|
2 | 2 | // SPDX-License-Identifier: Apache-2.0 |
3 | 3 | mod common; |
4 | 4 |
|
5 | | -use crate::common::{get_firmware_version, get_pkcs11, is_kryoptic, is_softhsm, SO_PIN, USER_PIN}; |
| 5 | +use crate::common::{ |
| 6 | + get_firmware_version, get_pkcs11, is_fips, is_kryoptic, is_softhsm, SO_PIN, USER_PIN, |
| 7 | +}; |
6 | 8 | use common::init_pins; |
7 | 9 | use cryptoki::context::Function; |
8 | 10 | use cryptoki::error::{Error, RvError}; |
@@ -4040,7 +4042,6 @@ fn aes_cmac_verify_impl(key: [u8; 16], message: &[u8], expected_mac: [u8; 16]) - |
4040 | 4042 | Ok(()) |
4041 | 4043 | } |
4042 | 4044 |
|
4043 | | -/// AES-CMAC test vectors from RFC 4493 |
4044 | 4045 | #[test] |
4045 | 4046 | #[serial] |
4046 | 4047 | fn unique_id() -> TestResult { |
@@ -4118,3 +4119,85 @@ fn unique_id() -> TestResult { |
4118 | 4119 |
|
4119 | 4120 | Ok(()) |
4120 | 4121 | } |
| 4122 | + |
| 4123 | +#[test] |
| 4124 | +#[serial] |
| 4125 | +fn validation() -> TestResult { |
| 4126 | + let (pkcs11, slot) = init_pins(); |
| 4127 | + let session = pkcs11.open_rw_session(slot)?; |
| 4128 | + session.login(UserType::User, Some(&AuthPin::new(USER_PIN.into())))?; |
| 4129 | + |
| 4130 | + let key: [u8; 16] = [ |
| 4131 | + 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, |
| 4132 | + 0x3c, |
| 4133 | + ]; |
| 4134 | + |
| 4135 | + // Can not create object with ObjectValidationFlags |
| 4136 | + let key_template = vec![ |
| 4137 | + Attribute::Class(ObjectClass::SECRET_KEY), |
| 4138 | + Attribute::KeyType(KeyType::AES), |
| 4139 | + Attribute::Token(true), |
| 4140 | + Attribute::Sensitive(true), |
| 4141 | + Attribute::Private(true), |
| 4142 | + Attribute::Value(key.into()), |
| 4143 | + Attribute::ObjectValidationFlags(0x03.into()), |
| 4144 | + ]; |
| 4145 | + let res = session.create_object(&key_template); |
| 4146 | + assert!(res.is_err()); |
| 4147 | + assert!(matches!( |
| 4148 | + res, |
| 4149 | + Err(Error::Pkcs11( |
| 4150 | + RvError::AttributeTypeInvalid, |
| 4151 | + Function::CreateObject |
| 4152 | + )) |
| 4153 | + )); |
| 4154 | + |
| 4155 | + let generate_template = vec![ |
| 4156 | + Attribute::Token(true), |
| 4157 | + Attribute::ValueLen(32.into()), |
| 4158 | + Attribute::Encrypt(true), |
| 4159 | + ]; |
| 4160 | + |
| 4161 | + // generate a secret key |
| 4162 | + let key = session.generate_key(&Mechanism::AesKeyGen, &generate_template)?; |
| 4163 | + |
| 4164 | + // we can get the ObjectValidationFlags attribute |
| 4165 | + let attrs = session.get_attributes(key, &[AttributeType::ObjectValidationFlags])?; |
| 4166 | + if is_fips(&session) { |
| 4167 | + // Kryoptic supports the ObjectValidationFlag only if it is built as a FIPS provider |
| 4168 | + if let Attribute::ObjectValidationFlags(flag) = attrs.first().unwrap() { |
| 4169 | + assert_eq!(flag, &Ulong::new(1)); |
| 4170 | + } else { |
| 4171 | + panic!("The ObjectValidationFlags attribute was expected to be present.") |
| 4172 | + }; |
| 4173 | + } else { |
| 4174 | + assert_eq!(attrs.len(), 0); |
| 4175 | + } |
| 4176 | + |
| 4177 | + // we can not set the ObjectValidationFlags attribute |
| 4178 | + let update_template = vec![Attribute::ObjectValidationFlags(0x03.into())]; |
| 4179 | + let res = session.update_attributes(key, &update_template); |
| 4180 | + assert!(res.is_err()); |
| 4181 | + if is_softhsm() { |
| 4182 | + // SoftHSM does not support this attribute at all |
| 4183 | + assert!(matches!( |
| 4184 | + res, |
| 4185 | + Err(Error::Pkcs11( |
| 4186 | + RvError::AttributeTypeInvalid, |
| 4187 | + Function::SetAttributeValue |
| 4188 | + )) |
| 4189 | + )); |
| 4190 | + } else { |
| 4191 | + assert!(matches!( |
| 4192 | + res, |
| 4193 | + Err(Error::Pkcs11( |
| 4194 | + RvError::ActionProhibited, |
| 4195 | + Function::SetAttributeValue |
| 4196 | + )) |
| 4197 | + )); |
| 4198 | + } |
| 4199 | + |
| 4200 | + session.destroy_object(key)?; |
| 4201 | + |
| 4202 | + Ok(()) |
| 4203 | +} |
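Review bot: In `validation`, the rejected `update_attributes` call is checked only by its return code, so a token that reports `ActionProhibited` yet still alters the stored value would pass this test. Re-reading the attribute after the failed update and comparing it with the first read would pin the read-only guarantee, e.g. `assert_eq!(session.get_attributes(key, &[AttributeType::ObjectValidationFlags])?, attrs);`. In the FIPS branch, `attrs.first().unwrap()` panics without context when the token returns an empty list, so the descriptive `panic!` below it is never reached for that case; `attrs.first().expect("ObjectValidationFlags missing on a FIPS token")` would make the failure readable. The key is generated with `Attribute::Token(true)` and destroyed only on the last line, so any failing assertion leaves it on the token unless `init_pins` resets the token, which is not visible here.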