Increase test coverage of ALLOWED_MECHANISMS usage

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
beldmit · Jan 20, 2025 · 1f01ddb · 1f01ddb
1 parent d889a1d
commit 1f01ddb
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 1 deletion.
diff --git a/src/storage/nssdb/attrs.rs b/src/storage/nssdb/attrs.rs
@@ -262,11 +262,12 @@ pub fn is_db_attribute(attr: CK_ATTRIBUTE_TYPE) -> bool {
     NSS_KNOWN_ATTRIBUTES.contains(&attr)
 }
 
-pub static NSS_SKIP_ATTRIBUTES: [CK_ATTRIBUTE_TYPE; 4] = [
+pub static NSS_SKIP_ATTRIBUTES: [CK_ATTRIBUTE_TYPE; 5] = [
     CKA_UNIQUE_ID,
     CKA_COPYABLE,
     CKA_DESTROYABLE,
     CKA_VALIDATION_FLAGS,
+    CKA_ALLOWED_MECHANISMS,
 ];
 
 pub fn is_skippable_attribute(attr: CK_ATTRIBUTE_TYPE) -> bool {

diff --git a/src/tests/rsa.rs b/src/tests/rsa.rs
@@ -202,6 +202,7 @@ fn test_rsa_operations() {
         sLen: salt.len() as CK_ULONG,
     };
 
+    /* this is the only allowed mechanism */
     let mechanism: CK_MECHANISM = CK_MECHANISM {
         mechanism: CKM_SHA384_RSA_PKCS_PSS,
         pParameter: &params as *const _ as CK_VOID_PTR,
@@ -222,6 +223,27 @@ fn test_rsa_operations() {
     let ret = sig_verify(session, pub_key_handle, &msg, &signed, &mechanism);
     assert_eq!(ret, CKR_OK);
 
+    if testtokn.dbtype != "nssdb" {
+        /* this is not allowed mechanism per CKA_ALLOWED_MECHANISMS */
+        let params = CK_RSA_PKCS_PSS_PARAMS {
+            hashAlg: CKM_SHA512,
+            mgf: CKG_MGF1_SHA512,
+            sLen: salt.len() as CK_ULONG,
+        };
+        let mechanism: CK_MECHANISM = CK_MECHANISM {
+            mechanism: CKM_SHA512_RSA_PKCS_PSS,
+            pParameter: &params as *const _ as CK_VOID_PTR,
+            ulParameterLen: sizeof!(CK_RSA_PKCS_PSS_PARAMS),
+        };
+
+        match sig_gen(session, pri_key_handle, &msg, &mechanism) {
+            Ok(_) => panic!(
+                "The operation using non-allowed mechanisms should have failed"
+            ),
+            Err(e) => assert_eq!(e.rv(), CKR_MECHANISM_INVALID),
+        }
+    }
+
     #[cfg(not(feature = "fips"))]
     {
         /* RSA PKCS Enc */

diff --git a/testdata/test_rsa_operations.json b/testdata/test_rsa_operations.json
@@ -96,6 +96,7 @@
         "CKA_LABEL": "SigVerPSS_186-3.rsp [mod = 3072]",
         "CKA_MODIFIABLE": false,
         "CKA_MODULUS": "pfPaCq9UtF+ZpdcIXyE8NyHL5+g7Pmw/4PWoTH44e6UTOSwoqQENO2GMA4R+axG7u+TV5H/JfqaWJQaZ6W7NkRQE97gGlXA4pou1mlIPLZAYLRg+A1IEqRTmrAPCvG0/nXhWsl+QQbVt8xDeP+swqkaKBmih5dqc2xhZVsql114c3KwtuCMXNJVhkQU2cjG38t51KKinnsn9u6tgEXiiBKWqThl1nrFupLq4e/SLsXkPn8brTVZ00/vBG5IlWNTlaORUsmpxePPhR76wyMpuz/XlKvJIrAfWoYk5PhcjKt/y90I/VrlLmn1h/eI6lVisejvHwGdIpdoRdZ+SuvTjhrsCElZbW+7PMdBjz6txr4lrPXNHUNm8oHNDv7PChkUibp2tMHD8JHxxwHjpdJNJQQAKedAaurFNIfXmCMTk0T3uwa7ymOEkfFC0e/7mFi81L0HNuoYo0dYohIyHbPsQLazOf6FgwE06q8hmehQqcQt/SV/TUMSGKmU9FcM9kmb9",
+        "CKA_ALLOWED_MECHANISMS": "RAAAAAAAAAA=",
         "CKA_PRIVATE": true,
         "CKA_SENSITIVE": true,
         "CKA_EXTRACTABLE": false,