diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5ed10a01..f2915acc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -85,7 +85,8 @@ jobs:
echo -e "::group::${{ env.bashInfo }} ${{ env.stepName }} ${{ env.bashEnd }}"
sudo apt-get install -y lcov
- CFLAGS="--coverage -Wall -Wextra -DNDEBUG"
+ # target_enable_gcov is added in each unit test already, --coverage option is not required
+ CFLAGS="-Wall -Wextra -DNDEBUG"
cmake -S test -B build/ \
-G "Unix Makefiles" \
-DCMAKE_BUILD_TYPE=Debug \
@@ -128,8 +129,8 @@ jobs:
if: steps.build-unit-tests.outcome == 'success'
with:
coverage-file: ./build/coverage.info
- line-coverage-min: 99
- branch-coverage-min: 90
+ line-coverage-min: 100
+ branch-coverage-min: 92
- name: Archive Test Results
if: steps.build-unit-tests.outcome == 'success'
diff --git a/docs/doxygen/include/size_table.md b/docs/doxygen/include/size_table.md
index 6d7063ae..d999d2b6 100644
--- a/docs/doxygen/include/size_table.md
+++ b/docs/doxygen/include/size_table.md
@@ -10,7 +10,7 @@
core_pkcs11.c |
0.8K |
- 0.8K |
+ 0.7K |
core_pki_utils.c |
@@ -20,11 +20,11 @@
core_pkcs11_mbedtls.c |
9.0K |
- 7.5K |
+ 7.4K |
Total estimates |
10.3K |
- 8.6K |
+ 8.4K |
diff --git a/source/core_pkcs11.c b/source/core_pkcs11.c
index 85198026..b07baea1 100644
--- a/source/core_pkcs11.c
+++ b/source/core_pkcs11.c
@@ -41,35 +41,6 @@
/*-----------------------------------------------------------*/
-/** @brief Open a PKCS #11 Session.
- *
- * \param[out] pxSession Pointer to the session handle to be created.
- * \param[out] xSlotId Slot ID to be used for the session.
- *
- * \return CKR_OK or PKCS #11 error code. (PKCS #11 error codes are positive).
- */
-static CK_RV prvOpenSession( CK_SESSION_HANDLE * pxSession,
- CK_SLOT_ID xSlotId )
-{
- CK_RV xResult;
- CK_FUNCTION_LIST_PTR pxFunctionList;
-
- xResult = C_GetFunctionList( &pxFunctionList );
-
- if( ( xResult == CKR_OK ) && ( pxFunctionList != NULL ) && ( pxFunctionList->C_OpenSession != NULL ) )
- {
- xResult = pxFunctionList->C_OpenSession( xSlotId,
- CKF_SERIAL_SESSION | CKF_RW_SESSION,
- NULL, /* Application defined pointer. */
- NULL, /* Callback function. */
- pxSession );
- }
-
- return xResult;
-}
-
-/*-----------------------------------------------------------*/
-
CK_RV xGetSlotList( CK_SLOT_ID ** ppxSlotId,
CK_ULONG * pxSlotCount )
{
@@ -193,26 +164,27 @@ CK_RV xInitializePkcs11Token( void )
CK_FLAGS xTokenFlags = 0;
CK_TOKEN_INFO_PTR pxTokenInfo = NULL;
- xResult = C_GetFunctionList( &pxFunctionList );
+ xResult = xInitializePKCS11();
- if( ( pxFunctionList == NULL ) || ( pxFunctionList->C_GetTokenInfo == NULL ) || ( pxFunctionList->C_InitToken == NULL ) )
+ if( ( xResult == CKR_OK ) || ( xResult == CKR_CRYPTOKI_ALREADY_INITIALIZED ) )
{
- xResult = CKR_FUNCTION_FAILED;
+ xResult = xGetSlotList( &pxSlotId, &xSlotCount );
}
if( xResult == CKR_OK )
{
- xResult = xInitializePKCS11();
- }
+ xResult = C_GetFunctionList( &pxFunctionList );
- if( ( xResult == CKR_OK ) || ( xResult == CKR_CRYPTOKI_ALREADY_INITIALIZED ) )
- {
- xResult = xGetSlotList( &pxSlotId, &xSlotCount );
+ if( xResult == CKR_OK )
+ {
+ if( ( pxFunctionList == NULL ) || ( pxFunctionList->C_GetTokenInfo == NULL ) || ( pxFunctionList->C_InitToken == NULL ) )
+ {
+ xResult = CKR_FUNCTION_FAILED;
+ }
+ }
}
- if( ( xResult == CKR_OK ) &&
- ( NULL != pxFunctionList->C_GetTokenInfo ) &&
- ( NULL != pxFunctionList->C_InitToken ) )
+ if( xResult == CKR_OK )
{
/* Check if the token requires further initialization. */
/* MISRA Ref 11.5.1 [Void pointer assignment] */
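Review bot: The reordering in xInitializePkcs11Token now runs xGetSlotList before the function list is fetched and validated, so the new `CKR_FUNCTION_FAILED` path (and a failing `C_GetFunctionList`) can be reached with pxSlotId already allocated. The removed code rejected a bad function list before any allocation took place. The function's cleanup lies below this hunk, so please confirm pxSlotId is released on every exit and not only after a successful C_GetTokenInfo. A short comment above the second block would make the dependency explicit, e.g. `/* pxSlotId may already be allocated here; it is freed at the end of the function. */`.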
@@ -270,13 +242,21 @@ CK_RV xInitializePkcs11Session( CK_SESSION_HANDLE * pxSession )
CK_FUNCTION_LIST_PTR pxFunctionList = NULL;
CK_ULONG xSlotCount = 0;
- xResult = C_GetFunctionList( &pxFunctionList );
-
if( pxSession == NULL )
{
xResult = CKR_ARGUMENTS_BAD;
}
+ if( xResult == CKR_OK )
+ {
+ xResult = C_GetFunctionList( &pxFunctionList );
+
+ if( ( xResult == CKR_OK ) && ( pxFunctionList == NULL ) )
+ {
+ xResult = CKR_FUNCTION_FAILED;
+ }
+ }
+
/* Initialize the module. */
if( xResult == CKR_OK )
{
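Review bot: With the unconditional `xResult = C_GetFunctionList( &pxFunctionList );` removed from the top of xInitializePkcs11Session, the added `if( xResult == CKR_OK )` reads xResult before anything in this hunk assigns it whenever pxSession is non-NULL. That is only sound if the declaration initialises it, as in `CK_RV xResult = CKR_OK;`. The declaration sits above the hunk and is not visible here, so it is worth confirming before merging.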
@@ -295,19 +275,30 @@ CK_RV xInitializePkcs11Session( CK_SESSION_HANDLE * pxSession )
}
/* Open a PKCS #11 session. */
- if( ( xResult == CKR_OK ) && ( pxSlotId != NULL ) && ( xSlotCount >= 1UL ) )
+ if( ( xResult == CKR_OK ) && ( xSlotCount >= 1UL ) )
{
/* We will take the first slot available.
* If your application has multiple slots, insert logic
* for selecting an appropriate slot here.
*/
- xResult = prvOpenSession( pxSession, pxSlotId[ 0 ] );
+ if( pxFunctionList->C_OpenSession != NULL )
+ {
+ xResult = pxFunctionList->C_OpenSession( pxSlotId[ 0 ],
+ CKF_SERIAL_SESSION | CKF_RW_SESSION,
+ NULL, /* Application defined pointer. */
+ NULL, /* Callback function. */
+ pxSession );
+ }
+ else
+ {
+ xResult = CKR_FUNCTION_FAILED;
+ }
/* Free the memory allocated by xGetSlotList. */
pkcs11configPKCS11_FREE( pxSlotId );
}
- if( ( xResult == CKR_OK ) && ( pxFunctionList != NULL ) && ( pxFunctionList->C_Login != NULL ) )
+ if( ( xResult == CKR_OK ) && ( pxFunctionList->C_Login != NULL ) )
{
xResult = pxFunctionList->C_Login( *pxSession,
CKU_USER,
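Review bot: In the session-open block, a successful xGetSlotList that reports `xSlotCount == 0` skips the whole block and leaves xResult at CKR_OK, so the following C_Login condition passes and `*pxSession` is used without C_OpenSession ever having written it. The block is also the only place in view where pxSlotId is freed, and with the `pxSlotId != NULL` guard dropped the `pxSlotId[ 0 ]` read now relies on xGetSlotList never returning CKR_OK with a NULL list. Both depend on xGetSlotList, which is outside this hunk. An explicit failure branch would close the gap, for example `else if( xResult == CKR_OK ) { xResult = CKR_FUNCTION_FAILED; }` (or whichever code the project prefers for "no slot available"). The C_Login call continues past the end of the hunk.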
diff --git a/source/portable/mbedtls/core_pkcs11_mbedtls.c b/source/portable/mbedtls/core_pkcs11_mbedtls.c
index 62b36174..663a9db6 100644
--- a/source/portable/mbedtls/core_pkcs11_mbedtls.c
+++ b/source/portable/mbedtls/core_pkcs11_mbedtls.c
@@ -762,15 +762,9 @@ static CK_RV prvRsaContextParse( const CK_ATTRIBUTE * pxAttribute,
lMbedTLSResult = mbedtls_mpi_read_binary( &pxRsaContext->DQ, pxAttribute->pValue, pxAttribute->ulValueLen );
break;
- case ( CKA_COEFFICIENT ):
- lMbedTLSResult = mbedtls_mpi_read_binary( &pxRsaContext->QP, pxAttribute->pValue, pxAttribute->ulValueLen );
- break;
-
default:
-
- /* This should never be reached, as the above types are what gets this function called.
- * Nevertheless this is an error case, and MISRA requires a default statement. */
- xResult = CKR_ATTRIBUTE_TYPE_INVALID;
+ /* This is the CKA_COEFFICIENT case. The type is checked in prvRsaKeyAttParse. */
+ lMbedTLSResult = mbedtls_mpi_read_binary( &pxRsaContext->QP, pxAttribute->pValue, pxAttribute->ulValueLen );
break;
}
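Review bot: Folding CKA_COEFFICIENT into `default:` in prvRsaContextParse means any attribute type that is not one of the explicit cases is now read into `pxRsaContext->QP` instead of being rejected with CKR_ATTRIBUTE_TYPE_INVALID. The new comment says the type is checked in prvRsaKeyAttParse, which is not visible in this hunk, so the safety of the switch rests entirely on that caller staying in sync with it. For private-key import code I would keep the explicit `case ( CKA_COEFFICIENT ):` together with the rejecting default, and annotate or exclude the uncovered branch rather than remove the fail-closed path to raise coverage. The switch begins above the hunk.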
@@ -3449,7 +3443,7 @@ CK_DECLARE_FUNCTION( CK_RV, C_FindObjectsInit )( CK_SESSION_HANDLE hSession,
xResult = CKR_ARGUMENTS_BAD;
}
- if( ( ulCount != 1UL ) && ( ulCount != 2UL ) )
+ if( ( ulCount < 1UL ) || ( ulCount > 2UL ) )
{
xResult = CKR_ARGUMENTS_BAD;
LogError( ( "Failed to initialize find object operation. Find objects "
diff --git a/test/pkcs11_mbedtls_utest/core_pkcs11_mbedtls_utest.c b/test/pkcs11_mbedtls_utest/core_pkcs11_mbedtls_utest.c
index 4b236b16..ae73c423 100644
--- a/test/pkcs11_mbedtls_utest/core_pkcs11_mbedtls_utest.c
+++ b/test/pkcs11_mbedtls_utest/core_pkcs11_mbedtls_utest.c
@@ -197,6 +197,7 @@ static void * pvPkcs11CallocCb( size_t nitems,
size_t size,
int numCalls )
{
+ ( void ) numCalls;
usMallocFreeCalls++;
return ( void * ) calloc( nitems, size );
}
@@ -204,6 +205,8 @@ static void * pvPkcs11CallocCb( size_t nitems,
static void vPkcs11FreeCb( void * pvPtr,
int numCalls )
{
+ ( void ) numCalls;
+
if( pvPtr != NULL )
{
usMallocFreeCalls--;
@@ -1265,6 +1268,72 @@ void test_pkcs11_C_CreateObjectECPrivKey( void )
}
}
+/*!
+ * @brief C_CreateObject Creating an EC private key with label length greater than pkcs11configMAX_LABEL_LENGTH.
+ *
+ */
+void test_pkcs11_C_CreateObjectECPrivKeyLabelTooLong( void )
+{
+ CK_RV xResult = CKR_OK;
+ CK_SESSION_HANDLE xSession = 0;
+ CK_KEY_TYPE xPrivateKeyType = CKK_EC;
+ CK_OBJECT_CLASS xPrivateKeyClass = CKO_PRIVATE_KEY;
+ CK_BBOOL xTrue = CK_TRUE;
+ mbedtls_ecp_keypair xKeyContext = { 0 };
+ char * pucPrivLabel = pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS;
+ /* DER-encoding of an ANSI X9.62 Parameters value */
+ CK_BYTE * pxEcPrivParams = ( CK_BYTE * ) ( "\x06\x08" MBEDTLS_OID_EC_GRP_SECP256R1 );
+ CK_OBJECT_HANDLE xObject = 0;
+ const uint8_t pusEmptyPubKey[ 6 ] = { 0xa1, 0x04, 0x03, 0x02, 0x00, 0x00 };
+ uint8_t pusFakePrivateKey[ pkcs11_PRIVATE_EC_PRIME_256_DER_SIZE ] = { 0 };
+
+ ( void ) memcpy( &pusFakePrivateKey[ pkcs11_PRIVATE_EC_PRIME_256_DER_SIZE - sizeof( pusEmptyPubKey ) ], pusEmptyPubKey, sizeof( pusEmptyPubKey ) );
+
+
+ /* Private value D. */
+ CK_BYTE pxD[ EC_D_LENGTH ] = { 0 };
+
+ CK_ATTRIBUTE xPrivateKeyTemplate[] = EC_PRIV_KEY_INITIALIZER;
+
+ prvCommonInitStubs( &xSession );
+
+ if( TEST_PROTECT() )
+ {
+ mbedtls_pk_init_CMockIgnore();
+ mbedtls_calloc_Stub( pvPkcs11CallocCb );
+ PKCS11_PAL_FindObject_IgnoreAndReturn( 1 );
+ PKCS11_PAL_GetObjectValue_IgnoreAndReturn( CKR_OK );
+ mbedtls_pk_parse_key_IgnoreAndReturn( 0 );
+ PKCS11_PAL_GetObjectValueCleanup_CMockIgnore();
+ mbedtls_calloc_IgnoreAndReturn( &xKeyContext );
+ mbedtls_ecp_keypair_init_CMockIgnore();
+ mbedtls_ecp_group_init_CMockIgnore();
+ mbedtls_ecp_group_load_IgnoreAndReturn( 0 );
+ mbedtls_calloc_Stub( pvPkcs11CallocCb );
+ mbedtls_mpi_read_binary_IgnoreAndReturn( 0 );
+ mbedtls_pk_write_key_der_ExpectAnyArgsAndReturn( 6 );
+ mbedtls_pk_write_key_der_ReturnArrayThruPtr_buf( pusFakePrivateKey, sizeof( pusFakePrivateKey ) );
+ mbedtls_pk_free_CMockIgnore();
+ PKCS11_PAL_SaveObject_IgnoreAndReturn( 1 );
+ mock_osal_mutex_lock_IgnoreAndReturn( 0 );
+ mock_osal_mutex_unlock_IgnoreAndReturn( 0 );
+ mbedtls_free_Stub( vPkcs11FreeCb );
+
+ xPrivateKeyTemplate[ 2 ].ulValueLen = pkcs11configMAX_LABEL_LENGTH + 1;
+ xResult = C_CreateObject( xSession,
+ ( CK_ATTRIBUTE_PTR ) &xPrivateKeyTemplate,
+ sizeof( xPrivateKeyTemplate ) / sizeof( CK_ATTRIBUTE ),
+ &xObject );
+
+ TEST_ASSERT_EQUAL( CKR_ARGUMENTS_BAD, xResult );
+ }
+
+ if( TEST_PROTECT() )
+ {
+ prvCommonDeinitStubs( &xSession );
+ }
+}
+
/*!
* @brief C_CreateObject fail to malloc memory when loading EC curve.
*
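Review bot: `xPrivateKeyTemplate[ 2 ].ulValueLen = pkcs11configMAX_LABEL_LENGTH + 1;` only enlarges the declared length. The attribute's pValue presumably still points at the shorter pucPrivLabel string (EC_PRIV_KEY_INITIALIZER is not visible here), so any path in C_CreateObject that reads ulValueLen bytes before rejecting the label would read past the end of that string. Backing the attribute with a buffer of the claimed size keeps the test clean under sanitizers: `char pcLongLabel[ pkcs11configMAX_LABEL_LENGTH + 1 ] = { 0 };` and `xPrivateKeyTemplate[ 2 ].pValue = pcLongLabel;`. The literal index 2 also ties the test to the initializer's field order, so a comment naming it as the CKA_LABEL entry would help.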
@@ -1276,7 +1345,6 @@ void test_pkcs11_C_CreateObjectECCurveLoadFail( void )
CK_KEY_TYPE xPrivateKeyType = CKK_EC;
CK_OBJECT_CLASS xPrivateKeyClass = CKO_PRIVATE_KEY;
CK_BBOOL xTrue = CK_TRUE;
- mbedtls_ecp_keypair xKeyContext = { 0 };
char * pucPrivLabel = pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS;
/* DER-encoding of an ANSI X9.62 Parameters value */
CK_BYTE * pxEcPrivParams = ( CK_BYTE * ) ( "\x06\x08" MBEDTLS_OID_EC_GRP_SECP256R1 );
@@ -2150,11 +2218,6 @@ void test_pkcs11_C_CreateObjectCertificateIncomplete( void )
CK_SESSION_HANDLE xSession = 0;
CK_OBJECT_HANDLE xObject = 0;
CK_OBJECT_CLASS xCertificateClass = CKO_CERTIFICATE;
- CK_CERTIFICATE_TYPE xCertificateType = CKC_X_509;
- CK_BBOOL xTokenStorage = CK_TRUE;
- CK_BYTE xSubject[] = "TestSubject";
- CK_BYTE xCert[] = "Empty Cert";
- char * pucLabel = pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS;
CK_ATTRIBUTE xCertificateTemplate[] =
{
@@ -2483,7 +2546,6 @@ void test_pkcs11_C_CreateObjectSHA256HMACKeyMissingLabel( void )
CK_OBJECT_CLASS xKeyClass = CKO_SECRET_KEY;
CK_BBOOL xTrue = CK_TRUE;
CK_OBJECT_HANDLE xObject = CK_INVALID_HANDLE;
- CK_BYTE pcLabel[] = pkcs11configLABEL_HMAC_KEY;
CK_BYTE pxKeyValue[] = "abcdabcdabcdabcdabcdabcdabcdabcd";
@@ -2849,7 +2911,6 @@ void test_pkcs11_C_CreateObjectAESCMACKeyMissingLabel( void )
CK_OBJECT_CLASS xKeyClass = CKO_SECRET_KEY;
CK_BBOOL xTrue = CK_TRUE;
CK_OBJECT_HANDLE xObject = CK_INVALID_HANDLE;
- CK_BYTE pcLabel[] = pkcs11configLABEL_CMAC_KEY;
CK_BYTE pxKeyValue[] = "abcdabcdabcdabcdabcdabcdabcdabcd";
@@ -3065,6 +3126,35 @@ void test_pkcs11_C_CreateObjectAESCMACKeyInvalidKeyType( void )
}
}
+
+/*!
+ * @brief C_CreateObject NULL phObject
+ *
+ */
+void test_pkcs11_C_CreateObjectNullObject( void )
+{
+ CK_RV xResult = CKR_OK;
+ CK_SESSION_HANDLE xSession = 0;
+ CK_ATTRIBUTE xPrivateKeyTemplate[] = { 0 };
+
+ prvCommonInitStubs( &xSession );
+
+ if( TEST_PROTECT() )
+ {
+ xResult = C_CreateObject( xSession,
+ ( CK_ATTRIBUTE_PTR ) &xPrivateKeyTemplate,
+ sizeof( xPrivateKeyTemplate ) / sizeof( CK_ATTRIBUTE ),
+ NULL );
+
+ TEST_ASSERT_EQUAL( CKR_ARGUMENTS_BAD, xResult );
+ }
+
+ if( TEST_PROTECT() )
+ {
+ prvCommonDeinitStubs( &xSession );
+ }
+}
+
/* ====================== TESTING C_GetAttributeValue ============================ */
/*!
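Review bot: test_pkcs11_C_CreateObjectNullObject passes a template made of one zeroed CK_ATTRIBUTE, so the expected CKR_ARGUMENTS_BAD may not be attributable to the NULL phObject alone. If the NULL check were removed, the zeroed template (type 0, NULL pValue, zero length) could plausibly still produce an error, and the test would not notice the regression. Using a well-formed template, such as the one built with EC_PRIV_KEY_INITIALIZER in the EC private-key tests, would make the NULL handle the only invalid argument. The brief could then read `@brief C_CreateObject rejects a NULL phObject with an otherwise valid template.`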
@@ -3281,14 +3371,7 @@ void test_pkcs11_C_GetAttributeValueMultipleAttParsing( void )
CK_SESSION_HANDLE xSession = 0;
CK_OBJECT_HANDLE xObject = 0;
CK_ULONG ulCount = 2;
- CK_ULONG ulLength = 1;
- CK_BYTE pulKnownBuf[] = pkcs11DER_ENCODED_OID_P256;
- CK_BYTE pulBuf[ sizeof( pulKnownBuf ) ] = { 0 };
CK_BYTE ulPoint[ pkcs11EC_POINT_LENGTH ] = { 0 };
- CK_BYTE ulKnownPoint = 0x04;
- CK_BBOOL xIsPrivate = CK_FALSE;
- CK_OBJECT_CLASS xPrivateKeyClass = { 0 };
- CK_OBJECT_CLASS xKnownPrivateKeyClass = CKO_PRIVATE_KEY;
CK_ATTRIBUTE xTemplates[ 2 ] = { 0 };
prvCommonInitStubs( &xSession );
@@ -3795,6 +3878,8 @@ void test_pkcs11_C_FindObjectsInitBadArgs( void )
xResult = C_FindObjectsInit( xSession, ( CK_ATTRIBUTE_PTR ) &xFindTemplate, -1 );
TEST_ASSERT_EQUAL( CKR_ARGUMENTS_BAD, xResult );
+ xResult = C_FindObjectsInit( xSession, ( CK_ATTRIBUTE_PTR ) &xFindTemplate, 0 );
+ TEST_ASSERT_EQUAL( CKR_ARGUMENTS_BAD, xResult );
mbedtls_calloc_Stub( NULL );
mbedtls_calloc_ExpectAnyArgsAndReturn( NULL );
@@ -3827,9 +3912,6 @@ void test_pkcs11_C_FindObjects( void )
CK_ULONG ulCount = 1;
CK_ULONG ulFoundCount = 0;
CK_OBJECT_HANDLE xObject = 0;
- CK_BYTE pucBuf[] = { 1, 1, 1, 1 };
- CK_BYTE_PTR * ppucBufPtr = ( CK_BYTE_PTR * ) &pucBuf;
- CK_ULONG ulObjectLength = sizeof( pucBuf );
char * pucLabel = pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS;
CK_ATTRIBUTE xFindTemplate = { CKA_LABEL, pucLabel, strlen( ( const char * ) pucLabel ) };
@@ -3915,9 +3997,6 @@ void test_pkcs11_C_FindObjectsBadArgs( void )
CK_ULONG ulFoundCount = 0;
CK_OBJECT_HANDLE xObject = 0;
char * pucLabel = pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS;
- CK_BYTE pucBuf[] = { 0, 0, 0, 0 };
- CK_BYTE ** ppucBufPtr = ( CK_BYTE ** ) &pucBuf;
- CK_ULONG ulObjectLength = sizeof( pucBuf );
CK_ATTRIBUTE xFindTemplate = { CKA_LABEL, pucLabel, strlen( ( const char * ) pucLabel ) };
@@ -3966,9 +4045,12 @@ void test_pkcs11_C_FindObjectsFinal( void )
CK_OBJECT_HANDLE xObject = 0;
char * pucLabel = pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS;
- PKCS11_CertificateTemplate_t xCertificateTemplate = { { CKA_LABEL,
- pucLabel,
- strlen( ( const char * ) pucLabel ) } };
+ CK_ATTRIBUTE xCertificateTemplate =
+ {
+ CKA_LABEL,
+ pucLabel,
+ strlen( ( const char * ) pucLabel )
+ };
prvCommonInitStubs( &xSession );
@@ -4636,14 +4718,12 @@ void test_pkcs11_C_SignSHA256HMAC( void )
CK_SESSION_HANDLE xSession = CK_INVALID_HANDLE;
CK_OBJECT_HANDLE xKey = CK_INVALID_HANDLE;
CK_MECHANISM xMechanism = { 0 };
- mbedtls_pk_context xSignAndVerifyKey;
CK_BYTE pxDummyData[ pkcs11SHA256_DIGEST_LENGTH ] = { 0xAA };
CK_ULONG ulDummyDataLen = sizeof( pxDummyData );
CK_BYTE pxDummySignature[ pkcs11SHA256_DIGEST_LENGTH ] = { 0xAA };
CK_ULONG ulDummySignatureLen = sizeof( pxDummySignature );
mbedtls_md_info_t xMdInfo = { 0 };
- xSignAndVerifyKey.pk_ctx = &xResult;
xMechanism.mechanism = CKM_SHA256_HMAC;
prvCommonInitStubs( &xSession );
@@ -4685,14 +4765,12 @@ void test_pkcs11_C_SignSHA256HMACUpdateFail( void )
CK_SESSION_HANDLE xSession = CK_INVALID_HANDLE;
CK_OBJECT_HANDLE xKey = CK_INVALID_HANDLE;
CK_MECHANISM xMechanism = { 0 };
- mbedtls_pk_context xSignAndVerifyKey;
CK_BYTE pxDummyData[ pkcs11SHA256_DIGEST_LENGTH ] = { 0xAA };
CK_ULONG ulDummyDataLen = sizeof( pxDummyData );
CK_BYTE pxDummySignature[ pkcs11SHA256_DIGEST_LENGTH ] = { 0xAA };
CK_ULONG ulDummySignatureLen = sizeof( pxDummySignature );
mbedtls_md_info_t xMdInfo = { 0 };
- xSignAndVerifyKey.pk_ctx = &xResult;
xMechanism.mechanism = CKM_SHA256_HMAC;
prvCommonInitStubs( &xSession );
@@ -4733,15 +4811,12 @@ void test_pkcs11_C_SignAESCMAC( void )
CK_SESSION_HANDLE xSession = CK_INVALID_HANDLE;
CK_OBJECT_HANDLE xKey = CK_INVALID_HANDLE;
CK_MECHANISM xMechanism = { 0 };
- mbedtls_pk_context xSignAndVerifyKey;
-
CK_BYTE pxDummyData[ pkcs11AES_CMAC_SIGNATURE_LENGTH ] = { 0xAA };
CK_ULONG ulDummyDataLen = sizeof( pxDummyData );
CK_BYTE pxDummySignature[ pkcs11AES_CMAC_SIGNATURE_LENGTH ] = { 0xAA };
CK_ULONG ulDummySignatureLen = sizeof( pxDummySignature );
mbedtls_cipher_info_t xCipherInfo = { 0 };
- xSignAndVerifyKey.pk_ctx = &xResult;
xMechanism.mechanism = CKM_AES_CMAC;
prvCommonInitStubs( &xSession );
@@ -4783,15 +4858,12 @@ void test_pkcs11_C_SignAESCMACUpdateFail( void )
CK_SESSION_HANDLE xSession = CK_INVALID_HANDLE;
CK_OBJECT_HANDLE xKey = CK_INVALID_HANDLE;
CK_MECHANISM xMechanism = { 0 };
- mbedtls_pk_context xSignAndVerifyKey;
-
CK_BYTE pxDummyData[ pkcs11AES_CMAC_SIGNATURE_LENGTH ] = { 0xAA };
CK_ULONG ulDummyDataLen = sizeof( pxDummyData );
CK_BYTE pxDummySignature[ pkcs11AES_CMAC_SIGNATURE_LENGTH ] = { 0xAA };
CK_ULONG ulDummySignatureLen = sizeof( pxDummySignature );
mbedtls_cipher_info_t xCipherInfo = { 0 };
- xSignAndVerifyKey.pk_ctx = &xResult;
xMechanism.mechanism = CKM_AES_CMAC;
prvCommonInitStubs( &xSession );
@@ -5138,7 +5210,6 @@ void test_pkcs11_C_VerifyInitSHA256HMACMDLockFail( void )
CK_SESSION_HANDLE xSession = 0;
CK_OBJECT_HANDLE xObject = 0;
CK_MECHANISM xMechanism = { 0 };
- CK_BBOOL xIsPrivate = CK_FALSE;
mbedtls_md_info_t xMdInfo = { 0 };
xMechanism.mechanism = CKM_SHA256_HMAC;
@@ -5331,7 +5402,6 @@ void test_pkcs11_C_VerifyInitAESCMACCipherLockFail( void )
CK_SESSION_HANDLE xSession = 0;
CK_OBJECT_HANDLE xObject = 0;
CK_MECHANISM xMechanism = { 0 };
- CK_BBOOL xIsPrivate = CK_FALSE;
mbedtls_cipher_info_t xCipherInfo = { 0 };
xMechanism.mechanism = CKM_AES_CMAC;
@@ -5658,6 +5728,60 @@ void test_pkcs11_C_VerifyRSA( void )
}
}
+/*!
+ * @brief C_Verify public key not exist in session context.
+ *
+ */
+void test_pkcs11_C_VerifyRSANoPublicKey( void )
+{
+ CK_RV xResult = CKR_OK;
+ CK_SESSION_HANDLE xSession = CK_INVALID_HANDLE;
+ CK_OBJECT_HANDLE xObject = CK_INVALID_HANDLE;
+ CK_MECHANISM xMechanism = { 0 };
+ CK_BYTE pxDummyData[ pkcs11SHA256_DIGEST_LENGTH ] = { 0xAA };
+ CK_ULONG ulDummyDataLen = sizeof( pxDummyData );
+ CK_BYTE pxDummySignature[ pkcs11RSA_2048_SIGNATURE_LENGTH ] = { 0xAA };
+ CK_ULONG ulDummySignatureLen = sizeof( pxDummySignature );
+ mbedtls_pk_context xMbedContext = { 0 };
+ mbedtls_pk_info_t xPkInfo = { 0 };
+
+ /* These just have to be not NULL so we can hit the proper path. */
+ xMbedContext.pk_ctx = NULL;
+ xMbedContext.pk_info = &xPkInfo;
+
+ xMechanism.mechanism = CKM_RSA_X_509;
+ CK_BBOOL xIsPrivate = CK_FALSE;
+
+ prvCommonInitStubs( &xSession );
+
+ if( TEST_PROTECT() )
+ {
+ xResult = prvCreateRSAPub( &xSession, &xObject );
+ TEST_ASSERT_EQUAL( CKR_OK, xResult );
+
+ PKCS11_PAL_GetObjectValue_ExpectAnyArgsAndReturn( CKR_OK );
+ PKCS11_PAL_GetObjectValue_ReturnThruPtr_pIsPrivate( &xIsPrivate );
+ mbedtls_pk_init_StopIgnore();
+ mbedtls_pk_init_ExpectAnyArgs();
+ mbedtls_pk_init_ReturnThruPtr_ctx( &xMbedContext );
+ mbedtls_pk_parse_public_key_IgnoreAndReturn( 0 );
+ PKCS11_PAL_GetObjectValueCleanup_CMockIgnore();
+ xPkType = MBEDTLS_PK_RSA;
+ xResult = C_VerifyInit( xSession, &xMechanism, xObject );
+ TEST_ASSERT_EQUAL( CKR_OK, xResult );
+
+ mbedtls_pk_verify_IgnoreAndReturn( 0 );
+ mbedtls_pk_free_CMockIgnore();
+ xResult = C_Verify( xSession, pxDummyData, ulDummyDataLen, pxDummySignature, ulDummySignatureLen );
+ TEST_ASSERT_EQUAL( CKR_SIGNATURE_INVALID, xResult );
+ }
+
+ if( TEST_PROTECT() )
+ {
+ prvCommonDeinitStubs( &xSession );
+ }
+}
+
/*!
* @brief C_Verify RSA happy path with CKM_RSA_PKCS.
*
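Review bot: The comment `/* These just have to be not NULL so we can hit the proper path. */` in test_pkcs11_C_VerifyRSANoPublicKey contradicts the next line, `xMbedContext.pk_ctx = NULL;`, which is the condition this test exists to exercise. I suggest replacing it with `/* pk_ctx is deliberately NULL so C_Verify finds no public key; pk_info only has to be non-NULL. */`. Because `mbedtls_pk_verify_IgnoreAndReturn( 0 )` would report a valid signature if it were reached, a one-line comment that CKR_SIGNATURE_INVALID is expected to come from the missing-key check rather than from mbedtls would also make the intent clear.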
@@ -5909,6 +6033,53 @@ void test_pkcs11_C_VerifySHA256HMAC( void )
}
}
+/*!
+ * @brief C_Verify SHA256-HMAC invalid signature length.
+ *
+ */
+void test_pkcs11_C_VerifySHA256HMACInvalidSigLen( void )
+{
+ CK_RV xResult = CKR_OK;
+ CK_SESSION_HANDLE xSession = CK_INVALID_HANDLE;
+ CK_OBJECT_HANDLE xObject = CK_INVALID_HANDLE;
+ CK_MECHANISM xMechanism = { 0 };
+ CK_BYTE pxDummyData[ pkcs11SHA256_DIGEST_LENGTH ] = { 0xAA };
+ CK_ULONG ulDummyDataLen = sizeof( pxDummyData );
+ CK_BYTE pxDummySignature[ pkcs11SHA256_DIGEST_LENGTH ] = { 0xAA };
+ CK_ULONG ulDummySignatureLen = sizeof( pxDummySignature );
+ CK_BBOOL xIsPrivate = CK_FALSE;
+ mbedtls_md_info_t xMdInfo = { 0 };
+
+ xMechanism.mechanism = CKM_SHA256_HMAC;
+
+ prvCommonInitStubs( &xSession );
+
+ if( TEST_PROTECT() )
+ {
+ xResult = prvCreateSHA256HMAC( &xSession, &xObject );
+ TEST_ASSERT_EQUAL( CKR_OK, xResult );
+
+ PKCS11_PAL_GetObjectValue_ExpectAnyArgsAndReturn( CKR_OK );
+ PKCS11_PAL_GetObjectValue_ReturnThruPtr_pIsPrivate( &xIsPrivate );
+ mbedtls_md_init_CMockIgnore();
+ mbedtls_md_info_from_type_ExpectAnyArgsAndReturn( &xMdInfo );
+ mbedtls_md_setup_ExpectAnyArgsAndReturn( 0 );
+ mbedtls_md_hmac_starts_ExpectAnyArgsAndReturn( 0 );
+ PKCS11_PAL_GetObjectValueCleanup_CMockIgnore();
+ xResult = C_VerifyInit( xSession, &xMechanism, xObject );
+ TEST_ASSERT_EQUAL( CKR_OK, xResult );
+
+ /* Add 1 to signature length. */
+ xResult = C_Verify( xSession, pxDummyData, ulDummyDataLen, pxDummySignature, ulDummySignatureLen + 1 );
+ TEST_ASSERT_EQUAL( CKR_SIGNATURE_LEN_RANGE, xResult );
+ }
+
+ if( TEST_PROTECT() )
+ {
+ prvCommonDeinitStubs( &xSession );
+ }
+}
+
/*!
* @brief C_Verify SHA256-HMAC mbedtls_md_update fail.
*
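Review bot: test_pkcs11_C_VerifySHA256HMACInvalidSigLen only exercises a signature that is one byte too long (`ulDummySignatureLen + 1`). The shorter-than-expected case, which is the one that matters for rejecting truncated MACs, is not covered. Consider a second case passing `ulDummySignatureLen - 1` and expecting CKR_SIGNATURE_LEN_RANGE, re-running C_VerifyInit first if a failed C_Verify ends the operation (that behaviour is not visible in this hunk). The same applies to test_pkcs11_C_VerifyAESCMACInvalidSigLength in the next hunk.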
@@ -6107,6 +6278,52 @@ void test_pkcs11_C_VerifyAESCMAC( void )
}
}
+/*!
+ * @brief C_Verify AES-CMAC invalid signature length.
+ *
+ */
+void test_pkcs11_C_VerifyAESCMACInvalidSigLength( void )
+{
+ CK_RV xResult = CKR_OK;
+ CK_SESSION_HANDLE xSession = CK_INVALID_HANDLE;
+ CK_OBJECT_HANDLE xObject = CK_INVALID_HANDLE;
+ CK_MECHANISM xMechanism = { 0 };
+ CK_BYTE pxDummyData[ pkcs11AES_CMAC_SIGNATURE_LENGTH ] = { 0xAA };
+ CK_ULONG ulDummyDataLen = sizeof( pxDummyData );
+ CK_BYTE pxDummySignature[ pkcs11AES_CMAC_SIGNATURE_LENGTH ] = { 0xAA };
+ CK_ULONG ulDummySignatureLen = sizeof( pxDummySignature );
+ CK_BBOOL xIsPrivate = CK_FALSE;
+ mbedtls_cipher_info_t xCipherInfo = { 0 };
+
+ xMechanism.mechanism = CKM_AES_CMAC;
+
+ prvCommonInitStubs( &xSession );
+
+ if( TEST_PROTECT() )
+ {
+ xResult = prvCreateAESCMAC( &xSession, &xObject );
+ TEST_ASSERT_EQUAL( CKR_OK, xResult );
+
+ PKCS11_PAL_GetObjectValue_ExpectAnyArgsAndReturn( CKR_OK );
+ PKCS11_PAL_GetObjectValue_ReturnThruPtr_pIsPrivate( &xIsPrivate );
+ mbedtls_cipher_init_CMockIgnore();
+ mbedtls_cipher_info_from_type_ExpectAnyArgsAndReturn( &xCipherInfo );
+ mbedtls_cipher_setup_ExpectAnyArgsAndReturn( 0 );
+ mbedtls_cipher_cmac_starts_ExpectAnyArgsAndReturn( 0 );
+ PKCS11_PAL_GetObjectValueCleanup_CMockIgnore();
+ xResult = C_VerifyInit( xSession, &xMechanism, xObject );
+ TEST_ASSERT_EQUAL( CKR_OK, xResult );
+
+ xResult = C_Verify( xSession, pxDummyData, ulDummyDataLen, pxDummySignature, ulDummySignatureLen + 1 );
+ TEST_ASSERT_EQUAL( CKR_SIGNATURE_LEN_RANGE, xResult );
+ }
+
+ if( TEST_PROTECT() )
+ {
+ prvCommonDeinitStubs( &xSession );
+ }
+}
+
/*!
* @brief C_Verify AES-CMAC mbedtls_cipher_update fail.
*
@@ -6639,7 +6856,6 @@ void test_pkcs11_C_GenerateKeyPairRSAGen( void )
{
CKM_RSA_PKCS_KEY_PAIR_GEN, NULL_PTR, 0
};
- CK_BYTE xEcParams[] = pkcs11DER_ENCODED_OID_P256; /* prime256v1 */
CK_KEY_TYPE xKeyType = CKK_RSA;
CK_BBOOL xTrue = CK_TRUE;
diff --git a/test/wrapper_utest/core_pkcs11_utest.c b/test/wrapper_utest/core_pkcs11_utest.c
index 2a240e87..5d42db47 100644
--- a/test/wrapper_utest/core_pkcs11_utest.c
+++ b/test/wrapper_utest/core_pkcs11_utest.c
@@ -179,7 +179,7 @@ static CK_RV prvSetFunctionList( CK_FUNCTION_LIST_PTR_PTR ppxPtr )
/*!
* @brief Create a stub for the PKCS #11 function list.
*
- * Fails on the fourth call in order to create coverage for a nested branch.
+ * Fails on the third call in order to create coverage for a nested branch.
*
*/
static CK_RV prvSetFunctionList2( CK_FUNCTION_LIST_PTR_PTR ppxPtr )
@@ -189,10 +189,7 @@ static CK_RV prvSetFunctionList2( CK_FUNCTION_LIST_PTR_PTR ppxPtr )
ulCalls++;
- /* This case is specifically for the scenario in which prvOpenSession
- * receives a failure when accessing C_GetFunctionList, which would be
- * the 4th call to C_GetFunctionList in the call stack. */
- if( ulCalls == 4 )
+ if( ulCalls == 3 )
{
xResult = CKR_ARGUMENTS_BAD;
*ppxPtr = NULL;
@@ -205,6 +202,42 @@ static CK_RV prvSetFunctionList2( CK_FUNCTION_LIST_PTR_PTR ppxPtr )
return xResult;
}
+/*!
+ * @brief Create a stub for the PKCS #11 function list.
+ *
+ * Fails on the third call in order to create coverage for a nested branch.
+ *
+ */
+static CK_RV prvSetFunctionList3( CK_FUNCTION_LIST_PTR_PTR ppxPtr )
+{
+ static uint32_t ulCalls = 0;
+ CK_RV xResult = CKR_OK;
+
+ ulCalls++;
+
+ if( ulCalls == 3 )
+ {
+ /* Return CKR_OK but with NULL function list pointer here. */
+ *ppxPtr = NULL;
+ }
+ else
+ {
+ *ppxPtr = &prvP11FunctionList;
+ }
+
+ return xResult;
+}
+
+/*!
+ * @brief Return empty function list
+ *
+ */
+static CK_RV prvSetFunctionListEmpty( CK_FUNCTION_LIST_PTR_PTR ppxPtr )
+{
+ *ppxPtr = NULL;
+ return CKR_OK;
+}
+
/*!
* @brief Stub for receiving an uninitialized token.
*
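Review bot: prvSetFunctionList3 keeps its call count in `static uint32_t ulCalls`, which is never reset, so it returns the NULL list only on the third call made over the lifetime of the test binary. A second test that installs it, or a change in test order, would see different behaviour. prvSetFunctionList2 (its `ulCalls == 3` change is in the previous hunk) appears to follow the same pattern, though its declaration is outside the diff. Moving the counters to file scope and zeroing them in the per-test setup would make the stubs order-independent. The doc comment is also a copy of prvSetFunctionList2's and should describe the actual behaviour, e.g. `Returns CKR_OK with a NULL function list on the third call.`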
@@ -346,6 +379,37 @@ void test_IotPkcs11_xInitializePkcs11BadFunctionList( void )
TEST_ASSERT_EQUAL( CKR_DEVICE_ERROR, xResult );
}
+/*!
+ * @brief xInitializePKCS11 failed due to empty function list.
+ *
+ */
+void test_IotPkcs11_xInitializePkcs11EmptyFunctionList( void )
+{
+ CK_RV xResult = CKR_OK;
+
+ C_GetFunctionList_IgnoreAndReturn( CKR_OK );
+ C_GetFunctionList_Stub( ( void * ) &prvSetFunctionListEmpty );
+ xResult = xInitializePKCS11();
+
+ TEST_ASSERT_EQUAL( CKR_DEVICE_ERROR, xResult );
+}
+
+/*!
+ * @brief xInitializePKCS11 failed due to no C_Initialize.
+ *
+ */
+void test_IotPkcs11_xInitializePkcs11NoC_Initialize( void )
+{
+ CK_RV xResult = CKR_OK;
+
+ vCommonStubs();
+ prvP11FunctionList.C_Initialize = NULL;
+ xResult = xInitializePKCS11();
+ prvP11FunctionList.C_Initialize = C_Initialize;
+
+ TEST_ASSERT_EQUAL( CKR_DEVICE_ERROR, xResult );
+}
+
/*!
* @brief xGetSlotList happy path.
*
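Review bot: test_IotPkcs11_xInitializePkcs11NoC_Initialize restores `prvP11FunctionList.C_Initialize` only after xInitializePKCS11 returns. If the call aborts the test, for instance because an unexpected mock call makes Unity jump out of the test body, the shared function list stays broken for every later test. Restoring the pointer in the per-test teardown, or wrapping the call in `if( TEST_PROTECT() )` as the mbedtls tests on this page do, keeps such a failure local. The same pattern is used for C_OpenSession, C_FindObjectsInit, C_FindObjects and C_FindObjectsFinal in later hunks of this file.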
@@ -370,6 +434,25 @@ void test_IotPkcs11_xGetSlotList( void )
vPkcs11FreeCb( pxSlotId, 1 );
}
+/*!
+ * @brief xGetSlotList host memory error.
+ *
+ */
+void test_IotPkcs11_xGetSlotListHostMemoryError( void )
+{
+ CK_RV xResult = CKR_OK;
+ CK_SLOT_ID_PTR pxSlotId = NULL;
+ CK_ULONG xSlotCount = 0;
+ CK_ULONG xExpectedSlotCount = SIZE_MAX;
+
+ vCommonStubs();
+ C_GetSlotList_ExpectAnyArgsAndReturn( CKR_OK );
+ C_GetSlotList_ReturnThruPtr_pulCount( &xExpectedSlotCount );
+
+ xResult = xGetSlotList( &pxSlotId, &xSlotCount );
+ TEST_ASSERT_EQUAL( CKR_HOST_MEMORY, xResult );
+}
+
/*!
* @brief xGetSlotList failed to get function list.
*
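Review bot: test_IotPkcs11_xGetSlotListHostMemoryError does not say which condition it targets. From `xExpectedSlotCount = SIZE_MAX` it looks like the guard against the slot count multiplied by the element size overflowing, but xGetSlotList is not shown in this hunk. Please state the intent in the brief, e.g. `@brief xGetSlotList rejects a slot count whose allocation size would overflow.` Adding `TEST_ASSERT_NULL( pxSlotId );` after the call would also pin that no buffer is handed back on this path, assuming that is the intended contract.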
@@ -521,6 +604,23 @@ void test_IotPkcs11_xInitializePkcs11TokenAlreadyInit( void )
TEST_ASSERT_EQUAL( CKR_OK, xResult );
}
+/*!
+ * @brief xInitializePkcs11Token xInitializePKCS11 return error.
+ *
+ */
+void test_IotPkcs11_xInitializePkcs11TokenInitFailed( void )
+{
+ CK_RV xResult = CKR_OK;
+
+ C_GetFunctionList_IgnoreAndReturn( CKR_OK );
+ C_GetFunctionList_Stub( ( void * ) &prvSetFunctionList );
+ C_Initialize_IgnoreAndReturn( CKR_GENERAL_ERROR );
+
+ xResult = xInitializePkcs11Token();
+
+ TEST_ASSERT_EQUAL( CKR_GENERAL_ERROR, xResult );
+}
+
/*!
* @brief xInitializePkcs11Token C_GetTokenInfo failure due to memory constraint.
*
@@ -586,7 +686,33 @@ void test_IotPkcs11_xInitializePkcs11TokenBadFunctionList( void )
{
CK_RV xResult = CKR_OK;
- C_GetFunctionList_IgnoreAndReturn( CKR_ARGUMENTS_BAD );
+ C_GetFunctionList_IgnoreAndReturn( CKR_OK );
+ C_GetFunctionList_Stub( ( void * ) &prvSetFunctionList2 );
+ C_Initialize_IgnoreAndReturn( CKR_OK );
+ pvPkcs11Malloc_Stub( pvPkcs11MallocCb );
+ vPkcs11Free_Stub( vPkcs11FreeCb );
+ C_GetSlotList_Stub( ( void * ) xGet1Item );
+
+ xResult = xInitializePkcs11Token();
+
+ TEST_ASSERT_EQUAL( CKR_ARGUMENTS_BAD, xResult );
+}
+
+/*!
+ * @brief xInitializePkcs11Token failure due to bad C_GetFunctionList.
+ *
+ */
+void test_IotPkcs11_xInitializePkcs11TokenEmptyFunctionList( void )
+{
+ CK_RV xResult = CKR_OK;
+
+ C_GetFunctionList_IgnoreAndReturn( CKR_OK );
+ C_GetFunctionList_Stub( ( void * ) &prvSetFunctionList3 );
+ C_Initialize_IgnoreAndReturn( CKR_OK );
+ pvPkcs11Malloc_Stub( pvPkcs11MallocCb );
+ vPkcs11Free_Stub( vPkcs11FreeCb );
+ C_GetSlotList_Stub( ( void * ) xGet1Item );
+
xResult = xInitializePkcs11Token();
TEST_ASSERT_EQUAL( CKR_FUNCTION_FAILED, xResult );
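Review bot: The brief on test_IotPkcs11_xInitializePkcs11TokenEmptyFunctionList, `xInitializePkcs11Token failure due to bad C_GetFunctionList.`, does not distinguish it from the BadFunctionList test just above, whose expectation this hunk changes to CKR_ARGUMENTS_BAD. The new test installs prvSetFunctionList3, so a more accurate wording would be `@brief xInitializePkcs11Token fails when C_GetFunctionList returns CKR_OK with a NULL function list.` Both tests depend on the stub misbehaving on exactly the third call, so a comment naming which call inside xInitializePkcs11Token that is would make them easier to maintain.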
@@ -721,6 +847,27 @@ void test_IotPkcs11_xInitializePkcs11Session( void )
TEST_ASSERT_EQUAL( CKR_OK, xResult );
}
+/*!
+ * @brief xInitializePkcs11Session C_OpenSession is not supported in the function list.
+ *
+ */
+void test_IotPkcs11_xInitializePkcs11SessionNoC_OpenSession( void )
+{
+ CK_RV xResult = CKR_OK;
+ CK_SESSION_HANDLE xHandle = { 0 };
+
+ vCommonStubs();
+ C_GetSlotList_Stub( ( void * ) xGet1Item );
+ pvPkcs11Malloc_Stub( pvPkcs11MallocCb );
+ vPkcs11Free_Stub( vPkcs11FreeCb );
+
+ prvP11FunctionList.C_OpenSession = NULL;
+ xResult = xInitializePkcs11Session( &xHandle );
+ prvP11FunctionList.C_OpenSession = C_OpenSession;
+
+ TEST_ASSERT_EQUAL( CKR_FUNCTION_FAILED, xResult );
+}
+
/*!
* @brief xInitializePkcs11Session C_Login is a NULL function path.
*
@@ -753,7 +900,6 @@ void test_IotPkcs11_xInitializePkcs11SessionBadArgs( void )
{
CK_RV xResult = CKR_OK;
- vCommonStubs();
xResult = xInitializePkcs11Session( NULL );
TEST_ASSERT_EQUAL( CKR_ARGUMENTS_BAD, xResult );
@@ -775,23 +921,21 @@ void test_IotPkcs11_xInitializePkcs11SessionBadFunctionList( void )
}
/*!
- * @brief xInitializePkcs11Session C_GetFunctionList failure path.
+ * @brief xInitializePkcs11Session C_GetFunctionList returns empty function list.
*
- * Fails on the second call to C_GetFunctionList.
*/
-void test_IotPkcs11_xInitializePkcs11SessionBadFunctionList2( void )
+
+void test_IotPkcs11_xInitializePkcs11SessionEmptyFunctionList( void )
{
CK_RV xResult = CKR_OK;
CK_SESSION_HANDLE xHandle = { 0 };
- C_GetFunctionList_Stub( ( void * ) &prvSetFunctionList2 );
- C_Initialize_IgnoreAndReturn( CKR_OK );
- C_GetSlotList_Stub( ( void * ) xGet1Item );
- pvPkcs11Malloc_Stub( pvPkcs11MallocCb );
- vPkcs11Free_Stub( vPkcs11FreeCb );
+ C_GetFunctionList_IgnoreAndReturn( CKR_OK );
+ C_GetFunctionList_Stub( ( void * ) &prvSetFunctionListEmpty );
+
xResult = xInitializePkcs11Session( &xHandle );
- TEST_ASSERT_EQUAL( CKR_ARGUMENTS_BAD, xResult );
+ TEST_ASSERT_EQUAL( CKR_FUNCTION_FAILED, xResult );
}
/*!
@@ -898,3 +1042,63 @@ void test_IotPkcs11_xFindObjectWithLabelAndClassBadFunctionList( void )
TEST_ASSERT_EQUAL( CKR_FUNCTION_FAILED, xResult );
}
+
+/*!
+ * @brief xFindObjectWithLabelAndClass no C_FindObjectsInit.
+ *
+ */
+void test_IotPkcs11_xFindObjectWithLabelAndClassNoC_FindObjectsInit( void )
+{
+ CK_RV xResult = CKR_OK;
+ CK_SESSION_HANDLE xHandle = { 0 };
+ CK_OBJECT_HANDLE xPrivateKeyHandle = { 0 };
+
+ vCommonStubs();
+ prvP11FunctionList.C_FindObjectsInit = NULL;
+ xResult = xFindObjectWithLabelAndClass( xHandle,
+ pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS,
+ strlen( pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS ),
+ CKO_PRIVATE_KEY, &xPrivateKeyHandle );
+ prvP11FunctionList.C_FindObjectsInit = C_FindObjectsInit;
+ TEST_ASSERT_EQUAL( CKR_FUNCTION_FAILED, xResult );
+}
+
+/*!
+ * @brief xFindObjectWithLabelAndClass no C_FindObjects.
+ *
+ */
+void test_IotPkcs11_xFindObjectWithLabelAndClassNoC_FindObjects( void )
+{
+ CK_RV xResult = CKR_OK;
+ CK_SESSION_HANDLE xHandle = { 0 };
+ CK_OBJECT_HANDLE xPrivateKeyHandle = { 0 };
+
+ vCommonStubs();
+ prvP11FunctionList.C_FindObjects = NULL;
+ xResult = xFindObjectWithLabelAndClass( xHandle,
+ pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS,
+ strlen( pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS ),
+ CKO_PRIVATE_KEY, &xPrivateKeyHandle );
+ prvP11FunctionList.C_FindObjects = C_FindObjects;
+ TEST_ASSERT_EQUAL( CKR_FUNCTION_FAILED, xResult );
+}
+
+/*!
+ * @brief xFindObjectWithLabelAndClass no C_FindObjectsFinal.
+ *
+ */
+void test_IotPkcs11_xFindObjectWithLabelAndClassNoC_FindObjectsFinal( void )
+{
+ CK_RV xResult = CKR_OK;
+ CK_SESSION_HANDLE xHandle = { 0 };
+ CK_OBJECT_HANDLE xPrivateKeyHandle = { 0 };
+
+ vCommonStubs();
+ prvP11FunctionList.C_FindObjectsFinal = NULL;
+ xResult = xFindObjectWithLabelAndClass( xHandle,
+ pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS,
+ strlen( pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS ),
+ CKO_PRIVATE_KEY, &xPrivateKeyHandle );
+ prvP11FunctionList.C_FindObjectsFinal = C_FindObjectsFinal;
+ TEST_ASSERT_EQUAL( CKR_FUNCTION_FAILED, xResult );
+}