Test pin locking prevention

Only kryoptic seem to correctly enforce pin lockout and return the correct flags. Softhsm seem to expose CKF_PIN_COUNT_LOW at some point but never lock the token. Softoken seem not support pin counting or locking at all. Signed-off-by: Simo Sorce <[email protected]>
simo5 · Oct 29, 2024 · 9e36e1f · 9e36e1f
1 parent f740d8d
commit 9e36e1f
Show file tree

Hide file tree

Showing 3 changed files with 84 additions and 1 deletion.
diff --git a/tests/meson.build b/tests/meson.build
@@ -140,6 +140,7 @@ tests = {
   'uri': {'suites': ['softokn', 'softhsm', 'kryoptic']},
   'ecxc': {'suites': ['softhsm', 'kryoptic']},
   'cms': {'suites': ['softokn', 'kryoptic']},
+  'pinlock': {'suites': ['kryoptic']},
 }
 
 test_wrapper = find_program('test-wrapper')

diff --git a/tests/setup.sh b/tests/setup.sh
@@ -391,7 +391,8 @@ sed -e "s|@libtoollibs@|${LIBSPATH}|g" \
 title LINE "Export test variables to ${TMPPDIR}/testvars"
 cat >> "${TMPPDIR}/testvars" <<DBGSCRIPT
 ${TOKENCONFIGVARS}
-export P11LIB=${P11LIB}
+export P11LIB="${P11LIB}"
+export TOKENLABEL="${TOKENLABEL}"
 export PKCS11_PROVIDER_MODULE=${P11LIB}
 export PPDBGFILE=${TMPPDIR}/p11prov-debug.log
 export PKCS11_PROVIDER_DEBUG="file:${TMPPDIR}/p11prov-debug.log"

diff --git a/tests/tpinlock b/tests/tpinlock
@@ -0,0 +1,81 @@
+#!/bin/bash -e
+# Copyright (C) 2024 Simo Sorce <[email protected]>
+# SPDX-License-Identifier: Apache-2.0
+
+source "${TESTSSRCDIR}/helpers.sh"
+
+title PARA "Test PIN lock prevention"
+
+ORIG_OPENSSL_CONF=${OPENSSL_CONF}
+sed "s/^pkcs11-module-token-pin.*$/##nopin/" "${OPENSSL_CONF}" > "${OPENSSL_CONF}.nopin"
+OPENSSL_CONF=${OPENSSL_CONF}.nopin
+
+BADPIN="bad"
+export BADPINURI="${PRIURI}?pin-value=${BADPIN}"
+export GOODPINURI="${PRIURI}?pin-value=${PINVALUE}"
+
+TOOLDEFARGS=("--module=${P11LIB}" "--token-label=${TOKENLABEL}")
+
+FAIL=0
+pkcs11-tool "${TOOLDEFARGS[@]}" -T | grep "PIN initialized" && FAIL=1
+if [ $FAIL -eq 0 ]; then
+    echo "Failed to detect PIN status"
+    exit 1
+fi
+
+# Kryoptic allows for 10 tries by default
+for i in {1..10}; do
+    echo "Login attempt: $i"
+    pkcs11-tool "${TOOLDEFARGS[@]}" -l -I -p "${BADPIN}" && false
+    DETECT=0
+    pkcs11-tool "${TOOLDEFARGS[@]}" -T | grep "final user PIN try" && DETECT=1
+    if [ $DETECT -eq 1 ]; then
+        break
+    fi
+done
+FAIL=0
+pkcs11-tool "${TOOLDEFARGS[@]}" -T | grep "final user PIN try" && FAIL=1
+if [ $FAIL -eq 0 ]; then
+    echo "Failed to reach "final try" status"
+    exit 1
+fi
+
+# Now we test one operation with a bad pin.
+# It should fail but not lock the token
+title LINE "Try op with bad pin and fail"
+FAIL=0
+ossl '
+pkeyutl -sign -inkey "${BADPINURI}"
+    -in ${TMPPDIR}/sha256.bin
+    -out ${TMPPDIR}/pinlock-sig.bin' || FAIL=1
+if [ $FAIL -eq 0 ]; then
+    echo "Operation should have failed, pin lock prevention not working"
+    exit 1
+fi
+
+# Now we test one operation with a good pin.
+# It should fail because the token is on last try
+title LINE "Try op with good pin and fail"
+FAIL=0
+ossl '
+pkeyutl -sign -inkey "${GOODPINURI}"
+    -in ${TMPPDIR}/sha256.bin
+    -out ${TMPPDIR}/pinlock-sig.bin' || FAIL=1
+if [ $FAIL -eq 0 ]; then
+    echo "Operation should have failed, pin lock prevention not working"
+    exit 1
+fi
+
+
+# Now reset the token counter with a good try
+pkcs11-tool "${TOOLDEFARGS[@]}" -l -T -p "${PINVALUE}"
+
+# Now we test one operation with a good pin.
+# It should succeed
+title LINE "Try op with good pin and succeed"
+ossl '
+pkeyutl -sign -inkey "${GOODPINURI}"
+    -in ${TMPPDIR}/sha256.bin
+    -out ${TMPPDIR}/pinlock-sig.bin'
+
+OPENSSL_CONF=${ORIG_OPENSSL_CONF}