F-2380 - https://fenrir.wolfssl.com/finding/2380 - Add test for CKA_SIGN/CKA_VERIFY attribute enforcement in C_SignInit/C_VerifyInit

aidangarske · aidangarske · commit 6dfe00d38d9d · 2026-04-08T11:05:15.000-07:00
diff --git a/tests/pkcs11test.c b/tests/pkcs11test.c
@@ -5446,6 +5446,63 @@ static CK_RV test_sign_verify(void* args)
     return ret;
 }
 
+static CK_RV test_sign_verify_op_not_supported(void* args)
+{
+    CK_SESSION_HANDLE session = *(CK_SESSION_HANDLE*)args;
+    CK_RV ret;
+    CK_MECHANISM mech;
+    CK_OBJECT_HANDLE key;
+    byte keyData[32];
+    CK_ULONG keySz = sizeof(keyData);
+    CK_BBOOL falseVal = CK_FALSE;
+    CK_BBOOL trueVal = CK_TRUE;
+
+    CK_ATTRIBUTE noSignKey[] = {
+        { CKA_CLASS,             &secretKeyClass,   sizeof(secretKeyClass)    },
+        { CKA_KEY_TYPE,          &genericKeyType,   sizeof(genericKeyType)    },
+        { CKA_SIGN,              &falseVal,         sizeof(falseVal)          },
+        { CKA_VERIFY,            &trueVal,          sizeof(trueVal)           },
+        { CKA_VALUE,             keyData,           keySz                     },
+    };
+    CK_ATTRIBUTE noVerifyKey[] = {
+        { CKA_CLASS,             &secretKeyClass,   sizeof(secretKeyClass)    },
+        { CKA_KEY_TYPE,          &genericKeyType,   sizeof(genericKeyType)    },
+        { CKA_SIGN,              &trueVal,          sizeof(trueVal)           },
+        { CKA_VERIFY,            &falseVal,         sizeof(falseVal)          },
+        { CKA_VALUE,             keyData,           keySz                     },
+    };
+
+    memset(keyData, 9, sizeof(keyData));
+    mech.mechanism      = CKM_SHA256_HMAC;
+    mech.ulParameterLen = 0;
+    mech.pParameter     = NULL;
+
+    /* Create key with CKA_SIGN=FALSE, try C_SignInit */
+    ret = funcList->C_CreateObject(session, noSignKey,
+                                   sizeof(noSignKey)/sizeof(*noSignKey), &key);
+    CHECK_CKR(ret, "Create generic key with CKA_SIGN=FALSE");
+    if (ret == CKR_OK) {
+        ret = funcList->C_SignInit(session, &mech, key);
+        CHECK_CKR_FAIL(ret, CKR_KEY_TYPE_INCONSISTENT,
+                        "SignInit should fail with CKA_SIGN=FALSE");
+    }
+
+    /* Create key with CKA_VERIFY=FALSE, try C_VerifyInit */
+    if (ret == CKR_OK) {
+        ret = funcList->C_CreateObject(session, noVerifyKey,
+                                       sizeof(noVerifyKey)/sizeof(*noVerifyKey),
+                                       &key);
+        CHECK_CKR(ret, "Create generic key with CKA_VERIFY=FALSE");
+    }
+    if (ret == CKR_OK) {
+        ret = funcList->C_VerifyInit(session, &mech, key);
+        CHECK_CKR_FAIL(ret, CKR_KEY_TYPE_INCONSISTENT,
+                        "VerifyInit should fail with CKA_VERIFY=FALSE");
+    }
+
+    return ret;
+}
+
 static CK_RV test_recover(void* args)
 {
     CK_SESSION_HANDLE session = *(CK_SESSION_HANDLE*)args;
@@ -16773,6 +16830,7 @@ static TEST_FUNC testFunc[] = {
 #endif
     PKCS11TEST_FUNC_SESS_DECL(test_digest_fail),
     PKCS11TEST_FUNC_SESS_DECL(test_sign_verify),
+    PKCS11TEST_FUNC_SESS_DECL(test_sign_verify_op_not_supported),
     PKCS11TEST_FUNC_SESS_DECL(test_recover),
 #if !defined(NO_RSA) && defined(WC_RSA_DIRECT)
     PKCS11TEST_FUNC_SESS_DECL(test_verify_recover_pkcs),
