From: Thomas C. <cal...@gm...> - 2016-05-17 13:51:31
Hi everybody,

In addition to pkcs11-tool it might be worth mentioning opkcs11-tool [1], a tool that I co-develop. It mimics the CLI interface of pkcs11-tool but allows for advanced PKCS#11 use cases:
- template based operations (management and crypto)
- PSS signature
- Wrap/Unwrap
- and much more as it is easy to extend

In a sense, the tool could be used to perform some regression testing from the CLI.

[1] https://github.com/ANSSI-FR/opkcs11-tool

Cheers,
Thomas

On Tue, May 17, 2016 at 1:39 PM, Jakub Jelen <jj...@re...> wrote:
> On 05/16/2016 07:20 PM, Douglas E Engert wrote:
> > On 5/16/2016 10:04 AM, Jakub Jelen wrote:
> >> Hello OpenSC devels,
> >>
> >> I didn't find any test suite or unit tests for OpenSC project. As I
> >> noticed, there is a lot of hand-testing work on pull requests for
> >> various cards and users. I believe everyone has some use cases to verify
> >> basic functionality of their cards.
> >> I understand that this field is very divergent, there is a lot of card
> >> variants and it is almost impossible to build automatic test suite that
> >> would run in cloud with every build. But would it make sense to have
> >> something that devels (or users) can simply run and what would verify
> >> basic functionality and possible regressions?
> > In-cloud testing would require the cloud test machine to have physical cards.
> > (Unless you are suggesting some RDC access to cards.)
> Yes, this would be awesome, but probably impossible to achieve. Rather having
> something that can be simply run by many users with many different cards and
> report general success or failure would be achievable.
>
> Theoretically generating logs, collecting them from different cards and users and
> representing them in readable form could be too useful for future codebase stability
> among releases. But it is a bit over the initial idea.
> > I would say the closest tool we have is: pkcs11-tool -t -l
> > It does some basic tests, but as you may have noted if you try and run it
> > with a PIV card, it has some problems, especially with the decryption, as it
> > says the user is not logged in when trying to use the Sign key. The key usage
> > says it should not be used for decryption. With other cards it may have different problems.
> Thanks for mentioning pkcs11-tool test mode. I struggled upon it, but there were
> some problems that prevented me from working with that. I will check what can be done there.
> >> I went to the directory src/tests/ and fixed the tests that are
> >> available now (see pull request [1], broken for 6 years), but they are
> >> far away from complete test suite.
> >>
> >> I also started with the idea from PKCS#11 API and put together basic
> >> test suite and inspector for OpenSC, which is currently in my OpenSC
> >> fork [2]. It is by no means complete test suite of all the use cases, but
> >> I tried to catch most common cases, represent results in understandable
> >> form (currently tested with PIV cards) and add regression test for
> >> recent pull request [3].
> > Good choice of card :-)
> >
> > Are you using the NIST set of 16 demo/test cards?
> Yes.
>
> Regards,
>
> --
> Jakub Jelen
> Security Technologies
> Red Hat
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel