diff --git a/src/pkcs11/README.md b/src/pkcs11/README.md index 413a7eb..e28b46e 100644 --- a/src/pkcs11/README.md +++ b/src/pkcs11/README.md @@ -59,6 +59,8 @@ The following table lists the required test configurations for PKCS #11 tests. T |PKCS11_TEST_LABEL_CODE_VERIFICATION_KEY |The label of the code verification key used in JITP codeverify test. | |PKCS11_TEST_LABEL_JITP_CERTIFICATE |The label of the JITP certificate used in JITP codeverify test. | |PKCS11_TEST_LABEL_ROOT_CERTIFICATE |The label of the root certificate used in JITP codeverify test. | +|PKCS11_TEST_RSA_CERTIFICATE |The certificate used to verify RSA preprovision mechanism. | +|PKCS11_TEST_RSA_CERTIFICATE_LENGTH |The certificate length used to verify RSA preprovision mechanism. | FreeRTOS libraries and reference integrations needs at least one of the key function and one of the key provisioning mechanism supported by the PKCS #11 APIs. The test must enable at least one of the following configurations: @@ -77,6 +79,7 @@ Pre-provisioned device credential test can not be enabled with other provisionin * Enable **PKCS11_TEST_PREPROVISIONED_SUPPORT** and the other provisioning mechanisms must be disabled * Only one of the key function, **PKCS11_TEST_RSA_KEY_SUPPORT** or **PKCS11_TEST_EC_KEY_SUPPORT**, enabled * Setup the pre-provisioned key labels according to your key function, including **PKCS11_TEST_LABEL_DEVICE_PRIVATE_KEY_FOR_TLS**, **PKCS11_TEST_LABEL_DEVICE_PUBLIC_KEY_FOR_TLS** and **PKCS11_TEST_LABEL_DEVICE_CERTIFICATE_FOR_TLS**. These credentials must exist in the PKCS #11 before running the test. +* **PKCS11_TEST_RSA_CERTIFICATE** and **PKCS11_TEST_RSA_CERTIFICATE_LENGTH** must be defined before running the test to verify RSA preprovision mechanism. You may need to run the test several times with different configurations if your implementation support pre-provisioned credentials and other provisioning mechanisms. diff --git a/src/pkcs11/core_pkcs11_test.c b/src/pkcs11/core_pkcs11_test.c index 71bad5a..5ee640a 100644 --- a/src/pkcs11/core_pkcs11_test.c +++ b/src/pkcs11/core_pkcs11_test.c @@ -56,14 +56,14 @@ #include "mbedtls/ctr_drbg.h" #include "mbedtls/x509_crt.h" +/* Test configuration includes. */ +#include "test_param_config.h" + /* corePKCS11 test includes. */ #include "platform_function.h" #include "rsa_test_credentials.h" #include "ecdsa_test_credentials.h" -/* Test configuration includes. */ -#include "test_param_config.h" - /*-----------------------------------------------------------*/ /** @@ -140,7 +140,7 @@ /** * @brief Test RSA certificate value length. */ -#define CERTIFICATE_VALUE_LENGTH ( 949 ) +#define CERTIFICATE_VALUE_LENGTH ( RSA_TEST_VALID_CERTIFICATE_LENGTH ) /** * @brief EC point length. @@ -1635,39 +1635,37 @@ static void prvTestRsaGetAttributeValue( provisionMethod_t testProvisionMethod ) xTemplate.pValue = NULL; xTemplate.ulValueLen = 0; xResult = pxGlobalFunctionList->C_GetAttributeValue( xGlobalSession, xCertificateHandle, &xTemplate, 1 ); + TEST_ASSERT_MESSAGE( ( CKR_OK == xResult ), "Failed to get RSA certificate value length." ); TEST_ASSERT_MESSAGE( ( CERTIFICATE_VALUE_LENGTH == xTemplate.ulValueLen ), "GetAttributeValue returned incorrect length of RSA certificate value" ); /* Get the certificate value. */ xTemplate.pValue = xCertificateValue; xResult = pxGlobalFunctionList->C_GetAttributeValue( xGlobalSession, xCertificateHandle, &xTemplate, 1 ); - TEST_ASSERT_MESSAGE( ( CKR_OK == xResult ), "Failed to get RSA certificate value" ); + TEST_ASSERT_MESSAGE( ( CKR_OK == xResult ), "Failed to get RSA certificate value." ); TEST_ASSERT_MESSAGE( ( CERTIFICATE_VALUE_LENGTH == xTemplate.ulValueLen ), "GetAttributeValue returned incorrect length of RSA certificate value" ); - if( testProvisionMethod == eProvisionImportPrivateKey ) - { - /* Verify the imported certificate. */ - pucDerObject = FRTest_MemoryAlloc( sizeof( cValidRSACertificate ) ); - TEST_ASSERT_MESSAGE( pucDerObject != NULL, "Allocate memory for RSA certificate failed." ); - xDerLen = sizeof( cValidRSACertificate ); + /* Verify the imported certificate. */ + pucDerObject = FRTest_MemoryAlloc( sizeof( cValidRSACertificate ) ); + TEST_ASSERT_MESSAGE( pucDerObject != NULL, "Allocate memory for RSA certificate failed." ); + xDerLen = sizeof( cValidRSACertificate ); - lConversionReturn = convert_pem_to_der( ( const unsigned char * ) cValidRSACertificate, - sizeof( cValidRSACertificate ), - pucDerObject, - &xDerLen ); + lConversionReturn = convert_pem_to_der( ( const unsigned char * ) cValidRSACertificate, + sizeof( cValidRSACertificate ), + pucDerObject, + &xDerLen ); - if( lConversionReturn == 0 ) - { - lImportKeyCompare = memcmp( xTemplate.pValue, pucDerObject, xTemplate.ulValueLen ); - } + if( lConversionReturn == 0 ) + { + lImportKeyCompare = memcmp( xTemplate.pValue, pucDerObject, xTemplate.ulValueLen ); + } - /* Free the allocated memory and compare. */ - FRTest_MemoryFree( pucDerObject ); - pucDerObject = NULL; + /* Free the allocated memory and compare. */ + FRTest_MemoryFree( pucDerObject ); + pucDerObject = NULL; - if( ( lConversionReturn != 0 ) || ( lImportKeyCompare != 0 ) ) - { - TEST_FAIL_MESSAGE( "Compare imported RSA certificate failed." ); - } + if( ( lConversionReturn != 0 ) || ( lImportKeyCompare != 0 ) ) + { + TEST_FAIL_MESSAGE( "Compare imported RSA certificate failed." ); } /* Get the private key handle. */ @@ -1753,6 +1751,7 @@ static void prvTestRsaSign( provisionMethod_t testProvisionMethod ) if( TEST_PROTECT() ) { #if MBEDTLS_VERSION_NUMBER < 0x03000000 + { lMbedTLSResult = mbedtls_pk_parse_key( ( mbedtls_pk_context * ) &xMbedPkContext, ( const unsigned char * ) cValidRSAPrivateKey, sizeof( cValidRSAPrivateKey ), @@ -1762,9 +1761,10 @@ static void prvTestRsaSign( provisionMethod_t testProvisionMethod ) lMbedTLSResult = mbedtls_rsa_pkcs1_verify( xMbedPkContext.pk_ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA256, 32, xHashedMessage, xSignature ); - TEST_ASSERT_MESSAGE( ( 0 == xResult ), "mbedTLS failed to verify RSA signagure." ); - + TEST_ASSERT_MESSAGE( ( 0 == xResult ), "mbedTLS failed to verify RSA signature." ); + } #else + { lMbedTLSResult = mbedtls_ctr_drbg_seed( &xDrbgContext, mbedtls_entropy_func, &xEntropyContext, NULL, 0 ); TEST_ASSERT_MESSAGE( ( 0 == lMbedTLSResult ), "Failed to initialize DRBG" ); @@ -1779,7 +1779,7 @@ static void prvTestRsaSign( provisionMethod_t testProvisionMethod ) lMbedTLSResult = mbedtls_rsa_pkcs1_verify( xMbedPkContext.pk_ctx, MBEDTLS_MD_SHA256, 32, xHashedMessage, xSignature ); TEST_ASSERT_MESSAGE( ( 0 == xResult ), "mbedTLS failed to verify RSA signagure." ); - + } #endif /* MBEDTLS_VERSION_NUMBER < 0x03000000 */ } diff --git a/src/pkcs11/dev_mode_key_provisioning/dev_mode_key_provisioning.c b/src/pkcs11/dev_mode_key_provisioning/dev_mode_key_provisioning.c index 9ac34fb..f9db9fd 100644 --- a/src/pkcs11/dev_mode_key_provisioning/dev_mode_key_provisioning.c +++ b/src/pkcs11/dev_mode_key_provisioning/dev_mode_key_provisioning.c @@ -470,7 +470,7 @@ CK_RV xProvisionPublicKey( CK_SESSION_HANDLE xSession, xPublicKeyTemplate[ 0 ].pValue = &xClass; xPublicKeyTemplate[ 1 ].pValue = &xPublicKeyType; xPublicKeyTemplate[ 2 ].pValue = &xTrue; - xPublicKeyTemplate[ 3 ].pValue = &xModulus + 1; + xPublicKeyTemplate[ 3 ].pValue = &xModulus[ 1 ]; xPublicKeyTemplate[ 4 ].pValue = &xTrue; xPublicKeyTemplate[ 5 ].pValue = xPublicExponent; diff --git a/src/pkcs11/rsa_test_credentials.h b/src/pkcs11/rsa_test_credentials.h index ff1a254..d1c6989 100644 --- a/src/pkcs11/rsa_test_credentials.h +++ b/src/pkcs11/rsa_test_credentials.h @@ -66,29 +66,36 @@ "YZ4lIW5sJLATES9+Z8nHi7yRDLw6x/kcVQIDAQAB\n" \ "-----END RSA PUBLIC KEY-----\n" - -#define RSA_TEST_VALID_CERTIFICATE \ - "-----BEGIN CERTIFICATE-----\n" \ - "MIIDsTCCApmgAwIBAgIJALg4YJlPspxyMA0GCSqGSIb3DQEBCwUAMG8xCzAJBgNV\n" \ - "BAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTENMAsGA1UECgwE\n" \ - "QW16bjEMMAoGA1UECwwDSW9UMQ0wCwYDVQQDDARUZXN0MRUwEwYJKoZIhvcNAQkB\n" \ - "FgZub2JvZHkwHhcNMTgwNjExMTk0NjM2WhcNMjEwMzMxMTk0NjM2WjBvMQswCQYD\n" \ - "VQQGEwJVUzELMAkGA1UECAwCV0ExEDAOBgNVBAcMB1NlYXR0bGUxDTALBgNVBAoM\n" \ - "BEFtem4xDDAKBgNVBAsMA0lvVDENMAsGA1UEAwwEVGVzdDEVMBMGCSqGSIb3DQEJ\n" \ - "ARYGbm9ib2R5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsIqRecRx\n" \ - "Lz3PZXzZOHF7jMlB25tfv2LDGR7nGTJiey5zxd7oswihe7+26yx8medpNvX1ym9j\n" \ - "phty+9IR053k1WGnQQ4aaDeJonqn7V50Vesw6zFx/x8LMdXFoBAkRXIL8WS5YKaf\n" \ - "C87KPnye8A0piVWUFy7+IEEaK3hQEJTzB6LC/N100XL5ykLCa4xJBOqlIvbDvJ+b\n" \ - "Kty1EBA3sStlTNuXi3nBWZbXwCB2A+ddjijFf5+gUjinr7h6e2uQeipWyiIw9NKW\n" \ - "bvq8AG1Mj4XBoFL9wP2YTf2SQAgAzx0ySPNrIYOzBNl1YZ4lIW5sJLATES9+Z8nH\n" \ - "i7yRDLw6x/kcVQIDAQABo1AwTjAdBgNVHQ4EFgQUHc4PjEL0CaxZ+1D/4VdeDjxt\n" \ - "JO8wHwYDVR0jBBgwFoAUHc4PjEL0CaxZ+1D/4VdeDjxtJO8wDAYDVR0TBAUwAwEB\n" \ - "/zANBgkqhkiG9w0BAQsFAAOCAQEAi1/okTpQuPcaQEBgepccZ/Lt/gEQNdGcbsYQ\n" \ - "3aEABNVYL8dYOW9r/8l074zD+vi9iSli/yYmwRFD0baN1FRWUqkVEIQ+3yfivOW9\n" \ - "R282NuQvEULgERC2KN7vm0vO+DF7ay58qm4PaAGHdQco1LaHKkljMPLHF841facG\n" \ - "M9KVtzFveOQKkWvb4VgOyfn7aCnEogGlWt1S0d12pBRwYjJgKrVQaGs6IiGFVtm8\n" \ - "JRLZrLL3sfgsN7L1xu//JUoTOkgxdKuYRmPuUdV2hw/VYDzcnKj7/DMXNDvgl3s7\n" \ - "5GC4F+8LFLzRrZJWs18FMLaCE+zJChw/oeSt+RS0JZDFn+uX9Q==\n" \ +#ifndef PKCS11_TEST_RSA_CERTIFICATE + #define PKCS11_TEST_RSA_CERTIFICATE \ + "-----BEGIN CERTIFICATE-----\n" \ + "MIIDsTCCApmgAwIBAgIJALg4YJlPspxyMA0GCSqGSIb3DQEBCwUAMG8xCzAJBgNV\n" \ + "BAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTENMAsGA1UECgwE\n" \ + "QW16bjEMMAoGA1UECwwDSW9UMQ0wCwYDVQQDDARUZXN0MRUwEwYJKoZIhvcNAQkB\n" \ + "FgZub2JvZHkwHhcNMTgwNjExMTk0NjM2WhcNMjEwMzMxMTk0NjM2WjBvMQswCQYD\n" \ + "VQQGEwJVUzELMAkGA1UECAwCV0ExEDAOBgNVBAcMB1NlYXR0bGUxDTALBgNVBAoM\n" \ + "BEFtem4xDDAKBgNVBAsMA0lvVDENMAsGA1UEAwwEVGVzdDEVMBMGCSqGSIb3DQEJ\n" \ + "ARYGbm9ib2R5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsIqRecRx\n" \ + "Lz3PZXzZOHF7jMlB25tfv2LDGR7nGTJiey5zxd7oswihe7+26yx8medpNvX1ym9j\n" \ + "phty+9IR053k1WGnQQ4aaDeJonqn7V50Vesw6zFx/x8LMdXFoBAkRXIL8WS5YKaf\n" \ + "C87KPnye8A0piVWUFy7+IEEaK3hQEJTzB6LC/N100XL5ykLCa4xJBOqlIvbDvJ+b\n" \ + "Kty1EBA3sStlTNuXi3nBWZbXwCB2A+ddjijFf5+gUjinr7h6e2uQeipWyiIw9NKW\n" \ + "bvq8AG1Mj4XBoFL9wP2YTf2SQAgAzx0ySPNrIYOzBNl1YZ4lIW5sJLATES9+Z8nH\n" \ + "i7yRDLw6x/kcVQIDAQABo1AwTjAdBgNVHQ4EFgQUHc4PjEL0CaxZ+1D/4VdeDjxt\n" \ + "JO8wHwYDVR0jBBgwFoAUHc4PjEL0CaxZ+1D/4VdeDjxtJO8wDAYDVR0TBAUwAwEB\n" \ + "/zANBgkqhkiG9w0BAQsFAAOCAQEAi1/okTpQuPcaQEBgepccZ/Lt/gEQNdGcbsYQ\n" \ + "3aEABNVYL8dYOW9r/8l074zD+vi9iSli/yYmwRFD0baN1FRWUqkVEIQ+3yfivOW9\n" \ + "R282NuQvEULgERC2KN7vm0vO+DF7ay58qm4PaAGHdQco1LaHKkljMPLHF841facG\n" \ + "M9KVtzFveOQKkWvb4VgOyfn7aCnEogGlWt1S0d12pBRwYjJgKrVQaGs6IiGFVtm8\n" \ + "JRLZrLL3sfgsN7L1xu//JUoTOkgxdKuYRmPuUdV2hw/VYDzcnKj7/DMXNDvgl3s7\n" \ + "5GC4F+8LFLzRrZJWs18FMLaCE+zJChw/oeSt+RS0JZDFn+uX9Q==\n" \ "-----END CERTIFICATE-----\n" +#endif +#ifndef PKCS11_TEST_RSA_CERTIFICATE_LENGTH + #define PKCS11_TEST_RSA_CERTIFICATE_LENGTH ( 949 ) +#endif + +#define RSA_TEST_VALID_CERTIFICATE PKCS11_TEST_RSA_CERTIFICATE +#define RSA_TEST_VALID_CERTIFICATE_LENGTH PKCS11_TEST_RSA_CERTIFICATE_LENGTH #endif /* ifndef RSA_TEST_CREDENTIALS_H */