[openssh-commits] [openssh] 01/01: upstream: tidy and refactor PKCS#11 setup code
git+noreply at mindrot.org
git+noreply at mindrot.org
Tue Oct 31 04:36:35 AEDT 2023
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit f82fa227a52661c37404a6d33bbabf14fed05db0
Author: djm at openbsd.org <djm at openbsd.org>
Date: Mon Oct 30 17:32:00 2023 +0000
upstream: tidy and refactor PKCS#11 setup code
Replace the use of a perl script to delete the controlling TTY with a
SSH_ASKPASS script to directly load the PIN.
Move PKCS#11 setup code to functions in anticipation of it being used
elsewhere in additional tests.
Reduce stdout spam
OpenBSD-Regress-ID: 07705c31de30bab9601a95daf1ee6bef821dd262
---
regress/agent-pkcs11.sh | 133 ++++++++++++++++++++++++++----------------------
1 file changed, 72 insertions(+), 61 deletions(-)
diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh
index 7b61a956..9b9d498a 100644
--- a/regress/agent-pkcs11.sh
+++ b/regress/agent-pkcs11.sh
@@ -1,42 +1,45 @@
-# $OpenBSD: agent-pkcs11.sh,v 1.11 2023/10/06 03:32:15 djm Exp $
+# $OpenBSD: agent-pkcs11.sh,v 1.12 2023/10/30 17:32:00 djm Exp $
# Placed in the Public Domain.
tid="pkcs11 agent test"
-try_token_libs() {
+# Find a PKCS#11 library.
+p11_find_lib() {
+ TEST_SSH_PKCS11=""
for _lib in "$@" ; do
if test -f "$_lib" ; then
- verbose "Using token library $_lib"
TEST_SSH_PKCS11="$_lib"
return
fi
done
- echo "skipped: Unable to find PKCS#11 token library"
- exit 0
}
-try_token_libs \
- /usr/local/lib/softhsm/libsofthsm2.so \
- /usr/lib64/pkcs11/libsofthsm2.so \
- /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
+# Perform PKCS#11 setup: prepares a softhsm2 token configuration, generated
+# keys and loads them into the virtual token.
+PKCS11_OK=
+export PKCS11_OK
+p11_setup() {
+ p11_find_lib \
+ /usr/local/lib/softhsm/libsofthsm2.so \
+ /usr/lib64/pkcs11/libsofthsm2.so \
+ /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
+ test -z "$TEST_SSH_PKCS11" && return 1
+ verbose "using token library $TEST_SSH_PKCS11"
+ TEST_SSH_PIN=1234
+ TEST_SSH_SOPIN=12345678
+ if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then
+ SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
+ export SSH_PKCS11_HELPER
+ fi
-TEST_SSH_PIN=1234
-TEST_SSH_SOPIN=12345678
-if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then
- SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
- export SSH_PKCS11_HELPER
-fi
-
-test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist"
-
-# setup environment for softhsm2 token
-DIR=$OBJ/SOFTHSM
-rm -rf $DIR
-TOKEN=$DIR/tokendir
-mkdir -p $TOKEN
-SOFTHSM2_CONF=$DIR/softhsm2.conf
-export SOFTHSM2_CONF
-cat > $SOFTHSM2_CONF << EOF
+ # setup environment for softhsm2 token
+ DIR=$OBJ/SOFTHSM
+ rm -rf $DIR
+ TOKEN=$DIR/tokendir
+ mkdir -p $TOKEN
+ SOFTHSM2_CONF=$DIR/softhsm2.conf
+ export SOFTHSM2_CONF
+ cat > $SOFTHSM2_CONF << EOF
# SoftHSM v2 configuration file
directories.tokendir = ${TOKEN}
objectstore.backend = file
@@ -45,40 +48,50 @@ log.level = DEBUG
# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false
EOF
-out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")
-slot=$(echo -- $out | sed 's/.* //')
-
-# prevent ssh-agent from calling ssh-askpass
-SSH_ASKPASS=/usr/bin/true
-export SSH_ASKPASS
-unset DISPLAY
-
-# start command w/o tty, so ssh-add accepts pin from stdin
-# XXX could force askpass instead
-notty() {
- perl -e 'use POSIX; POSIX::setsid();
- if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
+ out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")
+ slot=$(echo -- $out | sed 's/.* //')
+ trace "generating keys"
+ # RSA key
+ RSA=${DIR}/RSA
+ RSAP8=${DIR}/RSAP8
+ $OPENSSL_BIN genpkey -algorithm rsa > $RSA 2>/dev/null || \
+ fatal "genpkey RSA fail"
+ $OPENSSL_BIN pkcs8 -nocrypt -in $RSA > $RSAP8 || fatal "pkcs8 RSA fail"
+ softhsm2-util --slot "$slot" --label 01 --id 01 --pin "$TEST_SSH_PIN" \
+ --import $RSAP8 >/dev/null || fatal "softhsm import RSA fail"
+ chmod 600 $RSA
+ ssh-keygen -y -f $RSA > ${RSA}.pub
+ # ECDSA key
+ ECPARAM=${DIR}/ECPARAM
+ EC=${DIR}/EC
+ ECP8=${DIR}/ECP8
+ $OPENSSL_BIN genpkey -genparam -algorithm ec \
+ -pkeyopt ec_paramgen_curve:prime256v1 > $ECPARAM || \
+ fatal "param EC fail"
+ $OPENSSL_BIN genpkey -paramfile $ECPARAM > $EC || \
+ fatal "genpkey EC fail"
+ $OPENSSL_BIN pkcs8 -nocrypt -in $EC > $ECP8 || fatal "pkcs8 EC fail"
+ softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" \
+ --import $ECP8 >/dev/null || fatal "softhsm import EC fail"
+ chmod 600 $EC
+ ssh-keygen -y -f $EC > ${EC}.pub
+ # Prepare askpass script to load PIN.
+ PIN_SH=$DIR/pin.sh
+ cat > $PIN_SH << EOF
+#!/bin/sh
+echo "${TEST_SSH_PIN}"
+EOF
+ chmod 0700 "$PIN_SH"
+ PKCS11_OK=yes
+ return 0
}
-trace "generating keys"
-RSA=${DIR}/RSA
-RSAP8=${DIR}/RSAP8
-ECPARAM=${DIR}/ECPARAM
-EC=${DIR}/EC
-ECP8=${DIR}/ECP8
-$OPENSSL_BIN genpkey -algorithm rsa > $RSA || fatal "genpkey RSA fail"
-$OPENSSL_BIN pkcs8 -nocrypt -in $RSA > $RSAP8 || fatal "pkcs8 RSA fail"
-softhsm2-util --slot "$slot" --label 01 --id 01 \
- --pin "$TEST_SSH_PIN" --import $RSAP8 || fatal "softhsm import RSA fail"
+# Peforms ssh-add with the right token PIN.
+p11_ssh_add() {
+ env SSH_ASKPASS="$PIN_SH" SSH_ASKPASS_REQUIRE=force ${SSHADD} "$@"
+}
-$OPENSSL_BIN genpkey \
- -genparam \
- -algorithm ec \
- -pkeyopt ec_paramgen_curve:prime256v1 > $ECPARAM || fatal "param EC fail"
-$OPENSSL_BIN genpkey -paramfile $ECPARAM > $EC || fatal "genpkey EC fail"
-$OPENSSL_BIN pkcs8 -nocrypt -in $EC > $ECP8 || fatal "pkcs8 EC fail"
-softhsm2-util --slot "$slot" --label 02 --id 02 \
- --pin "$TEST_SSH_PIN" --import $ECP8 || fatal "softhsm import EC fail"
+p11_setup || skip "No PKCS#11 library found"
trace "start agent"
eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
@@ -87,7 +100,7 @@ if [ $r -ne 0 ]; then
fail "could not start ssh-agent: exit code $r"
else
trace "add pkcs11 key to agent"
- echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
+ p11_ssh_add -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
fail "ssh-add -s failed: exit code $r"
@@ -102,8 +115,6 @@ else
for k in $RSA $EC; do
trace "testing $k"
- chmod 600 $k
- ssh-keygen -y -f $k > $k.pub
pub=$(cat $k.pub)
${SSHADD} -L | grep -q "$pub" || \
fail "key $k missing in ssh-add -L"
@@ -120,7 +131,7 @@ else
done
trace "remove pkcs11 keys"
- echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
+ p11_ssh_add -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
fail "ssh-add -e failed: exit code $r"
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list