From 9e36e1fdeca1e23b7dc337b006b15dc8c62dd375 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Fri, 25 Oct 2024 16:03:59 -0400
Subject: [PATCH] Test pin locking prevention Only kryoptic seem to correctly enforce pin lockout and return the correct flags. Softhsm seem to expose CKF_PIN_COUNT_LOW at some point but never lock the token. Softoken seem not support pin counting or locking at all.
Signed-off-by: Simo Sorce
---
 tests/meson.build | 1 +
 tests/setup.sh | 3 +-
 tests/tpinlock | 81 +++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100755 tests/tpinlock
diff --git a/tests/meson.build b/tests/meson.build
index 7e7f00bd..03119db0 100644
--- a/tests/meson.build
+++ b/tests/meson.build
@@ -140,6 +140,7 @@ tests = {
 'uri': {'suites': ['softokn', 'softhsm', 'kryoptic']},
 'ecxc': {'suites': ['softhsm', 'kryoptic']},
 'cms': {'suites': ['softokn', 'kryoptic']},
+ 'pinlock': {'suites': ['kryoptic']},
 }
 test_wrapper = find_program('test-wrapper')
diff --git a/tests/setup.sh b/tests/setup.sh
index 56977359..bc5cec1b 100755
--- a/tests/setup.sh
+++ b/tests/setup.sh
@@ -391,7 +391,8 @@ sed -e "s|@libtoollibs@|${LIBSPATH}|g" \ title LINE "Export test variables to ${TMPPDIR}/testvars" cat >> "${TMPPDIR}/testvars" <
+# SPDX-License-Identifier: Apache-2.0
+
+source "${TESTSSRCDIR}/helpers.sh"
+
+title PARA "Test PIN lock prevention"
+
+ORIG_OPENSSL_CONF=${OPENSSL_CONF}
+sed "s/^pkcs11-module-token-pin.*$/##nopin/" "${OPENSSL_CONF}" > "${OPENSSL_CONF}.nopin"
+OPENSSL_CONF=${OPENSSL_CONF}.nopin
+
+BADPIN="bad"
+export BADPINURI="${PRIURI}?pin-value=${BADPIN}"
+export GOODPINURI="${PRIURI}?pin-value=${PINVALUE}"
+
+TOOLDEFARGS=("--module=${P11LIB}" "--token-label=${TOKENLABEL}")
+
+FAIL=0
+pkcs11-tool "${TOOLDEFARGS[@]}" -T | grep "PIN initialized" && FAIL=1
+if [ $FAIL -eq 0 ]; then
+ echo "Failed to detect PIN status"
+ exit 1
+fi
+
+# Kryoptic allows for 10 tries by default
+for i in {1..10}; do
+ echo "Login attempt: $i"
+ pkcs11-tool "${TOOLDEFARGS[@]}" -l -I -p "${BADPIN}" && false
+ DETECT=0
+ pkcs11-tool "${TOOLDEFARGS[@]}" -T | grep "final user PIN try" && DETECT=1
+ if [ $DETECT -eq 1 ]; then
+ break
+ fi
+done
+FAIL=0
+pkcs11-tool "${TOOLDEFARGS[@]}" -T | grep "final user PIN try" && FAIL=1
+if [ $FAIL -eq 0 ]; then
+ echo "Failed to reach "final try" status"
+ exit 1
+fi
+
+# Now we test one operation with a bad pin.
+# It should fail but not lock the token
+title LINE "Try op with bad pin and fail"
+FAIL=0
+ossl '
+pkeyutl -sign -inkey "${BADPINURI}"
+ -in ${TMPPDIR}/sha256.bin
+ -out ${TMPPDIR}/pinlock-sig.bin' || FAIL=1
+if [ $FAIL -eq 0 ]; then
+ echo "Operation should have failed, pin lock prevention not working"
+ exit 1
+fi
+
+# Now we test one operation with a good pin.
+# It should fail because the token is on last try
+title LINE "Try op with good pin and fail"
+FAIL=0
+ossl '
+pkeyutl -sign -inkey "${GOODPINURI}"
+ -in ${TMPPDIR}/sha256.bin
+ -out ${TMPPDIR}/pinlock-sig.bin' || FAIL=1
+if [ $FAIL -eq 0 ]; then
+ echo "Operation should have failed, pin lock prevention not working"
+ exit 1
+fi
+
+
+# Now reset the token counter with a good try
+pkcs11-tool "${TOOLDEFARGS[@]}" -l -T -p "${PINVALUE}"
+
+# Now we test one operation with a good pin.
+# It should succeed
+title LINE "Try op with good pin and succeed"
+ossl '
+pkeyutl -sign -inkey "${GOODPINURI}"
+ -in ${TMPPDIR}/sha256.bin
+ -out ${TMPPDIR}/pinlock-sig.bin'
+
+OPENSSL_CONF=${ORIG_OPENSSL_CONF}
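Review bot: The two negative cases ("Try op with bad pin and fail" and "Try op with good pin and fail") accept any non-zero exit from `ossl`, and the token flags are not re-read after them, so the test cannot separate the lock-prevention path from an unrelated failure. It learns only indirectly, at the later `pkcs11-tool ... -l -T -p "${PINVALUE}"` step, whether the bad-PIN operation consumed the last try. Repeating the existing `-T | grep "final user PIN try"` check right after the bad-PIN operation, as sketched below, makes that intermediate state explicit. An early `exit 1` also leaves the token on its final try; a `trap` on EXIT that performs the good-PIN login would stop one failure from cascading, assuming other kryoptic tests use the same token. Separately, `echo "Failed to reach "final try" status"` closes and reopens the string at the inner quotes, and `echo "Failed to reach 'final try' status"` prints what was intended; the hunk header and the script's first lines are not visible here, so the `&& false` guard in the loop is assumed to rely on `-e`.

```shell
# … unchanged: bad-pin pkeyutl -sign and its FAIL check …

# The failed operation must not have consumed the last PIN try.
if ! pkcs11-tool "${TOOLDEFARGS[@]}" -T | grep -q "final user PIN try"; then
    echo "Token left the final-try state after a bad-pin operation"
    exit 1
fi
```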