From 33e8a7ba4b4728b694ed564090a1d3a5263862d4 Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Tue, 7 Feb 2023 14:39:17 +0100 Subject: [PATCH 01/18] PKCS11: Tests: Add test for meta_object --- pkcs11/tests/CMakeLists.txt | 17 ++++ pkcs11/tests/meta_object_test.c | 164 ++++++++++++++++++++++++++++++++ 2 files changed, 181 insertions(+) create mode 100644 pkcs11/tests/meta_object_test.c diff --git a/pkcs11/tests/CMakeLists.txt b/pkcs11/tests/CMakeLists.txt index 967cba30..cdf2f9ef 100644 --- a/pkcs11/tests/CMakeLists.txt +++ b/pkcs11/tests/CMakeLists.txt @@ -241,6 +241,12 @@ set ( common.c ) +set ( + SOURCE_META_OBJECT + meta_object_test.c + common.c + ) + set ( SOURCE_AES_ENCRYPT aes_encrypt_test.c @@ -256,6 +262,7 @@ set ( if(NOT ${CMAKE_SYSTEM_NAME} MATCHES "Windows") add_executable (aes_encrypt_test ${SOURCE_AES_ENCRYPT}) add_executable (ecdh_derive_test ${SOURCE_ECDH_DERIVE}) +add_executable (meta_object_test ${SOURCE_META_OBJECT}) target_link_libraries( aes_encrypt_test @@ -272,11 +279,21 @@ target_link_libraries ( ${LIBCRYPTO_LDFLAGS} "-ldl") +target_link_libraries( + meta_object_test + ${LIBCRYPTO_LDFLAGS} + "-ldl") + add_test ( NAME ecdh_derive_test COMMAND ${CMAKE_CURRENT_BINARY_DIR}/ecdh_derive_test ${CMAKE_CURRENT_BINARY_DIR}/../yubihsm_pkcs11.${LIBEXT} ) +add_test ( + NAME meta_object_test + COMMAND ${CMAKE_CURRENT_BINARY_DIR}/meta_object_test ${CMAKE_CURRENT_BINARY_DIR}/../yubihsm_pkcs11.${LIBEXT} + ) + if (NOT ${LIBCRYPTO_VERSION} VERSION_LESS 1.1) add_executable (rsa_enc_test ${SOURCE_RSA_ENC_TEST}) diff --git a/pkcs11/tests/meta_object_test.c b/pkcs11/tests/meta_object_test.c new file mode 100644 index 00000000..64a3d6e2 --- /dev/null +++ b/pkcs11/tests/meta_object_test.c @@ -0,0 +1,164 @@ +// +// Created by aveen on 2023-02-02. +// +#ifdef NDEBUG +#undef NDEBUG +#endif +#include +#include +#include + +#include "../pkcs11.h" +#include "common.h" + +CK_BYTE P384_PARAMS[] = {0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22}; + +static CK_FUNCTION_LIST_PTR p11; +static CK_SESSION_HANDLE session; + +static void fail(const char *message) { printf("%s. FAIL!\n", message); } + +static void generate_keypair(CK_BYTE *curve, CK_ULONG curve_len, + CK_OBJECT_HANDLE_PTR publicKeyPtr, + CK_OBJECT_HANDLE_PTR privateKeyPtr, + char *label_public, char *label_private) { + CK_MECHANISM mechanism = {CKM_EC_KEY_PAIR_GEN, NULL_PTR, 0}; + + CK_BBOOL ck_true = CK_TRUE; + + CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY; + CK_OBJECT_CLASS privkey_class = CKO_PRIVATE_KEY; + CK_KEY_TYPE key_type = CKK_EC; + + CK_ATTRIBUTE publicKeyTemplate[] = + {{CKA_CLASS, &pubkey_class, sizeof(pubkey_class)}, + {CKA_VERIFY, &ck_true, sizeof(ck_true)}, + {CKA_KEY_TYPE, &key_type, sizeof(key_type)}, + {CKA_LABEL, label_public, strlen(label_public)}, + {CKA_EC_PARAMS, curve, curve_len}}; + + CK_ATTRIBUTE privateKeyTemplate[] = {{CKA_CLASS, &privkey_class, + sizeof(privkey_class)}, + {CKA_LABEL, label_private, + strlen(label_private)}, + {CKA_DERIVE, &ck_true, sizeof(ck_true)}}; + + if ((p11->C_GenerateKeyPair(session, &mechanism, publicKeyTemplate, 5, + privateKeyTemplate, 3, publicKeyPtr, + privateKeyPtr)) != CKR_OK) { + fail("Failed to generate EC key pair on YubiHSM"); + exit(EXIT_FAILURE); + } +} + +static void get_stored_label(CK_OBJECT_HANDLE object, char *label) { + CK_ATTRIBUTE template[] = {{CKA_LABEL, label, 255}}; + if ((p11->C_GetAttributeValue(session, object, template, 1)) != CKR_OK) { + printf("Failed C_GetAttributeValue. 0x%lx\n", object); + } +} + +static void set_label(CK_OBJECT_HANDLE object, char *new_label) { + CK_ATTRIBUTE new_label_template[] = { + {CKA_LABEL, new_label, strlen(new_label)}}; + if ((p11->C_SetAttributeValue(session, object, new_label_template, 1)) != + CKR_OK) { + fail("Failed to generate EC key pair on YubiHSM"); + exit(EXIT_FAILURE); + } +} + +static void run_label_test(CK_OBJECT_HANDLE object, char *old_label, + char *new_label) { + char label[255] = {0}; + get_stored_label(object, label); + if (strcmp(label, old_label) != 0) { + printf("Label does not match what's on the device. Expected: %s. Found: " + "%s. FAIL!\n", + old_label, label); + exit(EXIT_FAILURE); + } + set_label(object, new_label); + memset(label, 0, 255); + + get_stored_label(object, label); + if (strcmp(label, new_label) != 0) { + printf("Label does not match what's on the device. Expected: %s. Found: " + "%s. FAIL!\n", + new_label, label); + exit(EXIT_FAILURE); + } + + printf("Label changed on YubiHSM From '%s' to '%s'. OK!\n", old_label, + new_label); +} + +int main(int argc, char **argv) { + + if (argc != 2) { + fprintf(stderr, "usage: /path/to/yubihsm_pkcs11/module\n"); + exit(EXIT_FAILURE); + } + + void *handle = open_module(argv[1]); + p11 = get_function_list(handle); + session = open_session(p11); + print_session_state(p11, session); + + int exit_status = EXIT_SUCCESS; + + CK_OBJECT_HANDLE yh_pubkey, yh_privkey; + printf("Generating key pair with privateKey label 'label' and publicKey " + "label 'label'... \n"); + generate_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, &yh_privkey, + "label", "label"); + run_label_test(yh_privkey, "label", "new_label"); + run_label_test(yh_pubkey, "label", "new_label"); + destroy_object(p11, session, yh_privkey); + printf("OK!\n"); + /* + printf("Generating key pair with privateKey label 'label_private' and + publicKey label 'label_public'... \n"); generate_keypair(CURVE_PARAMS[2], + CURVE_LENS[2], &yh_pubkey, &yh_privkey, "label_public", "label_private"); + run_label_test(yh_privkey, "label_private", "new_label"); + run_label_test(yh_pubkey, "label_public", "new_label"); + destroy_object(p11, session, yh_privkey); + printf("OK!\n"); + */ + + printf("Generating key pair with privateKey label " + "'label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00' and publicKey " + "label 'label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00'... \n"); + generate_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, &yh_privkey, + "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00"); + run_label_test(yh_privkey, + "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + "new_label_0123456789012345678901234567890123456789"); + run_label_test(yh_pubkey, + "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + "new_label"); + destroy_object(p11, session, yh_privkey); + printf("OK!\n"); + + printf("Generating key pair with privateKey label " + "'label_private_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00' and " + "publicKey label " + "'label_public_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00'... \n"); + generate_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, &yh_privkey, + "label_public_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + "label_private_" + "5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00"); + run_label_test(yh_privkey, + "label_private_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + "new_nice_label_0123456789012345678901234567890123456789"); + run_label_test(yh_pubkey, + "label_public_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + "new_nice_label_0123456789012345678901234567890123456789"); + destroy_object(p11, session, yh_privkey); + printf("OK!\n"); + + close_session(p11, session); + close_module(handle); + return (exit_status); +} From 4f3d990e076c453097b4ca53db211027f2ac6ec3 Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Tue, 7 Feb 2023 15:21:12 +0100 Subject: [PATCH 02/18] PKCS11: Tests: Add license header --- pkcs11/tests/meta_object_test.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/pkcs11/tests/meta_object_test.c b/pkcs11/tests/meta_object_test.c index 64a3d6e2..c4fb53c3 100644 --- a/pkcs11/tests/meta_object_test.c +++ b/pkcs11/tests/meta_object_test.c @@ -1,6 +1,18 @@ -// -// Created by aveen on 2023-02-02. -// +/* + * Copyright 2023 Yubico AB + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ #ifdef NDEBUG #undef NDEBUG #endif From 93513a662574ebe02ee0c1d246b98ce8e5262c4c Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Sun, 19 Mar 2023 16:36:14 +0100 Subject: [PATCH 03/18] PKCS11: MetaObject: Improve meta_object test --- pkcs11/tests/meta_object_test.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/pkcs11/tests/meta_object_test.c b/pkcs11/tests/meta_object_test.c index c4fb53c3..025ecadd 100644 --- a/pkcs11/tests/meta_object_test.c +++ b/pkcs11/tests/meta_object_test.c @@ -128,15 +128,15 @@ int main(int argc, char **argv) { run_label_test(yh_pubkey, "label", "new_label"); destroy_object(p11, session, yh_privkey); printf("OK!\n"); - /* - printf("Generating key pair with privateKey label 'label_private' and - publicKey label 'label_public'... \n"); generate_keypair(CURVE_PARAMS[2], - CURVE_LENS[2], &yh_pubkey, &yh_privkey, "label_public", "label_private"); - run_label_test(yh_privkey, "label_private", "new_label"); - run_label_test(yh_pubkey, "label_public", "new_label"); - destroy_object(p11, session, yh_privkey); - printf("OK!\n"); - */ + + printf("Generating key pair with privateKey label 'label_private' and " + "publicKey label 'label_public'... \n"); + generate_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, &yh_privkey, + "label_public", "label_private"); + run_label_test(yh_privkey, "label_private", "new_label"); + run_label_test(yh_pubkey, "label_public", "new_label"); + destroy_object(p11, session, yh_privkey); + printf("OK!\n"); printf("Generating key pair with privateKey label " "'label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00' and publicKey " From 39468f3b30a6e849a1d5b91b3773a140df3044f2 Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Tue, 21 Mar 2023 17:49:19 +0100 Subject: [PATCH 04/18] PKCS11: MetaObject: Improve meta_object test --- pkcs11/tests/meta_object_test.c | 274 +++++++++++++++++++++++++++----- 1 file changed, 231 insertions(+), 43 deletions(-) diff --git a/pkcs11/tests/meta_object_test.c b/pkcs11/tests/meta_object_test.c index 025ecadd..7039aa5c 100644 --- a/pkcs11/tests/meta_object_test.c +++ b/pkcs11/tests/meta_object_test.c @@ -16,24 +16,42 @@ #ifdef NDEBUG #undef NDEBUG #endif +#include #include #include #include +#include #include "../pkcs11.h" #include "common.h" CK_BYTE P384_PARAMS[] = {0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22}; +CK_BYTE KEYID[2] = {0x64, 0x64}; static CK_FUNCTION_LIST_PTR p11; static CK_SESSION_HANDLE session; static void fail(const char *message) { printf("%s. FAIL!\n", message); } -static void generate_keypair(CK_BYTE *curve, CK_ULONG curve_len, - CK_OBJECT_HANDLE_PTR publicKeyPtr, - CK_OBJECT_HANDLE_PTR privateKeyPtr, - char *label_public, char *label_private) { +static void print_byte_array_no_new_line(const char *tag, uint8_t *data, + uint16_t data_len) { + printf("%s: ", tag); + for (uint16_t i = 0; i < data_len; i++) { + printf("%x ", data[i]); + } +} + +static void print_byte_array(const char *tag, uint8_t *data, + uint16_t data_len) { + print_byte_array_no_new_line(tag, data, data_len); + printf("\n"); +} + +static void generate_ec_keypair( + CK_BYTE *curve, CK_ULONG curve_len, CK_OBJECT_HANDLE_PTR publicKeyPtr, + CK_OBJECT_HANDLE_PTR privateKeyPtr, CK_BYTE *ckaid_public, + CK_ULONG ckaid_public_len, CK_BYTE *ckaid_private, CK_ULONG ckaid_private_len, + char *label_public, char *label_private) { CK_MECHANISM mechanism = {CKM_EC_KEY_PAIR_GEN, NULL_PTR, 0}; CK_BBOOL ck_true = CK_TRUE; @@ -43,43 +61,138 @@ static void generate_keypair(CK_BYTE *curve, CK_ULONG curve_len, CK_KEY_TYPE key_type = CKK_EC; CK_ATTRIBUTE publicKeyTemplate[] = - {{CKA_CLASS, &pubkey_class, sizeof(pubkey_class)}, + {{CKA_ID, ckaid_public, ckaid_public_len}, + {CKA_CLASS, &pubkey_class, sizeof(pubkey_class)}, {CKA_VERIFY, &ck_true, sizeof(ck_true)}, {CKA_KEY_TYPE, &key_type, sizeof(key_type)}, {CKA_LABEL, label_public, strlen(label_public)}, {CKA_EC_PARAMS, curve, curve_len}}; - CK_ATTRIBUTE privateKeyTemplate[] = {{CKA_CLASS, &privkey_class, - sizeof(privkey_class)}, - {CKA_LABEL, label_private, - strlen(label_private)}, - {CKA_DERIVE, &ck_true, sizeof(ck_true)}}; + CK_ATTRIBUTE privateKeyTemplate[] = + {{CKA_ID, ckaid_private, ckaid_private_len}, + {CKA_CLASS, &privkey_class, sizeof(privkey_class)}, + {CKA_LABEL, label_private, strlen(label_private)}, + {CKA_DERIVE, &ck_true, sizeof(ck_true)}}; - if ((p11->C_GenerateKeyPair(session, &mechanism, publicKeyTemplate, 5, - privateKeyTemplate, 3, publicKeyPtr, + if ((p11->C_GenerateKeyPair(session, &mechanism, publicKeyTemplate, 6, + privateKeyTemplate, 4, publicKeyPtr, privateKeyPtr)) != CKR_OK) { fail("Failed to generate EC key pair on YubiHSM"); exit(EXIT_FAILURE); } } +static void generate_rsa_keypair( + CK_OBJECT_HANDLE_PTR publicKeyPtr, CK_OBJECT_HANDLE_PTR privateKeyPtr, + CK_BYTE *ckaid_public, CK_ULONG ckaid_public_len, CK_BYTE *ckaid_private, + CK_ULONG ckaid_private_len, char *label_public, char *label_private) { + CK_MECHANISM mechanism = {CKM_RSA_PKCS_KEY_PAIR_GEN, NULL, 0}; + + CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY; + CK_OBJECT_CLASS privkey_class = CKO_PRIVATE_KEY; + CK_KEY_TYPE key_type = CKK_RSA; + CK_BYTE e[] = {0x01, 0x00, 0x01}; + CK_ULONG key_size = 2048; + + CK_ATTRIBUTE publicKeyTemplate[] = + {{CKA_ID, ckaid_public, ckaid_public_len}, + {CKA_LABEL, label_public, strlen(label_public)}, + {CKA_CLASS, &pubkey_class, sizeof(pubkey_class)}, + {CKA_MODULUS_BITS, &key_size, sizeof(key_size)}, + {CKA_PUBLIC_EXPONENT, e, sizeof(e)}}; + + CK_ATTRIBUTE privateKeyTemplate[] = + {{CKA_ID, ckaid_private, ckaid_private_len}, + {CKA_LABEL, label_private, strlen(label_private)}, + {CKA_CLASS, &privkey_class, sizeof(privkey_class)}, + {CKA_KEY_TYPE, &key_type, sizeof(key_type)}}; + + if ((p11->C_GenerateKeyPair(session, &mechanism, publicKeyTemplate, 5, + privateKeyTemplate, 4, publicKeyPtr, + privateKeyPtr)) != CKR_OK) { + fail("Failed to generate RSA key pair on YubiHSM"); + exit(EXIT_FAILURE); + } +} + +static void generate_hmac_key(CK_OBJECT_HANDLE_PTR key_handle, CK_BYTE *ckaid, + CK_ULONG ckaid_len, char *label) { + CK_MECHANISM mechanism = {CKM_GENERIC_SECRET_KEY_GEN, NULL, 0}; + + CK_OBJECT_CLASS class = CKO_SECRET_KEY; + CK_KEY_TYPE key_type = CKK_SHA_1_HMAC; + + CK_ATTRIBUTE keyTemplate[] = {{CKA_ID, ckaid, ckaid_len}, + {CKA_LABEL, label, strlen(label)}, + {CKA_CLASS, &class, sizeof(class)}, + {CKA_KEY_TYPE, &key_type, sizeof(key_type)}}; + + if ((p11->C_GenerateKey(session, &mechanism, keyTemplate, 4, key_handle)) != + CKR_OK) { + fail("Failed to generate HMAC key on YubiHSM"); + exit(EXIT_FAILURE); + } +} + +static void get_stored_id(CK_OBJECT_HANDLE object, uint8_t *id) { + CK_ATTRIBUTE template[] = {{CKA_ID, id, 255}}; + if ((p11->C_GetAttributeValue(session, object, template, 1)) != CKR_OK) { + printf("Failed C_GetAttributeValue CKA_ID. 0x%lx\n", object); + } +} + static void get_stored_label(CK_OBJECT_HANDLE object, char *label) { CK_ATTRIBUTE template[] = {{CKA_LABEL, label, 255}}; if ((p11->C_GetAttributeValue(session, object, template, 1)) != CKR_OK) { - printf("Failed C_GetAttributeValue. 0x%lx\n", object); + printf("Failed C_GetAttributeValue CKA_LABEL. 0x%lx\n", object); + } +} + +static void set_id(CK_OBJECT_HANDLE object, uint8_t *new_id, + uint16_t new_id_len) { + CK_ATTRIBUTE template[] = {{CKA_ID, new_id, new_id_len}}; + if ((p11->C_SetAttributeValue(session, object, template, 1)) != CKR_OK) { + fail("Failed to set CKA_ID attribute"); + exit(EXIT_FAILURE); } } static void set_label(CK_OBJECT_HANDLE object, char *new_label) { - CK_ATTRIBUTE new_label_template[] = { - {CKA_LABEL, new_label, strlen(new_label)}}; - if ((p11->C_SetAttributeValue(session, object, new_label_template, 1)) != - CKR_OK) { - fail("Failed to generate EC key pair on YubiHSM"); + CK_ATTRIBUTE template[] = {{CKA_LABEL, new_label, strlen(new_label)}}; + if ((p11->C_SetAttributeValue(session, object, template, 1)) != CKR_OK) { + fail("Failed to set CKA_LABEL attribute"); exit(EXIT_FAILURE); } } +static void run_id_test(CK_OBJECT_HANDLE object, uint8_t *old_id, + uint16_t old_id_len, uint8_t *new_id, + uint16_t new_id_len) { + uint8_t id[255] = {0}; + get_stored_id(object, id); + if (memcmp(id, old_id, old_id_len) != 0) { + printf("ID does not match what's on the device.FAIL!\n"); + print_byte_array("Expected CKA_ID", old_id, old_id_len); + print_byte_array("Found CKA_ID", id, sizeof(id)); + exit(EXIT_FAILURE); + } + set_id(object, new_id, new_id_len); + memset(id, 0, 255); + + get_stored_id(object, id); + if (memcmp(id, new_id, new_id_len) != 0) { + printf("ID does not match what's on the device. FAIL!\n"); + print_byte_array("Expected CKA_ID", new_id, new_id_len); + print_byte_array("Found CKA_ID", id, sizeof(id)); + exit(EXIT_FAILURE); + } + + printf("ID changed on YubiHSM. "); + print_byte_array_no_new_line("Old CKA_ID", old_id, old_id_len); + print_byte_array_no_new_line(". New CKA_ID", new_id, new_id_len); + printf(". OK!\n"); +} + static void run_label_test(CK_OBJECT_HANDLE object, char *old_label, char *new_label) { char label[255] = {0}; @@ -105,51 +218,69 @@ static void run_label_test(CK_OBJECT_HANDLE object, char *old_label, new_label); } -int main(int argc, char **argv) { - - if (argc != 2) { - fprintf(stderr, "usage: /path/to/yubihsm_pkcs11/module\n"); +static void test_keypair_metadata(int is_rsa) { + CK_BYTE data[64] = {0}; + CK_ULONG data_len = sizeof(data); + if (RAND_bytes(data, data_len) <= 0) exit(EXIT_FAILURE); - } - - void *handle = open_module(argv[1]); - p11 = get_function_list(handle); - session = open_session(p11); - print_session_state(p11, session); - - int exit_status = EXIT_SUCCESS; CK_OBJECT_HANDLE yh_pubkey, yh_privkey; printf("Generating key pair with privateKey label 'label' and publicKey " "label 'label'... \n"); - generate_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, &yh_privkey, - "label", "label"); + if (is_rsa) { + generate_rsa_keypair(&yh_pubkey, &yh_privkey, KEYID, sizeof(KEYID), KEYID, + sizeof(KEYID), "label", "label"); + } else { + generate_ec_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, + &yh_privkey, KEYID, sizeof(KEYID), KEYID, sizeof(KEYID), + "label", "label"); + } run_label_test(yh_privkey, "label", "new_label"); run_label_test(yh_pubkey, "label", "new_label"); + run_id_test(yh_privkey, KEYID, sizeof(KEYID), data, 32); + run_id_test(yh_pubkey, KEYID, sizeof(KEYID), data, 32); destroy_object(p11, session, yh_privkey); printf("OK!\n"); printf("Generating key pair with privateKey label 'label_private' and " - "publicKey label 'label_public'... \n"); - generate_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, &yh_privkey, - "label_public", "label_private"); + "publicKey label 'label_public' and different CKA_ID of size 2... \n"); + if (is_rsa) { + generate_rsa_keypair(&yh_pubkey, &yh_privkey, KEYID, sizeof(KEYID), data, + sizeof(KEYID), "label_public", "label_private"); + } else { + generate_ec_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, + &yh_privkey, KEYID, sizeof(KEYID), data, sizeof(KEYID), + "label_public", "label_private"); + } run_label_test(yh_privkey, "label_private", "new_label"); run_label_test(yh_pubkey, "label_public", "new_label"); + run_id_test(yh_privkey, data, sizeof(KEYID), data + 10, sizeof(KEYID)); + run_id_test(yh_pubkey, KEYID, sizeof(KEYID), data + 6, sizeof(KEYID)); destroy_object(p11, session, yh_privkey); printf("OK!\n"); printf("Generating key pair with privateKey label " "'label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00' and publicKey " - "label 'label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00'... \n"); - generate_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, &yh_privkey, - "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", - "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00"); + "label 'label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00' and " + "similar 32 bytes CKA_ID... \n"); + if (is_rsa) { + generate_rsa_keypair(&yh_pubkey, &yh_privkey, data, 32, data + 32, 32, + "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00"); + } else { + generate_ec_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, + &yh_privkey, data, 32, data + 32, 32, + "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00"); + } run_label_test(yh_privkey, "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", "new_label_0123456789012345678901234567890123456789"); run_label_test(yh_pubkey, "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", "new_label"); + run_id_test(yh_privkey, data + 32, 32, data, 32); + run_id_test(yh_pubkey, data, 32, data + 6, sizeof(KEYID)); destroy_object(p11, session, yh_privkey); printf("OK!\n"); @@ -157,10 +288,21 @@ int main(int argc, char **argv) { "'label_private_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00' and " "publicKey label " "'label_public_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00'... \n"); - generate_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, &yh_privkey, - "label_public_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", - "label_private_" - "5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00"); + if (is_rsa) { + generate_rsa_keypair(&yh_pubkey, &yh_privkey, KEYID, sizeof(KEYID), KEYID, + sizeof(KEYID), + "label_public_" + "5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + "label_private_" + "5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00"); + } else { + generate_ec_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, + &yh_privkey, KEYID, sizeof(KEYID), KEYID, sizeof(KEYID), + "label_public_" + "5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + "label_private_" + "5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00"); + } run_label_test(yh_privkey, "label_private_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", "new_nice_label_0123456789012345678901234567890123456789"); @@ -169,6 +311,52 @@ int main(int argc, char **argv) { "new_nice_label_0123456789012345678901234567890123456789"); destroy_object(p11, session, yh_privkey); printf("OK!\n"); +} + +static void test_secretkey_metadata() { + CK_BYTE data[64] = {0}; + CK_ULONG data_len = sizeof(data); + if (RAND_bytes(data, data_len) <= 0) + exit(EXIT_FAILURE); + + CK_OBJECT_HANDLE yh_key; + + printf("Generating HMAC key with label 'label' and default CKA_ID... \n"); + generate_hmac_key(&yh_key, KEYID, sizeof(KEYID), "label"); + run_label_test(yh_key, "label", "new_label"); + run_id_test(yh_key, KEYID, sizeof(KEYID), data, 32); + destroy_object(p11, session, yh_key); + printf("OK!\n"); + + printf("Generating HMAC key with label " + "'label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00' and a 32 bytes " + "CKA_ID... \n"); + generate_hmac_key(&yh_key, data, 32, + "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00"); + run_label_test(yh_key, "label_5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + "new_label_0123456789012345678901234567890123456789"); + run_id_test(yh_key, data, 32, data + 6, sizeof(KEYID)); + destroy_object(p11, session, yh_key); + printf("OK!\n"); +} + +int main(int argc, char **argv) { + + if (argc != 2) { + fprintf(stderr, "usage: /path/to/yubihsm_pkcs11/module\n"); + exit(EXIT_FAILURE); + } + + void *handle = open_module(argv[1]); + p11 = get_function_list(handle); + session = open_session(p11); + print_session_state(p11, session); + + int exit_status = EXIT_SUCCESS; + + test_keypair_metadata(0); + test_keypair_metadata(1); + test_secretkey_metadata(); close_session(p11, session); close_module(handle); From 668876de6c197a0e7663c0863e1efed6605554f6 Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Tue, 21 Mar 2023 18:04:53 +0100 Subject: [PATCH 05/18] PKCS11: MetaObject: Fix function declaration --- pkcs11/tests/meta_object_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkcs11/tests/meta_object_test.c b/pkcs11/tests/meta_object_test.c index 7039aa5c..02a8c0e5 100644 --- a/pkcs11/tests/meta_object_test.c +++ b/pkcs11/tests/meta_object_test.c @@ -313,7 +313,7 @@ static void test_keypair_metadata(int is_rsa) { printf("OK!\n"); } -static void test_secretkey_metadata() { +static void test_secretkey_metadata(void) { CK_BYTE data[64] = {0}; CK_ULONG data_len = sizeof(data); if (RAND_bytes(data, data_len) <= 0) From 2a3344274d7c4dc0b7b8fc9fc146e5edb90956ed Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Wed, 12 Apr 2023 09:34:59 +0200 Subject: [PATCH 06/18] PKCS11: Meta_object: Increase test coverage --- pkcs11/tests/CMakeLists.txt | 13 +- pkcs11/tests/meta_object_test.c | 295 ++++++++++++++++++++++++++++---- 2 files changed, 265 insertions(+), 43 deletions(-) diff --git a/pkcs11/tests/CMakeLists.txt b/pkcs11/tests/CMakeLists.txt index cdf2f9ef..e9161797 100644 --- a/pkcs11/tests/CMakeLists.txt +++ b/pkcs11/tests/CMakeLists.txt @@ -242,12 +242,12 @@ set ( ) set ( - SOURCE_META_OBJECT - meta_object_test.c - common.c + SOURCE_META_OBJECT + meta_object_test.c + common.c ) -set ( +set( SOURCE_AES_ENCRYPT aes_encrypt_test.c common.c @@ -279,9 +279,10 @@ target_link_libraries ( ${LIBCRYPTO_LDFLAGS} "-ldl") -target_link_libraries( +target_link_libraries ( meta_object_test ${LIBCRYPTO_LDFLAGS} + yubihsm "-ldl") add_test ( @@ -292,7 +293,7 @@ add_test ( add_test ( NAME meta_object_test COMMAND ${CMAKE_CURRENT_BINARY_DIR}/meta_object_test ${CMAKE_CURRENT_BINARY_DIR}/../yubihsm_pkcs11.${LIBEXT} - ) +) if (NOT ${LIBCRYPTO_VERSION} VERSION_LESS 1.1) add_executable (rsa_enc_test ${SOURCE_RSA_ENC_TEST}) diff --git a/pkcs11/tests/meta_object_test.c b/pkcs11/tests/meta_object_test.c index 02a8c0e5..e91466f4 100644 --- a/pkcs11/tests/meta_object_test.c +++ b/pkcs11/tests/meta_object_test.c @@ -16,6 +16,7 @@ #ifdef NDEBUG #undef NDEBUG #endif +#include #include #include #include @@ -24,6 +25,7 @@ #include "../pkcs11.h" #include "common.h" +#include "yubihsm.h" CK_BYTE P384_PARAMS[] = {0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22}; CK_BYTE KEYID[2] = {0x64, 0x64}; @@ -47,6 +49,33 @@ static void print_byte_array(const char *tag, uint8_t *data, printf("\n"); } +static CK_SESSION_HANDLE open_test_session(char *password) { + CK_SESSION_HANDLE tmp_session; + CK_C_INITIALIZE_ARGS initArgs; + memset(&initArgs, 0, sizeof(initArgs)); + + const char *connector_url; + connector_url = getenv("DEFAULT_CONNECTOR_URL"); + if (connector_url == NULL) { + connector_url = DEFAULT_CONNECTOR_URL; + } + char config[256]; + assert(strlen(connector_url) + strlen("connector=") < 256); + sprintf(config, "connector=%s", connector_url); + initArgs.pReserved = (void *) config; + CK_RV rv = p11->C_Initialize(&initArgs); + assert(rv == CKR_OK); + + p11->C_OpenSession(0, CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL, NULL, + &tmp_session); + assert(rv == CKR_OK); + + p11->C_Login(tmp_session, CKU_USER, (CK_UTF8CHAR_PTR) password, + (CK_ULONG) strlen(password)); + assert(rv == CKR_OK); + return tmp_session; +} + static void generate_ec_keypair( CK_BYTE *curve, CK_ULONG curve_len, CK_OBJECT_HANDLE_PTR publicKeyPtr, CK_OBJECT_HANDLE_PTR privateKeyPtr, CK_BYTE *ckaid_public, @@ -74,12 +103,10 @@ static void generate_ec_keypair( {CKA_LABEL, label_private, strlen(label_private)}, {CKA_DERIVE, &ck_true, sizeof(ck_true)}}; - if ((p11->C_GenerateKeyPair(session, &mechanism, publicKeyTemplate, 6, - privateKeyTemplate, 4, publicKeyPtr, - privateKeyPtr)) != CKR_OK) { - fail("Failed to generate EC key pair on YubiHSM"); - exit(EXIT_FAILURE); - } + CK_RV rv = + p11->C_GenerateKeyPair(session, &mechanism, publicKeyTemplate, 6, + privateKeyTemplate, 4, publicKeyPtr, privateKeyPtr); + assert(rv == CKR_OK); } static void generate_rsa_keypair( @@ -107,12 +134,10 @@ static void generate_rsa_keypair( {CKA_CLASS, &privkey_class, sizeof(privkey_class)}, {CKA_KEY_TYPE, &key_type, sizeof(key_type)}}; - if ((p11->C_GenerateKeyPair(session, &mechanism, publicKeyTemplate, 5, - privateKeyTemplate, 4, publicKeyPtr, - privateKeyPtr)) != CKR_OK) { - fail("Failed to generate RSA key pair on YubiHSM"); - exit(EXIT_FAILURE); - } + CK_RV rv = + p11->C_GenerateKeyPair(session, &mechanism, publicKeyTemplate, 5, + privateKeyTemplate, 4, publicKeyPtr, privateKeyPtr); + assert(rv == CKR_OK); } static void generate_hmac_key(CK_OBJECT_HANDLE_PTR key_handle, CK_BYTE *ckaid, @@ -127,42 +152,34 @@ static void generate_hmac_key(CK_OBJECT_HANDLE_PTR key_handle, CK_BYTE *ckaid, {CKA_CLASS, &class, sizeof(class)}, {CKA_KEY_TYPE, &key_type, sizeof(key_type)}}; - if ((p11->C_GenerateKey(session, &mechanism, keyTemplate, 4, key_handle)) != - CKR_OK) { - fail("Failed to generate HMAC key on YubiHSM"); - exit(EXIT_FAILURE); - } + CK_RV rv = + p11->C_GenerateKey(session, &mechanism, keyTemplate, 4, key_handle); + assert(rv == CKR_OK); } static void get_stored_id(CK_OBJECT_HANDLE object, uint8_t *id) { CK_ATTRIBUTE template[] = {{CKA_ID, id, 255}}; - if ((p11->C_GetAttributeValue(session, object, template, 1)) != CKR_OK) { - printf("Failed C_GetAttributeValue CKA_ID. 0x%lx\n", object); - } + CK_RV rv = p11->C_GetAttributeValue(session, object, template, 1); + assert(rv == CKR_OK); } static void get_stored_label(CK_OBJECT_HANDLE object, char *label) { CK_ATTRIBUTE template[] = {{CKA_LABEL, label, 255}}; - if ((p11->C_GetAttributeValue(session, object, template, 1)) != CKR_OK) { - printf("Failed C_GetAttributeValue CKA_LABEL. 0x%lx\n", object); - } + CK_RV rv = p11->C_GetAttributeValue(session, object, template, 1); + assert(rv == CKR_OK); } static void set_id(CK_OBJECT_HANDLE object, uint8_t *new_id, uint16_t new_id_len) { CK_ATTRIBUTE template[] = {{CKA_ID, new_id, new_id_len}}; - if ((p11->C_SetAttributeValue(session, object, template, 1)) != CKR_OK) { - fail("Failed to set CKA_ID attribute"); - exit(EXIT_FAILURE); - } + CK_RV rv = p11->C_SetAttributeValue(session, object, template, 1); + assert(rv == CKR_OK); } static void set_label(CK_OBJECT_HANDLE object, char *new_label) { CK_ATTRIBUTE template[] = {{CKA_LABEL, new_label, strlen(new_label)}}; - if ((p11->C_SetAttributeValue(session, object, template, 1)) != CKR_OK) { - fail("Failed to set CKA_LABEL attribute"); - exit(EXIT_FAILURE); - } + CK_RV rv = p11->C_SetAttributeValue(session, object, template, 1); + assert(rv == CKR_OK); } static void run_id_test(CK_OBJECT_HANDLE object, uint8_t *old_id, @@ -221,8 +238,8 @@ static void run_label_test(CK_OBJECT_HANDLE object, char *old_label, static void test_keypair_metadata(int is_rsa) { CK_BYTE data[64] = {0}; CK_ULONG data_len = sizeof(data); - if (RAND_bytes(data, data_len) <= 0) - exit(EXIT_FAILURE); + int ret = RAND_bytes(data, data_len); + assert(ret > 0); CK_OBJECT_HANDLE yh_pubkey, yh_privkey; printf("Generating key pair with privateKey label 'label' and publicKey " @@ -316,8 +333,8 @@ static void test_keypair_metadata(int is_rsa) { static void test_secretkey_metadata(void) { CK_BYTE data[64] = {0}; CK_ULONG data_len = sizeof(data); - if (RAND_bytes(data, data_len) <= 0) - exit(EXIT_FAILURE); + int ret = RAND_bytes(data, data_len); + assert(ret > 0); CK_OBJECT_HANDLE yh_key; @@ -340,6 +357,208 @@ static void test_secretkey_metadata(void) { printf("OK!\n"); } +static yh_session *get_device_session() { + yh_connector *connector = NULL; + yh_session *device_session = NULL; + + uint16_t authkey = 1; + const uint8_t password1[] = "password"; + + const char *connector_url; + + connector_url = getenv("DEFAULT_CONNECTOR_URL"); + if (connector_url == NULL) { + connector_url = DEFAULT_CONNECTOR_URL; + } + + yh_rc yrc = yh_init(); + assert(yrc == YHR_SUCCESS); + + yrc = yh_init_connector(connector_url, &connector); + assert(yrc == YHR_SUCCESS); + + yrc = yh_connect(connector, 0); + assert(yrc == YHR_SUCCESS); + + yrc = + yh_create_session_derived(connector, authkey, password1, + sizeof(password1) - 1, false, &device_session); + assert(yrc == YHR_SUCCESS); + + uint8_t session_id; + yrc = yh_get_session_id(device_session, &session_id); + assert(yrc == YHR_SUCCESS); + + return device_session; +} + +static void import_authkey(yh_session *device_session, uint16_t keyid, + char *domains_str, char *password) { + yh_capabilities capabilities = {{0}}; + yh_rc yrc = yh_string_to_capabilities("all", &capabilities); + assert(yrc == YHR_SUCCESS); + + uint16_t domains = 0; + yrc = yh_string_to_domains(domains_str, &domains); + assert(yrc == YHR_SUCCESS); + + yrc = yh_util_import_authentication_key_derived(device_session, &keyid, + "pkca11test_authkey", domains, + &capabilities, &capabilities, + (CK_UTF8CHAR_PTR) password, + strlen(password)); + assert(yrc == YHR_SUCCESS); +} + +static void test_domain() { + + char password2[] = "foobar123"; + char p11_password2[] = "0002foobar123"; + char password3[] = "foo123bar"; + char p11_password3[] = "0003foo123bar"; + char password4[] = "123foobar"; + char p11_password4[] = "0004123foobar"; + char password5[] = "foofoobar"; + char p11_password5[] = "0005foofoobar"; + + close_session(p11, session); + yh_session *device_session = get_device_session(); + + // Create authentication keys with different domains access to test with + import_authkey(device_session, 2, "3,4,5", password2); + import_authkey(device_session, 3, "5,6,7", password3); + import_authkey(device_session, 4, "7,8,9", password4); + import_authkey(device_session, 5, "1,2,3,4,5", password5); + + session = open_test_session(p11_password2); + + CK_OBJECT_HANDLE key_handle; + + // Generate key with domains: 3,4,5 + printf("Generate key with domains: 3,4,5\n"); + CK_MECHANISM mechanism = {CKM_GENERIC_SECRET_KEY_GEN, NULL, 0}; + CK_OBJECT_CLASS class = CKO_SECRET_KEY; + CK_KEY_TYPE key_type = CKK_SHA_1_HMAC; + char *label = "labellabel5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00"; + CK_ATTRIBUTE keyTemplate[] = {{CKA_LABEL, label, strlen(label)}, + {CKA_CLASS, &class, sizeof(class)}, + {CKA_KEY_TYPE, &key_type, sizeof(key_type)}}; + CK_RV rv = + p11->C_GenerateKey(session, &mechanism, keyTemplate, 3, &key_handle); + assert(rv == CKR_OK); + close_session(p11, session); + + char stored_label[255] = {0}; + CK_ATTRIBUTE get_label_template[] = {{CKA_LABEL, stored_label, 255}}; + char *new_label = "new_label"; + CK_ATTRIBUTE new_label_template[] = { + {CKA_LABEL, new_label, strlen(new_label)}}; + + // Read meta data using authkey with domains: 5,6,7 + printf("Read meta data using authkey with domains: 5,6,7. "); + session = open_test_session(p11_password3); + get_stored_label(key_handle, stored_label); + if (strcmp(stored_label, + "labellabel5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00") != 0) { + printf("Label does not match what's on the device, probably because " + "meta_object was not read. Expected: %s. Found: " + "%s. FAIL!\n", + "labellabel5fc17f953e7c97dafabe60b1d5769c2b629c9b198bf00", + stored_label); + exit(EXIT_FAILURE); + } + printf("OK!\n"); + + // Overwrite existing meta_data using authkey with domains: 5,6,7. Should fail + printf("Overwrite existing meta_data using authkey with domains: 5,6,7 " + "(Expected to fail). "); + if ((p11->C_SetAttributeValue(session, key_handle, new_label_template, 1)) != + CKR_FUNCTION_REJECTED) { + memset(stored_label, 0, 255); + get_stored_label(key_handle, stored_label); + printf("After C_SetAttribute: label: %s\n", stored_label); + if (strcmp(stored_label, new_label) == 0) { + fail("Succeeded to set CKA_LABEL attribute, which should fail due to " + "domain mismatch"); + exit(EXIT_FAILURE); + } + } + printf("OK!\n"); + close_session(p11, session); + + // Read meta_data using authkey with domains: 7,8,9. Should fail + printf( + "Read meta_data using authkey with domains: 7,8,9 (Expected to fail). "); + session = open_test_session(p11_password4); + memset(stored_label, 0, 255); + rv = p11->C_GetAttributeValue(session, key_handle, get_label_template, 1); + assert(rv == CKR_OBJECT_HANDLE_INVALID); + printf("OK!\n"); + close_session(p11, session); + + // Modify meta_object using authkey with superset domains + printf("Modify meta_object using authkey with superset domains. "); + session = open_test_session(p11_password5); + if ((p11->C_SetAttributeValue(session, key_handle, new_label_template, 1)) != + CKR_OK) { + memset(stored_label, 0, 255); + get_stored_label(key_handle, stored_label); + printf("Failed to set attribute. Stored label expected: %s. Found: %s\n", + new_label, stored_label); + exit(EXIT_FAILURE); + } + close_session(p11, session); + + // Find meta_object ObjectID + uint16_t target_id = key_handle & 0xffff; + uint8_t target_type = (key_handle >> 16); + uint8_t target_sequence = key_handle >> 24; + char metaobject_label[YH_OBJ_LABEL_LEN] = {0}; + sprintf(metaobject_label, "Meta object for 0x%02x%02x%04x", target_sequence, + target_type, target_id); + yh_object_descriptor meta_objects[10] = {0}; + size_t meta_ojbects_len = 10; + yh_capabilities capabilities = {{0}}; + yh_rc yrc = + yh_util_list_objects(device_session, 0, YH_OPAQUE, 0xffff, &capabilities, + YH_ALGO_OPAQUE_DATA, metaobject_label, meta_objects, + &meta_ojbects_len); + assert(yrc == YHR_SUCCESS); + if (meta_ojbects_len == 0) { + fail("No meta_objects were found. There should be 1"); + exit(EXIT_FAILURE); + } else if (meta_ojbects_len > 1) { + printf("There are more than 1 meta_object for the target_object. Expected: " + "1. Found: %ld\n", + meta_ojbects_len); + exit(EXIT_FAILURE); + } + + // Check meta_object domains + yrc = yh_util_get_object_info(device_session, meta_objects[0].id, YH_OPAQUE, + &meta_objects[0]); + assert(yrc == YHR_SUCCESS); + if (meta_objects[0].domains != 28) { // domains 3,4,5 + printf("Meta object was overwritten with other domains than original " + "object. Expected: 28. Found %d\n", + meta_objects[0].domains); + exit(EXIT_FAILURE); + } + printf("OK!\n"); + + // Clear the HSM after the test + yh_util_delete_object(device_session, 2, YH_AUTHENTICATION_KEY); + yh_util_delete_object(device_session, 3, YH_AUTHENTICATION_KEY); + yh_util_delete_object(device_session, 4, YH_AUTHENTICATION_KEY); + yh_util_delete_object(device_session, 5, YH_AUTHENTICATION_KEY); + yh_util_delete_object(device_session, target_id, YH_HMAC_KEY); + yh_util_delete_object(device_session, meta_objects[0].id, YH_OPAQUE); + + yh_util_close_session(device_session); + + printf("OK!\n"); +} + int main(int argc, char **argv) { if (argc != 2) { @@ -349,16 +568,18 @@ int main(int argc, char **argv) { void *handle = open_module(argv[1]); p11 = get_function_list(handle); - session = open_session(p11); + session = open_test_session("0001password"); print_session_state(p11, session); int exit_status = EXIT_SUCCESS; test_keypair_metadata(0); + printf("\n\n"); test_keypair_metadata(1); test_secretkey_metadata(); + printf("\n\n"); + test_domain(); - close_session(p11, session); close_module(handle); return (exit_status); } From cf3b2151e6b06aec8d087b0892da46a537103b79 Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Tue, 7 Feb 2023 14:39:17 +0100 Subject: [PATCH 07/18] PKCS11: Tests: Add test for meta_object --- pkcs11/tests/CMakeLists.txt | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pkcs11/tests/CMakeLists.txt b/pkcs11/tests/CMakeLists.txt index e9161797..b0bf6ace 100644 --- a/pkcs11/tests/CMakeLists.txt +++ b/pkcs11/tests/CMakeLists.txt @@ -242,12 +242,12 @@ set ( ) set ( - SOURCE_META_OBJECT - meta_object_test.c - common.c + SOURCE_META_OBJECT + meta_object_test.c + common.c ) -set( +set ( SOURCE_AES_ENCRYPT aes_encrypt_test.c common.c @@ -293,7 +293,7 @@ add_test ( add_test ( NAME meta_object_test COMMAND ${CMAKE_CURRENT_BINARY_DIR}/meta_object_test ${CMAKE_CURRENT_BINARY_DIR}/../yubihsm_pkcs11.${LIBEXT} -) + ) if (NOT ${LIBCRYPTO_VERSION} VERSION_LESS 1.1) add_executable (rsa_enc_test ${SOURCE_RSA_ENC_TEST}) From feb67cb96824fd1b2495342aeb552be735c96ffc Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Wed, 26 Apr 2023 11:26:31 +0200 Subject: [PATCH 08/18] PKCS11: meta_object: Fix compilation error --- pkcs11/tests/meta_object_test.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkcs11/tests/meta_object_test.c b/pkcs11/tests/meta_object_test.c index e91466f4..e0c3e170 100644 --- a/pkcs11/tests/meta_object_test.c +++ b/pkcs11/tests/meta_object_test.c @@ -357,7 +357,7 @@ static void test_secretkey_metadata(void) { printf("OK!\n"); } -static yh_session *get_device_session() { +static yh_session *get_device_session(void) { yh_connector *connector = NULL; yh_session *device_session = NULL; @@ -410,7 +410,7 @@ static void import_authkey(yh_session *device_session, uint16_t keyid, assert(yrc == YHR_SUCCESS); } -static void test_domain() { +static void test_domain(void) { char password2[] = "foobar123"; char p11_password2[] = "0002foobar123"; From 027c55d092e9bc1fd87814584581af44474c6578 Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Wed, 26 Apr 2023 14:06:07 +0200 Subject: [PATCH 09/18] Githubactions: output content of hsm for debugging --- .github/workflows/build_and_test.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml index e8c50180..dd5b5c45 100644 --- a/.github/workflows/build_and_test.yml +++ b/.github/workflows/build_and_test.yml @@ -421,6 +421,8 @@ jobs: env: DOCKER_IMAGE: ${{ matrix.environment }} run: | + ./src/yubihsm-shell -p password -a list-objects [0] + if [ $DOCKER_IMAGE = "debian:11" ]; then # we skip the engine tests (for now) since it ships with a broken curl version ctest --output-on-failure -E engine From 29c1bb80bca0555cfc0b969dbea8170fb5378455 Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Wed, 26 Apr 2023 14:27:17 +0200 Subject: [PATCH 10/18] Githubactions: Revert change --- .github/workflows/build_and_test.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml index dd5b5c45..e8c50180 100644 --- a/.github/workflows/build_and_test.yml +++ b/.github/workflows/build_and_test.yml @@ -421,8 +421,6 @@ jobs: env: DOCKER_IMAGE: ${{ matrix.environment }} run: | - ./src/yubihsm-shell -p password -a list-objects [0] - if [ $DOCKER_IMAGE = "debian:11" ]; then # we skip the engine tests (for now) since it ships with a broken curl version ctest --output-on-failure -E engine From 6122e80b8fc34988c181b40203a094102a70bde3 Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Wed, 26 Apr 2023 14:39:53 +0200 Subject: [PATCH 11/18] PKCS11: meta_objects: output more debug messages --- pkcs11/tests/meta_object_test.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkcs11/tests/meta_object_test.c b/pkcs11/tests/meta_object_test.c index e0c3e170..be982191 100644 --- a/pkcs11/tests/meta_object_test.c +++ b/pkcs11/tests/meta_object_test.c @@ -407,6 +407,9 @@ static void import_authkey(yh_session *device_session, uint16_t keyid, &capabilities, &capabilities, (CK_UTF8CHAR_PTR) password, strlen(password)); + printf("yh_util_import_authentication_key_derived returned: %d " + " keyid: 0x%x\n", + yrc, keyid); assert(yrc == YHR_SUCCESS); } From ebef543ddaf8d678e373a7430b384284f619bc7b Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Wed, 26 Apr 2023 15:18:55 +0200 Subject: [PATCH 12/18] PKCS11: meta_objects: Change test authkey ID --- pkcs11/tests/meta_object_test.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/pkcs11/tests/meta_object_test.c b/pkcs11/tests/meta_object_test.c index be982191..44090363 100644 --- a/pkcs11/tests/meta_object_test.c +++ b/pkcs11/tests/meta_object_test.c @@ -416,22 +416,22 @@ static void import_authkey(yh_session *device_session, uint16_t keyid, static void test_domain(void) { char password2[] = "foobar123"; - char p11_password2[] = "0002foobar123"; + char p11_password2[] = "000afoobar123"; char password3[] = "foo123bar"; - char p11_password3[] = "0003foo123bar"; + char p11_password3[] = "000bfoo123bar"; char password4[] = "123foobar"; - char p11_password4[] = "0004123foobar"; + char p11_password4[] = "000c123foobar"; char password5[] = "foofoobar"; - char p11_password5[] = "0005foofoobar"; + char p11_password5[] = "000dfoofoobar"; close_session(p11, session); yh_session *device_session = get_device_session(); // Create authentication keys with different domains access to test with - import_authkey(device_session, 2, "3,4,5", password2); - import_authkey(device_session, 3, "5,6,7", password3); - import_authkey(device_session, 4, "7,8,9", password4); - import_authkey(device_session, 5, "1,2,3,4,5", password5); + import_authkey(device_session, 10, "3,4,5", password2); + import_authkey(device_session, 11, "5,6,7", password3); + import_authkey(device_session, 12, "7,8,9", password4); + import_authkey(device_session, 13, "1,2,3,4,5", password5); session = open_test_session(p11_password2); @@ -550,10 +550,10 @@ static void test_domain(void) { printf("OK!\n"); // Clear the HSM after the test - yh_util_delete_object(device_session, 2, YH_AUTHENTICATION_KEY); - yh_util_delete_object(device_session, 3, YH_AUTHENTICATION_KEY); - yh_util_delete_object(device_session, 4, YH_AUTHENTICATION_KEY); - yh_util_delete_object(device_session, 5, YH_AUTHENTICATION_KEY); + yh_util_delete_object(device_session, 10, YH_AUTHENTICATION_KEY); + yh_util_delete_object(device_session, 11, YH_AUTHENTICATION_KEY); + yh_util_delete_object(device_session, 12, YH_AUTHENTICATION_KEY); + yh_util_delete_object(device_session, 13, YH_AUTHENTICATION_KEY); yh_util_delete_object(device_session, target_id, YH_HMAC_KEY); yh_util_delete_object(device_session, meta_objects[0].id, YH_OPAQUE); From 13ca11819eec596b11b19666c3174c130978e984 Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Wed, 26 Apr 2023 16:04:29 +0200 Subject: [PATCH 13/18] PKCS11: meta_objects: Remove debug message --- pkcs11/tests/meta_object_test.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/pkcs11/tests/meta_object_test.c b/pkcs11/tests/meta_object_test.c index 44090363..c38a9b49 100644 --- a/pkcs11/tests/meta_object_test.c +++ b/pkcs11/tests/meta_object_test.c @@ -407,9 +407,6 @@ static void import_authkey(yh_session *device_session, uint16_t keyid, &capabilities, &capabilities, (CK_UTF8CHAR_PTR) password, strlen(password)); - printf("yh_util_import_authentication_key_derived returned: %d " - " keyid: 0x%x\n", - yrc, keyid); assert(yrc == YHR_SUCCESS); } From cfd741678172c9b11ab2bd4bab66bf38f87ffc1c Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Thu, 27 Apr 2023 10:23:53 +0200 Subject: [PATCH 14/18] PKCS11: meta_objects: Fix potential bufferoverflow --- pkcs11/tests/meta_object_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkcs11/tests/meta_object_test.c b/pkcs11/tests/meta_object_test.c index c38a9b49..6c5d6508 100644 --- a/pkcs11/tests/meta_object_test.c +++ b/pkcs11/tests/meta_object_test.c @@ -61,7 +61,7 @@ static CK_SESSION_HANDLE open_test_session(char *password) { } char config[256]; assert(strlen(connector_url) + strlen("connector=") < 256); - sprintf(config, "connector=%s", connector_url); + snprintf(config, sizeof(config), "connector=%s", connector_url); initArgs.pReserved = (void *) config; CK_RV rv = p11->C_Initialize(&initArgs); assert(rv == CKR_OK); From 4b97d1aa76edff3eb6df4cba83fe1d54f3e1b33e Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Mon, 15 May 2023 14:00:28 +0200 Subject: [PATCH 15/18] PKCS11: Meta_object: Test: increase test coverage --- pkcs11/tests/meta_object_test.c | 325 +++++++++++++++++++++++++++++++- 1 file changed, 316 insertions(+), 9 deletions(-) diff --git a/pkcs11/tests/meta_object_test.c b/pkcs11/tests/meta_object_test.c index 6c5d6508..d38561bb 100644 --- a/pkcs11/tests/meta_object_test.c +++ b/pkcs11/tests/meta_object_test.c @@ -22,6 +22,9 @@ #include #include #include +#include +#include +#include #include "../pkcs11.h" #include "common.h" @@ -109,6 +112,92 @@ static void generate_ec_keypair( assert(rv == CKR_OK); } +static void import_ec_key(CK_OBJECT_HANDLE_PTR publicKeyPtr, + CK_OBJECT_HANDLE_PTR privateKeyPtr, + CK_BYTE *ckaid_public, CK_ULONG ckaid_public_len, + CK_BYTE *ckaid_private, CK_ULONG ckaid_private_len, + char *label_public, char *label_private) { + + int curve = NID_secp384r1; + CK_ULONG key_len = 48; + + CK_ULONG class_k = CKO_PRIVATE_KEY; + CK_ULONG class_c = CKO_CERTIFICATE; + CK_ULONG kt = CKK_EC; + CK_BYTE value_c[3100] = {0}; + CK_CHAR *pvt = malloc(48); + + CK_ATTRIBUTE privateKeyTemplate[] = + {{CKA_CLASS, &class_k, sizeof(class_k)}, + {CKA_KEY_TYPE, &kt, sizeof(kt)}, + {CKA_ID, ckaid_private, ckaid_private_len}, + {CKA_LABEL, label_private, strlen(label_private)}, + {CKA_EC_PARAMS, P384_PARAMS, sizeof(P384_PARAMS)}, + {CKA_VALUE, pvt, key_len}}; + + CK_ATTRIBUTE publicKeyTemplate[] = {{CKA_CLASS, &class_c, sizeof(class_c)}, + {CKA_ID, ckaid_public, ckaid_public_len}, + {CKA_LABEL, label_public, + strlen(label_public)}, + {CKA_VALUE, value_c, sizeof(value_c)}}; + + EVP_PKEY *evp = EVP_PKEY_new(); + + if (evp == NULL) + exit(EXIT_FAILURE); + + EC_KEY *eck = EC_KEY_new_by_curve_name(curve); + + if (eck == NULL) + exit(EXIT_FAILURE); + + assert(EC_KEY_generate_key(eck) == 1); + + const BIGNUM *bn = EC_KEY_get0_private_key(eck); + + assert(BN_bn2binpad(bn, pvt, key_len) == (int) key_len); + + if (EVP_PKEY_set1_EC_KEY(evp, eck) == 0) + exit(EXIT_FAILURE); + + X509 *cert = X509_new(); + + if (cert == NULL) + exit(EXIT_FAILURE); + + X509_set_version(cert, 2); // Version 3 + X509_NAME_add_entry_by_txt(X509_get_issuer_name(cert), "CN", MBSTRING_ASC, + (unsigned char *) "Test Issuer", -1, -1, 0); + X509_NAME_add_entry_by_txt(X509_get_subject_name(cert), "CN", MBSTRING_ASC, + (unsigned char *) "Test Subject", -1, -1, 0); + ASN1_INTEGER_set(X509_get_serialNumber(cert), 0); + X509_gmtime_adj(X509_get_notBefore(cert), 0); + X509_gmtime_adj(X509_get_notAfter(cert), 0); + + if (X509_set_pubkey(cert, evp) == 0) + exit(EXIT_FAILURE); + + if (X509_sign(cert, evp, EVP_sha1()) == 0) + exit(EXIT_FAILURE); + + CK_ULONG cert_len; + unsigned char *p = value_c; + if ((cert_len = (CK_ULONG) i2d_X509(cert, &p)) == 0 || + cert_len > sizeof(value_c)) + exit(EXIT_FAILURE); + + publicKeyTemplate[2].ulValueLen = cert_len; + + assert(p11->C_CreateObject(session, privateKeyTemplate, 6, privateKeyPtr) == + CKR_OK); + assert(p11->C_CreateObject(session, publicKeyTemplate, 4, publicKeyPtr) == + CKR_OK); + + free(pvt); + X509_free(cert); + EVP_PKEY_free(evp); +} + static void generate_rsa_keypair( CK_OBJECT_HANDLE_PTR publicKeyPtr, CK_OBJECT_HANDLE_PTR privateKeyPtr, CK_BYTE *ckaid_public, CK_ULONG ckaid_public_len, CK_BYTE *ckaid_private, @@ -140,6 +229,166 @@ static void generate_rsa_keypair( assert(rv == CKR_OK); } +static void import_rsa_key(CK_OBJECT_HANDLE_PTR publicKeyPtr, + CK_OBJECT_HANDLE_PTR privateKeyPtr, + CK_BYTE *ckaid_public, CK_ULONG ckaid_public_len, + CK_BYTE *ckaid_private, CK_ULONG ckaid_private_len, + char *label_public, char *label_private) { + + /* + CK_BYTE e[] = {0x01, 0x00, 0x01}; + CK_BYTE *p, *q, *dp, *dq, *qinv; + int keylen = 2048; + int len = keylen / 16; + p = malloc(len); + q = malloc(len); + dp = malloc(len); + dq = malloc(len); + qinv = malloc(len); + + EVP_PKEY *evp = EVP_PKEY_new(); + RSA *rsak = RSA_new(); + BIGNUM *e_bn; + CK_ULONG class_k = CKO_PRIVATE_KEY; + CK_ULONG kt = CKK_RSA; + const BIGNUM *bp, *bq, *biqmp, *bdmp1, *bdmq1; + + // unsigned char *px; + CK_BBOOL dec_capability = CK_TRUE; + + CK_ATTRIBUTE privateKeyTemplate[] = {{CKA_CLASS, &class_k, sizeof(class_k)}, + {CKA_KEY_TYPE, &kt, sizeof(kt)}, + {CKA_ID, ckaid, ckaid_len}, + {CKA_LABEL, label, strlen(label)}, + {CKA_PUBLIC_EXPONENT, e, sizeof(e)}, + {CKA_PRIME_1, p, len}, + {CKA_PRIME_2, q, len}, + {CKA_EXPONENT_1, dp, len}, + {CKA_EXPONENT_2, dq, len}, + {CKA_COEFFICIENT, qinv, len}}; + e_bn = BN_bin2bn(e, 3, NULL); + if (e_bn == NULL) + exit(EXIT_FAILURE); + + assert(RSA_generate_key_ex(rsak, keylen, e_bn, NULL) == 1); + + RSA_get0_factors(rsak, &bp, &bq); + RSA_get0_crt_params(rsak, &bdmp1, &bdmq1, &biqmp); + BN_bn2binpad(bp, p, len); + BN_bn2binpad(bq, q, len); + BN_bn2binpad(bdmp1, dp, len); + BN_bn2binpad(bdmq1, dq, len); + BN_bn2binpad(biqmp, qinv, len); + + if (EVP_PKEY_set1_RSA(evp, rsak) == 0) + exit(EXIT_FAILURE); + + assert(p11->C_CreateObject(session, privateKeyTemplate, 9, keyid) == + CKR_OK); + + BN_free(e_bn); + free(p); + free(q); + free(dp); + free(dq); + free(qinv); + */ + + int keylen = 2048; + int len = keylen / 16; + CK_BYTE *p = malloc(len); + CK_BYTE *q = malloc(len); + CK_BYTE *dp = malloc(len); + CK_BYTE *dq = malloc(len); + CK_BYTE *qinv = malloc(len); + + CK_BYTE e[] = {0x01, 0x00, 0x01}; + CK_ULONG class_k = CKO_PRIVATE_KEY; + CK_ULONG class_c = CKO_CERTIFICATE; + CK_ULONG kt = CKK_RSA; + CK_BYTE value_c[3100] = {0}; + + CK_ATTRIBUTE privateKeyTemplate[] = {{CKA_CLASS, &class_k, sizeof(class_k)}, + {CKA_KEY_TYPE, &kt, sizeof(kt)}, + {CKA_ID, ckaid_private, + ckaid_private_len}, + {CKA_LABEL, label_private, + strlen(label_private)}, + {CKA_PUBLIC_EXPONENT, e, sizeof(e)}, + {CKA_PRIME_1, p, len}, + {CKA_PRIME_2, q, len}, + {CKA_EXPONENT_1, dp, len}, + {CKA_EXPONENT_2, dq, len}, + {CKA_COEFFICIENT, qinv, len}}; + + CK_ATTRIBUTE publicKeyTemplate[] = {{CKA_CLASS, &class_c, sizeof(class_c)}, + {CKA_ID, ckaid_public, ckaid_public_len}, + {CKA_LABEL, label_public, + strlen(label_public)}, + {CKA_VALUE, value_c, sizeof(value_c)}}; + + EVP_PKEY *evp = EVP_PKEY_new(); + RSA *rsak = RSA_new(); + + BIGNUM *e_bn = BN_bin2bn(e, 3, NULL); + if (e_bn == NULL) + exit(EXIT_FAILURE); + + assert(RSA_generate_key_ex(rsak, keylen, e_bn, NULL) == 1); + const BIGNUM *bp, *bq, *biqmp, *bdmp1, *bdmq1; + RSA_get0_factors(rsak, &bp, &bq); + RSA_get0_crt_params(rsak, &bdmp1, &bdmq1, &biqmp); + assert(BN_bn2binpad(bp, p, len) == len); + assert(BN_bn2binpad(bq, q, len) == len); + assert(BN_bn2binpad(bdmp1, dp, len) == len); + assert(BN_bn2binpad(bdmq1, dq, len) == len); + assert(BN_bn2binpad(biqmp, qinv, len) == len); + + if (EVP_PKEY_set1_RSA(evp, rsak) == 0) + exit(EXIT_FAILURE); + + X509 *cert = X509_new(); + + if (cert == NULL) + exit(EXIT_FAILURE); + + X509_set_version(cert, 2); // Version 3 + X509_NAME_add_entry_by_txt(X509_get_issuer_name(cert), "CN", MBSTRING_ASC, + (unsigned char *) "Test Issuer", -1, -1, 0); + X509_NAME_add_entry_by_txt(X509_get_subject_name(cert), "CN", MBSTRING_ASC, + (unsigned char *) "Test Subject", -1, -1, 0); + ASN1_INTEGER_set(X509_get_serialNumber(cert), 0); + X509_gmtime_adj(X509_get_notBefore(cert), 0); + X509_gmtime_adj(X509_get_notAfter(cert), 0); + + if (X509_set_pubkey(cert, evp) == 0) + exit(EXIT_FAILURE); + + if (X509_sign(cert, evp, EVP_sha1()) == 0) + exit(EXIT_FAILURE); + + CK_ULONG cert_len; + unsigned char *px = value_c; + if ((cert_len = (CK_ULONG) i2d_X509(cert, &px)) == 0 || + cert_len > sizeof(value_c)) + exit(EXIT_FAILURE); + + publicKeyTemplate[2].ulValueLen = cert_len; + + assert(p11->C_CreateObject(session, privateKeyTemplate, 10, privateKeyPtr) == + CKR_OK); + assert(p11->C_CreateObject(session, publicKeyTemplate, 4, publicKeyPtr) == + CKR_OK); + + X509_free(cert); + BN_free(e_bn); + free(p); + free(q); + free(dp); + free(dq); + free(qinv); +} + static void generate_hmac_key(CK_OBJECT_HANDLE_PTR key_handle, CK_BYTE *ckaid, CK_ULONG ckaid_len, char *label) { CK_MECHANISM mechanism = {CKM_GENERIC_SECRET_KEY_GEN, NULL, 0}; @@ -235,23 +484,75 @@ static void run_label_test(CK_OBJECT_HANDLE object, char *old_label, new_label); } -static void test_keypair_metadata(int is_rsa) { +static void create_key(int is_rsa, int import, char *priv_label, + char *pub_label, CK_OBJECT_HANDLE_PTR yh_privkey, + CK_OBJECT_HANDLE_PTR yh_pubkey) { + if (is_rsa && !import) { + printf("Generating RSA keypair with privateKey label '%s' and publicKey " + "label '%s'...\n", + priv_label, pub_label); + generate_rsa_keypair(yh_pubkey, yh_privkey, KEYID, sizeof(KEYID), KEYID, + sizeof(KEYID), "label", "label"); + } else if (!is_rsa && !import) { + printf("Generating EC keypair with privateKey label '%s' and publicKey " + "label '%s'...\n", + priv_label, pub_label); + generate_ec_keypair(P384_PARAMS, sizeof(P384_PARAMS), yh_pubkey, yh_privkey, + KEYID, sizeof(KEYID), KEYID, sizeof(KEYID), "label", + "label"); + } else if (is_rsa && import) { + printf("Importing RSA key and cert with privateKey label '%s' and " + "publicKey label '%s'...\n", + priv_label, pub_label); + import_rsa_key(yh_pubkey, yh_privkey, KEYID, sizeof(KEYID), KEYID, + sizeof(KEYID), "label", "label"); + } else if (!is_rsa && import) { + printf("Importing EC key and cert with privateKey label '%s' and publicKey " + "label '%s'...\n", + priv_label, pub_label); + import_ec_key(yh_pubkey, yh_privkey, KEYID, sizeof(KEYID), KEYID, + sizeof(KEYID), "label", "label"); + } else { + printf("Unrecognized combination! Not doing any tests\n"); + return; + } +} + +static void test_keypair_metadata(int is_rsa, int import) { CK_BYTE data[64] = {0}; CK_ULONG data_len = sizeof(data); int ret = RAND_bytes(data, data_len); assert(ret > 0); CK_OBJECT_HANDLE yh_pubkey, yh_privkey; - printf("Generating key pair with privateKey label 'label' and publicKey " - "label 'label'... \n"); - if (is_rsa) { - generate_rsa_keypair(&yh_pubkey, &yh_privkey, KEYID, sizeof(KEYID), KEYID, - sizeof(KEYID), "label", "label"); - } else { + char *priv_label, *pub_label; + + priv_label = "label"; + pub_label = "label"; + create_key(is_rsa, import, priv_label, pub_label, &yh_privkey, &yh_pubkey); + /* + if (is_rsa && !import) { + printf("Generating RSA keypair with privateKey label '%s' and publicKey + label '%s'...\n", priv_label, pub_label); generate_rsa_keypair(&yh_pubkey, + &yh_privkey, KEYID, sizeof(KEYID), KEYID, sizeof(KEYID), "label", "label"); } + else if(!is_rsa && !import) { printf("Generating EC keypair with privateKey + label '%s' and publicKey label '%s'...\n", priv_label, pub_label); generate_ec_keypair(P384_PARAMS, sizeof(P384_PARAMS), &yh_pubkey, &yh_privkey, KEYID, sizeof(KEYID), KEYID, sizeof(KEYID), "label", "label"); + } else if(is_rsa && import) { + printf("Importing RSA key and cert with privateKey label '%s' and publicKey + label '%s'...\n", priv_label, pub_label); import_rsa_key(&yh_pubkey, + &yh_privkey, KEYID, sizeof(KEYID), KEYID, sizeof(KEYID), "label", "label"); } + else if(!is_rsa && import) { printf("Importing EC key and cert with privateKey + label '%s' and publicKey label '%s'...\n", priv_label, pub_label); + import_ec_key(&yh_pubkey, &yh_privkey, KEYID, sizeof(KEYID), KEYID, + sizeof(KEYID), "label", "label"); + } else { + printf("Unrecognized combination! Not doing any tests\n"); + return; } + */ run_label_test(yh_privkey, "label", "new_label"); run_label_test(yh_pubkey, "label", "new_label"); run_id_test(yh_privkey, KEYID, sizeof(KEYID), data, 32); @@ -573,9 +874,15 @@ int main(int argc, char **argv) { int exit_status = EXIT_SUCCESS; - test_keypair_metadata(0); + test_keypair_metadata(0, 0); printf("\n\n"); - test_keypair_metadata(1); + test_keypair_metadata(1, 0); + printf("\n\n"); + test_keypair_metadata(0, 1); + printf("\n\n"); + test_keypair_metadata(1, 1); + printf("\n\n"); + test_secretkey_metadata(); printf("\n\n"); test_domain(); From e9d814b9996f43ca925cb4615ee3b22a8150cfdc Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Tue, 26 Sep 2023 10:52:53 +0200 Subject: [PATCH 16/18] PKCS11: Test: Fix imports --- pkcs11/tests/meta_object_test.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkcs11/tests/meta_object_test.c b/pkcs11/tests/meta_object_test.c index d38561bb..5dcc045c 100644 --- a/pkcs11/tests/meta_object_test.c +++ b/pkcs11/tests/meta_object_test.c @@ -22,9 +22,10 @@ #include #include #include +#include #include #include -#include +#include #include "../pkcs11.h" #include "common.h" From 13f7a69701388e26687fb069b49d94b482630caf Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Tue, 26 Sep 2023 11:34:09 +0200 Subject: [PATCH 17/18] PKCS11: Test: fix parameter types --- pkcs11/tests/meta_object_test.c | 68 ++------------------------------- 1 file changed, 4 insertions(+), 64 deletions(-) diff --git a/pkcs11/tests/meta_object_test.c b/pkcs11/tests/meta_object_test.c index 5dcc045c..8a53f43e 100644 --- a/pkcs11/tests/meta_object_test.c +++ b/pkcs11/tests/meta_object_test.c @@ -17,15 +17,14 @@ #undef NDEBUG #endif #include -#include #include #include #include -#include +#include #include +#include #include #include -#include #include "../pkcs11.h" #include "common.h" @@ -120,13 +119,13 @@ static void import_ec_key(CK_OBJECT_HANDLE_PTR publicKeyPtr, char *label_public, char *label_private) { int curve = NID_secp384r1; - CK_ULONG key_len = 48; + int key_len = 48; CK_ULONG class_k = CKO_PRIVATE_KEY; CK_ULONG class_c = CKO_CERTIFICATE; CK_ULONG kt = CKK_EC; CK_BYTE value_c[3100] = {0}; - CK_CHAR *pvt = malloc(48); + CK_BYTE *pvt = malloc(48); CK_ATTRIBUTE privateKeyTemplate[] = {{CKA_CLASS, &class_k, sizeof(class_k)}, @@ -236,65 +235,6 @@ static void import_rsa_key(CK_OBJECT_HANDLE_PTR publicKeyPtr, CK_BYTE *ckaid_private, CK_ULONG ckaid_private_len, char *label_public, char *label_private) { - /* - CK_BYTE e[] = {0x01, 0x00, 0x01}; - CK_BYTE *p, *q, *dp, *dq, *qinv; - int keylen = 2048; - int len = keylen / 16; - p = malloc(len); - q = malloc(len); - dp = malloc(len); - dq = malloc(len); - qinv = malloc(len); - - EVP_PKEY *evp = EVP_PKEY_new(); - RSA *rsak = RSA_new(); - BIGNUM *e_bn; - CK_ULONG class_k = CKO_PRIVATE_KEY; - CK_ULONG kt = CKK_RSA; - const BIGNUM *bp, *bq, *biqmp, *bdmp1, *bdmq1; - - // unsigned char *px; - CK_BBOOL dec_capability = CK_TRUE; - - CK_ATTRIBUTE privateKeyTemplate[] = {{CKA_CLASS, &class_k, sizeof(class_k)}, - {CKA_KEY_TYPE, &kt, sizeof(kt)}, - {CKA_ID, ckaid, ckaid_len}, - {CKA_LABEL, label, strlen(label)}, - {CKA_PUBLIC_EXPONENT, e, sizeof(e)}, - {CKA_PRIME_1, p, len}, - {CKA_PRIME_2, q, len}, - {CKA_EXPONENT_1, dp, len}, - {CKA_EXPONENT_2, dq, len}, - {CKA_COEFFICIENT, qinv, len}}; - e_bn = BN_bin2bn(e, 3, NULL); - if (e_bn == NULL) - exit(EXIT_FAILURE); - - assert(RSA_generate_key_ex(rsak, keylen, e_bn, NULL) == 1); - - RSA_get0_factors(rsak, &bp, &bq); - RSA_get0_crt_params(rsak, &bdmp1, &bdmq1, &biqmp); - BN_bn2binpad(bp, p, len); - BN_bn2binpad(bq, q, len); - BN_bn2binpad(bdmp1, dp, len); - BN_bn2binpad(bdmq1, dq, len); - BN_bn2binpad(biqmp, qinv, len); - - if (EVP_PKEY_set1_RSA(evp, rsak) == 0) - exit(EXIT_FAILURE); - - assert(p11->C_CreateObject(session, privateKeyTemplate, 9, keyid) == - CKR_OK); - - BN_free(e_bn); - free(p); - free(q); - free(dp); - free(dq); - free(qinv); - */ - int keylen = 2048; int len = keylen / 16; CK_BYTE *p = malloc(len); From 81b37dc4c5843fa9813765d662c4073879248c74 Mon Sep 17 00:00:00 2001 From: Aveen Ismail Date: Tue, 26 Sep 2023 11:45:10 +0200 Subject: [PATCH 18/18] PKCS11: Test: Skip meta_object test for OpenSSL version less than 1.1 --- pkcs11/tests/CMakeLists.txt | 22 ++++++++++------------ pkcs11/tests/meta_object_test.c | 6 ++---- 2 files changed, 12 insertions(+), 16 deletions(-) diff --git a/pkcs11/tests/CMakeLists.txt b/pkcs11/tests/CMakeLists.txt index b0bf6ace..9022a860 100644 --- a/pkcs11/tests/CMakeLists.txt +++ b/pkcs11/tests/CMakeLists.txt @@ -262,7 +262,6 @@ set ( if(NOT ${CMAKE_SYSTEM_NAME} MATCHES "Windows") add_executable (aes_encrypt_test ${SOURCE_AES_ENCRYPT}) add_executable (ecdh_derive_test ${SOURCE_ECDH_DERIVE}) -add_executable (meta_object_test ${SOURCE_META_OBJECT}) target_link_libraries( aes_encrypt_test @@ -279,34 +278,33 @@ target_link_libraries ( ${LIBCRYPTO_LDFLAGS} "-ldl") -target_link_libraries ( - meta_object_test - ${LIBCRYPTO_LDFLAGS} - yubihsm - "-ldl") - add_test ( NAME ecdh_derive_test COMMAND ${CMAKE_CURRENT_BINARY_DIR}/ecdh_derive_test ${CMAKE_CURRENT_BINARY_DIR}/../yubihsm_pkcs11.${LIBEXT} ) -add_test ( - NAME meta_object_test - COMMAND ${CMAKE_CURRENT_BINARY_DIR}/meta_object_test ${CMAKE_CURRENT_BINARY_DIR}/../yubihsm_pkcs11.${LIBEXT} - ) - if (NOT ${LIBCRYPTO_VERSION} VERSION_LESS 1.1) add_executable (rsa_enc_test ${SOURCE_RSA_ENC_TEST}) + add_executable (meta_object_test ${SOURCE_META_OBJECT}) target_link_libraries ( rsa_enc_test ${LIBCRYPTO_LDFLAGS} "-ldl") + target_link_libraries ( + meta_object_test + ${LIBCRYPTO_LDFLAGS} + yubihsm + "-ldl") add_test ( NAME rsa_enc_test COMMAND ${CMAKE_CURRENT_BINARY_DIR}/rsa_enc_test ${CMAKE_CURRENT_BINARY_DIR}/../yubihsm_pkcs11.${LIBEXT} ) + add_test ( + NAME meta_object_test + COMMAND ${CMAKE_CURRENT_BINARY_DIR}/meta_object_test ${CMAKE_CURRENT_BINARY_DIR}/../yubihsm_pkcs11.${LIBEXT} + ) endif(NOT ${LIBCRYPTO_VERSION} VERSION_LESS 1.1) endif(NOT ${CMAKE_SYSTEM_NAME} MATCHES "Windows") diff --git a/pkcs11/tests/meta_object_test.c b/pkcs11/tests/meta_object_test.c index 8a53f43e..b8897389 100644 --- a/pkcs11/tests/meta_object_test.c +++ b/pkcs11/tests/meta_object_test.c @@ -20,8 +20,6 @@ #include #include #include -#include -#include #include #include #include @@ -119,13 +117,13 @@ static void import_ec_key(CK_OBJECT_HANDLE_PTR publicKeyPtr, char *label_public, char *label_private) { int curve = NID_secp384r1; - int key_len = 48; + CK_ULONG key_len = 48; CK_ULONG class_k = CKO_PRIVATE_KEY; CK_ULONG class_c = CKO_CERTIFICATE; CK_ULONG kt = CKK_EC; CK_BYTE value_c[3100] = {0}; - CK_BYTE *pvt = malloc(48); + CK_CHAR *pvt = malloc(48); CK_ATTRIBUTE privateKeyTemplate[] = {{CKA_CLASS, &class_k, sizeof(class_k)},