From f82fa227a52661c37404a6d33bbabf14fed05db0 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Mon, 30 Oct 2023 17:32:00 +0000
Subject: [PATCH] upstream: tidy and refactor PKCS#11 setup code

Replace the use of a perl script to delete the controlling TTY with a SSH_ASKPASS script to directly load the PIN. Move PKCS#11 setup code to functions in anticipation of it being used elsewhere in additional tests. Reduce stdout spam

OpenBSD-Regress-ID: 07705c31de30bab9601a95daf1ee6bef821dd262
---
 regress/agent-pkcs11.sh | 133 ++++++++++++++++++++++------------------
 1 file changed, 72 insertions(+), 61 deletions(-)

diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh
index 7b61a9566..9b9d498a4 100644
--- a/regress/agent-pkcs11.sh
+++ b/regress/agent-pkcs11.sh
@@ -1,42 +1,45 @@
-# $OpenBSD: agent-pkcs11.sh,v 1.11 2023/10/06 03:32:15 djm Exp $
+# $OpenBSD: agent-pkcs11.sh,v 1.12 2023/10/30 17:32:00 djm Exp $
 # Placed in the Public Domain.
 tid="pkcs11 agent test"
-try_token_libs() {
+# Find a PKCS#11 library.
+p11_find_lib() {
+ TEST_SSH_PKCS11=""
 for _lib in "$@" ; do
 if test -f "$_lib" ; then
- verbose "Using token library $_lib"
 TEST_SSH_PKCS11="$_lib"
 return
 fi
 done
- echo "skipped: Unable to find PKCS#11 token library"
- exit 0
 }
-try_token_libs \
- /usr/local/lib/softhsm/libsofthsm2.so \
- /usr/lib64/pkcs11/libsofthsm2.so \
- /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
+# Perform PKCS#11 setup: prepares a softhsm2 token configuration, generated
+# keys and loads them into the virtual token.
+PKCS11_OK=
+export PKCS11_OK
+p11_setup() {
+ p11_find_lib \
+ /usr/local/lib/softhsm/libsofthsm2.so \
+ /usr/lib64/pkcs11/libsofthsm2.so \
+ /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
+ test -z "$TEST_SSH_PKCS11" && return 1
+ verbose "using token library $TEST_SSH_PKCS11"
+ TEST_SSH_PIN=1234
+ TEST_SSH_SOPIN=12345678
+ if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then
+ SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
+ export SSH_PKCS11_HELPER
+ fi
-TEST_SSH_PIN=1234
-TEST_SSH_SOPIN=12345678
-if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then
- SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
- export SSH_PKCS11_HELPER
-fi
-
-test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist"
-
-# setup environment for softhsm2 token
-DIR=$OBJ/SOFTHSM
-rm -rf $DIR
-TOKEN=$DIR/tokendir
-mkdir -p $TOKEN
-SOFTHSM2_CONF=$DIR/softhsm2.conf
-export SOFTHSM2_CONF
-cat > $SOFTHSM2_CONF << EOF
+ # setup environment for softhsm2 token
+ DIR=$OBJ/SOFTHSM
+ rm -rf $DIR
+ TOKEN=$DIR/tokendir
+ mkdir -p $TOKEN
+ SOFTHSM2_CONF=$DIR/softhsm2.conf
+ export SOFTHSM2_CONF
+ cat > $SOFTHSM2_CONF << EOF
 # SoftHSM v2 configuration file
 directories.tokendir = ${TOKEN}
 objectstore.backend = file
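Review bot: `p11_find_lib` reports its result only through `TEST_SSH_PKCS11`; when no path matches, the function falls off the end of the `for` loop and returns 0 exactly as it does in the found case, so its exit status cannot be relied on by the additional callers the commit message anticipates, and the header `# Find a PKCS#11 library.` should say so: `# Find a PKCS#11 library: set TEST_SSH_PKCS11 to the first existing path in "$@" (empty if none); the return status is not meaningful.` The `p11_setup` caller already tests `-z "$TEST_SSH_PKCS11"`, so the behaviour is correct as used here. Separately, `rm -rf $DIR` now lives in a function that may be reused by other tests; `DIR=${OBJ:?}/SOFTHSM` would fail fast if `$OBJ` were ever unset instead of removing `/SOFTHSM`. `p11_setup` continues past the end of this hunk (the heredoc and the rest of its body are in the next hunk).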
@@ -45,40 +48,50 @@ log.level = DEBUG
 # If CKF_REMOVABLE_DEVICE flag should be set
 slots.removable = false
 EOF
-out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")
-slot=$(echo -- $out | sed 's/.* //')
-
-# prevent ssh-agent from calling ssh-askpass
-SSH_ASKPASS=/usr/bin/true
-export SSH_ASKPASS
-unset DISPLAY
-
-# start command w/o tty, so ssh-add accepts pin from stdin
-# XXX could force askpass instead
-notty() {
- perl -e 'use POSIX; POSIX::setsid();
- if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
+ out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")
+ slot=$(echo -- $out | sed 's/.* //')
+ trace "generating keys"
+ # RSA key
+ RSA=${DIR}/RSA
+ RSAP8=${DIR}/RSAP8
+ $OPENSSL_BIN genpkey -algorithm rsa > $RSA 2>/dev/null || \
+ fatal "genpkey RSA fail"
+ $OPENSSL_BIN pkcs8 -nocrypt -in $RSA > $RSAP8 || fatal "pkcs8 RSA fail"
+ softhsm2-util --slot "$slot" --label 01 --id 01 --pin "$TEST_SSH_PIN" \
+ --import $RSAP8 >/dev/null || fatal "softhsm import RSA fail"
+ chmod 600 $RSA
+ ssh-keygen -y -f $RSA > ${RSA}.pub
+ # ECDSA key
+ ECPARAM=${DIR}/ECPARAM
+ EC=${DIR}/EC
+ ECP8=${DIR}/ECP8
+ $OPENSSL_BIN genpkey -genparam -algorithm ec \
+ -pkeyopt ec_paramgen_curve:prime256v1 > $ECPARAM || \
+ fatal "param EC fail"
+ $OPENSSL_BIN genpkey -paramfile $ECPARAM > $EC || \
+ fatal "genpkey EC fail"
+ $OPENSSL_BIN pkcs8 -nocrypt -in $EC > $ECP8 || fatal "pkcs8 EC fail"
+ softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" \
+ --import $ECP8 >/dev/null || fatal "softhsm import EC fail"
+ chmod 600 $EC
+ ssh-keygen -y -f $EC > ${EC}.pub
+ # Prepare askpass script to load PIN.
+ PIN_SH=$DIR/pin.sh
+ cat > $PIN_SH << EOF
+#!/bin/sh
+echo "${TEST_SSH_PIN}"
+EOF
+ chmod 0700 "$PIN_SH"
+ PKCS11_OK=yes
+ return 0
 }
-trace "generating keys"
-RSA=${DIR}/RSA
-RSAP8=${DIR}/RSAP8
-ECPARAM=${DIR}/ECPARAM
-EC=${DIR}/EC
-ECP8=${DIR}/ECP8
-$OPENSSL_BIN genpkey -algorithm rsa > $RSA || fatal "genpkey RSA fail"
-$OPENSSL_BIN pkcs8 -nocrypt -in $RSA > $RSAP8 || fatal "pkcs8 RSA fail"
-softhsm2-util --slot "$slot" --label 01 --id 01 \
- --pin "$TEST_SSH_PIN" --import $RSAP8 || fatal "softhsm import RSA fail"
+# Peforms ssh-add with the right token PIN.
+p11_ssh_add() {
+ env SSH_ASKPASS="$PIN_SH" SSH_ASKPASS_REQUIRE=force ${SSHADD} "$@"
+}
-$OPENSSL_BIN genpkey \
- -genparam \
- -algorithm ec \
- -pkeyopt ec_paramgen_curve:prime256v1 > $ECPARAM || fatal "param EC fail"
-$OPENSSL_BIN genpkey -paramfile $ECPARAM > $EC || fatal "genpkey EC fail"
-$OPENSSL_BIN pkcs8 -nocrypt -in $EC > $ECP8 || fatal "pkcs8 EC fail"
-softhsm2-util --slot "$slot" --label 02 --id 02 \
- --pin "$TEST_SSH_PIN" --import $ECP8 || fatal "softhsm import EC fail"
+p11_setup || skip "No PKCS#11 library found"
 trace "start agent"
 eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
@@ -87,7 +100,7 @@ if [ $r -ne 0 ]; then
 fail "could not start ssh-agent: exit code $r"
 else
 trace "add pkcs11 key to agent"
- echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
+ p11_ssh_add -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
 r=$?
 if [ $r -ne 0 ]; then
 fail "ssh-add -s failed: exit code $r"
@@ -102,8 +115,6 @@ else
 for k in $RSA $EC; do
 trace "testing $k"
- chmod 600 $k
- ssh-keygen -y -f $k > $k.pub
 pub=$(cat $k.pub)
 ${SSHADD} -L | grep -q "$pub" || \
 fail "key $k missing in ssh-add -L"
@@ -120,7 +131,7 @@ else
 done
 trace "remove pkcs11 keys"
- echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
+ p11_ssh_add -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
 r=$?
 if [ $r -ne 0 ]; then
 fail "ssh-add -e failed: exit code $r"
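Review bot: The two `ssh-keygen -y -f $RSA > ${RSA}.pub` and `ssh-keygen -y -f $EC > ${EC}.pub` lines moved into `p11_setup` carry no `|| fatal`, unlike every other generation step around them; if `ssh-keygen -y` fails the `.pub` file is left empty, and the later `pub=$(cat $k.pub); ${SSHADD} -L | grep -q "$pub"` check then matches any line, so the "key missing" test passes vacuously. Append `|| fatal "ssh-keygen -y RSA fail"` and `|| fatal "ssh-keygen -y EC fail"` to those two lines. The askpass script `$PIN_SH` is written under the caller's umask and only afterwards `chmod 0700`, so the PIN is readable per that umask until the chmod runs; the PIN is a fixed test value so this is hygiene rather than exposure, and wrapping the heredoc write as `(umask 077; cat > "$PIN_SH" << EOF ... EOF)` closes the window. The `p11_ssh_add` header has a typo and should read `# Performs ssh-add with the right token PIN.`. `p11_setup` starts in the previous hunk; `p11_ssh_add` and the remaining hunks are complete within this one.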