TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls.git / 8b586af38b167e3883c0d319a4df3aeca463b95f / . / tests / suites / test_suite_pkcs11_client.function
blob: 9c16a3536ae63642ce5bd51df37bdb618cb46acd [file] [log] [blame]
Andrzej Kurek753b86c2018-01-23 08:56:17 -0500[diff] [blame]1/* BEGIN_HEADER */
2#include <string.h>
3
4#include <pkcs11.h>
5
6#include "mbedtls/pkcs11_client.h"
7
8#if defined(MBEDTLS_PK_C)
9
10#include "mbedtls/oid.h"
11#include "mbedtls/asn1write.h"
12#include "mbedtls/bignum.h"
13#include "mbedtls/rsa.h"
14#include "mbedtls/pk.h"
15
16#define ARRAY_LENGTH( a ) ( sizeof( a ) / sizeof( *( a ) ) )
17
18#define CK_ASSERT( expr ) \
19 do { \
20 CK_RV CK_ASSERT_rv = ( expr ); \
21 char CK_ASSERT_msg[sizeof( #expr ) + 20] = #expr; \
22 if( CK_ASSERT_rv != CKR_OK ) { \
23 sprintf( CK_ASSERT_msg + strlen( CK_ASSERT_msg ), \
24 " -> 0x%x", (unsigned) CK_ASSERT_rv ); \
25 test_fail( CK_ASSERT_msg, __LINE__, __FILE__ ); \
26 goto exit; \
27 } \
28 } while( 0 )
29
30#define RSA_KEY_SIZE_BITS 512
31#define RSA_KEY_SIZE_BYTES ( ( RSA_KEY_SIZE_BITS + 7 ) / 8 )
32#define ECP_GROUP_ID MBEDTLS_ECP_DP_SECP256R1
33#define ECP_GROUP_NAME( id ) #id
34
35//static CK_BBOOL ck_false = CK_FALSE;
36static CK_BBOOL ck_true = CK_TRUE;
37
38static int pkcs11_token_label_is( const CK_TOKEN_INFO *info, const char *label )
39{
40 size_t n = strlen( label );
41 if( n > sizeof( info->label ) )
42 return( 0 );
43 if( memcmp( info->label, label, n ) )
44 return( 0 );
45 for( ; n < sizeof( info->label ); n++ )
46 {
47 if( info->label[n] != ' ' )
48 return( 0 );
49 }
50 return( 1 );
51}
52
53static int pkcs11_get_slot_id( const char *label, CK_SLOT_ID *slot )
54{
55 CK_SLOT_ID *slots = NULL;
56 CK_ULONG count;
57 CK_ULONG i;
58 CK_TOKEN_INFO info;
59 int found = 0;
60 CK_ASSERT( C_GetSlotList( CK_TRUE, NULL_PTR, &count ) );
61 slots = mbedtls_calloc( sizeof( *slots ), count );
62 TEST_ASSERT( slots != NULL );
63 CK_ASSERT( C_GetSlotList( CK_TRUE, slots, &count ) );
64 for( i = 0; i < count; i++ )
65 {
66 CK_ASSERT( C_GetTokenInfo( slots[i], &info ) );
67 if( pkcs11_token_label_is( &info, label ) )
68 {
69 *slot = slots[i];
70 found = 1;
71 break;
72 }
73 }
74 if( !found )
75 mbedtls_fprintf( stdout, "No token found with label %s\n", label );
76exit:
77 mbedtls_free( slots );
78 return( found );
79}
80
81static CK_OBJECT_HANDLE pkcs11_init( void )
82{
83 CK_SESSION_HANDLE hSession;
84 CK_SLOT_ID slot;
85 unsigned char user_pin[4] = "0000";
86 CK_ASSERT( C_Initialize( NULL_PTR ) );
87 TEST_ASSERT( pkcs11_get_slot_id( "scratch", &slot ) );
88 CK_ASSERT( C_OpenSession( slot,
89 CKF_RW_SESSION | CKF_SERIAL_SESSION,
90 NULL_PTR, NULL_PTR,
91 &hSession ) );
92 CK_ASSERT( C_Login( hSession, CKU_USER, user_pin, sizeof( user_pin ) ) );
93 return( hSession );
94exit:
95 return( CK_INVALID_HANDLE );
96}
97
98static CK_RV pkcs11_generate_key( mbedtls_pk_type_t key_type,
99 CK_SESSION_HANDLE hSession,
100 CK_OBJECT_HANDLE *phPublicKey,
101 CK_OBJECT_HANDLE *phPrivateKey )
102{
103 CK_MECHANISM mechanism = {0, NULL_PTR, 0};
104 CK_ATTRIBUTE public_attributes[] = {
105 {0, 0, 0},
106 {CKA_ENCRYPT, &ck_true, sizeof( ck_true )},
107 {CKA_VERIFY, &ck_true, sizeof( ck_true )},
108 };
109 CK_ATTRIBUTE private_attributes[] = {
110 {CKA_DECRYPT, &ck_true, sizeof( ck_true )},
111 {CKA_SIGN, &ck_true, sizeof( ck_true )},
112 };
113 CK_ULONG ck_rsa_key_size = RSA_KEY_SIZE_BITS;
114 unsigned char ecParams[16];
115 size_t ecParams_length;
116
117 switch( key_type )
118 {
119#if defined(MBEDTLS_RSA_C)
120 case MBEDTLS_PK_RSA:
121 mechanism.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
122 public_attributes[0].type = CKA_MODULUS_BITS;
123 public_attributes[0].pValue = &ck_rsa_key_size;
124 public_attributes[0].ulValueLen = sizeof( ck_rsa_key_size );
125 break;
126#endif /* MBEDTLS_RSA_C */
127 default:
128 test_fail( "Unsupported key type in test data", __LINE__, __FILE__ );
129 break;
130 }
131
132 return( C_GenerateKeyPair( hSession,
133 &mechanism,
134 public_attributes,
135 ARRAY_LENGTH( public_attributes ),
136 private_attributes,
137 ARRAY_LENGTH( private_attributes ),
138 phPublicKey, phPrivateKey ) );
139exit:
140 /* Shouldn't happen except if there's a test error (e.g. trying to
141 use a curve that isn't compiled in). */
142 return( -1 );
143}
144
145
146#endif /* MBEDTLS_PK_C */
147
148/* END_HEADER */
149
150/* BEGIN_DEPENDENCIES
151 * depends_on:MBEDTLS_PKCS11_CLIENT_C
152 * END_DEPENDENCIES
153 */
154
155/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C */
156void pk_generate_sign( int key_type )
157{
158 mbedtls_pk_context pkcs11_ctx;
159 mbedtls_pk_context transparent_ctx;
160 CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
161 CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE;
162 CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE;
163 unsigned char hash_value[32] = "Fake hash, it doesn't matter....";
164 unsigned char sig_buffer[RSA_KEY_SIZE_BYTES];
165 size_t sig_length = sizeof( sig_buffer );
166
167 mbedtls_pk_init( &pkcs11_ctx );
168 mbedtls_pk_init( &transparent_ctx );
169
170 /* Initialize cryptoki and generate a key in the token */
171 hSession = pkcs11_init( );
172 TEST_ASSERT( hSession != CK_INVALID_HANDLE );
173
174 CK_ASSERT( pkcs11_generate_key( key_type,
175 hSession,
176 &hPublicKey, &hPrivateKey ) );
177 TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE );
178 TEST_ASSERT( hPrivateKey != CK_INVALID_HANDLE );
179
180 /* Prepare the mbed TLS contexts */
181 TEST_ASSERT( mbedtls_pk_setup( &transparent_ctx,
182 mbedtls_pk_info_from_type( key_type ) ) == 0 );
183 TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx,
184 hSession,
185 hPublicKey,
186 hPrivateKey ) == 0 );
187
188 /* Retrieve the public key from the token */
189 switch( key_type )
190 {
191#if defined(MBEDTLS_RSA_C)
192 case MBEDTLS_PK_RSA:
193 {
194 unsigned char n_buffer[RSA_KEY_SIZE_BYTES];
195 unsigned char e_buffer[RSA_KEY_SIZE_BYTES];
196 CK_ATTRIBUTE public_attributes[] = {
197 {CKA_MODULUS, n_buffer, sizeof( n_buffer )},
198 {CKA_PUBLIC_EXPONENT, e_buffer, sizeof( e_buffer )},
199 };
200 CK_ULONG *n_length = &public_attributes[0].ulValueLen;
201 CK_ULONG *e_length = &public_attributes[1].ulValueLen;
202 mbedtls_rsa_context *rsa_ctx = mbedtls_pk_rsa( transparent_ctx );
203
204 CK_ASSERT( C_GetAttributeValue( hSession, hPublicKey,
205 public_attributes, ARRAY_LENGTH( public_attributes ) ) );
206 TEST_ASSERT( mbedtls_mpi_read_binary( &rsa_ctx->N,
207 n_buffer, *n_length ) == 0 );
208 TEST_ASSERT( mbedtls_mpi_read_binary( &rsa_ctx->E,
209 e_buffer, *e_length ) == 0 );
210 rsa_ctx->len = mbedtls_mpi_size( &rsa_ctx->N );
211 }
212 break;
213#endif /* MBEDTLS_RSA_C */
214
215 default:
216 TEST_ASSERT( !"Unsupported key type in test data" );
217 break;
218 }
219
220 /* Sign with the token and verify in software */
221 TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256,
222 hash_value, 32,
223 sig_buffer, &sig_length,
224 NULL, NULL ) == 0 );
225 TEST_ASSERT( mbedtls_pk_verify( &transparent_ctx, MBEDTLS_MD_SHA256,
226 hash_value, 32,
227 sig_buffer, sig_length ) == 0 );
228
229exit:
230 if( hPublicKey != CK_INVALID_HANDLE )
231 C_DestroyObject( hSession, hPublicKey );
232 if( hPrivateKey != CK_INVALID_HANDLE )
233 C_DestroyObject( hSession, hPrivateKey );
234 C_CloseSession( hSession );
235 C_Finalize( NULL_PTR );
236 mbedtls_pk_free( &pkcs11_ctx );
237 mbedtls_pk_free( &transparent_ctx );
238}
239/* END_CASE */
240
241/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C */
242void pk_import_sign( char *file )
243{
244 mbedtls_pk_context pkcs11_ctx;
245 mbedtls_pk_context transparent_ctx;
246 CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
247 CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE;
248 CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE;
249 unsigned char hash_value[32] = "Fake hash, it doesn't matter....";
250 unsigned char sig_buffer[4096];
251 size_t sig_length = sizeof( sig_buffer );
252
253 mbedtls_pk_init( &pkcs11_ctx );
254 mbedtls_pk_init( &transparent_ctx );
255
256 /* Read a transparent key */
257 TEST_ASSERT( mbedtls_pk_parse_keyfile( &transparent_ctx, file, NULL ) == 0 );
258
259 /* Initialize cryptoki and import the key into the token */
260 hSession = pkcs11_init( );
261 TEST_ASSERT( hSession != CK_INVALID_HANDLE );
262
263 TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx,
264 MBEDTLS_PK_FLAG_SIGN |
265 MBEDTLS_PK_FLAG_VERIFY,
266 hSession,
267 &hPublicKey,
268 &hPrivateKey ) == 0 );
269 TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE );
270 TEST_ASSERT( hPrivateKey != CK_INVALID_HANDLE );
271 TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx,
272 hSession,
273 hPublicKey,
274 hPrivateKey ) == 0 );
275
276 /* Sign with the token and verify in software */
277 TEST_ASSERT( sizeof( sig_buffer ) >= mbedtls_pk_signature_size( &pkcs11_ctx ) );
278 TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256,
279 hash_value, 32,
280 sig_buffer, &sig_length,
281 NULL, NULL ) == 0 );
282 TEST_ASSERT( mbedtls_pk_verify( &transparent_ctx, MBEDTLS_MD_SHA256,
283 hash_value, 32,
284 sig_buffer, sig_length ) == 0 );
285
286exit:
287 if( hPublicKey != CK_INVALID_HANDLE )
288 C_DestroyObject( hSession, hPublicKey );
289 if( hPrivateKey != CK_INVALID_HANDLE )
290 C_DestroyObject( hSession, hPrivateKey );
291 C_CloseSession( hSession );
292 C_Finalize( NULL_PTR );
293 mbedtls_pk_free( &pkcs11_ctx );
294 mbedtls_pk_free( &transparent_ctx );
295}
296/* END_CASE */