agent-pkcs11.sh revision 1.5 
1#	$OpenBSD: agent-pkcs11.sh,v 1.5 2019/01/20 23:26:44 djm Exp $
2#	Placed in the Public Domain.
3
4tid="pkcs11 agent test"
5
6TEST_SSH_PIN=1234
7TEST_SSH_SOPIN=12345678
8TEST_SSH_PKCS11=/usr/local/lib/softhsm/libsofthsm2.so
9if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then
10	SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
11	export SSH_PKCS11_HELPER
12fi
13
14test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist"
15
16# setup environment for softhsm2 token
17DIR=$OBJ/SOFTHSM
18rm -rf $DIR
19TOKEN=$DIR/tokendir
20mkdir -p $TOKEN
21SOFTHSM2_CONF=$DIR/softhsm2.conf
22export SOFTHSM2_CONF
23cat > $SOFTHSM2_CONF << EOF
24# SoftHSM v2 configuration file
25directories.tokendir = ${TOKEN}
26objectstore.backend = file
27# ERROR, WARNING, INFO, DEBUG
28log.level = DEBUG
29# If CKF_REMOVABLE_DEVICE flag should be set
30slots.removable = false
31EOF
32out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")
33slot=$(echo -- $out | sed 's/.* //')
34
35# prevent ssh-agent from calling ssh-askpass
36SSH_ASKPASS=/usr/bin/true
37export SSH_ASKPASS
38unset DISPLAY
39
40# start command w/o tty, so ssh-add accepts pin from stdin
41notty() {
42	perl -e 'use POSIX; POSIX::setsid(); 
43	    if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
44}
45
46trace "generating keys"
47RSA=${DIR}/RSA
48EC=${DIR}/EC
49openssl genpkey -algorithm rsa > $RSA
50openssl pkcs8 -nocrypt -in $RSA |\
51    softhsm2-util --slot "$slot" --label 01 --id 01 --pin "$TEST_SSH_PIN" --import /dev/stdin
52openssl genpkey \
53    -genparam \
54    -algorithm ec \
55    -pkeyopt ec_paramgen_curve:prime256v1 |\
56    openssl genpkey \
57    -paramfile /dev/stdin > $EC
58openssl pkcs8 -nocrypt -in $EC |\
59    softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" --import /dev/stdin
60
61LIBCRYPTO=${OBJ}/../../../../lib/libcrypto/obj
62
63trace "start agent"
64eval `LD_LIBRARY_PATH=$LIBCRYPTO ${SSHAGENT} -s` > /dev/null
65r=$?
66if [ $r -ne 0 ]; then
67	fail "could not start ssh-agent: exit code $r"
68else
69	trace "add pkcs11 key to agent"
70	echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
71	r=$?
72	if [ $r -ne 0 ]; then
73		fail "ssh-add -s failed: exit code $r"
74	fi
75
76	trace "pkcs11 list via agent"
77	${SSHADD} -l > /dev/null 2>&1
78	r=$?
79	if [ $r -ne 0 ]; then
80		fail "ssh-add -l failed: exit code $r"
81	fi
82
83	for k in $RSA $EC; do
84		trace "testing $k"
85		chmod 600 $k
86		ssh-keygen -y -f $k > $k.pub
87		pub=$(cat $k.pub)
88		${SSHADD} -L | grep -q "$pub" || fail "key $k missing in ssh-add -L"
89		${SSHADD} -T $k.pub || fail "ssh-add -T with $k failed"
90
91		# add to authorized keys
92		cat $k.pub > $OBJ/authorized_keys_$USER
93		trace "pkcs11 connect via agent ($k)"
94		${SSH} -F $OBJ/ssh_proxy somehost exit 5
95		r=$?
96		if [ $r -ne 5 ]; then
97			fail "ssh connect failed (exit code $r)"
98		fi
99	done
100
101	trace "remove pkcs11 keys"
102	echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
103	r=$?
104	if [ $r -ne 0 ]; then
105		fail "ssh-add -e failed: exit code $r"
106	fi
107
108	trace "kill agent"
109	${SSHAGENT} -k > /dev/null
110fi
111