pkcs11_protect_server 0.2.2

data/ext/pk11s_struct_def.inc

@@ -0,0 +1,79 @@
+PKCS11_DEFINE_STRUCT(CK_DES_CBC_PARAMS);
+PKCS11_DEFINE_MEMBER(CK_DES_CBC_PARAMS, iv);
+PKCS11_DEFINE_MEMBER(CK_DES_CBC_PARAMS, data);
+
+PKCS11_DEFINE_STRUCT(CK_DES2_CBC_PARAMS);
+PKCS11_DEFINE_MEMBER(CK_DES2_CBC_PARAMS, iv);
+PKCS11_DEFINE_MEMBER(CK_DES2_CBC_PARAMS, data);
+
+PKCS11_DEFINE_STRUCT(CK_DES3_CBC_PARAMS);
+PKCS11_DEFINE_MEMBER(CK_DES3_CBC_PARAMS, iv);
+PKCS11_DEFINE_MEMBER(CK_DES3_CBC_PARAMS, data);
+
+PKCS11_DEFINE_STRUCT(CK_TIMESTAMP_PARAMS);
+PKCS11_DEFINE_MEMBER(CK_TIMESTAMP_PARAMS, useMilliseconds);
+PKCS11_DEFINE_MEMBER(CK_TIMESTAMP_PARAMS, timestampFormat);
+
+PKCS11_DEFINE_STRUCT(CK_ATTRIBUTES);
+PKCS11_DEFINE_MEMBER(CK_ATTRIBUTES, attributes);
+
+PKCS11_DEFINE_STRUCT(CK_MECH_AND_OBJECT);
+PKCS11_DEFINE_MEMBER(CK_MECH_AND_OBJECT, mechanism);
+PKCS11_DEFINE_MEMBER(CK_MECH_AND_OBJECT, obj);
+
+PKCS11_DEFINE_STRUCT(CK_MECH_TYPE_AND_OBJECT);
+PKCS11_DEFINE_MEMBER(CK_MECH_TYPE_AND_OBJECT, mechanism);
+PKCS11_DEFINE_MEMBER(CK_MECH_TYPE_AND_OBJECT, obj);
+
+PKCS11_DEFINE_STRUCT(CK_MECH_AND_OBJECTS);
+PKCS11_DEFINE_MEMBER(CK_MECH_AND_OBJECTS, mechanism);
+
+PKCS11_DEFINE_STRUCT(CK_PKCS_7_PARAMS);
+PKCS11_DEFINE_MEMBER(CK_PKCS_7_PARAMS, flags);
+PKCS11_DEFINE_MEMBER(CK_PKCS_7_PARAMS, length);
+PKCS11_DEFINE_MEMBER(CK_PKCS_7_PARAMS, signature);
+PKCS11_DEFINE_MEMBER(CK_PKCS_7_PARAMS, encryption);
+PKCS11_DEFINE_MEMBER(CK_PKCS_7_PARAMS, extensions);
+
+PKCS11_DEFINE_STRUCT(CK_PP_LOAD_SECRET_PARAMS);
+PKCS11_DEFINE_MEMBER(CK_PP_LOAD_SECRET_PARAMS, prompt);
+PKCS11_DEFINE_MEMBER(CK_PP_LOAD_SECRET_PARAMS, bMaskInput);
+PKCS11_DEFINE_MEMBER(CK_PP_LOAD_SECRET_PARAMS, cConvert);
+/* unimplemented attr CK_CHAR cTimeout  */
+/* unimplemented attr CK_CHAR reserved  */
+
+PKCS11_DEFINE_STRUCT(CK_REPLICATE_TOKEN_PARAMS);
+PKCS11_DEFINE_MEMBER(CK_REPLICATE_TOKEN_PARAMS, peerId);
+
+PKCS11_DEFINE_STRUCT(CK_SECRET_SHARE_PARAMS);
+PKCS11_DEFINE_MEMBER(CK_SECRET_SHARE_PARAMS, n);
+PKCS11_DEFINE_MEMBER(CK_SECRET_SHARE_PARAMS, m);
+
+PKCS11_DEFINE_STRUCT(CK_PKCS12_PBE_EXPORT_PARAMS);
+PKCS11_DEFINE_MEMBER(CK_PKCS12_PBE_EXPORT_PARAMS, passwordAuthSafe);
+PKCS11_DEFINE_MEMBER(CK_PKCS12_PBE_EXPORT_PARAMS, passwordHMAC);
+PKCS11_DEFINE_MEMBER(CK_PKCS12_PBE_EXPORT_PARAMS, keyCert);
+PKCS11_DEFINE_MEMBER(CK_PKCS12_PBE_EXPORT_PARAMS, safeBagKgMech);
+PKCS11_DEFINE_MEMBER(CK_PKCS12_PBE_EXPORT_PARAMS, safeContentKgMech);
+PKCS11_DEFINE_MEMBER(CK_PKCS12_PBE_EXPORT_PARAMS, hmacKgMech);
+
+PKCS11_DEFINE_STRUCT(CK_PKCS12_PBE_IMPORT_PARAMS);
+PKCS11_DEFINE_MEMBER(CK_PKCS12_PBE_IMPORT_PARAMS, certAttr);
+PKCS11_DEFINE_MEMBER(CK_PKCS12_PBE_IMPORT_PARAMS, passwordAuthSafe);
+PKCS11_DEFINE_MEMBER(CK_PKCS12_PBE_IMPORT_PARAMS, passwordHMAC);
+/* unimplemented attr CK_OBJECT_HANDLE_PTR hCert  */
+PKCS11_DEFINE_MEMBER(CK_PKCS12_PBE_IMPORT_PARAMS, hCertCount);
+
+PKCS11_DEFINE_STRUCT(CK_ECIES_PARAMS);
+PKCS11_DEFINE_MEMBER(CK_ECIES_PARAMS, pSharedData1);
+PKCS11_DEFINE_MEMBER(CK_ECIES_PARAMS, pSharedData2);
+/* unimplemented attr CK_EC_DH_PRIMITIVE dhPrimitive  */
+PKCS11_DEFINE_MEMBER(CK_ECIES_PARAMS, kdf);
+PKCS11_DEFINE_MEMBER(CK_ECIES_PARAMS, ulSharedDataLen1);
+/* unimplemented attr CK_EC_ENC_SCHEME encScheme  */
+PKCS11_DEFINE_MEMBER(CK_ECIES_PARAMS, ulEncKeyLenInBits);
+/* unimplemented attr CK_EC_MAC_SCHEME macScheme  */
+PKCS11_DEFINE_MEMBER(CK_ECIES_PARAMS, ulMacKeyLenInBits);
+PKCS11_DEFINE_MEMBER(CK_ECIES_PARAMS, ulMacLenInBits);
+PKCS11_DEFINE_MEMBER(CK_ECIES_PARAMS, ulSharedDataLen2);
+

data/ext/pk11s_struct_impl.inc

@@ -0,0 +1,79 @@
+PKCS11_IMPLEMENT_STRUCT_WITH_ALLOCATOR(CK_DES_CBC_PARAMS);
+PKCS11_IMPLEMENT_STRING_ACCESSOR(CK_DES_CBC_PARAMS, iv);
+PKCS11_IMPLEMENT_STRING_ACCESSOR(CK_DES_CBC_PARAMS, data);
+
+PKCS11_IMPLEMENT_STRUCT_WITH_ALLOCATOR(CK_DES2_CBC_PARAMS);
+PKCS11_IMPLEMENT_STRING_ACCESSOR(CK_DES2_CBC_PARAMS, iv);
+PKCS11_IMPLEMENT_STRING_ACCESSOR(CK_DES2_CBC_PARAMS, data);
+
+PKCS11_IMPLEMENT_STRUCT_WITH_ALLOCATOR(CK_DES3_CBC_PARAMS);
+PKCS11_IMPLEMENT_STRING_ACCESSOR(CK_DES3_CBC_PARAMS, iv);
+PKCS11_IMPLEMENT_STRING_ACCESSOR(CK_DES3_CBC_PARAMS, data);
+
+PKCS11_IMPLEMENT_STRUCT_WITH_ALLOCATOR(CK_TIMESTAMP_PARAMS);
+PKCS11_IMPLEMENT_BOOL_ACCESSOR(CK_TIMESTAMP_PARAMS, useMilliseconds);
+PKCS11_IMPLEMENT_ULONG_ACCESSOR(CK_TIMESTAMP_PARAMS, timestampFormat);
+
+PKCS11_IMPLEMENT_STRUCT_WITH_ALLOCATOR(CK_ATTRIBUTES);
+PKCS11_IMPLEMENT_PKCS11_STRUCT_PTR_ARRAY_ACCESSOR(CK_ATTRIBUTES, CK_ATTRIBUTE, attributes, count);
+
+PKCS11_IMPLEMENT_STRUCT_WITH_ALLOCATOR(CK_MECH_AND_OBJECT);
+PKCS11_IMPLEMENT_PKCS11_STRUCT_ACCESSOR(CK_MECH_AND_OBJECT, CK_MECHANISM, mechanism);
+PKCS11_IMPLEMENT_HANDLE_ACCESSOR(CK_MECH_AND_OBJECT, obj);
+
+PKCS11_IMPLEMENT_STRUCT_WITH_ALLOCATOR(CK_MECH_TYPE_AND_OBJECT);
+PKCS11_IMPLEMENT_ULONG_ACCESSOR(CK_MECH_TYPE_AND_OBJECT, mechanism);
+PKCS11_IMPLEMENT_HANDLE_ACCESSOR(CK_MECH_TYPE_AND_OBJECT, obj);
+
+PKCS11_IMPLEMENT_STRUCT_WITH_ALLOCATOR(CK_MECH_AND_OBJECTS);
+PKCS11_IMPLEMENT_STRUCT_PTR_ARRAY_ACCESSOR(CK_MECH_AND_OBJECTS, CK_MECH_AND_OBJECT, mechanism, count);
+
+PKCS11_IMPLEMENT_STRUCT_WITH_ALLOCATOR(CK_PKCS_7_PARAMS);
+PKCS11_IMPLEMENT_ULONG_ACCESSOR(CK_PKCS_7_PARAMS, flags);
+PKCS11_IMPLEMENT_ULONG_ACCESSOR(CK_PKCS_7_PARAMS, length);
+PKCS11_IMPLEMENT_STRUCT_ACCESSOR(CK_PKCS_7_PARAMS, CK_MECH_AND_OBJECTS, signature);
+PKCS11_IMPLEMENT_STRUCT_ACCESSOR(CK_PKCS_7_PARAMS, CK_MECH_AND_OBJECTS, encryption);
+PKCS11_IMPLEMENT_STRUCT_ACCESSOR(CK_PKCS_7_PARAMS, CK_ATTRIBUTES, extensions);
+
+PKCS11_IMPLEMENT_STRUCT_WITH_ALLOCATOR(CK_PP_LOAD_SECRET_PARAMS);
+PKCS11_IMPLEMENT_STRING_PTR_ACCESSOR(CK_PP_LOAD_SECRET_PARAMS, prompt);
+PKCS11_IMPLEMENT_BOOL_ACCESSOR(CK_PP_LOAD_SECRET_PARAMS, bMaskInput);
+PKCS11_IMPLEMENT_ULONG_ACCESSOR(CK_PP_LOAD_SECRET_PARAMS, cConvert);
+/* unimplemented attr CK_CHAR cTimeout  */
+/* unimplemented attr CK_CHAR reserved  */
+
+PKCS11_IMPLEMENT_STRUCT_WITH_ALLOCATOR(CK_REPLICATE_TOKEN_PARAMS);
+PKCS11_IMPLEMENT_STRING_ACCESSOR(CK_REPLICATE_TOKEN_PARAMS, peerId);
+
+PKCS11_IMPLEMENT_STRUCT_WITH_ALLOCATOR(CK_SECRET_SHARE_PARAMS);
+PKCS11_IMPLEMENT_ULONG_ACCESSOR(CK_SECRET_SHARE_PARAMS, n);
+PKCS11_IMPLEMENT_ULONG_ACCESSOR(CK_SECRET_SHARE_PARAMS, m);
+
+PKCS11_IMPLEMENT_STRUCT_WITH_ALLOCATOR(CK_PKCS12_PBE_EXPORT_PARAMS);
+PKCS11_IMPLEMENT_STRING_PTR_LEN_ACCESSOR(CK_PKCS12_PBE_EXPORT_PARAMS, passwordAuthSafe, passwordAuthSafeLen);
+PKCS11_IMPLEMENT_STRING_PTR_LEN_ACCESSOR(CK_PKCS12_PBE_EXPORT_PARAMS, passwordHMAC, passwordHMACLen);
+PKCS11_IMPLEMENT_HANDLE_ACCESSOR(CK_PKCS12_PBE_EXPORT_PARAMS, keyCert);
+PKCS11_IMPLEMENT_ULONG_ACCESSOR(CK_PKCS12_PBE_EXPORT_PARAMS, safeBagKgMech);
+PKCS11_IMPLEMENT_ULONG_ACCESSOR(CK_PKCS12_PBE_EXPORT_PARAMS, safeContentKgMech);
+PKCS11_IMPLEMENT_ULONG_ACCESSOR(CK_PKCS12_PBE_EXPORT_PARAMS, hmacKgMech);
+
+PKCS11_IMPLEMENT_STRUCT_WITH_ALLOCATOR(CK_PKCS12_PBE_IMPORT_PARAMS);
+PKCS11_IMPLEMENT_PKCS11_STRUCT_PTR_ARRAY_ACCESSOR(CK_PKCS12_PBE_IMPORT_PARAMS, CK_ATTRIBUTE, certAttr, certAttrCount);
+PKCS11_IMPLEMENT_STRING_PTR_LEN_ACCESSOR(CK_PKCS12_PBE_IMPORT_PARAMS, passwordAuthSafe, passwordAuthSafeLen);
+PKCS11_IMPLEMENT_STRING_PTR_LEN_ACCESSOR(CK_PKCS12_PBE_IMPORT_PARAMS, passwordHMAC, passwordHMACLen);
+/* unimplemented attr CK_OBJECT_HANDLE_PTR hCert  */
+PKCS11_IMPLEMENT_ULONG_PTR_ACCESSOR(CK_PKCS12_PBE_IMPORT_PARAMS, hCertCount);
+
+PKCS11_IMPLEMENT_STRUCT_WITH_ALLOCATOR(CK_ECIES_PARAMS);
+PKCS11_IMPLEMENT_STRING_PTR_ACCESSOR(CK_ECIES_PARAMS, pSharedData1);
+PKCS11_IMPLEMENT_STRING_PTR_ACCESSOR(CK_ECIES_PARAMS, pSharedData2);
+/* unimplemented attr CK_EC_DH_PRIMITIVE dhPrimitive  */
+PKCS11_IMPLEMENT_ULONG_ACCESSOR(CK_ECIES_PARAMS, kdf);
+PKCS11_IMPLEMENT_ULONG_ACCESSOR(CK_ECIES_PARAMS, ulSharedDataLen1);
+/* unimplemented attr CK_EC_ENC_SCHEME encScheme  */
+PKCS11_IMPLEMENT_ULONG_ACCESSOR(CK_ECIES_PARAMS, ulEncKeyLenInBits);
+/* unimplemented attr CK_EC_MAC_SCHEME macScheme  */
+PKCS11_IMPLEMENT_ULONG_ACCESSOR(CK_ECIES_PARAMS, ulMacKeyLenInBits);
+PKCS11_IMPLEMENT_ULONG_ACCESSOR(CK_ECIES_PARAMS, ulMacLenInBits);
+PKCS11_IMPLEMENT_ULONG_ACCESSOR(CK_ECIES_PARAMS, ulSharedDataLen2);
+

data/lib/pkcs11_protect_server/extensions.rb

@@ -0,0 +1,113 @@
+#!/usr/bin/env ruby
+
+module PKCS11
+module ProtectServer
+  # Derive CK_ATTRIBUTE to get converted attributes.
+  class CK_ATTRIBUTE < PKCS11::CK_ATTRIBUTE
+    ATTRIBUTES = {
+      CKA_EXPORT => :bool,
+      CKA_EXPORTABLE => :bool,
+      CKA_TRUSTED => :bool,
+      CKA_DELETABLE => :bool,
+      CKA_SIGN_LOCAL_CERT => :bool,
+      CKA_IMPORT => :bool,
+      CKA_USAGE_COUNT => :ulong,
+      CKA_KEY_SIZE => :ulong,
+    }
+
+    def value
+      case ATTRIBUTES[type]
+        when :bool
+          super != "\0"
+        when :ulong
+          super.unpack("L!")[0]
+        else
+          super
+      end
+    end
+  end
+
+  # A ProtectServer::Library instance holds a handle to the opened +cryptoki.dll+ or +cryptoki.so+ file.
+  #
+  # This class is derived from
+  # PKCS11::Library[http://pkcs11.rubyforge.org/pkcs11/PKCS11/Library.html] of pkcs11.gem.
+  class Library < PKCS11::Library
+    MechanismParameters = {
+      CKM_DES_DERIVE_CBC => CK_DES_CBC_PARAMS,
+      CKM_DES3_DERIVE_CBC => CK_DES3_CBC_PARAMS,
+      CKM_ECIES => CK_ECIES_PARAMS,
+      CKM_ENCODE_X_509 => CK_MECH_TYPE_AND_OBJECT,
+      CKM_PKCS12_PBE_EXPORT => CK_PKCS12_PBE_EXPORT_PARAMS,
+      CKM_PKCS12_PBE_IMPORT => CK_PKCS12_PBE_IMPORT_PARAMS,
+      CKM_PP_LOAD_SECRET => CK_PP_LOAD_SECRET_PARAMS,
+      CKM_REPLICATE_TOKEN_RSA_AES => CK_REPLICATE_TOKEN_PARAMS,
+      CKM_SECRET_RECOVER_WITH_ATTRIBUTES => CK_SECRET_SHARE_PARAMS,
+      CKM_SHA1_RSA_PKCS_TIMESTAMP => CK_TIMESTAMP_PARAMS,
+    }
+
+    # Path and file name of the loaded cryptoki library.
+    attr_reader :so_path
+
+    # Load and initialize a pkcs11 dynamic library with Safenet Protect Server extensions.
+    #
+    # Set +so_path+ to +:hsm+, +:sw+ or +:logger+ in order to autodetect the cryptoki-HSM or
+    # software emulation library file.
+    #
+    # @param [String, Symbol, nil] so_path  Shortcut-Symbol or path to the *.so or *.dll file to load.
+    # @param [Hash, CK_C_INITIALIZE_ARGS] args  A Hash or CK_C_INITIALIZE_ARGS instance with load params.
+    #
+    # See also PKCS11::Library#initialize[http://pkcs11.rubyforge.org/pkcs11/PKCS11/Library.html#initialize-instance_method] of pkcs11.gem
+    def initialize(so_path = nil, args = {})
+      if [:sw, :hsm].include?(so_path)
+        if RUBY_PLATFORM =~ /mswin|mingw/
+          libctsw_so = "cryptoki.dll"
+          libctsw_so_paths = [
+            File.join(ENV['ProgramFiles'], "SafeNet/ProtectToolkit C SDK/bin/#{so_path}"),
+          ]
+        else
+          libctsw_so = "libct#{so_path}.so"
+          libctsw_so_paths = [
+            "/opt/ETcpsdk/lib/linux-i386",
+            "/opt/ETcpsdk/lib/linux-x86_64",
+            "/opt/PTK/lib",
+          ]
+        end
+
+        unless so_path=ENV['CRYPTOKI_SO']
+          paths = libctsw_so_paths.collect{|path| File.join(path, libctsw_so) }
+          so_path = paths.find{|path| File.exist?(path) }
+        end
+
+        raise "#{libctsw_so} not found - please install ProtectServer PTK-C or set ENV['CRYPTOKI_SO']" unless so_path
+      end
+
+      @so_path = so_path
+      super(so_path, args)
+    end
+
+    def vendor_const_get(name)
+      return ProtectServer.const_get(name) if ProtectServer.const_defined?(name)
+      super
+    end
+
+    def vendor_all_attribute_names
+      return ProtectServer::ATTRIBUTES.values + super
+    end
+
+    def vendor_mechanism_parameter_struct(mech)
+      MechanismParameters[mech] || super
+    end
+
+    def vendor_raise_on_return_value(rv)
+      if ex=ProtectServer::RETURN_VALUES[rv]
+        raise(ex, rv.to_s)
+      end
+      super
+    end
+
+    def vendor_class_CK_ATTRIBUTE
+      ProtectServer::CK_ATTRIBUTE
+    end
+  end
+end
+end

data/lib/pkcs11_protect_server.rb

@@ -0,0 +1,11 @@
+#!/usr/bin/env ruby
+
+# Extend the search path for Windows binary gem, depending of the current ruby version
+major_minor = RUBY_VERSION[ /^(\d+\.\d+)/ ] or
+  raise "Oops, can't extract the major/minor version from #{RUBY_VERSION.dump}"
+$: << File.join(File.dirname(__FILE__), major_minor)
+
+require 'rubygems'
+require 'pkcs11'
+require 'pkcs11_protect_server_ext'
+require 'pkcs11_protect_server/extensions'

data/test/helper.rb

@@ -0,0 +1,14 @@
+def open_ctsw
+  PKCS11::ProtectServer::Library.new(:sw, :flags=>0)
+end
+
+def adjust_parity(data)
+  out = []
+  count_digit = "1"
+  data.each_byte{|b|
+    b &= 0xfe
+    b |= 1 if b.to_s(2).count(count_digit) % 2 == 0
+    out << b
+  }
+  return out.pack("C*")
+end

data/test/test_pkcs11_protect_server.rb

@@ -0,0 +1,50 @@
+require "test/unit"
+require "pkcs11_protect_server"
+require "test/helper"
+
+class TestPkcs11ProtectServer < Test::Unit::TestCase
+  include PKCS11
+
+  def test_CStruct
+    s = ProtectServer::CK_SECRET_SHARE_PARAMS.new
+    s.n, s.m = 2, 3
+
+    assert_match( /m=3/, s.inspect, 'There should be a n value in CK_SECRET_SHARE_PARAMS')
+    assert_equal ["n", "m"], s.members, 'CK_SECRET_SHARE_PARAMS should contain some attributes'
+    assert_equal [2, 3], s.values, 'values of CK_SECRET_SHARE_PARAMS'
+    assert_equal( {:n=>2, :m=>3}, s.to_hash, 'CK_SECRET_SHARE_PARAMS as hash' )
+  end
+
+  def test_CK_PKCS12_PBE_IMPORT_PARAMS
+    s = ProtectServer::CK_PKCS12_PBE_IMPORT_PARAMS.new
+    assert_equal [], s.certAttr
+    s1 = CK_ATTRIBUTE.new ProtectServer::CKA_EXPORT, true
+    s2 = CK_ATTRIBUTE.new ProtectServer::CKA_EXPORTABLE, false
+    s.certAttr = [s1, s2]
+    assert_equal [s1.to_hash, s2.to_hash], s.certAttr.map{|e| e.to_hash }
+    GC.start
+    assert_raise(ArgumentError){ s.certAttr = [s1, s2, nil] }
+    assert_equal [s1.to_hash, s2.to_hash], s.certAttr.map{|e| e.to_hash }
+
+    s.certAttr = []
+    assert_equal [], s.certAttr
+  end
+
+  def test_constants
+    assert_equal 0x80000990, ProtectServer::CKM_OS_UPGRADE, "CKM_OS_UPGRADE should be defined"
+    assert_equal 0x80000128, ProtectServer::CKA_EXPORT, "CKA_EXPORT should be defined"
+    assert_equal 0x80000129, ProtectServer::CKA_EXPORTABLE, "CKA_EXPORTABLE should be defined"
+    assert ProtectServer::CKR_ET_NOT_ODD_PARITY.ancestors.include?(PKCS11::Error), "CKR_ET_NOT_ODD_PARITY should be defined"
+    assert_equal 0x8000020c, ProtectServer::CKO_FM, "CKO_FM should be defined"
+  end
+
+  def test_loading
+    pk = PKCS11::ProtectServer::Library.new(:sw, :flags=>0)
+    so_path = pk.so_path
+    pk.close
+    assert !so_path.empty?, "Used path shouldn't be empty"
+
+    pk = PKCS11::ProtectServer::Library.new(so_path, :flags=>0)
+    pk.close
+  end
+end

data/test/test_pkcs11_protect_server_crypt.rb

@@ -0,0 +1,103 @@
+require "test/unit"
+require "pkcs11_protect_server"
+require "test/helper"
+
+class TestPkcs11ProtectServerCrypt < Test::Unit::TestCase
+  include PKCS11
+  attr_reader :slots
+  attr_reader :slot
+  attr_reader :session
+  attr_reader :secret_key
+
+  def setup
+    $pkcs11 ||= open_ctsw
+    @slots = pk.active_slots
+    @slot = slots.first
+
+    # Init SO-PIN if not already done.
+    if slot.token_info.flags & CKF_TOKEN_INITIALIZED == 0
+      slot.init_token('1234', 'test-token')
+      assert_match(/^test-token/, slot.token_info.label, "Token label should be set now")
+    end
+    assert_equal CKF_TOKEN_INITIALIZED, slot.token_info.flags & CKF_TOKEN_INITIALIZED, "Token should be initialized"
+
+    # Init USER-PIN if not already done.
+    if slot.token_info.flags & CKF_USER_PIN_INITIALIZED == 0
+      s = slot.open(CKF_SERIAL_SESSION | CKF_RW_SESSION)
+      assert_equal CKF_RW_SESSION, s.info.flags & CKF_RW_SESSION, "Session should be read/write"
+      assert_equal CKS_RW_PUBLIC_SESSION, s.info.state, "Session should be in logoff state"
+      s.login(:SO, '1234')
+      assert_equal CKS_RW_SO_FUNCTIONS, s.info.state, "Session should be in SO state"
+      s.init_pin('1234')
+      s.close
+    end
+    assert_equal CKF_USER_PIN_INITIALIZED, slot.token_info.flags & CKF_USER_PIN_INITIALIZED, "User PIN should be initialized"
+
+    @session = slot.open
+    assert_equal CKS_RO_PUBLIC_SESSION, session.info.state, "Session should be in logoff state"
+    session.login(:USER, ENV['CRYPTOKI_PIN'] || '1234')
+    assert_equal CKS_RO_USER_FUNCTIONS, session.info.state, "Session should be in USER state"
+
+    @secret_key = session.create_object(
+      :CLASS=>CKO_SECRET_KEY,
+      :KEY_TYPE=>CKK_DES2,
+      :ENCRYPT=>true, :WRAP=>true, :DECRYPT=>true, :UNWRAP=>true, :TOKEN=>false, :DERIVE=>true,
+      :USAGE_COUNT=>0, :EXPORTABLE=>true,
+      :VALUE=>adjust_parity("0123456789abcdef"),
+      :LABEL=>'test_secret_key')
+  end
+
+  def teardown
+    @secret_key.destroy
+    @session.logout
+    @session.close
+  end
+
+  def pk
+    $pkcs11
+  end
+
+  def test_bad_parity
+    assert_raise(ProtectServer::CKR_ET_NOT_ODD_PARITY) do
+      session.create_object(
+        :CLASS=>CKO_SECRET_KEY,
+        :KEY_TYPE=>CKK_DES2,
+        :VALUE=>"0123456789abcdef",
+        :LABEL=>'test_secret_key2')
+    end
+  end
+
+  def test_derive_des_cbc
+    pa = ProtectServer::CK_DES3_CBC_PARAMS.new
+    pa.data = "1"*16
+    pa.iv = "2"*8
+
+    new_key1 = session.derive_key( {ProtectServer::CKM_DES3_DERIVE_CBC => pa}, secret_key,
+      :CLASS=>CKO_SECRET_KEY, :KEY_TYPE=>CKK_DES2, :ENCRYPT=>true, :DECRYPT=>true, :SENSITIVE=>false )
+    assert_not_equal secret_key[:VALUE], new_key1[:VALUE], 'Derived key shouldn\'t have equal key value'
+
+    new_key2 = session.derive_key( {:DES3_DERIVE_CBC => {:data=>"1"*16, :iv=>"2"*16}}, secret_key,
+      :CLASS=>CKO_SECRET_KEY, :KEY_TYPE=>CKK_DES2, :ENCRYPT=>true, :DECRYPT=>true, :SENSITIVE=>false )
+    assert_equal new_key1[:VALUE], new_key2[:VALUE], 'Both derived key should be equal'
+
+    encrypted_key_value = session.encrypt( {:DES3_CBC => "2"*8}, secret_key, "1"*16)
+    encrypted_key_value = adjust_parity(encrypted_key_value)
+    assert_equal new_key1[:VALUE], encrypted_key_value, 'Encrypted data should equal derived key value'
+
+    assert_equal 3, secret_key[:USAGE_COUNT], 'The secret key should be used 3 times'
+  end
+
+
+  def test_attributes
+    assert_equal true, secret_key[:EXPORTABLE], 'CKA_EXTRACTABLE should be usable'
+    secret_key[:EXPORTABLE] = false
+    assert_equal false, secret_key[:EXPORTABLE], 'CKA_EXTRACTABLE should be usable'
+
+    assert_equal 0, secret_key[:USAGE_COUNT], 'CKA_USAGE_COUNT should be usable'
+    secret_key[:USAGE_COUNT] = 5
+    assert_equal 5, secret_key[:USAGE_COUNT], 'CKA_USAGE_COUNT should be usable'
+
+    assert_equal false, secret_key[:IMPORT], 'CKA_IMPORT should default to false'
+    assert_not_nil secret_key.attributes.find{|a| a.type==ProtectServer::CKA_EXPORT}, 'CKA_EXPORT should be returned for Object#attributes'
+  end
+end