From 9ed4861f913b45955ad2000acc0b43ccb9571c6a Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 25 Oct 2024 16:03:59 -0400 Subject: [PATCH] Test pin locking prevention Signed-off-by: Simo Sorce --- tests/meson.build | 1 + tests/tpinlock | 79 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 80 insertions(+) create mode 100755 tests/tpinlock diff --git a/tests/meson.build b/tests/meson.build index 7e7f00bd..03119db0 100644 --- a/tests/meson.build +++ b/tests/meson.build @@ -140,6 +140,7 @@ tests = { 'uri': {'suites': ['softokn', 'softhsm', 'kryoptic']}, 'ecxc': {'suites': ['softhsm', 'kryoptic']}, 'cms': {'suites': ['softokn', 'kryoptic']}, + 'pinlock': {'suites': ['kryoptic']}, } test_wrapper = find_program('test-wrapper') diff --git a/tests/tpinlock b/tests/tpinlock new file mode 100755 index 00000000..5fcdf027 --- /dev/null +++ b/tests/tpinlock @@ -0,0 +1,79 @@ +#!/bin/bash -e +# Copyright (C) 2022 Simo Sorce +# SPDX-License-Identifier: Apache-2.0 + +source "${TESTSSRCDIR}/helpers.sh" + +title PARA "Test PIN lock prevention" + +ORIG_OPENSSL_CONF=${OPENSSL_CONF} +sed "s/^pkcs11-module-token-pin.*$/##nopin/" "${OPENSSL_CONF}" > "${OPENSSL_CONF}.nopin" +OPENSSL_CONF=${OPENSSL_CONF}.nopin + +BADPIN="bad" +BADPINURI=${PRIURI}?pin-value=${BADPIN} +GOODPINURI=${PRIURI}?pin-value=${PINVALUE} + +FAIL=0 +pkcs11-tool --module ${PKCS11_PROVIDER_MODULE=} -T | grep "PIN initialized" && FAIL=1 +if [ $FAIL -eq 0 ]; then + echo "Failed to detect PIN status" + exit 1 +fi + +# Kryoptic allows for 10 tries by default +for i in {1..10}; do + echo "Login attempt: $i" + pkcs11-tool --module ${PKCS11_PROVIDER_MODULE=} -l -T -p ${BADPIN} && false + DETECT=0 + pkcs11-tool --module ${PKCS11_PROVIDER_MODULE=} -T | grep "final user PIN try" && DETECT=1 + if [ $DETECT -eq 1 ]; then + break + fi +done +FAIL=0 +pkcs11-tool --module ${PKCS11_PROVIDER_MODULE=} -T | grep "final user PIN try" && FAIL=1 +if [ $FAIL -eq 0 ]; then + echo "Failed to reach "final try" status" + exit 1 +fi + +# Now we test one operation with a bad pin. +# It should fail but not lock the token +title LINE "Try op with bad pin and fail" +FAIL=0 +ossl ' +pkeyutl -sign -inkey "${BADPINURI}" + -in ${TMPPDIR}/sha256.bin + -out ${TMPPDIR}/pinlock-sig.bin' || FAIL=1 +if [ $FAIL -eq 0 ]; then + echo "Operation should have failed, pin lock prevention not working" + exit 1 +fi + +# Now we test one operation with a good pin. +# It should fail because the token is on last try +title LINE "Try op with good pin and fail" +FAIL=0 +ossl ' +pkeyutl -sign -inkey "${GOODPINURI}" + -in ${TMPPDIR}/sha256.bin + -out ${TMPPDIR}/pinlock-sig.bin' || FAIL=1 +if [ $FAIL -eq 0 ]; then + echo "Operation should have failed, pin lock prevention not working" + exit 1 +fi + + +# Now reset the token counter with a good try +pkcs11-tool --module ${PKCS11_PROVIDER_MODULE=} -l -T -p ${PINVALUE} + +# Now we test one operation with a good pin. +# It should suceed +title LINE "Try op with good pin and succeed" +ossl ' +pkeyutl -sign -inkey "${GOODPINURI}" + -in ${TMPPDIR}/sha256.bin + -out ${TMPPDIR}/pinlock-sig.bin' + +OPENSSL_CONF=${ORIG_OPENSSL_CONF}