+
+
+class KbkdfGroupFixture: public DPL::Test::TestGroup
+{
+public:
+ void Init() override
+ {
+ remove_user_data(UID);
+ assert_positive(ckmc_unlock_user_key, UID, "db-pass");
+
+ ckmc_raw_buffer_s* secret = createRandomBufferCAPI(12);
+
+ assert_positive(ckmc_save_data, SECRET.c_str(), *secret, UNEXPORTABLE);
+ }
+
+ void Finish() override
+ {
+ int ret = ckmc_lock_user_key(UID);
+ if (ret != CKMC_ERROR_NONE)
+ RUNNER_ERROR_MSG("DB lock failed: " << CKMCErrorToString(ret));
+ remove_user_data(UID);
+ }
+};
+
+RUNNER_TEST_GROUP_INIT_ENV(CKM_DERIVE_KBKDF, KbkdfGroupFixture);
+
+RUNNER_TEST(TKBKDF_0010_positive, DerivedFixture)
+{
+ KbkdfParamTester test;
+
+ test.Ok(&U32, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, nullptr, nullptr);
+
+ test.Ok(&U16, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, nullptr, nullptr);
+ test.Ok(&U24, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, nullptr, nullptr);
+
+ test.Ok(&U32, &HMAC384, &COUNTER, &BEFORE, CTX, LAB, nullptr, nullptr, nullptr);
+ test.Ok(&U32, &HMAC512, &COUNTER, &BEFORE, CTX, LAB, nullptr, nullptr, nullptr);
+
+ test.Ok(&U32, &HMAC256, &COUNTER, &AFTER, CTX, LAB, nullptr, nullptr, nullptr);
+ test.Ok(&U32, &HMAC256, &COUNTER, &MIDDLE, CTX, LAB, nullptr, nullptr, nullptr);
+
+ test.Ok(&U32, &HMAC256, &COUNTER, &BEFORE, ONE, LAB, nullptr, nullptr, nullptr);
+ test.Ok(&U32, &HMAC256, &COUNTER, &BEFORE, CTX, ONE, nullptr, nullptr, nullptr);
+
+ test.Ok(&U32, &HMAC256, &COUNTER, &BEFORE, nullptr, nullptr, FIX, nullptr, nullptr);
+ test.Ok(&U32, &HMAC256, &COUNTER, &AFTER, nullptr, nullptr, FIX, nullptr, nullptr);
+
+ test.Ok(&U32, &HMAC256, &COUNTER, &BEFORE, nullptr, nullptr, ONE, nullptr, nullptr);
+
+ test.Ok(&U32, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, &U32, nullptr);
+ test.Ok(&U32, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, &U24, nullptr);
+ test.Ok(&U32, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, &U16, nullptr);
+ test.Ok(&U32, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, &U8, nullptr);
+
+ test.Ok(&U32, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, nullptr, &U32);
+ test.Ok(&U32, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, nullptr, &U24);
+ test.Ok(&U32, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, nullptr, &U16);
+ test.Ok(&U32, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, nullptr, &U8);
+ test.Ok(&U32, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, nullptr, &U0);
+
+ test.Ok(&U32, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, nullptr, nullptr, true);
+ test.Ok(&U32, &HMAC256, &COUNTER, &MIDDLE, CTX, LAB, nullptr, nullptr, nullptr, true);
+}
+
+RUNNER_TEST(TKBKDF_0020_derive_from_derived, DerivedFixture)
+{
+ auto kbkdfParams = getDefaultKBKDFParams();
+ assert_positive(ckmc_key_derive,
+ kbkdfParams.get(),
+ SECRET.c_str(),
+ "",
+ DERIVED.c_str(),
+ UNEXPORTABLE);
+
+ assert_positive(ckmc_key_derive,
+ kbkdfParams.get(),
+ DERIVED.c_str(),
+ "",
+ "derived2",
+ EXPORTABLE);
+
+ ckmc_key_s *derived2 = nullptr;
+ assert_positive(ckmc_get_key, "derived2", "", &derived2);
+ ckmc_key_free(derived2);
+}
+
+RUNNER_TEST(TKBKDF_0030_unknown_alias, DerivedFixture)
+{
+ auto kbkdfParams = getDefaultKBKDFParams();
+ assert_result(CKMC_ERROR_DB_ALIAS_UNKNOWN,
+ ckmc_key_derive,
+ kbkdfParams.get(),
+ "nonexistent-alias",
+ "",
+ DERIVED.c_str(),
+ EXPORTABLE);
+}
+
+RUNNER_TEST(TKBKDF_0040_wrong_password, DerivedFixture)
+{
+ auto kbkdfParams = getDefaultKBKDFParams();
+ assert_result(CKMC_ERROR_AUTHENTICATION_FAILED,
+ ckmc_key_derive,
+ kbkdfParams.get(),
+ SECRET.c_str(),
+ "wrong-password",
+ DERIVED.c_str(),
+ EXPORTABLE);
+}
+
+RUNNER_TEST(TKBKDF_0050_alias_exists, DerivedFixture)
+{
+ auto kbkdfParams = getDefaultKBKDFParams();
+ assert_positive(ckmc_key_derive,
+ kbkdfParams.get(),
+ SECRET.c_str(),
+ "",
+ DERIVED.c_str(),
+ EXPORTABLE);
+
+ assert_result(CKMC_ERROR_DB_ALIAS_EXISTS,
+ ckmc_key_derive,
+ kbkdfParams.get(),
+ SECRET.c_str(),
+ "",
+ DERIVED.c_str(),
+ EXPORTABLE);
+}
+
+RUNNER_TEST(TKBKDF_0060_derived_password, DerivedFixture)
+{
+ auto kbkdfParams = getDefaultKBKDFParams();
+ assert_positive(ckmc_key_derive,
+ kbkdfParams.get(),
+ SECRET.c_str(),
+ "",
+ DERIVED.c_str(),
+ EXPORTABLE);
+
+ ckmc_key_s *derived = nullptr;
+ assert_result(
+ CKMC_ERROR_AUTHENTICATION_FAILED, ckmc_get_key, DERIVED.c_str(), PASSWORD, &derived);
+
+ assert_positive(ckmc_remove_alias, DERIVED.c_str());
+
+ assert_positive(ckmc_key_derive,
+ kbkdfParams.get(),
+ SECRET.c_str(),
+ "",
+ DERIVED.c_str(),
+ EXPORTABLE_PW);
+
+ assert_result(
+ CKMC_ERROR_AUTHENTICATION_FAILED, ckmc_get_key, DERIVED.c_str(), "", &derived);
+ assert_positive(ckmc_get_key, DERIVED.c_str(), PASSWORD, &derived);
+ ckmc_key_free(derived);
+}
+
+RUNNER_TEST(TKBKDF_0070_unexportable, DerivedFixture)
+{
+ auto kbkdfParams = getDefaultKBKDFParams();
+ assert_positive(ckmc_key_derive,
+ kbkdfParams.get(),
+ SECRET.c_str(),
+ "",
+ DERIVED.c_str(),
+ UNEXPORTABLE);
+
+ ckmc_key_s *derived = nullptr;
+ assert_result(CKMC_ERROR_NOT_EXPORTABLE, ckmc_get_key, DERIVED.c_str(), "", &derived);
+}
+
+RUNNER_TEST(TKBKDF_0100_wrong_params, DerivedFixture)
+{
+ KbkdfParamTester test;
+
+ // missing parameters
+ test.Fail(nullptr, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, nullptr, nullptr);
+ test.Fail(&U32, nullptr, &COUNTER, &BEFORE, CTX, LAB, nullptr, nullptr, nullptr);
+ test.Fail(&U32, &HMAC256, nullptr, &BEFORE, CTX, LAB, nullptr, nullptr, nullptr);
+ test.Fail(&U32, &HMAC256, &COUNTER, nullptr, CTX, LAB, nullptr, nullptr, nullptr);
+ test.Fail(&U32, &HMAC256, &COUNTER, &BEFORE, nullptr, LAB, nullptr, nullptr, nullptr);
+ test.Fail(&U32, &HMAC256, &COUNTER, &BEFORE, CTX, nullptr, nullptr, nullptr, nullptr);
+
+ // conflicting parameters
+ test.Fail(&U32, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, FIX, nullptr, nullptr);
+ test.Fail(&U32, &HMAC256, &COUNTER, &BEFORE, nullptr, LAB, FIX, nullptr, nullptr);
+ test.Fail(&U32, &HMAC256, &COUNTER, &BEFORE, CTX, nullptr, FIX, nullptr, nullptr);
+ test.Fail(&U32, &HMAC256, &COUNTER, &MIDDLE, nullptr, nullptr, FIX, nullptr, nullptr);
+ test.Fail(&U32, &HMAC256, &COUNTER, &MIDDLE, nullptr, nullptr, FIX, nullptr, &U32);
+ test.Fail(&U32, &HMAC256, &COUNTER, &MIDDLE, nullptr, nullptr, FIX, nullptr, &U0);
+ test.Fail(&U32, &HMAC256, &COUNTER, &MIDDLE, nullptr, nullptr, FIX, nullptr, nullptr, true);
+
+ // invalid values
+ test.Fail(&U0, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, nullptr, nullptr);
+ test.Fail(&U1, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, nullptr, nullptr);
+ test.Fail(&U8, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, nullptr, nullptr);
+ test.Fail(&U64, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, nullptr, nullptr);
+
+ auto wrongPrf1 = static_cast<ckmc_kdf_prf_e>(0);
+ auto wrongPrf2 = static_cast<ckmc_kdf_prf_e>(4);
+ test.Fail(&U32, &wrongPrf1, &COUNTER, &BEFORE, CTX, LAB, nullptr, nullptr, nullptr);
+ test.Fail(&U32, &wrongPrf2, &COUNTER, &BEFORE, CTX, LAB, nullptr, nullptr, nullptr);
+
+ auto wrongMode1 = static_cast<ckmc_kbkdf_mode_e>(0);
+ auto wrongMode2 = static_cast<ckmc_kbkdf_mode_e>(2);
+ test.Fail(&U32, &HMAC256, &wrongMode1, &BEFORE, CTX, LAB, nullptr, nullptr, nullptr);
+ test.Fail(&U32, &HMAC256, &wrongMode2, &BEFORE, CTX, LAB, nullptr, nullptr, nullptr);
+
+ auto wrongLocation1 = static_cast<ckmc_kbkdf_counter_location_e>(0);
+ auto wrongLocation2 = static_cast<ckmc_kbkdf_counter_location_e>(4);
+ test.Fail(&U32, &HMAC256, &COUNTER, &wrongLocation1, CTX, LAB, nullptr, nullptr, nullptr);
+ test.Fail(&U32, &HMAC256, &COUNTER, &wrongLocation2, CTX, LAB, nullptr, nullptr, nullptr);
+
+ test.Fail(&U32, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, &U0, nullptr);
+ test.Fail(&U32, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, &U1, nullptr);
+ test.Fail(&U32, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, &U7, nullptr);
+ test.Fail(&U32, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, &U64, nullptr);
+
+ test.Fail(&U32, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, nullptr, &U1);
+ test.Fail(&U32, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, nullptr, &U7);
+ test.Fail(&U32, &HMAC256, &COUNTER, &BEFORE, CTX, LAB, nullptr, nullptr, &U64);
+}