tidy and refactor PKCS#11 setup code
authordjm <djm@openbsd.org>
Mon, 30 Oct 2023 17:32:00 +0000 (17:32 +0000)
committerdjm <djm@openbsd.org>
Mon, 30 Oct 2023 17:32:00 +0000 (17:32 +0000)
Replace the use of a perl script to delete the controlling TTY with a
SSH_ASKPASS script to directly load the PIN.

Move PKCS#11 setup code to functions in anticipation of it being used
elsewhere in additional tests.

Reduce stdout spam

regress/usr.bin/ssh/agent-pkcs11.sh

index 66efa21..edbbc19 100644 (file)
@@ -1,26 +1,43 @@
-#      $OpenBSD: agent-pkcs11.sh,v 1.11 2023/10/06 03:32:15 djm Exp $
+#      $OpenBSD: agent-pkcs11.sh,v 1.12 2023/10/30 17:32:00 djm Exp $
 #      Placed in the Public Domain.
 
 tid="pkcs11 agent test"
 
-TEST_SSH_PIN=1234
-TEST_SSH_SOPIN=12345678
-TEST_SSH_PKCS11=/usr/local/lib/softhsm/libsofthsm2.so
-if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then
-       SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
-       export SSH_PKCS11_HELPER
-fi
+# Find a PKCS#11 library.
+p11_find_lib() {
+       TEST_SSH_PKCS11=""
+       for _lib in "$@" ; do
+               if test -f "$_lib" ; then
+                       TEST_SSH_PKCS11="$_lib"
+                       return
+               fi
+       done
+}
 
-test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist"
+# Perform PKCS#11 setup: prepares a softhsm2 token configuration, generated
+# keys and loads them into the virtual token.
+PKCS11_OK=
+export PKCS11_OK
+p11_setup() {
+       p11_find_lib \
+               /usr/local/lib/softhsm/libsofthsm2.so
+       test -z "$TEST_SSH_PKCS11" && return 1
+       verbose "using token library $TEST_SSH_PKCS11"
+       TEST_SSH_PIN=1234
+       TEST_SSH_SOPIN=12345678
+       if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then
+               SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
+               export SSH_PKCS11_HELPER
+       fi
 
-# setup environment for softhsm2 token
-DIR=$OBJ/SOFTHSM
-rm -rf $DIR
-TOKEN=$DIR/tokendir
-mkdir -p $TOKEN
-SOFTHSM2_CONF=$DIR/softhsm2.conf
-export SOFTHSM2_CONF
-cat > $SOFTHSM2_CONF << EOF
+       # setup environment for softhsm2 token
+       DIR=$OBJ/SOFTHSM
+       rm -rf $DIR
+       TOKEN=$DIR/tokendir
+       mkdir -p $TOKEN
+       SOFTHSM2_CONF=$DIR/softhsm2.conf
+       export SOFTHSM2_CONF
+       cat > $SOFTHSM2_CONF << EOF
 # SoftHSM v2 configuration file
 directories.tokendir = ${TOKEN}
 objectstore.backend = file
@@ -29,40 +46,50 @@ log.level = DEBUG
 # If CKF_REMOVABLE_DEVICE flag should be set
 slots.removable = false
 EOF
-out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")
-slot=$(echo -- $out | sed 's/.* //')
-
-# prevent ssh-agent from calling ssh-askpass
-SSH_ASKPASS=/usr/bin/true
-export SSH_ASKPASS
-unset DISPLAY
-
-# start command w/o tty, so ssh-add accepts pin from stdin
-# XXX could force askpass instead
-notty() {
-       perl -e 'use POSIX; POSIX::setsid(); 
-           if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
+       out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")
+       slot=$(echo -- $out | sed 's/.* //')
+       trace "generating keys"
+       # RSA key
+       RSA=${DIR}/RSA
+       RSAP8=${DIR}/RSAP8
+       $OPENSSL_BIN genpkey -algorithm rsa > $RSA 2>/dev/null || \
+           fatal "genpkey RSA fail"
+       $OPENSSL_BIN pkcs8 -nocrypt -in $RSA > $RSAP8 || fatal "pkcs8 RSA fail"
+       softhsm2-util --slot "$slot" --label 01 --id 01 --pin "$TEST_SSH_PIN" \
+           --import $RSAP8 >/dev/null || fatal "softhsm import RSA fail"
+       chmod 600 $RSA
+       ssh-keygen -y -f $RSA > ${RSA}.pub
+       # ECDSA key
+       ECPARAM=${DIR}/ECPARAM
+       EC=${DIR}/EC
+       ECP8=${DIR}/ECP8
+       $OPENSSL_BIN genpkey -genparam -algorithm ec \
+           -pkeyopt ec_paramgen_curve:prime256v1 > $ECPARAM || \
+           fatal "param EC fail"
+       $OPENSSL_BIN genpkey -paramfile $ECPARAM > $EC || \
+           fatal "genpkey EC fail"
+       $OPENSSL_BIN pkcs8 -nocrypt -in $EC > $ECP8 || fatal "pkcs8 EC fail"
+       softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" \
+           --import $ECP8 >/dev/null || fatal "softhsm import EC fail"
+       chmod 600 $EC
+       ssh-keygen -y -f $EC > ${EC}.pub
+       # Prepare askpass script to load PIN.
+       PIN_SH=$DIR/pin.sh
+       cat > $PIN_SH << EOF
+#!/bin/sh
+echo "${TEST_SSH_PIN}"
+EOF
+       chmod 0700 "$PIN_SH"
+       PKCS11_OK=yes
+       return 0
 }
 
-trace "generating keys"
-RSA=${DIR}/RSA
-RSAP8=${DIR}/RSAP8
-ECPARAM=${DIR}/ECPARAM
-EC=${DIR}/EC
-ECP8=${DIR}/ECP8
-$OPENSSL_BIN genpkey -algorithm rsa > $RSA || fatal "genpkey RSA fail"
-$OPENSSL_BIN pkcs8 -nocrypt -in $RSA > $RSAP8 || fatal "pkcs8 RSA fail"
-softhsm2-util --slot "$slot" --label 01 --id 01 \
-    --pin "$TEST_SSH_PIN" --import $RSAP8 || fatal "softhsm import RSA fail"
+# Peforms ssh-add with the right token PIN.
+p11_ssh_add() {
+       env SSH_ASKPASS="$PIN_SH" SSH_ASKPASS_REQUIRE=force ${SSHADD} "$@"
+}
 
-$OPENSSL_BIN genpkey \
-    -genparam \
-    -algorithm ec \
-    -pkeyopt ec_paramgen_curve:prime256v1 > $ECPARAM || fatal "param EC fail"
-$OPENSSL_BIN genpkey -paramfile $ECPARAM > $EC || fatal "genpkey EC fail"
-$OPENSSL_BIN pkcs8 -nocrypt -in $EC > $ECP8 || fatal "pkcs8 EC fail"
-softhsm2-util --slot "$slot" --label 02 --id 02 \
-    --pin "$TEST_SSH_PIN" --import $ECP8 || fatal "softhsm import EC fail"
+p11_setup || skip "No PKCS#11 library found"
 
 trace "start agent"
 eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
@@ -71,7 +98,7 @@ if [ $r -ne 0 ]; then
        fail "could not start ssh-agent: exit code $r"
 else
        trace "add pkcs11 key to agent"
-       echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
+       p11_ssh_add -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
        r=$?
        if [ $r -ne 0 ]; then
                fail "ssh-add -s failed: exit code $r"
@@ -86,8 +113,6 @@ else
 
        for k in $RSA $EC; do
                trace "testing $k"
-               chmod 600 $k
-               ssh-keygen -y -f $k > $k.pub
                pub=$(cat $k.pub)
                ${SSHADD} -L | grep -q "$pub" || \
                        fail "key $k missing in ssh-add -L"
@@ -104,7 +129,7 @@ else
        done
 
        trace "remove pkcs11 keys"
-       echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
+       p11_ssh_add -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
        r=$?
        if [ $r -ne 0 ]; then
                fail "ssh-add -e failed: exit code $r"