-# $OpenBSD: agent-pkcs11.sh,v 1.11 2023/10/06 03:32:15 djm Exp $
+# $OpenBSD: agent-pkcs11.sh,v 1.12 2023/10/30 17:32:00 djm Exp $
# Placed in the Public Domain.
tid="pkcs11 agent test"
-TEST_SSH_PIN=1234
-TEST_SSH_SOPIN=12345678
-TEST_SSH_PKCS11=/usr/local/lib/softhsm/libsofthsm2.so
-if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then
- SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
- export SSH_PKCS11_HELPER
-fi
+# Find a PKCS#11 library.
+p11_find_lib() {
+ TEST_SSH_PKCS11=""
+ for _lib in "$@" ; do
+ if test -f "$_lib" ; then
+ TEST_SSH_PKCS11="$_lib"
+ return
+ fi
+ done
+}
-test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist"
+# Perform PKCS#11 setup: prepares a softhsm2 token configuration, generated
+# keys and loads them into the virtual token.
+PKCS11_OK=
+export PKCS11_OK
+p11_setup() {
+ p11_find_lib \
+ /usr/local/lib/softhsm/libsofthsm2.so
+ test -z "$TEST_SSH_PKCS11" && return 1
+ verbose "using token library $TEST_SSH_PKCS11"
+ TEST_SSH_PIN=1234
+ TEST_SSH_SOPIN=12345678
+ if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then
+ SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
+ export SSH_PKCS11_HELPER
+ fi
-# setup environment for softhsm2 token
-DIR=$OBJ/SOFTHSM
-rm -rf $DIR
-TOKEN=$DIR/tokendir
-mkdir -p $TOKEN
-SOFTHSM2_CONF=$DIR/softhsm2.conf
-export SOFTHSM2_CONF
-cat > $SOFTHSM2_CONF << EOF
+ # setup environment for softhsm2 token
+ DIR=$OBJ/SOFTHSM
+ rm -rf $DIR
+ TOKEN=$DIR/tokendir
+ mkdir -p $TOKEN
+ SOFTHSM2_CONF=$DIR/softhsm2.conf
+ export SOFTHSM2_CONF
+ cat > $SOFTHSM2_CONF << EOF
# SoftHSM v2 configuration file
directories.tokendir = ${TOKEN}
objectstore.backend = file
# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false
EOF
-out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")
-slot=$(echo -- $out | sed 's/.* //')
-
-# prevent ssh-agent from calling ssh-askpass
-SSH_ASKPASS=/usr/bin/true
-export SSH_ASKPASS
-unset DISPLAY
-
-# start command w/o tty, so ssh-add accepts pin from stdin
-# XXX could force askpass instead
-notty() {
- perl -e 'use POSIX; POSIX::setsid();
- if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
+ out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")
+ slot=$(echo -- $out | sed 's/.* //')
+ trace "generating keys"
+ # RSA key
+ RSA=${DIR}/RSA
+ RSAP8=${DIR}/RSAP8
+ $OPENSSL_BIN genpkey -algorithm rsa > $RSA 2>/dev/null || \
+ fatal "genpkey RSA fail"
+ $OPENSSL_BIN pkcs8 -nocrypt -in $RSA > $RSAP8 || fatal "pkcs8 RSA fail"
+ softhsm2-util --slot "$slot" --label 01 --id 01 --pin "$TEST_SSH_PIN" \
+ --import $RSAP8 >/dev/null || fatal "softhsm import RSA fail"
+ chmod 600 $RSA
+ ssh-keygen -y -f $RSA > ${RSA}.pub
+ # ECDSA key
+ ECPARAM=${DIR}/ECPARAM
+ EC=${DIR}/EC
+ ECP8=${DIR}/ECP8
+ $OPENSSL_BIN genpkey -genparam -algorithm ec \
+ -pkeyopt ec_paramgen_curve:prime256v1 > $ECPARAM || \
+ fatal "param EC fail"
+ $OPENSSL_BIN genpkey -paramfile $ECPARAM > $EC || \
+ fatal "genpkey EC fail"
+ $OPENSSL_BIN pkcs8 -nocrypt -in $EC > $ECP8 || fatal "pkcs8 EC fail"
+ softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" \
+ --import $ECP8 >/dev/null || fatal "softhsm import EC fail"
+ chmod 600 $EC
+ ssh-keygen -y -f $EC > ${EC}.pub
+ # Prepare askpass script to load PIN.
+ PIN_SH=$DIR/pin.sh
+ cat > $PIN_SH << EOF
+#!/bin/sh
+echo "${TEST_SSH_PIN}"
+EOF
+ chmod 0700 "$PIN_SH"
+ PKCS11_OK=yes
+ return 0
}
-trace "generating keys"
-RSA=${DIR}/RSA
-RSAP8=${DIR}/RSAP8
-ECPARAM=${DIR}/ECPARAM
-EC=${DIR}/EC
-ECP8=${DIR}/ECP8
-$OPENSSL_BIN genpkey -algorithm rsa > $RSA || fatal "genpkey RSA fail"
-$OPENSSL_BIN pkcs8 -nocrypt -in $RSA > $RSAP8 || fatal "pkcs8 RSA fail"
-softhsm2-util --slot "$slot" --label 01 --id 01 \
- --pin "$TEST_SSH_PIN" --import $RSAP8 || fatal "softhsm import RSA fail"
+# Peforms ssh-add with the right token PIN.
+p11_ssh_add() {
+ env SSH_ASKPASS="$PIN_SH" SSH_ASKPASS_REQUIRE=force ${SSHADD} "$@"
+}
-$OPENSSL_BIN genpkey \
- -genparam \
- -algorithm ec \
- -pkeyopt ec_paramgen_curve:prime256v1 > $ECPARAM || fatal "param EC fail"
-$OPENSSL_BIN genpkey -paramfile $ECPARAM > $EC || fatal "genpkey EC fail"
-$OPENSSL_BIN pkcs8 -nocrypt -in $EC > $ECP8 || fatal "pkcs8 EC fail"
-softhsm2-util --slot "$slot" --label 02 --id 02 \
- --pin "$TEST_SSH_PIN" --import $ECP8 || fatal "softhsm import EC fail"
+p11_setup || skip "No PKCS#11 library found"
trace "start agent"
eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
fail "could not start ssh-agent: exit code $r"
else
trace "add pkcs11 key to agent"
- echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
+ p11_ssh_add -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
fail "ssh-add -s failed: exit code $r"
for k in $RSA $EC; do
trace "testing $k"
- chmod 600 $k
- ssh-keygen -y -f $k > $k.pub
pub=$(cat $k.pub)
${SSHADD} -L | grep -q "$pub" || \
fail "key $k missing in ssh-add -L"
done
trace "remove pkcs11 keys"
- echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
+ p11_ssh_add -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
fail "ssh-add -e failed: exit code $r"