RepoMirrors/openssh
1
0
Fork 0
mirror of git://anongit.mindrot.org/openssh.git synced 2024-12-18 08:04:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
b560120214
openssh/regress/agent-pkcs11.sh
dtucker@openbsd.org 727ce36c8c upstream: Replace OPENSSL as the variable that points to the 
openssl binary with OPENSSL_BIN.  This will allow us to use the OPENSSL
variable from mk.conf or the make(1) command line indicating if we're
building with our without OpenSSL, and ultimately get the regress tests
working in the OPENSSL=no configuration.

OpenBSD-Regress-ID: 2d788fade3264d7803e5b54cae8875963f688c4e
2021-07-25 22:35:24 +10:00

125 lines
3.2 KiB
Bash
Raw Blame History

# $OpenBSD: agent-pkcs11.sh,v 1.9 2021/07/25 12:13:03 dtucker Exp $
# Placed in the Public Domain.
tid="pkcs11 agent test"
try_token_libs() {
for _lib in "$@" ; do
if test -f "$_lib" ; then
verbose "Using token library $_lib"
TEST_SSH_PKCS11="$_lib"
return
fi
done
echo "skipped: Unable to find PKCS#11 token library"
exit 0
}
try_token_libs \
/usr/local/lib/softhsm/libsofthsm2.so \
/usr/lib64/pkcs11/libsofthsm2.so \
/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
TEST_SSH_PIN=1234
TEST_SSH_SOPIN=12345678
if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then
SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
export SSH_PKCS11_HELPER
fi
test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist"
# setup environment for softhsm2 token
DIR=$OBJ/SOFTHSM
rm -rf $DIR
TOKEN=$DIR/tokendir
mkdir -p $TOKEN
SOFTHSM2_CONF=$DIR/softhsm2.conf
export SOFTHSM2_CONF
cat > $SOFTHSM2_CONF << EOF
# SoftHSM v2 configuration file
directories.tokendir = ${TOKEN}
objectstore.backend = file
# ERROR, WARNING, INFO, DEBUG
log.level = DEBUG
# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false
EOF
out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")
slot=$(echo -- $out | sed 's/.* //')
# prevent ssh-agent from calling ssh-askpass
SSH_ASKPASS=/usr/bin/true
export SSH_ASKPASS
unset DISPLAY
# start command w/o tty, so ssh-add accepts pin from stdin
notty() {
perl -e 'use POSIX; POSIX::setsid();
if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
}
trace "generating keys"
RSA=${DIR}/RSA
EC=${DIR}/EC
$OPENSSL_BIN genpkey -algorithm rsa > $RSA
$OPENSSL_BIN pkcs8 -nocrypt -in $RSA |\
softhsm2-util --slot "$slot" --label 01 --id 01 --pin "$TEST_SSH_PIN" --import /dev/stdin
$OPENSSL_BIN genpkey \
-genparam \
-algorithm ec \
-pkeyopt ec_paramgen_curve:prime256v1 |\
$OPENSSL_BIN genpkey \
-paramfile /dev/stdin > $EC
$OPENSSL_BIN pkcs8 -nocrypt -in $EC |\
softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" --import /dev/stdin
trace "start agent"
eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
r=$?
if [ $r -ne 0 ]; then
fail "could not start ssh-agent: exit code $r"
else
trace "add pkcs11 key to agent"
echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
fail "ssh-add -s failed: exit code $r"
fi
trace "pkcs11 list via agent"
${SSHADD} -l > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
fail "ssh-add -l failed: exit code $r"
fi
for k in $RSA $EC; do
trace "testing $k"
chmod 600 $k
ssh-keygen -y -f $k > $k.pub
pub=$(cat $k.pub)
${SSHADD} -L | grep -q "$pub" || fail "key $k missing in ssh-add -L"
${SSHADD} -T $k.pub || fail "ssh-add -T with $k failed"
# add to authorized keys
cat $k.pub > $OBJ/authorized_keys_$USER
trace "pkcs11 connect via agent ($k)"
${SSH} -F $OBJ/ssh_proxy somehost exit 5
r=$?
if [ $r -ne 5 ]; then
fail "ssh connect failed (exit code $r)"
fi
done
trace "remove pkcs11 keys"
echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
fail "ssh-add -e failed: exit code $r"
fi
trace "kill agent"
${SSHAGENT} -k > /dev/null
fi
Reference in New Issue View Git Blame Copy Permalink