Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. OpenSSH>
  3. Commits
[openssh] 01/01: upstream: move PKCS#11 setup code to test-exec.sh so it can be reused
git+noreply at mindrot
Oct 30, 2023, 4:04 PM
Post #1 of 1 (54 views)
Permalink
This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 3a506598fddd3f18f9095af3fe917f24cbdd32e0
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Oct 30 23:00:25 2023 +0000

upstream: move PKCS#11 setup code to test-exec.sh so it can be reused

elsewhere

OpenBSD-Regress-ID: 1d29e6be40f994419795d9e660a8d07f538f0acb
---
regress/agent-pkcs11.sh | 90 +----------------------------------------------
regress/test-exec.sh | 93 ++++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 93 insertions(+), 90 deletions(-)

diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh
index 9b9d498a..304734f4 100644
--- a/regress/agent-pkcs11.sh
+++ b/regress/agent-pkcs11.sh
@@ -1,96 +1,8 @@
-# $OpenBSD: agent-pkcs11.sh,v 1.12 2023/10/30 17:32:00 djm Exp $
+# $OpenBSD: agent-pkcs11.sh,v 1.13 2023/10/30 23:00:25 djm Exp $
# Placed in the Public Domain.

tid="pkcs11 agent test"

-# Find a PKCS#11 library.
-p11_find_lib() {
- TEST_SSH_PKCS11=""
- for _lib in "$@" ; do
- if test -f "$_lib" ; then
- TEST_SSH_PKCS11="$_lib"
- return
- fi
- done
-}
-
-# Perform PKCS#11 setup: prepares a softhsm2 token configuration, generated
-# keys and loads them into the virtual token.
-PKCS11_OK=
-export PKCS11_OK
-p11_setup() {
- p11_find_lib \
- /usr/local/lib/softhsm/libsofthsm2.so \
- /usr/lib64/pkcs11/libsofthsm2.so \
- /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
- test -z "$TEST_SSH_PKCS11" && return 1
- verbose "using token library $TEST_SSH_PKCS11"
- TEST_SSH_PIN=1234
- TEST_SSH_SOPIN=12345678
- if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then
- SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
- export SSH_PKCS11_HELPER
- fi
-
- # setup environment for softhsm2 token
- DIR=$OBJ/SOFTHSM
- rm -rf $DIR
- TOKEN=$DIR/tokendir
- mkdir -p $TOKEN
- SOFTHSM2_CONF=$DIR/softhsm2.conf
- export SOFTHSM2_CONF
- cat > $SOFTHSM2_CONF << EOF
-# SoftHSM v2 configuration file
-directories.tokendir = ${TOKEN}
-objectstore.backend = file
-# ERROR, WARNING, INFO, DEBUG
-log.level = DEBUG
-# If CKF_REMOVABLE_DEVICE flag should be set
-slots.removable = false
-EOF
- out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")
- slot=$(echo -- $out | sed 's/.* //')
- trace "generating keys"
- # RSA key
- RSA=${DIR}/RSA
- RSAP8=${DIR}/RSAP8
- $OPENSSL_BIN genpkey -algorithm rsa > $RSA 2>/dev/null || \
- fatal "genpkey RSA fail"
- $OPENSSL_BIN pkcs8 -nocrypt -in $RSA > $RSAP8 || fatal "pkcs8 RSA fail"
- softhsm2-util --slot "$slot" --label 01 --id 01 --pin "$TEST_SSH_PIN" \
- --import $RSAP8 >/dev/null || fatal "softhsm import RSA fail"
- chmod 600 $RSA
- ssh-keygen -y -f $RSA > ${RSA}.pub
- # ECDSA key
- ECPARAM=${DIR}/ECPARAM
- EC=${DIR}/EC
- ECP8=${DIR}/ECP8
- $OPENSSL_BIN genpkey -genparam -algorithm ec \
- -pkeyopt ec_paramgen_curve:prime256v1 > $ECPARAM || \
- fatal "param EC fail"
- $OPENSSL_BIN genpkey -paramfile $ECPARAM > $EC || \
- fatal "genpkey EC fail"
- $OPENSSL_BIN pkcs8 -nocrypt -in $EC > $ECP8 || fatal "pkcs8 EC fail"
- softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" \
- --import $ECP8 >/dev/null || fatal "softhsm import EC fail"
- chmod 600 $EC
- ssh-keygen -y -f $EC > ${EC}.pub
- # Prepare askpass script to load PIN.
- PIN_SH=$DIR/pin.sh
- cat > $PIN_SH << EOF
-#!/bin/sh
-echo "${TEST_SSH_PIN}"
-EOF
- chmod 0700 "$PIN_SH"
- PKCS11_OK=yes
- return 0
-}
-
-# Peforms ssh-add with the right token PIN.
-p11_ssh_add() {
- env SSH_ASKPASS="$PIN_SH" SSH_ASKPASS_REQUIRE=force ${SSHADD} "$@"
-}
-
p11_setup || skip "No PKCS#11 library found"

trace "start agent"
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 5b2f2938..bf4eeac3 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: test-exec.sh,v 1.102 2023/10/29 06:22:07 dtucker Exp $
+# $OpenBSD: test-exec.sh,v 1.103 2023/10/30 23:00:25 djm Exp $
# Placed in the Public Domain.

#SUDO=sudo
@@ -321,6 +321,8 @@ cat >$SSHDLOGWRAP <<EOD
timestamp="\`$OBJ/timestamp\`"
logfile="${TEST_SSH_LOGDIR}/\${timestamp}.sshd.\$\$.log"
rm -f $TEST_SSHD_LOGFILE
+touch \$logfile
+chown $USER \$logfile
ln -f -s \${logfile} $TEST_SSHD_LOGFILE
echo "Executing: ${SSHD} \$@" log \${logfile} >>$TEST_REGRESS_LOGFILE
echo "Executing: ${SSHD} \$@" >>\${logfile}
@@ -853,6 +855,95 @@ start_sshd ()
test -f $PIDFILE || fatal "no sshd running on port $PORT"
}

+# Find a PKCS#11 library.
+p11_find_lib() {
+ TEST_SSH_PKCS11=""
+ for _lib in "$@" ; do
+ if test -f "$_lib" ; then
+ TEST_SSH_PKCS11="$_lib"
+ return
+ fi
+ done
+}
+
+# Perform PKCS#11 setup: prepares a softhsm2 token configuration, generated
+# keys and loads them into the virtual token.
+PKCS11_OK=
+export PKCS11_OK
+p11_setup() {
+ p11_find_lib \
+ /usr/local/lib/softhsm/libsofthsm2.so \
+ /usr/lib64/pkcs11/libsofthsm2.so \
+ /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
+ test -z "$TEST_SSH_PKCS11" && return 1
+ verbose "using token library $TEST_SSH_PKCS11"
+ TEST_SSH_PIN=1234
+ TEST_SSH_SOPIN=12345678
+ if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then
+ SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
+ export SSH_PKCS11_HELPER
+ fi
+
+ # setup environment for softhsm2 token
+ SSH_SOFTHSM_DIR=$OBJ/SOFTHSM
+ export SSH_SOFTHSM_DIR
+ rm -rf $SSH_SOFTHSM_DIR
+ TOKEN=$SSH_SOFTHSM_DIR/tokendir
+ mkdir -p $TOKEN
+ SOFTHSM2_CONF=$SSH_SOFTHSM_DIR/softhsm2.conf
+ export SOFTHSM2_CONF
+ cat > $SOFTHSM2_CONF << EOF
+# SoftHSM v2 configuration file
+directories.tokendir = ${TOKEN}
+objectstore.backend = file
+# ERROR, WARNING, INFO, DEBUG
+log.level = DEBUG
+# If CKF_REMOVABLE_DEVICE flag should be set
+slots.removable = false
+EOF
+ out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")
+ slot=$(echo -- $out | sed 's/.* //')
+ trace "generating keys"
+ # RSA key
+ RSA=${SSH_SOFTHSM_DIR}/RSA
+ RSAP8=${SSH_SOFTHSM_DIR}/RSAP8
+ $OPENSSL_BIN genpkey -algorithm rsa > $RSA 2>/dev/null || \
+ fatal "genpkey RSA fail"
+ $OPENSSL_BIN pkcs8 -nocrypt -in $RSA > $RSAP8 || fatal "pkcs8 RSA fail"
+ softhsm2-util --slot "$slot" --label 01 --id 01 --pin "$TEST_SSH_PIN" \
+ --import $RSAP8 >/dev/null || fatal "softhsm import RSA fail"
+ chmod 600 $RSA
+ ssh-keygen -y -f $RSA > ${RSA}.pub
+ # ECDSA key
+ ECPARAM=${SSH_SOFTHSM_DIR}/ECPARAM
+ EC=${SSH_SOFTHSM_DIR}/EC
+ ECP8=${SSH_SOFTHSM_DIR}/ECP8
+ $OPENSSL_BIN genpkey -genparam -algorithm ec \
+ -pkeyopt ec_paramgen_curve:prime256v1 > $ECPARAM || \
+ fatal "param EC fail"
+ $OPENSSL_BIN genpkey -paramfile $ECPARAM > $EC || \
+ fatal "genpkey EC fail"
+ $OPENSSL_BIN pkcs8 -nocrypt -in $EC > $ECP8 || fatal "pkcs8 EC fail"
+ softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" \
+ --import $ECP8 >/dev/null || fatal "softhsm import EC fail"
+ chmod 600 $EC
+ ssh-keygen -y -f $EC > ${EC}.pub
+ # Prepare askpass script to load PIN.
+ PIN_SH=$SSH_SOFTHSM_DIR/pin.sh
+ cat > $PIN_SH << EOF
+#!/bin/sh
+echo "${TEST_SSH_PIN}"
+EOF
+ chmod 0700 "$PIN_SH"
+ PKCS11_OK=yes
+ return 0
+}
+
+# Peforms ssh-add with the right token PIN.
+p11_ssh_add() {
+ env SSH_ASKPASS="$PIN_SH" SSH_ASKPASS_REQUIRE=force ${SSHADD} "$@"
+}
+
# source test body
. $SCRIPT


--
To stop receiving notification emails like this one, please contact
djm@mindrot.org.
_______________________________________________
openssh-commits mailing list
openssh-commits@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-commits

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal