p11test: Reformat the script and allow running against softhsm ed25519 keys (with few tweaks)
The Ed25519 implementation in SoftHSM is currently broken/non-interoperable. Once that is fixed, the interoperability tests should work with this script; the SoftHSM fixes are: * SoftHSMv2#528: Avoid creating duplicate mechanisms * SoftHSMv2#522: Fix advertised min and max mechanism sizes according to the final PKCS#11 3.0 specification * SoftHSMv2#526: Adjust EDDSA code to return valid EC_PARAMS according to the final PKCS #11 3.0 specification
parent
35cfc291ce
commit
091b7670eb
|
@ -29,6 +29,7 @@ function generate_cert() {
|
||||||
TYPE="$1"
|
TYPE="$1"
|
||||||
ID="$2"
|
ID="$2"
|
||||||
LABEL="$3"
|
LABEL="$3"
|
||||||
|
CERT="$4" # whether to generate certificate too
|
||||||
|
|
||||||
# Generate key pair
|
# Generate key pair
|
||||||
$PKCS11_TOOL --keypairgen --key-type="$TYPE" --login --pin=$PIN \
|
$PKCS11_TOOL --keypairgen --key-type="$TYPE" --login --pin=$PIN \
|
||||||
|
@ -39,104 +40,116 @@ function generate_cert() {
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# check type value for the PKCS#11 URI (RHEL7 is using old "object-type")
|
# We can not do this with EdDSA keys as they are not supported in certtool
|
||||||
TYPE_KEY="type"
|
# We can not do this with curve25519 keys as they do not need to support signatures at all
|
||||||
p11tool --list-all --provider="$P11LIB" --login | grep "object-type" && \
|
if [[ "$CERT" -ne 0 ]]; then
|
||||||
TYPE_KEY="object-type"
|
# check type value for the PKCS#11 URI (RHEL7 is using old "object-type")
|
||||||
|
TYPE_KEY="type"
|
||||||
|
p11tool --list-all --provider="$P11LIB" --login | grep "object-type" && \
|
||||||
|
TYPE_KEY="object-type"
|
||||||
|
|
||||||
# Generate certificate
|
# Generate certificate
|
||||||
certtool --generate-self-signed --outfile="$TYPE.cert" --template=cert.cfg \
|
certtool --generate-self-signed --outfile="$TYPE.cert" --template=cert.cfg \
|
||||||
--provider="$P11LIB" --load-privkey "pkcs11:object=$LABEL;$TYPE_KEY=private" \
|
--provider="$P11LIB" --load-privkey "pkcs11:object=$LABEL;$TYPE_KEY=private" \
|
||||||
--load-pubkey "pkcs11:object=$LABEL;$TYPE_KEY=public"
|
--load-pubkey "pkcs11:object=$LABEL;$TYPE_KEY=public"
|
||||||
# convert to DER:
|
# convert to DER:
|
||||||
openssl x509 -inform PEM -outform DER -in "$TYPE.cert" -out "$TYPE.cert.der"
|
openssl x509 -inform PEM -outform DER -in "$TYPE.cert" -out "$TYPE.cert.der"
|
||||||
# Write certificate
|
# Write certificate
|
||||||
#p11tool --login --write --load-certificate="$TYPE.cert" --label="$LABEL" \
|
#p11tool --login --write --load-certificate="$TYPE.cert" --label="$LABEL" \
|
||||||
# --provider="$P11LIB"
|
# --provider="$P11LIB"
|
||||||
$PKCS11_TOOL --write-object "$TYPE.cert.der" --type=cert --id=$ID \
|
$PKCS11_TOOL --write-object "$TYPE.cert.der" --type=cert --id=$ID \
|
||||||
--label="$LABEL" --module="$P11LIB"
|
--label="$LABEL" --module="$P11LIB"
|
||||||
|
|
||||||
rm "$TYPE.cert" "$TYPE.cert.der"
|
rm "$TYPE.cert" "$TYPE.cert.der"
|
||||||
|
fi
|
||||||
|
|
||||||
p11tool --login --provider="$P11LIB" --list-all
|
p11tool --login --provider="$P11LIB" --list-all
|
||||||
}
|
}
|
||||||
|
|
||||||
function card_setup() {
|
function card_setup() {
|
||||||
ECC_KEYS=1
|
ECC_KEYS=1
|
||||||
case $1 in
|
EDDSA=1
|
||||||
"softhsm")
|
case $1 in
|
||||||
P11LIB="/usr/lib64/pkcs11/libsofthsm2.so"
|
"softhsm")
|
||||||
echo "directories.tokendir = .tokens/" > .softhsm2.conf
|
P11LIB="/usr/lib64/pkcs11/libsofthsm2.so"
|
||||||
mkdir ".tokens"
|
echo "directories.tokendir = .tokens/" > .softhsm2.conf
|
||||||
export SOFTHSM2_CONF=".softhsm2.conf"
|
mkdir ".tokens"
|
||||||
# Init token
|
export SOFTHSM2_CONF=".softhsm2.conf"
|
||||||
softhsm2-util --init-token --slot 0 --label "SC test" --so-pin="$SOPIN" --pin="$PIN"
|
# Init token
|
||||||
;;
|
softhsm2-util --init-token --slot 0 --label "SC test" --so-pin="$SOPIN" --pin="$PIN"
|
||||||
"opencryptoki")
|
;;
|
||||||
# Supports only RSA mechanisms
|
"opencryptoki")
|
||||||
ECC_KEYS=0
|
# Supports only RSA mechanisms
|
||||||
P11LIB="/usr/lib64/pkcs11/libopencryptoki.so"
|
ECC_KEYS=0
|
||||||
SO_PIN=87654321
|
EDDSA=0
|
||||||
SLOT_ID=3 # swtok slot
|
P11LIB="/usr/lib64/pkcs11/libopencryptoki.so"
|
||||||
systemctl is-active pkcsslotd > /dev/null
|
SO_PIN=87654321
|
||||||
if [[ "$?" -ne "0" ]]; then
|
SLOT_ID=3 # swtok slot
|
||||||
echo "Opencryptoki needs pkcsslotd running"
|
systemctl is-active pkcsslotd > /dev/null
|
||||||
exit 1
|
if [[ "$?" -ne "0" ]]; then
|
||||||
fi
|
echo "Opencryptoki needs pkcsslotd running"
|
||||||
groups | grep pkcs11 > /dev/null
|
exit 1
|
||||||
if [[ "$?" -ne "0" ]]; then
|
|
||||||
echo "Opencryptoki requires the user to be in pkcs11 group"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
echo "test_swtok" | /usr/sbin/pkcsconf -I -c $SLOT_ID -S $SO_PIN
|
|
||||||
/usr/sbin/pkcsconf -u -c $SLOT_ID -S $SO_PIN -n $PIN
|
|
||||||
;;
|
|
||||||
"readonly")
|
|
||||||
GENERATE_KEYS=0
|
|
||||||
if [[ ! -z "$2" && -f "$2" ]]; then
|
|
||||||
P11LIB="$2"
|
|
||||||
else
|
|
||||||
P11LIB="/usr/lib64/pkcs11/opensc-pkcs11.so"
|
|
||||||
P11LIB="../pkcs11/.libs/opensc-pkcs11.so"
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "Error: Missing argument."
|
|
||||||
echo " Usage:"
|
|
||||||
echo " runtest.sh [softhsm|opencryptoki|readonly [pkcs-library.so]]"
|
|
||||||
exit 1;
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
if [[ $GENERATE_KEYS -eq 1 ]]; then
|
|
||||||
# Generate 1024b RSA Key pair
|
|
||||||
generate_cert "RSA:1024" "01" "RSA_auth"
|
|
||||||
# Generate 2048b RSA Key pair
|
|
||||||
generate_cert "RSA:2048" "02" "RSA2048"
|
|
||||||
if [[ $ECC_KEYS -eq 1 ]]; then
|
|
||||||
# Generate 256b ECC Key pair
|
|
||||||
generate_cert "EC:secp256r1" "03" "ECC_auth"
|
|
||||||
# Generate 521b ECC Key pair
|
|
||||||
generate_cert "EC:secp521r1" "04" "ECC521"
|
|
||||||
fi
|
fi
|
||||||
|
groups | grep pkcs11 > /dev/null
|
||||||
|
if [[ "$?" -ne "0" ]]; then
|
||||||
|
echo "Opencryptoki requires the user to be in pkcs11 group"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
echo "test_swtok" | /usr/sbin/pkcsconf -I -c $SLOT_ID -S $SO_PIN
|
||||||
|
/usr/sbin/pkcsconf -u -c $SLOT_ID -S $SO_PIN -n $PIN
|
||||||
|
;;
|
||||||
|
"readonly")
|
||||||
|
GENERATE_KEYS=0
|
||||||
|
if [[ ! -z "$2" && -f "$2" ]]; then
|
||||||
|
P11LIB="$2"
|
||||||
|
else
|
||||||
|
P11LIB="/usr/lib64/pkcs11/opensc-pkcs11.so"
|
||||||
|
P11LIB="../pkcs11/.libs/opensc-pkcs11.so"
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "Error: Missing argument."
|
||||||
|
echo " Usage:"
|
||||||
|
echo " runtest.sh [softhsm|opencryptoki|readonly [pkcs-library.so]]"
|
||||||
|
exit 1;
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
if [[ $GENERATE_KEYS -eq 1 ]]; then
|
||||||
|
# Generate 1024b RSA Key pair
|
||||||
|
generate_cert "RSA:1024" "01" "RSA_auth" 1
|
||||||
|
# Generate 2048b RSA Key pair
|
||||||
|
generate_cert "RSA:2048" "02" "RSA2048" 1
|
||||||
|
if [[ $ECC_KEYS -eq 1 ]]; then
|
||||||
|
# Generate 256b ECC Key pair
|
||||||
|
generate_cert "EC:secp256r1" "03" "ECC_auth" 1
|
||||||
|
# Generate 521b ECC Key pair
|
||||||
|
generate_cert "EC:secp521r1" "04" "ECC521" 1
|
||||||
fi
|
fi
|
||||||
|
if [[ $EDDSA -eq 1 ]]; then
|
||||||
|
# Generate Ed25519
|
||||||
|
generate_cert "EC:edwards25519" "05" "EDDSA" 0
|
||||||
|
# Generate curve25519
|
||||||
|
#generate_cert "EC:curve25519" "06" "Curve25519" 0
|
||||||
|
# not supported by softhsm either
|
||||||
|
fi
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
function card_cleanup() {
|
function card_cleanup() {
|
||||||
case $1 in
|
case $1 in
|
||||||
"softhsm")
|
"softhsm")
|
||||||
rm .softhsm2.conf
|
rm .softhsm2.conf
|
||||||
rm -rf ".tokens"
|
rm -rf ".tokens"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
card_setup "$@"
|
card_setup "$@"
|
||||||
|
|
||||||
make p11test || exit
|
make p11test || exit
|
||||||
if [[ "$PKCS11SPY" -ne "" ]]; then
|
if [[ "$PKCS11SPY" != "" ]]; then
|
||||||
export PKCS11SPY="$P11LIB"
|
export PKCS11SPY="$P11LIB"
|
||||||
$VALGRIND ./p11test -m /usr/lib64/pkcs11/pkcs11-spy.so -p $PIN
|
$VALGRIND ./p11test -m ../../pkcs11/.libs/pkcs11-spy.so -p $PIN &> /tmp/spy.log
|
||||||
else
|
else
|
||||||
#bash
|
#bash
|
||||||
$VALGRIND ./p11test -m "$P11LIB" -o test.json -p $PIN
|
$VALGRIND ./p11test -m "$P11LIB" -o test.json -p $PIN
|
||||||
|
|
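Review bot: `CERT="$4"` in generate_cert makes the certificate step opt-in, but a caller that still passes only three arguments gets an empty `$CERT`, and `[[ "" -ne 0 ]]` evaluates false, so such a call now silently skips the certificate it used to get; `CERT="${4:-1}" # whether to generate certificate too` keeps the previous behaviour for any caller this commit does not update. Every caller visible in this diff does pass the fourth argument, so this only affects callers outside the hunk. Separately, the spy branch now redirects `$VALGRIND ./p11test -m ../../pkcs11/.libs/pkcs11-spy.so -p $PIN &> /tmp/spy.log` to a fixed path in the shared /tmp; the spy trace logs the arguments of every PKCS#11 call, which includes the PIN handed to C_Login, so a per-run file from `mktemp` (or one inside the test's own working directory) would avoid clobbering another user's file and leaving the PIN at a predictable location. The generate_cert function starts before this hunk, and `GENERATE_KEYS` is never initialised within it, so its default presumably comes from earlier in the script.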