
Test pin locking prevention
Only kryoptic seems to correctly enforce PIN lockout and return the
correct flags.
Softhsm seems to expose CKF_PIN_COUNT_LOW at some point but never locks
the token.
Softoken seems not to support PIN counting or locking at all.

Signed-off-by: Simo Sorce <simo@redhat.com>
simo5 committed Oct 29, 2024
1 parent f740d8d commit 9e36e1f
Showing 3 changed files with 84 additions and 1 deletion.
1 change: 1 addition & 0 deletions tests/meson.build
Expand Up @@ -140,6 +140,7 @@ tests = {
'uri': {'suites': ['softokn', 'softhsm', 'kryoptic']},
'ecxc': {'suites': ['softhsm', 'kryoptic']},
'cms': {'suites': ['softokn', 'kryoptic']},
'pinlock': {'suites': ['kryoptic']},
}

test_wrapper = find_program('test-wrapper')
3 changes: 2 additions & 1 deletion tests/setup.sh
Expand Up @@ -391,7 +391,8 @@ sed -e "s|@libtoollibs@|${LIBSPATH}|g" \
title LINE "Export test variables to ${TMPPDIR}/testvars"
cat >> "${TMPPDIR}/testvars" <<DBGSCRIPT
${TOKENCONFIGVARS}
export P11LIB=${P11LIB}
export P11LIB="${P11LIB}"
export TOKENLABEL="${TOKENLABEL}"
export PKCS11_PROVIDER_MODULE=${P11LIB}
export PPDBGFILE=${TMPPDIR}/p11prov-debug.log
export PKCS11_PROVIDER_DEBUG="file:${TMPPDIR}/p11prov-debug.log"
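Review bot: The new `export P11LIB="${P11LIB}"` line quotes the value, but two lines below the same path is still written unquoted as `export PKCS11_PROVIDER_MODULE=${P11LIB}`, and `PPDBGFILE=${TMPPDIR}/p11prov-debug.log` is unquoted too, so a module or tmp path containing whitespace would still word-split when testvars is sourced. For consistency with the lines this commit touches, write `export PKCS11_PROVIDER_MODULE="${P11LIB}"` and `export PPDBGFILE="${TMPPDIR}/p11prov-debug.log"`. The heredoc that produces testvars starts before this hunk, so the remaining exported variables could not be checked here.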
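--- a/tests/tpinlock
+++ b/tests/tpinlock
@@ -0,0 +1,81 @@
+#!/bin/bash -e
+# Copyright (C) 2024 Simo Sorce <simo@redhat.com>
+# SPDX-License-Identifier: Apache-2.0
+
+source "${TESTSSRCDIR}/helpers.sh"
+
+title PARA "Test PIN lock prevention"
+
+ORIG_OPENSSL_CONF=${OPENSSL_CONF}
+sed "s/^pkcs11-module-token-pin.*$/##nopin/" "${OPENSSL_CONF}" > "${OPENSSL_CONF}.nopin"
+OPENSSL_CONF=${OPENSSL_CONF}.nopin
+
+BADPIN="bad"
+export BADPINURI="${PRIURI}?pin-value=${BADPIN}"
+export GOODPINURI="${PRIURI}?pin-value=${PINVALUE}"
+
+TOOLDEFARGS=("--module=${P11LIB}" "--token-label=${TOKENLABEL}")
+
+FAIL=0
+pkcs11-tool "${TOOLDEFARGS[@]}" -T | grep "PIN initialized" && FAIL=1
+if [ $FAIL -eq 0 ]; then
+echo "Failed to detect PIN status"
+exit 1
+fi
+
+# Kryoptic allows for 10 tries by default
+for i in {1..10}; do
+echo "Login attempt: $i"
+pkcs11-tool "${TOOLDEFARGS[@]}" -l -I -p "${BADPIN}" && false
+DETECT=0
+pkcs11-tool "${TOOLDEFARGS[@]}" -T | grep "final user PIN try" && DETECT=1
+if [ $DETECT -eq 1 ]; then
+break
+fi
+done
+FAIL=0
+pkcs11-tool "${TOOLDEFARGS[@]}" -T | grep "final user PIN try" && FAIL=1
+if [ $FAIL -eq 0 ]; then
+echo "Failed to reach "final try" status"
+exit 1
+fi
+
+# Now we test one operation with a bad pin.
+# It should fail but not lock the token
+title LINE "Try op with bad pin and fail"
+FAIL=0
+ossl '
+pkeyutl -sign -inkey "${BADPINURI}"
+-in ${TMPPDIR}/sha256.bin
+-out ${TMPPDIR}/pinlock-sig.bin' || FAIL=1
+if [ $FAIL -eq 0 ]; then
+echo "Operation should have failed, pin lock prevention not working"
+exit 1
+fi
+
+# Now we test one operation with a good pin.
+# It should fail because the token is on last try
+title LINE "Try op with good pin and fail"
+FAIL=0
+ossl '
+pkeyutl -sign -inkey "${GOODPINURI}"
+-in ${TMPPDIR}/sha256.bin
+-out ${TMPPDIR}/pinlock-sig.bin' || FAIL=1
+if [ $FAIL -eq 0 ]; then
+echo "Operation should have failed, pin lock prevention not working"
+exit 1
+fi
+
+
+# Now reset the token counter with a good try
+pkcs11-tool "${TOOLDEFARGS[@]}" -l -T -p "${PINVALUE}"
+
+# Now we test one operation with a good pin.
+# It should succeed
+title LINE "Try op with good pin and succeed"
+ossl '
+pkeyutl -sign -inkey "${GOODPINURI}"
+-in ${TMPPDIR}/sha256.bin
+-out ${TMPPDIR}/pinlock-sig.bin'
+
+OPENSSL_CONF=${ORIG_OPENSSL_CONF}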
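Review bot: The error message after the final-try check has nested unescaped double quotes — `echo "Failed to reach "final try" status"` closes the string at `reach ` and reopens it at ` status"`, so it only prints readably because of how the fragments happen to word-split; write it as `echo "Failed to reach 'final try' status"`. The fail-fast behaviour relies on `#!/bin/bash -e` alone, which is lost whenever the test is launched as `bash tpinlock`, so a `set -e` after the shebang would make the `&& false` and `|| FAIL=1` checks robust to how the wrapper invokes the file. The `.nopin` copy of the OpenSSL config is written next to the original and never removed, and the loop will have spent up to ten bad attempts if the "final user PIN try" text is never matched, which is worth a one-line comment stating that this path leaves the token locked for any later test in the same suite.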
