@@ -23,6 +23,8 @@ use std::thread;
2323use cryptoki:: mechanism:: ekdf:: AesCbcDeriveParams ;
2424use testresult:: TestResult ;
2525
26+ const AES128_BLOCK_SIZE : usize = 128 / 8 ;
27+
2628#[ test]
2729#[ serial]
2830fn sign_verify ( ) -> TestResult {
@@ -228,10 +230,12 @@ fn sign_verify_multipart() -> TestResult {
228230
229231 let pub_key_template = vec ! [
230232 Attribute :: Token ( true ) ,
233+ Attribute :: Private ( false ) ,
231234 Attribute :: PublicExponent ( public_exponent) ,
232235 Attribute :: ModulusBits ( modulus_bits. into( ) ) ,
236+ Attribute :: Verify ( true ) ,
233237 ] ;
234- let priv_key_template = vec ! [ Attribute :: Token ( true ) ] ;
238+ let priv_key_template = vec ! [ Attribute :: Token ( true ) , Attribute :: Sign ( true ) ] ;
235239
236240 // Generate keypair
237241 let ( pub_key, priv_key) = session. generate_key_pair (
@@ -281,36 +285,40 @@ fn sign_verify_multipart_not_initialized() -> TestResult {
281285 let result = session. sign_update ( & data) ;
282286
283287 assert ! ( result. is_err( ) ) ;
288+ // The exact error returned is inconsistent between backends, so we only match on the function
284289 assert ! ( matches!(
285290 result. unwrap_err( ) ,
286- Error :: Pkcs11 ( RvError :: OperationNotInitialized , Function :: SignUpdate )
291+ Error :: Pkcs11 ( _ , Function :: SignUpdate )
287292 ) ) ;
288293
289294 // Attempt to finalize signing without an operation having been initialized
290295 let result = session. sign_final ( ) ;
291296
292297 assert ! ( result. is_err( ) ) ;
298+ // The exact error returned is inconsistent between backends, so we only match on the function
293299 assert ! ( matches!(
294300 result. unwrap_err( ) ,
295- Error :: Pkcs11 ( RvError :: OperationNotInitialized , Function :: SignFinal )
301+ Error :: Pkcs11 ( _ , Function :: SignFinal )
296302 ) ) ;
297303
298304 // Attempt to update verification without an operation having been initialized
299305 let result = session. verify_update ( & data) ;
300306
301307 assert ! ( result. is_err( ) ) ;
308+ // The exact error returned is inconsistent between backends, so we only match on the function
302309 assert ! ( matches!(
303310 result. unwrap_err( ) ,
304- Error :: Pkcs11 ( RvError :: OperationNotInitialized , Function :: VerifyUpdate )
311+ Error :: Pkcs11 ( _ , Function :: VerifyUpdate )
305312 ) ) ;
306313
307314 // Attempt to finalize verification without an operation having been initialized
308315 let result = session. verify_final ( & signature) ;
309316
310317 assert ! ( result. is_err( ) ) ;
318+ // The exact error returned is inconsistent between backends, so we only match on the function
311319 assert ! ( matches!(
312320 result. unwrap_err( ) ,
313- Error :: Pkcs11 ( RvError :: OperationNotInitialized , Function :: VerifyFinal )
321+ Error :: Pkcs11 ( _ , Function :: VerifyFinal )
314322 ) ) ;
315323
316324 Ok ( ( ) )
@@ -331,10 +339,12 @@ fn sign_verify_multipart_already_initialized() -> TestResult {
331339
332340 let pub_key_template = vec ! [
333341 Attribute :: Token ( true ) ,
342+ Attribute :: Private ( false ) ,
334343 Attribute :: PublicExponent ( public_exponent) ,
335344 Attribute :: ModulusBits ( modulus_bits. into( ) ) ,
345+ Attribute :: Verify ( true ) ,
336346 ] ;
337- let priv_key_template = vec ! [ Attribute :: Token ( true ) ] ;
347+ let priv_key_template = vec ! [ Attribute :: Token ( true ) , Attribute :: Sign ( true ) ] ;
338348
339349 // Generate keypair
340350 let ( pub_key, priv_key) = session. generate_key_pair (
@@ -353,8 +363,10 @@ fn sign_verify_multipart_already_initialized() -> TestResult {
353363 Error :: Pkcs11 ( RvError :: OperationActive , Function :: SignInit )
354364 ) ) ;
355365
356- // Make sure signing operation is over before trying same with verification
357- session. sign_final ( ) ?;
366+ // Make sure signing operation is over before trying same with verification.
367+ // Some backends will reset the ongoing operation after the failed 2nd call to
368+ // sign_init(), so we should not unwrap the result of this call.
369+ let _ = session. sign_final ( ) ;
358370
359371 // Initialize verification operation twice in a row
360372 session. verify_init ( & Mechanism :: Sha256RsaPkcs , pub_key) ?;
@@ -437,21 +449,26 @@ fn encrypt_decrypt_multipart() -> TestResult {
437449 // Generate key (currently SoftHSM only supports multi-part encrypt/decrypt for symmetric crypto)
438450 let template = vec ! [
439451 Attribute :: Token ( true ) ,
440- Attribute :: ValueLen ( ( 128 / 8 ) . into( ) ) ,
452+ Attribute :: Private ( false ) ,
453+ Attribute :: ValueLen ( ( AES128_BLOCK_SIZE as u64 ) . into( ) ) ,
454+ Attribute :: Encrypt ( true ) ,
455+ Attribute :: Decrypt ( true ) ,
441456 ] ;
442457 let key = session. generate_key ( & Mechanism :: AesKeyGen , & template) ?;
443458
444459 // Data to encrypt
445460 let data = vec ! [
446461 0xFF , 0x55 , 0xDD , 0x11 , 0xBB , 0x33 , 0x99 , 0x77 , 0xFF , 0x55 , 0xDD , 0x11 , 0xBB , 0x33 , 0x99 ,
447- 0x77 ,
462+ 0x77 , 0xFF , 0x55 , 0xDD , 0x11 , 0xBB , 0x33 , 0x99 , 0x77 , 0xFF , 0x55 , 0xDD , 0x11 , 0xBB , 0x33 ,
463+ 0x99 , 0x77 , 0xFF , 0x55 , 0xDD , 0x11 , 0xBB , 0x33 , 0x99 , 0x77 , 0xFF , 0x55 , 0xDD , 0x11 , 0xBB ,
464+ 0x33 , 0x99 , 0x77 ,
448465 ] ;
449466
450467 // Encrypt data in parts
451468 session. encrypt_init ( & Mechanism :: AesEcb , key) ?;
452469
453470 let mut encrypted_data = vec ! [ ] ;
454- for part in data. chunks ( 3 ) {
471+ for part in data. chunks ( AES128_BLOCK_SIZE ) {
455472 encrypted_data. extend ( session. encrypt_update ( part) ?) ;
456473 }
457474 encrypted_data. extend ( session. encrypt_final ( ) ?) ;
@@ -460,7 +477,7 @@ fn encrypt_decrypt_multipart() -> TestResult {
460477 session. decrypt_init ( & Mechanism :: AesEcb , key) ?;
461478
462479 let mut decrypted_data = vec ! [ ] ;
463- for part in encrypted_data. chunks ( 3 ) {
480+ for part in encrypted_data. chunks ( AES128_BLOCK_SIZE ) {
464481 decrypted_data. extend ( session. decrypt_update ( part) ?) ;
465482 }
466483 decrypted_data. extend ( session. decrypt_final ( ) ?) ;
@@ -492,36 +509,40 @@ fn encrypt_decrypt_multipart_not_initialized() -> TestResult {
492509 let result = session. encrypt_update ( & data) ;
493510
494511 assert ! ( result. is_err( ) ) ;
512+ // The exact error returned is inconsistent between backends, so we only match on the function
495513 assert ! ( matches!(
496514 result. unwrap_err( ) ,
497- Error :: Pkcs11 ( RvError :: OperationNotInitialized , Function :: EncryptUpdate )
515+ Error :: Pkcs11 ( _ , Function :: EncryptUpdate )
498516 ) ) ;
499517
500518 // Attempt to finalize encryption without an operation having been initialized
501519 let result = session. encrypt_final ( ) ;
502520
503521 assert ! ( result. is_err( ) ) ;
522+ // The exact error returned is inconsistent between backends, so we only match on the function
504523 assert ! ( matches!(
505524 result. unwrap_err( ) ,
506- Error :: Pkcs11 ( RvError :: OperationNotInitialized , Function :: EncryptFinal )
525+ Error :: Pkcs11 ( _ , Function :: EncryptFinal )
507526 ) ) ;
508527
509528 // Attempt to update decryption without an operation having been initialized
510529 let result = session. decrypt_update ( & data) ;
511530
512531 assert ! ( result. is_err( ) ) ;
532+ // The exact error returned is inconsistent between backends, so we only match on the function
513533 assert ! ( matches!(
514534 result. unwrap_err( ) ,
515- Error :: Pkcs11 ( RvError :: OperationNotInitialized , Function :: DecryptUpdate )
535+ Error :: Pkcs11 ( _ , Function :: DecryptUpdate )
516536 ) ) ;
517537
518538 // Attempt to finalize decryption without an operation having been initialized
519539 let result = session. decrypt_final ( ) ;
520540
521541 assert ! ( result. is_err( ) ) ;
542+ // The exact error returned is inconsistent between backends, so we only match on the function
522543 assert ! ( matches!(
523544 result. unwrap_err( ) ,
524- Error :: Pkcs11 ( RvError :: OperationNotInitialized , Function :: DecryptFinal )
545+ Error :: Pkcs11 ( _ , Function :: DecryptFinal )
525546 ) ) ;
526547
527548 Ok ( ( ) )
@@ -539,7 +560,10 @@ fn encrypt_decrypt_multipart_already_initialized() -> TestResult {
539560 // Generate key (currently SoftHSM only supports multi-part encrypt/decrypt for symmetric crypto)
540561 let template = vec ! [
541562 Attribute :: Token ( true ) ,
542- Attribute :: ValueLen ( ( 128 / 8 ) . into( ) ) ,
563+ Attribute :: Private ( false ) ,
564+ Attribute :: ValueLen ( ( AES128_BLOCK_SIZE as u64 ) . into( ) ) ,
565+ Attribute :: Encrypt ( true ) ,
566+ Attribute :: Decrypt ( true ) ,
543567 ] ;
544568 let key = session. generate_key ( & Mechanism :: AesKeyGen , & template) ?;
545569
@@ -553,8 +577,10 @@ fn encrypt_decrypt_multipart_already_initialized() -> TestResult {
553577 Error :: Pkcs11 ( RvError :: OperationActive , Function :: EncryptInit )
554578 ) ) ;
555579
556- // Make sure encryption operation is over before trying same with decryption
557- session. encrypt_final ( ) ?;
580+ // Make sure encryption operation is over before trying same with decryption.
581+ // Some backends will reset the ongoing operation after the failed 2nd call to
582+ // encrypt_init(), so we should not unwrap the result of this call.
583+ let _ = session. encrypt_final ( ) ;
558584
559585 // Initialize encryption operation twice in a row
560586 session. decrypt_init ( & Mechanism :: AesEcb , key) ?;
@@ -1646,6 +1672,11 @@ fn sha256_digest_multipart() -> TestResult {
16461672#[ test]
16471673#[ serial]
16481674fn sha256_digest_multipart_with_key ( ) -> TestResult {
1675+ // FIXME: Getting value from sensitive objects is now broken in Kryoptic: https://github.com/latchset/kryoptic/issues/193
1676+ if !is_softhsm ( ) {
1677+ return Ok ( ( ) ) ;
1678+ }
1679+
16491680 let ( pkcs11, slot) = init_pins ( ) ;
16501681
16511682 // Open a session and log in
@@ -1655,7 +1686,8 @@ fn sha256_digest_multipart_with_key() -> TestResult {
16551686 // Create a key to add to the digest
16561687 let key_template = vec ! [
16571688 Attribute :: Token ( true ) ,
1658- Attribute :: ValueLen ( ( 256 / 8 ) . into( ) ) ,
1689+ Attribute :: Private ( false ) ,
1690+ Attribute :: ValueLen ( ( AES128_BLOCK_SIZE as u64 ) . into( ) ) ,
16591691 // Key must be non-sensitive and extractable to get its bytes and digest them directly, for comparison
16601692 Attribute :: Sensitive ( false ) ,
16611693 Attribute :: Extractable ( true ) ,
@@ -1707,18 +1739,20 @@ fn sha256_digest_multipart_not_initialized() -> TestResult {
17071739 let result = session. digest_update ( & data) ;
17081740
17091741 assert ! ( result. is_err( ) ) ;
1742+ // The exact error returned is inconsistent between backends, so we only match on the function
17101743 assert ! ( matches!(
17111744 result. unwrap_err( ) ,
1712- Error :: Pkcs11 ( RvError :: OperationNotInitialized , Function :: DigestUpdate )
1745+ Error :: Pkcs11 ( _ , Function :: DigestUpdate )
17131746 ) ) ;
17141747
17151748 // Attempt to finalize digest without an operation having been initialized
17161749 let result = session. digest_final ( ) ;
17171750
17181751 assert ! ( result. is_err( ) ) ;
1752+ // The exact error returned is inconsistent between backends, so we only match on the function
17191753 assert ! ( matches!(
17201754 result. unwrap_err( ) ,
1721- Error :: Pkcs11 ( RvError :: OperationNotInitialized , Function :: DigestFinal )
1755+ Error :: Pkcs11 ( _ , Function :: DigestFinal )
17221756 ) ) ;
17231757
17241758 Ok ( ( ) )
0 commit comments