diff options
Diffstat (limited to 'regress/agent-pkcs11.sh')
-rw-r--r-- | regress/agent-pkcs11.sh | 82 |
1 files changed, 6 insertions, 76 deletions
diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh index 268a70de8..304734f4b 100644 --- a/regress/agent-pkcs11.sh +++ b/regress/agent-pkcs11.sh @@ -1,78 +1,9 @@ -# $OpenBSD: agent-pkcs11.sh,v 1.9 2021/07/25 12:13:03 dtucker Exp $ +# $OpenBSD: agent-pkcs11.sh,v 1.13 2023/10/30 23:00:25 djm Exp $ # Placed in the Public Domain. tid="pkcs11 agent test" -try_token_libs() { - for _lib in "$@" ; do - if test -f "$_lib" ; then - verbose "Using token library $_lib" - TEST_SSH_PKCS11="$_lib" - return - fi - done - echo "skipped: Unable to find PKCS#11 token library" - exit 0 -} - -try_token_libs \ - /usr/local/lib/softhsm/libsofthsm2.so \ - /usr/lib64/pkcs11/libsofthsm2.so \ - /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so - -TEST_SSH_PIN=1234 -TEST_SSH_SOPIN=12345678 -if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then - SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}" - export SSH_PKCS11_HELPER -fi - -test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist" - -# setup environment for softhsm2 token -DIR=$OBJ/SOFTHSM -rm -rf $DIR -TOKEN=$DIR/tokendir -mkdir -p $TOKEN -SOFTHSM2_CONF=$DIR/softhsm2.conf -export SOFTHSM2_CONF -cat > $SOFTHSM2_CONF << EOF -# SoftHSM v2 configuration file -directories.tokendir = ${TOKEN} -objectstore.backend = file -# ERROR, WARNING, INFO, DEBUG -log.level = DEBUG -# If CKF_REMOVABLE_DEVICE flag should be set -slots.removable = false -EOF -out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN") -slot=$(echo -- $out | sed 's/.* //') - -# prevent ssh-agent from calling ssh-askpass -SSH_ASKPASS=/usr/bin/true -export SSH_ASKPASS -unset DISPLAY - -# start command w/o tty, so ssh-add accepts pin from stdin -notty() { - perl -e 'use POSIX; POSIX::setsid(); - if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@" -} - -trace "generating keys" -RSA=${DIR}/RSA -EC=${DIR}/EC -$OPENSSL_BIN genpkey -algorithm rsa > $RSA -$OPENSSL_BIN pkcs8 -nocrypt -in $RSA |\ - softhsm2-util --slot "$slot" --label 01 --id 01 --pin "$TEST_SSH_PIN" --import /dev/stdin -$OPENSSL_BIN genpkey \ - -genparam \ - -algorithm ec \ - -pkeyopt ec_paramgen_curve:prime256v1 |\ - $OPENSSL_BIN genpkey \ - -paramfile /dev/stdin > $EC -$OPENSSL_BIN pkcs8 -nocrypt -in $EC |\ - softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" --import /dev/stdin +p11_setup || skip "No PKCS#11 library found" trace "start agent" eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null @@ -81,7 +12,7 @@ if [ $r -ne 0 ]; then fail "could not start ssh-agent: exit code $r" else trace "add pkcs11 key to agent" - echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1 + p11_ssh_add -s ${TEST_SSH_PKCS11} > /dev/null 2>&1 r=$? if [ $r -ne 0 ]; then fail "ssh-add -s failed: exit code $r" @@ -96,10 +27,9 @@ else for k in $RSA $EC; do trace "testing $k" - chmod 600 $k - ssh-keygen -y -f $k > $k.pub pub=$(cat $k.pub) - ${SSHADD} -L | grep -q "$pub" || fail "key $k missing in ssh-add -L" + ${SSHADD} -L | grep -q "$pub" || \ + fail "key $k missing in ssh-add -L" ${SSHADD} -T $k.pub || fail "ssh-add -T with $k failed" # add to authorized keys @@ -113,7 +43,7 @@ else done trace "remove pkcs11 keys" - echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1 + p11_ssh_add -e ${TEST_SSH_PKCS11} > /dev/null 2>&1 r=$? if [ $r -ne 0 ]; then fail "ssh-add -e failed: exit code $r" |