Add some missing tests

MatthiasValvekens · MatthiasValvekens · commit 6c7eb810992f · 2025-07-03T23:25:43.000+09:00
- Interrupting a Digest operation
 - Interrupting a Verify operation
 - Signing with CKA_ALWAYS_AUTHENTICATE
diff --git a/pkcs11/_pkcs11.pyx b/pkcs11/_pkcs11.pyx
@@ -775,9 +775,8 @@ cdef class DigestOperation(OperationWithBinaryOutput):
     def _finalize(self, silent=False):
         cdef Session session = self.session
         if self.active:
-            self.active = False
-            session.operation_lock.release()
             self.execute_resizing_output(session.funclist.C_DigestFinal)
+        super()._finalize(silent=silent)
 
 
 def merge_templates(default_template, *user_templates):
@@ -1326,9 +1325,7 @@ class GenerateWithParametersMixin(types.DomainParameters):
                 raise ArgumentsBad("No default capabilities for this key "
                                    "type. Please specify `capabilities`.")
 
-        mech = MechanismWithParam(
-            self.key_type, DEFAULT_GENERATE_MECHANISMS,
-            mechanism, mechanism_param)
+        mech = MechanismWithParam(self.key_type, DEFAULT_GENERATE_MECHANISMS, mechanism, mechanism_param)
 
         # Build attributes
         public_template_ = session.attribute_mapper.public_key_template(
@@ -1418,9 +1415,8 @@ cdef class KeyOperation(OperationWithBinaryOutput):
 
     def _finalize(self, silent=False):
         if self.active:
-            self.active = False
-            self.session.operation_lock.release()
             self._cancel_operation(silent)
+        super()._finalize(silent=silent)
 
 
 cdef class DataCryptOperation(KeyOperation):
@@ -1487,9 +1483,7 @@ class EncryptMixin(types.EncryptMixin):
 
     def __encrypt_operation(self, mechanism, mechanism_param, buffer_size):
 
-        mech = MechanismWithParam(
-            self.key_type, DEFAULT_ENCRYPT_MECHANISMS,
-            mechanism, mechanism_param)
+        mech = MechanismWithParam(self.key_type, DEFAULT_ENCRYPT_MECHANISMS, mechanism, mechanism_param)
 
         return DataCryptOperation.setup_encrypt(self.session, mech, self.handle, buffer_size)
 
@@ -1522,9 +1516,7 @@ class DecryptMixin(types.DecryptMixin):
 
     def __decrypt_operation(self, mechanism, mechanism_param, buffer_size):
 
-        mech = MechanismWithParam(
-            self.key_type, DEFAULT_ENCRYPT_MECHANISMS,
-            mechanism, mechanism_param)
+        mech = MechanismWithParam(self.key_type, DEFAULT_ENCRYPT_MECHANISMS, mechanism, mechanism_param)
 
         return DataCryptOperation.setup_decrypt(self.session, mech, self.handle, buffer_size)
 
@@ -1606,9 +1598,7 @@ class SignMixin(types.SignMixin):
     """Expand SignMixin with an implementation."""
 
     def __sign_operation(self, mechanism, mechanism_param, buffer_size):
-        mech = MechanismWithParam(
-            self.key_type, DEFAULT_SIGN_MECHANISMS,
-            mechanism, mechanism_param)
+        mech = MechanismWithParam(self.key_type, DEFAULT_SIGN_MECHANISMS, mechanism, mechanism_param)
         return DataSignOperation.setup(self.session, mech, self.handle, buffer_size)
 
     def _sign(self, data,
@@ -1681,9 +1671,7 @@ class VerifyMixin(types.VerifyMixin):
     """Expand VerifyMixin with an implementation."""
 
     def __verify_operation(self, mechanism, mechanism_param):
-        mech = MechanismWithParam(
-            self.key_type, DEFAULT_SIGN_MECHANISMS,
-            mechanism, mechanism_param)
+        mech = MechanismWithParam(self.key_type, DEFAULT_SIGN_MECHANISMS, mechanism, mechanism_param)
         return DataVerifyOperation.setup(self.session, mech, self.handle)
 
     def _verify(self, data, signature,
@@ -1719,9 +1707,7 @@ class WrapMixin(types.WrapMixin):
         if not isinstance(key, types.Key):
             raise ArgumentsBad("`key` must be a Key.")
 
-        mech = MechanismWithParam(
-            self.key_type, DEFAULT_WRAP_MECHANISMS,
-            mechanism, mechanism_param)
+        mech = MechanismWithParam(self.key_type, DEFAULT_WRAP_MECHANISMS, mechanism, mechanism_param)
 
         cdef Session session = self.session
         cdef CK_MECHANISM *mech_data = mech.data
@@ -1766,9 +1752,7 @@ class UnwrapMixin(types.UnwrapMixin):
                 raise ArgumentsBad("No default capabilities for this key "
                                    "type. Please specify `capabilities`.")
 
-        mech = MechanismWithParam(
-            self.key_type, DEFAULT_WRAP_MECHANISMS,
-            mechanism, mechanism_param)
+        mech = MechanismWithParam(self.key_type, DEFAULT_WRAP_MECHANISMS, mechanism, mechanism_param)
 
         cdef Session session = self.session
 
@@ -1822,9 +1806,7 @@ class DeriveMixin(types.DeriveMixin):
                 raise ArgumentsBad("No default capabilities for this key "
                                    "type. Please specify `capabilities`.")
 
-        mech = MechanismWithParam(
-            self.key_type, DEFAULT_DERIVE_MECHANISMS,
-            mechanism, mechanism_param)
+        mech = MechanismWithParam(self.key_type, DEFAULT_DERIVE_MECHANISMS, mechanism, mechanism_param)
 
         cdef Session session = self.session
 
diff --git a/tests/test_digest.py b/tests/test_digest.py
@@ -73,3 +73,30 @@ def test_digest_key_data(self):
         m.update(data[1][Attribute.VALUE])
 
         self.assertEqual(digest, m.digest())
+
+    @requires(Mechanism.SHA256)
+    def test_digest_stream_interrupt_releases_operation(self):
+        data = (
+            b"I" * 16,
+            b"N" * 16,
+            b"P" * 16,
+            b"U" * 16,
+            b"T" * 10,
+        )
+
+        def _data_with_error():
+            yield data[0]
+            yield data[1]
+            yield data[2]
+            raise ValueError
+
+        def attempt_digest():
+            self.session.digest(_data_with_error(), mechanism=Mechanism.SHA256)
+
+        self.assertRaises(ValueError, attempt_digest)
+        # ...try again
+        digest = self.session.digest(data, mechanism=Mechanism.SHA256)
+        m = hashlib.sha256()
+        for d in data:
+            m.update(d)
+        self.assertEqual(digest, m.digest())
diff --git a/tests/test_rsa.py b/tests/test_rsa.py
@@ -5,7 +5,7 @@
 import pkcs11
 from pkcs11 import MGF, Attribute, KeyType, Mechanism, ObjectClass
 
-from . import FIXME, TestCase, requires
+from . import FIXME, TOKEN_PIN, TestCase, requires
 
 
 class RSATests(TestCase):
@@ -25,6 +25,18 @@ def test_sign_pkcs_v15(self):
         self.assertTrue(self.public.verify(data, signature, mechanism=Mechanism.RSA_PKCS))
         self.assertFalse(self.public.verify(data, b"1234", mechanism=Mechanism.RSA_PKCS))
 
+    @requires(Mechanism.SHA512_RSA_PKCS)
+    def test_sign_with_reauthentication(self):
+        public, private = self.session.generate_keypair(
+            KeyType.RSA, 1024, private_template={Attribute.ALWAYS_AUTHENTICATE: True}
+        )
+        data = "INPUT"
+
+        signature = private.sign(data, pin=TOKEN_PIN)
+        self.assertIsNotNone(signature)
+        self.assertIsInstance(signature, bytes)
+        self.assertTrue(public.verify(data, signature))
+
     @requires(Mechanism.SHA512_RSA_PKCS)
     def test_sign_default(self):
         data = b"HELLO WORLD" * 1024
@@ -50,6 +62,41 @@ def test_sign_stream(self):
         self.assertIsInstance(signature, bytes)
         self.assertTrue(self.public.verify(data, signature))
 
+    @requires(Mechanism.SHA512_RSA_PKCS)
+    def test_sign_stream_with_reauthentication(self):
+        public, private = self.session.generate_keypair(
+            KeyType.RSA, 1024, private_template={Attribute.ALWAYS_AUTHENTICATE: True}
+        )
+        data = (
+            b"I" * 16,
+            b"N" * 16,
+            b"P" * 16,
+            b"U" * 16,
+            b"T" * 10,
+        )
+
+        signature = private.sign(data, pin=TOKEN_PIN)
+        self.assertIsNotNone(signature)
+        self.assertIsInstance(signature, bytes)
+        self.assertTrue(public.verify(data, signature))
+
+    @requires(Mechanism.SHA512_RSA_PKCS)
+    def test_sign_stream_with_empty_blocks(self):
+        data = (
+            b"I" * 16,
+            b"N" * 16,
+            b"",
+            b"P" * 16,
+            b"" * 10,
+            b"U" * 16,
+            b"T" * 10,
+        )
+
+        signature = self.private.sign(data)
+        self.assertIsNotNone(signature)
+        self.assertIsInstance(signature, bytes)
+        self.assertTrue(self.public.verify(data, signature))
+
     @requires(Mechanism.SHA512_RSA_PKCS)
     def test_sign_stream_undersized_buffer(self):
         data = (
@@ -91,6 +138,31 @@ def attempt_sign():
         self.assertIsInstance(signature, bytes)
         self.assertTrue(self.public.verify(data, signature))
 
+    @requires(Mechanism.SHA512_RSA_PKCS)
+    def test_verify_stream_interrupt_releases_operation(self):
+        data = (
+            b"I" * 16,
+            b"N" * 16,
+            b"P" * 16,
+            b"U" * 16,
+            b"T" * 10,
+        )
+
+        def _data_with_error():
+            yield data[0]
+            yield data[1]
+            yield data[2]
+            raise ValueError
+
+        signature = self.private.sign(data)
+
+        def attempt_verify():
+            self.public.verify(_data_with_error(), signature)
+
+        self.assertRaises(ValueError, attempt_verify)
+        # ...try again
+        self.assertTrue(self.public.verify(data, signature))
+
     @requires(Mechanism.RSA_PKCS_OAEP)
     @FIXME.opencryptoki  # can't set key attributes
     def test_key_wrap(self):
