diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0a079b9d..80e7176e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -37,31 +37,45 @@ jobs:
 dnf -y install $dnf_opts \
 git ${{ matrix.compiler }} meson \
 pkgconf-pkg-config openssl-devel openssl \
- diffutils expect valgrind
+ diffutils expect valgrind opensc gnutls-utils
 if [ "${{ matrix.token }}" = "softokn" ]; then
- dnf -y install nss-softokn nss-tools nss-softokn-devel
+ dnf -y install nss-softokn nss-tools nss-softokn-devel \
+ nss-devel
 elif [ "${{ matrix.token }}" = "softhsm" ]; then
- dnf -y install softhsm opensc p11-kit-devel p11-kit-server \
- gnutls-utils
+ dnf -y install softhsm p11-kit-devel
 fi
 elif [ -f /etc/debian_version ]; then
 apt-get -q update
 apt-get -yq install git ${{ matrix.compiler }} meson \
 pkg-config libssl-dev openssl expect \
- valgrind procps
+ valgrind procps opensc gnutls-bin
 if [ "${{ matrix.token }}" = "softokn" ]; then
 apt-get -yq install libnss3 libnss3-tools libnss3-dev
 elif [ "${{ matrix.token }}" = "softhsm" ]; then
- apt-get -yq install softhsm2 opensc p11-kit libp11-kit-dev \
- p11-kit-modules gnutls-bin
+ apt-get -yq install softhsm2 p11-kit libp11-kit-dev \
+ p11-kit-modules
 fi
 fi
+ - name: Check NSS version
+ id: nss-version-check
+ run: |
+ if [ "${{ matrix.name }}" = "centos" ]; then
+ if [ "${{ matrix.token }}" = "softokn" ]; then
+ NSSMINVER=`nss-config --version nss | cut -d '.' -f 2`
+ if [ $NSSMINVER -lt 101 ]; then
+ echo "skiptest=true" >> $GITHUB_OUTPUT
+ fi
+ fi
+ fi
 - name: Checkout Repository
+ if : ( steps.nss-version-check.outputs.skiptest != 'true' )
 uses: actions/checkout@v4
 - name: Setup
+ if : ( steps.nss-version-check.outputs.skiptest != 'true' )
 run: |
 CC=${{ matrix.compiler }} meson setup builddir
 - name: Build and Test
+ if : ( steps.nss-version-check.outputs.skiptest != 'true' )
 run: |
 meson compile -C builddir
 meson test --num-processes 1 -C builddir
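Review bot: The version probe in the new `Check NSS version` step keeps only the second dotted component, so it assumes whatever `nss-config --version nss` prints is always `3.x`; should the major ever change, `cut -d '.' -f 2` yields a small number and the tests are skipped silently, and if the command prints nothing (nss-config missing) `[ $NSSMINVER -lt 101 ]` dies with a "unary operator expected" error instead of a readable message. I would use `$(...)`, fail loudly on an empty value and quote the output path: `NSSMINVER=$(nss-config --version nss | cut -d '.' -f 2)`, `if [ "${NSSMINVER:?nss-config returned no version}" -lt 101 ]; then` and `echo "skiptest=true" >> "$GITHUB_OUTPUT"`. The `if : ( … )` spelling on the three gated steps is accepted by Actions but unusual; `if: steps.nss-version-check.outputs.skiptest != 'true'` is the conventional form, and the same applies to the `@@ -75` hunk below.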
@@ -75,6 +89,7 @@ jobs:
 builddir/tests/tmp.${{ matrix.token }}/testvars
 builddir/tests/tmp.${{ matrix.token }}/openssl.cnf
 - name: Run tests with valgrind
+ if : ( steps.nss-version-check.outputs.skiptest != 'true' )
 run: |
 if [ "${{ matrix.compiler }}" = "gcc" ]; then
 meson test --num-processes 1 -C builddir --setup=valgrind
@@ -103,13 +118,13 @@ jobs:
 brew install \
 meson \
 openssl@3 \
- pkg-config
+ pkg-config \
+ opensc \
+ p11-kit
 if [ "${{ matrix.token }}" = "softokn" ]; then
 brew install nss
 elif [ "${{ matrix.token }}" = "softhsm" ]; then
 brew install \
- opensc \
- p11-kit \
 softhsm
 fi
 - name: Checkout Repository
diff --git a/packaging/pkcs11-provider.spec b/packaging/pkcs11-provider.spec
index 1eccb725..5fe18a8f 100644
--- a/packaging/pkcs11-provider.spec
+++ b/packaging/pkcs11-provider.spec
@@ -29,7 +29,6 @@ BuildRequires: openssl
 BuildRequires: softhsm
 BuildRequires: opensc
 BuildRequires: p11-kit-devel
-BuildRequires: p11-kit-server
 BuildRequires: gnutls-utils
 BuildRequires: xz
 BuildRequires: expect
diff --git a/tests/integration/bind.sh b/tests/integration/bind.sh
index 8b0bbd8e..3a0a152c 100755
--- a/tests/integration/bind.sh
+++ b/tests/integration/bind.sh
@@ -17,7 +17,7 @@ install_dependencies()
 dnf install -y --skip-broken \
 meson \
 p11-kit httpd mod_ssl openssl-devel gnutls-utils nss-tools \
- p11-kit-devel p11-kit-server opensc softhsm-devel procps-ng \
+ p11-kit-devel opensc softhsm-devel procps-ng \
 openssl util-linux bind9-next opensc
 }
diff --git a/tests/integration/httpd.sh b/tests/integration/httpd.sh
index 3fb43478..d4c948ff 100755
--- a/tests/integration/httpd.sh
+++ b/tests/integration/httpd.sh
@@ -19,7 +19,7 @@ install_dependencies()
 dnf install -y --skip-broken \
 meson \
 p11-kit httpd mod_ssl openssl-devel gnutls-utils nss-tools \
- p11-kit-devel p11-kit-server opensc softhsm-devel procps-ng \
+ p11-kit-devel opensc softhsm-devel procps-ng \
 openssl util-linux
 }
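Review bot: The two artifact paths kept as context in the `@@ -75,6 +89,7` hunk, `builddir/tests/tmp.${{ matrix.token }}/testvars` and `builddir/tests/tmp.${{ matrix.token }}/openssl.cnf`, still carry the `tmp.` prefix, but the new `tests/setup.sh` on this page sets `TMPPDIR="${TESTBLDDIR}/${TOKENTYPE}"` where the removed scripts used `${TESTBLDDIR}/tmp.softhsm`, `tmp.softokn` and `tmp.kryoptic`. Unless TESTBLDDIR is defined with that prefix somewhere I cannot see, these paths no longer exist after setup and the step that consumes them (its header is above the hunk) will come up empty. I would change them to `builddir/tests/${{ matrix.token }}/testvars` and `builddir/tests/${{ matrix.token }}/openssl.cnf`, and grep the rest of the workflow and the integration scripts for other `tmp.` references.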
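Review bot: In the bind.sh hunk the `dnf install` command now lists `opensc` twice, once on the changed line `p11-kit-devel opensc softhsm-devel procps-ng \` and again on the unchanged `openssl util-linux bind9-next opensc` right after it. dnf tolerates the duplicate, but since the line is being edited anyway I would drop the trailing one so the package list reads cleanly; the httpd.sh hunk below does not have this duplication. install_dependencies starts above the hunk.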
diff --git a/tests/kryoptic-init.sh b/tests/kryoptic-init.sh
new file mode 100755
index 00000000..0b626d4d
--- /dev/null
+++ b/tests/kryoptic-init.sh
@@ -0,0 +1,42 @@
+#!/bin/bash -e
+# Copyright (C) 2024 Simo Sorce
+# SPDX-License-Identifier: Apache-2.0
+
+title SECTION "Searching for Kryoptic module"
+
+find_kryoptic() {
+ for _lib in "$@" ; do
+ if test -f "$_lib" ; then
+ echo "Using kryoptic path $_lib"
+ P11LIB="$_lib"
+ return
+ fi
+ done
+ echo "skipped: Unable to find kryoptic PKCS#11 library"
+ exit 0
+}
+
+find_kryoptic \
+ "${KRYOPTIC}/target/debug/libkryoptic_pkcs11.so" \
+ "${KRYOPTIC}/target/release/libkryoptic_pkcs11.so" \
+ /usr/local/lib/kryoptic/libkryoptic_pkcs11so \
+ /usr/lib64/pkcs11/libkryoptic_pkcs11.so \
+ /usr/lib/pkcs11/libkryoptic_pkcs11.so \
+ /usr/lib/x86_64-linux-gnu/kryoptic/libkryoptic_pkcs11.so
+
+title LINE "Creating Kyroptic database"
+
+# Kryoptic configuration
+export KRYOPTIC_CONF="$TOKDIR/kryoptic.sql"
+
+export TOKENLABEL="Kryoptic Token"
+export TOKENLABELURI="Kryoptic%20Token"
+
+# init token
+pkcs11-tool --module "${P11LIB}" --init-token \
+ --label "${TOKENLABEL}" --so-pin "${PINVALUE}" 2>&1
+# set user pin
+pkcs11-tool --module "${P11LIB}" --so-pin "${PINVALUE}" \
+ --login --login-type so --init-pin --pin "${PINVALUE}" 2>&1
+
+export TOKENCONFIGVARS="export KRYOPTIC_CONF=$TOKDIR/kryoptic.sql"
diff --git a/tests/meson.build b/tests/meson.build
index ec686512..d4b42285 100644
--- a/tests/meson.build
+++ b/tests/meson.build
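Review bot: The third candidate handed to `find_kryoptic`, `/usr/local/lib/kryoptic/libkryoptic_pkcs11so`, is missing the dot before the extension while the other five end in `.so`, so a library installed under /usr/local is never found and the suite reports itself as skipped; the typo is inherited from the removed setup-kryoptic.sh rather than introduced here, but the new file is the place to fix it: `/usr/local/lib/kryoptic/libkryoptic_pkcs11.so`. Two smaller points: `title LINE "Creating Kyroptic database"` misspells Kryoptic, and because this file is `source`d from setup.sh (see the setup.sh hunk further down) the shebang options are ignored and the `exit 0` inside `find_kryoptic` terminates the whole setup run, which is presumably the intent but deserves a comment above the function such as `# sourced by setup.sh: exiting here skips the whole suite`.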
@@ -30,17 +30,13 @@ if nss_softokn.found()
 endif
 endif
-test_setup = {
- 'setup_softokn': {'suite': 'softokn', 'exe': find_program('setup-softokn.sh')},
- 'setup_softhsm': {'suite': 'softhsm', 'exe': find_program('setup-softhsm.sh')},
- 'setup_kryoptic': {'suite': 'kryoptic', 'exe': find_program('setup-kryoptic.sh')},
-}
-
-foreach name, targs : test_setup
+setup_script=find_program('setup.sh')
+foreach suite : ['softokn', 'softhsm', 'kryoptic']
 test(
- name,
- targs.get('exe'),
- suite: targs.get('suite'),
+ 'setup',
+ setup_script,
+ args: suite,
+ suite: suite,
 env: conf_env,
 is_parallel: false,
 )
diff --git a/tests/openssl.cnf.in b/tests/openssl.cnf.in
index 00b76697..698584b5 100644
--- a/tests/openssl.cnf.in
+++ b/tests/openssl.cnf.in
@@ -22,13 +22,12 @@ activate = 1
 [pkcs11_sect]
 module = @libtoollibs@/pkcs11@SHARED_EXT@
-pkcs11-module-init-args = configDir=@testsblddir@/tmp.softokn/tokens
 pkcs11-module-token-pin = file:@PINFILE@
+##TOKENOPTIONS
 #pkcs11-module-encode-provider-uri-to-pem
 #pkcs11-module-allow-export
 #pkcs11-module-load-behavior
 #pkcs11-module-block-operations
-##QUIRKS
 activate = 1
 ####################################################################
diff --git a/tests/setup-softhsm.sh b/tests/setup-softhsm.sh
deleted file mode 100755
index d647787d..00000000
--- a/tests/setup-softhsm.sh
+++ /dev/null
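Review bot: With the rewritten loop all three setup tests are registered under the bare name `'setup'` and are told apart only by `suite:`, so `meson test --list` and the failure summary show three identical names where the old table gave `setup_softokn`, `setup_softhsm` and `setup_kryoptic`. Meson accepts duplicate names across suites as far as I know, but a derived name keeps the output readable at no cost: `'setup-' + suite,` in place of `'setup',`. The new `setup_script=find_program('setup.sh')` line would also read better with spaces around `=`.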
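Review bot: The `##TOKENOPTIONS` marker that replaces the hard-coded `pkcs11-module-init-args = configDir=@testsblddir@/tmp.softokn/tokens` line moves the per-token settings into a substitution that the setup script must perform; the sed that does it is not in this hunk, and the removed scripts used the same trick for `##QUIRKS`. Because the marker is itself a valid comment, a missed or misspelled substitution produces a config that loads cleanly with no token options at all, and the failure only shows up later in a test that seems unrelated; the setup script should grep the generated openssl.cnf for the literal `##TOKENOPTIONS` and abort if it survived. A comment next to the marker naming its owner, e.g. `# replaced by tests/setup.sh with the token-specific module options`, would also help the next reader.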
@@ -1,480 +0,0 @@ -#!/bin/bash -e -# Copyright (C) 2022 Jakub Jelen -# SPDX-License-Identifier: Apache-2.0 - -source "${TESTSSRCDIR}/helpers.sh" - -if ! command -v softhsm2-util &> /dev/null -then - echo "SoftHSM is is required" - exit 0 -fi - -# On macOS, /usr/bin/certtool is a different program. Both MacPorts and -# Homebrew rename GnuTLS' certtool to gnutls-certtool, so check for that first. -# -# https://github.com/macports/macports-ports/blob/4494b720a4807ddfc18bddf876620a5c6b24ce4f/devel/gnutls/Portfile#L206-L209 -# https://github.com/Homebrew/homebrew-core/blob/83be349adb47980b4046258b74fa8c1e99ca96a3/Formula/gnutls.rb#L56-L58 -if [ "$(uname)" == "Darwin" ]; then - certtool=$(type -p gnutls-certtool) -else - certtool=$(type -p certtool) -fi -if [ -z "$certtool" ]; then - echo "Missing GnuTLS certtool (on macOS, commonly installed as gnutls-certtool)" - exit 0 -fi - -# macOS uses BSD sed, which expects the argument after -i (with a space after -# it!) to be the backup suffix, while GNU sed expects a potential backup suffix -# directly after -i and interprets -i as in-place editing with no -# backup. -# -# Use "${sed_inplace[@]}" to make that work transparently by setting it to the -# arguments required to achieve in-place editing without backups depending on -# the version of sed. -if sed --version 2>/dev/null | grep -q 'GNU sed'; then - sed_inplace=("-i") -else - sed_inplace=("-i" "") -fi - -find_softhsm() { - for _lib in "$@" ; do - if test -f "$_lib" ; then - echo "Using softhsm path $_lib" - P11LIB="$_lib" - return - fi - done - echo "skipped: Unable to find softhsm PKCS#11 library" - exit 0 -} - -title SECTION "Searching for SoftHSM PKCS#11 library" -# Attempt to guess the path to libsofthsm2.so relative to that. This fixes -# auto-detection on platforms such as macOS with MacPorts (and potentially -# Homebrew). -# -# This should never be empty, since we checked for the presence of -# softhsm2-util above and use it below. 
- -# Strip bin/softhsm2-util -softhsm_prefix=$(dirname "$(dirname "$(type -p softhsm2-util)")") - -find_softhsm \ - "$softhsm_prefix/lib64/softhsm/libsofthsm2.so" \ - "$softhsm_prefix/lib/softhsm/libsofthsm2.so" \ - "$softhsm_prefix/lib64/pkcs11/libsofthsm2.so" \ - "$softhsm_prefix/lib/pkcs11/libsofthsm2.so" \ - /usr/local/lib/softhsm/libsofthsm2.so \ - /usr/lib64/pkcs11/libsofthsm2.so \ - /usr/lib/pkcs11/libsofthsm2.so \ - /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so - -title SECTION "Set up testing system" - -TMPPDIR="${TESTBLDDIR}/tmp.softhsm" - -if [ -d "${TMPPDIR}" ]; then - rm -fr "${TMPPDIR}" -fi -mkdir "${TMPPDIR}" - -PINVALUE="12345678" -PINFILE="${TMPPDIR}/pinfile.txt" -echo ${PINVALUE} > "${PINFILE}" - -#RANDOM data -SEEDFILE="${TMPPDIR}/noisefile.bin" -dd if=/dev/urandom of="${SEEDFILE}" bs=2048 count=1 >/dev/null 2>&1 -RAND64FILE="${TMPPDIR}/64krandom.bin" -dd if=/dev/urandom of="${RAND64FILE}" bs=2048 count=32 >/dev/null 2>&1 - -# Create brand new tokens and certs -TOKDIR="$TMPPDIR/tokens" -if [ -d "${TOKDIR}" ]; then - rm -fr "${TOKDIR}" -fi -mkdir "${TOKDIR}" - -# Create SoftHSM configuration file -cat >"$TMPPDIR/softhsm.conf" <> "${TMPPDIR}/cert.cfg" < "$CACRT_PEM" - -# the organization identification is not in the CA -echo 'organization = "PKCS11 Provider"' >> "${TMPPDIR}/cert.cfg" -# the cert_signing_key and "ca" should be only on the CA -sed -e "/^cert_signing_key$/d" -e "/^ca$/d" "${sed_inplace[@]}" "${TMPPDIR}/cert.cfg" - -ca_sign() { - CRT=$1 - LABEL=$2 - CN=$3 - KEYID=$4 - ((SERIAL+=1)) - sed -e "s|cn = .*|cn = $CN|g" \ - -e "s|serial = .*|serial = $SERIAL|g" \ - -e "/^ca$/d" \ - "${sed_inplace[@]}" \ - "${TMPPDIR}/cert.cfg" - "${certtool}" --generate-certificate --outfile="${CRT}.crt" \ - --template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \ - --load-privkey "pkcs11:object=$LABEL;type=private" \ - --load-pubkey "pkcs11:object=$LABEL;type=public" --outder \ - --load-ca-certificate "${CACRT}" --inder \ - 
--load-ca-privkey="pkcs11:object=$CACRTN;type=private" - pkcs11-tool --write-object "${CRT}.crt" --type=cert --id="$KEYID" \ - --label="$LABEL" --module="$P11LIB" - -} - - -# generate RSA key pair and self-signed certificate -KEYID='0001' -URIKEYID="%00%01" -TSTCRT="${TMPPDIR}/testcert" -TSTCRTN="testCert" - -pkcs11-tool --keypairgen --key-type="RSA:2048" --login --pin=$PINVALUE \ - --module="$P11LIB" --label="${TSTCRTN}" --id="$KEYID" -ca_sign "$TSTCRT" $TSTCRTN "My Test Cert" $KEYID - -BASEURIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}" -BASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=file:${PINFILE}" -BASEURI="pkcs11:id=${URIKEYID}" -PUBURI="pkcs11:type=public;id=${URIKEYID}" -PRIURI="pkcs11:type=private;id=${URIKEYID}" -CRTURI="pkcs11:type=cert;object=${TSTCRTN}" - -title LINE "RSA PKCS11 URIS" -echo "${BASEURIWITHPINVALUE}" -echo "${BASEURIWITHPINSOURCE}" -echo "${BASEURI}" -echo "${PUBURI}" -echo "${PRIURI}" -echo "${CRTURI}" -echo "" - -# generate ECC key pair -KEYID='0002' -URIKEYID="%00%02" -ECCRT="${TMPPDIR}/eccert" -ECCRTN="ecCert" - -pkcs11-tool --keypairgen --key-type="EC:secp256r1" --login --pin=$PINVALUE \ - --module="$P11LIB" --label="${ECCRTN}" --id="$KEYID" -ca_sign "$ECCRT" $ECCRTN "My EC Cert" $KEYID - -ECBASEURIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}" -ECBASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=file:${PINFILE}" -ECBASEURI="pkcs11:id=${URIKEYID}" -ECPUBURI="pkcs11:type=public;id=${URIKEYID}" -ECPRIURI="pkcs11:type=private;id=${URIKEYID}" -ECCRTURI="pkcs11:type=cert;object=${ECCRTN}" - -KEYID='0003' -URIKEYID="%00%03" -ECPEERCRT="${TMPPDIR}/ecpeercert" -ECPEERCRTN="ecPeerCert" - -pkcs11-tool --keypairgen --key-type="EC:secp256r1" --login --pin=$PINVALUE \ - --module="$P11LIB" --label="$ECPEERCRTN" --id="$KEYID" -ca_sign "$ECPEERCRT" $ECPEERCRTN "My Peer EC Cert" $KEYID - -ECPEERBASEURIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}" 
-ECPEERBASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=file:${PINFILE}" -ECPEERBASEURI="pkcs11:id=${URIKEYID}" -ECPEERPUBURI="pkcs11:type=public;id=${URIKEYID}" -ECPEERPRIURI="pkcs11:type=private;id=${URIKEYID}" -ECPEERCRTURI="pkcs11:type=cert;object=${ECPEERCRTN}" - -title LINE "EC PKCS11 URIS" -echo "${ECBASEURIWITHPINVALUE}" -echo "${ECBASEURIWITHPINSOURCE}" -echo "${ECBASEURI}" -echo "${ECPUBURI}" -echo "${ECPRIURI}" -echo "${ECCRTURI}" -echo "${ECPEERBASEURIWITHPINVALUE}" -echo "${ECPEERBASEURIWITHPINSOURCE}" -echo "${ECPEERBASEURI}" -echo "${ECPEERPUBURI}" -echo "${ECPEERPRIURI}" -echo "${ECPEERCRTURI}" -echo "" - -# generate ED25519 -KEYID='0004' -URIKEYID="%00%04" -EDCRT="${TMPPDIR}/edcert" -EDCRTN="edCert" - -pkcs11-tool --keypairgen --key-type="EC:edwards25519" --login --pin=$PINVALUE --module="$P11LIB" \ - --label="${EDCRTN}" --id="$KEYID" -ca_sign "$EDCRT" $EDCRTN "My ED25519 Cert" $KEYID - -EDBASEURIWITHPINVALUE="pkcs11:id=${URIKEYID};pin-value=${PINVALUE}" -EDBASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID};pin-source=file:${PINFILE}" -EDBASEURI="pkcs11:id=${URIKEYID}" -EDPUBURI="pkcs11:type=public;id=${URIKEYID}" -EDPRIURI="pkcs11:type=private;id=${URIKEYID}" -EDCRTURI="pkcs11:type=cert;object=${EDCRTN}" - -title LINE "ED25519 PKCS11 URIS" -echo "${EDBASEURIWITHPINVALUE}" -echo "${EDBASEURIWITHPINSOURCE}" -echo "${EDBASEURI}" -echo "${EDPUBURI}" -echo "${EDPRIURI}" -echo "${EDCRTURI}" - - -title PARA "generate RSA key pair, self-signed certificate, remove public key" -KEYID='0005' -URIKEYID="%00%05" -TSTCRT="${TMPPDIR}/testcert2" -TSTCRTN="testCert2" - -pkcs11-tool --keypairgen --key-type="RSA:2048" --login --pin=$PINVALUE \ - --module="$P11LIB" --label="${TSTCRTN}" --id="$KEYID" -ca_sign "$TSTCRT" $TSTCRTN "My Test Cert 2" $KEYID -pkcs11-tool --delete-object --type pubkey --id 0005 --module="$P11LIB" - -BASE2URIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}" -BASE2URIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=${PINFILE}" 
-BASE2URI="pkcs11:id=${URIKEYID}" -PRI2URI="pkcs11:type=private;id=${URIKEYID}" -CRT2URI="pkcs11:type=cert;object=${TSTCRTN}" - -title LINE "RSA2 PKCS11 URIS" -echo "${BASE2URIWITHPINVALUE}" -echo "${BASE2URIWITHPINSOURCE}" -echo "${BASE2URI}" -echo "${PRI2URI}" -echo "${CRT2URI}" -echo "" - -title PARA "generate EC key pair, self-signed certificate, remove public key" -KEYID='0006' -URIKEYID="%00%06" -TSTCRT="${TMPPDIR}/eccert2" -TSTCRTN="ecCert2" - -pkcs11-tool --keypairgen --key-type="EC:secp384r1" --login --pin=$PINVALUE \ - --module="$P11LIB" --label="${TSTCRTN}" --id="$KEYID" -ca_sign "$TSTCRT" $TSTCRTN "My EC Cert 2" $KEYID -pkcs11-tool --delete-object --type pubkey --id 0006 --module="$P11LIB" - -ECBASE2URIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}" -ECBASE2URIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=file${PINFILE}" -ECBASE2URI="pkcs11:id=${URIKEYID}" -ECPRI2URI="pkcs11:type=private;id=${URIKEYID}" -ECCRT2URI="pkcs11:type=cert;object=${TSTCRTN}" - -title LINE "EC2 PKCS11 URIS" -echo "${ECBASE2URIWITHPINVALUE}" -echo "${ECBASE2URIWITHPINSOURCE}" -echo "${ECBASE2URI}" -echo "${ECPRI2URI}" -echo "${ECCRT2URI}" -echo "" - -if [ -f /etc/redhat-release ]; then - title PARA "explicit EC unsupported on Fedora/EL" -else - title PARA "generate explicit EC key pair" - KEYID='0007' - URIKEYID="%00%07" - ECXCRTN="ecExplicitCert" - - pkcs11-tool --write-object="${TESTSSRCDIR}/explicit_ec.key.der" --type=privkey --login --pin=$PINVALUE \ - --module="$P11LIB" --label="${ECXCRTN}" --id="$KEYID" - pkcs11-tool --write-object="${TESTSSRCDIR}/explicit_ec.pub.der" --type=pubkey --login --pin=$PINVALUE \ - --module="$P11LIB" --label="${ECXCRTN}" --id="$KEYID" - - ECXBASEURIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}" - ECXBASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=file:${PINFILE}" - ECXBASEURI="pkcs11:id=${URIKEYID}" - ECXPUBURI="pkcs11:type=public;id=${URIKEYID}" - ECXPRIURI="pkcs11:type=private;id=${URIKEYID}" - - title LINE 
"EXPLICIT EC PKCS11 URIS" - echo "${ECXBASEURI}" - echo "${ECXPUBURI}" - echo "${ECXPRIURI}" - echo "" -fi - -title PARA "generate EC key pair with ALWAYS AUTHENTICATE flag, self-signed certificate" -KEYID='0008' -URIKEYID="%00%08" -TSTCRT="${TMPPDIR}/eccert3" -TSTCRTN="ecCert3" - -pkcs11-tool --keypairgen --key-type="EC:secp521r1" --login --pin=$PINVALUE \ - --module="$P11LIB" --label="${TSTCRTN}" --id="$KEYID" --always-auth -ca_sign "$TSTCRT" $TSTCRTN "My EC Cert 3" $KEYID - -ECBASE3URIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}" -ECBASE3URIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=file:${PINFILE}" -ECBASE3URI="pkcs11:id=${URIKEYID}" -ECPUB3URI="pkcs11:type=public;id=${URIKEYID}" -ECPRI3URI="pkcs11:type=private;id=${URIKEYID}" -ECCRT3URI="pkcs11:type=cert;object=${TSTCRTN}" - -title LINE "EC3 PKCS11 URIS" -echo "${ECBASE3URIWITHPINVALUE}" -echo "${ECBASE3URIWITHPINSOURCE}" -echo "${ECBASE3URI}" -echo "${ECPUB3URI}" -echo "${ECPRI3URI}" -echo "${ECCRT3URI}" -echo "" - -title PARA "Show contents of softhsm token" -echo " ----------------------------------------------------------------------------------------------------" -pkcs11-tool -O --login --pin=$PINVALUE --module="$P11LIB" -echo " ----------------------------------------------------------------------------------------------------" - -title PARA "Output configurations" -OPENSSL_CONF=${TMPPDIR}/openssl.cnf - -title LINE "Generate openssl config file" -sed -e "s|@libtoollibs@|${LIBSPATH}|g" \ - -e "s|@testsblddir@|${TESTBLDDIR}|g" \ - -e "s|@testsdir@|${TMPPDIR}|g" \ - -e "s|@SHARED_EXT@|${SHARED_EXT}|g" \ - -e "s|@PINFILE@|${PINFILE}|g" \ - -e "s|##QUIRKS|pkcs11-module-quirks = no-deinit|g" \ - -e "/pkcs11-module-init-args/d" \ - "${TESTSSRCDIR}/openssl.cnf.in" > "${OPENSSL_CONF}" - -title LINE "Export test variables to ${TMPPDIR}/testvars" -cat >> "${TMPPDIR}/testvars" <> "${TMPPDIR}/testvars" <> "${TMPPDIR}/testvars" < -# SPDX-License-Identifier: Apache-2.0 - -source 
"${TESTSSRCDIR}/helpers.sh" - -if ! command -v certutil &> /dev/null -then - echo "NSS's certutil command is required" - exit 0 -fi - -title SECTION "Set up testing system" - -TMPPDIR="${TESTBLDDIR}/tmp.softokn" -if [ -d "${TMPPDIR}" ]; then - rm -fr "${TMPPDIR}" -fi -mkdir "${TMPPDIR}" - -PINVALUE="12345678" -PINFILE="${TMPPDIR}/pinfile.txt" -echo ${PINVALUE} > "${PINFILE}" - -#RANDOM data -SEEDFILE="${TMPPDIR}/noisefile.bin" -dd if=/dev/urandom of="${SEEDFILE}" bs=2048 count=1 >/dev/null 2>&1 -RAND64FILE="${TMPPDIR}/64krandom.bin" -dd if=/dev/urandom of="${RAND64FILE}" bs=2048 count=32 >/dev/null 2>&1 - -# Create brand new tokens and certs -TOKDIR="$TMPPDIR/tokens" -if [ -d "${TOKDIR}" ]; then - rm -fr "${TOKDIR}" -fi -mkdir "${TOKDIR}" - -SERIAL=0 - -title LINE "Creating new NSS Database" -certutil -N -d "${TOKDIR}" -f "${PINFILE}" - -title LINE "Creating new Self Sign CA" -((SERIAL+=1)) -CACRTN="selfCA" -certutil -S -s "CN=Issuer" -n "${CACRTN}" -x -t "C,C,C" \ - -m "${SERIAL}" -1 -2 -5 --keyUsage certSigning,crlSigning \ - --nsCertType sslCA,smimeCA,objectSigningCA \ - -f "${PINFILE}" -d "${TOKDIR}" -z "${SEEDFILE}" >/dev/null 2>&1 </dev/null 2>&1 -((SERIAL+=1)) -certutil -C -m "${SERIAL}" -i "${TSTCRT}.req" -o "${TSTCRT}.crt" -c selfCA \ - -d "${TOKDIR}" -f "${PINFILE}" >/dev/null 2>&1 -certutil -A -n "${TSTCRTN}" -i "${TSTCRT}.crt" -t "u,u,u" -d "${TOKDIR}" \ - -f "${PINFILE}" >/dev/null 2>&1 - -KEYID=$(certutil -K -d "${TOKDIR}" -f "${PINFILE}" |grep "${TSTCRTN}"| cut -b 15-54) -URIKEYID="" -for (( i=0; i<${#KEYID}; i+=2 )); do - line="${KEYID:$i:2}" - URIKEYID="$URIKEYID%$line" -done - -BASEURIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}" -BASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=file:${PINFILE}" -BASEURI="pkcs11:id=${URIKEYID}" -PUBURI="pkcs11:type=public;id=${URIKEYID}" -PRIURI="pkcs11:type=private;id=${URIKEYID}" -CRTURI="pkcs11:type=cert;object=${TSTCRTN}" - -title LINE "RSA PKCS11 URIS" -echo "${BASEURIWITHPINVALUE}" -echo 
"${BASEURIWITHPINSOURCE}" -echo "${BASEURI}" -echo "${PUBURI}" -echo "${PRIURI}" -echo "${CRTURI}" -echo "" - -# ECC -ECCRT="${TMPPDIR}/eccert" -ECCRTN="ecCert" -title LINE "Creating Certificate request for 'My EC Cert'" -certutil -R -s "CN=My EC Cert, O=PKCS11 Provider" -k ec -q nistp256 \ - -o "${ECCRT}.req" -d "${TOKDIR}" -f "${PINFILE}" -z "${SEEDFILE}" >/dev/null 2>&1 -((SERIAL+=1)) -certutil -C -m "${SERIAL}" -i "${ECCRT}.req" -o "${ECCRT}.crt" -c selfCA \ - -d "${TOKDIR}" -f "${PINFILE}" >/dev/null 2>&1 -certutil -A -n "${ECCRTN}" -i "${ECCRT}.crt" -t "u,u,u" \ - -d "${TOKDIR}" -f "${PINFILE}" >/dev/null 2>&1 - -KEYID=$(certutil -K -d "${TOKDIR}" -f "${PINFILE}" |grep "${ECCRTN}"| cut -b 15-54) -URIKEYID="" -for (( i=0; i<${#KEYID}; i+=2 )); do - line="${KEYID:$i:2}" - URIKEYID="$URIKEYID%$line" -done - -ECBASEURIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}" -ECBASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=file:${PINFILE}" -ECBASEURI="pkcs11:id=${URIKEYID}" -ECPUBURI="pkcs11:type=public;id=${URIKEYID}" -ECPRIURI="pkcs11:type=private;id=${URIKEYID}" -ECCRTURI="pkcs11:type=cert;object=${ECCRTN}" - -title LINE "Creating Certificate request for 'My Peer EC Cert'" -ECPEERCRT="${TMPPDIR}/ecpeercert" -ECPEERCRTN="ecPeerCert" -certutil -R -s "CN=My Peer EC Cert, O=PKCS11 Provider" \ - -k ec -q nistp256 -o "${ECPEERCRT}.req" \ - -d "${TOKDIR}" -f "${PINFILE}" -z "${SEEDFILE}" >/dev/null 2>&1 -((SERIAL+=1)) -certutil -C -m "${SERIAL}" -i "${ECPEERCRT}.req" -o "${ECPEERCRT}.crt" \ - -c selfCA -d "${TOKDIR}" -f "${PINFILE}" >/dev/null 2>&1 -certutil -A -n "${ECPEERCRTN}" -i "${ECPEERCRT}.crt" -t "u,u,u" \ - -d "${TOKDIR}" -f "${PINFILE}" >/dev/null 2>&1 - -KEYID=$(certutil -K -d "${TOKDIR}" -f "${PINFILE}" |grep "${ECPEERCRTN}"| cut -b 15-54) -URIKEYID="" -for (( i=0; i<${#KEYID}; i+=2 )); do - line="${KEYID:$i:2}" - URIKEYID="$URIKEYID%$line" -done - -ECPEERBASEURI="pkcs11:id=${URIKEYID}" -ECPEERPUBURI="pkcs11:type=public;id=${URIKEYID}" 
-ECPEERPRIURI="pkcs11:type=private;id=${URIKEYID}" -ECPEERCRTURI="pkcs11:type=cert;object=${ECPEERCRTN}" - -title LINE "EC PKCS11 URIS" -echo "${ECBASEURIWITHPINVALUE}" -echo "${ECBASEURIWITHPINSOURCE}" -echo "${ECBASEURI}" -echo "${ECPUBURI}" -echo "${ECPRIURI}" -echo "${ECCRTURI}" -echo "${ECPEERBASEURI}" -echo "${ECPEERPUBURI}" -echo "${ECPEERPRIURI}" -echo "${ECPEERCRTURI}" -echo "" - -title PARA "Show contents of softoken" -echo " ----------------------------------------------------------------------------------------------------" -certutil -L -d "${TOKDIR}" -certutil -K -d "${TOKDIR}" -f "${PINFILE}" -echo " ----------------------------------------------------------------------------------------------------" - -title PARA "Output configurations" -OPENSSL_CONF=${TMPPDIR}/openssl.cnf - -title LINE "Generate openssl config file" -sed -e "s|@libtoollibs@|${LIBSPATH}|g" \ - -e "s|@testsblddir@|${TESTBLDDIR}|g" \ - -e "s|@testsdir@|${TMPPDIR}|g" \ - -e "s|@SHARED_EXT@|${SHARED_EXT}|g" \ - -e "s|@PINFILE@|${PINFILE}|g" \ - "${TESTSSRCDIR}/openssl.cnf.in" > "${OPENSSL_CONF}" - -title LINE "Export tests variables to ${TMPPDIR}/testvars" -cat > "${TMPPDIR}/testvars" < # SPDX-License-Identifier: Apache-2.0 source "${TESTSSRCDIR}/helpers.sh" -if ! 
command -v p11tool &> /dev/null
-then
- echo "GnuTLS utils are required"
- exit 0
+if [ $# -ne 1 ]; then
+ echo "Usage setup.sh "
+ exit 1
+fi
+
+TOKENTYPE=$1
+
+# Temporary dir and Token data dir
+TMPPDIR="${TESTBLDDIR}/${TOKENTYPE}"
+TOKDIR="$TMPPDIR/tokens"
+if [ -d "${TMPPDIR}" ]; then
+ rm -fr "${TMPPDIR}"
+fi
+mkdir "${TMPPDIR}"
+mkdir "${TOKDIR}"
+
+PINVALUE="12345678"
+PINFILE="${TMPPDIR}/pinfile.txt"
+echo ${PINVALUE} > "${PINFILE}"
+export GNUTLS_PIN=$PINVALUE
+
+if [ "${TOKENTYPE}" == "softhsm" ]; then
+ source "${TESTSSRCDIR}/softhsm-init.sh"
+elif [ "${TOKENTYPE}" == "softokn" ]; then
+ source "${TESTSSRCDIR}/softokn-init.sh"
+elif [ "${TOKENTYPE}" == "kryoptic" ]; then
+ source "${TESTSSRCDIR}/kryoptic-init.sh"
+else
+ echo "Unknown token type: $1"
+ exit 1
 fi
+#RANDOM data
+SEEDFILE="${TMPPDIR}/noisefile.bin"
+dd if=/dev/urandom of="${SEEDFILE}" bs=2048 count=1 >/dev/null 2>&1
+RAND64FILE="${TMPPDIR}/64krandom.bin"
+dd if=/dev/urandom of="${RAND64FILE}" bs=2048 count=32 >/dev/null 2>&1
+
 # On macOS, /usr/bin/certtool is a different program. Both MacPorts and
 # Homebrew rename GnuTLS' certtool to gnutls-certtool, so check for that first.
 #
@@ -33,74 +65,17 @@ fi
 # Use "${sed_inplace[@]}" to make that work transparently by setting it to the
 # arguments required to achieve in-place editing without backups depending on
 # the version of sed.
-#
 if sed --version 2>/dev/null | grep -q 'GNU sed'; then
 sed_inplace=("-i")
 else
 sed_inplace=("-i" "")
 fi
-title SECTION "Searching for Cryoptic module"
-
-find_kryoptic() {
- for _lib in "$@" ; do
- if test -f "$_lib" ; then
- echo "Using kryoptic path $_lib"
- P11LIB="$_lib"
- return
- fi
- done
- echo "skipped: Unable to find kryoptic PKCS#11 library"
- exit 0
-}
-
-find_kryoptic \
- "${KRYOPTIC}/target/debug/libkryoptic_pkcs11.so" \
- "${KRYOPTIC}/target/release/libkryoptic_pkcs11.so" \
- /usr/local/lib/kryoptic/libkryoptic_pkcs11so \
- /usr/lib64/pkcs11/libkryoptic_pkcs11.so \
- /usr/lib/pkcs11/libkryoptic_pkcs11.so \
- /usr/lib/x86_64-linux-gnu/kryoptic/libkryoptic_pkcs11.so
-
-title SECTION "Set up Kryoptic token"
-
-TMPPDIR="${TESTBLDDIR}/tmp.kryoptic"
-if [ -d "${TMPPDIR}" ]; then
- rm -fr "${TMPPDIR}"
-fi
-mkdir "${TMPPDIR}"
-
-PINVALUE="12345678"
-PINFILE="${TMPPDIR}/pinfile.txt"
-echo ${PINVALUE} > "${PINFILE}"
-
-#RANDOM data
-SEEDFILE="${TMPPDIR}/noisefile.bin"
-dd if=/dev/urandom of="${SEEDFILE}" bs=2048 count=1 >/dev/null 2>&1
-RAND64FILE="${TMPPDIR}/64krandom.bin"
-dd if=/dev/urandom of="${RAND64FILE}" bs=2048 count=32 >/dev/null 2>&1
-
-# Create brand new tokens and certs
-TOKDIR="$TMPPDIR/tokens"
-if [ -d "${TOKDIR}" ]; then
- rm -fr "${TOKDIR}"
-fi
-mkdir "${TOKDIR}"
-
-title LINE "Creating Kyroptic database"
-
-# Kryoptic configuration
-export KRYOPTIC_CONF="$TMPPDIR/tokens/kryoptic.sql"
-# init token
-pkcs11-tool --module "${P11LIB}" --init-token \
- --label "Pkcs11 Provider Tests" --so-pin "${PINVALUE}" 2>&1
-# set user pin
-pkcs11-tool --module "${P11LIB}" --so-pin "${PINVALUE}" \
- --login --login-type so --init-pin --pin "${PINVALUE}" 2>&1
+# NSS uses the second slot for certificates, so we need to provide the token
+# label in the args to 
allow pkcs11-tool to find the right slot
+P11DEFARGS=("--module=${P11LIB}" "--login" "--pin=${PINVALUE}" "--token-label=${TOKENLABEL}")
-P11DEFARGS="--module=${P11LIB} --login --pin=${PINVALUE}"
-
-# General cert configs
+# prepare certtool configuration
 cat >> "${TMPPDIR}/cert.cfg" <&1
 "${certtool}" --generate-self-signed --outfile="${CACRT}" \
 --template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \
- --load-privkey "pkcs11:object=$CACRTN;type=private" \
- --load-pubkey "pkcs11:object=$CACRTN;type=public" --outder 2>&1
-# shellcheck disable=SC2086
-pkcs11-tool ${P11DEFARGS} --write-object "${CACRT}" --type=cert \
+ --load-privkey "pkcs11:object=$CACRTN;token=$TOKENLABELURI;type=private" \
+ --load-pubkey "pkcs11:object=$CACRTN;token=$TOKENLABELURI;type=public" --outder 2>&1
+pkcs11-tool "${P11DEFARGS[@]}" --write-object "${CACRT}" --type=cert \
 --id=$KEYID --label="$CACRTN" 2>&1
+# Serial = 1 is the CA
+SERIAL=2
+
 # convert the DER cert to PEM
 openssl x509 -inform DER -in "$CACRT" -outform PEM > "$CACRT_PEM"
 # the organization identification is not in the CA
 echo 'organization = "PKCS11 Provider"' >> "${TMPPDIR}/cert.cfg"
 # the cert_signing_key and "ca" should be only on the CA
-sed -i -e "/cert_signing_key/d" "${TMPPDIR}/cert.cfg"
-
+sed -e "/^cert_signing_key$/d" -e "/^ca$/d" "${sed_inplace[@]}" "${TMPPDIR}/cert.cfg"
 ca_sign() {
 CRT=$1
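Review bot: `P11DEFARGS` now bakes in `--token-label=${TOKENLABEL}` and every certtool URI in this hunk carries `token=$TOKENLABELURI`, yet nothing in setup.sh checks that the sourced `*-init.sh` actually defined `P11LIB`, `TOKENLABEL` and `TOKENLABELURI` (kryoptic-init.sh on this page does; softhsm-init.sh and softokn-init.sh are not on this page). A missing label yields `--token-label=` and a `token=` URI, and the resulting pkcs11-tool or certtool errors blame the token rather than the unset variable, so I would put `: "${P11LIB:?}" "${TOKENLABEL:?}" "${TOKENLABELURI:?}"` directly above the `P11DEFARGS=(…)` line. The comment `# Serial = 1 is the CA` above `SERIAL=2` is only accurate if `ca_sign` uses SERIAL before incrementing it; if it still does `((SERIAL+=1))` first, as the removed setup-softhsm.sh did, the first issued certificate gets serial 3 and the comment should say so. The CA key generation and the cert.cfg here-document at the top of this hunk did not survive extraction here, and `ca_sign`, which opens at the end of the hunk, continues in the next one.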
@@ -157,23 +126,22 @@ ca_sign() {
 "${TMPPDIR}/cert.cfg"
 "${certtool}" --generate-certificate --outfile="${CRT}.crt" \
 --template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \
- --load-privkey "pkcs11:object=$LABEL;type=private" \
- --load-pubkey "pkcs11:object=$LABEL;type=public" --outder \
+ --load-privkey "pkcs11:object=$LABEL;token=$TOKENLABELURI;type=private" \
+ --load-pubkey "pkcs11:object=$LABEL;token=$TOKENLABELURI;type=public" --outder \
 --load-ca-certificate "${CACRT}" --inder \
- --load-ca-privkey="pkcs11:object=$CACRTN;type=private" 2>&1
-# shellcheck disable=SC2086
- pkcs11-tool ${P11DEFARGS} --write-object "${CRT}.crt" --type=cert \
+ --load-ca-privkey="pkcs11:object=$CACRTN;token=$TOKENLABELURI;type=private"
+ pkcs11-tool "${P11DEFARGS[@]}" --write-object "${CRT}.crt" --type=cert \
 --id="$KEYID" --label="$LABEL" 2>&1
 }
+
 # generate RSA key pair and self-signed certificate
 KEYID='0001'
 URIKEYID="%00%01"
 TSTCRT="${TMPPDIR}/testcert"
 TSTCRTN="testCert"
-# shellcheck disable=SC2086
-pkcs11-tool ${P11DEFARGS} --keypairgen --key-type="RSA:2048" \
+pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="RSA:2048" \
 --label="${TSTCRTN}" --id="$KEYID"
 ca_sign "$TSTCRT" $TSTCRTN "My Test Cert" $KEYID
@@ -199,8 +167,7 @@ URIKEYID="%00%02"
 ECCRT="${TMPPDIR}/eccert"
 ECCRTN="ecCert"
-# shellcheck disable=SC2086
-pkcs11-tool ${P11DEFARGS} --keypairgen --key-type="EC:secp256r1" \
+pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="EC:secp256r1" \
 --label="${ECCRTN}" --id="$KEYID"
 ca_sign "$ECCRT" $ECCRTN "My EC Cert" $KEYID
@@ -216,8 +183,7 @@ URIKEYID="%00%03"
 ECPEERCRT="${TMPPDIR}/ecpeercert"
 ECPEERCRTN="ecPeerCert"
-# shellcheck disable=SC2086
-pkcs11-tool ${P11DEFARGS} --keypairgen --key-type="EC:secp256r1" \
+pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="EC:secp256r1" \
 --label="$ECPEERCRTN" --id="$KEYID"
 ca_sign "$ECPEERCRT" $ECPEERCRTN "My Peer EC Cert" $KEYID
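Review bot: The rewritten `--load-ca-privkey=…` line in `ca_sign` drops the trailing `2>&1` that the removed line carried, so certtool's stderr inside ca_sign is no longer merged into stdout while the CA's `--generate-self-signed` call in the previous hunk and the `pkcs11-tool` call right below still use `2>&1`; if that is not deliberate, restore it as `--load-ca-privkey="pkcs11:object=$CACRTN;token=$TOKENLABELURI;type=private" 2>&1`. The function also still assigns `CRT`, `LABEL`, `CN` and `KEYID` as globals; every caller sets `KEYID` to the same value it passes in, so this happens to be harmless today, but `local` on those four assignments would make the intent explicit. ca_sign starts above this hunk, and the `@@ -199` and `@@ -216` hunks contain only the same array-quoting change.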
@@ -243,31 +209,35 @@ echo "${ECPEERPRIURI}"
 echo "${ECPEERCRTURI}"
 echo ""
-# generate ED25519
-KEYID='0004'
-URIKEYID="%00%04"
-EDCRT="${TMPPDIR}/edcert"
-EDCRTN="edCert"
-
-# shellcheck disable=SC2086
-pkcs11-tool ${P11DEFARGS} --keypairgen --key-type="EC:edwards25519" \
- --label="${EDCRTN}" --id="$KEYID"
-ca_sign "$EDCRT" $EDCRTN "My ED25519 Cert" $KEYID
-
-EDBASEURIWITHPINVALUE="pkcs11:id=${URIKEYID};pin-value=${PINVALUE}"
-EDBASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID};pin-source=file:${PINFILE}"
-EDBASEURI="pkcs11:id=${URIKEYID}"
-EDPUBURI="pkcs11:type=public;id=${URIKEYID}"
-EDPRIURI="pkcs11:type=private;id=${URIKEYID}"
-EDCRTURI="pkcs11:type=cert;object=${EDCRTN}"
-
-title LINE "ED25519 PKCS11 URIS"
-echo "${EDBASEURIWITHPINVALUE}"
-echo "${EDBASEURIWITHPINSOURCE}"
-echo "${EDBASEURI}"
-echo "${EDPUBURI}"
-echo "${EDPRIURI}"
-echo "${EDCRTURI}"
+
+## Softtokn does not support edwrds curves yet
+if [ "${TOKENTYPE}" != "softokn" ]; then
+
+ # generate ED25519
+ KEYID='0004'
+ URIKEYID="%00%04"
+ EDCRT="${TMPPDIR}/edcert"
+ EDCRTN="edCert"
+
+ pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="EC:edwards25519" \
+ --label="${EDCRTN}" --id="$KEYID"
+ ca_sign "$EDCRT" $EDCRTN "My ED25519 Cert" $KEYID
+
+ EDBASEURIWITHPINVALUE="pkcs11:id=${URIKEYID};pin-value=${PINVALUE}"
+ EDBASEURIWITHPINSOURCE="pkcs11:id=${URIKEYID};pin-source=file:${PINFILE}"
+ EDBASEURI="pkcs11:id=${URIKEYID}"
+ EDPUBURI="pkcs11:type=public;id=${URIKEYID}"
+ EDPRIURI="pkcs11:type=private;id=${URIKEYID}"
+ EDCRTURI="pkcs11:type=cert;object=${EDCRTN}"
+
+ title LINE "ED25519 PKCS11 URIS"
+ echo "${EDBASEURIWITHPINVALUE}"
+ echo "${EDBASEURIWITHPINSOURCE}"
+ echo "${EDBASEURI}"
+ echo "${EDPUBURI}"
+ echo "${EDPRIURI}"
+ echo "${EDCRTURI}"
+fi
 # FIXME The pkcs11-tool before OpenSC 0.26 does not support Ed448 so they can
 # not be generated here
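Review bot: Skipping the ED25519 block for softokn leaves `EDBASEURI`, `EDPUBURI`, `EDPRIURI`, `EDCRTURI` and the two pin variants unset in that configuration; if they are still written to the testvars file further down (outside this hunk), consumers get empty values with no hint why, so either guard that export the same way or say so in a comment next to the `if`. The guard comment also has two typos: `## Softtokn does not support edwrds curves yet` should read `## Softokn does not support edwards curves yet`. The re-indented `EDBASEURIWITHPINVALUE` and `EDBASEURIWITHPINSOURCE` lines use `;pin-value=` and `;pin-source=` where every other URI on this page uses the `?` query form; if that is deliberate coverage of the path-attribute spelling, a one-line comment would stop the next reader from "fixing" it. The same unset-variable concern applies to the `ECX*` variables in the `@@ -355` hunk, which adds the softokn skip for explicit EC.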
@@ -278,8 +248,7 @@ echo "${EDCRTURI}" #ED2CRT="${TMPPDIR}/ed2cert" #ED2CRTN="ed2Cert" # -# shellcheck disable=SC2086 -# pkcs11-tool ${P11DEFARGS} --keypairgen --key-type="EC:edwards448" \ +# pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="EC:edwards448" \ # --label="${ED2CRTN}" --id="$KEYID" # ca_sign "$EDCRT" $ED2CRTN "My ED448 Cert" $KEYID # @@ -298,19 +267,16 @@ echo "${EDCRTURI}" # echo "${EDPRIURI}" # echo "${EDCRTURI}" - title PARA "generate RSA key pair, self-signed certificate, remove public key" KEYID='0005' URIKEYID="%00%05" TSTCRT="${TMPPDIR}/testcert2" TSTCRTN="testCert2" -# shellcheck disable=SC2086 -pkcs11-tool ${P11DEFARGS} --keypairgen --key-type="RSA:2048" \ +pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="RSA:2048" \ --label="${TSTCRTN}" --id="$KEYID" ca_sign "$TSTCRT" $TSTCRTN "My Test Cert 2" $KEYID -# shellcheck disable=SC2086 -pkcs11-tool ${P11DEFARGS} --delete-object --type pubkey --id 0005 +pkcs11-tool "${P11DEFARGS[@]}" --delete-object --type pubkey --id 0005 BASE2URIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}" BASE2URIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=${PINFILE}" @@ -332,12 +298,10 @@ URIKEYID="%00%06" TSTCRT="${TMPPDIR}/eccert2" TSTCRTN="ecCert2" -# shellcheck disable=SC2086 -pkcs11-tool ${P11DEFARGS} --keypairgen --key-type="EC:secp384r1" \ +pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="EC:secp384r1" \ --label="${TSTCRTN}" --id="$KEYID" ca_sign "$TSTCRT" $TSTCRTN "My EC Cert 2" $KEYID -# shellcheck disable=SC2086 -pkcs11-tool ${P11DEFARGS} --delete-object --type pubkey --id 0006 +pkcs11-tool "${P11DEFARGS[@]}" --delete-object --type pubkey --id 0006 ECBASE2URIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}" ECBASE2URIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=file${PINFILE}" 
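Review bot: The converted delete line hard-codes the object id, `pkcs11-tool "${P11DEFARGS[@]}" --delete-object --type pubkey --id 0005`, even though `KEYID='0005'` is assigned a few lines above; use `--id "$KEYID"` so a later renumbering cannot silently delete a different public key. `BASE2URIWITHPINSOURCE` passes `pin-source=${PINFILE}` with no `file:` scheme while the Ed25519 block uses `pin-source=file:${PINFILE}`; if the provider accepts both forms, a short comment noting that this variant is deliberate would stop the inconsistency being "fixed" later, and if it does not, this URI is unusable.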
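Review bot: The context line `ECBASE2URIWITHPINSOURCE="pkcs11:id=${URIKEYID}?pin-source=file${PINFILE}"` at the end of this hunk is missing the `:` after `file`, so with an absolute `PINFILE` the provider would see a relative path like `file/tmp/.../pinfile` instead of a `file:` reference; unless the provider tolerates a missing scheme separator, it should read `pin-source=file:${PINFILE}` as in the Ed25519 block. The commit rewrites the adjacent lines but leaves this one as is. Also, `--delete-object --type pubkey --id 0006` hard-codes the id that `KEYID` already holds; `--id "$KEYID"` keeps them in step.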
@@ -355,17 +319,17 @@ echo "" if [ -f /etc/redhat-release ]; then title PARA "explicit EC unsupported on Fedora/EL" +elif [ "${TOKENTYPE}" == "softokn" ]; then + title PARA "explicit EC unsupported with softokn" else title PARA "generate explicit EC key pair" KEYID='0007' URIKEYID="%00%07" ECXCRTN="ecExplicitCert" -# shellcheck disable=SC2086 - pkcs11-tool ${P11DEFARGS} --write-object="${TESTSSRCDIR}/explicit_ec.key.der" --type=privkey \ + pkcs11-tool "${P11DEFARGS[@]}" --write-object="${TESTSSRCDIR}/explicit_ec.key.der" --type=privkey \ --label="${ECXCRTN}" --id="$KEYID" -# shellcheck disable=SC2086 - pkcs11-tool ${P11DEFARGS} --write-object="${TESTSSRCDIR}/explicit_ec.pub.der" --type=pubkey \ + pkcs11-tool "${P11DEFARGS[@]}" --write-object="${TESTSSRCDIR}/explicit_ec.pub.der" --type=pubkey \ --label="${ECXCRTN}" --id="$KEYID" ECXBASEURIWITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}" @@ -387,8 +351,7 @@ URIKEYID="%00%08" TSTCRT="${TMPPDIR}/eccert3" TSTCRTN="ecCert3" -# shellcheck disable=SC2086 -pkcs11-tool ${P11DEFARGS} --keypairgen --key-type="EC:secp521r1" \ +pkcs11-tool "${P11DEFARGS[@]}" --keypairgen --key-type="EC:secp521r1" \ --label="${TSTCRTN}" --id="$KEYID" --always-auth ca_sign "$TSTCRT" $TSTCRTN "My EC Cert 3" $KEYID @@ -408,10 +371,9 @@ echo "${ECPRI3URI}" echo "${ECCRT3URI}" echo "" -title PARA "Show contents of kryoptic token" +title PARA "Show contents of ${TOKENTYPE} token" echo " ----------------------------------------------------------------------------------------------------" -# shellcheck disable=SC2086 -pkcs11-tool ${P11DEFARGS} -O +pkcs11-tool "${P11DEFARGS[@]}" -O echo " ----------------------------------------------------------------------------------------------------" title PARA "Output configurations" 
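Review bot: The new branch uses `elif [ "${TOKENTYPE}" == "softokn" ]; then`, a bash-only comparison inside POSIX `[ ]`, while the rest of the script (e.g. the Ed25519 guard `[ "${TOKENTYPE}" != "softokn" ]`) uses `=`/`!=`; write `[ "${TOKENTYPE}" = "softokn" ]` or switch to `[[ ... ]]` consistently. The title string is the only explanation of the skip, so a reader cannot tell whether the limitation is in softokn itself or in the pkcs11-tool `--write-object` path used to import the explicit-parameter key; a comment naming the actual cause would help — I cannot confirm it from this hunk. The `if` opens at the top of this hunk but its `fi` is after it.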
@@ -423,17 +385,17 @@ sed -e "s|@libtoollibs@|${LIBSPATH}|g" \ -e "s|@testsdir@|${TMPPDIR}|g" \ -e "s|@SHARED_EXT@|${SHARED_EXT}|g" \ -e "s|@PINFILE@|${PINFILE}|g" \ - -e "/pkcs11-module-init-args/d" \ + -e "s|##TOKENOPTIONS|${TOKENOPTIONS}|g" \ "${TESTSSRCDIR}/openssl.cnf.in" > "${OPENSSL_CONF}" title LINE "Export test variables to ${TMPPDIR}/testvars" cat >> "${TMPPDIR}/testvars" <> "${TMPPDIR}/testvars" <> "${TMPPDIR}/testvars" < +# SPDX-License-Identifier: Apache-2.0 + +title SECTION "Searching for SoftHSM PKCS#11 library" + +if ! command -v softhsm2-util &> /dev/null +then + echo "SoftHSM is is required" + exit 0 +fi + +find_softhsm() { + for _lib in "$@" ; do + if test -f "$_lib" ; then + echo "Using softhsm path $_lib" + P11LIB="$_lib" + return + fi + done + echo "skipped: Unable to find softhsm PKCS#11 library" + exit 0 +} + +# Attempt to guess the path to libsofthsm2.so relative to that. This fixes +# auto-detection on platforms such as macOS with MacPorts (and potentially +# Homebrew). +# +# This should never be empty, since we checked for the presence of +# softhsm2-util above and use it below. 
+ +# Strip bin/softhsm2-util +softhsm_prefix=$(dirname "$(dirname "$(type -p softhsm2-util)")") + +find_softhsm \ + "$softhsm_prefix/lib64/softhsm/libsofthsm2.so" \ + "$softhsm_prefix/lib/softhsm/libsofthsm2.so" \ + "$softhsm_prefix/lib64/pkcs11/libsofthsm2.so" \ + "$softhsm_prefix/lib/pkcs11/libsofthsm2.so" \ + /usr/local/lib/softhsm/libsofthsm2.so \ + /usr/lib64/pkcs11/libsofthsm2.so \ + /usr/lib/pkcs11/libsofthsm2.so \ + /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + +export P11LIB + +title SECTION "Set up testing system" + +# Create SoftHSM configuration file +cat >"$TMPPDIR/softhsm.conf" < -# SPDX-License-Identifier: Apache-2.0 - -source "${TESTSSRCDIR}/helpers.sh" - -# p11-kit complains if there is not runtime directory -if [ -z "$XDG_RUNTIME_DIR" ]; then - export XDG_RUNTIME_DIR=$PWD -fi - -if [ "$P11KITCLIENTPATH" = "" ]; then - echo "Missing P11KITCLIENTPATH env variable" - exit 0 -fi - -title PARA "Start the p11-kit server and check if it works" -# shellcheck disable=SC2046 # we want to split these for eval -eval $(p11-kit server --provider "$P11LIB" "pkcs11:") - -# unset OPENSSL_CONF here to avoid automatically loading the provider -# and SoftHSM from pkcs11-tool and crashing during the cleanup again. -OPENSSL_CONF='' pkcs11-tool -O --login --pin="$PINVALUE" --module="$P11KITCLIENTPATH" > /dev/null - -#register clean function to kill p11-kit-server -trap 'cleanup_server p11-kit $P11_KIT_SERVER_PID' EXIT - -#Set up environment variables -export PKCS11_PROVIDER_MODULE="${P11KITCLIENTPATH}" - -"$*" diff --git a/tests/softokn-init.sh b/tests/softokn-init.sh new file mode 100755 index 00000000..a1f430b3 --- /dev/null +++ b/tests/softokn-init.sh 
@@ -0,0 +1,21 @@ +#!/bin/bash -e +# Copyright (C) 2022 Simo Sorce +# SPDX-License-Identifier: Apache-2.0 + +title SECTION "Setup NSS Softokn" + +if ! command -v certutil &> /dev/null +then + echo "NSS's certutil command is required" + exit 0 +fi + +title LINE "Creating new NSS Database" +certutil -N -d "${TOKDIR}" -f "${PINFILE}" + +export P11LIB="${SOFTOKNPATH%%/}/libsoftokn3${SHARED_EXT}" +export NSS_LIB_PARAMS="configDir=${TOKDIR}" + +export TOKENLABEL="NSS Certificate DB" +export TOKENLABELURI="NSS%20Certificate%20DB" +export TOKENCONFIGVARS="export NSS_LIB_PARAMS=configDir=${TOKDIR}" diff --git a/tests/test-wrapper b/tests/test-wrapper index e31332ae..2cc6e615 100755 --- a/tests/test-wrapper +++ b/tests/test-wrapper @@ -14,9 +14,9 @@ NAME=${BNAME%.*} TEST_NAME=${NAME%-*} TOKEN_DRIVER=${NAME#*-} -if [ -f "${TESTBLDDIR}/tmp.${TOKEN_DRIVER}/testvars" ]; then +if [ -f "${TESTBLDDIR}/${TOKEN_DRIVER}/testvars" ]; then # shellcheck source=/dev/null # we do not care about linting this source - source "${TESTBLDDIR}/tmp.${TOKEN_DRIVER}/testvars" + source "${TESTBLDDIR}/${TOKEN_DRIVER}/testvars" else exit 77 # token not configured, skip fi @@ -41,12 +41,6 @@ if [ -f "${TEST_PATH}/t${TEST_NAME}.c" ]; then COMMAND="$CHECKER $COMMAND" fi -for option in "${TEST_PARAMS[@]}"; do - if [[ "$option" == "proxy" ]]; then - COMMAND="${TESTSSRCDIR}/softhsm-proxy.sh $COMMAND" - fi -done - LOGFILE="${TESTBLDDIR}/${TEST_NAME}.${TOKEN_DRIVER}.log" echo "Executing ${COMMAND}"
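Review bot: `export P11LIB="${SOFTOKNPATH%%/}/libsoftokn3${SHARED_EXT}"` is exported without checking that the file exists, unlike the SoftHSM init script in this change which probes candidate paths with `test -f` and skips cleanly; add `[ -f "${P11LIB}" ] || { echo "skipped: libsoftokn3 not found at ${P11LIB}"; exit 0; }` after the export so a wrong `SOFTOKNPATH` produces a skip rather than an obscure module-load failure later. `${SOFTOKNPATH%%/}` strips at most one trailing slash (the pattern `/` matches a single character), so a value ending in `//` still yields a doubled separator; harmless for most loaders, but a comment would prevent someone "fixing" it the wrong way. `TOKENCONFIGVARS="export NSS_LIB_PARAMS=configDir=${TOKDIR}"` embeds `TOKDIR` unquoted into a line that is presumably evaluated as shell later, so a path containing spaces would split the assignment; `"export NSS_LIB_PARAMS='configDir=${TOKDIR}'"` avoids that. `certutil -N -d "${TOKDIR}" -f "${PINFILE}"` reads the PIN from a file rather than argv, which is the right choice; a comment stating that `PINFILE` must already exist when this script runs would document the ordering dependency.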
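Review bot: The testvars path moves from `tmp.${TOKEN_DRIVER}` to `${TOKEN_DRIVER}`, and `TOKEN_DRIVER=${NAME#*-}` strips only up to the first dash, so a test file named `foo-bar-softokn` yields `TOKEN_DRIVER=bar-softokn` and the wrapper quietly exits 77 ("token not configured") instead of failing loudly; `TOKEN_DRIVER=${NAME##*-}` mirrors the `${NAME%-*}` used for `TEST_NAME`. Anything else that still refers to the old `tmp.<token>` directory (artifact collection, cleanup) needs the same rename — that is outside this hunk. Since `source` executes the file's contents, a comment such as `# testvars is generated by the setup script in the build dir; it is trusted shell` would document the assumption behind the shellcheck suppression.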