[openssh-commits] [openssh] 03/03: upstream: regression tests for Ed25519 keys in PKCS#11 tokens
git+noreply at mindrot.org
git+noreply at mindrot.org
Sat Jul 26 11:58:25 AEST 2025
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit a729163c56ecc002c0cb04db56e7d86ceec2e8b0
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Sat Jul 26 01:53:31 2025 +0000
upstream: regression tests for Ed25519 keys in PKCS#11 tokens
OpenBSD-Regress-ID: 50067c0716abfea3a526b4a0c8f1fe15e7665c0f
---
regress/agent-pkcs11-cert.sh | 28 +++++++++++++++++++++-------
regress/agent-pkcs11-restrict.sh | 3 ++-
regress/agent-pkcs11.sh | 4 ++--
regress/test-exec.sh | 14 +++++++++++++-
4 files changed, 38 insertions(+), 11 deletions(-)
diff --git a/regress/agent-pkcs11-cert.sh b/regress/agent-pkcs11-cert.sh
index 39e839f9c..551067d23 100644
--- a/regress/agent-pkcs11-cert.sh
+++ b/regress/agent-pkcs11-cert.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent-pkcs11-cert.sh,v 1.2 2025/05/24 04:41:12 djm Exp $
+# $OpenBSD: agent-pkcs11-cert.sh,v 1.3 2025/07/26 01:53:31 djm Exp $
# Placed in the Public Domain.
tid="pkcs11 agent certificate test"
@@ -16,7 +16,10 @@ $SSHKEYGEN -qs $OBJ/ca -I "ecdsa_key" -n $USER -z 1 ${SSH_SOFTHSM_DIR}/EC.pub ||
fatal "certify ECDSA key failed"
$SSHKEYGEN -qs $OBJ/ca -I "rsa_key" -n $USER -z 2 ${SSH_SOFTHSM_DIR}/RSA.pub ||
fatal "certify RSA key failed"
-$SSHKEYGEN -qs $OBJ/ca -I "ca_ca" -n $USER -z 3 $OBJ/ca.pub ||
+$SSHKEYGEN -qs $OBJ/ca -I "ed25519_key" -n $USER -z 3 \
+ ${SSH_SOFTHSM_DIR}/ED25519.pub ||
+ fatal "certify ed25519 key failed"
+$SSHKEYGEN -qs $OBJ/ca -I "ca_ca" -n $USER -z 4 $OBJ/ca.pub ||
fatal "certify CA key failed"
start_ssh_agent
@@ -25,6 +28,8 @@ verbose "load pkcs11 keys and certs"
# Note: deliberately contains non-cert keys and non-matching cert on commandline
p11_ssh_add -qs ${TEST_SSH_PKCS11} \
$OBJ/ca.pub \
+ ${SSH_SOFTHSM_DIR}/ED25519.pub \
+ ${SSH_SOFTHSM_DIR}/ED25519-cert.pub \
${SSH_SOFTHSM_DIR}/EC.pub \
${SSH_SOFTHSM_DIR}/EC-cert.pub \
${SSH_SOFTHSM_DIR}/RSA.pub \
@@ -33,8 +38,10 @@ p11_ssh_add -qs ${TEST_SSH_PKCS11} \
# Verify their presence
verbose "verify presence"
cut -d' ' -f1-2 \
+ ${SSH_SOFTHSM_DIR}/ED25519.pub \
${SSH_SOFTHSM_DIR}/EC.pub \
${SSH_SOFTHSM_DIR}/RSA.pub \
+ ${SSH_SOFTHSM_DIR}/ED25519-cert.pub \
${SSH_SOFTHSM_DIR}/EC-cert.pub \
${SSH_SOFTHSM_DIR}/RSA-cert.pub | sort > $OBJ/expect_list
$SSHADD -L | cut -d' ' -f1-2 | sort > $OBJ/output_list
@@ -43,16 +50,19 @@ diff $OBJ/expect_list $OBJ/output_list
# Verify that all can perform signatures.
verbose "check signatures"
for x in ${SSH_SOFTHSM_DIR}/EC.pub ${SSH_SOFTHSM_DIR}/RSA.pub \
- ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub ; do
+ ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub \
+ ${SSH_SOFTHSM_DIR}/ED25519.pub ${SSH_SOFTHSM_DIR}/ED25519-cert.pub ; do
$SSHADD -T $x || fail "Signing failed for $x"
done
# Delete plain keys.
verbose "delete plain keys"
$SSHADD -qd ${SSH_SOFTHSM_DIR}/EC.pub ${SSH_SOFTHSM_DIR}/RSA.pub
+$SSHADD -qd ${SSH_SOFTHSM_DIR}/ED25519.pub
# Verify that certs can still perform signatures.
verbose "reverify certificate signatures"
-for x in ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub ; do
+for x in ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub \
+ ${SSH_SOFTHSM_DIR}/ED25519-cert.pub ; do
$SSHADD -T $x || fail "Signing failed for $x"
done
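Review bot: The exit status of the added `$SSHADD -qd ${SSH_SOFTHSM_DIR}/ED25519.pub` is ignored, and nothing visible in this hunk asserts that the plain key has left the agent. The "reverify certificate signatures" loop that follows would presumably pass either way, since the certificate entry can sign whether or not the plain key is still loaded. Consider `$SSHADD -qd ${SSH_SOFTHSM_DIR}/ED25519.pub || fail "delete ed25519 key failed"`, or add the path to the preceding `-qd` call and check that one. The existing EC/RSA delete on the line above has the same gap.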
@@ -64,18 +74,22 @@ p11_ssh_add -qCs ${TEST_SSH_PKCS11} \
${SSH_SOFTHSM_DIR}/EC.pub \
${SSH_SOFTHSM_DIR}/EC-cert.pub \
${SSH_SOFTHSM_DIR}/RSA.pub \
- ${SSH_SOFTHSM_DIR}/RSA-cert.pub ||
+ ${SSH_SOFTHSM_DIR}/RSA-cert.pub \
+ ${SSH_SOFTHSM_DIR}/ED25519.pub \
+ ${SSH_SOFTHSM_DIR}/ED25519-cert.pub ||
fatal "failed to add keys"
# Verify their presence
verbose "verify presence"
cut -d' ' -f1-2 \
${SSH_SOFTHSM_DIR}/EC-cert.pub \
- ${SSH_SOFTHSM_DIR}/RSA-cert.pub | sort > $OBJ/expect_list
+ ${SSH_SOFTHSM_DIR}/RSA-cert.pub \
+ ${SSH_SOFTHSM_DIR}/ED25519-cert.pub | sort > $OBJ/expect_list
$SSHADD -L | cut -d' ' -f1-2 | sort > $OBJ/output_list
diff $OBJ/expect_list $OBJ/output_list
# Verify that certs can perform signatures.
verbose "check signatures"
-for x in ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub ; do
+for x in ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub \
+ ${SSH_SOFTHSM_DIR}/ED25519-cert.pub ; do
$SSHADD -T $x || fail "Signing failed for $x"
done
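Review bot: The result of `diff $OBJ/expect_list $OBJ/output_list` is not checked after the expected list gains `ED25519-cert.pub`. Unless the harness runs under `set -e` (not visible here), a mismatch only prints a diff and the script carries on; for this `-qCs` load that includes the case where a plain Ed25519 key is loaded alongside the certificate. Consider `diff $OBJ/expect_list $OBJ/output_list || fail "agent key list mismatch"`. The first "verify presence" block earlier in this file, which the commit also extends, uses the same unchecked `diff`.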
diff --git a/regress/agent-pkcs11-restrict.sh b/regress/agent-pkcs11-restrict.sh
index e5763ea8f..9fc5e1c69 100644
--- a/regress/agent-pkcs11-restrict.sh
+++ b/regress/agent-pkcs11-restrict.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent-pkcs11-restrict.sh,v 1.2 2025/05/24 04:41:12 djm Exp $
+# $OpenBSD: agent-pkcs11-restrict.sh,v 1.3 2025/07/26 01:53:31 djm Exp $
# Placed in the Public Domain.
tid="pkcs11 agent constraint test"
@@ -16,6 +16,7 @@ for h in a b x ca ; do
done
# XXX test CA hostcerts too.
+# XXX test ed25519 keys
key_for() {
case $h in
diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh
index 731c1f9dd..491466659 100644
--- a/regress/agent-pkcs11.sh
+++ b/regress/agent-pkcs11.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent-pkcs11.sh,v 1.14 2025/05/24 04:41:03 djm Exp $
+# $OpenBSD: agent-pkcs11.sh,v 1.15 2025/07/26 01:53:31 djm Exp $
# Placed in the Public Domain.
tid="pkcs11 agent test"
@@ -21,7 +21,7 @@ if [ $r -ne 0 ]; then
fail "ssh-add -l failed: exit code $r"
fi
-for k in $RSA $EC; do
+for k in $ED25519 $RSA $EC; do
trace "testing $k"
pub=$(cat $k.pub)
${SSHADD} -L | grep -q "$pub" || \
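Review bot: `for k in $ED25519 $RSA $EC` expands `$ED25519` unquoted, so if the variable is empty or unset (it is assigned in the softhsm setup in regress/test-exec.sh) the loop silently drops the Ed25519 iteration and the test passes without exercising the new key type. A guard before the loop such as `[ -n "$ED25519" ] || fatal "ED25519 key path not set"` would turn that into a visible failure. Separately, `grep -q "$pub"` treats the key line as a regular expression; `grep -qF -- "$pub"` would compare it literally. The loop body continues past the end of this hunk.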
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 0ecf6c5a8..c5270042e 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: test-exec.sh,v 1.130 2025/06/28 13:34:08 dtucker Exp $
+# $OpenBSD: test-exec.sh,v 1.131 2025/07/26 01:53:31 djm Exp $
# Placed in the Public Domain.
#SUDO=sudo
@@ -979,6 +979,18 @@ EOF
--import $ECP8 >/dev/null || fatal "softhsm import EC fail"
chmod 600 $EC
ssh-keygen -y -f $EC > ${EC}.pub
+ # Ed25519 key
+ ED25519=${SSH_SOFTHSM_DIR}/ED25519
+ ED25519P8=${SSH_SOFTHSM_DIR}/ED25519P8
+ $OPENSSL_BIN genpkey -algorithm ed25519 > $ED25519 || \
+ fatal "genpkey Ed25519 fail"
+ $OPENSSL_BIN pkcs8 -nocrypt -in $ED25519 > $ED25519P8 || \
+ fatal "pkcs8 Ed25519 fail"
+ softhsm2-util --slot "$slot" --label 03 --id 03 --pin "$TEST_SSH_PIN" \
+ --import $ED25519P8 >/dev/null || \
+ fatal "softhsm import ed25519 fail"
+ chmod 600 $ED25519
+ ssh-keygen -y -f $ED25519 > ${ED25519}.pub
# Prepare askpass script to load PIN.
PIN_SH=$SSH_SOFTHSM_DIR/pin.sh
cat > $PIN_SH << EOF
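Review bot: The added `ssh-keygen -y -f $ED25519 > ${ED25519}.pub` has no failure check, unlike the genpkey, pkcs8 and import steps above it. If it fails, the redirection still leaves an empty `ED25519.pub`, and the loop in regress/agent-pkcs11.sh then runs `grep -q "$pub"` with an empty pattern, which matches any listed key, so the Ed25519 presence check would pass vacuously. Suggest `ssh-keygen -y -f $ED25519 > ${ED25519}.pub || fatal "ed25519 public key export fail"`. The EC line just above follows the same unchecked pattern, and the surrounding setup code and the here-document opened on the last line continue outside this hunk.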
--