[openssh-commits] [openssh] 01/01: upstream: tidy and refactor PKCS#11 setup code

git+noreply at mindrot.org git+noreply at mindrot.org
Tue Oct 31 04:36:35 AEDT 2023 

This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit f82fa227a52661c37404a6d33bbabf14fed05db0
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Oct 30 17:32:00 2023 +0000

    upstream: tidy and refactor PKCS#11 setup code
    
    Replace the use of a perl script to delete the controlling TTY with a
    SSH_ASKPASS script to directly load the PIN.
    
    Move PKCS#11 setup code to functions in anticipation of it being used
    elsewhere in additional tests.
    
    Reduce stdout spam
    
    OpenBSD-Regress-ID: 07705c31de30bab9601a95daf1ee6bef821dd262
---
 regress/agent-pkcs11.sh | 133 ++++++++++++++++++++++++++----------------------
 1 file changed, 72 insertions(+), 61 deletions(-)

diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh
index 7b61a956..9b9d498a 100644
--- a/regress/agent-pkcs11.sh
+++ b/regress/agent-pkcs11.sh
@@ -1,42 +1,45 @@
-#	$OpenBSD: agent-pkcs11.sh,v 1.11 2023/10/06 03:32:15 djm Exp $
+#	$OpenBSD: agent-pkcs11.sh,v 1.12 2023/10/30 17:32:00 djm Exp $
 #	Placed in the Public Domain.
 
 tid="pkcs11 agent test"
 
-try_token_libs() {
+# Find a PKCS#11 library.
+p11_find_lib() {
+	TEST_SSH_PKCS11=""
 	for _lib in "$@" ; do
 		if test -f "$_lib" ; then
-			verbose "Using token library $_lib"
 			TEST_SSH_PKCS11="$_lib"
 			return
 		fi
 	done
-	echo "skipped: Unable to find PKCS#11 token library"
-	exit 0
 }
 
-try_token_libs \
-	/usr/local/lib/softhsm/libsofthsm2.so \
-	/usr/lib64/pkcs11/libsofthsm2.so \
-	/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
+# Perform PKCS#11 setup: prepares a softhsm2 token configuration, generated
+# keys and loads them into the virtual token.
+PKCS11_OK=
+export PKCS11_OK
+p11_setup() {
+	p11_find_lib \
+		/usr/local/lib/softhsm/libsofthsm2.so \
+		/usr/lib64/pkcs11/libsofthsm2.so \
+		/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
+	test -z "$TEST_SSH_PKCS11" && return 1
+	verbose "using token library $TEST_SSH_PKCS11"
+	TEST_SSH_PIN=1234
+	TEST_SSH_SOPIN=12345678
+	if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then
+		SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
+		export SSH_PKCS11_HELPER
+	fi
 
-TEST_SSH_PIN=1234
-TEST_SSH_SOPIN=12345678
-if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then
-	SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
-	export SSH_PKCS11_HELPER
-fi
-
-test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist"
-
-# setup environment for softhsm2 token
-DIR=$OBJ/SOFTHSM
-rm -rf $DIR
-TOKEN=$DIR/tokendir
-mkdir -p $TOKEN
-SOFTHSM2_CONF=$DIR/softhsm2.conf
-export SOFTHSM2_CONF
-cat > $SOFTHSM2_CONF << EOF
+	# setup environment for softhsm2 token
+	DIR=$OBJ/SOFTHSM
+	rm -rf $DIR
+	TOKEN=$DIR/tokendir
+	mkdir -p $TOKEN
+	SOFTHSM2_CONF=$DIR/softhsm2.conf
+	export SOFTHSM2_CONF
+	cat > $SOFTHSM2_CONF << EOF
 # SoftHSM v2 configuration file
 directories.tokendir = ${TOKEN}
 objectstore.backend = file
@@ -45,40 +48,50 @@ log.level = DEBUG
 # If CKF_REMOVABLE_DEVICE flag should be set
 slots.removable = false
 EOF
-out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")
-slot=$(echo -- $out | sed 's/.* //')
-
-# prevent ssh-agent from calling ssh-askpass
-SSH_ASKPASS=/usr/bin/true
-export SSH_ASKPASS
-unset DISPLAY
-
-# start command w/o tty, so ssh-add accepts pin from stdin
-# XXX could force askpass instead
-notty() {
-	perl -e 'use POSIX; POSIX::setsid(); 
-	    if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
+	out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")
+	slot=$(echo -- $out | sed 's/.* //')
+	trace "generating keys"
+	# RSA key
+	RSA=${DIR}/RSA
+	RSAP8=${DIR}/RSAP8
+	$OPENSSL_BIN genpkey -algorithm rsa > $RSA 2>/dev/null || \
+	    fatal "genpkey RSA fail"
+	$OPENSSL_BIN pkcs8 -nocrypt -in $RSA > $RSAP8 || fatal "pkcs8 RSA fail"
+	softhsm2-util --slot "$slot" --label 01 --id 01 --pin "$TEST_SSH_PIN" \
+	    --import $RSAP8 >/dev/null || fatal "softhsm import RSA fail"
+	chmod 600 $RSA
+	ssh-keygen -y -f $RSA > ${RSA}.pub
+	# ECDSA key
+	ECPARAM=${DIR}/ECPARAM
+	EC=${DIR}/EC
+	ECP8=${DIR}/ECP8
+	$OPENSSL_BIN genpkey -genparam -algorithm ec \
+	    -pkeyopt ec_paramgen_curve:prime256v1 > $ECPARAM || \
+	    fatal "param EC fail"
+	$OPENSSL_BIN genpkey -paramfile $ECPARAM > $EC || \
+	    fatal "genpkey EC fail"
+	$OPENSSL_BIN pkcs8 -nocrypt -in $EC > $ECP8 || fatal "pkcs8 EC fail"
+	softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" \
+	    --import $ECP8 >/dev/null || fatal "softhsm import EC fail"
+	chmod 600 $EC
+	ssh-keygen -y -f $EC > ${EC}.pub
+	# Prepare askpass script to load PIN.
+	PIN_SH=$DIR/pin.sh
+	cat > $PIN_SH << EOF
+#!/bin/sh
+echo "${TEST_SSH_PIN}"
+EOF
+	chmod 0700 "$PIN_SH"
+	PKCS11_OK=yes
+	return 0
 }
 
-trace "generating keys"
-RSA=${DIR}/RSA
-RSAP8=${DIR}/RSAP8
-ECPARAM=${DIR}/ECPARAM
-EC=${DIR}/EC
-ECP8=${DIR}/ECP8
-$OPENSSL_BIN genpkey -algorithm rsa > $RSA || fatal "genpkey RSA fail"
-$OPENSSL_BIN pkcs8 -nocrypt -in $RSA > $RSAP8 || fatal "pkcs8 RSA fail"
-softhsm2-util --slot "$slot" --label 01 --id 01 \
-    --pin "$TEST_SSH_PIN" --import $RSAP8 || fatal "softhsm import RSA fail"
+# Peforms ssh-add with the right token PIN.
+p11_ssh_add() {
+	env SSH_ASKPASS="$PIN_SH" SSH_ASKPASS_REQUIRE=force ${SSHADD} "$@"
+}
 
-$OPENSSL_BIN genpkey \
-    -genparam \
-    -algorithm ec \
-    -pkeyopt ec_paramgen_curve:prime256v1 > $ECPARAM || fatal "param EC fail"
-$OPENSSL_BIN genpkey -paramfile $ECPARAM > $EC || fatal "genpkey EC fail"
-$OPENSSL_BIN pkcs8 -nocrypt -in $EC > $ECP8 || fatal "pkcs8 EC fail"
-softhsm2-util --slot "$slot" --label 02 --id 02 \
-    --pin "$TEST_SSH_PIN" --import $ECP8 || fatal "softhsm import EC fail"
+p11_setup || skip "No PKCS#11 library found"
 
 trace "start agent"
 eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
@@ -87,7 +100,7 @@ if [ $r -ne 0 ]; then
 	fail "could not start ssh-agent: exit code $r"
 else
 	trace "add pkcs11 key to agent"
-	echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
+	p11_ssh_add -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
 	r=$?
 	if [ $r -ne 0 ]; then
 		fail "ssh-add -s failed: exit code $r"
@@ -102,8 +115,6 @@ else
 
 	for k in $RSA $EC; do
 		trace "testing $k"
-		chmod 600 $k
-		ssh-keygen -y -f $k > $k.pub
 		pub=$(cat $k.pub)
 		${SSHADD} -L | grep -q "$pub" || \
 			fail "key $k missing in ssh-add -L"
@@ -120,7 +131,7 @@ else
 	done
 
 	trace "remove pkcs11 keys"
-	echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
+	p11_ssh_add -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
 	r=$?
 	if [ $r -ne 0 ]; then
 		fail "ssh-add -e failed: exit code $r"

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

More information about the openssh-commits mailing list