agent-pkcs11.sh revision 1.5
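# $OpenBSD: agent-pkcs11.sh,v 1.5 2019/01/20 23:26:44 djm Exp $
# Placed in the Public Domain.

# Regression test: load keys held by a PKCS#11 token (SoftHSM v2) into
# ssh-agent, check that they are listed and usable for authentication,
# then remove them again.  This file is sourced by the regress harness,
# which provides $OBJ, ${SSHAGENT}, ${SSHADD}, ${SSH}, trace(), fail()
# and fatal().
tid="pkcs11 agent test"

# Test-only credentials for the throwaway SoftHSM token created below;
# the token directory is wiped and recreated on every run.
TEST_SSH_PIN=1234
TEST_SSH_SOPIN=12345678
TEST_SSH_PKCS11=/usr/local/lib/softhsm/libsofthsm2.so
# Let the harness point ssh-agent at a not-yet-installed helper binary.
if [ -n "$TEST_SSH_SSHPKCS11HELPER" ]; then
	SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
	export SSH_PKCS11_HELPER
fi

test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist"

# setup environment for softhsm2 token
# ${OBJ:?} aborts instead of expanding to "/SOFTHSM" when the harness
# variable is missing, so the rm -rf below can never touch a system path.
DIR="${OBJ:?OBJ must be set by the test harness}/SOFTHSM"
rm -rf -- "$DIR"
TOKEN="$DIR/tokendir"
mkdir -p -- "$TOKEN"
SOFTHSM2_CONF="$DIR/softhsm2.conf"
export SOFTHSM2_CONF
cat > "$SOFTHSM2_CONF" << EOF
# SoftHSM v2 configuration file
directories.tokendir = ${TOKEN}
objectstore.backend = file
# ERROR, WARNING, INFO, DEBUG
log.level = DEBUG
# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false
EOF
out=$(softhsm2-util --init-token --free --label token-slot-0 \
    --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN") ||
    fatal "softhsm2-util --init-token failed"
# softhsm2-util reports the (re)assigned slot id as the last word of its
# output.  Word-splitting $out is intentional: printf then emits one
# word per line and sed keeps the last one, whether the message spans
# one line or several (and without echo interpreting a leading '-').
# shellcheck disable=SC2086
slot=$(printf '%s\n' $out | sed -n '$p')
test -n "$slot" || fatal "could not determine softhsm2 slot id"

# prevent ssh-agent from calling ssh-askpass
SSH_ASKPASS=/usr/bin/true
export SSH_ASKPASS
unset DISPLAY

# start command w/o tty, so ssh-add accepts pin from stdin
# Runs "$@" in a fresh session (setsid, hence no controlling terminal)
# and propagates the child's exit status to the caller.
notty() {
	perl -e 'use POSIX; POSIX::setsid();
	    if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
}

trace "generating keys"
RSA="${DIR}/RSA"
EC="${DIR}/EC"
# Generate each private key on the host, keep a copy on disk (used later
# to derive the public key and for ssh-add -T), and import it into the
# token under the label/id the PKCS#11 provider will expose.  Without
# pipefail only the last stage of each pipeline is checked.
openssl genpkey -algorithm rsa > "$RSA" || fatal "openssl genpkey rsa failed"
openssl pkcs8 -nocrypt -in "$RSA" |
    softhsm2-util --slot "$slot" --label 01 --id 01 \
        --pin "$TEST_SSH_PIN" --import /dev/stdin ||
    fatal "could not import $RSA into token"
openssl genpkey \
    -genparam \
    -algorithm ec \
    -pkeyopt ec_paramgen_curve:prime256v1 |
    openssl genpkey -paramfile /dev/stdin > "$EC" ||
    fatal "openssl genpkey ec failed"
openssl pkcs8 -nocrypt -in "$EC" |
    softhsm2-util --slot "$slot" --label 02 --id 02 \
        --pin "$TEST_SSH_PIN" --import /dev/stdin ||
    fatal "could not import $EC into token"

LIBCRYPTO="${OBJ}/../../../../lib/libcrypto/obj"

trace "start agent"
# Capture the agent's output first so $r really is ssh-agent's exit
# status (eval'ing its output directly reports the status of the last
# evaluated assignment instead).  "ssh-agent -s" prints shell
# assignments for SSH_AUTH_SOCK / SSH_AGENT_PID, which must be eval'd in
# this shell, not in a subshell.  ${SSHAGENT} is left unquoted like the
# other harness command variables, which may carry options (verify).
agent_env=$(LD_LIBRARY_PATH="$LIBCRYPTO" ${SSHAGENT} -s)
r=$?
if [ $r -eq 0 ]; then
	eval "$agent_env" > /dev/null
fi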
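if [ $r -ne 0 ]; then
	fail "could not start ssh-agent: exit code $r"
else
	trace "add pkcs11 key to agent"
	# The PIN is supplied on stdin (no tty, see notty) rather than in
	# argv, so it is not visible in the process list.  ${SSHADD},
	# ${SSH} and ${SSHAGENT} stay unquoted like elsewhere in the
	# harness: they may carry wrapper options (verify).
	echo "${TEST_SSH_PIN}" | notty ${SSHADD} -s "${TEST_SSH_PKCS11}" > /dev/null 2>&1
	r=$?
	if [ $r -ne 0 ]; then
		fail "ssh-add -s failed: exit code $r"
	fi

	trace "pkcs11 list via agent"
	${SSHADD} -l > /dev/null 2>&1
	r=$?
	if [ $r -ne 0 ]; then
		fail "ssh-add -l failed: exit code $r"
	fi

	for k in "$RSA" "$EC"; do
		trace "testing $k"
		chmod 600 "$k"
		# Derive the public half from the on-disk private key; the
		# same key lives in the token, so the agent must advertise it.
		ssh-keygen -y -f "$k" > "$k.pub" || fail "ssh-keygen -y on $k failed"
		pub=$(cat "$k.pub")
		# -F: match the base64 key blob literally, not as a regex;
		# -- guards against a key line that starts with '-'.
		${SSHADD} -L | grep -qF -- "$pub" || fail "key $k missing in ssh-add -L"
		${SSHADD} -T "$k.pub" || fail "ssh-add -T with $k failed"

		# add to authorized keys
		cat "$k.pub" > "$OBJ/authorized_keys_$USER"
		trace "pkcs11 connect via agent ($k)"
		# A successful, agent-authenticated login runs "exit 5", so 5
		# is the only status that proves the key was actually used.
		${SSH} -F "$OBJ/ssh_proxy" somehost exit 5
		r=$?
		if [ $r -ne 5 ]; then
			fail "ssh connect failed (exit code $r)"
		fi
	done

	trace "remove pkcs11 keys"
	echo "${TEST_SSH_PIN}" | notty ${SSHADD} -e "${TEST_SSH_PKCS11}" > /dev/null 2>&1
	r=$?
	if [ $r -ne 0 ]; then
		fail "ssh-add -e failed: exit code $r"
	fi

	trace "kill agent"
	${SSHAGENT} -k > /dev/null
fi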