tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream: tidy and refactor PKCS#11 setup code 

Replace the use of a perl script to delete the controlling TTY with a
SSH_ASKPASS script to directly load the PIN.

Move PKCS#11 setup code to functions in anticipation of it being used
elsewhere in additional tests.

Reduce stdout spam

OpenBSD-Regress-ID: 07705c31de30bab9601a95daf1ee6bef821dd262
This commit is contained in:
djm@openbsd.org 2023-10-30 17:32:00 +00:00 committed by Damien Miller
parent 3cf698c6d4
commit f82fa227a5
No known key found for this signature in database
1 changed files with 72 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

133
regress/agent-pkcs11.sh
View File

@ -1,42 +1,45 @@
# $OpenBSD: agent-pkcs11.sh,v 1.11 2023/10/06 03:32:15 djm Exp $ # $OpenBSD: agent-pkcs11.sh,v 1.12 2023/10/30 17:32:00 djm Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
tid="pkcs11 agent test" tid="pkcs11 agent test"
try_token_libs() { # Find a PKCS#11 library.
p11_find_lib() {
TEST_SSH_PKCS11=""
for _lib in "$@" ; do for _lib in "$@" ; do
if test -f "$_lib" ; then if test -f "$_lib" ; then
verbose "Using token library $_lib"
TEST_SSH_PKCS11="$_lib" TEST_SSH_PKCS11="$_lib"
return return
fi fi
done done
echo "skipped: Unable to find PKCS#11 token library"
exit 0
} }
try_token_libs \ # Perform PKCS#11 setup: prepares a softhsm2 token configuration, generated
/usr/local/lib/softhsm/libsofthsm2.so \ # keys and loads them into the virtual token.
/usr/lib64/pkcs11/libsofthsm2.so \ PKCS11_OK=
/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so export PKCS11_OK
p11_setup() {
p11_find_lib \
/usr/local/lib/softhsm/libsofthsm2.so \
/usr/lib64/pkcs11/libsofthsm2.so \
/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
test -z "$TEST_SSH_PKCS11" && return 1
verbose "using token library $TEST_SSH_PKCS11"
TEST_SSH_PIN=1234
TEST_SSH_SOPIN=12345678
if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then
SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
export SSH_PKCS11_HELPER
fi
TEST_SSH_PIN=1234 # setup environment for softhsm2 token
TEST_SSH_SOPIN=12345678 DIR=$OBJ/SOFTHSM
if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then rm -rf $DIR
SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}" TOKEN=$DIR/tokendir
export SSH_PKCS11_HELPER mkdir -p $TOKEN
fi SOFTHSM2_CONF=$DIR/softhsm2.conf
export SOFTHSM2_CONF
test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist" cat > $SOFTHSM2_CONF << EOF
# setup environment for softhsm2 token
DIR=$OBJ/SOFTHSM
rm -rf $DIR
TOKEN=$DIR/tokendir
mkdir -p $TOKEN
SOFTHSM2_CONF=$DIR/softhsm2.conf
export SOFTHSM2_CONF
cat > $SOFTHSM2_CONF << EOF
# SoftHSM v2 configuration file # SoftHSM v2 configuration file
directories.tokendir = ${TOKEN} directories.tokendir = ${TOKEN}
objectstore.backend = file objectstore.backend = file
@ -45,40 +48,50 @@ log.level = DEBUG
# If CKF_REMOVABLE_DEVICE flag should be set # If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false slots.removable = false
EOF EOF
out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN") out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")
slot=$(echo -- $out | sed 's/.* //') slot=$(echo -- $out | sed 's/.* //')
trace "generating keys"
# prevent ssh-agent from calling ssh-askpass # RSA key
SSH_ASKPASS=/usr/bin/true RSA=${DIR}/RSA
export SSH_ASKPASS RSAP8=${DIR}/RSAP8
unset DISPLAY $OPENSSL_BIN genpkey -algorithm rsa > $RSA 2>/dev/null || \
fatal "genpkey RSA fail"
# start command w/o tty, so ssh-add accepts pin from stdin $OPENSSL_BIN pkcs8 -nocrypt -in $RSA > $RSAP8 || fatal "pkcs8 RSA fail"
# XXX could force askpass instead softhsm2-util --slot "$slot" --label 01 --id 01 --pin "$TEST_SSH_PIN" \
notty() { --import $RSAP8 >/dev/null || fatal "softhsm import RSA fail"
perl -e 'use POSIX; POSIX::setsid(); chmod 600 $RSA
if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@" ssh-keygen -y -f $RSA > ${RSA}.pub
# ECDSA key
ECPARAM=${DIR}/ECPARAM
EC=${DIR}/EC
ECP8=${DIR}/ECP8
$OPENSSL_BIN genpkey -genparam -algorithm ec \
-pkeyopt ec_paramgen_curve:prime256v1 > $ECPARAM || \
fatal "param EC fail"
$OPENSSL_BIN genpkey -paramfile $ECPARAM > $EC || \
fatal "genpkey EC fail"
$OPENSSL_BIN pkcs8 -nocrypt -in $EC > $ECP8 || fatal "pkcs8 EC fail"
softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" \
--import $ECP8 >/dev/null || fatal "softhsm import EC fail"
chmod 600 $EC
ssh-keygen -y -f $EC > ${EC}.pub
# Prepare askpass script to load PIN.
PIN_SH=$DIR/pin.sh
cat > $PIN_SH << EOF
#!/bin/sh
echo "${TEST_SSH_PIN}"
EOF
chmod 0700 "$PIN_SH"
PKCS11_OK=yes
return 0
} }
trace "generating keys" # Peforms ssh-add with the right token PIN.
RSA=${DIR}/RSA p11_ssh_add() {
RSAP8=${DIR}/RSAP8 env SSH_ASKPASS="$PIN_SH" SSH_ASKPASS_REQUIRE=force ${SSHADD} "$@"
ECPARAM=${DIR}/ECPARAM }
EC=${DIR}/EC
ECP8=${DIR}/ECP8
$OPENSSL_BIN genpkey -algorithm rsa > $RSA || fatal "genpkey RSA fail"
$OPENSSL_BIN pkcs8 -nocrypt -in $RSA > $RSAP8 || fatal "pkcs8 RSA fail"
softhsm2-util --slot "$slot" --label 01 --id 01 \
--pin "$TEST_SSH_PIN" --import $RSAP8 || fatal "softhsm import RSA fail"
$OPENSSL_BIN genpkey \ p11_setup || skip "No PKCS#11 library found"
-genparam \
-algorithm ec \
-pkeyopt ec_paramgen_curve:prime256v1 > $ECPARAM || fatal "param EC fail"
$OPENSSL_BIN genpkey -paramfile $ECPARAM > $EC || fatal "genpkey EC fail"
$OPENSSL_BIN pkcs8 -nocrypt -in $EC > $ECP8 || fatal "pkcs8 EC fail"
softhsm2-util --slot "$slot" --label 02 --id 02 \
--pin "$TEST_SSH_PIN" --import $ECP8 || fatal "softhsm import EC fail"
trace "start agent" trace "start agent"
eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
@ -87,7 +100,7 @@ if [ $r -ne 0 ]; then
fail "could not start ssh-agent: exit code $r" fail "could not start ssh-agent: exit code $r"
else else
trace "add pkcs11 key to agent" trace "add pkcs11 key to agent"
echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1 p11_ssh_add -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
r=$? r=$?
if [ $r -ne 0 ]; then if [ $r -ne 0 ]; then
fail "ssh-add -s failed: exit code $r" fail "ssh-add -s failed: exit code $r"
@ -102,8 +115,6 @@ else
for k in $RSA $EC; do for k in $RSA $EC; do
trace "testing $k" trace "testing $k"
chmod 600 $k
ssh-keygen -y -f $k > $k.pub
pub=$(cat $k.pub) pub=$(cat $k.pub)
${SSHADD} -L | grep -q "$pub" || \ ${SSHADD} -L | grep -q "$pub" || \
fail "key $k missing in ssh-add -L" fail "key $k missing in ssh-add -L"
@ -120,7 +131,7 @@ else
done done
trace "remove pkcs11 keys" trace "remove pkcs11 keys"
echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1 p11_ssh_add -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
r=$? r=$?
if [ $r -ne 0 ]; then if [ $r -ne 0 ]; then
fail "ssh-add -e failed: exit code $r" fail "ssh-add -e failed: exit code $r"