1)) != CKR_OK) { + printf("Failed C_GetAttributeValue CKA_ID. 0x%lx\n", object); + } +} + static void get_stored_label(CK_OBJECT_HANDLE object, char *label) { CK_ATTRIBUTE template[] = {{CKA_LABEL, label, 255}}; if ((p11->C_GetAttributeValue(session, object, template, 1)) != CKR_OK) { - printf("Failed C_GetAttributeValue. 0x%lx\n", object); + printf("Failed C_GetAttributeValue CKA_LABEL. 0x%lx\n", object); + } +} + +static void set_id(CK_OBJECT_HANDLE object, uint8_t *new_id, + uint16_t new_id_len) { + CK_ATTRIBUTE template[] = {{CKA_ID, new_id, new_id_len}}; + if ((p11->C_SetAttributeValue(session, object, template, 1)) != CKR_OK) { + fail("Failed to set CKA_ID attribute"); + exit(EXIT_FAILURE); } } static void set_label(CK_OBJECT_HANDLE object, char *new_label) { - CK_ATTRIBUTE new_label_template[] = { - {CKA_LABEL, new_label, strlen(new_label)}}; - if ((p11->C_SetAttributeValue(session, object, new_label_template, 1)) != - CKR_OK) { - fail("Failed to generate EC key pair on YubiHSM"); + CK_ATTRIBUTE template[] = {{CKA_LABEL, new_label, strlen(new_label)}}; + if ((p11->C_SetAttributeValue(session, object, template, 1)) != CKR_OK) { + fail("Failed to set CKA_LABEL attribute"); exit(EXIT_FAILURE); } } +static void run_id_test(CK_OBJECT_HANDLE object, uint8_t *old_id, + uint16_t old_id_len, uint8_t *new_id, + uint16_t new_id_len) { + uint8_t id[255] = {0}; + get_stored_id(object, id); + if (memcmp(id, old_id, old_id_len) != 0) { + printf("ID does not match what's on the device.FAIL!\n"); + print_byte_array("Expected CKA_ID", old_id, old_id_len); + print_byte_array("Found CKA_ID", id, sizeof(id)); + exit(EXIT_FAILURE); + } + set_id(object, new_id, new_id_len); + memset(id, 0, 255); + + get_stored_id(object, id); + if (memcmp(id, new_id, new_id_len) != 0) { + printf("ID does not match what's on the device. FAIL!\n"); + print_byte_array("Expected CKA_ID", new_id, new_id_len); + print_byte_array("Found CKA_ID", id, sizeof(id)); + exit(EXIT_FAILURE); + } + + printf("ID changed on YubiHSM. "); + print_byte_array_no_new_line("Old CKA_ID", old_id, old_id_len); + print_byte_array_no_new_line(". New CKA_ID", new_id, new_id_len); + printf(". OK!\n"); +} + static void run_label_test(CK_OBJECT_HANDLE object, char *old_label, char *new_label) { char label[255] = {0}; @@ -105,51 +218,69 @@ static void run_label_test(CK_OBJECT_HANDLE object, char *old_label, new_label); } -int main(int argc, char **argv) { - - if (argc != 2) { - fprintf(stderr, "usage: /path/to/yubihsm_pkcs11/module\n"); +static void test_keypair_metadata(int is_rsa) { + CK_BYTE data[64] = {0}; + CK_ULONG data_len = sizeof(data); + if (RAND_bytes(data, data_len) <= 0) exit(EXIT_FAILURE); - } - - void *handle = open_module(argv[1]); - p11 = get_function_list(handle); - session = open_session(p11); - print_session_state(p11, session); - - int exit_status = EXIT_SUCCESS; CK_OBJECT_HANDLE yh_pubkey, yh_privkey; printf("Generating key pair with privateKey label 'label' and publicKey " "label 'label'... \n"); - generate_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, &yh_privkey, - "label", "label"); + if (is_rsa) { + generate_rsa_keypair(&yh_pubkey, &yh_privkey, KEYID, sizeof(KEYID), KEYID, + sizeof(KEYID), "label", "label"); + } else { + generate_ec_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, + &yh_privkey, KEYID, sizeof(KEYID), KEYID, sizeof(KEYID), + "label", "label"); + } run_label_test(yh_privkey, "label", "new_label"); run_label_test(yh_pubkey, "label", "new_label"); + run_id_test(yh_privkey, KEYID, sizeof(KEYID), data, 32); + run_id_test(yh_pubkey, KEYID, sizeof(KEYID), data, 32); destroy_object(p11, session, yh_privkey); printf("OK!\n"); printf("Generating key pair with privateKey label 'label_private' and " - "publicKey label 'label_public'... \n"); - generate_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, &yh_privkey, - "label_public", "label_private"); + "publicKey label 'label_public' and different CKA_ID of size 2... \n"); + if (is_rsa) { + generate_rsa_keypair(&yh_pubkey, &yh_privkey, KEYID, sizeof(KEYID), data, + sizeof(KEYID), "label_public", "label_private"); + } else { + generate_ec_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, + &yh_privkey, KEYID, sizeof(KEYID), data, sizeof(KEYID), + "label_public", "label_private"); + } run_label_test(yh_privkey, "label_private", "new_label"); run_label_test(yh_pubkey, "label_public", "new_label"); + run_id_test(yh_privkey, data, sizeof(KEYID), data + 10, sizeof(KEYID)); + run_id_test(yh_pubkey, KEYID, sizeof(KEYID), data + 6, sizeof(KEYID)); destroy_object(p11, session, yh_privkey); printf("OK!\n"); printf("Generating key pair with privateKey label " "'label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00' and publicKey " - "label 'label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00'... \n"); - generate_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, &yh_privkey, - "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", - "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00"); + "label 'label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00' and " + "similar 32 bytes CKA_ID... \n"); + if (is_rsa) { + generate_rsa_keypair(&yh_pubkey, &yh_privkey, data, 32, data + 32, 32, + "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00"); + } else { + generate_ec_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, + &yh_privkey, data, 32, data + 32, 32, + "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00"); + } run_label_test(yh_privkey, "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", "new_label_0123456789012345678901234567890123456789"); run_label_test(yh_pubkey, "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", "new_label"); + run_id_test(yh_privkey, data + 32, 32, data, 32); + run_id_test(yh_pubkey, data, 32, data + 6, sizeof(KEYID)); destroy_object(p11, session, yh_privkey); printf("OK!\n"); @@ -157,10 +288,21 @@ int main(int argc, char **argv) { "'label_private_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00' and " "publicKey label " "'label_public_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00'... \n"); - generate_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, &yh_privkey, - "label_public_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", - "label_private_" - "5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00"); + if (is_rsa) { + generate_rsa_keypair(&yh_pubkey, &yh_privkey, KEYID, sizeof(KEYID), KEYID, + sizeof(KEYID), + "label_public_" + "5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + "label_private_" + "5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00"); + } else { + generate_ec_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, + &yh_privkey, KEYID, sizeof(KEYID), KEYID, sizeof(KEYID), + "label_public_" + "5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + "label_private_" + "5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00"); + } run_label_test(yh_privkey, "label_private_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", "new_nice_label_0123456789012345678901234567890123456789"); @@ -169,6 +311,52 @@ int main(int argc, char **argv) { "new_nice_label_0123456789012345678901234567890123456789"); destroy_object(p11, session, yh_privkey); printf("OK!\n"); +} + +static void test_secretkey_metadata() { + CK_BYTE data[64] = {0}; + CK_ULONG data_len = sizeof(data); + if (RAND_bytes(data, data_len) <= 0) + exit(EXIT_FAILURE); + + CK_OBJECT_HANDLE yh_key; + + printf("Generating HMAC key with label 'label' and default CKA_ID... \n"); + generate_hmac_key(&yh_key, KEYID, sizeof(KEYID), "label"); + run_label_test(yh_key, "label", "new_label"); + run_id_test(yh_key, KEYID, sizeof(KEYID), data, 32); + destroy_object(p11, session, yh_key); + printf("OK!\n"); + + printf("Generating HMAC key with label " + "'label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00' and a 32 bytes " + "CKA_ID... \n"); + generate_hmac_key(&yh_key, data, 32, + "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00"); + run_label_test(yh_key, "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + "new_label_0123456789012345678901234567890123456789"); + run_id_test(yh_key, data, 32, data + 6, sizeof(KEYID)); + destroy_object(p11, session, yh_key); + printf("OK!\n"); +} + +int main(int argc, char **argv) { + + if (argc != 2) { + fprintf(stderr, "usage: /path/to/yubihsm_pkcs11/module\n"); + exit(EXIT_FAILURE); + } + + void *handle = open_module(argv[1]); + p11 = get_function_list(handle); + session = open_session(p11); + print_session_state(p11, session); + + int exit_status = EXIT_SUCCESS; + + test_keypair_metadata(0); + test_keypair_metadata(1); + test_secretkey_metadata(); close_session(p11, session); close_module(handle); From 01f08e8d62aedecb103196f0212fa8f0b2bce543 Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Tue, 21 Mar 2023 18:04:53 +0100 Subject: [PATCH 5/5] PKCS11: MetaObject: Fix function declaration --- pkcs11/tests/meta_object_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkcs11/tests/meta_object_test.c b/pkcs11/tests/meta_object_test.c index 7039aa5c..02a8c0e5 100644 --- a/pkcs11/tests/meta_object_test.c +++ b/pkcs11/tests/meta_object_test.c @@ -313,7 +313,7 @@ static void test_keypair_metadata(int is_rsa) { printf("OK!\n"); } -static void test_secretkey_metadata() { +static void test_secretkey_metadata(void) { CK_BYTE data[64] = {0}; CK_ULONG data_len = sizeof(data); if (RAND_bytes(data, data_len) <= 0)