openssh-portable/regress/agent-pkcs11.sh

#	$OpenBSD: agent-pkcs11.sh,v 1.11 2023/10/06 03:32:15 djm Exp $
#	Placed in the Public Domain.

tid="pkcs11 agent test"

try_token_libs() {
	for _lib in "$@" ; do
		if test -f "$_lib" ; then
			verbose "Using token library $_lib"
			TEST_SSH_PKCS11="$_lib"
			return
		fi
	done
	echo "skipped: Unable to find PKCS#11 token library"
	exit 0
}

try_token_libs \
	/usr/local/lib/softhsm/libsofthsm2.so \
	/usr/lib64/pkcs11/libsofthsm2.so \
	/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so

TEST_SSH_PIN=1234
TEST_SSH_SOPIN=12345678
if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then
	SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
	export SSH_PKCS11_HELPER
fi

test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist"

# setup environment for softhsm2 token
DIR=$OBJ/SOFTHSM
rm -rf $DIR
TOKEN=$DIR/tokendir
mkdir -p $TOKEN
SOFTHSM2_CONF=$DIR/softhsm2.conf
export SOFTHSM2_CONF
cat > $SOFTHSM2_CONF << EOF
# SoftHSM v2 configuration file
directories.tokendir = ${TOKEN}
objectstore.backend = file
# ERROR, WARNING, INFO, DEBUG
log.level = DEBUG
# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false
EOF
out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")
slot=$(echo -- $out | sed 's/.* //')

# prevent ssh-agent from calling ssh-askpass
SSH_ASKPASS=/usr/bin/true
export SSH_ASKPASS
unset DISPLAY

# start command w/o tty, so ssh-add accepts pin from stdin
# XXX could force askpass instead
notty() {
	perl -e 'use POSIX; POSIX::setsid(); 
	    if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
}

trace "generating keys"
RSA=${DIR}/RSA
RSAP8=${DIR}/RSAP8
ECPARAM=${DIR}/ECPARAM
EC=${DIR}/EC
ECP8=${DIR}/ECP8
$OPENSSL_BIN genpkey -algorithm rsa > $RSA || fatal "genpkey RSA fail"
$OPENSSL_BIN pkcs8 -nocrypt -in $RSA > $RSAP8 || fatal "pkcs8 RSA fail"
softhsm2-util --slot "$slot" --label 01 --id 01 \
    --pin "$TEST_SSH_PIN" --import $RSAP8 || fatal "softhsm import RSA fail"

$OPENSSL_BIN genpkey \
    -genparam \
    -algorithm ec \
    -pkeyopt ec_paramgen_curve:prime256v1 > $ECPARAM || fatal "param EC fail"
$OPENSSL_BIN genpkey -paramfile $ECPARAM > $EC || fatal "genpkey EC fail"
$OPENSSL_BIN pkcs8 -nocrypt -in $EC > $ECP8 || fatal "pkcs8 EC fail"
softhsm2-util --slot "$slot" --label 02 --id 02 \
    --pin "$TEST_SSH_PIN" --import $ECP8 || fatal "softhsm import EC fail"

trace "start agent"
eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
r=$?
if [ $r -ne 0 ]; then
	fail "could not start ssh-agent: exit code $r"
else
	trace "add pkcs11 key to agent"
	echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
	r=$?
	if [ $r -ne 0 ]; then
		fail "ssh-add -s failed: exit code $r"
	fi

	trace "pkcs11 list via agent"
	${SSHADD} -l > /dev/null 2>&1
	r=$?
	if [ $r -ne 0 ]; then
		fail "ssh-add -l failed: exit code $r"
	fi

	for k in $RSA $EC; do
		trace "testing $k"
		chmod 600 $k
		ssh-keygen -y -f $k > $k.pub
		pub=$(cat $k.pub)
		${SSHADD} -L | grep -q "$pub" || \
			fail "key $k missing in ssh-add -L"
		${SSHADD} -T $k.pub || fail "ssh-add -T with $k failed"

		# add to authorized keys
		cat $k.pub > $OBJ/authorized_keys_$USER
		trace "pkcs11 connect via agent ($k)"
		${SSH} -F $OBJ/ssh_proxy somehost exit 5
		r=$?
		if [ $r -ne 5 ]; then
			fail "ssh connect failed (exit code $r)"
		fi
	done

	trace "remove pkcs11 keys"
	echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
	r=$?
	if [ $r -ne 0 ]; then
		fail "ssh-add -e failed: exit code $r"
	fi

	trace "kill agent"
	${SSHAGENT} -k > /dev/null
fi
upstream: typo in error message OpenBSD-Regress-ID: 6a8edf0dc39941298e3780b147b10c0a600b4fee 2023-10-06 05:32:15 +02:00			`# $OpenBSD: agent-pkcs11.sh,v 1.11 2023/10/06 03:32:15 djm Exp $`
- markus@cvs.openbsd.org 2010/02/08 10:52:47 [regress/agent-pkcs11.sh] test for PKCS#11 support (currently disabled) 2010-02-24 07:31:20 +01:00			`# Placed in the Public Domain.`

			`tid="pkcs11 agent test"`

make agent-pkcs11 search harder for softhsm2.so 2019-01-21 02:31:29 +01:00			`try_token_libs() {`
			`for _lib in "$@" ; do`
			`if test -f "$_lib" ; then`
			`verbose "Using token library $_lib"`
			`TEST_SSH_PKCS11="$_lib"`
			`return`
			`fi`
			`done`
			`echo "skipped: Unable to find PKCS#11 token library"`
			`exit 0`
			`}`

			`try_token_libs \`
			`/usr/local/lib/softhsm/libsofthsm2.so \`
Adjust softhsm2 path on Fedora Linux for regress The SoftHSM lives in Fedora in /usr/lib64/pkcs11/libsofthsm2.so 2019-03-29 12:29:41 +01:00			`/usr/lib64/pkcs11/libsofthsm2.so \`
make agent-pkcs11 search harder for softhsm2.so 2019-01-21 02:31:29 +01:00			`/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so`

upstream: adapt agent-pkcs11.sh test to softhsm2 and add support for ECDSA keys work by markus@, ok djm@ OpenBSD-Regress-ID: 1ebc2be0e88eff1b6d8be2f9c00cdc60723509fe 2019-01-21 00:25:25 +01:00			`TEST_SSH_PIN=1234`
			`TEST_SSH_SOPIN=12345678`
upstream: allow override of ssh-pkcs11-helper binary via $TEST_SSH_SSHPKCS11HELPER from markus@ OpenBSD-Regress-ID: 7382a3d76746f5a792d106912a5819fd5e49e469 2019-01-21 00:26:44 +01:00			`if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then`
			`SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"`
			`export SSH_PKCS11_HELPER`
			`fi`
- markus@cvs.openbsd.org 2010/02/08 10:52:47 [regress/agent-pkcs11.sh] test for PKCS#11 support (currently disabled) 2010-02-24 07:31:20 +01:00
upstream commit fatal if soft-PKCS11 library is missing rather (rather than continue and fail with a more cryptic error) 2015-01-12 12:46:32 +01:00			`test -f "$TEST_SSH_PKCS11" \|\| fatal "$TEST_SSH_PKCS11 does not exist"`

upstream: adapt agent-pkcs11.sh test to softhsm2 and add support for ECDSA keys work by markus@, ok djm@ OpenBSD-Regress-ID: 1ebc2be0e88eff1b6d8be2f9c00cdc60723509fe 2019-01-21 00:25:25 +01:00			`# setup environment for softhsm2 token`
			`DIR=$OBJ/SOFTHSM`
			`rm -rf $DIR`
			`TOKEN=$DIR/tokendir`
			`mkdir -p $TOKEN`
			`SOFTHSM2_CONF=$DIR/softhsm2.conf`
			`export SOFTHSM2_CONF`
			`cat > $SOFTHSM2_CONF << EOF`
			`# SoftHSM v2 configuration file`
			`directories.tokendir = ${TOKEN}`
			`objectstore.backend = file`
			`# ERROR, WARNING, INFO, DEBUG`
			`log.level = DEBUG`
			`# If CKF_REMOVABLE_DEVICE flag should be set`
			`slots.removable = false`
			`EOF`
			`out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")`
			`slot=$(echo -- $out \| sed 's/.* //')`

- markus@cvs.openbsd.org 2010/02/08 10:52:47 [regress/agent-pkcs11.sh] test for PKCS#11 support (currently disabled) 2010-02-24 07:31:20 +01:00			`# prevent ssh-agent from calling ssh-askpass`
			`SSH_ASKPASS=/usr/bin/true`
			`export SSH_ASKPASS`
			`unset DISPLAY`

			`# start command w/o tty, so ssh-add accepts pin from stdin`
upstream: Perform the softhsm2 setup as discrete steps rather than as a long shell pipeline. Makes it easier to figure out what has happened when it breaks. OpenBSD-Regress-ID: b3f1292115fed65765d0a95414df16e27772d81c 2023-10-06 05:25:14 +02:00			`# XXX could force askpass instead`
- markus@cvs.openbsd.org 2010/02/08 10:52:47 [regress/agent-pkcs11.sh] test for PKCS#11 support (currently disabled) 2010-02-24 07:31:20 +01:00			`notty() {`
			`perl -e 'use POSIX; POSIX::setsid();`
			`if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"`
			`}`

upstream: adapt agent-pkcs11.sh test to softhsm2 and add support for ECDSA keys work by markus@, ok djm@ OpenBSD-Regress-ID: 1ebc2be0e88eff1b6d8be2f9c00cdc60723509fe 2019-01-21 00:25:25 +01:00			`trace "generating keys"`
			`RSA=${DIR}/RSA`
upstream: Perform the softhsm2 setup as discrete steps rather than as a long shell pipeline. Makes it easier to figure out what has happened when it breaks. OpenBSD-Regress-ID: b3f1292115fed65765d0a95414df16e27772d81c 2023-10-06 05:25:14 +02:00			`RSAP8=${DIR}/RSAP8`
			`ECPARAM=${DIR}/ECPARAM`
upstream: adapt agent-pkcs11.sh test to softhsm2 and add support for ECDSA keys work by markus@, ok djm@ OpenBSD-Regress-ID: 1ebc2be0e88eff1b6d8be2f9c00cdc60723509fe 2019-01-21 00:25:25 +01:00			`EC=${DIR}/EC`
upstream: Perform the softhsm2 setup as discrete steps rather than as a long shell pipeline. Makes it easier to figure out what has happened when it breaks. OpenBSD-Regress-ID: b3f1292115fed65765d0a95414df16e27772d81c 2023-10-06 05:25:14 +02:00			`ECP8=${DIR}/ECP8`
			`$OPENSSL_BIN genpkey -algorithm rsa > $RSA \|\| fatal "genpkey RSA fail"`
			`$OPENSSL_BIN pkcs8 -nocrypt -in $RSA > $RSAP8 \|\| fatal "pkcs8 RSA fail"`
			`softhsm2-util --slot "$slot" --label 01 --id 01 \`
			`--pin "$TEST_SSH_PIN" --import $RSAP8 \|\| fatal "softhsm import RSA fail"`

upstream: Replace OPENSSL as the variable that points to the openssl binary with OPENSSL_BIN. This will allow us to use the OPENSSL variable from mk.conf or the make(1) command line indicating if we're building with our without OpenSSL, and ultimately get the regress tests working in the OPENSSL=no configuration. OpenBSD-Regress-ID: 2d788fade3264d7803e5b54cae8875963f688c4e 2021-07-25 14:13:03 +02:00			`$OPENSSL_BIN genpkey \`
upstream: adapt agent-pkcs11.sh test to softhsm2 and add support for ECDSA keys work by markus@, ok djm@ OpenBSD-Regress-ID: 1ebc2be0e88eff1b6d8be2f9c00cdc60723509fe 2019-01-21 00:25:25 +01:00			`-genparam \`
			`-algorithm ec \`
upstream: Perform the softhsm2 setup as discrete steps rather than as a long shell pipeline. Makes it easier to figure out what has happened when it breaks. OpenBSD-Regress-ID: b3f1292115fed65765d0a95414df16e27772d81c 2023-10-06 05:25:14 +02:00			`-pkeyopt ec_paramgen_curve:prime256v1 > $ECPARAM \|\| fatal "param EC fail"`
			`$OPENSSL_BIN genpkey -paramfile $ECPARAM > $EC \|\| fatal "genpkey EC fail"`
			`$OPENSSL_BIN pkcs8 -nocrypt -in $EC > $ECP8 \|\| fatal "pkcs8 EC fail"`
			`softhsm2-util --slot "$slot" --label 02 --id 02 \`
upstream: typo in error message OpenBSD-Regress-ID: 6a8edf0dc39941298e3780b147b10c0a600b4fee 2023-10-06 05:32:15 +02:00			`--pin "$TEST_SSH_PIN" --import $ECP8 \|\| fatal "softhsm import EC fail"`
upstream: adapt agent-pkcs11.sh test to softhsm2 and add support for ECDSA keys work by markus@, ok djm@ OpenBSD-Regress-ID: 1ebc2be0e88eff1b6d8be2f9c00cdc60723509fe 2019-01-21 00:25:25 +01:00
- markus@cvs.openbsd.org 2010/02/08 10:52:47 [regress/agent-pkcs11.sh] test for PKCS#11 support (currently disabled) 2010-02-24 07:31:20 +01:00			`trace "start agent"`
upstream: test FIDO2/U2F key types; ok markus@ OpenBSD-Regress-ID: 367e06d5a260407619b4b113ea0bd7004a435474 2019-11-27 00:43:10 +01:00			eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
- markus@cvs.openbsd.org 2010/02/08 10:52:47 [regress/agent-pkcs11.sh] test for PKCS#11 support (currently disabled) 2010-02-24 07:31:20 +01:00			`r=$?`
			`if [ $r -ne 0 ]; then`
			`fail "could not start ssh-agent: exit code $r"`
			`else`
			`trace "add pkcs11 key to agent"`
			`echo ${TEST_SSH_PIN} \| notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1`
			`r=$?`
			`if [ $r -ne 0 ]; then`
			`fail "ssh-add -s failed: exit code $r"`
			`fi`

			`trace "pkcs11 list via agent"`
			`${SSHADD} -l > /dev/null 2>&1`
			`r=$?`
			`if [ $r -ne 0 ]; then`
			`fail "ssh-add -l failed: exit code $r"`
			`fi`

upstream: adapt agent-pkcs11.sh test to softhsm2 and add support for ECDSA keys work by markus@, ok djm@ OpenBSD-Regress-ID: 1ebc2be0e88eff1b6d8be2f9c00cdc60723509fe 2019-01-21 00:25:25 +01:00			`for k in $RSA $EC; do`
			`trace "testing $k"`
			`chmod 600 $k`
			`ssh-keygen -y -f $k > $k.pub`
			`pub=$(cat $k.pub)`
upstream: Perform the softhsm2 setup as discrete steps rather than as a long shell pipeline. Makes it easier to figure out what has happened when it breaks. OpenBSD-Regress-ID: b3f1292115fed65765d0a95414df16e27772d81c 2023-10-06 05:25:14 +02:00			`${SSHADD} -L \| grep -q "$pub" \|\| \`
			`fail "key $k missing in ssh-add -L"`
upstream: adapt agent-pkcs11.sh test to softhsm2 and add support for ECDSA keys work by markus@, ok djm@ OpenBSD-Regress-ID: 1ebc2be0e88eff1b6d8be2f9c00cdc60723509fe 2019-01-21 00:25:25 +01:00			`${SSHADD} -T $k.pub \|\| fail "ssh-add -T with $k failed"`

			`# add to authorized keys`
			`cat $k.pub > $OBJ/authorized_keys_$USER`
			`trace "pkcs11 connect via agent ($k)"`
			`${SSH} -F $OBJ/ssh_proxy somehost exit 5`
			`r=$?`
			`if [ $r -ne 5 ]; then`
			`fail "ssh connect failed (exit code $r)"`
			`fi`
			`done`
- markus@cvs.openbsd.org 2010/02/08 10:52:47 [regress/agent-pkcs11.sh] test for PKCS#11 support (currently disabled) 2010-02-24 07:31:20 +01:00
			`trace "remove pkcs11 keys"`
			`echo ${TEST_SSH_PIN} \| notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1`
			`r=$?`
			`if [ $r -ne 0 ]; then`
			`fail "ssh-add -e failed: exit code $r"`
			`fi`

			`trace "kill agent"`
			`${SSHAGENT} -k > /dev/null`
			`fi`