tests: Verify objects have appropriate validation flags

Jakuje · Jakuje · commit a88b4b579010 · 2025-08-18T18:03:22.000+02:00
Signed-off-by: Jakub Jelen &lt;jjelen@redhat.com&gt;
diff --git a/src/tests/aes.rs b/src/tests/aes.rs
@@ -50,6 +50,8 @@ fn test_aes_operations() {
             (CKA_UNWRAP, true),
         ],
     ));
+    assert_eq!(check_validation(session, 1), true);
+    assert_eq!(check_object_validation(session, handle, 1), true);
 
     {
         /* AES ECB */
@@ -690,6 +692,7 @@ fn test_aes_operations() {
                 Ok(k) => k,
                 Err(e) => panic!("{}", e),
             };
+        assert_eq!(check_object_validation(session, key_handle, 1), true);
 
         let ciphertext = hex::decode("4154c0be71072945d8156f5f046d198d")
             .expect("Failed to decode ciphertext");
@@ -718,6 +721,8 @@ fn test_aes_operations() {
                 Ok(k) => k,
                 Err(e) => panic!("{}", e),
             };
+        assert_eq!(check_object_validation(session, key_handle, 1), true);
+
         let iv = hex::decode("1dbbeb2f19abb448af849796244a19d7")
             .expect("Failed to decode IV");
         let plaintext = hex::decode(
@@ -759,6 +764,8 @@ fn test_aes_operations() {
                 Ok(k) => k,
                 Err(e) => panic!("{}", e),
             };
+        assert_eq!(check_object_validation(session, key_handle, 1), true);
+
         let (iv, aad, tag, ct, plaintext) = get_gcm_test_data();
 
         let param = CK_GCM_PARAMS {
@@ -795,6 +802,8 @@ fn test_aes_operations() {
                 Ok(k) => k,
                 Err(e) => panic!("{}", e),
             };
+        assert_eq!(check_object_validation(session, key_handle, 1), true);
+
         let iv = hex::decode("0007bdfd5cbd60278dcc091200000001")
             .expect("failed to decode iv");
         let plaintext = hex::decode(
@@ -911,6 +920,7 @@ fn test_aes_operations() {
             &mut wp_handle2,
         );
         assert_eq!(ret, CKR_OK);
+        assert_eq!(check_object_validation(session, wp_handle2, 1), true);
 
         let mut value = [0u8; AES_BLOCK_SIZE];
         let mut extract_template = make_ptrs_template(&[(
@@ -1033,6 +1043,7 @@ fn test_aes_operations() {
                 Ok(k) => k,
                 Err(e) => panic!("{}", e),
             };
+        assert_eq!(check_object_validation(session, key_handle, 1), true);
         let (iv, aad, tag, ct, plaintext) = get_gcm_test_data();
 
         let ret = fn_message_decrypt_init(session, &mut mechanism, key_handle);
@@ -1272,6 +1283,7 @@ fn test_aes_macs() {
         &[],
         &[(CKA_SIGN, true), (CKA_VERIFY, true),],
     ));
+    assert_eq!(check_object_validation(session, handle, 1), true);
 
     #[cfg(not(feature = "fips"))]
     {
diff --git a/src/tests/keys.rs b/src/tests/keys.rs
@@ -447,6 +447,15 @@ fn test_ec_keys() {
                 (CKA_EXTRACTABLE, true),
             ],
         ));
+        assert_eq!(check_validation(session, t.fips_indicator), true);
+        assert_eq!(
+            check_object_validation(session, pubkey, t.fips_indicator),
+            true
+        );
+        assert_eq!(
+            check_object_validation(session, prikey, t.fips_indicator),
+            true
+        );
 
         if t.op_flags.1 == CKA_SIGN {
             let sig = ret_or_panic!(sig_gen(
@@ -526,6 +535,10 @@ fn test_ec_keys() {
         assert_eq!(ret, CKR_OK);
 
         assert_eq!(check_validation(session, t.fips_indicator), true);
+        assert_eq!(
+            check_object_validation(session, prikey2, t.fips_indicator),
+            true
+        );
 
         if t.op_flags.1 == CKA_SIGN {
             /* Test the unwrapped key can be used */
diff --git a/src/tests/rsa.rs b/src/tests/rsa.rs
@@ -392,6 +392,8 @@ fn test_rsa_operations() {
     ));
 
     assert_eq!(check_validation(session, 1), true);
+    assert_eq!(check_object_validation(session, hpri, 1), true);
+    assert_eq!(check_object_validation(session, hpub, 1), true);
 
     let label = "Public Key test 1";
     let mut template = make_ptrs_template(&[(
@@ -583,6 +585,8 @@ fn test_rsa_mechs() {
     ));
 
     assert_eq!(check_validation(session, 1), true);
+    assert_eq!(check_object_validation(session, pubkey, 1), true);
+    assert_eq!(check_object_validation(session, prikey, 1), true);
 
     /* Classic PKCS 1.5 */
     for mech in [
diff --git a/src/tests/simplekdf.rs b/src/tests/simplekdf.rs
@@ -67,6 +67,7 @@ fn test_concatenate_kdf() {
     );
     assert_eq!(ret, CKR_OK);
     assert_eq!(check_validation(session, 0), true);
+    assert_eq!(check_object_validation(session, dk_handle, 0), true);
 
     let exp_value = hex::decode("0123456789abcdef").unwrap();
     let value = ret_or_panic!(extract_key_value(session, dk_handle));
@@ -96,6 +97,7 @@ fn test_concatenate_kdf() {
     );
     assert_eq!(ret, CKR_OK);
     assert_eq!(check_validation(session, 0), true);
+    assert_eq!(check_object_validation(session, dk_handle, 0), true);
 
     let exp_value = hex::decode("0123456789abcdef").unwrap();
     let value = ret_or_panic!(extract_key_value(session, dk_handle));
@@ -125,6 +127,7 @@ fn test_concatenate_kdf() {
     );
     assert_eq!(ret, CKR_OK);
     assert_eq!(check_validation(session, 0), true);
+    assert_eq!(check_object_validation(session, dk_handle, 0), true);
 
     let exp_value = hex::decode("89abcdef01234567").unwrap();
     let value = ret_or_panic!(extract_key_value(session, dk_handle));
@@ -154,6 +157,7 @@ fn test_concatenate_kdf() {
     );
     assert_eq!(ret, CKR_OK);
     assert_eq!(check_validation(session, 0), true);
+    assert_eq!(check_object_validation(session, dk_handle, 0), true);
 
     let exp_value = hex::decode("88888888").unwrap();
     let value = ret_or_panic!(extract_key_value(session, dk_handle));
@@ -229,6 +233,7 @@ fn test_concatenate_kdf_fips() {
     let value = ret_or_panic!(extract_key_value(session, dk_handle));
     assert_eq!(value, exp_value);
     assert_eq!(check_validation(session, 1), true);
+    assert_eq!(check_object_validation(session, dk_handle, 1), true);
 
     // Concatenate base and data
     let data = hex::decode("0e0f").unwrap();
@@ -254,6 +259,7 @@ fn test_concatenate_kdf_fips() {
     );
     assert_eq!(ret, CKR_OK);
     assert_eq!(check_validation(session, 1), true);
+    assert_eq!(check_object_validation(session, dk_handle, 1), true);
 
     let exp_value = hex::decode("000102030405060708090a0b0c0d0e0f").unwrap();
     let value = ret_or_panic!(extract_key_value(session, dk_handle));
@@ -283,6 +289,7 @@ fn test_concatenate_kdf_fips() {
     );
     assert_eq!(ret, CKR_OK);
     assert_eq!(check_validation(session, 1), true);
+    assert_eq!(check_object_validation(session, dk_handle, 1), true);
 
     let exp_value = hex::decode("0e0f000102030405060708090a0b0c0d").unwrap();
     let value = ret_or_panic!(extract_key_value(session, dk_handle));
@@ -312,6 +319,7 @@ fn test_concatenate_kdf_fips() {
     );
     assert_eq!(ret, CKR_OK);
     assert_eq!(check_validation(session, 1), true);
+    assert_eq!(check_object_validation(session, dk_handle, 1), true);
 
     let exp_value = hex::decode("00112233445566778899aabbccdd").unwrap();
     let value = ret_or_panic!(extract_key_value(session, dk_handle));
@@ -361,6 +369,7 @@ fn test_concatenate_kdf_fips() {
     let value = ret_or_panic!(extract_key_value(session, dk_handle));
     assert_eq!(value, exp_value);
     assert_eq!(check_validation(session, 0), true);
+    assert_eq!(check_object_validation(session, dk_handle, 0), true);
 
     testtokn.finalize();
 }
diff --git a/src/tests/tls.rs b/src/tests/tls.rs
@@ -474,6 +474,8 @@ fn test_tls_mechanisms() {
             (CKA_DERIVE, true),
         ],
     ));
+    assert_eq!(check_validation(session, 1), true);
+    assert_eq!(check_object_validation(session, handle, 1), true);
 
     let params = CK_TLS_MAC_PARAMS {
         prfHashMechanism: CKM_SHA256,
@@ -566,6 +568,7 @@ fn test_tls_mechanisms() {
     );
     assert_eq!(ret, CKR_OK);
     assert_eq!(check_validation(session, 1), true);
+    assert_eq!(check_object_validation(session, handle, 1), true);
 
     /* Try again with non-FIPS-approved hash */
     let params = CK_TLS12_KEY_MAT_PARAMS {
@@ -588,13 +591,14 @@ fn test_tls_mechanisms() {
         pParameter: void_ptr!(&params),
         ulParameterLen: paramslen,
     };
+    let mut dk_handle = CK_INVALID_HANDLE;
     let ret = fn_derive_key(
         session,
         &derive_mech as *const _ as CK_MECHANISM_PTR,
         handle,
         derive_template.as_ptr() as *mut _,
         derive_template.len() as CK_ULONG,
-        std::ptr::null_mut(),
+        &mut dk_handle,
     );
     assert_eq!(ret, CKR_OK);
     assert_eq!(check_validation(session, 0), true);
@@ -639,6 +643,7 @@ fn test_tls_mechanisms() {
     );
     assert_eq!(ret, CKR_OK);
     assert_eq!(check_validation(session, 0), true);
+    assert_eq!(check_object_validation(session, dk_handle, 0), true);
 
     /* The End */
     testtokn.finalize();
@@ -666,6 +671,8 @@ fn test_tls_ems_mechanisms() {
             (CKA_DERIVE, true),
         ],
     ));
+    assert_eq!(check_validation(session, 1), true);
+    assert_eq!(check_object_validation(session, handle, 1), true);
 
     /* test CKM_TLS12_EXTENDED_MASTER_KEY_DERIVE */
     let hash = hex::decode("9bbe436ba940f017b17652849a71db35").unwrap();
@@ -704,6 +711,7 @@ fn test_tls_ems_mechanisms() {
     );
     assert_eq!(ret, CKR_OK);
     assert_eq!(check_validation(session, 1), true);
+    assert_eq!(check_object_validation(session, dk_handle, 1), true);
 
     /* Try again with non-FIPS-approved hash */
     let params = CK_TLS12_EXTENDED_MASTER_KEY_DERIVE_PARAMS {
@@ -728,6 +736,7 @@ fn test_tls_ems_mechanisms() {
     );
     assert_eq!(ret, CKR_OK);
     assert_eq!(check_validation(session, 0), true);
+    assert_eq!(check_object_validation(session, dk_handle, 0), true);
 
     /* ensure Version fields were filled */
     //assert_not_eq!(version.major.as_slice(), 0);
@@ -756,6 +765,7 @@ fn test_tls_ems_mechanisms() {
     );
     assert_eq!(ret, CKR_OK);
     assert_eq!(check_validation(session, 1), true);
+    assert_eq!(check_object_validation(session, handle, 1), true);
 
     /* ensure Version fields were filled */
     //assert_not_eq!(version.major.as_slice(), 0);
diff --git a/src/tests/util.rs b/src/tests/util.rs
@@ -622,3 +622,32 @@ pub fn check_validation(session: CK_SESSION_HANDLE, expect: CK_FLAGS) -> bool {
 pub fn check_validation(_: CK_SESSION_HANDLE, _: CK_FLAGS) -> bool {
     return true;
 }
+
+#[cfg(feature = "fips")]
+pub fn check_object_validation(
+    session: CK_SESSION_HANDLE,
+    handle: CK_OBJECT_HANDLE,
+    expect: CK_FLAGS,
+) -> bool {
+    #[allow(unused_mut)]
+    let mut flag: CK_ULONG = 0;
+    let mut template = make_ptrs_template(&[(
+        CKA_OBJECT_VALIDATION_FLAGS,
+        void_ptr!(std::ptr::addr_of!(flag)),
+        std::mem::size_of::<CK_ULONG>(),
+    )]);
+    let ret = fn_get_attribute_value(session, handle, template.as_mut_ptr(), 1);
+    if ret != CKR_OK {
+        return false;
+    }
+    return flag == expect;
+}
+
+#[cfg(not(feature = "fips"))]
+pub fn check_object_validation(
+    _: CK_SESSION_HANDLE,
+    _: CK_OBJECT_HANDLE,
+    _: CK_FLAGS,
+) -> bool {
+    return true;
+}
diff --git a/testdata/test_aes_operations.json b/testdata/test_aes_operations.json
@@ -11,6 +11,7 @@
         "CKA_PRIVATE": true,
         "CKA_SENSITIVE": true,
         "CKA_VALUE": "LBRBN1HDHicwVwujNhx4aw==",
+        "CKA_VALUE_LEN": 16,
         "CKA_TOKEN": true
     }
 }, {
@@ -26,6 +27,7 @@
         "CKA_PRIVATE": true,
         "CKA_SENSITIVE": true,
         "CKA_VALUE": "qB/WylZoPQ9URWWd3k2ZXcZfS84giWMFPijX8t9RfOQ=",
+        "CKA_VALUE_LEN": 32,
         "CKA_TOKEN": true
     }
 }, {
@@ -41,6 +43,7 @@
         "CKA_PRIVATE": true,
         "CKA_SENSITIVE": true,
         "CKA_VALUE": "Zg63bz2LbsVOAbijYmMSSw==",
+        "CKA_VALUE_LEN": 16,
         "CKA_TOKEN": true
     }
 }, {
@@ -56,6 +59,7 @@
         "CKA_PRIVATE": true,
         "CKA_SENSITIVE": true,
         "CKA_VALUE": "Ar85HujssVm5WWF7CWUnm/WbYKeG0+D+",
+        "CKA_VALUE_LEN": 24,
         "CKA_TOKEN": true
     }
 }]}
