From 4cb0d53a8a3c8d7552d1a907cb82a332561e3af5 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 25 Oct 2024 16:03:59 -0400 Subject: [PATCH] Test pin locking prevention Signed-off-by: Simo Sorce --- tests/meson.build | 1 + tests/tpinlock | 79 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 80 insertions(+) create mode 100755 tests/tpinlock diff --git a/tests/meson.build b/tests/meson.build index 7e7f00bd..03119db0 100644 --- a/tests/meson.build +++ b/tests/meson.build @@ -140,6 +140,7 @@ tests = { 'uri': {'suites': ['softokn', 'softhsm', 'kryoptic']}, 'ecxc': {'suites': ['softhsm', 'kryoptic']}, 'cms': {'suites': ['softokn', 'kryoptic']}, + 'pinlock': {'suites': ['kryoptic']}, } test_wrapper = find_program('test-wrapper') diff --git a/tests/tpinlock b/tests/tpinlock new file mode 100755 index 00000000..d5921cd0 --- /dev/null +++ b/tests/tpinlock @@ -0,0 +1,79 @@ +#!/bin/bash -e +# Copyright (C) 2022 Simo Sorce +# SPDX-License-Identifier: Apache-2.0 + +source "${TESTSSRCDIR}/helpers.sh" + +title PARA "Test PIN lock prevention" + +ORIG_OPENSSL_CONF=${OPENSSL_CONF} +sed "s/^pkcs11-module-token-pin.*$/##nopin/" "${OPENSSL_CONF}" > "${OPENSSL_CONF}.nopin" +OPENSSL_CONF=${OPENSSL_CONF}.nopin + +BADPIN="bad" +export BADPINURI="${PRIURI}?pin-value=${BADPIN}" +export GOODPINURI="${PRIURI}?pin-value=${PINVALUE}" + +FAIL=0 +pkcs11-tool --module "${PKCS11_PROVIDER_MODULE}" -T | grep "PIN initialized" && FAIL=1 +if [ $FAIL -eq 0 ]; then + echo "Failed to detect PIN status" + exit 1 +fi + +# Kryoptic allows for 10 tries by default +for i in {1..10}; do + echo "Login attempt: $i" + pkcs11-tool --module "${PKCS11_PROVIDER_MODULE}" -l -T -p "${BADPIN}" && false + DETECT=0 + pkcs11-tool --module "${PKCS11_PROVIDER_MODULE}" -T | grep "final user PIN try" && DETECT=1 + if [ $DETECT -eq 1 ]; then + break + fi +done +FAIL=0 +pkcs11-tool --module "${PKCS11_PROVIDER_MODULE}" -T | grep "final user PIN try" && FAIL=1 +if [ $FAIL -eq 0 ]; then + echo "Failed to reach "final try" status" + exit 1 +fi + +# Now we test one operation with a bad pin. +# It should fail but not lock the token +title LINE "Try op with bad pin and fail" +FAIL=0 +ossl ' +pkeyutl -sign -inkey "${BADPINURI}" + -in ${TMPPDIR}/sha256.bin + -out ${TMPPDIR}/pinlock-sig.bin' || FAIL=1 +if [ $FAIL -eq 0 ]; then + echo "Operation should have failed, pin lock prevention not working" + exit 1 +fi + +# Now we test one operation with a good pin. +# It should fail because the token is on last try +title LINE "Try op with good pin and fail" +FAIL=0 +ossl ' +pkeyutl -sign -inkey "${GOODPINURI}" + -in ${TMPPDIR}/sha256.bin + -out ${TMPPDIR}/pinlock-sig.bin' || FAIL=1 +if [ $FAIL -eq 0 ]; then + echo "Operation should have failed, pin lock prevention not working" + exit 1 +fi + + +# Now reset the token counter with a good try +pkcs11-tool --module "${PKCS11_PROVIDER_MODULE}" -l -T -p "${PINVALUE}" + +# Now we test one operation with a good pin. +# It should succeed +title LINE "Try op with good pin and succeed" +ossl ' +pkeyutl -sign -inkey "${GOODPINURI}" + -in ${TMPPDIR}/sha256.bin + -out ${TMPPDIR}/pinlock-sig.bin' + +OPENSSL_CONF=${ORIG_OPENSSL_CONF}