Skip to content

Commit 98517c9

Browse files
FrauschiFrauschi
committed
Add more test coverage for ML-KEM and ML-DSA
* C_CopyObject: ML-DSA * pkcs11str: ML-KEM & ML-DSA * pkcs11mtt: ML-KEM & ML-DSA As more concurrent sessions are required in the multi-threaded tests due to the additional ML-KEM and ML-DSA tests, the default WP11_SESSION_CNT_MAX values has been increased from 70 to 80. However, a user can override that value anytime in case that causes too high resource usage.
1 parent 58682a2 commit 98517c9

4 files changed

Lines changed: 618 additions & 3 deletions

File tree

tests/pkcs11mtt.c

Lines changed: 277 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -65,7 +65,8 @@ static int soPinLen = 14;
6565
static byte* userPin = (byte*)"wolfpkcs11-test";
6666
static int userPinLen;
6767

68-
#if !defined(NO_RSA) || defined(HAVE_ECC) || !defined(NO_DH)
68+
#if !defined(NO_RSA) || defined(HAVE_ECC) || !defined(NO_DH) || \
69+
defined(WOLFPKCS11_MLDSA) || defined(WOLFPKCS11_MLKEM)
6970
static CK_OBJECT_CLASS pubKeyClass = CKO_PUBLIC_KEY;
7071
#endif
7172
static CK_OBJECT_CLASS privKeyClass = CKO_PRIVATE_KEY;
@@ -89,6 +90,12 @@ static CK_KEY_TYPE dhKeyType = CKK_DH;
8990
static CK_KEY_TYPE aesKeyType = CKK_AES;
9091
#endif
9192
static CK_KEY_TYPE genericKeyType = CKK_GENERIC_SECRET;
93+
#ifdef WOLFPKCS11_MLDSA
94+
static CK_KEY_TYPE mldsaKeyType = CKK_ML_DSA;
95+
#endif
96+
#ifdef WOLFPKCS11_MLKEM
97+
static CK_KEY_TYPE mlkemKeyType = CKK_ML_KEM;
98+
#endif
9299

93100

94101
static CK_RV test_session(void* args)
@@ -6407,6 +6414,269 @@ static CK_RV test_hmac_sha512_fail(void* args)
64076414
#endif
64086415
#endif
64096416

6417+
#ifdef WOLFPKCS11_MLDSA
6418+
static CK_RV gen_mldsa_keys(CK_SESSION_HANDLE session,
6419+
CK_ML_DSA_PARAMETER_SET_TYPE paramSet,
6420+
CK_OBJECT_HANDLE* pubKey,
6421+
CK_OBJECT_HANDLE* privKey,
6422+
unsigned char* privId, int privIdLen,
6423+
unsigned char* pubId, int pubIdLen, int onToken)
6424+
{
6425+
CK_RV ret = CKR_OK;
6426+
CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
6427+
CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
6428+
CK_MECHANISM mech;
6429+
CK_BBOOL token = (CK_BBOOL)onToken;
6430+
CK_ATTRIBUTE pubKeyTmpl[] = {
6431+
{ CKA_PARAMETER_SET, &paramSet, sizeof(paramSet) },
6432+
{ CKA_VERIFY, &ckTrue, sizeof(ckTrue) },
6433+
{ CKA_TOKEN, &token, sizeof(token) },
6434+
{ CKA_ID, pubId, pubIdLen },
6435+
};
6436+
int pubTmplCnt = sizeof(pubKeyTmpl) / sizeof(*pubKeyTmpl);
6437+
CK_ATTRIBUTE privKeyTmpl[] = {
6438+
{ CKA_SIGN, &ckTrue, sizeof(ckTrue) },
6439+
{ CKA_TOKEN, &token, sizeof(token) },
6440+
{ CKA_ID, privId, privIdLen },
6441+
};
6442+
int privTmplCnt = sizeof(privKeyTmpl) / sizeof(*privKeyTmpl);
6443+
6444+
if (pubId == NULL)
6445+
pubTmplCnt--;
6446+
if (privId == NULL)
6447+
privTmplCnt--;
6448+
6449+
mech.mechanism = CKM_ML_DSA_KEY_PAIR_GEN;
6450+
mech.pParameter = NULL;
6451+
mech.ulParameterLen = 0;
6452+
6453+
ret = funcList->C_GenerateKeyPair(session, &mech, pubKeyTmpl, pubTmplCnt,
6454+
privKeyTmpl, privTmplCnt, &pub, &priv);
6455+
CHECK_CKR(ret, "ML-DSA Key Generation");
6456+
if (ret == CKR_OK && pubKey != NULL)
6457+
*pubKey = pub;
6458+
if (ret == CKR_OK && privKey != NULL)
6459+
*privKey = priv;
6460+
6461+
return ret;
6462+
}
6463+
6464+
static CK_RV find_mldsa_priv_key(CK_SESSION_HANDLE session,
6465+
CK_OBJECT_HANDLE* key, unsigned char* id, int idLen)
6466+
{
6467+
CK_RV ret;
6468+
CK_ATTRIBUTE tmpl[] = {
6469+
{ CKA_CLASS, &privKeyClass, sizeof(privKeyClass) },
6470+
{ CKA_KEY_TYPE, &mldsaKeyType, sizeof(mldsaKeyType) },
6471+
{ CKA_ID, id, idLen },
6472+
};
6473+
CK_ULONG count;
6474+
6475+
ret = funcList->C_FindObjectsInit(session, tmpl,
6476+
sizeof(tmpl) / sizeof(*tmpl));
6477+
CHECK_CKR(ret, "ML-DSA Find Priv Objects Init");
6478+
if (ret == CKR_OK) {
6479+
ret = funcList->C_FindObjects(session, key, 1, &count);
6480+
CHECK_CKR(ret, "ML-DSA Find Priv Objects");
6481+
}
6482+
if (ret == CKR_OK) {
6483+
ret = funcList->C_FindObjectsFinal(session);
6484+
CHECK_CKR(ret, "ML-DSA Find Priv Objects Final");
6485+
}
6486+
if (ret == CKR_OK && count == 0) {
6487+
ret = -1;
6488+
CHECK_CKR(ret, "ML-DSA Find Priv Objects Count");
6489+
}
6490+
6491+
return ret;
6492+
}
6493+
6494+
static CK_RV mldsa_sign_verify(CK_SESSION_HANDLE session,
6495+
CK_OBJECT_HANDLE privKey, CK_OBJECT_HANDLE pubKey)
6496+
{
6497+
CK_RV ret;
6498+
CK_MECHANISM mech;
6499+
CK_SIGN_ADDITIONAL_CONTEXT signCtx;
6500+
byte data[64];
6501+
byte sig[4672]; /* ML-DSA-44 max sig size */
6502+
CK_ULONG sigSz;
6503+
6504+
XMEMSET(data, 0x5A, sizeof(data));
6505+
XMEMSET(&signCtx, 0, sizeof(signCtx));
6506+
signCtx.hedgeVariant = CKH_HEDGE_REQUIRED;
6507+
signCtx.pContext = NULL;
6508+
signCtx.ulContextLen = 0;
6509+
6510+
mech.mechanism = CKM_ML_DSA;
6511+
mech.pParameter = &signCtx;
6512+
mech.ulParameterLen = sizeof(signCtx);
6513+
6514+
ret = funcList->C_SignInit(session, &mech, privKey);
6515+
CHECK_CKR(ret, "ML-DSA Sign Init");
6516+
if (ret == CKR_OK) {
6517+
sigSz = sizeof(sig);
6518+
ret = funcList->C_Sign(session, data, sizeof(data), sig, &sigSz);
6519+
CHECK_CKR(ret, "ML-DSA Sign");
6520+
}
6521+
if (ret == CKR_OK) {
6522+
ret = funcList->C_VerifyInit(session, &mech, pubKey);
6523+
CHECK_CKR(ret, "ML-DSA Verify Init");
6524+
}
6525+
if (ret == CKR_OK) {
6526+
ret = funcList->C_Verify(session, data, sizeof(data), sig, sigSz);
6527+
CHECK_CKR(ret, "ML-DSA Verify");
6528+
}
6529+
6530+
return ret;
6531+
}
6532+
6533+
static CK_RV test_mldsa_gen_keys(void* args)
6534+
{
6535+
CK_SESSION_HANDLE session = *(CK_SESSION_HANDLE*)args;
6536+
CK_RV ret;
6537+
CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
6538+
CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
6539+
unsigned char* privId = (unsigned char*)"123mldsamttpriv";
6540+
int privIdLen = (int)strlen((char*)privId);
6541+
6542+
/* Generate and sign/verify */
6543+
ret = gen_mldsa_keys(session, CKP_ML_DSA_44, &pub, &priv, NULL, 0,
6544+
NULL, 0, 0);
6545+
if (ret == CKR_OK)
6546+
ret = mldsa_sign_verify(session, priv, pub);
6547+
6548+
funcList->C_DestroyObject(session, pub);
6549+
funcList->C_DestroyObject(session, priv);
6550+
pub = CK_INVALID_HANDLE;
6551+
priv = CK_INVALID_HANDLE;
6552+
6553+
/* Generate with ID and find */
6554+
if (ret == CKR_OK) {
6555+
ret = gen_mldsa_keys(session, CKP_ML_DSA_44, &pub, NULL, privId,
6556+
privIdLen, NULL, 0, 0);
6557+
}
6558+
if (ret == CKR_OK)
6559+
ret = find_mldsa_priv_key(session, &priv, privId, privIdLen);
6560+
if (ret == CKR_OK)
6561+
ret = mldsa_sign_verify(session, priv, pub);
6562+
6563+
funcList->C_DestroyObject(session, pub);
6564+
funcList->C_DestroyObject(session, priv);
6565+
6566+
return ret;
6567+
}
6568+
#endif /* WOLFPKCS11_MLDSA */
6569+
6570+
#ifdef WOLFPKCS11_MLKEM
6571+
static CK_RV gen_mlkem_keys(CK_SESSION_HANDLE session,
6572+
CK_ML_KEM_PARAMETER_SET_TYPE paramSet,
6573+
CK_OBJECT_HANDLE* pubKey,
6574+
CK_OBJECT_HANDLE* privKey,
6575+
unsigned char* privId, int privIdLen,
6576+
unsigned char* pubId, int pubIdLen, int onToken)
6577+
{
6578+
CK_RV ret = CKR_OK;
6579+
CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
6580+
CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
6581+
CK_MECHANISM mech;
6582+
CK_BBOOL token = (CK_BBOOL)onToken;
6583+
CK_ATTRIBUTE pubKeyTmpl[] = {
6584+
{ CKA_PARAMETER_SET, &paramSet, sizeof(paramSet) },
6585+
{ CKA_ENCAPSULATE, &ckTrue, sizeof(ckTrue) },
6586+
{ CKA_TOKEN, &token, sizeof(token) },
6587+
{ CKA_ID, pubId, pubIdLen },
6588+
};
6589+
int pubTmplCnt = sizeof(pubKeyTmpl) / sizeof(*pubKeyTmpl);
6590+
CK_ATTRIBUTE privKeyTmpl[] = {
6591+
{ CKA_DECAPSULATE, &ckTrue, sizeof(ckTrue) },
6592+
{ CKA_TOKEN, &token, sizeof(token) },
6593+
{ CKA_ID, privId, privIdLen },
6594+
};
6595+
int privTmplCnt = sizeof(privKeyTmpl) / sizeof(*privKeyTmpl);
6596+
6597+
if (pubId == NULL)
6598+
pubTmplCnt--;
6599+
if (privId == NULL)
6600+
privTmplCnt--;
6601+
6602+
mech.mechanism = CKM_ML_KEM_KEY_PAIR_GEN;
6603+
mech.pParameter = NULL;
6604+
mech.ulParameterLen = 0;
6605+
6606+
ret = funcList->C_GenerateKeyPair(session, &mech, pubKeyTmpl, pubTmplCnt,
6607+
privKeyTmpl, privTmplCnt, &pub, &priv);
6608+
CHECK_CKR(ret, "ML-KEM Key Generation");
6609+
if (ret == CKR_OK && pubKey != NULL)
6610+
*pubKey = pub;
6611+
if (ret == CKR_OK && privKey != NULL)
6612+
*privKey = priv;
6613+
6614+
return ret;
6615+
}
6616+
6617+
static CK_RV find_mlkem_priv_key(CK_SESSION_HANDLE session,
6618+
CK_OBJECT_HANDLE* key, unsigned char* id, int idLen)
6619+
{
6620+
CK_RV ret;
6621+
CK_ATTRIBUTE tmpl[] = {
6622+
{ CKA_CLASS, &privKeyClass, sizeof(privKeyClass) },
6623+
{ CKA_KEY_TYPE, &mlkemKeyType, sizeof(mlkemKeyType) },
6624+
{ CKA_ID, id, idLen },
6625+
};
6626+
CK_ULONG count;
6627+
6628+
ret = funcList->C_FindObjectsInit(session, tmpl,
6629+
sizeof(tmpl) / sizeof(*tmpl));
6630+
CHECK_CKR(ret, "ML-KEM Find Priv Objects Init");
6631+
if (ret == CKR_OK) {
6632+
ret = funcList->C_FindObjects(session, key, 1, &count);
6633+
CHECK_CKR(ret, "ML-KEM Find Priv Objects");
6634+
}
6635+
if (ret == CKR_OK) {
6636+
ret = funcList->C_FindObjectsFinal(session);
6637+
CHECK_CKR(ret, "ML-KEM Find Priv Objects Final");
6638+
}
6639+
if (ret == CKR_OK && count == 0) {
6640+
ret = -1;
6641+
CHECK_CKR(ret, "ML-KEM Find Priv Objects Count");
6642+
}
6643+
6644+
return ret;
6645+
}
6646+
6647+
static CK_RV test_mlkem_gen_keys(void* args)
6648+
{
6649+
CK_SESSION_HANDLE session = *(CK_SESSION_HANDLE*)args;
6650+
CK_RV ret;
6651+
CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
6652+
CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
6653+
unsigned char* privId = (unsigned char*)"123mlkemmttpriv";
6654+
int privIdLen = (int)strlen((char*)privId);
6655+
6656+
/* Generate key pair */
6657+
ret = gen_mlkem_keys(session, CKP_ML_KEM_512, &pub, &priv, NULL, 0,
6658+
NULL, 0, 0);
6659+
6660+
funcList->C_DestroyObject(session, pub);
6661+
funcList->C_DestroyObject(session, priv);
6662+
pub = CK_INVALID_HANDLE;
6663+
priv = CK_INVALID_HANDLE;
6664+
6665+
/* Generate with ID and find */
6666+
if (ret == CKR_OK) {
6667+
ret = gen_mlkem_keys(session, CKP_ML_KEM_512, &pub, NULL, privId,
6668+
privIdLen, NULL, 0, 0);
6669+
}
6670+
if (ret == CKR_OK)
6671+
ret = find_mlkem_priv_key(session, &priv, privId, privIdLen);
6672+
6673+
funcList->C_DestroyObject(session, pub);
6674+
funcList->C_DestroyObject(session, priv);
6675+
6676+
return ret;
6677+
}
6678+
#endif /* WOLFPKCS11_MLKEM */
6679+
64106680
static CK_RV test_random(void* args)
64116681
{
64126682
CK_SESSION_HANDLE session = *(CK_SESSION_HANDLE*)args;
@@ -6700,6 +6970,12 @@ static TEST_FUNC testFunc[] = {
67006970
PKCS11MTT_CASE(test_hmac_sha512),
67016971
PKCS11MTT_CASE(test_hmac_sha512_fail),
67026972
#endif
6973+
#endif
6974+
#ifdef WOLFPKCS11_MLDSA
6975+
PKCS11MTT_CASE(test_mldsa_gen_keys),
6976+
#endif
6977+
#ifdef WOLFPKCS11_MLKEM
6978+
PKCS11MTT_CASE(test_mlkem_gen_keys),
67036979
#endif
67046980
PKCS11MTT_CASE(test_random),
67056981
};

0 commit comments

Comments
 (0)