F-2386 - https://fenrir.wolfssl.com/finding/2386 - Add test for CKA_VERIFY attribute enforcement in C_VerifyRecoverInit

aidangarske · aidangarske · commit be7c9a4aaf53 · 2026-04-08T11:15:03.000-07:00
diff --git a/tests/pkcs11test.c b/tests/pkcs11test.c
@@ -5722,6 +5722,39 @@ static CK_RV test_verify_recover_x509(void* args)
 }
 #endif
 
+#ifndef NO_RSA
+static CK_RV test_verify_recover_op_not_supported(void* args)
+{
+    CK_SESSION_HANDLE session = *(CK_SESSION_HANDLE*)args;
+    CK_RV ret;
+    CK_OBJECT_HANDLE pubKey;
+    CK_BBOOL falseVal = CK_FALSE;
+    CK_BBOOL trueVal = CK_TRUE;
+    CK_MECHANISM mech = { CKM_RSA_PKCS, NULL_PTR, 0 };
+
+    CK_ATTRIBUTE rsaPubNoVerify[] = {
+        { CKA_CLASS,             &pubKeyClass,      sizeof(pubKeyClass)       },
+        { CKA_KEY_TYPE,          &rsaKeyType,       sizeof(rsaKeyType)        },
+        { CKA_ENCRYPT,           &trueVal,          sizeof(trueVal)           },
+        { CKA_VERIFY,            &falseVal,         sizeof(falseVal)          },
+        { CKA_MODULUS,           rsa_2048_modulus,   sizeof(rsa_2048_modulus)  },
+        { CKA_PUBLIC_EXPONENT,   rsa_2048_pub_exp,  sizeof(rsa_2048_pub_exp)  },
+    };
+
+    ret = funcList->C_CreateObject(session, rsaPubNoVerify,
+                                   sizeof(rsaPubNoVerify)/sizeof(*rsaPubNoVerify),
+                                   &pubKey);
+    CHECK_CKR(ret, "Create RSA pub key with CKA_VERIFY=FALSE");
+    if (ret == CKR_OK) {
+        ret = funcList->C_VerifyRecoverInit(session, &mech, pubKey);
+        CHECK_CKR_FAIL(ret, CKR_KEY_TYPE_INCONSISTENT,
+                        "VerifyRecoverInit should fail with CKA_VERIFY=FALSE");
+    }
+
+    return ret;
+}
+#endif
+
 static CK_RV test_encdec_digest(void* args)
 {
     CK_SESSION_HANDLE session = *(CK_SESSION_HANDLE*)args;
@@ -16836,6 +16869,9 @@ static TEST_FUNC testFunc[] = {
     PKCS11TEST_FUNC_SESS_DECL(test_verify_recover_pkcs),
     PKCS11TEST_FUNC_SESS_DECL(test_verify_recover_x509),
     PKCS11TEST_FUNC_SESS_DECL(test_verify_recover_init_double),
+#endif
+#ifndef NO_RSA
+    PKCS11TEST_FUNC_SESS_DECL(test_verify_recover_op_not_supported),
 #endif
     PKCS11TEST_FUNC_SESS_DECL(test_encdec_digest),
     PKCS11TEST_FUNC_SESS_DECL(test_encdec_signverify),
