Closed Bug 342582 Opened 18 years ago Closed 18 years ago

Test program of the softoken as a stand-alone PKCS #11 library

Categories

(NSS :: Test, enhancement, P2)

Product:
NSS
Component:
Test
Version:
3.11
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
3.11.4

People

(Reporter: wtc, Assigned: glenbeasley)

Details

Attachments

(3 files, 7 obsolete files)

login.c: test program for concurrent login attempts within one minute
8.86 KB, text/plain
Details
work in progess v5
188.25 KB, patch
Details | Diff | Splinter Review
patch to create Broken Builds v4 (never to be checked in)
13.90 KB, patch
Details | Diff | Splinter Review 
We are considering writing a test program of the softoken
as a stand-alone PKCS #11 library for FIPS 140-2 validation.
Attached file Work in progress (obsolete) — 
This test program doesn't use NSPR or NSS to
simlate a third-party application that uses
the softoken as a stand-alone PKCS #11 library.

It now does the following:
initialize the cert and key databases,
set a password,
generate a few random bytes,
log in,
log out,
generate an AES key,
use it to encrypt another plaintext AES key and import that
key into the FIPS module, and
use the imported AES key to encrypt a FIPS AES test case.

It passed the test.
Attached file Work in progress v2 (obsolete) — 
Added DSA domain parameter (PQG) generation, key
pair generation, signature generation and verification.

Added SHA-1 message digest.
Attachment #226864 - Attachment is obsolete: true
This test program shows that concurrent login attempts
from multiple threads are serialized and each have a
one second delay after login failure.  So an application
can make at most 60 login attempts within one minute.
Attached patch Work in Progress V3 (obsolete) — Splinter Review 
* pk11mode.c - Test FIPS or NONFIPS Modes for the NSS PKCS11 api.
 *              The goal of this program is to test every function
 *              entry point of the PKCS11 api at least once.
 *              To test in FIPS mode: pk11mode
 *              To test in NONFIPS mode: pk11mode nonFIPS
 *
 * Currently this program is Windows only.
 *
 * NSS PKCS11 API entry points still todo:
 * FC_DigestEncryptUpdate
 * FC_DecryptDigestUpdate
 * FC_SignEncryptUpdate
 * FC_DecryptVerifyUpdate
 * FC_DeriveKey
 * Notify
Attachment #227171 - Attachment is obsolete: true
Assignee: nobody → glen.beasley
Attached patch work in progress v4 (obsolete) — Splinter Review 

        Attachment #230850 -
        Attachment is obsolete: true

    
    

    
  


  

        Attachment #234950 -
        Attachment is obsolete: true

    
  
Priority: -- → P2

    
    

    
  


  
We need to include the NSPR headers "prenv.h" and "prprf.h",
otherwise there are compiler warnings.

        Attachment #237150 -
        Attachment is obsolete: true

    
    

    
  
I experimented with the earlier version of the program that didn't use NSPR, but used native Windows code instead. I did this experiment with the OS_TARGET=WINNT configuration .

I made a single modification to the test program :
I added a Sleep(10000) statement right after the call to FreeLibrary() right before the end of main() to sleep for 10 seconds at the end of the program.

Then, I tried to load the NSS 3.10 softoken . Many tests failed, starting with login. So, I #ifdef'ed them out, but I kept the LoadLibrary / C_Initialize / C_Finalize / FreeLibrary and the sleep statement .

The pk11mode program crashed, trying to execute code in one of the threads that had been started by NSPR, because NSPR had been unloaded as a result of the FreeLibrary call on softoken . That is because NSPR got unloaded from memory by the OS at the time that softoken got unloaded from the program by pk11mode .

With the NSS 3.11 softoken, this crashing problem doesn't currently exist, because softoken leaks freebl3.so in memory, which causes libnspr4.so to also be leaked. Fixing this leak causes the above-mentioned crash to reappear.

If the pk11mode test program used NSPR, NSPR would stay resident in memory, hiding this crash. Currently, pk11mode uses native code on Windows, and NSPR on other platforms. I think it is worth having pk11mode not use NSPR so we can test that the softoken works properly in non-NSPR programs. It may be worth doing that on platforms other than just windows, since we know for example that the Solaris JDK doesn't use NSPR and loads / unloads softoken .


    
    

    
  
Note that the crash I reported in comment 9 did not occur when I tested the OS_TARGET=WIN95 version of the NSS 3.10 softoken .


    
    

    
  
Originally I wanted the test program to be completely
independent of NSPR and NSS for exactly this reason.
I wanted to be sure that a third-party application can
use the softoken.  The test program used native OS functions
and the official PKCS #11 header files.  I made it work
on Windows.  But we didn't have time to port the code to
other platforms, so we use NSPR on the other platforms.
Then, we decided to use NSS's PKCS #11 header files.
(The official PKCS #11 headers need platform-dependent
macro definitions.  RSA Security only provides the
macro definitions for Windows.  So even the PKCS #11
headers need to be ported to non-Windows platforms.)

    
    

    
  


  

        Attachment #237783 -
        Attachment is obsolete: true

    
    

    
  


  
Added environment variables to make the conditional self-tests
(pair-wise consistency test and continuous RNG test) fail.

        Attachment #242219 -
        Attachment is obsolete: true

    
  
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.11.4

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: