1#	$OpenBSD: agent-pkcs11.sh,v 1.7 2019/11/26 23:43:10 djm Exp $
2#	Placed in the Public Domain.
3
4tid="pkcs11 agent test"
5
6try_token_libs() {
7	for _lib in "$@" ; do
8		if test -f "$_lib" ; then
9			verbose "Using token library $_lib"
10			TEST_SSH_PKCS11="$_lib"
11			return
12		fi
13	done
14	echo "skipped: Unable to find PKCS#11 token library"
15	exit 0
16}
17
18try_token_libs \
19	/usr/local/lib/softhsm/libsofthsm2.so \
20	/usr/lib64/pkcs11/libsofthsm2.so \
21	/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
22
23TEST_SSH_PIN=1234
24TEST_SSH_SOPIN=12345678
25if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then
26	SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
27	export SSH_PKCS11_HELPER
28fi
29
30test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist"
31
32# setup environment for softhsm2 token
33DIR=$OBJ/SOFTHSM
34rm -rf $DIR
35TOKEN=$DIR/tokendir
36mkdir -p $TOKEN
37SOFTHSM2_CONF=$DIR/softhsm2.conf
38export SOFTHSM2_CONF
39cat > $SOFTHSM2_CONF << EOF
40# SoftHSM v2 configuration file
41directories.tokendir = ${TOKEN}
42objectstore.backend = file
43# ERROR, WARNING, INFO, DEBUG
44log.level = DEBUG
45# If CKF_REMOVABLE_DEVICE flag should be set
46slots.removable = false
47EOF
48out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")
49slot=$(echo -- $out | sed 's/.* //')
50
51# prevent ssh-agent from calling ssh-askpass
52SSH_ASKPASS=/usr/bin/true
53export SSH_ASKPASS
54unset DISPLAY
55
56# start command w/o tty, so ssh-add accepts pin from stdin
57notty() {
58	perl -e 'use POSIX; POSIX::setsid();
59	    if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
60}
61
62trace "generating keys"
63RSA=${DIR}/RSA
64EC=${DIR}/EC
65openssl genpkey -algorithm rsa > $RSA
66openssl pkcs8 -nocrypt -in $RSA |\
67    softhsm2-util --slot "$slot" --label 01 --id 01 --pin "$TEST_SSH_PIN" --import /dev/stdin
68openssl genpkey \
69    -genparam \
70    -algorithm ec \
71    -pkeyopt ec_paramgen_curve:prime256v1 |\
72    openssl genpkey \
73    -paramfile /dev/stdin > $EC
74openssl pkcs8 -nocrypt -in $EC |\
75    softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" --import /dev/stdin
76
77trace "start agent"
78eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
79r=$?
80if [ $r -ne 0 ]; then
81	fail "could not start ssh-agent: exit code $r"
82else
83	trace "add pkcs11 key to agent"
84	echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
85	r=$?
86	if [ $r -ne 0 ]; then
87		fail "ssh-add -s failed: exit code $r"
88	fi
89
90	trace "pkcs11 list via agent"
91	${SSHADD} -l > /dev/null 2>&1
92	r=$?
93	if [ $r -ne 0 ]; then
94		fail "ssh-add -l failed: exit code $r"
95	fi
96
97	for k in $RSA $EC; do
98		trace "testing $k"
99		chmod 600 $k
100		ssh-keygen -y -f $k > $k.pub
101		pub=$(cat $k.pub)
102		${SSHADD} -L | grep -q "$pub" || fail "key $k missing in ssh-add -L"
103		${SSHADD} -T $k.pub || fail "ssh-add -T with $k failed"
104
105		# add to authorized keys
106		cat $k.pub > $OBJ/authorized_keys_$USER
107		trace "pkcs11 connect via agent ($k)"
108		${SSH} -F $OBJ/ssh_proxy somehost exit 5
109		r=$?
110		if [ $r -ne 5 ]; then
111			fail "ssh connect failed (exit code $r)"
112		fi
113	done
114
115	trace "remove pkcs11 keys"
116	echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
117	r=$?
118	if [ $r -ne 0 ]; then
119		fail "ssh-add -e failed: exit code $r"
120	fi
121
122	trace "kill agent"
123	${SSHAGENT} -k > /dev/null
124fi
125