Closed
Bug 342582
Opened 18 years ago
Closed 18 years ago
Test program of the softoken as a stand-alone PKCS #11 library
Categories
(NSS :: Test, enhancement, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
3.11.4
People
(Reporter: wtc, Assigned: glenbeasley)
Details
Attachments
(3 files, 7 obsolete files)
8.86 KB,
text/plain
|
Details | |
188.25 KB,
patch
|
Details | Diff | Splinter Review | |
13.90 KB,
patch
|
Details | Diff | Splinter Review |
We are considering writing a test program of the softoken as a stand-alone PKCS #11 library for FIPS 140-2 validation.
Reporter | ||
Comment 1•18 years ago
|
||
This test program doesn't use NSPR or NSS to simlate a third-party application that uses the softoken as a stand-alone PKCS #11 library. It now does the following: initialize the cert and key databases, set a password, generate a few random bytes, log in, log out, generate an AES key, use it to encrypt another plaintext AES key and import that key into the FIPS module, and use the imported AES key to encrypt a FIPS AES test case. It passed the test.
Reporter | ||
Comment 2•18 years ago
|
||
Added DSA domain parameter (PQG) generation, key pair generation, signature generation and verification. Added SHA-1 message digest.
Attachment #226864 -
Attachment is obsolete: true
Reporter | ||
Comment 3•18 years ago
|
||
This test program shows that concurrent login attempts from multiple threads are serialized and each have a one second delay after login failure. So an application can make at most 60 login attempts within one minute.
Assignee | ||
Comment 4•18 years ago
|
||
* pk11mode.c - Test FIPS or NONFIPS Modes for the NSS PKCS11 api. * The goal of this program is to test every function * entry point of the PKCS11 api at least once. * To test in FIPS mode: pk11mode * To test in NONFIPS mode: pk11mode nonFIPS * * Currently this program is Windows only. * * NSS PKCS11 API entry points still todo: * FC_DigestEncryptUpdate * FC_DecryptDigestUpdate * FC_SignEncryptUpdate * FC_DecryptVerifyUpdate * FC_DeriveKey * Notify
Attachment #227171 -
Attachment is obsolete: true
Assignee | ||
Updated•18 years ago
|
Assignee: nobody → glen.beasley
Assignee | ||
Comment 5•18 years ago
|
||
Attachment #230850 -
Attachment is obsolete: true
Assignee | ||
Comment 6•18 years ago
|
||
Attachment #234950 -
Attachment is obsolete: true
Assignee | ||
Updated•18 years ago
|
Priority: -- → P2
Assignee | ||
Comment 7•18 years ago
|
||
Reporter | ||
Comment 8•18 years ago
|
||
We need to include the NSPR headers "prenv.h" and "prprf.h", otherwise there are compiler warnings.
Attachment #237150 -
Attachment is obsolete: true
Comment 9•18 years ago
|
||
I experimented with the earlier version of the program that didn't use NSPR, but used native Windows code instead. I did this experiment with the OS_TARGET=WINNT configuration . I made a single modification to the test program : I added a Sleep(10000) statement right after the call to FreeLibrary() right before the end of main() to sleep for 10 seconds at the end of the program. Then, I tried to load the NSS 3.10 softoken . Many tests failed, starting with login. So, I #ifdef'ed them out, but I kept the LoadLibrary / C_Initialize / C_Finalize / FreeLibrary and the sleep statement . The pk11mode program crashed, trying to execute code in one of the threads that had been started by NSPR, because NSPR had been unloaded as a result of the FreeLibrary call on softoken . That is because NSPR got unloaded from memory by the OS at the time that softoken got unloaded from the program by pk11mode . With the NSS 3.11 softoken, this crashing problem doesn't currently exist, because softoken leaks freebl3.so in memory, which causes libnspr4.so to also be leaked. Fixing this leak causes the above-mentioned crash to reappear. If the pk11mode test program used NSPR, NSPR would stay resident in memory, hiding this crash. Currently, pk11mode uses native code on Windows, and NSPR on other platforms. I think it is worth having pk11mode not use NSPR so we can test that the softoken works properly in non-NSPR programs. It may be worth doing that on platforms other than just windows, since we know for example that the Solaris JDK doesn't use NSPR and loads / unloads softoken .
Comment 10•18 years ago
|
||
Note that the crash I reported in comment 9 did not occur when I tested the OS_TARGET=WIN95 version of the NSS 3.10 softoken .
Reporter | ||
Comment 11•18 years ago
|
||
Originally I wanted the test program to be completely independent of NSPR and NSS for exactly this reason. I wanted to be sure that a third-party application can use the softoken. The test program used native OS functions and the official PKCS #11 header files. I made it work on Windows. But we didn't have time to port the code to other platforms, so we use NSPR on the other platforms. Then, we decided to use NSS's PKCS #11 header files. (The official PKCS #11 headers need platform-dependent macro definitions. RSA Security only provides the macro definitions for Windows. So even the PKCS #11 headers need to be ported to non-Windows platforms.)
Assignee | ||
Comment 12•18 years ago
|
||
Attachment #237783 -
Attachment is obsolete: true
Reporter | ||
Comment 13•18 years ago
|
||
Added environment variables to make the conditional self-tests (pair-wise consistency test and continuous RNG test) fail.
Attachment #242219 -
Attachment is obsolete: true
Reporter | ||
Updated•18 years ago
|
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.11.4
You need to log in
before you can comment on or make changes to this bug.
Description
•