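# $OpenBSD: agent-pkcs11.sh,v 1.9 2021/07/25 12:13:03 dtucker Exp $
# Placed in the Public Domain.

# Exercises ssh-agent's PKCS#11 support against a throwaway SoftHSM2 token:
# keys are generated with openssl, imported into the token, loaded into the
# agent via ssh-add -s, used for one connection each, and removed again.
tid="pkcs11 agent test"

# Fixed PINs for the test token created below. They are passed to
# softhsm2-util as command-line options, so they appear in its argv.
TEST_SSH_PIN=1234
TEST_SSH_SOPIN=12345678
TEST_SSH_PKCS11=/usr/local/lib/softhsm/libsofthsm2.so
# Let the harness point ssh-agent at a specific ssh-pkcs11-helper binary.
if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then
	SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
	export SSH_PKCS11_HELPER
fi

test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist"

# setup environment for softhsm2 token
# Refuse to run with an empty OBJ: DIR would otherwise resolve to /SOFTHSM
# and the rm -rf below would act outside the build tree.
[ -n "$OBJ" ] || fatal "OBJ is not set"
DIR=$OBJ/SOFTHSM
rm -rf -- "$DIR"
TOKEN=$DIR/tokendir
mkdir -p "$TOKEN"
SOFTHSM2_CONF=$DIR/softhsm2.conf
export SOFTHSM2_CONF
cat > "$SOFTHSM2_CONF" << EOF
# SoftHSM v2 configuration file
directories.tokendir = ${TOKEN}
objectstore.backend = file
# ERROR, WARNING, INFO, DEBUG
log.level = DEBUG
# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false
EOF
out=$(softhsm2-util --init-token --free --label token-slot-0 \
    --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN") ||
	fatal "softhsm2-util --init-token failed"
# softhsm2-util reports the slot it picked as the last word of its output;
# a parameter expansion avoids echoing/globbing the unquoted output.
slot=${out##* }
[ -n "$slot" ] || fatal "could not determine token slot from: $out"

# prevent ssh-agent from calling ssh-askpass
SSH_ASKPASS=/usr/bin/true
export SSH_ASKPASS
unset DISPLAY

# start command w/o tty, so ssh-add accepts pin from stdin
# Runs "$@" in a new session (setsid) and propagates the child's exit code.
notty() {
	perl -e 'use POSIX; POSIX::setsid();
	    if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
}

trace "generating keys"
RSA=${DIR}/RSA
EC=${DIR}/EC
$OPENSSL_BIN genpkey -algorithm rsa > "$RSA" ||
	fatal "generating RSA key failed"
# Each generation/import step is checked here (pipeline status is that of
# its last command) so a failure is reported at its source rather than as
# a "missing key" later in ssh-add -L.
$OPENSSL_BIN pkcs8 -nocrypt -in "$RSA" |
	softhsm2-util --slot "$slot" --label 01 --id 01 --pin "$TEST_SSH_PIN" \
	    --import /dev/stdin || fatal "importing RSA key into token failed"
$OPENSSL_BIN genpkey \
	-genparam \
	-algorithm ec \
	-pkeyopt ec_paramgen_curve:prime256v1 |
	$OPENSSL_BIN genpkey -paramfile /dev/stdin > "$EC" ||
	fatal "generating EC key failed"
$OPENSSL_BIN pkcs8 -nocrypt -in "$EC" |
	softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" \
	    --import /dev/stdin || fatal "importing EC key into token failed"

trace "start agent"
# EXTRA_AGENT_ARGS is deliberately left unquoted: it may hold several options.
eval "$(${SSHAGENT} ${EXTRA_AGENT_ARGS} -s)" > /dev/null
r=$?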
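if [ "$r" -ne 0 ]; then
	fail "could not start ssh-agent: exit code $r"
else
	trace "add pkcs11 key to agent"
	# The PIN is fed on stdin; notty detaches from the terminal so ssh-add
	# reads it from there instead of prompting on a tty.
	printf '%s\n' "${TEST_SSH_PIN}" |
	    notty ${SSHADD} -s "${TEST_SSH_PKCS11}" > /dev/null 2>&1
	r=$?
	if [ "$r" -ne 0 ]; then
		fail "ssh-add -s failed: exit code $r"
	fi

	trace "pkcs11 list via agent"
	${SSHADD} -l > /dev/null 2>&1
	r=$?
	if [ "$r" -ne 0 ]; then
		fail "ssh-add -l failed: exit code $r"
	fi

	for k in "$RSA" "$EC"; do
		trace "testing $k"
		chmod 600 "$k"
		# NOTE(review): uses ssh-keygen from PATH rather than a harness
		# variable like the other tools here — confirm that is intended.
		ssh-keygen -y -f "$k" > "$k.pub"
		pub=$(cat "$k.pub")
		# -F: the public key is a literal string, not a regex ('+' and
		# '/' occur in base64 and must not be interpreted).
		${SSHADD} -L | grep -qF -- "$pub" ||
		    fail "key $k missing in ssh-add -L"
		${SSHADD} -T "$k.pub" || fail "ssh-add -T with $k failed"

		# add to authorized keys
		cat "$k.pub" > "$OBJ/authorized_keys_$USER"
		trace "pkcs11 connect via agent ($k)"
		# A distinctive remote exit code (5) separates a successful
		# authentication from ssh's own failure status.
		${SSH} -F "$OBJ/ssh_proxy" somehost exit 5
		r=$?
		if [ "$r" -ne 5 ]; then
			fail "ssh connect failed (exit code $r)"
		fi
	done

	trace "remove pkcs11 keys"
	printf '%s\n' "${TEST_SSH_PIN}" |
	    notty ${SSHADD} -e "${TEST_SSH_PKCS11}" > /dev/null 2>&1
	r=$?
	if [ "$r" -ne 0 ]; then
		fail "ssh-add -e failed: exit code $r"
	fi

	trace "kill agent"
	${SSHAGENT} -k > /dev/null
fi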