Fixed failing tests for multi-part operations

[jacobprudhomme]

Author: Jacob Prud'homme
Email: [email protected]

Description

In tests relating to multi-part operations, added missing attributes to key templates, since Kryoptic was throwing errors about said keys not having the correct attributes set on them to perform certain operations (see here)

Summary of Changes

• Tweaked tests for multipart encrypt/decrypt/verify/sign/digest functionality
  • Added missing attributes to templates for keys
  • Asserted that only a generic PKCS#11 error happens for the *_not_initialized tests, since the exact error returned by various backends is different
  • Similarly, changed the *_already_initialized tests to account for differing behaviour between backends
  • Ignored sha256_digest_key test, since it seems to be impossible to test the desired functionality on all backends for the moment (in particular, extracting the value from a secret key marked Extractable and not Sensitive is not always supported)

[jacobprudhomme]

It seems a host of new errors has popped up now. I'll keep exploring

[wiktor-k]

I'll CC @Jakuje just in case they have some thoughts on the Kryoptic issues. kthxbai 🙇

[Jakuje]

I think we had some issues with the multipart operations recently. They were fixed in main, but not in any release version yet: latchset/kryoptic#179

I will see if we will get a new release out (and update in Fedora) or I can backport the changes to Fedora later today. Sorry for inconvenience! I think the issue is not on your side!

[wiktor-k]

I think we had some issues with the multipart operations recently. They were fixed in main, but not in any release version yet: latchset/kryoptic#179

I will see if we will get a new release out (and update in Fedora) or I can backport the changes to Fedora later today. Sorry for inconvenience! I think the issue is not on your side!

Thank you. 🙏 It's great to hear your remarks directly.

[jacobprudhomme]

Fixed the tests! I had to ignore one to get all of them to pass. I'm open to suggestions on how to rewrite that test, though. I already tried manually creating a key with a manually set value and using that to compare against, but it seems Kryoptic doesn't allow using a key created this way to be used in C_DigestKey

[wiktor-k]

Okay, I think it looks good. I guess the ignored test could check for softhsm the same way as some other tests (it's hard to check on mobile for me now).

Let's leave it open for a while as @Jakuje may have an idea on how to better adjust it.

[Jakuje]

(but still odd that the rust-cryptoki tries to call it without any template)

Ok, I see the bug. With the optimizations, we do not pull all attributes from db for get_attributes and the cka_sensitive defaults to true. Filled in latchset/kryoptic#193 -- I will try to have a look into that.

For the time being, feel free to skip this test for kryoptic, similarly as I skipped some others (with the link to the above issue). Once I will have a fix and new release, we can remove the exclusion.

[wiktor-k]

For the time being, feel free to skip this test for kryoptic, similarly as I skipped some others (with the link to the above issue). Once I will have a fix and new release, we can remove the exclusion.

Hah, it seems including Kryoptic makes for a nice cross-testing experience. Great that we have you here to help debug the issues.

@jacobprudhomme Would you be so kind to add a simple if !softhsm { return } code branch there? I think otherwise this is good to go (unless @hug-dev spots something 😅 ).

[jacobprudhomme]

Alright, done!

[wiktor-k]

Much appreciated 🙏

[hug-dev]

Thank you!