Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Compare trimmed token serial numbers (PKCS11 provider) #621

Merged
merged 2 commits into from
Jul 22, 2022
Merged

Compare trimmed token serial numbers (PKCS11 provider) #621

merged 2 commits into from
Jul 22, 2022

Conversation

mohamedasaker-arm
Copy link
Contributor

Fixes: #615

Signed-off-by: Mohamed Omar Asaker mohamed.omarasaker@arm.com

ionut-arm
ionut-arm reviewed Jul 1, 2022
View reviewed changes
Copy link
Member

@ionut-arm ionut-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Could you add a config test to prevent regressions?

@mohamedasaker-arm
Copy link
Contributor Author

Thanks, @ionut-arm!
An (e2e) config test will require knowledge of the token serial number to compare it against the provided one.
The token's serial number should be less than 16 characters to have a meaningful test.
Given the above info, here are the challenges/limitations I found

  • The token serial number the system will use as a reference in the comparison (can be retrieved using std::Command) https://rust-lang-nursery.github.io/rust-cookbook/os/external.html.
  • The token generated via softhsm-util is 16 characters.
  • This test couples with softhsm.
  • Using cryptoki needs to extend the e2e framework to have the ability to extract the pkcs11 backend implementation from the config file.

Suggestion:

  • Create a mock backend to fully control the provider backend, which allows driving logic/data from the test.
    for instance, this mock can set the token info
    then by running the service with this backend implementation
    it will use the token data set in the test.
  • Rely on the softhsm for now and use the command line approach

ionut-arm
ionut-arm approved these changes Jul 12, 2022
View reviewed changes
Copy link
Member

@ionut-arm ionut-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! 👍

@mohamedasaker-arm mohamedasaker-arm force-pushed the fix/615-match-trimmed-serial_number-pkcs11 branch from b681490 to 9b1b033 Compare July 12, 2022 11:58
@ionut-arm
Copy link
Member

(As for the test, you can leave it for another PR. Though now that the CI is failing... :( )

@mohamedasaker-arm
Copy link
Contributor Author

Failures: It's the new version of the Clippy issue, It's better to fix them, then rebase this PR.
As for the test, Which one from the above suggestions do you think is better, or do you have another idea?

@ionut-arm
Copy link
Member

I'd go for the CLI approach - don't think it's particularly likely we'll move to some other PKCS11 implementation, and we already have stuff in the CI pipeline that expects softhsm for setup. And it's a lot easier. If you want you can create some sort of tagging/tracking mechanism for the places where we make explicit use of a specific backend.

@mohamedasaker-arm mohamedasaker-arm force-pushed the fix/615-match-trimmed-serial_number-pkcs11 branch from 9b1b033 to fcf82c4 Compare July 13, 2022 12:35
@mohamedasaker-arm
Copy link
Contributor Author

Rethinking the test, we will depend on the softhsm-util in generating the tokens, which generates a 16 char token.
I wonder how the test will be different from the serial_number_only test in e2e_tests/tests/all_providers/config
Could you give me your insights @ionut-arm?

@ionut-arm
Copy link
Member

Rethinking the test, we will depend on the softhsm-util in generating the tokens, which generates a 16 char token. I wonder how the test will be different from the serial_number_only test in e2e_tests/tests/all_providers/config Could you give me your insights @ionut-arm?

Hey! Well, serial_number_only does not check the trimming functionality IIUC, it passes whether or not we trim the value in the config file. What I'd like is some guarantee that we can identify the SN successfully even when it's padded with spaces, to protect against any regressions on it. The service doesn't know that a SN has to be 16 characters, so we can put as many spaces as we'd like. Ideally, softhsm would let us set whatever serial number we want so that we can test that side too, but I don't think that's something we can do.

What we want to support here is for an admin to give a serial number of (abcd + 2 spaces) even when the real serial number is (abcd + 12 white spaces) - and have some way to prove that it works.

@mohamedasaker-arm
Copy link
Contributor Author

Hey @ionut-arm
About this statement,

"Ideally, softhsm would let us set whatever serial number we want so that we can test that side too, but I don't think that's something we can do."

I agree, and I am not aware of such an option to set the serial number ourselves. So relaying on softhsm in this test won't add any value.
So the conclusion, we want to go with other approaches in which we can set/manipulate the token serial number.

@ionut-arm
Copy link
Member

we want to go with other approaches in which we can set/manipulate the token serial number.

Do we have such an option?

@ionut-arm
Copy link
Member

So what my aim would be with the test is to verify if the trimming works correctly. Because the operation is symmetrical (on both what's in the config file and what's coming from the token), it doesn't really matter which one we can control. It would be nice to be able to test both of them (setting the SN in the config file to something with whitespace around in one test, and the serial number of the token to something with whitespace around in another), but if we can only do one of them that would still be preferable - though maybe there's something preventing us from doing that?

@mohamedasaker-arm
Copy link
Contributor Author

Nothing is preventing us from doing that (Adding spaces to the provided serial number), but that won't fulfil the following statement

What we want to support here is for an admin to give a serial number of (abcd + 2 spaces) even when the actual serial number is (abcd + 12 white spaces) - and have some way to prove that it works.

I got from this statement that you want to validate both sides.
For clarity:
SN_A: Provided Token SN has written in config.toml provided by the user
SN_B: The Token SN (generated by softhsm2-util)

Option1: SN_A is set to SN_B with extra spaces
The test should pass and is testing that SN_A.trim is okay
Option2: SN_B is less than 16 char and has spaces ex: SN_B = "abcd "
SN_A is SN_B with different spaces ex: SN_A = " abcd "
Option 2 isn't achievable with the current testing framework and system assumptions
I am okay with option1 only for now.
Is that what you meant?
Sorry for the misunderstanding 😄

@anta5010
Copy link
Collaborator

In real world SN_B might be "abcdef123 ". i.e 16 chars with spaces at the end. For example with Nitrokey USB HSM.
Ideally we need the test to pass when SN_A either "abcdef123 " or "abcdef123".
But, it looks like it's not straightforward to test with softhsm2-util.
Although as we build softhsm2-util from sources for CI tests we can patch it to produce the required SN_B

@ionut-arm
Copy link
Member

Yeah, option 1 should be fine, testing at least part of it.

@mohamedasaker-arm mohamedasaker-arm force-pushed the fix/615-match-trimmed-serial_number-pkcs11 branch from 9685e30 to a39f3fd Compare July 20, 2022 19:36
@mohamedasaker-arm
Compare trimmed token serial numbers (PKCS11 provider)
5b9d656 
Fixes: parallaxsecond#615

Signed-off-by: Mohamed Omar Asaker <mohamed.omarasaker@arm.com>
@mohamedasaker-arm
Add a configuration test to test trimming of the provided serial number
1d4d05c 
Signed-off-by: Mohamed Omar Asaker <mohamed.omarasaker@arm.com>
@mohamedasaker-arm mohamedasaker-arm force-pushed the fix/615-match-trimmed-serial_number-pkcs11 branch from a39f3fd to 1d4d05c Compare July 20, 2022 21:17
@mohamedasaker-arm
Copy link
Contributor Author

mohamedasaker-arm commented Jul 21, 2022
edited
Loading

@ionut-arm, Could you retrigger this test.
I think it's just unstable.
Is there an issue to tackle this instability?

@ionut-arm
Copy link
Member

Is there an issue to tackle this instability?

No, I don't think so, and we have multiple issues, mostly in the stress test it seems. One affects the "Mbed Crypto derivatives", and another the PKCS11 provider. The PKCS11 provider issues we've tried to fix and it's definitely better now than before, but Softhsm probably still has multithreading issues.

Feel free to open issues!

@ionut-arm ionut-arm merged commit 334d0f9 into parallaxsecond:main Jul 22, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anta5010 anta5010 anta5010 approved these changes

@ionut-arm ionut-arm ionut-arm approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

PKCS11 provider serial_number configuration
3 participants
@mohamedasaker-arm @ionut-arm @anta5010