Bug 1303986 - don't do sign/verify test on x25519 keys, r=mt
--HG--
extra : rebase_source : 5b0b96e41c0b12a7352925bb5c9391940abb0cb8
extra : amend_source : 52a4f5ee64d8891055698f6081a7b70462d19e90
extra : histedit_source : 75c5403775f2d6067a7a4e171a0dbf96ad5c53c9
franziskuskiefer committed Sep 20, 2016
1 parent e00452f commit cbc21a9
Showing 2 changed files with 41 additions and 2 deletions.
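--- a/lib/softoken/pkcs11c.c
+++ b/lib/softoken/pkcs11c.c
@@ -4543,6 +4543,14 @@ sftk_PairwiseConsistencyCheck(CK_SESSION_HANDLE hSession,
 /**********************************************/
 
 canSignVerify = sftk_isTrue(privateKey, CKA_SIGN);
+/* Unfortunately CKA_SIGN is always true in lg dbs. We have to check the
+* actual curve to determine if we can do sign/verify. */
+if (canSignVerify && keyType == CKK_EC) {
+NSSLOWKEYPrivateKey *privKey = sftk_GetPrivKey(privateKey, CKK_EC, &crv);
+if (privKey && privKey->u.ec.ecParams.name == ECCurve25519) {
+canSignVerify = PR_FALSE;
+}
+}
 
 if (canSignVerify) {
 /* Determine length of signature. */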
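Review bot: When `sftk_GetPrivKey` returns NULL in the added block, the status written to `crv` is never examined and `canSignVerify` stays true, so the function goes on into the sign/verify test with a key it could not load. Handling that case where it happens would surface the lookup failure at its source, for example `if (!privKey) return crv;` before the curve comparison, assuming `crv` is set on failure, which this hunk does not show. The comment could also state that a Curve25519 key now skips the sign/verify part of the pairwise check entirely, so a reader can tell whether another part of the function still exercises such keys. The body of sftk_PairwiseConsistencyCheck starts and ends outside the hunk.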
35 changes: 33 additions & 2 deletions tests/ec/ectest.sh
Expand Up @@ -39,13 +39,44 @@ ectest_cleanup()
. common/cleanup.sh
}

ectest_genkeydb_test()
{
certutil -N -d "${HOSTDIR}" -f "${R_PWFILE}" 2>&1
if [ $? -ne 0 ]; then
return $?
fi
curves=( \
"curve25519" \
"secp256r1" \
"secp384r1" \
"secp521r1" \
)
for curve in "${curves[@]}"; do
echo "Test $curve key generation using certutil ..."
certutil -G -d "${HOSTDIR}" -k ec -q $curve -f "${R_PWFILE}" -z ${NOISE_FILE}
if [ $? -ne 0 ]; then
html_failed "ec test certutil keygen - $curve"
else
html_passed "ec test certutil keygen - $curve"
fi
done
echo "Test sect571r1 key generation using certutil that should fail because it's not implemented ..."
certutil -G -d "${HOSTDIR}" -k ec -q sect571r1 -f "${R_PWFILE}" -z ${NOISE_FILE}
if [ $? -eq 0 ]; then
html_failed "ec test certutil keygen - $curve"
else
html_passed "ec test certutil keygen - $curve"
fi
}

ectest_init
ectest_genkeydb_test
ECTEST_OUT=$(ectest -f -p -n -d 2>&1)
ECTEST_OUT=`echo $ECTEST_OUT | grep -i 'not okay\|Assertion failure'`
# TODO: expose individual tests and failures instead of overall
if [ -n "$ECTEST_OUT" ] ; then
html_failed "ec(test) test"
html_failed "ec freebl and pk11 test"
else
html_passed "ec(test) test"
html_passed "ec freebl and pk11 test"
fi
ectest_cleanup
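Review bot: The guard after `certutil -N` in ectest_genkeydb_test cannot report a failure, because by the time `return $?` runs, `$?` holds the exit status of the `[ $? -ne 0 ]` test itself, which is 0. A failed database creation therefore returns success; capture the status first, e.g. `rc=$?` and then `if [ $rc -ne 0 ]; then return $rc; fi`. The top-level call `ectest_genkeydb_test` ignores the return value, so an `html_failed` line on that path would be needed for the failure to appear in the results. The sect571r1 check after the loop reports under `$curve`, which still holds the last loop value (`secp521r1`), so both `html_` lines should use the literal `sect571r1`. That check also treats any non-zero exit as the expected rejection, so an unrelated certutil failure would be recorded as a pass.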
