1#	$OpenBSD: agent-pkcs11.sh,v 1.4 2019/01/20 23:25:25 djm Exp $
2#	Placed in the Public Domain.
3
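tid="pkcs11 agent test"

# Throwaway PIN / SO-PIN for the scratch SoftHSM2 token created below.
# They are test fixtures only: the token lives under $OBJ and is rebuilt
# from scratch on every run, so these values protect nothing real.
TEST_SSH_PIN=1234
TEST_SSH_SOPIN=12345678
# PKCS#11 provider under test.  Defaults to the usual SoftHSM2 install
# location; a caller may point it elsewhere via the environment (the
# same variable name is used, so an exported TEST_SSH_PKCS11 wins).
TEST_SSH_PKCS11=${TEST_SSH_PKCS11:-/usr/local/lib/softhsm/libsofthsm2.so}

test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist"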
11
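# setup environment for softhsm2 token
# The token directory is wiped first so objects left behind by an earlier
# run cannot leak into (or break) this one.  ${OBJ:?} aborts instead of
# letting the rm target degrade to "/SOFTHSM" if the harness ever fails
# to set OBJ.
DIR=${OBJ:?}/SOFTHSM
rm -rf "$DIR"
TOKEN=$DIR/tokendir
mkdir -p "$TOKEN"
SOFTHSM2_CONF=$DIR/softhsm2.conf
export SOFTHSM2_CONF
cat > "$SOFTHSM2_CONF" << EOF
# SoftHSM v2 configuration file
directories.tokendir = ${TOKEN}
objectstore.backend = file
# ERROR, WARNING, INFO, DEBUG
log.level = DEBUG
# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false
EOF
# Initialise a token in the first free slot and pick the slot number
# softhsm2-util assigned to it from the last word of its output.  Both the
# tool's exit status and the parsed value are checked: a bad slot would
# otherwise only surface later as a failed key import.
out=$(softhsm2-util --init-token --free --label token-slot-0 \
    --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN") ||
    fatal "softhsm2-util --init-token failed: $out"
# $out is deliberately unquoted: its lines are collapsed onto one so the
# sed expression strips everything up to the final space.
slot=$(echo -- $out | sed 's/.* //')
case "$slot" in
''|*[!0-9]*)
	fatal "could not determine softhsm2 slot from: $out"
	;;
esac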
30
# Make sure neither ssh-add nor ssh-agent ever tries to pop up
# ssh-askpass: point SSH_ASKPASS at a no-op and drop DISPLAY, so the
# only remaining place to read the PIN from is stdin.
export SSH_ASKPASS=/usr/bin/true
unset DISPLAY
35
36# start command w/o tty, so ssh-add accepts pin from stdin
37notty() {
38	perl -e 'use POSIX; POSIX::setsid(); 
39	    if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
40}
41
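trace "generating keys"
RSA=${DIR}/RSA
EC=${DIR}/EC
# The test keys are generated with openssl and imported into the token as
# unencrypted PKCS#8 ("openssl pkcs8 -nocrypt"), streamed through a pipe
# rather than written to a second file.  RSA size and EC curve are pinned
# so the test does not depend on the installed openssl's defaults.  Every
# step is checked: a silently failed import would only show up later as a
# confusing "key missing in ssh-add -L".
# NOTE: --pin puts the PIN on softhsm2-util's command line, where it is
# visible in ps; acceptable only because this is a throwaway test-token PIN.
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 > "$RSA" ||
    fatal "openssl genpkey (rsa) failed"
openssl pkcs8 -nocrypt -in "$RSA" |
    softhsm2-util --slot "$slot" --label 01 --id 01 \
	--pin "$TEST_SSH_PIN" --import /dev/stdin ||
    fatal "softhsm2-util --import of RSA key failed"
openssl genpkey \
    -genparam \
    -algorithm ec \
    -pkeyopt ec_paramgen_curve:prime256v1 |
    openssl genpkey -paramfile /dev/stdin > "$EC" ||
    fatal "openssl genpkey (ec) failed"
openssl pkcs8 -nocrypt -in "$EC" |
    softhsm2-util --slot "$slot" --label 02 --id 02 \
	--pin "$TEST_SSH_PIN" --import /dev/stdin ||
    fatal "softhsm2-util --import of EC key failed"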
56
# libcrypto build directory four levels above $OBJ (presumably the
# in-tree library); ssh-agent is started with this on LD_LIBRARY_PATH.
LIBCRYPTO="${OBJ}/../../../../lib/libcrypto/obj"
58
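trace "start agent"
# ssh-agent's exit status is taken from the command substitution itself.
# Eval'ing its output after a failed start would run an empty string,
# which returns 0 and would mask the failure.
agent_env=$(LD_LIBRARY_PATH=$LIBCRYPTO ${SSHAGENT} -s)
r=$?
if [ $r -ne 0 ]; then
	fail "could not start ssh-agent: exit code $r"
else
	eval "$agent_env" > /dev/null

	trace "add pkcs11 key to agent"
	# The PIN goes in on stdin (not argv, where it would show up in ps);
	# notty detaches from the terminal so ssh-add really reads it there.
	echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
	r=$?
	if [ $r -ne 0 ]; then
		fail "ssh-add -s failed: exit code $r"
	fi

	trace "pkcs11 list via agent"
	${SSHADD} -l > /dev/null 2>&1
	r=$?
	if [ $r -ne 0 ]; then
		fail "ssh-add -l failed: exit code $r"
	fi

	for k in $RSA $EC; do
		trace "testing $k"
		chmod 600 $k
		# Derive the expected public key from the PEM file.  This must
		# not fail quietly: an empty $pub would make the grep below
		# match every line of "ssh-add -L" and the check vacuous.
		ssh-keygen -y -f $k > $k.pub || fail "ssh-keygen -y on $k failed"
		pub=$(cat $k.pub)
		[ -n "$pub" ] || fail "empty public key for $k"
		# -F: the base64 blob is a literal string, not a regex.
		${SSHADD} -L | grep -qF -- "$pub" ||
		    fail "key $k missing in ssh-add -L"
		${SSHADD} -T $k.pub || fail "ssh-add -T with $k failed"

		# Authorize just this key, so the connection below can only
		# succeed with it; "exit 5" confirms the session really ran.
		cat $k.pub > $OBJ/authorized_keys_$USER
		trace "pkcs11 connect via agent ($k)"
		${SSH} -F $OBJ/ssh_proxy somehost exit 5
		r=$?
		if [ $r -ne 5 ]; then
			fail "ssh connect failed (exit code $r)"
		fi
	done

	trace "remove pkcs11 keys"
	echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
	r=$?
	if [ $r -ne 0 ]; then
		fail "ssh-add -e failed: exit code $r"
	fi

	trace "kill agent"
	${SSHAGENT} -k > /dev/null
fi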
107