search

CardContact / sc-hsm-embedded

PKCS#11 and CSP-Minidriver library for the SmartCard-HSM and STARCOS based signature cards
BSD 3-Clause "New" or "Revised" License
95 stars 31 forks source link

sc-hsm-pkcs11-test: "Find a private key after login" test failure on an empty token #39

Open saper opened 1 year ago

saper commented 1 year ago

As of https://github.com/CardContact/sc-hsm-embedded/commit/4f26f202b28d5fe1c91a7a5b84061dd5b385b440 I get the following running the tests on an freshly initialized Nitrokey HSM 2:

Script started on Sat Jan 28 11:55:01 2023
Command: ./src/tests/sc-hsm-pkcs11-test --module src/pkcs11/.libs/libsc-hsm-pkcs11.so
 --pin 000000 --invasive
PKCS11 unit test running.

and then:

Find a private key after loginCalling C_FindObjectsInit - CKR_OK : Passed
Calling C_FindObjects - CKR_OK : Passed
Calling C_FindObjectsFinal - CKR_OK : Passed
- CKR_ARGUMENTS_BAD : Failed

Quick analysis:

At the time the testLogin() https://github.com/CardContact/sc-hsm-embedded/blob/4f26f202b28d5fe1c91a7a5b84061dd5b385b440/src/tests/sc-hsm-pkcs11-test.c#L2833 is run, there is no private key on the token at all.

If I run the following sequence instead:

radziecki> sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 000000                                                                
Using reader with a card: Nitrokey Nitrokey HSM (DENK01045710000         ) 00 00
radziecki> /usr/local/bin/pkcs11-tool -l -p 000000 --module ./src/pkcs11/.libs/libsc-hsm-pkcs11.so --keypairgen --key-type rsa:1024 --id 10                                   
Using slot 0 with a present token (0x1)
Key pair generated:
Private Key Object; RSA 
  label:      
  ID:         10
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 1024 bits
  label:      
  ID:         10
  Usage:      encrypt, verify
  Access:     local
radziecki> ./src/tests/sc-hsm-pkcs11-test --module src/pkcs11/.libs/libsc-hsm-pkcs11.so --pin 000000 --invasive                           PKCS11 unit test running.           
Calling C_GetFunctionList Calling C_Initialize - CKR_OK : Passed
Calling C_GetInfo - CKR_OK : Passed
Calling C_GetSlotList - CKR_OK : Passed
Calling C_GetSlotInfo for slot 1 - CKR_OK : Passed
Slot manufacturer: CardContact
Slot ID : Slot description: 1 : Nitrokey Nitrokey HSM (DENK01045710000         ) 00 00
Slot flags: 7
Calling C_GetTokenInfo - CKR_OK : Passed
...

then I finally get

Unit test finished.
455 tests performed.
0 tests failed.
saper commented 1 year ago

I have also noticed that if there is no AES key already, testAES() is skipped.

After adding the AES key, I got

Unit test finished.
472 tests performed.
0 tests failed.