diff --git a/tests/meson.build b/tests/meson.build index 7e7f00bd..03119db0 100644 --- a/tests/meson.build +++ b/tests/meson.build @@ -140,6 +140,7 @@ tests = { 'uri': {'suites': ['softokn', 'softhsm', 'kryoptic']}, 'ecxc': {'suites': ['softhsm', 'kryoptic']}, 'cms': {'suites': ['softokn', 'kryoptic']}, + 'pinlock': {'suites': ['kryoptic']}, } test_wrapper = find_program('test-wrapper') diff --git a/tests/setup.sh b/tests/setup.sh index 56977359..bc5cec1b 100755 --- a/tests/setup.sh +++ b/tests/setup.sh @@ -391,7 +391,8 @@ sed -e "s|@libtoollibs@|${LIBSPATH}|g" \ title LINE "Export test variables to ${TMPPDIR}/testvars" cat >> "${TMPPDIR}/testvars" < +# SPDX-License-Identifier: Apache-2.0 + +source "${TESTSSRCDIR}/helpers.sh" + +title PARA "Test PIN lock prevention" + +ORIG_OPENSSL_CONF=${OPENSSL_CONF} +sed "s/^pkcs11-module-token-pin.*$/##nopin/" "${OPENSSL_CONF}" > "${OPENSSL_CONF}.nopin" +OPENSSL_CONF=${OPENSSL_CONF}.nopin + +BADPIN="bad" +export BADPINURI="${PRIURI}?pin-value=${BADPIN}" +export GOODPINURI="${PRIURI}?pin-value=${PINVALUE}" + +TOOLDEFARGS=("--module=${P11LIB}" "--token-label=${TOKENLABEL}") + +FAIL=0 +pkcs11-tool "${TOOLDEFARGS[@]}" -T | grep "PIN initialized" && FAIL=1 +if [ $FAIL -eq 0 ]; then + echo "Failed to detect PIN status" + exit 1 +fi + +# Kryoptic allows for 10 tries by default +for i in {1..10}; do + echo "Login attempt: $i" + pkcs11-tool "${TOOLDEFARGS[@]}" -l -I -p "${BADPIN}" && false + DETECT=0 + pkcs11-tool "${TOOLDEFARGS[@]}" -T | grep "final user PIN try" && DETECT=1 + if [ $DETECT -eq 1 ]; then + break + fi +done +FAIL=0 +pkcs11-tool "${TOOLDEFARGS[@]}" -T | grep "final user PIN try" && FAIL=1 +if [ $FAIL -eq 0 ]; then + echo "Failed to reach "final try" status" + exit 1 +fi + +# Now we test one operation with a bad pin. +# It should fail but not lock the token +title LINE "Try op with bad pin and fail" +FAIL=0 +ossl ' +pkeyutl -sign -inkey "${BADPINURI}" + -in ${TMPPDIR}/sha256.bin + -out ${TMPPDIR}/pinlock-sig.bin' || FAIL=1 +if [ $FAIL -eq 0 ]; then + echo "Operation should have failed, pin lock prevention not working" + exit 1 +fi + +# Now we test one operation with a good pin. +# It should fail because the token is on last try +title LINE "Try op with good pin and fail" +FAIL=0 +ossl ' +pkeyutl -sign -inkey "${GOODPINURI}" + -in ${TMPPDIR}/sha256.bin + -out ${TMPPDIR}/pinlock-sig.bin' || FAIL=1 +if [ $FAIL -eq 0 ]; then + echo "Operation should have failed, pin lock prevention not working" + exit 1 +fi + + +# Now reset the token counter with a good try +pkcs11-tool "${TOOLDEFARGS[@]}" -l -T -p "${PINVALUE}" + +# Now we test one operation with a good pin. +# It should succeed +title LINE "Try op with good pin and succeed" +ossl ' +pkeyutl -sign -inkey "${GOODPINURI}" + -in ${TMPPDIR}/sha256.bin + -out ${TMPPDIR}/pinlock-sig.bin' + +OPENSSL_CONF=${ORIG_OPENSSL_CONF}