From dc351207939798db86430b9e25937b4131fa0172 Mon Sep 17 00:00:00 2001
From: Sean Parkinson
Date: Wed, 23 Sep 2020 08:31:46 +1000
Subject: [PATCH 1/2] PKCS#11: Update samples to handle no user pin and ECC type

PKCS#11 devices allow generating an ECC key for Derivation or Decrypt/Sign not both at once.
---
 pkcs11/pkcs11_aescbc.c | 8 ++++----
 pkcs11/pkcs11_aesgcm.c | 8 ++++----
 pkcs11/pkcs11_ecc.c | 8 ++++----
 pkcs11/pkcs11_genecc.c | 11 ++++++-----
 pkcs11/pkcs11_hmac.c | 8 ++++----
 pkcs11/pkcs11_rand.c | 8 ++++----
 pkcs11/pkcs11_rsa.c | 8 ++++----
 pkcs11/pkcs11_test.c | 13 +++++++++----
 pkcs11/server-tls-pkcs11-ecc.c | 8 ++++----
 pkcs11/server-tls-pkcs11.c | 8 ++++----
 10 files changed, 47 insertions(+), 41 deletions(-)
diff --git a/pkcs11/pkcs11_aescbc.c b/pkcs11/pkcs11_aescbc.c
index 8bb599c01..41997a3ae 100644
--- a/pkcs11/pkcs11_aescbc.c
+++ b/pkcs11/pkcs11_aescbc.c
@@ -87,16 +87,16 @@ int main(int argc, char* argv[])
 int slotId;
 int devId = 1;
- if (argc != 5) {
+ if (argc != 4 && argc != 5) {
 fprintf(stderr,
- "Usage: pkcs11_aescbc \n");
+ "Usage: pkcs11_aescbc [userpin]\n");
 return 1;
 }
 library = argv[1];
 slot = argv[2];
 tokenName = argv[3];
- userPin = argv[4];
+ userPin = (argc == 4) ? NULL : argv[4];
 slotId = atoi(slot);
 #if defined(DEBUG_WOLFSSL)
@@ -111,7 +111,7 @@ int main(int argc, char* argv[])
 }
 if (ret == 0) {
 ret = wc_Pkcs11Token_Init(&token, &dev, slotId, tokenName,
- (byte*)userPin, strlen(userPin));
+ (byte*)userPin, userPin == NULL ? 0 : strlen(userPin));
 if (ret != 0) {
 fprintf(stderr, "Failed to initialize PKCS#11 token\n");
 ret = 2;
diff --git a/pkcs11/pkcs11_aesgcm.c b/pkcs11/pkcs11_aesgcm.c
index f31fb5af1..d2bfe2c90 100644
--- a/pkcs11/pkcs11_aesgcm.c
+++ b/pkcs11/pkcs11_aesgcm.c
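Review bot: Nothing in the new code says what a NULL userPin means; `userPin = (argc == 4) ? NULL : argv[4];` together with the length-0 argument to wc_Pkcs11Token_Init only tells the reader that no PIN is passed, and whether the library then skips the user login or fails later is left to the commit subject. A comment on that line, `/* no PIN on the command line: token is used without a user login */`, would record the intent — confirm against wc_Pkcs11Token_Init's contract that a NULL/zero-length PIN is treated that way. Since the PIN stays a command-line argument it is visible in process listings and shell history; the samples could note that or accept it from the environment instead. The same two edits are repeated in pkcs11_aesgcm.c, pkcs11_ecc.c, pkcs11_genecc.c, pkcs11_hmac.c, pkcs11_rand.c, pkcs11_rsa.c, pkcs11_test.c and both server-tls-pkcs11 samples, so the comment belongs in each; main() begins and ends outside these hunks.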
@@ -90,16 +90,16 @@ int main(int argc, char* argv[])
 int slotId;
 int devId = 1;
- if (argc != 5) {
+ if (argc != 4 && argc != 5) {
 fprintf(stderr,
- "Usage: pkcs11_aesgcm \n");
+ "Usage: pkcs11_aesgcm [userpin]\n");
 return 1;
 }
 library = argv[1];
 slot = argv[2];
 tokenName = argv[3];
- userPin = argv[4];
+ userPin = (argc == 4) ? NULL : argv[4];
 slotId = atoi(slot);
 #if defined(DEBUG_WOLFSSL)
@@ -114,7 +114,7 @@ int main(int argc, char* argv[])
 }
 if (ret == 0) {
 ret = wc_Pkcs11Token_Init(&token, &dev, slotId, tokenName,
- (byte*)userPin, strlen(userPin));
+ (byte*)userPin, userPin == NULL ? 0 : strlen(userPin));
 if (ret != 0) {
 fprintf(stderr, "Failed to initialize PKCS#11 token\n");
 ret = 2;
diff --git a/pkcs11/pkcs11_ecc.c b/pkcs11/pkcs11_ecc.c
index f88cea9b0..1efefc27e 100644
--- a/pkcs11/pkcs11_ecc.c
+++ b/pkcs11/pkcs11_ecc.c
@@ -163,16 +163,16 @@ int main(int argc, char* argv[])
 int slotId;
 int devId = 1;
- if (argc != 5) {
+ if (argc != 4 && argc != 5) {
 fprintf(stderr,
- "Usage: pkcs11_ecc \n");
+ "Usage: pkcs11_ecc [userpin]\n");
 return 1;
 }
 library = argv[1];
 slot = argv[2];
 tokenName = argv[3];
- userPin = argv[4];
+ userPin = (argc == 4) ? NULL : argv[4];
 slotId = atoi(slot);
 #if defined(DEBUG_WOLFSSL)
@@ -187,7 +187,7 @@ int main(int argc, char* argv[])
 }
 if (ret == 0) {
 ret = wc_Pkcs11Token_Init(&token, &dev, slotId, tokenName,
- (byte*)userPin, strlen(userPin));
+ (byte*)userPin, userPin == NULL ? 0 : strlen(userPin));
 if (ret != 0) {
 fprintf(stderr, "Failed to initialize PKCS#11 token\n");
 ret = 2;
diff --git a/pkcs11/pkcs11_genecc.c b/pkcs11/pkcs11_genecc.c
index b8922dc08..3b9c28dc5 100644
--- a/pkcs11/pkcs11_genecc.c
+++ b/pkcs11/pkcs11_genecc.c
@@ -38,7 +38,8 @@ int gen_ec_keys(Pkcs11Token* token, ecc_key* key, unsigned char* id, int idLen,
 if (ret != 0)
 fprintf(stderr, "Failed to initialize EC key: %d\n", ret);
 if (ret == 0) {
- ret = wc_ecc_make_key_ex(&rng, 32, key, ECC_CURVE_DEF);
+ ret = wc_ecc_make_key_ex2(&rng, 32, key, ECC_CURVE_DEF,
+ WC_ECC_FLAG_DEC_SIGN);
 if (ret != 0)
 fprintf(stderr, "Failed to generate EC key: %d\n", ret);
 }
@@ -98,16 +99,16 @@ int main(int argc, char* argv[])
 int slotId;
 int devId = 1;
- if (argc != 5) {
+ if (argc != 4 && argc != 5) {
 fprintf(stderr,
- "Usage: pkcs11_genecc \n");
+ "Usage: pkcs11_genecc [userpin]\n");
 return 1;
 }
 library = argv[1];
 slot = argv[2];
 tokenName = argv[3];
- userPin = argv[4];
+ userPin = (argc == 4) ? NULL : argv[4];
 slotId = atoi(slot);
 #if defined(DEBUG_WOLFSSL)
@@ -122,7 +123,7 @@ int main(int argc, char* argv[])
 }
 if (ret == 0) {
 ret = wc_Pkcs11Token_Init(&token, &dev, slotId, tokenName,
- (byte*)userPin, strlen(userPin));
+ (byte*)userPin, userPin == NULL ? 0 : strlen(userPin));
 if (ret != 0) {
 fprintf(stderr, "Failed to initialize PKCS#11 token\n");
 ret = 2;
diff --git a/pkcs11/pkcs11_hmac.c b/pkcs11/pkcs11_hmac.c
index 1dac3c256..7a47097f4 100644
--- a/pkcs11/pkcs11_hmac.c
+++ b/pkcs11/pkcs11_hmac.c
@@ -75,16 +75,16 @@ int main(int argc, char* argv[])
 int slotId;
 int devId = 1;
- if (argc != 5) {
+ if (argc != 4 && argc != 5) {
 fprintf(stderr,
- "Usage: pkcs11_aescbc \n");
+ "Usage: pkcs11_aescbc [userpin]\n");
 return 1;
 }
 library = argv[1];
 slot = argv[2];
 tokenName = argv[3];
- userPin = argv[4];
+ userPin = (argc == 4) ? NULL : argv[4];
 slotId = atoi(slot);
 #if defined(DEBUG_WOLFSSL)
@@ -99,7 +99,7 @@ int main(int argc, char* argv[])
 }
 if (ret == 0) {
 ret = wc_Pkcs11Token_Init(&token, &dev, slotId, tokenName,
- (byte*)userPin, strlen(userPin));
+ (byte*)userPin, userPin == NULL ? 0 : strlen(userPin));
 if (ret != 0) {
 fprintf(stderr, "Failed to initialize PKCS#11 token\n");
 ret = 2;
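Review bot: The new `WC_ECC_FLAG_DEC_SIGN` argument to wc_ecc_make_key_ex2 is the whole point of this change, yet nothing in the code says why the key is restricted; the reason lives only in the commit message. A comment above the call, `/* PKCS#11 tokens generate an EC key for either derivation or decrypt/sign, not both; this sample needs decrypt/sign */`, would keep that constraint next to the code. The rest of gen_ec_keys lies outside the hunk, so I cannot see whether the key is later used for ECDH as well; if it is, that use will presumably now fail on such tokens.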
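Review bot: The rewritten usage line in pkcs11_hmac.c still prints `pkcs11_aescbc` as the program name, so a user who runs the HMAC sample with the wrong arguments is told how to run a different sample. Since the commit touches this exact string it should name this program, `"Usage: pkcs11_hmac ... [userpin]\n"`, with the argument placeholders as the other samples print them (they seem to have been stripped from the page as shown). The same copy-paste name survives in pkcs11_rand.c, which prints `pkcs11_test`, and probably in server-tls-pkcs11-ecc.c, which prints `server_tls_pkcs11`. main() begins and ends outside the hunk.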
diff --git a/pkcs11/pkcs11_rand.c b/pkcs11/pkcs11_rand.c
index 6cabdacd8..8b6a629e7 100644
--- a/pkcs11/pkcs11_rand.c
+++ b/pkcs11/pkcs11_rand.c
@@ -60,16 +60,16 @@ int main(int argc, char* argv[])
 int devId = 1;
 WC_RNG rng;
- if (argc != 5) {
+ if (argc != 4 && argc != 5) {
 fprintf(stderr,
- "Usage: pkcs11_test \n");
+ "Usage: pkcs11_test [userpin]\n");
 return 1;
 }
 library = argv[1];
 slot = argv[2];
 tokenName = argv[3];
- userPin = argv[4];
+ userPin = (argc == 4) ? NULL : argv[4];
 slotId = atoi(slot);
 #if defined(DEBUG_WOLFSSL)
@@ -84,7 +84,7 @@ int main(int argc, char* argv[])
 }
 if (ret == 0) {
 ret = wc_Pkcs11Token_Init(&token, &dev, slotId, tokenName,
- (byte*)userPin, strlen(userPin));
+ (byte*)userPin, userPin == NULL ? 0 : strlen(userPin));
 if (ret != 0) {
 fprintf(stderr, "Failed to initialize PKCS#11 token\n");
 ret = 2;
diff --git a/pkcs11/pkcs11_rsa.c b/pkcs11/pkcs11_rsa.c
index 5628e7ced..7e40be7e8 100644
--- a/pkcs11/pkcs11_rsa.c
+++ b/pkcs11/pkcs11_rsa.c
@@ -283,16 +283,16 @@ int main(int argc, char* argv[])
 int slotId;
 int devId = 1;
- if (argc != 5) {
+ if (argc != 4 && argc != 5) {
 fprintf(stderr,
- "Usage: pkcs11_rsa \n");
+ "Usage: pkcs11_rsa [userpin]\n");
 return 1;
 }
 library = argv[1];
 slot = argv[2];
 tokenName = argv[3];
- userPin = argv[4];
+ userPin = (argc == 4) ? NULL : argv[4];
 slotId = atoi(slot);
 #if defined(DEBUG_WOLFSSL)
@@ -307,7 +307,7 @@ int main(int argc, char* argv[])
 }
 else {
 ret = wc_Pkcs11Token_Init(&token, &dev, slotId, tokenName,
- (byte*)userPin, strlen(userPin));
+ (byte*)userPin, userPin == NULL ? 0 : strlen(userPin));
 if (ret != 0) {
 fprintf(stderr, "Failed to initialize PKCS#11 token\n");
 ret = 2;
diff --git a/pkcs11/pkcs11_test.c b/pkcs11/pkcs11_test.c
index 903e92b76..ae239e1eb 100644
--- a/pkcs11/pkcs11_test.c
+++ b/pkcs11/pkcs11_test.c
@@ -486,6 +486,11 @@ int ecdh_test(ecc_key* privKey, ecc_key* pubKey, int check)
 byte out[256/8];
 word32 outSz = sizeof(out);
+#if defined(ECC_TIMING_RESISTANT) && (!defined(HAVE_FIPS) || \
+ (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION != 2))) && \
+ !defined(HAVE_SELFTEST)
+ ret = wc_ecc_set_rng(privKey, &rng);
+#endif
 if (ret == 0) {
 ret = wc_ecc_shared_secret(privKey, pubKey, out, &outSz);
 if (ret < 0)
@@ -1119,16 +1124,16 @@ int main(int argc, char* argv[])
 int slotId;
 int devId = 1;
- if (argc != 5) {
+ if (argc != 4 && argc != 5) {
 fprintf(stderr,
- "Usage: pkcs11_test \n");
+ "Usage: pkcs11_test [userpin]\n");
 return 1;
 }
 library = argv[1];
 slot = argv[2];
 tokenName = argv[3];
- userPin = argv[4];
+ userPin = (argc == 4) ? NULL : argv[4];
 slotId = atoi(slot);
 #if defined(DEBUG_WOLFSSL)
@@ -1143,7 +1148,7 @@ int main(int argc, char* argv[])
 }
 if (ret == 0) {
 ret = wc_Pkcs11Token_Init(&token, &dev, slotId, tokenName,
- (byte*)userPin, strlen(userPin));
+ (byte*)userPin, userPin == NULL ? 0 : strlen(userPin));
 if (ret != 0) {
 fprintf(stderr, "Failed to initialize PKCS#11 token\n");
 ret = 2;
diff --git a/pkcs11/server-tls-pkcs11-ecc.c b/pkcs11/server-tls-pkcs11-ecc.c
index 94ddd621a..5a1322f85 100644
--- a/pkcs11/server-tls-pkcs11-ecc.c
+++ b/pkcs11/server-tls-pkcs11-ecc.c
@@ -229,16 +229,16 @@ int main(int argc, char* argv[])
 int slotId;
 int devId = 1;
- if (argc != 5) {
+ if (argc != 4 && argc != 5) {
 fprintf(stderr,
- "Usage: server_tls_pkcs11 \n");
+ "Usage: server_tls_pkcs11 [userpin]\n");
 return 1;
 }
 library = argv[1];
 slot = argv[2];
 tokenName = argv[3];
- userPin = argv[4];
+ userPin = (argc == 4) ? NULL : argv[4];
 slotId = atoi(slot);
 #if defined(DEBUG_WOLFSSL)
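Review bot: The new `ret = wc_ecc_set_rng(privKey, &rng);` overwrites whatever ret held and, unlike every other call in this function, reports nothing when it fails; the following `if (ret == 0)` then silently skips the shared-secret computation and the test fails with no indication of where. Add `if (ret != 0) fprintf(stderr, "Failed to set RNG on EC key: %d\n", ret);` inside the #if block, and consider guarding the call with `if (ret == 0)` so an earlier failure is not masked. ecdh_test's body starts and ends outside the hunk, so whether ret is initialised to 0 before this point is not visible here.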
@@ -253,7 +253,7 @@ int main(int argc, char* argv[])
 }
 if (ret == 0) {
 ret = wc_Pkcs11Token_Init(&token, &dev, slotId, tokenName,
- (byte*)userPin, strlen(userPin));
+ (byte*)userPin, userPin == NULL ? 0 : strlen(userPin));
 if (ret != 0) {
 fprintf(stderr, "Failed to initialize PKCS#11 token\n");
 ret = 2;
diff --git a/pkcs11/server-tls-pkcs11.c b/pkcs11/server-tls-pkcs11.c
index 6b5caa2c8..0536436f4 100644
--- a/pkcs11/server-tls-pkcs11.c
+++ b/pkcs11/server-tls-pkcs11.c
@@ -229,16 +229,16 @@ int main(int argc, char* argv[])
 int slotId;
 int devId = 1;
- if (argc != 5) {
+ if (argc != 4 && argc != 5) {
 fprintf(stderr,
- "Usage: server_tls_pkcs11 \n");
+ "Usage: server_tls_pkcs11 [userpin]\n");
 return 1;
 }
 library = argv[1];
 slot = argv[2];
 tokenName = argv[3];
- userPin = argv[4];
+ userPin = (argc == 4) ? NULL : argv[4];
 slotId = atoi(slot);
 #if defined(DEBUG_WOLFSSL)
@@ -253,7 +253,7 @@ int main(int argc, char* argv[])
 }
 if (ret == 0) {
 ret = wc_Pkcs11Token_Init(&token, &dev, slotId, tokenName,
- (byte*)userPin, strlen(userPin));
+ (byte*)userPin, userPin == NULL ? 0 : strlen(userPin));
 if (ret != 0) {
 fprintf(stderr, "Failed to initialize PKCS#11 token\n");
 ret = 2;
From e617ac6cd0e31fa779ca9bb6d006a5243f7ece86 Mon Sep 17 00:00:00 2001
From: Sean Parkinson
Date: Fri, 27 Nov 2020 08:42:50 +1000
Subject: [PATCH 2/2] Added testing of new label APIs

Using a label string instead of an ID is useful for customers that name the keys rather than using devices generated ID.
---
 pkcs11/pkcs11_test.c | 249 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 246 insertions(+), 3 deletions(-)
diff --git a/pkcs11/pkcs11_test.c b/pkcs11/pkcs11_test.c
index ae239e1eb..0e656cd1e 100644
--- a/pkcs11/pkcs11_test.c
+++ b/pkcs11/pkcs11_test.c
@@ -340,6 +340,45 @@ int gen_rsa_key(Pkcs11Token* token, RsaKey* key, unsigned char* id, int idLen,
 return ret;
 }
+
+int gen_rsa_key_label(Pkcs11Token* token, RsaKey* key, char* label, int devId)
+{
+ int ret = 0;
+ CK_RV rv;
+ CK_ULONG bits = 2048;
+ CK_OBJECT_HANDLE pubKey = NULL_PTR, privKey = NULL_PTR;
+ CK_MECHANISM mech;
+ CK_ATTRIBUTE pubKeyTmpl[] = {
+ { CKA_MODULUS_BITS, &bits, sizeof(bits) },
+ { CKA_ENCRYPT, &ckTrue, sizeof(ckTrue) },
+ { CKA_VERIFY, &ckTrue, sizeof(ckTrue) },
+ { CKA_PUBLIC_EXPONENT, &pub_exp, sizeof(pub_exp) }
+ };
+ CK_ATTRIBUTE privKeyTmpl[] = {
+ {CKA_DECRYPT, &ckTrue, sizeof(ckTrue) },
+ {CKA_SIGN, &ckTrue, sizeof(ckTrue) },
+ {CKA_LABEL, label, XSTRLEN(label) }
+ };
+ int privTmplCnt = 2;
+
+ if (XSTRLEN(label) > 0)
+ privTmplCnt++;
+ if (ret == 0) {
+ mech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
+ mech.ulParameterLen = 0;
+ mech.pParameter = NULL;
+
+ rv = token->func->C_GenerateKeyPair(token->handle, &mech, pubKeyTmpl, 4,
+ privKeyTmpl, privTmplCnt, &pubKey, &privKey);
+ if (rv != CKR_OK)
+ ret = -1;
+ }
+
+ if (ret == 0)
+ ret = get_public_key(key, token, token->handle, pubKey);
+
+ return ret;
+}
 #else
 int gen_rsa_key(Pkcs11Token* token, RsaKey* key, unsigned char* id, int idLen,
 int devId)
@@ -359,6 +398,24 @@ int gen_rsa_key(Pkcs11Token* token, RsaKey* key, unsigned char* id, int idLen,
 return ret;
 }
+
+int gen_rsa_key_label(Pkcs11Token* token, RsaKey* key, char* label, int devId)
+{
+ int ret;
+
+ ret = wc_InitRsaKey_Label(key, label, NULL, devId);
+ if (ret != 0) {
+ fprintf(stderr, "Failed to initialize RSA key: %d\n", ret);
+ }
+
+ if (ret == 0) {
+ ret = wc_MakeRsaKey(key, 2048, 0x10001, &rng);
+ if (ret != 0)
+ fprintf(stderr, "Failed to generate RSA key: %d\n", ret);
+ }
+
+ return ret;
+}
 #endif
 int rsaenc_test(RsaKey* key)
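Review bot: In the PKCS#11-direct gen_rsa_key_label, `if (rv != CKR_OK) ret = -1;` discards the CK_RV, so a template or mechanism rejection by the token — the label attribute is the new element and the most likely thing to be refused — surfaces as a bare -1 with no message, while the #else variant of the same function prints every failure. Change it to `if (rv != CKR_OK) { fprintf(stderr, "C_GenerateKeyPair failed: 0x%lx\n", (unsigned long)rv); ret = -1; }`. The `if (ret == 0)` around the key generation is always true because ret was initialised to 0 two lines earlier, and `devId` is unused in this variant; both read as residue copied from gen_rsa_key. `label` is only read (XSTRLEN and the template pointer), so `const char* label` would document that at the cost of a cast into the CK_ATTRIBUTE, and XSTRLEN(label) is evaluated with no NULL check — fine for the literal-string callers, but worth a note in a header comment for the function.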
@@ -464,6 +521,21 @@ int decode_ecc_keys(ecc_key* privKey, ecc_key* pubKey, int devId)
 return ret;
 }
+int gen_ec_keys_label(Pkcs11Token* token, ecc_key* key, char* label, int devId)
+{
+ int ret;
+
+ ret = wc_ecc_init_label(key, label, NULL, devId);
+ if (ret != 0)
+ fprintf(stderr, "Failed to initialize EC key: %d\n", ret);
+ if (ret == 0) {
+ ret = wc_ecc_make_key_ex(&rng, 32, key, ECC_CURVE_DEF);
+ if (ret != 0)
+ fprintf(stderr, "Failed to generate EC key: %d\n", ret);
+ }
+ return ret;
+}
+
 int gen_ec_keys(Pkcs11Token* token, ecc_key* key, unsigned char* id, int idLen,
 int devId)
 {
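Review bot: gen_ec_keys_label generates the key with `wc_ecc_make_key_ex(&rng, 32, key, ECC_CURVE_DEF)` and no usage flag, while the first patch in this series moved pkcs11_genecc.c to wc_ecc_make_key_ex2 with WC_ECC_FLAG_DEC_SIGN precisely because tokens create an EC key for derivation or for decrypt/sign but not both. The caller added later in pkcs11_test runs both ecdh_test and ecdsa_test on this single label key, so on such a token one of the two may fail; if that is the intended coverage, a comment here stating which usage the flag-less call maps to would help, otherwise the test needs one key per usage. The new function never touches `token`; a `(void)token;` would make that explicit, unless the existing gen_ec_keys (whose body is outside the hunk) relies on the same convention.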
@@ -637,6 +709,58 @@ int aesgcm_test(int devId, Pkcs11Token* token)
 }
 }
+ if (ret == 0) {
+ wc_Pkcs11Token_Open(token, 1);
+ /* AES256-GCM */
+ if (ret == 0)
+ ret = wc_AesInit_Label(&aes, "myAesGcmKey", NULL, devId);
+ if (ret == 0) {
+ ret = wc_AesGcmSetKey(&aes, key, AES_256_KEY_SIZE);
+ if (ret != 0)
+ fprintf(stderr, "Set Key failed: %d\n", ret);
+ }
+ if (ret == 0) {
+ ret = wc_Pkcs11StoreKey(token, PKCS11_KEY_TYPE_AES_GCM, 1,
+ (void*)&aes);
+ if (ret == NOT_COMPILED_IN)
+ ret = 0;
+ if (ret != 0)
+ fprintf(stderr, "Store Key failed: %d\n", ret);
+ }
+ if (ret == 0) {
+ ret = wc_AesGcmEncrypt(&aes, enc, data, sizeof(data), iv,
+ sizeof(iv), authTag, sizeof(authTag), NULL, 0);
+ if (ret != 0)
+ fprintf(stderr, "Encrypt failed: %d\n", ret);
+ }
+ if (ret == 0) {
+ if (memcmp(enc, exp256, sizeof(exp256)) != 0) {
+ fprintf(stderr, "Encrypted data didn't match expected\n");
+ ret = -1;
+ }
+ }
+ if (ret == 0) {
+ if (memcmp(authTag, expTag256, sizeof(expTag256)) != 0) {
+ fprintf(stderr, "Auth tag didn't match expected\n");
+ ret = -1;
+ }
+ }
+ if (ret == 0) {
+ ret = wc_AesGcmDecrypt(&aes, dec, enc, sizeof(enc), iv, sizeof(iv),
+ authTag, sizeof(authTag), NULL, 0);
+ if (ret != 0)
+ fprintf(stderr, "Decrypt failed: %d\n", ret);
+ }
+ if (ret == 0) {
+ if (memcmp(dec, data, ret) != 0) {
+ fprintf(stderr, "Decrypted data didn't match plaintext\n");
+ ret = -1;
+ }
+ }
+ wc_Pkcs11Token_Close(token);
+ }
+
+
 if (ret == 0) {
 wc_Pkcs11Token_Open(token, 1);
 /* AES256-GCM */
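Review bot: The plaintext check `if (memcmp(dec, data, ret) != 0) {` compares zero bytes: it sits inside `if (ret == 0)`, so ret is exactly 0 at that point and the decrypted output is never actually verified. Use the buffer length instead, `if (memcmp(dec, data, sizeof(data)) != 0) {`. The identical zero-length compare is in the new AES256-CBC block of aescbc_test in the next hunk. The return value of `wc_Pkcs11Token_Open(token, 1)` is ignored and the inner `if (ret == 0)` before wc_AesInit_Label is redundant since the whole block is already under `if (ret == 0)`; both look copied from the existing block that follows. aesgcm_test's start and end are outside the hunk.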
@@ -754,6 +878,55 @@ int aescbc_test(int devId, Pkcs11Token* token)
 }
 }
+ if (ret == 0) {
+ wc_Pkcs11Token_Open(token, 1);
+ /* AES256-CBC */
+ if (ret == 0)
+ ret = wc_AesInit_Label(&aes, "myAesCbcKey", NULL, devId);
+ if (ret == 0) {
+ ret = wc_AesSetKey(&aes, key, AES_256_KEY_SIZE, iv, AES_ENCRYPTION);
+ if (ret != 0)
+ fprintf(stderr, "Set Key failed: %d\n", ret);
+ }
+ if (ret == 0) {
+ ret = wc_Pkcs11StoreKey(token, PKCS11_KEY_TYPE_AES_CBC, 1,
+ (void*)&aes);
+ if (ret == NOT_COMPILED_IN)
+ ret = 0;
+ if (ret != 0)
+ fprintf(stderr, "Store Key failed: %d\n", ret);
+ }
+ if (ret == 0) {
+ ret = wc_AesCbcEncrypt(&aes, enc, data, sizeof(data));
+ if (ret != 0)
+ fprintf(stderr, "Encrypt failed: %d\n", ret);
+ }
+ if (ret == 0) {
+ if (memcmp(enc, exp256, sizeof(exp256)) != 0) {
+ fprintf(stderr, "Encrypted data didn't match expected\n");
+ ret = -1;
+ }
+ }
+ if (ret == 0) {
+ ret = wc_AesSetKey(&aes, key, AES_256_KEY_SIZE, iv, AES_DECRYPTION);
+ if (ret != 0)
+ fprintf(stderr, "Set Key failed: %d\n", ret);
+ }
+ if (ret == 0) {
+ ret = wc_AesCbcDecrypt(&aes, dec, enc, sizeof(enc));
+ if (ret != 0)
+ fprintf(stderr, "Decrypt failed: %d\n", ret);
+ }
+ if (ret == 0) {
+ if (memcmp(dec, data, ret) != 0) {
+ fprintf(stderr, "Decrypted data didn't match plaintext\n");
+ ret = -1;
+ }
+ }
+ wc_Pkcs11Token_Close(token);
+ }
+
+
 if (ret == 0) {
 wc_Pkcs11Token_Open(token, 1);
 /* AES256-CBC */
@@ -817,7 +990,7 @@ int hmac_op(unsigned char* key, int keyLen, int hashAlg, unsigned char* data,
 wc_Pkcs11Token_Open(token, 1);
 /* HMAC */
- ret = wc_HmacInit_Id(&hmac, (unsigned char*)"AES123", 6, NULL, devId);
+ ret = wc_HmacInit_Label(&hmac, "myHmacKey", NULL, devId);
 if (ret == 0) {
 ret = wc_HmacSetKey(&hmac, hashAlg, key, keyLen);
 if (ret != 0)
@@ -849,6 +1022,42 @@ int hmac_op(unsigned char* key, int keyLen, int hashAlg, unsigned char* data,
 }
 wc_Pkcs11Token_Close(token);
+ if (ret == 0) {
+ wc_Pkcs11Token_Open(token, 1);
+ /* HMAC */
+ ret = wc_HmacInit_Id(&hmac, (unsigned char*)"HMAC123", 7, NULL, devId);
+ if (ret == 0) {
+ ret = wc_HmacSetKey(&hmac, hashAlg, key, keyLen);
+ if (ret != 0)
+ fprintf(stderr, "Set Key failed: %d\n", ret);
+ }
+ if (ret == 0) {
+ ret = wc_Pkcs11StoreKey(token, PKCS11_KEY_TYPE_HMAC, 0,
+ (void*)&hmac);
+ if (ret == NOT_COMPILED_IN)
+ ret = 0;
+ if (ret != 0)
+ fprintf(stderr, "Store Key failed: %d\n", ret);
+ }
+ if (ret == 0) {
+ ret = wc_HmacUpdate(&hmac, data, dataLen);
+ if (ret != 0)
+ fprintf(stderr, "HMAC Update failed: %d\n", ret);
+ }
+ if (ret == 0) {
+ ret = wc_HmacFinal(&hmac, res);
+ if (ret != 0)
+ fprintf(stderr, "HMAC Update failed: %d\n", ret);
+ }
+ if (ret == 0) {
+ if (memcmp(res, exp, expLen) != 0) {
+ fprintf(stderr, "HMAC result didn't match expected\n");
+ ret = -1;
+ }
+ }
+ wc_Pkcs11Token_Close(token);
+ }
+
 return ret;
 }
@@ -1009,7 +1218,23 @@ int pkcs11_test(int devId, Pkcs11Token* token)
 if (ret == 0) {
 wc_Pkcs11Token_Open(token, 1);
- fprintf(stderr, "Generate RSA Key\n");
+ fprintf(stderr, "Generate RSA Key - LABEL\n");
+ ret = gen_rsa_key_label(token, &key, "myRsaKey", devId);
+ }
+ if (ret == 0) {
+ fprintf(stderr, "Encrypt/Decrypt with RSA Key\n");
+ ret = rsaenc_test(&key);
+ }
+ if (ret == 0) {
+ fprintf(stderr, "Sign/Verify with RSA Key\n");
+ ret = rsasig_test(&key);
+ }
+ wc_Pkcs11Token_Close(token);
+ wc_FreeRsaKey(&key);
+
+ if (ret == 0) {
+ wc_Pkcs11Token_Open(token, 1);
+ fprintf(stderr, "Generate RSA Key - ID\n");
 ret = gen_rsa_key(token, &key, (unsigned char*)"123", 3, devId);
 }
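Review bot: The failure message after `ret = wc_HmacFinal(&hmac, res);` reads `"HMAC Update failed: %d\n"`, the same text as the wc_HmacUpdate branch just above it, so a Final failure is misattributed in the log; change it to `fprintf(stderr, "HMAC Final failed: %d\n", ret);`. This second block repeats the HMAC through the ID API after the label block, and the ID it uses is `"HMAC123"` where the removed line in the previous hunk had `"AES123"` — that looks deliberate but is not mentioned in the commit message. As in the AES blocks, the result of `wc_Pkcs11Token_Open(token, 1)` is not checked.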
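Review bot: In the new RSA label sequence `wc_Pkcs11Token_Close(token);` and `wc_FreeRsaKey(&key);` run unconditionally, so when ret is already non-zero on entry the token is closed without ever having been opened and a key that gen_rsa_key_label never initialised is freed; the ID path below has the same shape, so this may be an accepted convention of the file, but it is worth either nesting both calls under the same `if (ret == 0)` or noting why it is safe. The same `key` is reused for the ID test right after being freed, which relies on gen_rsa_key re-initialising it (its body is outside this hunk). pkcs11_test starts and ends outside the hunk.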
@@ -1066,7 +1291,25 @@ int pkcs11_test(int devId, Pkcs11Token* token)
 if (ret == 0) {
 wc_Pkcs11Token_Open(token, 1);
- fprintf(stderr, "Generate EC Keys\n");
+ fprintf(stderr, "Generate EC Keys - LABEL\n");
+ ret = gen_ec_keys_label(token, &eccPriv, "myEccKey", devId);
+ memcpy(&eccPub, &eccPriv, sizeof(ecc_key));
+ eccPub.devId = INVALID_DEVID;
+ }
+ if (ret == 0) {
+ fprintf(stderr, "Derive secret with ECC Keys\n");
+ ret = ecdh_test(&eccPriv, &eccPriv, 0);
+ }
+ if (ret == 0) {
+ fprintf(stderr, "Sign/Verify with ECC Keys\n");
+ ret = ecdsa_test(&eccPriv, &eccPriv, NULL, &eccPub);
+ }
+ wc_Pkcs11Token_Close(token);
+ wc_ecc_free(&eccPriv);
+
+ if (ret == 0) {
+ wc_Pkcs11Token_Open(token, 1);
+ fprintf(stderr, "Generate EC Keys - ID\n");
 ret = gen_ec_keys(token, &eccPriv, (unsigned char*)"123ecc", 6, devId);
 memcpy(&eccPub, &eccPriv, sizeof(ecc_key));