tests: Test ValidationFlags

Jakuje · Jakuje · commit c7ab4fce358a · 2025-08-18T18:39:59.000+02:00
Signed-off-by: Jakub Jelen &lt;jjelen@redhat.com&gt;
diff --git a/cryptoki/tests/basic.rs b/cryptoki/tests/basic.rs
@@ -3757,7 +3757,6 @@ fn aes_cmac_verify_impl(key: [u8; 16], message: &[u8], expected_mac: [u8; 16]) -
     Ok(())
 }
 
-/// AES-CMAC test vectors from RFC 4493
 #[test]
 #[serial]
 fn unique_id() -> TestResult {
@@ -3835,3 +3834,83 @@ fn unique_id() -> TestResult {
 
     Ok(())
 }
+
+#[test]
+#[serial]
+fn validation() -> TestResult {
+    let (pkcs11, slot) = init_pins();
+    let session = pkcs11.open_rw_session(slot)?;
+    session.login(UserType::User, Some(&AuthPin::new(USER_PIN.into())))?;
+
+    let key: [u8; 16] = [
+        0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f,
+        0x3c,
+    ];
+
+    // Can not create object with ObjectValidationFlags
+    let key_template = vec![
+        Attribute::Class(ObjectClass::SECRET_KEY),
+        Attribute::KeyType(KeyType::AES),
+        Attribute::Token(true),
+        Attribute::Sensitive(true),
+        Attribute::Private(true),
+        Attribute::Value(key.into()),
+        Attribute::ObjectValidationFlags(0x03.into()),
+    ];
+    let res = session.create_object(&key_template);
+    assert!(res.is_err());
+    assert!(matches!(
+        res,
+        Err(Error::Pkcs11(
+            RvError::AttributeTypeInvalid,
+            Function::CreateObject
+        ))
+    ));
+
+    let generate_template = vec![
+        Attribute::Token(true),
+        Attribute::ValueLen(32.into()),
+        Attribute::Encrypt(true),
+    ];
+
+    // generate a secret key
+    let key = session.generate_key(&Mechanism::AesKeyGen, &generate_template)?;
+
+    // we can get the ObjectValidationFlags attribute
+    let attrs = session.get_attributes(key, &[AttributeType::ObjectValidationFlags])?;
+    if is_softhsm() {
+        // SoftHSM does not support this attribute at all
+        assert_eq!(attrs.len(), 0);
+    } else {
+        // Kryoptic supports the ObjectValidationFlag only if it is built as a FIPS provider
+        //assert!(matches!(attrs.first(), Some(Attribute::ObjectValidationFlags(_))));
+        assert_eq!(attrs.len(), 0);
+    }
+
+    // we can not set the ObjectValidationFlags attribute
+    let update_template = vec![Attribute::ObjectValidationFlags(0x03.into())];
+    let res = session.update_attributes(key, &update_template);
+    assert!(res.is_err());
+    if is_softhsm() {
+        // SoftHSM does not support this attribute at all
+        assert!(matches!(
+            res,
+            Err(Error::Pkcs11(
+                RvError::AttributeTypeInvalid,
+                Function::SetAttributeValue
+            ))
+        ));
+    } else {
+        assert!(matches!(
+            res,
+            Err(Error::Pkcs11(
+                RvError::ActionProhibited,
+                Function::SetAttributeValue
+            ))
+        ));
+    }
+
+    session.destroy_object(key)?;
+
+    Ok(())
+}
