"""
Tests for PKCS#11 functionality.
NOTE: these are not run in CI, due to lack of testing setup.
"""
import os
from io import BytesIO
import pytest
import logging
from freezegun import freeze_time
from pkcs11 import PKCS11Error
from pyhanko.pdf_utils.incremental_writer import IncrementalPdfFileWriter
from pyhanko.pdf_utils.reader import PdfFileReader
from pyhanko.sign import signers, pkcs11
from pyhanko_tests.samples import MINIMAL
from pyhanko_tests.test_signing import val_trusted, SIMPLE_ECC_V_CONTEXT
logger = logging.getLogger(__name__)

# Path of the PKCS#11 module under test, supplied through the environment so
# the suite can be pointed at whatever token simulator the developer runs.
pkcs11_test_module = os.environ.get('PKCS11_TEST_MODULE')
# Token-backed tests are skipped outright when no module path is configured.
SKIP_PKCS11 = not pkcs11_test_module
if SKIP_PKCS11:
    logger.warning("Skipping PKCS#11 tests --- no PCKS#11 module specified")
def _simple_sess(token='testrsa'):
    """Open a PKCS#11 session on the named test token.

    The module path comes from ``PKCS11_TEST_MODULE`` and the PIN is the fixed
    test-token value; the tests below use the result as a context manager.

    Args:
        token: label of the token to open (default: the RSA test token).
    """
    session_kwargs = dict(user_pin='1234', token_label=token)
    return pkcs11.open_pkcs11_session(pkcs11_test_module, **session_kwargs)
# Labels of the additional certificates pulled from the token next to the
# signer certificate (presumably the issuing chain) -- passed as
# other_certs_to_pull by the tests below.
default_other_certs = 'root', 'intermediate'
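@pytest.mark.skipif(SKIP_PKCS11, reason="no PKCS#11 module")
# Full bulk_fetch x pss matrix: the previous list repeated (True, True) and
# never exercised bulk_fetch=False together with pss=True.
@pytest.mark.parametrize('bulk_fetch,pss', [(True, True), (False, False),
                                            (True, False), (False, True)])
@freeze_time('2020-11-01')
def test_simple_sign(bulk_fetch, pss):
    """Sign MINIMAL with the RSA test token and validate the signature.

    Args:
        bulk_fetch: forwarded to PKCS11Signer as ``bulk_fetch``.
        pss: forwarded to PKCS11Signer as ``prefer_pss``.
    """
    w = IncrementalPdfFileWriter(BytesIO(MINIMAL))
    meta = signers.PdfSignatureMetadata(field_name='Sig1')
    with _simple_sess() as sess:
        signer = pkcs11.PKCS11Signer(
            sess, 'signer', other_certs_to_pull=default_other_certs,
            bulk_fetch=bulk_fetch, prefer_pss=pss
        )
        # Sign inside the session context: the signer holds `sess`, so the
        # token must still be open while the signature is produced.
        out = signers.sign_pdf(w, meta, signer=signer)
    r = PdfFileReader(out)
    emb = r.embedded_signatures[0]
    assert emb.field_name == 'Sig1'
    # freeze_time pins the clock so the trust validation is deterministic.
    val_trusted(emb)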
@pytest.mark.skipif(SKIP_PKCS11, reason="no PKCS#11 module")
@pytest.mark.parametrize('bulk_fetch', [True, False])
@freeze_time('2020-11-01')
def test_wrong_key_label(bulk_fetch):
    """Signing with a nonexistent key label must raise PKCS11Error.

    The error is expected to mention the private key handle, i.e. the
    missing key is reported instead of some other key on the token being
    used silently.

    Args:
        bulk_fetch: forwarded to PKCS11Signer as ``bulk_fetch``.
    """
    writer = IncrementalPdfFileWriter(BytesIO(MINIMAL))
    metadata = signers.PdfSignatureMetadata(field_name='Sig1')
    bogus_label = 'NoSuchKeyExists'
    with _simple_sess() as sess:
        signer = pkcs11.PKCS11Signer(
            sess, 'signer', other_certs_to_pull=default_other_certs,
            bulk_fetch=bulk_fetch, key_label=bogus_label
        )
        # Only the signing call is expected to fail; building the signer
        # with a bad label is deliberately kept outside the raises() block.
        with pytest.raises(PKCS11Error, match='.*private key handle.*'):
            signers.sign_pdf(writer, metadata, signer=signer)
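@pytest.mark.skipif(SKIP_PKCS11, reason="no PKCS#11 module")
# Kept as xfail: the original comment attributes the failure to lack of
# (proper) support in SoftHSMv2.
@pytest.mark.xfail(reason="lack of (proper) support in SoftHSMv2")
@pytest.mark.parametrize('bulk_fetch', [True, False])
@freeze_time('2020-11-01')
def test_simple_sign_ecdsa(bulk_fetch):
    """Sign MINIMAL with the ECDSA test token and validate the signature.

    The skipif marker matches the other token tests: without it a missing
    PKCS#11 module surfaces as an expected failure from the xfail marker
    rather than as a skip with a reason.

    Args:
        bulk_fetch: forwarded to PKCS11Signer as ``bulk_fetch``.
    """
    w = IncrementalPdfFileWriter(BytesIO(MINIMAL))
    # sha1 is deprecated as a signature digest; it is kept here as the
    # original test's choice, presumably to suit SoftHSMv2 -- TODO confirm.
    meta = signers.PdfSignatureMetadata(field_name='Sig1', md_algorithm='sha1')
    with _simple_sess(token='testecdsa') as sess:
        signer = pkcs11.PKCS11Signer(
            sess, 'signer', other_certs_to_pull=default_other_certs,
            bulk_fetch=bulk_fetch
        )
        # The signer holds `sess`, so sign while the session is still open.
        out = signers.sign_pdf(w, meta, signer=signer)
    r = PdfFileReader(out)
    emb = r.embedded_signatures[0]
    assert emb.field_name == 'Sig1'
    # Validate against the ECC-specific trust context, not the default one.
    val_trusted(emb, vc=SIMPLE_ECC_V_CONTEXT())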