Source code
Revision control
Copy as Markdown
Other Tools
#include "cert.h"
#include "certdb.h"
#include "nspr.h"
#include "nss.h"
#include "pk11pub.h"
#include "secmod.h"
#include "secerr.h"
#include "nss_scoped_ptrs.h"
#include "util.h"
#define GTEST_HAS_RTTI 0
#include "gtest/gtest.h"
#include "databuffer.h"
#include <fstream>
#include <chrono>
#include <sqlite3.h>
using namespace std::chrono;
#include "softoken_dh_vectors.h"
namespace nss_test {
class SoftokenTest : public ::testing::Test {
protected:
SoftokenTest() : mNSSDBDir("SoftokenTest.d-") {}
SoftokenTest(const std::string &prefix) : mNSSDBDir(prefix) {}
virtual void SetUp() {
std::string nssInitArg("sql:");
nssInitArg.append(mNSSDBDir.GetUTF8Path());
ASSERT_EQ(SECSuccess, NSS_Initialize(nssInitArg.c_str(), "", "", SECMOD_DB,
NSS_INIT_NOROOTINIT));
}
virtual void TearDown() {
ASSERT_EQ(SECSuccess, NSS_Shutdown());
const std::string &nssDBDirPath = mNSSDBDir.GetPath();
ASSERT_EQ(0, unlink((nssDBDirPath + "/cert9.db").c_str()));
ASSERT_EQ(0, unlink((nssDBDirPath + "/key4.db").c_str()));
ASSERT_EQ(0, unlink((nssDBDirPath + "/pkcs11.txt").c_str()));
}
ScopedUniqueDirectory mNSSDBDir;
};
TEST_F(SoftokenTest, CheckDefaultPbkdf2Iterations) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password"));
// Open key4.db and check encoded PBE algorithm and iteration count.
// Compare bytes against the expected values to avoid ASN.1 here.
std::string key_db = mNSSDBDir.GetPath() + "/key4.db";
sqlite3 *sql_db = NULL;
ASSERT_EQ(SQLITE_OK, sqlite3_open(key_db.c_str(), &sql_db));
char *query_str = sqlite3_mprintf("SELECT item2 FROM metaData;");
ASSERT_NE(nullptr, query_str);
sqlite3_stmt *statement = NULL;
ASSERT_EQ(SQLITE_OK,
sqlite3_prepare_v2(sql_db, query_str, -1, &statement, NULL));
ASSERT_EQ(SQLITE_ROW, sqlite3_step(statement));
unsigned int len = sqlite3_column_bytes(statement, 0);
const unsigned char *reader = sqlite3_column_text(statement, 0);
ASSERT_NE(nullptr, reader);
ASSERT_EQ(133U, len);
// pkcs5PBES2, pkcs5PBKDF2
const uint8_t pkcs5_with_pbkdf2[] = {
0x30, 0x81, 0x82, 0x30, 0x6E, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
0xF7, 0x0D, 0x01, 0x05, 0x0D, 0x30, 0x61, 0x30, 0x42, 0x06, 0x09,
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x05, 0x0C, 0x30, 0x35};
EXPECT_EQ(0, memcmp(reader, pkcs5_with_pbkdf2, sizeof(pkcs5_with_pbkdf2)));
reader += sizeof(pkcs5_with_pbkdf2);
// Skip over the 32B random salt
const uint8_t salt_prefix[] = {0x04, 0x20};
EXPECT_EQ(0, memcmp(reader, salt_prefix, sizeof(salt_prefix)));
reader += sizeof(salt_prefix) + 0x20;
// Expect 10000 iterations
const uint8_t iterations[] = {0x02, 0x02, 0x27, 0x10};
EXPECT_EQ(0, memcmp(reader, iterations, sizeof(iterations)));
reader += sizeof(iterations);
// hmacWithSHA256, aes256-CBC
const uint8_t oids[] = {0x02, 0x01, 0x20, 0x30, 0x0A, 0x06, 0x08,
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02,
0x09, 0x30, 0x1B, 0x06, 0x09, 0x60, 0x86,
0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2A};
EXPECT_EQ(0, memcmp(reader, oids, sizeof(oids)));
EXPECT_EQ(SQLITE_OK, sqlite3_finalize(statement));
sqlite3_free(query_str);
sqlite3_close(sql_db);
}
TEST_F(SoftokenTest, ResetSoftokenEmptyPassword) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
EXPECT_EQ(SECSuccess, PK11_ResetToken(slot.get(), nullptr));
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
}
TEST_F(SoftokenTest, ResetSoftokenNonEmptyPassword) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password"));
EXPECT_EQ(SECSuccess, PK11_ResetToken(slot.get(), nullptr));
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password2"));
}
// Test certificate to use in the CreateObject tests.
static const CK_OBJECT_CLASS cko_nss_trust = CKO_NSS_TRUST;
static const CK_BBOOL ck_false = CK_FALSE;
static const CK_BBOOL ck_true = CK_TRUE;
static const CK_TRUST ckt_nss_must_verify_trust = CKT_NSS_MUST_VERIFY_TRUST;
static const CK_TRUST ckt_nss_trusted_delegator = CKT_NSS_TRUSTED_DELEGATOR;
static const CK_ATTRIBUTE attributes[] = {
{CKA_CLASS, (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS)},
{CKA_TOKEN, (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL)},
{CKA_PRIVATE, (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL)},
{CKA_MODIFIABLE, (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL)},
{CKA_LABEL,
(void *)"Symantec Class 2 Public Primary Certification Authority - G4",
(PRUint32)61},
{CKA_CERT_SHA1_HASH,
(void *)"\147\044\220\056\110\001\260\042\226\100\020\106\264\261\147\054"
"\251\165\375\053",
(PRUint32)20},
{CKA_CERT_MD5_HASH,
(void *)"\160\325\060\361\332\224\227\324\327\164\337\276\355\150\336\226",
(PRUint32)16},
{CKA_ISSUER,
(void *)"\060\201\224\061\013\060\011\006\003\125\004\006\023\002\125\123"
"\061\035\060\033\006\003\125\004\012\023\024\123\171\155\141\156"
"\164\145\143\040\103\157\162\160\157\162\141\164\151\157\156\061"
"\037\060\035\006\003\125\004\013\023\026\123\171\155\141\156\164"
"\145\143\040\124\162\165\163\164\040\116\145\164\167\157\162\153"
"\061\105\060\103\006\003\125\004\003\023\074\123\171\155\141\156"
"\164\145\143\040\103\154\141\163\163\040\062\040\120\165\142\154"
"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
"\164\171\040\055\040\107\064",
(PRUint32)151},
{CKA_SERIAL_NUMBER,
(void *)"\002\020\064\027\145\022\100\073\267\126\200\055\200\313\171\125"
"\246\036",
(PRUint32)18},
{CKA_TRUST_SERVER_AUTH, (void *)&ckt_nss_must_verify_trust,
(PRUint32)sizeof(CK_TRUST)},
{CKA_TRUST_EMAIL_PROTECTION, (void *)&ckt_nss_trusted_delegator,
(PRUint32)sizeof(CK_TRUST)},
{CKA_TRUST_CODE_SIGNING, (void *)&ckt_nss_must_verify_trust,
(PRUint32)sizeof(CK_TRUST)},
{CKA_TRUST_STEP_UP_APPROVED, (void *)&ck_false,
(PRUint32)sizeof(CK_BBOOL)}};
TEST_F(SoftokenTest, GetInvalidAttribute) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password"));
ScopedPK11GenericObject obj(PK11_CreateGenericObject(
slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
ASSERT_NE(nullptr, obj);
SECItem out = {siBuffer, nullptr, 0};
SECStatus rv = PK11_ReadRawAttribute(PK11_TypeGeneric, obj.get(),
CKA_ALLOWED_MECHANISMS, &out);
EXPECT_EQ(SECFailure, rv);
// CKR_ATTRIBUTE_TYPE_INVALID maps to SEC_ERROR_BAD_DATA.
EXPECT_EQ(SEC_ERROR_BAD_DATA, PORT_GetError());
}
TEST_F(SoftokenTest, GetValidAttributes) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password"));
ScopedPK11GenericObject obj(PK11_CreateGenericObject(
slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
ASSERT_NE(nullptr, obj);
CK_ATTRIBUTE template_attrs[] = {
{CKA_LABEL, NULL, 0},
{CKA_CERT_SHA1_HASH, NULL, 0},
{CKA_ISSUER, NULL, 0},
};
SECStatus rv =
PK11_ReadRawAttributes(nullptr, PK11_TypeGeneric, obj.get(),
template_attrs, PR_ARRAY_SIZE(template_attrs));
EXPECT_EQ(SECSuccess, rv);
ASSERT_EQ(attributes[4].ulValueLen, template_attrs[0].ulValueLen);
EXPECT_EQ(0, memcmp(attributes[4].pValue, template_attrs[0].pValue,
template_attrs[0].ulValueLen));
ASSERT_EQ(attributes[5].ulValueLen, template_attrs[1].ulValueLen);
EXPECT_EQ(0, memcmp(attributes[5].pValue, template_attrs[1].pValue,
template_attrs[1].ulValueLen));
ASSERT_EQ(attributes[7].ulValueLen, template_attrs[2].ulValueLen);
EXPECT_EQ(0, memcmp(attributes[7].pValue, template_attrs[2].pValue,
template_attrs[2].ulValueLen));
for (unsigned int i = 0; i < PR_ARRAY_SIZE(template_attrs); i++) {
PORT_Free(template_attrs[i].pValue);
}
}
TEST_F(SoftokenTest, GetOnlyInvalidAttributes) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password"));
ScopedPK11GenericObject obj(PK11_CreateGenericObject(
slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
ASSERT_NE(nullptr, obj);
// Provide buffers of sufficient size, so that token
// will write the data. This is annoying, but PK11_GetAttributes
// won't allocate in the cases below when a single attribute
// is missing. So, just put them all on the stack.
unsigned char buf1[100];
unsigned char buf2[100];
CK_ATTRIBUTE template_attrs[] = {{0xffffffffUL, buf1, sizeof(buf1)},
{0xfffffffeUL, buf2, sizeof(buf2)}};
SECStatus rv =
PK11_ReadRawAttributes(nullptr, PK11_TypeGeneric, obj.get(),
template_attrs, PR_ARRAY_SIZE(template_attrs));
EXPECT_EQ(SECFailure, rv);
EXPECT_EQ(SEC_ERROR_BAD_DATA, PORT_GetError());
// MSVC rewards -1UL with a C4146 warning...
ASSERT_EQ(0UL, template_attrs[0].ulValueLen + 1);
ASSERT_EQ(0UL, template_attrs[1].ulValueLen + 1);
}
TEST_F(SoftokenTest, GetAttributesInvalidInterspersed1) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password"));
ScopedPK11GenericObject obj(PK11_CreateGenericObject(
slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
ASSERT_NE(nullptr, obj);
unsigned char buf1[100];
unsigned char buf2[100];
unsigned char buf3[200];
CK_ATTRIBUTE template_attrs[] = {{0xffffffff, buf1, sizeof(buf1)},
{CKA_CERT_SHA1_HASH, buf2, sizeof(buf2)},
{CKA_ISSUER, buf3, sizeof(buf3)}};
SECStatus rv =
PK11_ReadRawAttributes(nullptr, PK11_TypeGeneric, obj.get(),
template_attrs, PR_ARRAY_SIZE(template_attrs));
EXPECT_EQ(SECFailure, rv);
EXPECT_EQ(SEC_ERROR_BAD_DATA, PORT_GetError());
ASSERT_EQ(0UL, template_attrs[0].ulValueLen + 1);
ASSERT_EQ(attributes[5].ulValueLen, template_attrs[1].ulValueLen);
EXPECT_EQ(0, memcmp(attributes[5].pValue, template_attrs[1].pValue,
template_attrs[1].ulValueLen));
ASSERT_EQ(attributes[7].ulValueLen, template_attrs[2].ulValueLen);
EXPECT_EQ(0, memcmp(attributes[7].pValue, template_attrs[2].pValue,
template_attrs[2].ulValueLen));
}
TEST_F(SoftokenTest, GetAttributesInvalidInterspersed2) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password"));
ScopedPK11GenericObject obj(PK11_CreateGenericObject(
slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
ASSERT_NE(nullptr, obj);
unsigned char buf1[100];
unsigned char buf2[100];
unsigned char buf3[100];
CK_ATTRIBUTE template_attrs[] = {{CKA_LABEL, buf1, sizeof(buf1)},
{CKA_CERT_SHA1_HASH, buf2, sizeof(buf2)},
{0xffffffffUL, buf3, sizeof(buf3)}};
SECStatus rv =
PK11_ReadRawAttributes(nullptr, PK11_TypeGeneric, obj.get(),
template_attrs, PR_ARRAY_SIZE(template_attrs));
EXPECT_EQ(SECFailure, rv);
EXPECT_EQ(SEC_ERROR_BAD_DATA, PORT_GetError());
ASSERT_EQ(attributes[4].ulValueLen, template_attrs[0].ulValueLen);
EXPECT_EQ(0, memcmp(attributes[4].pValue, template_attrs[0].pValue,
template_attrs[0].ulValueLen));
ASSERT_EQ(attributes[5].ulValueLen, template_attrs[1].ulValueLen);
EXPECT_EQ(0, memcmp(attributes[5].pValue, template_attrs[1].pValue,
template_attrs[1].ulValueLen));
ASSERT_EQ(0UL, template_attrs[2].ulValueLen + 1);
}
TEST_F(SoftokenTest, GetAttributesInvalidInterspersed3) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password"));
ScopedPK11GenericObject obj(PK11_CreateGenericObject(
slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
ASSERT_NE(nullptr, obj);
unsigned char buf1[100];
unsigned char buf2[100];
unsigned char buf3[100];
unsigned char buf4[100];
unsigned char buf5[100];
unsigned char buf6[200];
CK_ATTRIBUTE template_attrs[6] = {{CKA_LABEL, buf1, sizeof(buf1)},
{0xffffffffUL, buf2, sizeof(buf2)},
{0xfffffffeUL, buf3, sizeof(buf3)},
{CKA_CERT_SHA1_HASH, buf4, sizeof(buf4)},
{0xfffffffdUL, buf5, sizeof(buf5)},
{CKA_ISSUER, buf6, sizeof(buf6)}};
SECStatus rv =
PK11_ReadRawAttributes(nullptr, PK11_TypeGeneric, obj.get(),
template_attrs, PR_ARRAY_SIZE(template_attrs));
EXPECT_EQ(SECFailure, rv);
EXPECT_EQ(SEC_ERROR_BAD_DATA, PORT_GetError());
ASSERT_EQ(attributes[4].ulValueLen, template_attrs[0].ulValueLen);
EXPECT_EQ(0, memcmp(attributes[4].pValue, template_attrs[0].pValue,
template_attrs[0].ulValueLen));
ASSERT_EQ(0UL, template_attrs[1].ulValueLen + 1);
ASSERT_EQ(0UL, template_attrs[2].ulValueLen + 1);
ASSERT_EQ(attributes[5].ulValueLen, template_attrs[3].ulValueLen);
EXPECT_EQ(0, memcmp(attributes[5].pValue, template_attrs[3].pValue,
template_attrs[3].ulValueLen));
ASSERT_EQ(0UL, template_attrs[4].ulValueLen + 1);
ASSERT_EQ(attributes[7].ulValueLen, template_attrs[5].ulValueLen);
EXPECT_EQ(0, memcmp(attributes[7].pValue, template_attrs[5].pValue,
template_attrs[5].ulValueLen));
}
TEST_F(SoftokenTest, CreateObjectNonEmptyPassword) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password"));
EXPECT_EQ(SECSuccess, PK11_Logout(slot.get()));
ScopedPK11GenericObject obj(PK11_CreateGenericObject(
slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
EXPECT_EQ(nullptr, obj);
}
TEST_F(SoftokenTest, CreateObjectChangePassword) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
EXPECT_EQ(SECSuccess, PK11_ChangePW(slot.get(), "", "password"));
EXPECT_EQ(SECSuccess, PK11_Logout(slot.get()));
ScopedPK11GenericObject obj(PK11_CreateGenericObject(
slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
EXPECT_EQ(nullptr, obj);
}
// The size limit for a password is 500 characters as defined in pkcs11i.h
TEST_F(SoftokenTest, CreateObjectChangeToBigPassword) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
EXPECT_EQ(
SECSuccess,
PK11_ChangePW(slot.get(), "",
"rUIFIFr2bxKnbJbitsfkyqttpk6vCJzlYMNxcxXcaN37gSZKbLk763X7iR"
"yeVNWZHQ02lSF69HYjzTyPW3318ZD0DBFMMbALZ8ZPZP73CIo5uIQlaowV"
"IbP8eOhRYtGUqoLGlcIFNEYogV8Q3GN58VeBMs0KxrIOvPQ9s8SnYYkqvt"
"zzgntmAvCgvk64x6eQf0okHwegd5wi6m0WVJytEepWXkP9J629FSa5kNT8"
"FvL3jvslkiImzTNuTvl32fQDXXMSc8vVk5Q3mH7trMZM0VDdwHWYERjHbz"
"kGxFgp0VhediHx7p9kkz6H6ac4et9sW4UkTnN7xhYc1Zr17wRSk2heQtcX"
"oZJGwuzhiKm8A8wkuVxms6zO56P4JORIk8oaUW6lyNTLo2kWWnTA"));
EXPECT_EQ(SECSuccess, PK11_Logout(slot.get()));
ScopedPK11GenericObject obj(PK11_CreateGenericObject(
slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
EXPECT_EQ(nullptr, obj);
}
TEST_F(SoftokenTest, CreateObjectChangeToEmptyPassword) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password"));
EXPECT_EQ(SECSuccess, PK11_ChangePW(slot.get(), "password", ""));
// PK11_Logout returnes an error and SEC_ERROR_TOKEN_NOT_LOGGED_IN if the user
// is not "logged in".
EXPECT_EQ(SECFailure, PK11_Logout(slot.get()));
EXPECT_EQ(SEC_ERROR_TOKEN_NOT_LOGGED_IN, PORT_GetError());
ScopedPK11GenericObject obj(PK11_CreateGenericObject(
slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
// Because there's no password we can't logout and the operation should have
// succeeded.
EXPECT_NE(nullptr, obj);
}
// We should be able to read CRLF, LF and CR.
// During the Initialization of the NSS Database, is called a function to load
// PKCS11 modules defined in pkcs11.txt. This file is read to get the
// specifications, parse them and load the modules. Here we are ensuring that
// the parsing will work correctly, independent of the breaking line format of
// pkcs11.txt file, which could vary depending where it was created.
// If the parsing is not well interpreted, the database cannot initialize.
TEST_F(SoftokenTest, CreateObjectReadBreakLine) {
const std::string path = mNSSDBDir.GetPath();
const std::string dbname_in = path + "/pkcs11.txt";
const std::string dbname_out_cr = path + "/pkcs11_cr.txt";
const std::string dbname_out_crlf = path + "/pkcs11_crlf.txt";
const std::string dbname_out_lf = path + "/pkcs11_lf.txt";
std::ifstream in(dbname_in);
ASSERT_TRUE(in);
std::ofstream out_cr(dbname_out_cr);
ASSERT_TRUE(out_cr);
std::ofstream out_crlf(dbname_out_crlf);
ASSERT_TRUE(out_crlf);
std::ofstream out_lf(dbname_out_lf);
ASSERT_TRUE(out_lf);
// Database should be correctly initialized by Setup()
ASSERT_TRUE(NSS_IsInitialized());
ASSERT_EQ(SECSuccess, NSS_Shutdown());
// Prepare the file formats with CR, CRLF and LF
for (std::string line; getline(in, line);) {
out_cr << line << "\r";
out_crlf << line << "\r\n";
out_lf << line << "\n";
}
in.close();
out_cr.close();
out_crlf.close();
out_lf.close();
// Change the pkcs11.txt to CR format.
ASSERT_TRUE(!remove(dbname_in.c_str()));
ASSERT_TRUE(!rename(dbname_out_cr.c_str(), dbname_in.c_str()));
// Try to initialize with CR format.
std::string nssInitArg("sql:");
nssInitArg.append(mNSSDBDir.GetUTF8Path());
ASSERT_EQ(SECSuccess, NSS_Initialize(nssInitArg.c_str(), "", "", SECMOD_DB,
NSS_INIT_NOROOTINIT));
ASSERT_TRUE(NSS_IsInitialized());
ASSERT_EQ(SECSuccess, NSS_Shutdown());
// Change the pkcs11.txt to CRLF format.
ASSERT_TRUE(!remove(dbname_in.c_str()));
ASSERT_TRUE(!rename(dbname_out_crlf.c_str(), dbname_in.c_str()));
// Try to initialize with CRLF format.
ASSERT_EQ(SECSuccess, NSS_Initialize(nssInitArg.c_str(), "", "", SECMOD_DB,
NSS_INIT_NOROOTINIT));
ASSERT_TRUE(NSS_IsInitialized());
ASSERT_EQ(SECSuccess, NSS_Shutdown());
// Change the pkcs11.txt to LF format.
ASSERT_TRUE(!remove(dbname_in.c_str()));
ASSERT_TRUE(!rename(dbname_out_lf.c_str(), dbname_in.c_str()));
// Try to initialize with LF format.
ASSERT_EQ(SECSuccess, NSS_Initialize(nssInitArg.c_str(), "", "", SECMOD_DB,
NSS_INIT_NOROOTINIT));
ASSERT_TRUE(NSS_IsInitialized());
}
class SoftokenNonAsciiTest : public SoftokenTest {
protected:
SoftokenNonAsciiTest() : SoftokenTest("SoftokenTest.\xF7-") {}
};
TEST_F(SoftokenNonAsciiTest, NonAsciiPathWorking) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
EXPECT_EQ(SECSuccess, PK11_ResetToken(slot.get(), nullptr));
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
}
// This is just any X509 certificate. Its contents don't matter.
static unsigned char certDER[] = {
0x30, 0x82, 0x01, 0xEF, 0x30, 0x82, 0x01, 0x94, 0xA0, 0x03, 0x02, 0x01,
0x02, 0x02, 0x14, 0x49, 0xC4, 0xC4, 0x4A, 0xB6, 0x86, 0x07, 0xA3, 0x06,
0xDC, 0x4D, 0xC8, 0xC3, 0xFE, 0xC7, 0x21, 0x3A, 0x2D, 0xE4, 0xDA, 0x30,
0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B,
0x30, 0x0F, 0x31, 0x0D, 0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C,
0x04, 0x74, 0x65, 0x73, 0x74, 0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31,
0x35, 0x31, 0x31, 0x32, 0x38, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5A,
0x18, 0x0F, 0x32, 0x30, 0x31, 0x38, 0x30, 0x32, 0x30, 0x35, 0x30, 0x30,
0x30, 0x30, 0x30, 0x30, 0x5A, 0x30, 0x0F, 0x31, 0x0D, 0x30, 0x0B, 0x06,
0x03, 0x55, 0x04, 0x03, 0x0C, 0x04, 0x74, 0x65, 0x73, 0x74, 0x30, 0x82,
0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82,
0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0xBA, 0x88, 0x51, 0xA8, 0x44,
0x8E, 0x16, 0xD6, 0x41, 0xFD, 0x6E, 0xB6, 0x88, 0x06, 0x36, 0x10, 0x3D,
0x3C, 0x13, 0xD9, 0xEA, 0xE4, 0x35, 0x4A, 0xB4, 0xEC, 0xF5, 0x68, 0x57,
0x6C, 0x24, 0x7B, 0xC1, 0xC7, 0x25, 0xA8, 0xE0, 0xD8, 0x1F, 0xBD, 0xB1,
0x9C, 0x06, 0x9B, 0x6E, 0x1A, 0x86, 0xF2, 0x6B, 0xE2, 0xAF, 0x5A, 0x75,
0x6B, 0x6A, 0x64, 0x71, 0x08, 0x7A, 0xA5, 0x5A, 0xA7, 0x45, 0x87, 0xF7,
0x1C, 0xD5, 0x24, 0x9C, 0x02, 0x7E, 0xCD, 0x43, 0xFC, 0x1E, 0x69, 0xD0,
0x38, 0x20, 0x29, 0x93, 0xAB, 0x20, 0xC3, 0x49, 0xE4, 0xDB, 0xB9, 0x4C,
0xC2, 0x6B, 0x6C, 0x0E, 0xED, 0x15, 0x82, 0x0F, 0xF1, 0x7E, 0xAD, 0x69,
0x1A, 0xB1, 0xD3, 0x02, 0x3A, 0x8B, 0x2A, 0x41, 0xEE, 0xA7, 0x70, 0xE0,
0x0F, 0x0D, 0x8D, 0xFD, 0x66, 0x0B, 0x2B, 0xB0, 0x24, 0x92, 0xA4, 0x7D,
0xB9, 0x88, 0x61, 0x79, 0x90, 0xB1, 0x57, 0x90, 0x3D, 0xD2, 0x3B, 0xC5,
0xE0, 0xB8, 0x48, 0x1F, 0xA8, 0x37, 0xD3, 0x88, 0x43, 0xEF, 0x27, 0x16,
0xD8, 0x55, 0xB7, 0x66, 0x5A, 0xAA, 0x7E, 0x02, 0x90, 0x2F, 0x3A, 0x7B,
0x10, 0x80, 0x06, 0x24, 0xCC, 0x1C, 0x6C, 0x97, 0xAD, 0x96, 0x61, 0x5B,
0xB7, 0xE2, 0x96, 0x12, 0xC0, 0x75, 0x31, 0xA3, 0x0C, 0x91, 0xDD, 0xB4,
0xCA, 0xF7, 0xFC, 0xAD, 0x1D, 0x25, 0xD3, 0x09, 0xEF, 0xB9, 0x17, 0x0E,
0xA7, 0x68, 0xE1, 0xB3, 0x7B, 0x2F, 0x22, 0x6F, 0x69, 0xE3, 0xB4, 0x8A,
0x95, 0x61, 0x1D, 0xEE, 0x26, 0xD6, 0x25, 0x9D, 0xAB, 0x91, 0x08, 0x4E,
0x36, 0xCB, 0x1C, 0x24, 0x04, 0x2C, 0xBF, 0x16, 0x8B, 0x2F, 0xE5, 0xF1,
0x8F, 0x99, 0x17, 0x31, 0xB8, 0xB3, 0xFE, 0x49, 0x23, 0xFA, 0x72, 0x51,
0xC4, 0x31, 0xD5, 0x03, 0xAC, 0xDA, 0x18, 0x0A, 0x35, 0xED, 0x8D, 0x02,
0x03, 0x01, 0x00, 0x01, 0x30, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20,
0x5C, 0x75, 0x51, 0x9F, 0x13, 0x11, 0x50, 0xCD, 0x5D, 0x8A, 0xDE, 0x20,
0xA3, 0xBC, 0x06, 0x30, 0x91, 0xFF, 0xB2, 0x73, 0x75, 0x5F, 0x31, 0x64,
0xEC, 0xFD, 0xCB, 0x42, 0x80, 0x0A, 0x70, 0xE6, 0x02, 0x21, 0x00, 0x82,
0x12, 0xF7, 0xE5, 0xEA, 0x40, 0x27, 0xFD, 0xF7, 0xC0, 0x0E, 0x25, 0xF3,
0x3E, 0x34, 0x95, 0x80, 0xB9, 0xA3, 0x38, 0xE0, 0x56, 0x68, 0xDA, 0xE5,
0xC1, 0xF5, 0x37, 0xC7, 0xB5, 0xCE, 0x0D};
struct PasswordPair {
const char *mInitialPassword;
const char *mSecondPassword;
};
class SoftokenPasswordChangeTest
: public SoftokenTest,
public ::testing::WithParamInterface<PasswordPair> {};
TEST_P(SoftokenPasswordChangeTest, KeepTrustAfterPasswordChange) {
const PasswordPair &passwords = GetParam();
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
// Set a password.
EXPECT_EQ(SECSuccess,
PK11_InitPin(slot.get(), nullptr, passwords.mInitialPassword));
SECItem certDERItem = {siBuffer, certDER, sizeof(certDER)};
// Import a certificate.
ScopedCERTCertificate cert(CERT_NewTempCertificate(
CERT_GetDefaultCertDB(), &certDERItem, nullptr, true, true));
EXPECT_TRUE(cert);
SECStatus result =
PK11_ImportCert(slot.get(), cert.get(), CK_INVALID_HANDLE, "test", false);
EXPECT_EQ(SECSuccess, result);
// Set a trust value.
CERTCertTrust trust = {CERTDB_TRUSTED_CLIENT_CA | CERTDB_NS_TRUSTED_CA |
CERTDB_TRUSTED_CA | CERTDB_VALID_CA,
0, 0};
result = CERT_ChangeCertTrust(nullptr, cert.get(), &trust);
EXPECT_EQ(SECSuccess, result);
// Release the certificate to ensure we get it from the DB rather than an
// in-memory cache, below.
cert = nullptr;
// Change the password.
result = PK11_ChangePW(slot.get(), passwords.mInitialPassword,
passwords.mSecondPassword);
EXPECT_EQ(SECSuccess, result);
// Look up the certificate again.
ScopedCERTCertificate newCert(
PK11_FindCertFromDERCertItem(slot.get(), &certDERItem, nullptr));
EXPECT_TRUE(newCert.get());
// The trust should be the same as before.
CERTCertTrust newTrust = {0, 0, 0};
result = CERT_GetCertTrust(newCert.get(), &newTrust);
EXPECT_EQ(SECSuccess, result);
EXPECT_EQ(trust.sslFlags, newTrust.sslFlags);
EXPECT_EQ(trust.emailFlags, newTrust.emailFlags);
EXPECT_EQ(trust.objectSigningFlags, newTrust.objectSigningFlags);
}
static const PasswordPair PASSWORD_CHANGE_TESTS[] = {
{"password", ""}, // non-empty to empty password
{"", "password"}, // empty to non-empty password
{"password", "password2"}, // non-empty to non-empty password
};
INSTANTIATE_TEST_SUITE_P(SoftokenPasswordChangeTests,
SoftokenPasswordChangeTest,
::testing::ValuesIn(PASSWORD_CHANGE_TESTS));
class SoftokenNoDBTest : public ::testing::Test {};
TEST_F(SoftokenNoDBTest, NeedUserInitNoDB) {
ASSERT_EQ(SECSuccess, NSS_NoDB_Init("."));
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
EXPECT_EQ(PR_FALSE, PK11_NeedUserInit(slot.get()));
// When shutting down in here we have to release the slot first.
slot = nullptr;
ASSERT_EQ(SECSuccess, NSS_Shutdown());
}
SECStatus test_dh_value(const PQGParams *params, const SECItem *pub_key_value,
PRBool genFailOK, time_t *time) {
SECKEYDHParams dh_params;
dh_params.base = params->base;
dh_params.prime = params->prime;
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
EXPECT_TRUE(slot);
if (!slot) return SECFailure;
/* create a private/public key pair in with the given params */
SECKEYPublicKey *pub_tmp = nullptr;
ScopedSECKEYPrivateKey priv_key(
PK11_GenerateKeyPair(slot.get(), CKM_DH_PKCS_KEY_PAIR_GEN, &dh_params,
&pub_tmp, PR_FALSE, PR_TRUE, nullptr));
if ((genFailOK) && ((priv_key.get() == nullptr) || (pub_tmp == nullptr))) {
return SECFailure;
}
EXPECT_NE(nullptr, priv_key.get())
<< "PK11_GenerateKeyPair failed: " << PORT_ErrorToName(PORT_GetError());
EXPECT_NE(nullptr, pub_tmp);
if ((priv_key.get() == nullptr) || (pub_tmp == nullptr)) return SECFailure;
ScopedSECKEYPublicKey pub_key(pub_tmp);
ScopedSECKEYPublicKey peer_pub_key_manager(nullptr);
SECKEYPublicKey *peer_pub_key = pub_key.get();
/* if a subprime has been given set it on the PKCS #11 key */
if (params->subPrime.data != nullptr) {
SECStatus rv;
EXPECT_EQ(SECSuccess, rv = PK11_WriteRawAttribute(
PK11_TypePrivKey, priv_key.get(), CKA_SUBPRIME,
(SECItem *)¶ms->subPrime))
<< "PK11_WriteRawAttribute failed: "
<< PORT_ErrorToString(PORT_GetError());
if (rv != SECSuccess) {
return rv;
}
}
/* find if we weren't passed a public value in, use the
* one we just generated */
if (pub_key_value && pub_key_value->data) {
peer_pub_key = SECKEY_CopyPublicKey(pub_key.get());
EXPECT_NE(nullptr, peer_pub_key);
if (peer_pub_key == nullptr) {
return SECFailure;
}
peer_pub_key->u.dh.publicValue = *pub_key_value;
peer_pub_key_manager.reset(peer_pub_key);
}
/* now do the derive. time it and return the time if
* the caller requested it. */
auto start = high_resolution_clock::now();
ScopedPK11SymKey derivedKey(PK11_PubDerive(
priv_key.get(), peer_pub_key, PR_FALSE, nullptr, nullptr,
CKM_DH_PKCS_DERIVE, CKM_HKDF_DERIVE, CKA_DERIVE, 32, nullptr));
auto stop = high_resolution_clock::now();
if (!derivedKey) {
std::cerr << "PK11_PubDerive failed: "
<< PORT_ErrorToString(PORT_GetError()) << std::endl;
}
if (time) {
auto duration = duration_cast<microseconds>(stop - start);
*time = duration.count();
}
return derivedKey ? SECSuccess : SECFailure;
}
class SoftokenDhTest : public SoftokenTest {
protected:
SoftokenDhTest() : SoftokenTest("SoftokenDhTest.d-") {}
#ifdef NSS_USE_TIMING_CODE
time_t reference_time[CLASS_LAST] = {0};
#endif
virtual void SetUp() {
SoftokenTest::SetUp();
#ifdef NSS_USE_TIMING_CODE
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
ASSERT_TRUE(slot);
time_t time;
for (int i = CLASS_FIRST; i < CLASS_LAST; i++) {
PQGParams params;
params.prime.data = (unsigned char *)reference_prime[i];
params.prime.len = reference_prime_len[i];
params.base.data = (unsigned char *)g2;
params.base.len = sizeof(g2);
params.subPrime.data = nullptr;
params.subPrime.len = 0;
ASSERT_EQ(SECSuccess, test_dh_value(¶ms, nullptr, PR_FALSE, &time));
reference_time[i] = time / 2 + 3 * time;
}
#endif
};
};
const char *param_value(DhParamType param_type) {
switch (param_type) {
case TLS_APPROVED:
return "TLS_APPROVED";
case IKE_APPROVED:
return "IKE_APPROVED";
case SAFE_PRIME:
return "SAFE_PRIME";
case SAFE_PRIME_WITH_SUBPRIME:
return "SAFE_PRIME_WITH_SUBPRIME";
case KNOWN_SUBPRIME:
return "KNOWN_SUBPRIME";
case UNKNOWN_SUBPRIME:
return "UNKNOWN_SUBPRIME";
case WRONG_SUBPRIME:
return "WRONG_SUBPRIME";
case BAD_PUB_KEY:
return "BAD_PUB_KEY";
}
return "**Invalid**";
}
const char *key_value(DhKeyClass key_class) {
switch (key_class) {
case CLASS_1536:
return "CLASS_1536";
case CLASS_2048:
return "CLASS_2048";
case CLASS_3072:
return "CLASS_3072";
case CLASS_4096:
return "CLASS_4096";
case CLASS_6144:
return "CLASS_6144";
case CLASS_8192:
return "CLASS_8192";
case CLASS_LAST:
break;
}
return "**Invalid**";
}
class SoftokenDhValidate : public SoftokenDhTest,
public ::testing::WithParamInterface<DhTestVector> {
};
/* test the DH validation process. In non-fips mode, only BAD_PUB_KEY tests
* should fail */
TEST_P(SoftokenDhValidate, DhVectors) {
const DhTestVector dhTestValues = GetParam();
std::string testId = (char *)(dhTestValues.id);
std::string err = "Test(" + testId + ") failed";
SECStatus rv;
time_t time;
PQGParams params;
params.prime = dhTestValues.p;
params.base = dhTestValues.g;
params.subPrime = dhTestValues.q;
std::cerr << "Test: " + testId << std::endl
<< "param_type: " << param_value(dhTestValues.param_type)
<< ", key_class: " << key_value(dhTestValues.key_class) << std::endl
<< "p: " << DataBuffer(dhTestValues.p.data, dhTestValues.p.len)
<< std::endl
<< "g: " << DataBuffer(dhTestValues.g.data, dhTestValues.g.len)
<< std::endl
<< "q: " << DataBuffer(dhTestValues.q.data, dhTestValues.q.len)
<< std::endl
<< "pub_key: "
<< DataBuffer(dhTestValues.pub_key.data, dhTestValues.pub_key.len)
<< std::endl;
rv = test_dh_value(¶ms, &dhTestValues.pub_key, PR_FALSE, &time);
switch (dhTestValues.param_type) {
case TLS_APPROVED:
case IKE_APPROVED:
case SAFE_PRIME:
case UNKNOWN_SUBPRIME:
EXPECT_EQ(SECSuccess, rv) << err;
#ifdef NSS_USE_TIMING_CODE
EXPECT_LE(time, reference_time[dhTestValues.key_class]) << err;
#endif
break;
case KNOWN_SUBPRIME:
case SAFE_PRIME_WITH_SUBPRIME:
EXPECT_EQ(SECSuccess, rv) << err;
#ifdef NSS_USE_TIMING_CODE
EXPECT_GT(time, reference_time[dhTestValues.key_class]) << err;
#endif
break;
case WRONG_SUBPRIME:
case BAD_PUB_KEY:
EXPECT_EQ(SECFailure, rv) << err;
break;
}
}
INSTANTIATE_TEST_SUITE_P(DhValidateCases, SoftokenDhValidate,
::testing::ValuesIn(DH_TEST_VECTORS));
#ifndef NSS_FIPS_DISABLED
class SoftokenFipsTest : public SoftokenTest {
protected:
SoftokenFipsTest() : SoftokenTest("SoftokenFipsTest.d-") {}
SoftokenFipsTest(const std::string &prefix) : SoftokenTest(prefix) {}
virtual void SetUp() {
SoftokenTest::SetUp();
// Turn on FIPS mode (code borrowed from FipsMode in modutil/pk11.c)
char *internal_name;
ASSERT_FALSE(PK11_IsFIPS());
internal_name = PR_smprintf("%s", SECMOD_GetInternalModule()->commonName);
ASSERT_EQ(SECSuccess, SECMOD_DeleteInternalModule(internal_name))
<< PORT_ErrorToName(PORT_GetError());
PR_smprintf_free(internal_name);
ASSERT_TRUE(PK11_IsFIPS());
}
};
class SoftokenFipsDhTest : public SoftokenFipsTest {
protected:
SoftokenFipsDhTest() : SoftokenFipsTest("SoftokenFipsDhTest.d-") {}
#ifdef NSS_USE_TIMING_CODE
time_t reference_time[CLASS_LAST] = {0};
#endif
virtual void SetUp() {
SoftokenFipsTest::SetUp();
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
ASSERT_TRUE(slot);
ASSERT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, ""));
ASSERT_EQ(SECSuccess, PK11_Authenticate(slot.get(), PR_FALSE, nullptr));
#ifdef NSS_USE_TIMING_CODE
time_t time;
for (int i = CLASS_FIRST; i < CLASS_LAST; i++) {
PQGParams params;
params.prime.data = (unsigned char *)reference_prime[i];
params.prime.len = reference_prime_len[i];
params.base.data = (unsigned char *)g2;
params.base.len = sizeof(g2);
params.subPrime.data = nullptr;
params.subPrime.len = 0;
ASSERT_EQ(SECSuccess, test_dh_value(¶ms, nullptr, PR_FALSE, &time));
reference_time[i] = time / 2 + 3 * time;
}
#endif
};
};
const std::vector<std::string> kFipsPasswordCases[] = {
// FIPS level1 -> level1 -> level1
{"", "", ""},
// FIPS level1 -> level1 -> level2
{"", "", "strong-_123"},
// FIXME: this should work: FIPS level1 -> level2 -> level2
// {"", "strong-_123", "strong-_456"},
// FIPS level2 -> level2 -> level2
{"strong-_123", "strong-_456", "strong-_123"}};
const std::vector<std::string> kFipsPasswordBadCases[] = {
// FIPS level1 -> level2 -> level1
{"", "strong-_123", ""},
// FIPS level2 -> level1 -> level1
{"strong-_123", ""},
// FIPS level2 -> level2 -> level1
{"strong-_123", "strong-_456", ""},
// initialize with a weak password
{"weak"},
// FIPS level1 -> weak password
{"", "weak"},
// FIPS level2 -> weak password
{"strong-_123", "weak"}};
class SoftokenFipsPasswordTest
: public SoftokenFipsTest,
public ::testing::WithParamInterface<std::vector<std::string>> {};
class SoftokenFipsBadPasswordTest
: public SoftokenFipsTest,
public ::testing::WithParamInterface<std::vector<std::string>> {};
TEST_P(SoftokenFipsPasswordTest, SetPassword) {
const std::vector<std::string> &passwords = GetParam();
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
auto it = passwords.begin();
auto prev_it = it;
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, (*it).c_str()));
for (it++; it != passwords.end(); it++, prev_it++) {
EXPECT_EQ(SECSuccess,
PK11_ChangePW(slot.get(), (*prev_it).c_str(), (*it).c_str()));
}
}
TEST_P(SoftokenFipsBadPasswordTest, SetBadPassword) {
const std::vector<std::string> &passwords = GetParam();
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
auto it = passwords.begin();
auto prev_it = it;
SECStatus rv = PK11_InitPin(slot.get(), nullptr, (*it).c_str());
if (it + 1 == passwords.end())
EXPECT_EQ(SECFailure, rv);
else
EXPECT_EQ(SECSuccess, rv);
for (it++; it != passwords.end(); it++, prev_it++) {
rv = PK11_ChangePW(slot.get(), (*prev_it).c_str(), (*it).c_str());
if (it + 1 == passwords.end())
EXPECT_EQ(SECFailure, rv);
else
EXPECT_EQ(SECSuccess, rv);
}
}
class SoftokenFipsDhValidate
: public SoftokenFipsDhTest,
public ::testing::WithParamInterface<DhTestVector> {};
/* test the DH validation process. In fips mode, primes with unknown
* subprimes, and all sorts of bad public keys should fail */
TEST_P(SoftokenFipsDhValidate, DhVectors) {
const DhTestVector dhTestValues = GetParam();
std::string testId = (char *)(dhTestValues.id);
std::string err = "Test(" + testId + ") failed";
time_t time;
PRBool genFailOK = PR_FALSE;
SECStatus rv;
PQGParams params;
params.prime = dhTestValues.p;
params.base = dhTestValues.g;
params.subPrime = dhTestValues.q;
std::cerr << "Test:" + testId << std::endl
<< "param_type: " << param_value(dhTestValues.param_type)
<< ", key_class: " << key_value(dhTestValues.key_class) << std::endl
<< "p: " << DataBuffer(dhTestValues.p.data, dhTestValues.p.len)
<< std::endl
<< "g: " << DataBuffer(dhTestValues.g.data, dhTestValues.g.len)
<< std::endl
<< "q: " << DataBuffer(dhTestValues.q.data, dhTestValues.q.len)
<< std::endl
<< "pub_key: "
<< DataBuffer(dhTestValues.pub_key.data, dhTestValues.pub_key.len)
<< std::endl;
if ((dhTestValues.param_type != TLS_APPROVED) &&
(dhTestValues.param_type != IKE_APPROVED)) {
genFailOK = PR_TRUE;
}
rv = test_dh_value(¶ms, &dhTestValues.pub_key, genFailOK, &time);
switch (dhTestValues.param_type) {
case TLS_APPROVED:
case IKE_APPROVED:
EXPECT_EQ(SECSuccess, rv) << err;
#ifdef NSS_USE_TIMING_CODE
EXPECT_LE(time, reference_time[dhTestValues.key_class]) << err;
#endif
break;
case SAFE_PRIME:
case SAFE_PRIME_WITH_SUBPRIME:
case KNOWN_SUBPRIME:
case UNKNOWN_SUBPRIME:
case WRONG_SUBPRIME:
case BAD_PUB_KEY:
EXPECT_EQ(SECFailure, rv) << err;
break;
}
}
INSTANTIATE_TEST_SUITE_P(FipsPasswordCases, SoftokenFipsPasswordTest,
::testing::ValuesIn(kFipsPasswordCases));
INSTANTIATE_TEST_SUITE_P(BadFipsPasswordCases, SoftokenFipsBadPasswordTest,
::testing::ValuesIn(kFipsPasswordBadCases));
INSTANTIATE_TEST_SUITE_P(FipsDhCases, SoftokenFipsDhValidate,
::testing::ValuesIn(DH_TEST_VECTORS));
#endif
} // namespace nss_test
int main(int argc, char **argv) {
::testing::InitGoogleTest(&argc, argv);
return RUN_ALL_TESTS();
}