1 files changed, 75 insertions, 22 deletions
diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh
index db3018b88..5205d9067 100644
--- a/regress/agent-pkcs11.sh
+++ b/regress/agent-pkcs11.sh
@@ -1,16 +1,53 @@
-#       $OpenBSD: agent-pkcs11.sh,v 1.3 2017/04/30 23:34:55 djm Exp $
+#       $OpenBSD: agent-pkcs11.sh,v 1.6 2019/01/21 09:13:41 djm Exp $
 #       Placed in the Public Domain.
 tid="pkcs11 agent test"
-TEST_SSH_PIN=""
+try_token_libs() {
-TEST_SSH_PKCS11=/usr/local/lib/soft-pkcs11.so.0.0
+        for _lib in "$@" ; do
+                if test -f "$_lib" ; then
+                        verbose "Using token library $_lib"
+                        TEST_SSH_PKCS11="$_lib"
+                        return
+                fi
+        done
+        echo "skipped: Unable to find PKCS#11 token library"
+        exit 0
+}
+try_token_libs \
+        /usr/local/lib/softhsm/libsofthsm2.so \
+        /usr/lib64/pkcs11/libsofthsm2.so \
+        /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
+TEST_SSH_PIN=1234
+TEST_SSH_SOPIN=12345678
+if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then
+        SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
+        export SSH_PKCS11_HELPER
+fi
 test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist"
-# setup environment for soft-pkcs11 token
+# setup environment for softhsm2 token
-SOFTPKCS11RC=$OBJ/pkcs11.info
+DIR=$OBJ/SOFTHSM
-export SOFTPKCS11RC
+rm -rf $DIR
+TOKEN=$DIR/tokendir
+mkdir -p $TOKEN
+SOFTHSM2_CONF=$DIR/softhsm2.conf
+export SOFTHSM2_CONF
+cat > $SOFTHSM2_CONF << EOF
+# SoftHSM v2 configuration file
+directories.tokendir = ${TOKEN}
+objectstore.backend = file
+# ERROR, WARNING, INFO, DEBUG
+log.level = DEBUG
+# If CKF_REMOVABLE_DEVICE flag should be set
+slots.removable = false
+EOF
+out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")
+slot=$(echo -- $out | sed 's/.* //')
 # prevent ssh-agent from calling ssh-askpass
 SSH_ASKPASS=/usr/bin/true
 export SSH_ASKPASS
@@ -22,22 +59,27 @@ notty() {
            if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
 }
+trace "generating keys"
+RSA=${DIR}/RSA
+EC=${DIR}/EC
+openssl genpkey -algorithm rsa > $RSA
+openssl pkcs8 -nocrypt -in $RSA |\
+    softhsm2-util --slot "$slot" --label 01 --id 01 --pin "$TEST_SSH_PIN" --import /dev/stdin
+openssl genpkey \
+    -genparam \
+    -algorithm ec \
+    -pkeyopt ec_paramgen_curve:prime256v1 |\
+    openssl genpkey \
+    -paramfile /dev/stdin > $EC
+openssl pkcs8 -nocrypt -in $EC |\
+    softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" --import /dev/stdin
 trace "start agent"
 eval `${SSHAGENT} -s` > /dev/null
 r=$?
 if [ $r -ne 0 ]; then
        fail "could not start ssh-agent: exit code $r"
 else
-        trace "generating key/cert"
-        rm -f $OBJ/pkcs11.key $OBJ/pkcs11.crt
-        openssl genrsa -out $OBJ/pkcs11.key 2048 > /dev/null 2>&1
-        chmod 600 $OBJ/pkcs11.key 
-        openssl req -key $OBJ/pkcs11.key -new -x509 \
-            -out $OBJ/pkcs11.crt -text -subj '/CN=pkcs11 test' > /dev/null
-        printf "a\ta\t$OBJ/pkcs11.crt\t$OBJ/pkcs11.key" > $SOFTPKCS11RC
-        # add to authorized keys
-        ${SSHKEYGEN} -y -f $OBJ/pkcs11.key > $OBJ/authorized_keys_$USER
        trace "add pkcs11 key to agent"
        echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
        r=$?
@@ -52,12 +94,23 @@ else
                fail "ssh-add -l failed: exit code $r"
        fi
-        trace "pkcs11 connect via agent"
+        for k in $RSA $EC; do
-        ${SSH} -F $OBJ/ssh_proxy somehost exit 5
+                trace "testing $k"
-        r=$?
+                chmod 600 $k
-        if [ $r -ne 5 ]; then
+                ssh-keygen -y -f $k > $k.pub
-                fail "ssh connect failed (exit code $r)"
+                pub=$(cat $k.pub)
-        fi
+                ${SSHADD} -L | grep -q "$pub" || fail "key $k missing in ssh-add -L"
+                ${SSHADD} -T $k.pub || fail "ssh-add -T with $k failed"
+                # add to authorized keys
+                cat $k.pub > $OBJ/authorized_keys_$USER
+                trace "pkcs11 connect via agent ($k)"
+                ${SSH} -F $OBJ/ssh_proxy somehost exit 5
+                r=$?
+                if [ $r -ne 5 ]; then
+                        fail "ssh connect failed (exit code $r)"
+                fi
+        done
        trace "remove pkcs11 keys"
        echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1

diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh index db3018b88..5205d9067 100644 --- a/regress/agent-pkcs11.sh +++ b/regress/agent-pkcs11.sh
@@ -1,16 +1,53 @@
1	# $OpenBSD: agent-pkcs11.sh,v 1.3 2017/04/30 23:34:55 djm Exp $	1	# $OpenBSD: agent-pkcs11.sh,v 1.6 2019/01/21 09:13:41 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="pkcs11 agent test"	4	tid="pkcs11 agent test"
5		5
6	TEST_SSH_PIN=""	6	try_token_libs() {
7	TEST_SSH_PKCS11=/usr/local/lib/soft-pkcs11.so.0.0	7	for _lib in "$@" ; do
		8	if test -f "$_lib" ; then
		9	verbose "Using token library $_lib"
		10	TEST_SSH_PKCS11="$_lib"
		11	return
		12	fi
		13	done
		14	echo "skipped: Unable to find PKCS#11 token library"
		15	exit 0
		16	}
		17
		18	try_token_libs \
		19	/usr/local/lib/softhsm/libsofthsm2.so \
		20	/usr/lib64/pkcs11/libsofthsm2.so \
		21	/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
		22
		23	TEST_SSH_PIN=1234
		24	TEST_SSH_SOPIN=12345678
		25	if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then
		26	SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
		27	export SSH_PKCS11_HELPER
		28	fi
8		29
9	test -f "$TEST_SSH_PKCS11" \|\| fatal "$TEST_SSH_PKCS11 does not exist"	30	test -f "$TEST_SSH_PKCS11" \|\| fatal "$TEST_SSH_PKCS11 does not exist"
10		31
11	# setup environment for soft-pkcs11 token	32	# setup environment for softhsm2 token
12	SOFTPKCS11RC=$OBJ/pkcs11.info	33	DIR=$OBJ/SOFTHSM
13	export SOFTPKCS11RC	34	rm -rf $DIR
		35	TOKEN=$DIR/tokendir
		36	mkdir -p $TOKEN
		37	SOFTHSM2_CONF=$DIR/softhsm2.conf
		38	export SOFTHSM2_CONF
		39	cat > $SOFTHSM2_CONF << EOF
		40	# SoftHSM v2 configuration file
		41	directories.tokendir = ${TOKEN}
		42	objectstore.backend = file
		43	# ERROR, WARNING, INFO, DEBUG
		44	log.level = DEBUG
		45	# If CKF_REMOVABLE_DEVICE flag should be set
		46	slots.removable = false
		47	EOF
		48	out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")
		49	slot=$(echo -- $out \| sed 's/.* //')
		50
14	# prevent ssh-agent from calling ssh-askpass	51	# prevent ssh-agent from calling ssh-askpass
15	SSH_ASKPASS=/usr/bin/true	52	SSH_ASKPASS=/usr/bin/true
16	export SSH_ASKPASS	53	export SSH_ASKPASS
@@ -22,22 +59,27 @@ notty() {
22	if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"	59	if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
23	}	60	}
24		61
		62	trace "generating keys"
		63	RSA=${DIR}/RSA
		64	EC=${DIR}/EC
		65	openssl genpkey -algorithm rsa > $RSA
		66	openssl pkcs8 -nocrypt -in $RSA \|\
		67	softhsm2-util --slot "$slot" --label 01 --id 01 --pin "$TEST_SSH_PIN" --import /dev/stdin
		68	openssl genpkey \
		69	-genparam \
		70	-algorithm ec \
		71	-pkeyopt ec_paramgen_curve:prime256v1 \|\
		72	openssl genpkey \
		73	-paramfile /dev/stdin > $EC
		74	openssl pkcs8 -nocrypt -in $EC \|\
		75	softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" --import /dev/stdin
		76
25	trace "start agent"	77	trace "start agent"
26	eval `${SSHAGENT} -s` > /dev/null	78	eval `${SSHAGENT} -s` > /dev/null
27	r=$?	79	r=$?
28	if [ $r -ne 0 ]; then	80	if [ $r -ne 0 ]; then
29	fail "could not start ssh-agent: exit code $r"	81	fail "could not start ssh-agent: exit code $r"
30	else	82	else
31	trace "generating key/cert"
32	rm -f $OBJ/pkcs11.key $OBJ/pkcs11.crt
33	openssl genrsa -out $OBJ/pkcs11.key 2048 > /dev/null 2>&1
34	chmod 600 $OBJ/pkcs11.key
35	openssl req -key $OBJ/pkcs11.key -new -x509 \
36	-out $OBJ/pkcs11.crt -text -subj '/CN=pkcs11 test' > /dev/null
37	printf "a\ta\t$OBJ/pkcs11.crt\t$OBJ/pkcs11.key" > $SOFTPKCS11RC
38	# add to authorized keys
39	${SSHKEYGEN} -y -f $OBJ/pkcs11.key > $OBJ/authorized_keys_$USER
40
41	trace "add pkcs11 key to agent"	83	trace "add pkcs11 key to agent"
42	echo ${TEST_SSH_PIN} \| notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1	84	echo ${TEST_SSH_PIN} \| notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
43	r=$?	85	r=$?
@@ -52,12 +94,23 @@ else
52	fail "ssh-add -l failed: exit code $r"	94	fail "ssh-add -l failed: exit code $r"
53	fi	95	fi
54		96
55	trace "pkcs11 connect via agent"	97	for k in $RSA $EC; do
56	${SSH} -F $OBJ/ssh_proxy somehost exit 5	98	trace "testing $k"
57	r=$?	99	chmod 600 $k
58	if [ $r -ne 5 ]; then	100	ssh-keygen -y -f $k > $k.pub
59	fail "ssh connect failed (exit code $r)"	101	pub=$(cat $k.pub)
60	fi	102	${SSHADD} -L \| grep -q "$pub" \|\| fail "key $k missing in ssh-add -L"
		103	${SSHADD} -T $k.pub \|\| fail "ssh-add -T with $k failed"
		104
		105	# add to authorized keys
		106	cat $k.pub > $OBJ/authorized_keys_$USER
		107	trace "pkcs11 connect via agent ($k)"
		108	${SSH} -F $OBJ/ssh_proxy somehost exit 5
		109	r=$?
		110	if [ $r -ne 5 ]; then
		111	fail "ssh connect failed (exit code $r)"
		112	fi
		113	done
61		114
62	trace "remove pkcs11 keys"	115	trace "remove pkcs11 keys"
63	echo ${TEST_SSH_PIN} \| notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1	116	echo ${TEST_SSH_PIN} \| notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1