Diffstat (limited to 'tests')
-rw-r--r--tests/Makefile58
-rwxr-xr-xtests/do-sign.sh22
-rwxr-xr-xtests/do-verify.sh23
-rw-r--r--tests/openssl.direct.cnf11
-rw-r--r--tests/openssl.p11p.cnf11
5 files changed, 125 insertions, 0 deletions
diff --git a/tests/Makefile b/tests/Makefile
new file mode 100644
index 0000000..9d83a7e
--- /dev/null
+++ b/tests/Makefile
@@ -0,0 +1,58 @@
+# Required packages (Debian 9/stretch):
+# libengine-pkcs11-openssl: /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
+# softhsm2: /usr/bin/softhsm2-util
+# gnutls-bin: /usr/bin/p11tool
+# openssl: /usr/bin/openssl
+
+TEXT = "A foo is a bar"
+SOFTHSM = /usr/bin/softhsm2-util
+
+SOFTHSM_PROVIDER = /usr/lib/softhsm/libsofthsm2.so
+P11P_PROVIDER = /home/linus/usr/lib/pkcs11/p11-kit-client.so
+
+p11p-softhsm: testsig.hsm.p11p.pem
+ echo "$(TEXT)" |./do-verify.sh $< $(P11P_PROVIDER) ./openssl.p11p.cnf $(SOFTHSM_PROVIDER)
+
+direct-softhsm: testsig.hsm.pem
+ echo "$(TEXT)" | ./do-verify.sh $< $(SOFTHSM_PROVIDER) ./openssl.direct.cnf
+
+softhsm-token-setup: softhsm-token-setup.stamp
+softhsm-token-setup.stamp: softhsm/tokens testkey.pkcs8
+ test -x $(SOFTHSM)
+ ( \
+ BASEDIR=$$(pwd); \
+ export SOFTHSM2_CONF=$$BASEDIR/softhsm/softhsm2.conf; \
+ echo "directories.tokendir = $$BASEDIR/softhsm/tokens/" > $$SOFTHSM2_CONF; \
+ ${SOFTHSM} --init-token --free --label mytoken --so-pin ffffff --pin ffff; \
+ ${SOFTHSM} --import testkey.pkcs8 --token mytoken --label mykey --id 00 --pin ffff; \
+ )
+ touch $@
+
+softhsm/tokens:
+ mkdir -p $@
+
+testkey.pkcs8: testkey.pem
+ openssl pkey -in $< -outform pem -out $@
+
+testkey.pem:
+ openssl genrsa -out $@ 2048
+
+testsig.local.pem: testkey.pem
+ echo "$(TEXT)" | openssl dgst -sha256 -sign testkey.pem -out $@
+
+testsig.hsm.pem: softhsm-token-setup
+ echo "$(TEXT)" | ./do-sign.sh $@ $(SOFTHSM_PROVIDER) ./openssl.direct.cnf
+
+testsig.hsm.p11p.pem: softhsm-token-setup
+ echo "$(TEXT)" | ./do-sign.sh $@ $(P11P_PROVIDER) ./openssl.p11p.cnf $(SOFTHSM_PROVIDER)
+
+server-running:
+# FIXME: use env printed to do 'p11-kit server --kill', at some point
+
+clean:
+ -rm -r softhsm
+ -rm softhsm-token-setup.stamp
+ -rm testkey.pem testkey.pkcs8
+ -rm testsig.*.pem
+
+.PHONY: clean
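Review bot: The subshell in the softhsm-token-setup.stamp recipe joins its commands with `;`, so its exit status is only that of the final `--import`; if `--init-token` fails but a token named mytoken survives from an earlier run, the import can still succeed and `touch $@` records the setup as done. Start the subshell with `set -e; \` (or join the commands with `&&`) so any failed step aborts before the stamp is written. The same applies to the config write on the `echo ... > $$SOFTHSM2_CONF` line. Separately, `.PHONY` lists only `clean` while `p11p-softhsm`, `direct-softhsm`, `softhsm-token-setup` and `server-running` are command targets, not files, so `.PHONY: clean p11p-softhsm direct-softhsm softhsm-token-setup server-running` would keep them from being shadowed by a same-named file; and `P11P_PROVIDER` points into `/home/linus`, which presumably needs to become a `?=` default so other users can override it.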
diff --git a/tests/do-sign.sh b/tests/do-sign.sh
new file mode 100755
index 0000000..9552a5a
--- /dev/null
+++ b/tests/do-sign.sh
@@ -0,0 +1,22 @@
+#! /bin/sh
+
+set -eu
+
+SIGFILE="$1"; shift
+P11_PROVIDER="$1"; shift
+OPENSSL_CONF="$1"; shift
+SERVER_PROVIDER=
+[ $# -ge 1 ] && { SERVER_PROVIDER="$1"; shift; }
+
+if [ -n "$SERVER_PROVIDER" ]; then
+ P11_KIT_ENV=$(p11-kit server $SERVER_PROVIDER)
+ eval "$P11_KIT_ENV"
+fi
+
+openssl dgst -sha256 -engine pkcs11 -keyform ENGINE \
+ -sign "$(p11tool --login --provider=$P11_PROVIDER --list-token-urls)" \
+ -out $SIGFILE
+
+if [ -n "$SERVER_PROVIDER" ]; then
+ p11-kit server --kill > /dev/null
+fi
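Review bot: `OPENSSL_CONF="$1"` on line 90 assigns a plain shell variable without `export`, so unless the caller already has OPENSSL_CONF in its environment the config file argument never reaches openssl and the `-engine pkcs11` invocation falls back to whatever the default configuration provides; `export OPENSSL_CONF="$1"; shift` makes the argument effective. The same pattern is in do-verify.sh. Also, with `set -e` a failing openssl call exits the script before the `p11-kit server --kill` at the end, leaving the server from line 95 running; registering the kill once the server is started, e.g. `trap 'p11-kit server --kill > /dev/null' EXIT` inside the first `if`, covers both paths (again in both scripts). `$SIGFILE` and `$P11_PROVIDER` should be double-quoted like the other expansions.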
diff --git a/tests/do-verify.sh b/tests/do-verify.sh
new file mode 100755
index 0000000..a18a762
--- /dev/null
+++ b/tests/do-verify.sh
@@ -0,0 +1,23 @@
+#! /bin/sh
+
+set -eu
+
+SIGFILE="$1"; shift
+P11_PROVIDER="$1"; shift
+OPENSSL_CONF="$1"; shift
+SERVER_PROVIDER=
+[ $# -ge 1 ] && { SERVER_PROVIDER="$1"; shift; }
+
+
+if [ -n "$SERVER_PROVIDER" ]; then
+ P11_KIT_ENV=$(p11-kit server $SERVER_PROVIDER)
+ eval "$P11_KIT_ENV"
+fi
+
+openssl dgst -sha256 -engine pkcs11 -keyform ENGINE \
+ -prverify "$(p11tool --login --provider=$P11_PROVIDER --list-token-urls)" \
+ -signature $SIGFILE | egrep "^Verified OK$"
+
+if [ -n "$SERVER_PROVIDER" ]; then
+ p11-kit server --kill > /dev/null
+fi
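Review bot: The pipeline on lines 128-130 makes the verification result depend on grepping openssl's human-readable output, and in plain `sh` (no pipefail) only `egrep`'s status is seen by `set -e`, so openssl's own exit status is discarded. openssl dgst already exits non-zero on a verification failure, so dropping `| egrep "^Verified OK$"` lets `set -e` act on the real result; if the textual check is still wanted, a comment such as `# openssl exit status is masked by the pipe; egrep is the effective check` would at least make the reliance explicit. `egrep` is also deprecated in favour of `grep -E`.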
diff --git a/tests/openssl.direct.cnf b/tests/openssl.direct.cnf
new file mode 100644
index 0000000..a1add57
--- /dev/null
+++ b/tests/openssl.direct.cnf
@@ -0,0 +1,11 @@
+openssl_conf = openssl_init
+
+[openssl_init]
+engines=engine_section
+
+[engine_section]
+pkcs11 = pkcs11_section
+
+[pkcs11_section]
+dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
+MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
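Review bot: `MODULE_PATH` here duplicates the `SOFTHSM_PROVIDER` value that tests/Makefile also passes to do-sign.sh/do-verify.sh on the command line, so the two can drift apart without any error; a comment naming the coupling would help, e.g. `# Must match SOFTHSM_PROVIDER in tests/Makefile (p11tool and openssl must load the same module)`. The `engines=engine_section` line is the only assignment without spaces around `=`; matching the other lines is a minor style point.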
diff --git a/tests/openssl.p11p.cnf b/tests/openssl.p11p.cnf
new file mode 100644
index 0000000..30272c7
--- /dev/null
+++ b/tests/openssl.p11p.cnf
@@ -0,0 +1,11 @@
+openssl_conf = openssl_init
+
+[openssl_init]
+engines=engine_section
+
+[engine_section]
+pkcs11 = pkcs11_section
+
+[pkcs11_section]
+dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
+MODULE_PATH = /home/linus/usr/lib/pkcs11/p11-kit-client.so
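Review bot: `MODULE_PATH` is hard-coded to `/home/linus/usr/lib/pkcs11/p11-kit-client.so`, a developer-specific path, so the p11p test cannot run on another machine without editing this file (tests/Makefile carries the same path in `P11P_PROVIDER`). Since this file is otherwise identical to openssl.direct.cnf apart from this line, it is presumably a candidate for generation from the Makefile variable at test time rather than being committed with a personal path; failing that, a comment such as `# Local install path of the p11-kit client module; adjust to match P11P_PROVIDER in tests/Makefile` should mark it.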