Merge pull request #621 from mohamedasaker-arm/fix/615-match-trimmed-…

…serial_number-pkcs11 Compare trimmed token serial numbers (PKCS11 provider)
parallaxsecond · Jul 22, 2022 · 334d0f9 · 334d0f9
2 parents 8d8bbe9 + 1d4d05c
commit 334d0f9
Show file tree

Hide file tree

Showing 5 changed files with 78 additions and 1 deletion.
diff --git a/config.toml b/config.toml
@@ -152,6 +152,7 @@ key_info_manager = "sqlite-manager"
 #library_path = "/usr/local/lib/softhsm/libsofthsm2.so"
 # (Optional) PKCS 11 serial number of the token that will be used by Parsec.
 # If the token serial number is entered, then the slot that has the provided serial number will be used. Otherwise, if both `serial_number` and `slot_number` are given but do not match, a warning is issued and serial number takes precedence.
+# Note: Matching the serial_number done after trimming the leading and trailing whitespaces for serial numbers shorter than 16 charachter.
 #serial_number = "0123456789abcdef"
 # (Optional) PKCS 11 slot that will be used by Parsec If Token serial number is not entered. i.e, serial_number is preferred
 # If the slot number is not entered and there is only one slot available - with a valid token - it will be automatically used

diff --git a/e2e_tests/Cargo.toml b/e2e_tests/Cargo.toml
@@ -29,6 +29,7 @@ picky-asn1-der = "0.2.4"
 picky-asn1 = "0.3.1"
 sha2 = "0.9.3"
 serial_test = "0.5.1"
+regex = "1.6.0"
 
 [features]
 mbed-crypto-provider = []

diff --git a/e2e_tests/tests/all_providers/config/mod.rs b/e2e_tests/tests/all_providers/config/mod.rs
@@ -10,6 +10,7 @@ use parsec_client::core::interface::operations::psa_key_attributes::{
     Attributes, Lifetime, Policy, Type, UsageFlags,
 };
 use parsec_client::core::interface::requests::ResponseStatus;
+use regex::Regex;
 use std::env;
 use std::fs;
 use std::path::PathBuf;
@@ -338,6 +339,49 @@ fn serial_number_only() {
     let _ = client.ping().unwrap();
 }
 
+#[test]
+fn serial_number_padding() {
+    // Extracting the serial number of the first token found in the system
+    let showslots_cmd = Command::new("softhsm2-util")
+        .arg("--show-slots")
+        .output()
+        .expect("Show slots failed");
+    let pattern = Regex::new(r"Serial number:[ ]+([0-9a-zA-Z]+)").unwrap();
+
+    let serials: Vec<_> = String::from_utf8(showslots_cmd.stdout)
+        .unwrap()
+        .lines()
+        .filter_map(|line| pattern.captures(line))
+        .map(|cap| cap[1].to_string())
+        .take(1)
+        .collect();
+
+    // At least 1 token exists in the system
+    assert!(!serials.is_empty());
+
+    // Populating serial_number_padding.toml with serial number found
+    let mut config_file_path = env::current_dir().unwrap();
+    config_file_path.push(CONFIG_TOMLS_FOLDER);
+    config_file_path.push("serial_number_padding.toml");
+    let _sed_cmd = Command::new("sed")
+        .arg("-i")
+        // Put Serial number with extra spaces
+        .arg(format!(
+            "s/^# serial_number.*/serial_number = \"{}{}{}\"/",
+            "   ", serials[0], "   "
+        ))
+        .arg(config_file_path.into_os_string())
+        .output()
+        .expect("Populating Serial Number failed");
+
+    set_config("serial_number_padding.toml");
+    // The service should still start, using the padded serial number.
+    reload_service();
+
+    let mut client = TestClient::new();
+    let _ = client.ping().unwrap();
+}
+
 #[test]
 fn slot_numbers_mismatch() {
     set_config("slot_numbers_mismatch.toml");

diff --git a/e2e_tests/tests/all_providers/config/tomls/serial_number_padding.toml b/e2e_tests/tests/all_providers/config/tomls/serial_number_padding.toml
@@ -0,0 +1,31 @@
+[core_settings]
+# The CI already timestamps the logs
+log_timestamp = false
+log_error_details = true
+
+# The container runs the Parsec service as root, so make sure we disable root
+# checks.
+allow_root = true
+
+[listener]
+listener_type = "DomainSocket"
+# The timeout needs to be smaller than the test client timeout (five seconds) as it is testing
+# that the service does not hang for very big values of body or authentication length.
+timeout = 3000 # in milliseconds
+socket_path = "/tmp/parsec.sock"
+
+[authenticator]
+auth_type = "Direct"
+
+[[key_manager]]
+name = "sqlite-manager"
+manager_type = "SQLite"
+database_path = "./kim-mappings/sqlite/sqlite-key-info-manager.sqlite3"
+
+[[provider]]
+provider_type = "Pkcs11"
+key_info_manager = "sqlite-manager"
+library_path = "/usr/local/lib/softhsm/libsofthsm2.so"
+user_pin = "123456"
+# The serial number optional field is going to replace the following line with a valid number
+# serial_number
diff --git a/src/providers/pkcs11/mod.rs b/src/providers/pkcs11/mod.rs
@@ -524,7 +524,7 @@ impl ProviderBuilder {
                             format_error!("Failed parsing token serial number", e);
                             Error::new(ErrorKind::InvalidData, "Failed parsing token serial number")
                         })?;
-                    if sn == serial_number {
+                    if sn.trim() == serial_number.trim() {
                         slot = Some(current_slot);
                         break;
                     }