Skip to content

Fix RSA PKCS11_RSA_GetAttributeValue test #71

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
May 17, 2024
Merged

Fix RSA PKCS11_RSA_GetAttributeValue test #71

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
7e04f36
Not checking key length for imported RSA key
chinglee-iot May 7, 2024
3e13c8c
Update pkcs11 RSA getattribute test
chinglee-iot May 7, 2024
14e4031
Update readme document for new test config
chinglee-iot May 7, 2024
7d6f7b6
Remove RSA provision check for certificate for backward compatible
chinglee-iot May 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions src/pkcs11/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,8 @@ The following table lists the required test configurations for PKCS #11 tests. T
|PKCS11_TEST_LABEL_CODE_VERIFICATION_KEY |The label of the code verification key used in JITP codeverify test. |
|PKCS11_TEST_LABEL_JITP_CERTIFICATE |The label of the JITP certificate used in JITP codeverify test. |
|PKCS11_TEST_LABEL_ROOT_CERTIFICATE |The label of the root certificate used in JITP codeverify test. |
|PKCS11_TEST_RSA_CERTIFICATE |The certificate used to verify RSA preprovision mechanism. |
|PKCS11_TEST_RSA_CERTIFICATE_LENGTH |The certificate length used to verify RSA preprovision mechanism. |


FreeRTOS libraries and reference integrations needs at least one of the key function and one of the key provisioning mechanism supported by the PKCS #11 APIs. The test must enable at least one of the following configurations:
Expand All @@ -77,6 +79,7 @@ Pre-provisioned device credential test can not be enabled with other provisionin
* Enable **PKCS11_TEST_PREPROVISIONED_SUPPORT** and the other provisioning mechanisms must be disabled
* Only one of the key function, **PKCS11_TEST_RSA_KEY_SUPPORT** or **PKCS11_TEST_EC_KEY_SUPPORT**, enabled
* Setup the pre-provisioned key labels according to your key function, including **PKCS11_TEST_LABEL_DEVICE_PRIVATE_KEY_FOR_TLS**, **PKCS11_TEST_LABEL_DEVICE_PUBLIC_KEY_FOR_TLS** and **PKCS11_TEST_LABEL_DEVICE_CERTIFICATE_FOR_TLS**. These credentials must exist in the PKCS #11 before running the test.
* **PKCS11_TEST_RSA_CERTIFICATE** and **PKCS11_TEST_RSA_CERTIFICATE_LENGTH** must be defined before running the test to verify RSA preprovision mechanism.

You may need to run the test several times with different configurations if your implementation support pre-provisioned credentials and other provisioning mechanisms.

Expand Down
58 changes: 29 additions & 29 deletions src/pkcs11/core_pkcs11_test.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,14 +56,14 @@
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/x509_crt.h"

/* Test configuration includes. */
#include "test_param_config.h"

/* corePKCS11 test includes. */
#include "platform_function.h"
#include "rsa_test_credentials.h"
#include "ecdsa_test_credentials.h"

/* Test configuration includes. */
#include "test_param_config.h"

/*-----------------------------------------------------------*/

/**
Expand Down Expand Up @@ -140,7 +140,7 @@
/**
* @brief Test RSA certificate value length.
*/
#define CERTIFICATE_VALUE_LENGTH ( 949 )
#define CERTIFICATE_VALUE_LENGTH ( RSA_TEST_VALID_CERTIFICATE_LENGTH )

/**
* @brief EC point length.
Expand Down Expand Up @@ -1635,39 +1635,37 @@ static void prvTestRsaGetAttributeValue( provisionMethod_t testProvisionMethod )
xTemplate.pValue = NULL;
xTemplate.ulValueLen = 0;
xResult = pxGlobalFunctionList->C_GetAttributeValue( xGlobalSession, xCertificateHandle, &xTemplate, 1 );
TEST_ASSERT_MESSAGE( ( CKR_OK == xResult ), "Failed to get RSA certificate value length." );
TEST_ASSERT_MESSAGE( ( CERTIFICATE_VALUE_LENGTH == xTemplate.ulValueLen ), "GetAttributeValue returned incorrect length of RSA certificate value" );

/* Get the certificate value. */
xTemplate.pValue = xCertificateValue;
xResult = pxGlobalFunctionList->C_GetAttributeValue( xGlobalSession, xCertificateHandle, &xTemplate, 1 );
TEST_ASSERT_MESSAGE( ( CKR_OK == xResult ), "Failed to get RSA certificate value" );
TEST_ASSERT_MESSAGE( ( CKR_OK == xResult ), "Failed to get RSA certificate value." );
TEST_ASSERT_MESSAGE( ( CERTIFICATE_VALUE_LENGTH == xTemplate.ulValueLen ), "GetAttributeValue returned incorrect length of RSA certificate value" );

if( testProvisionMethod == eProvisionImportPrivateKey )
{
/* Verify the imported certificate. */
pucDerObject = FRTest_MemoryAlloc( sizeof( cValidRSACertificate ) );
TEST_ASSERT_MESSAGE( pucDerObject != NULL, "Allocate memory for RSA certificate failed." );
xDerLen = sizeof( cValidRSACertificate );
/* Verify the imported certificate. */
pucDerObject = FRTest_MemoryAlloc( sizeof( cValidRSACertificate ) );
TEST_ASSERT_MESSAGE( pucDerObject != NULL, "Allocate memory for RSA certificate failed." );
xDerLen = sizeof( cValidRSACertificate );

lConversionReturn = convert_pem_to_der( ( const unsigned char * ) cValidRSACertificate,
sizeof( cValidRSACertificate ),
pucDerObject,
&xDerLen );
lConversionReturn = convert_pem_to_der( ( const unsigned char * ) cValidRSACertificate,
sizeof( cValidRSACertificate ),
pucDerObject,
&xDerLen );

if( lConversionReturn == 0 )
{
lImportKeyCompare = memcmp( xTemplate.pValue, pucDerObject, xTemplate.ulValueLen );
}
if( lConversionReturn == 0 )
{
lImportKeyCompare = memcmp( xTemplate.pValue, pucDerObject, xTemplate.ulValueLen );
}

/* Free the allocated memory and compare. */
FRTest_MemoryFree( pucDerObject );
pucDerObject = NULL;
/* Free the allocated memory and compare. */
FRTest_MemoryFree( pucDerObject );
pucDerObject = NULL;

if( ( lConversionReturn != 0 ) || ( lImportKeyCompare != 0 ) )
{
TEST_FAIL_MESSAGE( "Compare imported RSA certificate failed." );
}
if( ( lConversionReturn != 0 ) || ( lImportKeyCompare != 0 ) )
{
TEST_FAIL_MESSAGE( "Compare imported RSA certificate failed." );
}

/* Get the private key handle. */
Expand Down Expand Up @@ -1753,6 +1751,7 @@ static void prvTestRsaSign( provisionMethod_t testProvisionMethod )
if( TEST_PROTECT() )
{
#if MBEDTLS_VERSION_NUMBER < 0x03000000
{
lMbedTLSResult = mbedtls_pk_parse_key( ( mbedtls_pk_context * ) &xMbedPkContext,
( const unsigned char * ) cValidRSAPrivateKey,
sizeof( cValidRSAPrivateKey ),
Expand All @@ -1762,9 +1761,10 @@ static void prvTestRsaSign( provisionMethod_t testProvisionMethod )

lMbedTLSResult = mbedtls_rsa_pkcs1_verify( xMbedPkContext.pk_ctx, NULL, NULL,
MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA256, 32, xHashedMessage, xSignature );
TEST_ASSERT_MESSAGE( ( 0 == xResult ), "mbedTLS failed to verify RSA signagure." );

TEST_ASSERT_MESSAGE( ( 0 == xResult ), "mbedTLS failed to verify RSA signature." );
}
#else
{
lMbedTLSResult = mbedtls_ctr_drbg_seed( &xDrbgContext, mbedtls_entropy_func, &xEntropyContext, NULL, 0 );
TEST_ASSERT_MESSAGE( ( 0 == lMbedTLSResult ), "Failed to initialize DRBG" );

Expand All @@ -1779,7 +1779,7 @@ static void prvTestRsaSign( provisionMethod_t testProvisionMethod )
lMbedTLSResult = mbedtls_rsa_pkcs1_verify( xMbedPkContext.pk_ctx, MBEDTLS_MD_SHA256,
32, xHashedMessage, xSignature );
TEST_ASSERT_MESSAGE( ( 0 == xResult ), "mbedTLS failed to verify RSA signagure." );

}
#endif /* MBEDTLS_VERSION_NUMBER < 0x03000000 */
}

Expand Down
2 changes: 1 addition & 1 deletion src/pkcs11/dev_mode_key_provisioning/dev_mode_key_provisioning.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -470,7 +470,7 @@ CK_RV xProvisionPublicKey( CK_SESSION_HANDLE xSession,
xPublicKeyTemplate[ 0 ].pValue = &xClass;
xPublicKeyTemplate[ 1 ].pValue = &xPublicKeyType;
xPublicKeyTemplate[ 2 ].pValue = &xTrue;
xPublicKeyTemplate[ 3 ].pValue = &xModulus + 1;
xPublicKeyTemplate[ 3 ].pValue = &xModulus[ 1 ];
xPublicKeyTemplate[ 4 ].pValue = &xTrue;
xPublicKeyTemplate[ 5 ].pValue = xPublicExponent;

Expand Down
53 changes: 30 additions & 23 deletions src/pkcs11/rsa_test_credentials.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,29 +66,36 @@
"YZ4lIW5sJLATES9+Z8nHi7yRDLw6x/kcVQIDAQAB\n" \
"-----END RSA PUBLIC KEY-----\n"


#define RSA_TEST_VALID_CERTIFICATE \
"-----BEGIN CERTIFICATE-----\n" \
"MIIDsTCCApmgAwIBAgIJALg4YJlPspxyMA0GCSqGSIb3DQEBCwUAMG8xCzAJBgNV\n" \
"BAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTENMAsGA1UECgwE\n" \
"QW16bjEMMAoGA1UECwwDSW9UMQ0wCwYDVQQDDARUZXN0MRUwEwYJKoZIhvcNAQkB\n" \
"FgZub2JvZHkwHhcNMTgwNjExMTk0NjM2WhcNMjEwMzMxMTk0NjM2WjBvMQswCQYD\n" \
"VQQGEwJVUzELMAkGA1UECAwCV0ExEDAOBgNVBAcMB1NlYXR0bGUxDTALBgNVBAoM\n" \
"BEFtem4xDDAKBgNVBAsMA0lvVDENMAsGA1UEAwwEVGVzdDEVMBMGCSqGSIb3DQEJ\n" \
"ARYGbm9ib2R5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsIqRecRx\n" \
"Lz3PZXzZOHF7jMlB25tfv2LDGR7nGTJiey5zxd7oswihe7+26yx8medpNvX1ym9j\n" \
"phty+9IR053k1WGnQQ4aaDeJonqn7V50Vesw6zFx/x8LMdXFoBAkRXIL8WS5YKaf\n" \
"C87KPnye8A0piVWUFy7+IEEaK3hQEJTzB6LC/N100XL5ykLCa4xJBOqlIvbDvJ+b\n" \
"Kty1EBA3sStlTNuXi3nBWZbXwCB2A+ddjijFf5+gUjinr7h6e2uQeipWyiIw9NKW\n" \
"bvq8AG1Mj4XBoFL9wP2YTf2SQAgAzx0ySPNrIYOzBNl1YZ4lIW5sJLATES9+Z8nH\n" \
"i7yRDLw6x/kcVQIDAQABo1AwTjAdBgNVHQ4EFgQUHc4PjEL0CaxZ+1D/4VdeDjxt\n" \
"JO8wHwYDVR0jBBgwFoAUHc4PjEL0CaxZ+1D/4VdeDjxtJO8wDAYDVR0TBAUwAwEB\n" \
"/zANBgkqhkiG9w0BAQsFAAOCAQEAi1/okTpQuPcaQEBgepccZ/Lt/gEQNdGcbsYQ\n" \
"3aEABNVYL8dYOW9r/8l074zD+vi9iSli/yYmwRFD0baN1FRWUqkVEIQ+3yfivOW9\n" \
"R282NuQvEULgERC2KN7vm0vO+DF7ay58qm4PaAGHdQco1LaHKkljMPLHF841facG\n" \
"M9KVtzFveOQKkWvb4VgOyfn7aCnEogGlWt1S0d12pBRwYjJgKrVQaGs6IiGFVtm8\n" \
"JRLZrLL3sfgsN7L1xu//JUoTOkgxdKuYRmPuUdV2hw/VYDzcnKj7/DMXNDvgl3s7\n" \
"5GC4F+8LFLzRrZJWs18FMLaCE+zJChw/oeSt+RS0JZDFn+uX9Q==\n" \
#ifndef PKCS11_TEST_RSA_CERTIFICATE
#define PKCS11_TEST_RSA_CERTIFICATE \
"-----BEGIN CERTIFICATE-----\n" \
"MIIDsTCCApmgAwIBAgIJALg4YJlPspxyMA0GCSqGSIb3DQEBCwUAMG8xCzAJBgNV\n" \
"BAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTENMAsGA1UECgwE\n" \
"QW16bjEMMAoGA1UECwwDSW9UMQ0wCwYDVQQDDARUZXN0MRUwEwYJKoZIhvcNAQkB\n" \
"FgZub2JvZHkwHhcNMTgwNjExMTk0NjM2WhcNMjEwMzMxMTk0NjM2WjBvMQswCQYD\n" \
"VQQGEwJVUzELMAkGA1UECAwCV0ExEDAOBgNVBAcMB1NlYXR0bGUxDTALBgNVBAoM\n" \
"BEFtem4xDDAKBgNVBAsMA0lvVDENMAsGA1UEAwwEVGVzdDEVMBMGCSqGSIb3DQEJ\n" \
"ARYGbm9ib2R5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsIqRecRx\n" \
"Lz3PZXzZOHF7jMlB25tfv2LDGR7nGTJiey5zxd7oswihe7+26yx8medpNvX1ym9j\n" \
"phty+9IR053k1WGnQQ4aaDeJonqn7V50Vesw6zFx/x8LMdXFoBAkRXIL8WS5YKaf\n" \
"C87KPnye8A0piVWUFy7+IEEaK3hQEJTzB6LC/N100XL5ykLCa4xJBOqlIvbDvJ+b\n" \
"Kty1EBA3sStlTNuXi3nBWZbXwCB2A+ddjijFf5+gUjinr7h6e2uQeipWyiIw9NKW\n" \
"bvq8AG1Mj4XBoFL9wP2YTf2SQAgAzx0ySPNrIYOzBNl1YZ4lIW5sJLATES9+Z8nH\n" \
"i7yRDLw6x/kcVQIDAQABo1AwTjAdBgNVHQ4EFgQUHc4PjEL0CaxZ+1D/4VdeDjxt\n" \
"JO8wHwYDVR0jBBgwFoAUHc4PjEL0CaxZ+1D/4VdeDjxtJO8wDAYDVR0TBAUwAwEB\n" \
"/zANBgkqhkiG9w0BAQsFAAOCAQEAi1/okTpQuPcaQEBgepccZ/Lt/gEQNdGcbsYQ\n" \
"3aEABNVYL8dYOW9r/8l074zD+vi9iSli/yYmwRFD0baN1FRWUqkVEIQ+3yfivOW9\n" \
"R282NuQvEULgERC2KN7vm0vO+DF7ay58qm4PaAGHdQco1LaHKkljMPLHF841facG\n" \
"M9KVtzFveOQKkWvb4VgOyfn7aCnEogGlWt1S0d12pBRwYjJgKrVQaGs6IiGFVtm8\n" \
"JRLZrLL3sfgsN7L1xu//JUoTOkgxdKuYRmPuUdV2hw/VYDzcnKj7/DMXNDvgl3s7\n" \
"5GC4F+8LFLzRrZJWs18FMLaCE+zJChw/oeSt+RS0JZDFn+uX9Q==\n" \
"-----END CERTIFICATE-----\n"
#endif
#ifndef PKCS11_TEST_RSA_CERTIFICATE_LENGTH
#define PKCS11_TEST_RSA_CERTIFICATE_LENGTH ( 949 )
#endif

#define RSA_TEST_VALID_CERTIFICATE PKCS11_TEST_RSA_CERTIFICATE
#define RSA_TEST_VALID_CERTIFICATE_LENGTH PKCS11_TEST_RSA_CERTIFICATE_LENGTH

#endif /* ifndef RSA_TEST_CREDENTIALS_H */