From bae6737cb33ebe47c0655a704ff434539db3dc00 Mon Sep 17 00:00:00 2001
From: Douglas Mendizabal
Date: Tue, 19 Nov 2024 14:45:18 -0500
Subject: [PATCH] Increase unit testing coverage for PKCS#11
This patch adds a few tests to increase the test coverage for the PKCS#11 backend.
Related-Bug: #2036506
Change-Id: I3a95d3c1bedb42f8874be8ef622f0b9b7ae27bd7
---
 .../tests/plugin/crypto/test_p11_crypto.py | 22 +++++++++++++++
 barbican/tests/plugin/crypto/test_pkcs11.py | 27 +++++++++++++++++++
 2 files changed, 49 insertions(+)
diff --git a/barbican/tests/plugin/crypto/test_p11_crypto.py b/barbican/tests/plugin/crypto/test_p11_crypto.py
index 9e59a92c9..3ee1fd3c6 100644
--- a/barbican/tests/plugin/crypto/test_p11_crypto.py
+++ b/barbican/tests/plugin/crypto/test_p11_crypto.py
@@ -391,3 +391,25 @@ class WhenTestingP11CryptoPlugin(utils.BaseTestCase):
 load_mock.assert_called_with( 'test_kek', None, key, hmac, 'test_mkek', 'test_hmac', 'CKM_AES_CBC_PAD')
+
+ def test_load_kek_no_iv(self):
+ key = os.urandom(32)
+ wrapped = base64.b64encode(key).decode('UTF-8')
+ hmac = base64.b64encode(os.urandom(16)).decode('UTF-8')
+
+ self.plugin._load_kek('test_key', None, wrapped, hmac, 'mkek_label',
+ 'hmac_label', 'CKM_AES_KEY_WRAP_KWP')
+
+ key in self.pkcs11.verify_hmac.call_args.args
+
+ def test_generate_wrapped_kek_no_iv(self):
+ wrapped = base64.b64encode(os.urandom(32))
+ self.pkcs11.wrap_key.return_value = {
+ 'iv': None,
+ 'wrapped_key': wrapped,
+ 'key_wrap_mechanism': 'CKM_AES_KEY_WRAP_KWP'
+ }
+
+ _ = self.plugin._generate_wrapped_kek(32, 'test_kek')
+
+ wrapped in self.pkcs11.compute_hmac.call_args.args
diff --git a/barbican/tests/plugin/crypto/test_pkcs11.py b/barbican/tests/plugin/crypto/test_pkcs11.py
index 694073aa9..d7dcb8713 100644
--- a/barbican/tests/plugin/crypto/test_pkcs11.py
+++ b/barbican/tests/plugin/crypto/test_pkcs11.py
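Review bot: The last line of both new tests is a bare expression, so the membership result is discarded and nothing is asserted: `key in self.pkcs11.verify_hmac.call_args.args` in test_load_kek_no_iv and `wrapped in self.pkcs11.compute_hmac.call_args.args` in test_generate_wrapped_kek_no_iv. As written they can only fail if the mocked call never happened (call_args would then be None), so a regression that leaves the key material out of the HMAC input when no IV is present would still pass. If the intent is what the expressions suggest, they should read `self.assertIn(key, self.pkcs11.verify_hmac.call_args.args)` and `self.assertIn(wrapped, self.pkcs11.compute_hmac.call_args.args)`. Whether those exact values appear as positional arguments depends on plugin code outside this hunk, so confirm against `_load_kek` and `_generate_wrapped_kek` before relying on the new assertions.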
@@ -178,6 +178,33 @@ class WhenTestingPKCS11(utils.BaseTestCase):
 def _verify(self, *args, **kwargs):
 return pkcs11.CKR_OK
+ def test_init_raises_invalid_encryption_mechanism(self):
+ self.assertRaises(
+ ValueError,
+ pkcs11.PKCS11,
+ self.cfg_mock.library_path,
+ self.cfg_mock.login_passphrase,
+ encryption_mechanism='CKM_BOGUS')
+
+ def test_init_raises_invalid_hmac_mechanism(self):
+ self.assertRaises(
+ ValueError,
+ pkcs11.PKCS11,
+ self.cfg_mock.library_path,
+ self.cfg_mock.login_passphrase,
+ encryption_mechanism='CKM_AES_GCM',
+ hmac_mechanism='CKM_BOGUS')
+
+ def test_init_raises_invalid_key_wrap_mechanism(self):
+ self.assertRaises(
+ ValueError,
+ pkcs11.PKCS11,
+ self.cfg_mock.library_path,
+ self.cfg_mock.login_passphrase,
+ encryption_mechanism='CKM_AES_GCM',
+ hmac_mechanism='CKM_SHA256_HMAC',
+ key_wrap_mechanism='CKM_BOGUS')
+
 def test_get_slot_id_from_serial_number(self):
 slot_id = self.pkcs11._get_slot_id('111111', None, 2)
 self.assertEqual(1, slot_id)
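Review bot: `assertRaises(ValueError, ...)` in the three test_init_raises_invalid_* tests does not show which validation rejected the arguments. The hmac and key-wrap cases depend on the earlier mechanisms ('CKM_AES_GCM', 'CKM_SHA256_HMAC') being accepted first, so a ValueError raised for any other reason in the constructor would also satisfy them, and a removed mechanism check could go unnoticed. Matching the message would pin each test to its own check, e.g. `self.assertRaisesRegex(ValueError, '<message fragment for the invalid mechanism>', pkcs11.PKCS11, ...)`. The constructor's actual message is not visible in this hunk, so the pattern shown is a placeholder.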