diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2019-01-20 23:25:25 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2019-01-21 11:51:54 +1100 |
| commit | 760ae37b4505453c6fa4faf1aa39a8671ab053af (patch) | |
| tree | 9469cf8c2289abe981cc045aa6027adbb1a693fe | |
| parent | b2ce8b31a1f974a13e6d12e0a0c132b50bc45115 (diff) | |
upstream: adapt agent-pkcs11.sh test to softhsm2 and add support
for ECDSA keys
work by markus@, ok djm@
OpenBSD-Regress-ID: 1ebc2be0e88eff1b6d8be2f9c00cdc60723509fe
| -rw-r--r-- | regress/agent-pkcs11.sh | 81 |
1 files changed, 58 insertions, 23 deletions
diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh index db3018b88..34662871f 100644 --- a/regress/agent-pkcs11.sh +++ b/regress/agent-pkcs11.sh | |||
| @@ -1,16 +1,33 @@ | |||
| 1 | # $OpenBSD: agent-pkcs11.sh,v 1.3 2017/04/30 23:34:55 djm Exp $ | 1 | # $OpenBSD: agent-pkcs11.sh,v 1.4 2019/01/20 23:25:25 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="pkcs11 agent test" | 4 | tid="pkcs11 agent test" |
| 5 | 5 | ||
| 6 | TEST_SSH_PIN="" | 6 | TEST_SSH_PIN=1234 |
| 7 | TEST_SSH_PKCS11=/usr/local/lib/soft-pkcs11.so.0.0 | 7 | TEST_SSH_SOPIN=12345678 |
| 8 | TEST_SSH_PKCS11=/usr/local/lib/softhsm/libsofthsm2.so | ||
| 8 | 9 | ||
| 9 | test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist" | 10 | test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist" |
| 10 | 11 | ||
| 11 | # setup environment for soft-pkcs11 token | 12 | # setup environment for softhsm2 token |
| 12 | SOFTPKCS11RC=$OBJ/pkcs11.info | 13 | DIR=$OBJ/SOFTHSM |
| 13 | export SOFTPKCS11RC | 14 | rm -rf $DIR |
| 15 | TOKEN=$DIR/tokendir | ||
| 16 | mkdir -p $TOKEN | ||
| 17 | SOFTHSM2_CONF=$DIR/softhsm2.conf | ||
| 18 | export SOFTHSM2_CONF | ||
| 19 | cat > $SOFTHSM2_CONF << EOF | ||
| 20 | # SoftHSM v2 configuration file | ||
| 21 | directories.tokendir = ${TOKEN} | ||
| 22 | objectstore.backend = file | ||
| 23 | # ERROR, WARNING, INFO, DEBUG | ||
| 24 | log.level = DEBUG | ||
| 25 | # If CKF_REMOVABLE_DEVICE flag should be set | ||
| 26 | slots.removable = false | ||
| 27 | EOF | ||
| 28 | out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN") | ||
| 29 | slot=$(echo -- $out | sed 's/.* //') | ||
| 30 | |||
| 14 | # prevent ssh-agent from calling ssh-askpass | 31 | # prevent ssh-agent from calling ssh-askpass |
| 15 | SSH_ASKPASS=/usr/bin/true | 32 | SSH_ASKPASS=/usr/bin/true |
| 16 | export SSH_ASKPASS | 33 | export SSH_ASKPASS |
| @@ -22,22 +39,29 @@ notty() { | |||
| 22 | if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@" | 39 | if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@" |
| 23 | } | 40 | } |
| 24 | 41 | ||
| 42 | trace "generating keys" | ||
| 43 | RSA=${DIR}/RSA | ||
| 44 | EC=${DIR}/EC | ||
| 45 | openssl genpkey -algorithm rsa > $RSA | ||
| 46 | openssl pkcs8 -nocrypt -in $RSA |\ | ||
| 47 | softhsm2-util --slot "$slot" --label 01 --id 01 --pin "$TEST_SSH_PIN" --import /dev/stdin | ||
| 48 | openssl genpkey \ | ||
| 49 | -genparam \ | ||
| 50 | -algorithm ec \ | ||
| 51 | -pkeyopt ec_paramgen_curve:prime256v1 |\ | ||
| 52 | openssl genpkey \ | ||
| 53 | -paramfile /dev/stdin > $EC | ||
| 54 | openssl pkcs8 -nocrypt -in $EC |\ | ||
| 55 | softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" --import /dev/stdin | ||
| 56 | |||
| 57 | LIBCRYPTO=${OBJ}/../../../../lib/libcrypto/obj | ||
| 58 | |||
| 25 | trace "start agent" | 59 | trace "start agent" |
| 26 | eval `${SSHAGENT} -s` > /dev/null | 60 | eval `LD_LIBRARY_PATH=$LIBCRYPTO ${SSHAGENT} -s` > /dev/null |
| 27 | r=$? | 61 | r=$? |
| 28 | if [ $r -ne 0 ]; then | 62 | if [ $r -ne 0 ]; then |
| 29 | fail "could not start ssh-agent: exit code $r" | 63 | fail "could not start ssh-agent: exit code $r" |
| 30 | else | 64 | else |
| 31 | trace "generating key/cert" | ||
| 32 | rm -f $OBJ/pkcs11.key $OBJ/pkcs11.crt | ||
| 33 | openssl genrsa -out $OBJ/pkcs11.key 2048 > /dev/null 2>&1 | ||
| 34 | chmod 600 $OBJ/pkcs11.key | ||
| 35 | openssl req -key $OBJ/pkcs11.key -new -x509 \ | ||
| 36 | -out $OBJ/pkcs11.crt -text -subj '/CN=pkcs11 test' > /dev/null | ||
| 37 | printf "a\ta\t$OBJ/pkcs11.crt\t$OBJ/pkcs11.key" > $SOFTPKCS11RC | ||
| 38 | # add to authorized keys | ||
| 39 | ${SSHKEYGEN} -y -f $OBJ/pkcs11.key > $OBJ/authorized_keys_$USER | ||
| 40 | |||
| 41 | trace "add pkcs11 key to agent" | 65 | trace "add pkcs11 key to agent" |
| 42 | echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1 | 66 | echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1 |
| 43 | r=$? | 67 | r=$? |
| @@ -52,12 +76,23 @@ else | |||
| 52 | fail "ssh-add -l failed: exit code $r" | 76 | fail "ssh-add -l failed: exit code $r" |
| 53 | fi | 77 | fi |
| 54 | 78 | ||
| 55 | trace "pkcs11 connect via agent" | 79 | for k in $RSA $EC; do |
| 56 | ${SSH} -F $OBJ/ssh_proxy somehost exit 5 | 80 | trace "testing $k" |
| 57 | r=$? | 81 | chmod 600 $k |
| 58 | if [ $r -ne 5 ]; then | 82 | ssh-keygen -y -f $k > $k.pub |
| 59 | fail "ssh connect failed (exit code $r)" | 83 | pub=$(cat $k.pub) |
| 60 | fi | 84 | ${SSHADD} -L | grep -q "$pub" || fail "key $k missing in ssh-add -L" |
| 85 | ${SSHADD} -T $k.pub || fail "ssh-add -T with $k failed" | ||
| 86 | |||
| 87 | # add to authorized keys | ||
| 88 | cat $k.pub > $OBJ/authorized_keys_$USER | ||
| 89 | trace "pkcs11 connect via agent ($k)" | ||
| 90 | ${SSH} -F $OBJ/ssh_proxy somehost exit 5 | ||
| 91 | r=$? | ||
| 92 | if [ $r -ne 5 ]; then | ||
| 93 | fail "ssh connect failed (exit code $r)" | ||
| 94 | fi | ||
| 95 | done | ||
| 61 | 96 | ||
| 62 | trace "remove pkcs11 keys" | 97 | trace "remove pkcs11 keys" |
| 63 | echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1 | 98 | echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1 |