From fa11e82b67378f8044d4a235e5fbe85934983e1f Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Thu, 28 Oct 2021 19:45:19 -0700
Subject: [PATCH] Add tests with extractable property.
---
 kms/pkcs11/pkcs11_test.go | 29 +++++++++++++++++++++++++++--
 kms/pkcs11/setup_test.go | 1 +
 2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/kms/pkcs11/pkcs11_test.go b/kms/pkcs11/pkcs11_test.go
index 6df9b92a..409cfb3f 100644
--- a/kms/pkcs11/pkcs11_test.go
+++ b/kms/pkcs11/pkcs11_test.go
@@ -208,6 +208,16 @@ func TestPKCS11_CreateKey(t *testing.T) {
 SigningKey: testObject,
 },
 }, false},
+ {"default extractable", args{&apiv1.CreateKeyRequest{
+ Name: testObject,
+ Extractable: true,
+ }}, &apiv1.CreateKeyResponse{
+ Name: testObject,
+ PublicKey: &ecdsa.PublicKey{},
+ CreateSignerRequest: apiv1.CreateSignerRequest{
+ SigningKey: testObject,
+ },
+ }, false},
 {"RSA SHA256WithRSA", args{&apiv1.CreateKeyRequest{
 Name: testObject,
 SignatureAlgorithm: apiv1.SHA256WithRSA,
@@ -563,6 +573,7 @@ func TestPKCS11_StoreCertificate(t *testing.T) {
 // Make sure to delete the created certificate
 t.Cleanup(func() {
 k.DeleteCertificate(testObject)
+ k.DeleteCertificate(testObjectAlt)
 })

 type args struct {
@@ -577,6 +588,11 @@ func TestPKCS11_StoreCertificate(t *testing.T) {
 Name: testObject,
 Certificate: cert,
 }}, false},
+ {"ok extractable", args{&apiv1.StoreCertificateRequest{
+ Name: testObjectAlt,
+ Certificate: cert,
+ Extractable: true,
+ }}, false},
 {"fail already exists", args{&apiv1.StoreCertificateRequest{
 Name: testObject,
 Certificate: cert,
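Review bot: The new "default extractable" case in TestPKCS11_CreateKey expects exactly the same response as a request without `Extractable: true`, so from what the hunk shows the table cannot tell a key that was created extractable from one where the flag was silently dropped. Extractability decides whether private key material may leave the token, so this is the property a regression test should pin; at minimum the case should carry a comment such as `// NOTE: only checks that creation succeeds; the extractable attribute of the stored key is not read back.` until a read-back of the attribute is added. The same gap applies to the "ok extractable" case added to TestPKCS11_StoreCertificate in the third hunk, which only checks that no error is returned. The table and the assertion loop lie outside these hunks, so this is inferred from the expected values alone.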
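Review bot: Both `k.DeleteCertificate` calls in the `t.Cleanup` closure drop their returned error, and the one added here targets `testObjectAlt`, which is never stored when the extractable case is skipped on SoftHSM2. A short comment would tell the reader that a failure there is expected, for example `// Best effort: testObjectAlt is not stored when the extractable case is skipped.` The rest of TestPKCS11_StoreCertificate lies outside the hunk.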
@@ -593,13 +609,22 @@ func TestPKCS11_StoreCertificate(t *testing.T) {
 Name: "http:id=7770;object=create-cert",
 Certificate: cert,
 }}, true},
- {"fail ImportCertificateWithLabel", args{&apiv1.StoreCertificateRequest{
- Name: "pkcs11:foo=bar",
+ {"fail missing id", args{&apiv1.StoreCertificateRequest{
+ Name: "pkcs11:object=create-cert",
+ Certificate: cert,
+ }}, true},
+ {"fail missing object", args{&apiv1.StoreCertificateRequest{
+ Name: "pkcs11:id=7770;object=",
 Certificate: cert,
 }}, true},
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
+ if tt.args.req.Extractable {
+ if testModule == "SoftHSM2" {
+ t.Skip("Extractable certificates are not supported on SoftHSM2")
+ }
+ }
 if err := k.StoreCertificate(tt.args.req); (err != nil) != tt.wantErr {
 t.Errorf("PKCS11.StoreCertificate() error = %v, wantErr %v", err, tt.wantErr)
 }
diff --git a/kms/pkcs11/setup_test.go b/kms/pkcs11/setup_test.go
index 8aba2aaa..902d89ac 100644
--- a/kms/pkcs11/setup_test.go
+++ b/kms/pkcs11/setup_test.go
@@ -18,6 +18,7 @@ import (
 var (
 testModule = ""
 testObject = "pkcs11:id=7370;object=test-name"
+ testObjectAlt = "pkcs11:id=7377;object=alt-test-name"
 testObjectByID = "pkcs11:id=7370"
 testObjectByLabel = "pkcs11:object=test-name"
 testKeys = []struct {
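Review bot: The two nested `if` statements guarding the skip inside the `t.Run` closure can be one condition, `if tt.args.req.Extractable && testModule == "SoftHSM2" {`, which removes a level of nesting without changing when the case is skipped. With that skip in place the "ok extractable" case never runs on SoftHSM2, so if that is the module used for automated runs the extractable certificate path has no coverage there; a comment above the skip saying which modules do exercise it would make the gap visible. The closure and the test table start outside the hunk.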