From 9510dc77217872a21e5e1252044c68e7d9333449 Mon Sep 17 00:00:00 2001 From: David Garske Date: Tue, 28 Nov 2023 15:46:51 -0800 Subject: [PATCH] wolfPKCS11 support for using TPM 2.0 module as backend. Uses wolfTPM and supports RSA and ECC. Requires https://github.com/wolfSSL/wolfTPM/pull/311 Added CI testing for wolfPKCS11 with wolfTPM backend and single threaded. --- .github/workflows/build-workflow.yml | 40 +++++- .github/workflows/unit-test.yml | 13 +- README.md | 15 +- configure.ac | 14 ++ src/internal.c | 200 +++++++++++++++++++++++---- tests/pkcs11mtt.c | 22 ++- tests/pkcs11test.c | 31 ++--- 7 files changed, 285 insertions(+), 50 deletions(-) diff --git a/.github/workflows/build-workflow.yml b/.github/workflows/build-workflow.yml index 077b1b0..06505e2 100644 --- a/.github/workflows/build-workflow.yml +++ b/.github/workflows/build-workflow.yml @@ -7,6 +7,10 @@ on: config: required: false type: string + check: + required: false + type: string + default: 'make check' jobs: build: @@ -30,7 +34,7 @@ jobs: - name: wolfssl configure working-directory: ./wolfssl run: | - ./configure --enable-cryptonly --enable-aescfb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt \ + ./configure --enable-cryptocb --enable-aescfb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt \ C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT" - name: wolfssl make install working-directory: ./wolfssl 
@@ -41,6 +45,38 @@ jobs: sudo make install sudo ldconfig +#setup ibmswtpm2 + - uses: actions/checkout@v3 + with: + repository: kgoldman/ibmswtpm2 + path: ibmswtpm2 + - name: ibmswtpm2 make + working-directory: ./ibmswtpm2/src + run: | + make + ./tpm_server & + +#setup wolftpm + - uses: actions/checkout@v3 + with: + repository: wolfssl/wolftpm + path: wolftpm + - name: wolftpm autogen + working-directory: ./wolftpm + run: ./autogen.sh + - name: wolftpm configure + working-directory: ./wolftpm + run: | + ./configure --enable-swtpm + - name: wolftpm make install + working-directory: ./wolftpm + run: make + - name: wolftpm make install + working-directory: ./wolftpm + run: | + sudo make install + sudo ldconfig + #setup wolfPKCS11 - name: wolfpkcs11 autogen run: ./autogen.sh @@ -49,7 +85,7 @@ jobs: - name: wolfpkcs11 make run: make - name: wolfpkcs11 make check - run: make check + run: ${{inputs.check}} - name: wolfpkcs11 make install run: sudo make install - name: wolfpkcs11 make dist diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml index 8bf687e..e42d2a5 100644 --- a/.github/workflows/unit-test.yml +++ b/.github/workflows/unit-test.yml @@ -2,7 +2,7 @@ name: wolfPKCS11 Build Tests on: push: - branches: [ '*' ] + branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] @@ -11,6 +11,17 @@ jobs: defaults_all: uses: ./.github/workflows/build-workflow.yml + single_theaded: + uses: ./.github/workflows/build-workflow.yml + with: + config: --enable-singlethreaded + + tpm: + uses: ./.github/workflows/build-workflow.yml + with: + config: --enable-singlethreaded --enable-wolftpm --disable-dh CFLAGS="-DWOLFPKCS11_TPM_STORE" + check: ./tests/pkcs11test + no_rsa: uses: ./.github/workflows/build-workflow.yml with: diff --git a/README.md b/README.md index 70dc10a..c30bb2b 100644 --- a/README.md +++ b/README.md 
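Review bot: Both new `actions/checkout@v3` steps (`kgoldman/ibmswtpm2` and `wolfssl/wolftpm`) have no `ref:`, so every run builds whatever is on those repositories' default branches, starts `./tpm_server` from it and runs `sudo make install` on the runner. Pinning each to a reviewed commit, e.g. `ref: <pinned-commit-sha>` under `with:`, keeps CI results reproducible and limits what an upstream change can execute here. `./tpm_server &` is also started with no readiness check, so a slow simulator start would only show up later as a TPM init failure in the test step. The first of the two steps named `wolftpm make install` runs plain `make` and would read better as `wolftpm make`.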
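Review bot: The job id `single_theaded` is misspelled and should be `single_threaded:`, since the id is what appears in the checks list. The `tpm` job replaces `make check` with `check: ./tests/pkcs11test`, so the other test programs are never run against the TPM backend. A YAML comment on that line saying why the rest are excluded would stop the gap from being read as coverage.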
@@ -13,7 +13,7 @@ Build wolfSSL: git clone https://github.com/wolfSSL/wolfssl.git cd wolfssl ./autogen.sh -./configure --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT" +./configure --enable-aescfb --enable-cryptocb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT" make make check sudo make install @@ -35,6 +35,18 @@ make check ### Build options and defines +#### TPM support with wolfTPM + +Enables using a TPM for cryptography and keystore. +Tested using `./configure --enable-singlethreaded --enable-wolftpm --disable-dh CFLAGS="-DWOLFPKCS11_TPM_STORE" && make`. + +Note: The TPM does not support DH, so only RSA and ECC are supported. + +##### Define WOLFPKCS11_TPM_STORE + +Use `WOLFPKCS11_TPM_STORE` storing objects in TPM NV. + + #### Define WOLFPKCS11_NO_STORE Disables storage of tokens. @@ -48,6 +60,7 @@ See wolfpkcs11/store.h for prototypes of functions to implement. Sets the private key's label against the public key when generating key pairs. + ## Environment variables ### WOLFPKCS11_TOKEN_PATH diff --git a/configure.ac b/configure.ac index db5fc06..873cc76 100644 --- a/configure.ac +++ b/configure.ac @@ -324,6 +324,20 @@ if test "$enable_shared" = "no"; then AM_CFLAGS="$AM_CFLAGS -DHAVE_PKCS11_STATIC" fi + +AC_ARG_ENABLE([wolftpm], + [AS_HELP_STRING([--enable-wolftpm],[Enable wolfTPM keystore support (default: disabled)])], + [ ENABLED_TPM=$enableval ], + [ ENABLED_TPM=no ] + ) +if test "$ENABLED_TPM" = "yes" +then + LIBS="$LIBS -lwolftpm" + AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_TPM" +fi + + + AM_CONDITIONAL([BUILD_STATIC],[test "x$enable_shared" = "xno"]) diff --git a/src/internal.c b/src/internal.c index bd64d5b..0cef815 100644 --- a/src/internal.c +++ b/src/internal.c 
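Review bot: `--enable-wolftpm` appends `-lwolftpm` to `LIBS` without probing for the library, so a missing or too-old wolfTPM install is only discovered at compile or link time. A probe inside the `if`, in place of the manual `LIBS` line, such as `AC_CHECK_LIB([wolftpm],[wolfTPM2_Init],,[AC_MSG_ERROR([wolfTPM library not found])])`, fails at configure time with a clear message. The README text in this patch gives `--enable-singlethreaded --disable-dh` as the tested configuration and says the TPM has no DH, so configure could also warn when `--enable-wolftpm` is given without them.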
@@ -48,6 +48,17 @@ "--enable-scrypt C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT"` #endif +#ifdef WOLFPKCS11_TPM + #include + + #ifndef WOLFPKCS11_TPM_CUST_IO + #include + #ifndef TPM2_IOCB_CTX + #define TPM2_IOCB_CTX NULL + #endif + #endif +#endif + /* Size of hash calculated from PIN. */ #define PIN_HASH_SZ 32 /* Size of seed used when calculating hash from PIN. */ @@ -102,12 +113,12 @@ /* Disable locking. */ typedef int WP11_Lock; -#define WP11_Lock_Init(l) 0 +#define WP11_Lock_Init(l) ({ 0; }) #define WP11_Lock_Free(l) -#define WP11_Lock_LockRW(l) 0 -#define WP11_Lock_UnlockRW(l) 0 -#define WP11_Lock_LockRO(l) 0 -#define WP11_Lock_UnlockRO(l) 0 +#define WP11_Lock_LockRW(l) ({ 0; }) +#define WP11_Lock_UnlockRW(l) ({ 0; }) +#define WP11_Lock_LockRO(l) ({ 0; }) +#define WP11_Lock_UnlockRO(l) ({ 0; }) #else typedef struct WP11_Lock { @@ -145,6 +156,9 @@ struct WP11_Object { #endif WP11_Data symmKey; /* Symmetric key object */ } data; +#ifdef WOLFPKCS11_TPM + WOLFTPM2_KEYBLOB tpmKey; +#endif CK_KEY_TYPE type; /* Key type of this object */ word32 size; /* Size of the key in bits or bytes */ #ifndef WOLFPKCS11_NO_STORE @@ -272,6 +286,7 @@ struct WP11_Session { #endif } params; + int devId; WP11_Session* next; /* Next session for slot */ }; @@ -307,6 +322,14 @@ struct WP11_Slot { WP11_Token token; /* Token information for slot */ WP11_Session* session; /* Linked list of sessions */ WP11_Lock lock; /* Lock for access to slot info */ + + int devId; +#ifdef WOLFPKCS11_TPM + WOLFTPM2_DEV tpmDev; + WOLFTPM2_KEY tpmSrk; + WOLFTPM2_SESSION tpmSession; + TpmCryptoDevCtx tpmCtx; +#endif }; @@ -464,6 +487,7 @@ static int Rng_New(WC_RNG* baseRng, WP11_Lock* lock, WC_RNG* rng) WP11_Lock_LockRW(lock); ret = wc_RNG_GenerateBlock(baseRng, seed, sizeof(seed)); WP11_Lock_UnlockRW(lock); + (void)lock; if (ret == 0) ret = wc_InitRngNonce_ex(rng, seed, sizeof(seed), NULL, INVALID_DEVID); 
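Review bot: The single-threaded lock stubs now expand to `({ 0; })`, a GNU statement expression that is not ISO C, so `--enable-singlethreaded` builds become GCC/Clang-only and warn under `-pedantic`. The stubs are used both as statements and as values (`ret = WP11_Lock_Init(&slot->lock);` in wp11_Slot_Init), so small `static inline` functions are the portable form, e.g. `static inline int WP11_Lock_LockRW(WP11_Lock* l) { (void)l; return 0; }`, and likewise for the other four. That would also make the `(void)lock;` added to Rng_New in this file unnecessary.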
@@ -501,6 +525,7 @@ static int wp11_Session_New(WP11_Slot* slot, CK_OBJECT_HANDLE handle, sess->slotId = slot->id; sess->slot = slot; sess->handle = handle; + sess->devId = slot->devId; *session = sess; } @@ -1662,7 +1687,7 @@ static int wp11_Object_Decode_EccKey(WP11_Object* object) sizeof(object->iv)); } if (ret == 0) { - ret = wc_ecc_init(&object->data.ecKey); + ret = wc_ecc_init_ex(&object->data.ecKey, NULL, object->slot->devId); } if (ret == 0) { /* Decode ECC private key. */ 
@@ -2967,6 +2992,73 @@ static void wp11_Slot_FreeSession(WP11_Slot* slot, WP11_Session* session) } } + +#ifdef WOLFPKCS11_TPM +static int wp11_TpmInit(WP11_Slot* slot) +{ + int ret; + WOLFTPM2_CAPS caps; + TPM_ALG_ID alg; + + ret = wolfTPM2_Init(&slot->tpmDev, TPM2_IoCb, TPM2_IOCB_CTX); + if (ret == 0) { + /* Get device capabilities + options */ + ret = wolfTPM2_GetCapabilities(&slot->tpmDev, &caps); + } + if (ret == 0) { + printf("Mfg %s (%d), Vendor %s, Fw %u.%u (0x%x), " + "FIPS 140-2 %d, CC-EAL4 %d\n", + caps.mfgStr, caps.mfg, caps.vendorStr, caps.fwVerMajor, + caps.fwVerMinor, caps.fwVerVendor, caps.fips140_2, caps.cc_eal4); + } + if (ret == 0) { + ret = wolfTPM2_SetCryptoDevCb(&slot->tpmDev, wolfTPM2_CryptoDevCb, + &slot->tpmCtx, &slot->devId); + } + if (ret == 0) { + /* Create a primary storage key - no auth needed for param enc to work */ + /* Prefer ECC as its faster */ + #ifdef HAVE_ECC + alg = TPM_ALG_ECC; + #elif !defined(NO_RSA) + alg = TPM_ALG_RSA; + #else + alg = TPM_ALG_NULL; + #endif + ret = wolfTPM2_CreateSRK(&slot->tpmDev, &slot->tpmSrk, alg, NULL, 0); + if (ret == 0) { + /* set values needed for crypto callback */ + slot->tpmCtx.dev = &slot->tpmDev; + slot->tpmCtx.storageKey = &slot->tpmSrk; + + /* Setup a TPM session that can be used for parameter encryption */ + ret = wolfTPM2_StartSession(&slot->tpmDev, &slot->tpmSession, + &slot->tpmSrk, NULL, TPM_SE_HMAC, TPM_ALG_CFB); + } + if (ret != 0) { + printf("TPM Create SRK or Session error %d (%s)!\n", + ret, wolfTPM2_GetRCString(ret)); + } + } + + if (ret != 0) { + printf("TPM Init failed! %d (%s)\n", ret, wolfTPM2_GetRCString(ret)); + } + return ret; +} + +static void wp11_TpmFinal(WP11_Slot* slot) +{ +#ifdef WOLFPKCS11_TPM + wolfTPM2_UnloadHandle(&slot->tpmDev, &slot->tpmSession.handle); + wolfTPM2_UnloadHandle(&slot->tpmDev, &slot->tpmSrk.handle); +#endif + + wolfTPM2_Cleanup(&slot->tpmDev); +} +#endif /* WOLFPKCS11_TPM */ + + /** * Free dynamic memory associated with the slot. * 
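Review bot: `slot->tpmSession` is started in wp11_TpmInit but nothing in this hunk attaches it to the device, so the parameter encryption the comment refers to is not visibly enabled and command parameters would still cross the TPM bus unprotected. After `wolfTPM2_StartSession` succeeds, add a `wolfTPM2_SetAuthSession()` call on `slot->tpmDev` with the encrypt/decrypt session attributes, or remove the session until it is used. The unconditional `printf` calls write TPM capabilities and error text to the host application's stdout from inside a PKCS#11 library and belong behind a debug-only build option. When a step after `wolfTPM2_Init` fails, the function returns without `wolfTPM2_Cleanup` or unloading the SRK; whether the caller runs wp11_Slot_Final in that case is not visible here. The inner `#ifdef WOLFPKCS11_TPM` in wp11_TpmFinal is redundant because the whole function is already inside one.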
@@ -2974,9 +3066,13 @@ static void wp11_Slot_FreeSession(WP11_Slot* slot, WP11_Session* session) */ static void wp11_Slot_Final(WP11_Slot* slot) { + if (slot == NULL) return; while (slot->session != NULL) wp11_Slot_FreeSession(slot, slot->session); wp11_Token_Final(&slot->token); +#ifdef WOLFPKCS11_TPM + wp11_TpmFinal(slot); +#endif WP11_Lock_Free(&slot->lock); } @@ -3001,6 +3097,11 @@ static int wp11_Slot_Init(WP11_Slot* slot, int id) ret = WP11_Lock_Init(&slot->lock); if (ret == 0) { + #ifdef WOLFPKCS11_TPM + if (ret == 0) { + ret = wp11_TpmInit(slot); + } + #endif /* Create the minimum number of unused sessions. */ for (i = 0; ret == 0 && i < WP11_SESSION_CNT_MIN; i++) ret = wp11_Slot_AddSession(slot, &curr); @@ -4544,6 +4645,10 @@ void WP11_Session_FindFinal(WP11_Session* session) */ void WP11_Object_Free(WP11_Object* object) { +#ifdef WOLFPKCS11_TPM + wolfTPM2_UnloadHandle(&object->slot->tpmDev, &object->tpmKey.handle); +#endif + /* Release dynamic memory. */ if (object->label != NULL) XFREE(object->label, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -4650,7 +4755,7 @@ int WP11_Object_SetRsaKey(WP11_Object* object, unsigned char** data, WP11_Lock_LockRW(object->lock); key = &object->data.rsaKey; - ret = wc_InitRsaKey_ex(key, NULL, INVALID_DEVID); + ret = wc_InitRsaKey_ex(key, NULL, object->slot->devId); if (ret == 0) { ret = SetMPI(&key->n, data[0], (int)len[0]); if (ret == 0) @@ -4681,6 +4786,15 @@ int WP11_Object_SetRsaKey(WP11_Object* object, unsigned char** data, key->type = RSA_PRIVATE; } } + #ifdef WOLFPKCS11_TPM + if (ret == 0 && key->type == RSA_PRIVATE) { + /* load private key - populates handle */ + object->slot->tpmCtx.rsaKey = (WOLFTPM2_KEY*)&object->tpmKey; + ret = wolfTPM2_RsaKey_WolfToTpm_ex(&object->slot->tpmDev, + &object->slot->tpmSrk, &object->data.rsaKey, + (WOLFTPM2_KEY*)&object->tpmKey); + } + #endif if (ret != 0) wc_FreeRsaKey(key); 
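Review bot: `slot->devId` is only assigned inside wp11_TpmInit (through `wolfTPM2_SetCryptoDevCb(..., &slot->devId)`), so in a build without WOLFPKCS11_TPM nothing in the hunks shown sets it, yet other hunks now pass `object->slot->devId` to `wc_InitRsaKey_ex` and `wc_ecc_init_ex` where `INVALID_DEVID` was passed before. If the slot is zero-filled before this point (not visible here), those keys are bound to device id 0 instead of `INVALID_DEVID`; add `slot->devId = INVALID_DEVID;` ahead of the `#ifdef WOLFPKCS11_TPM` block. The inner `if (ret == 0)` around `wp11_TpmInit(slot)` repeats the enclosing condition and can be dropped. wp11_Slot_Init starts and ends outside the hunk.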
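Review bot: `object->slot->tpmCtx.rsaKey` is a single pointer per slot, and the WP11_Object_SetRsaKey hunk repoints it at each private key object as it is loaded, so with more than one RSA private key on a slot the crypto callback presumably operates on whichever key was set last rather than the one the caller selected. The same pattern appears in the WP11_Object_SetEcKey, WP11_Rsa_GenerateKeyPair and WP11_Ec_GenerateKeyPair hunks. WP11_Object_Free unloads `object->tpmKey.handle` without clearing a `tpmCtx` pointer that may still reference that object, which leaves the slot holding a dangling pointer after the object is released. Selecting the key per operation (set the context pointer immediately before each private-key operation, under the slot lock) and resetting it to NULL in WP11_Object_Free when it matches would close both cases. The assignment is currently made under `object->lock` only, which matters as soon as this is built without `--enable-singlethreaded`.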
@@ -4828,7 +4942,7 @@ int WP11_Object_SetEcKey(WP11_Object* object, unsigned char** data, WP11_Lock_LockRW(object->lock); key = &object->data.ecKey; - ret = wc_ecc_init_ex(key, NULL, INVALID_DEVID); + ret = wc_ecc_init_ex(key, NULL, object->slot->devId); if (ret == 0) { if (ret == 0 && data[0] != NULL) ret = EcSetParams(key, data[0], (int)len[0]); @@ -4843,6 +4957,16 @@ int WP11_Object_SetEcKey(WP11_Object* object, unsigned char** data, key->type = ECC_PUBLICKEY; ret = EcSetPoint(key, data[2], (int)len[2]); } + #ifdef WOLFPKCS11_TPM + if (ret == 0 && + (key->type == ECC_PRIVATEKEY_ONLY || key->type == ECC_PRIVATEKEY)) { + /* load private key */ + object->slot->tpmCtx.eccKey = (WOLFTPM2_KEY*)&object->tpmKey; + ret = wolfTPM2_EccKey_WolfToTpm_ex(&object->slot->tpmDev, + &object->slot->tpmSrk, &object->data.ecKey, + (WOLFTPM2_KEY*)&object->tpmKey); + } + #endif if (ret != 0) wc_ecc_free(key); @@ -5960,7 +6084,7 @@ int WP11_Rsa_ParsePrivKey(byte* data, word32 dataLen, WP11_Object* privKey) int ret = 0; word32 idx = 0; - ret = wc_InitRsaKey(&privKey->data.rsaKey, NULL); + ret = wc_InitRsaKey_ex(&privKey->data.rsaKey, NULL, privKey->slot->devId); if (ret == 0) { ret = wc_RsaPrivateKeyDecode(data, &idx, &privKey->data.rsaKey, dataLen); } @@ -5983,7 +6107,7 @@ int WP11_Rsa_PrivKey2PubKey(WP11_Object* privKey, WP11_Object* pubKey, int ret; word32 idx = 0; - ret = wc_InitRsaKey(&pubKey->data.rsaKey, NULL); + ret = wc_InitRsaKey_ex(&pubKey->data.rsaKey, NULL, pubKey->slot->devId); if (ret == 0) { ret = wc_RsaKeyToPublicDer(&privKey->data.rsaKey, workbuf, worksz); if (ret >= 0) { 
@@ -6041,8 +6165,19 @@ int WP11_Rsa_GenerateKeyPair(WP11_Object* pub, WP11_Object* priv,
 if (ret == 0) {
 ret = Rng_New(&slot->token.rng, &slot->token.rngLock, &rng);
 if (ret == 0) {
- /* Generate into the private key. */
- ret = wc_MakeRsaKey(&priv->data.rsaKey, pub->size, e, &rng);
+ ret = wc_InitRsaKey_ex(&priv->data.rsaKey, NULL, priv->slot->devId);
+ if (ret == 0) {
+ #ifdef WOLFPKCS11_TPM
+ priv->slot->tpmCtx.rsaKeyGen = &priv->tpmKey;
+ priv->slot->tpmCtx.rsaKey = (WOLFTPM2_KEY*)&priv->tpmKey;
+ #endif
+
+ /* Generate into the private key. */
+ ret = wc_MakeRsaKey(&priv->data.rsaKey, pub->size, e, &rng);
+ if (ret != 0) {
+ wc_FreeRsaKey(&priv->data.rsaKey);
+ }
+ }
 Rng_Free(&rng);
 }
 }
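Review bot: The added `wc_InitRsaKey_ex(&priv->data.rsaKey, NULL, priv->slot->devId)` initialises a key that the pre-patch code passed straight to `wc_MakeRsaKey`, which suggests the key is already initialised before this point; confirm it is not initialised twice, since a second init over a live key discards its state without freeing it. The new failure path calls `wc_FreeRsaKey(&priv->data.rsaKey)`, so the object's normal teardown must not free the same key a second time. A short comment above the init, such as `/* re-bind the key to the slot's device id so key generation goes through the crypto callback */`, would record why it sits here. WP11_Rsa_GenerateKeyPair starts and ends outside the hunk.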
@@ -6635,21 +6770,38 @@ int WP11_Ec_GenerateKeyPair(WP11_Object* pub, WP11_Object* priv, int ret = 0; WC_RNG rng; - /* Copy parameters from public key into private key. */ - priv->data.ecKey.dp = pub->data.ecKey.dp; - - /* Generate into the private key. */ - ret = Rng_New(&slot->token.rng, &slot->token.rngLock, &rng); + ret = wc_ecc_init_ex(&priv->data.ecKey, NULL, priv->slot->devId); if (ret == 0) { - ret = wc_ecc_make_key(&rng, priv->data.ecKey.dp->size, - &priv->data.ecKey); - Rng_Free(&rng); - } - if (ret == 0) { - /* Copy the public part into public key. */ - ret = wc_ecc_copy_point(&priv->data.ecKey.pubkey, + #ifdef WOLFPKCS11_TPM + CK_BBOOL isSign = CK_FALSE; + CK_ULONG len = sizeof(isSign); + ret = WP11_Object_GetAttr(priv, CKA_SIGN, &isSign, &len); + if (isSign) + priv->slot->tpmCtx.eccKey = (WOLFTPM2_KEY*)&priv->tpmKey; + else + priv->slot->tpmCtx.ecdhKey = (WOLFTPM2_KEY*)&priv->tpmKey; + #endif + + /* Copy parameters from public key into private key. */ + priv->data.ecKey.dp = pub->data.ecKey.dp; + + /* Generate into the private key. */ + ret = Rng_New(&slot->token.rng, &slot->token.rngLock, &rng); + if (ret == 0) { + ret = wc_ecc_make_key_ex(&rng, priv->data.ecKey.dp->size, + &priv->data.ecKey, priv->data.ecKey.dp->id); + Rng_Free(&rng); + } + if (ret == 0) { + /* Copy the public part into public key. */ + ret = wc_ecc_copy_point(&priv->data.ecKey.pubkey, &pub->data.ecKey.pubkey); + } + if (ret != 0) { + wc_ecc_free(&priv->data.ecKey); + } } + if (ret == 0) { priv->data.ecKey.type = ECC_PRIVATEKEY; pub->data.ecKey.type = ECC_PUBLICKEY; diff --git a/tests/pkcs11mtt.c b/tests/pkcs11mtt.c index be864f9..97c31e0 100644 --- a/tests/pkcs11mtt.c +++ b/tests/pkcs11mtt.c @@ -28,9 +28,12 @@ #endif #include -#include - #include + +#include + +#ifdef _POSIX_THREADS +#include #include #define TEST_MULTITHREADED 
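Review bot: In WP11_Ec_GenerateKeyPair the result of `WP11_Object_GetAttr(priv, CKA_SIGN, &isSign, &len)` is stored in `ret` and then overwritten by `ret = Rng_New(...)` a few lines later, so a failed attribute lookup is silently dropped and `isSign` stays `CK_FALSE`, routing the new key to `tpmCtx.ecdhKey`. Guard the following steps on it, e.g. `if (ret == 0) ret = Rng_New(&slot->token.rng, &slot->token.rngLock, &rng);`, so the existing `if (ret != 0) wc_ecc_free(...)` path handles the error. `wc_ecc_init_ex` is also newly called on `priv->data.ecKey` here, where the old code only assigned `dp`; confirm the key was not already initialised before this function runs. The function starts and ends outside the hunk.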
@@ -5686,7 +5689,7 @@ static CK_RV test_hmac_fail(CK_SESSION_HANDLE session, CK_MECHANISM* mech, mech->pParameter = data; ret = funcList->C_SignInit(session, mech, key); CHECK_CKR_FAIL(ret, CKR_MECHANISM_PARAM_INVALID, - "HMAC Sign Init bad parametere"); + "HMAC Sign Init bad parameter"); mech->pParameter = NULL; } if (ret == CKR_OK) { @@ -5707,7 +5710,7 @@ static CK_RV test_hmac_fail(CK_SESSION_HANDLE session, CK_MECHANISM* mech, mech->pParameter = data; ret = funcList->C_VerifyInit(session, mech, key); CHECK_CKR_FAIL(ret, CKR_MECHANISM_PARAM_INVALID, - "HMAC Verify Init bad parametere"); + "HMAC Verify Init bad parameter"); mech->pParameter = NULL; } if (ret == CKR_OK) { @@ -6596,3 +6599,14 @@ int main(int argc, char* argv[]) return ret; } +#else + +int main(int argc, char* argv[]) +{ + (void)argc; + (void)argv; + fprintf(stderr, "%s: multi-threaded example not compiled in!\n", argv[0]); + return 0; +} + +#endif /* _POSIX_THREADS */ diff --git a/tests/pkcs11test.c b/tests/pkcs11test.c index 1c22c3c..f05bfbc 100644 --- a/tests/pkcs11test.c +++ b/tests/pkcs11test.c @@ -3824,6 +3824,7 @@ static CK_RV test_rsa_fixed_keys_store_token(void* args) { CK_SESSION_HANDLE session = *(CK_SESSION_HANDLE*)args; CK_RV ret; + CK_SESSION_HANDLE sessionRO = CK_INVALID_HANDLE; CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE; CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE; unsigned char* privId = (unsigned char *)"123rsafixedpriv"; 
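Review bot: The fallback `main` added to tests/pkcs11mtt.c for builds without `_POSIX_THREADS` returns 0, so if this program is part of `make check` it is reported as passed although no test ran. Returning 77 lets the automake test harness record it as skipped: `return 77; /* automake: test skipped */`. `(void)argv;` is immediately followed by a use of `argv[0]`, so that cast is redundant and only `(void)argc;` is needed.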
@@ -3835,26 +3836,21 @@ static CK_RV test_rsa_fixed_keys_store_token(void* args) if (ret == CKR_OK) ret = get_rsa_pub_key(session, pubId, pubIdLen, &pub); - return ret; -} - -static CK_RV test_rsa_token_keys_raw(void* args) -{ - CK_SESSION_HANDLE session = *(CK_SESSION_HANDLE*)args; - CK_RV ret; - CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE; - CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE; - unsigned char* privId = (unsigned char *)"123rsafixedpriv"; - int privIdLen = (int)strlen((char*)privId); - unsigned char* pubId = (unsigned char *)"123rsafixedpub"; - int pubIdLen = (int)strlen((char*)pubId); - - ret = find_rsa_priv_key(session, &priv, privId, privIdLen); + if (ret == CKR_OK) { + ret = funcList->C_OpenSession(slot, CKF_SERIAL_SESSION, NULL, NULL, + &sessionRO); + CHECK_CKR(ret, "Open Session read only"); + } + if (ret == CKR_OK) + ret = find_rsa_priv_key(session, &priv, privId, privIdLen); if (ret == CKR_OK) ret = find_rsa_pub_key(session, &pub, pubId, pubIdLen); if (ret == CKR_OK) ret = rsa_raw_test(session, priv, pub); + funcList->C_CloseSession(sessionRO); + funcList->C_DestroyObject(session, pub); + funcList->C_DestroyObject(session, priv); return ret; } @@ -7120,7 +7116,7 @@ static CK_RV test_hmac_fail(CK_SESSION_HANDLE session, CK_MECHANISM* mech, mech->pParameter = data; ret = funcList->C_SignInit(session, mech, key); CHECK_CKR_FAIL(ret, CKR_MECHANISM_PARAM_INVALID, - "HMAC Sign Init bad parametere"); + "HMAC Sign Init bad parameter"); mech->pParameter = NULL; } if (ret == CKR_OK) { @@ -7141,7 +7137,7 @@ static CK_RV test_hmac_fail(CK_SESSION_HANDLE session, CK_MECHANISM* mech, mech->pParameter = data; ret = funcList->C_VerifyInit(session, mech, key); CHECK_CKR_FAIL(ret, CKR_MECHANISM_PARAM_INVALID, - "HMAC Verify Init bad parametere"); + "HMAC Verify Init bad parameter"); mech->pParameter = NULL; } if (ret == CKR_OK) { 
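Review bot: `sessionRO` is opened and closed in test_rsa_fixed_keys_store_token but never passed to anything: `find_rsa_priv_key`, `find_rsa_pub_key` and `rsa_raw_test` all still receive `session`, so the merged test does not check that the stored token keys are reachable from a second session. If that was the intent of opening it, pass `sessionRO` to those three calls; otherwise drop the extra session. The cleanup at the end runs unconditionally, so after an early failure `C_CloseSession` and `C_DestroyObject` are called with `CK_INVALID_HANDLE` and their return values are ignored; guarding each on a valid handle keeps a failing run's output readable. The function begins in the previous hunk.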
@@ -7701,7 +7697,6 @@ static TEST_FUNC testFunc[] = {
 PKCS11TEST_FUNC_SESS_DECL(test_rsa_fixed_keys_pss),
 #endif
 PKCS11TEST_FUNC_SESS_DECL(test_rsa_fixed_keys_store_token),
- PKCS11TEST_FUNC_SESS_DECL(test_rsa_token_keys_raw),
 PKCS11TEST_FUNC_SESS_DECL(test_rsa_x_509_fail),
 PKCS11TEST_FUNC_SESS_DECL(test_rsa_pkcs_encdec_fail),
 #ifndef WC_NO_RSA_OAEP