rpms/opensc
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Test with libcacard

Browse Source
This commit is contained in:
Jakub Jelen 2019-08-23 16:14:30 +02:00
parent 88b6e849e2
commit a5b7b9742a
4 changed files with 247 additions and 167 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
tests/pkcs11-tool/Makefile
View File

@ -28,7 +28,7 @@ export TESTVERSION=1.0
BUILT_FILES= BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE cert.cfg FILES=$(METADATA) runtest.sh Makefile PURPOSE cert.cfg virtcacard.cil
.PHONY: all install download clean .PHONY: all install download clean
@ -51,9 +51,13 @@ $(METADATA): Makefile
@echo "Path: $(TEST_DIR)" >> $(METADATA) @echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: This is a sanity test for pkcs11-tool" >> $(METADATA) @echo "Description: This is a sanity test for pkcs11-tool" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA) @echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA) @echo "TestTime: 15m" >> $(METADATA)
@echo "RunFor: opensc" >> $(METADATA) @echo "RunFor: opensc" >> $(METADATA)
@echo "Requires: opensc openssl gnutls-utils opencryptoki-libs" >> $(METADATA) @echo "Requires: opensc openssl gnutls-utils" >> $(METADATA)
@echo "Requires: opencryptoki-libs opencryptoki opencryptoki-swtok" >> $(METADATA)
@echo "Requires: libcacard-devel autoconf" >> $(METADATA)
@echo "Requires: autoconf-archive automake libtool" >> $(METADATA)
@echo "Requires: softhsm help2man pcsc-lite-devel nss-tools policycoreutils" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA) @echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2+" >> $(METADATA) @echo "License: GPLv2+" >> $(METADATA)
@echo "Confidential: yes" >> $(METADATA) @echo "Confidential: yes" >> $(METADATA)

132
tests/pkcs11-tool/runtest.sh
View File

@ -35,6 +35,7 @@ PIN="123456"
export GNUTLS_PIN=$PIN export GNUTLS_PIN=$PIN
GENERATE_KEYS=1 GENERATE_KEYS=1
PKCS11_TOOL="pkcs11-tool" PKCS11_TOOL="pkcs11-tool"
NSSDB=db
function generate_cert() { function generate_cert() {
TYPE="$1" TYPE="$1"
@ -76,11 +77,13 @@ function generate_cert() {
} }
function card_setup() { function card_setup() {
ECC_KEYS=1
case $1 in case $1 in
"softhsm") "softhsm")
P11LIB="/usr/lib64/pkcs11/libsofthsm2.so" P11LIB="/usr/lib64/pkcs11/libsofthsm2.so"
echo "directories.tokendir = .tokens/" > .softhsm2.conf echo "directories.tokendir = .tokens/" > .softhsm2.conf
echo "slots.removable = true" >> .softhsm2.conf
echo "objectstore.backend = file" >> .softhsm2.conf
echo "log.level = INFO" >> .softhsm2.conf
mkdir ".tokens" mkdir ".tokens"
export SOFTHSM2_CONF=".softhsm2.conf" export SOFTHSM2_CONF=".softhsm2.conf"
# Init token # Init token
@ -88,23 +91,60 @@ function card_setup() {
;; ;;
"opencryptoki") "opencryptoki")
# Supports only RSA mechanisms # Supports only RSA mechanisms
ECC_KEYS=0
P11LIB="/usr/lib64/pkcs11/libopencryptoki.so" P11LIB="/usr/lib64/pkcs11/libopencryptoki.so"
SO_PIN=87654321 SO_PIN=87654321
SLOT_ID=3 # swtok slot SLOT_ID=3 # swtok slot
systemctl is-active pkcsslotd > /dev/null rlServiceStart "pkcsslotd"
if [[ "$?" -ne "0" ]]; then
echo "Opencryptoki needs pkcsslotd running"
exit 1
fi
groups | grep pkcs11 > /dev/null
if [[ "$?" -ne "0" ]]; then
echo "Opencryptoki requires the user to be in pkcs11 group"
exit 1
fi
echo "test_swtok" | /usr/sbin/pkcsconf -I -c $SLOT_ID -S $SO_PIN echo "test_swtok" | /usr/sbin/pkcsconf -I -c $SLOT_ID -S $SO_PIN
/usr/sbin/pkcsconf -u -c $SLOT_ID -S $SO_PIN -n $PIN /usr/sbin/pkcsconf -u -c $SLOT_ID -S $SO_PIN -n $PIN
;; ;;
"libcacard")
# Remove OpenSC from p11-kit so we do not recurse
rlRun "rlFileBackup /usr/share/p11-kit/modules/"
rlRun "rm /usr/share/p11-kit/modules/opensc.module"
# we use softhsm internally
rlRun "card_setup softhsm"
# Setup NSS DB
rlRun "mkdir $NSSDB"
# Do not add a softhsm2 to the nssdb if there is already p11-kit-proxy
rlRun "modutil -create -dbdir sql:$NSSDB -force"
rlRun "modutil -list -dbdir sql:$NSSDB | grep 'library name: p11-kit-proxy.so'" 0,1
if [ "$?" = "1" ]; then
rlRun "modutil -force -add 'SoftHSM PKCS#11' -dbdir sql:$NSSDB -libfile $P11LIB"
fi
# Download and Install vsmartcard
rlRun "git clone https://github.com/frankmorgner/vsmartcard.git"
rlRun "pushd vsmartcard/virtualsmartcard"
rlRun "autoreconf -vis && ./configure && make -j4 && make install"
rlRun "popd"
# Download and Install virt_cacard
rlRun "git clone https://github.com/PL4typus/virt_cacard.git"
rlRun "pushd virt_cacard && ./autogen.sh && ./configure && make"
rlRun "popd"
# Install the temporary SELinux policy
rlRun "semodule -i virtcacard.cil"
# Restart pcscd
rlRun "systemctl restart pcscd"
# Start virtcacard
#rlRun "G_MESSAGES_DEBUG=libcacard LIBCACARD_DEBUG=1 ./virt_cacard/virt_cacard 2> virt_cacard.debug &"
rlRun "./virt_cacard/virt_cacard 2> virt_cacard.debug &"
rlRun "sleep 5"
# We will use OpenSC directly from here
P11LIB="/usr/lib64/pkcs11/opensc-pkcs11.so"
rlRun "$PKCS11_TOOL -O"
# The keys are already generated in softhsm
return 0
;;
*) *)
echo "Error: Missing argument." echo "Error: Missing argument."
exit 1; exit 1;
@ -113,15 +153,11 @@ function card_setup() {
if [[ $GENERATE_KEYS -eq 1 ]]; then if [[ $GENERATE_KEYS -eq 1 ]]; then
# Generate 1024b RSA Key pair # Generate 1024b RSA Key pair
generate_cert "RSA:1024" "01" "RSA_auth" generate_cert "RSA:1024" "0001" "RSA1024"
# Generate 2048b RSA Key pair # Generate 2048b RSA Key pair
generate_cert "RSA:2048" "02" "RSA2048" generate_cert "RSA:2048" "0002" "RSA2048"
if [[ $ECC_KEYS -eq 1 ]]; then # Generate 3092b RSA Key pair
# Generate 256b ECC Key pair generate_cert "RSA:2048" "0003" "RSA3"
generate_cert "EC:secp256r1" "03" "ECC_auth"
# Generate 521b ECC Key pair
generate_cert "EC:secp521r1" "04" "ECC521"
fi
fi fi
} }
@ -131,6 +167,13 @@ function card_cleanup() {
rm .softhsm2.conf rm .softhsm2.conf
rm -rf ".tokens" rm -rf ".tokens"
;; ;;
"libcacard")
rlRun "pkill virt_cacard" 0,1
rlFileSubmit virt_cacard.debug
rlRun "rm -rf $NSSDB"
card_cleanup softhsm
rlRun "rlFileRestore"
;;
esac esac
if [[ $GENERATE_KEYS -eq 1 ]]; then if [[ $GENERATE_KEYS -eq 1 ]]; then
rm "0{1,2,3,4}.{cert,pub}" rm "0{1,2,3,4}.{cert,pub}"
@ -139,30 +182,43 @@ function card_cleanup() {
rlJournalStart rlJournalStart
rlPhaseStartSetup rlPhaseStartSetup "General setup"
rlAssertRpm $PACKAGE rlAssertRpm $PACKAGE
rlPhaseEnd
for BACKEND in "softhsm" "opencryptoki" "libcacard"; do
rlPhaseStartSetup "Set up $BACKEND"
rlAssertRpm $BACKEND
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "cp cert.cfg $TmpDir" rlRun "cp cert.cfg virtcacard.cil $TmpDir"
rlRun "pushd $TmpDir" rlRun "pushd $TmpDir"
card_setup "softhsm" rlRun "card_setup $BACKEND"
rlRun 'echo "data to sign (max 100 bytes)" > data' rlRun 'echo "data to sign (max 100 bytes)" > data'
# Read the certificates from the module (the IDs might get mixed up in libcacard)
for ID in "0001" "0002" "0003"; do
rlRun ">$ID.cert"
rlRun "$PKCS11_TOOL --read-object --id $ID --type cert --output-file $ID.cert --module $P11LIB"
rlRun "openssl x509 -inform DER -in $ID.cert -pubkey > $ID.pub"
done
rlPhaseEnd rlPhaseEnd
for HASH in "" "SHA1" "SHA224" "SHA256" "SHA384" "SHA512"; do for HASH in "" "SHA1" "SHA224" "SHA256" "SHA384" "SHA512"; do
for SIGN_KEY in "01" "02"; do for SIGN_KEY in "0001" "0002" "0003"; do
METHOD="RSA-PKCS" METHOD="RSA-PKCS"
if [[ ! -z $HASH ]]; then if [[ ! -z $HASH ]]; then
METHOD="$HASH-$METHOD" METHOD="$HASH-$METHOD"
fi fi
rlPhaseStartTest "$METHOD: Sing & Verify (KEY $SIGN_KEY)" # OpenCryptoki does not work with hashed mechanisms
if [[ "$BACKEND" != "opencryptoki" ]]; then
rlPhaseStartTest "$BACKEND: $METHOD: Sign & Verify (KEY $SIGN_KEY)"
rlRun "$PKCS11_TOOL --id $SIGN_KEY -s -p $PIN -m $METHOD --module $P11LIB \ rlRun "$PKCS11_TOOL --id $SIGN_KEY -s -p $PIN -m $METHOD --module $P11LIB \
--input-file data --output-file data.sig" --input-file data --output-file data.sig"
# OpenSSL verification # OpenSSL verification
if [[ -z $HASH ]]; then if [[ -z $HASH ]]; then
rlRun "openssl rsautl -verify -inkey $SIGN_KEY.cert -in data.sig -certin" rlRun "openssl rsautl -verify -pubin -inkey $SIGN_KEY.pub -in data.sig"
else else
rlRun "openssl dgst -keyform PEM -verify $SIGN_KEY.pub -${HASH,,*} \ rlRun "openssl dgst -verify $SIGN_KEY.pub -${HASH,,*} \
-signature data.sig data" -signature data.sig data"
fi fi
@ -171,14 +227,15 @@ rlJournalStart
--input-file data --signature-file data.sig" --input-file data --signature-file data.sig"
rlRun "rm data.sig" rlRun "rm data.sig"
rlPhaseEnd rlPhaseEnd
fi
METHOD="$METHOD-PSS" METHOD="$METHOD-PSS"
if [[ "$HASH" == "SHA512" ]]; then if [[ "$HASH" == "SHA512" ]]; then
continue; # This one is broken continue; # This one is broken
fi fi
rlPhaseStartTest "$METHOD: Sing & Verify (KEY $SIGN_KEY)" rlPhaseStartTest "$BACKEND: $METHOD: Sign & Verify (KEY $SIGN_KEY)"
if [[ -z $HASH ]]; then if [[ -z $HASH ]]; then
# hashing is done outside of the module. We chouse here SHA256 # hashing is done outside of the module. We chose here SHA256
rlRun "openssl dgst -binary -sha256 data > data.hash" rlRun "openssl dgst -binary -sha256 data > data.hash"
HASH_ALGORITM="--hash-algorithm=SHA256" HASH_ALGORITM="--hash-algorithm=SHA256"
VERIFY_DGEST="-sha256" VERIFY_DGEST="-sha256"
@ -195,7 +252,7 @@ rlJournalStart
--input-file data.hash --output-file data.sig" --input-file data.hash --output-file data.sig"
# OpenSSL verification # OpenSSL verification
rlRun "openssl dgst -keyform PEM -verify $SIGN_KEY.pub $VERIFY_DGEST \ rlRun "openssl dgst -verify $SIGN_KEY.pub $VERIFY_DGEST \
-sigopt rsa_padding_mode:pss $VERIFY_OPTS -sigopt rsa_pss_saltlen:-1 \ -sigopt rsa_padding_mode:pss $VERIFY_OPTS -sigopt rsa_pss_saltlen:-1 \
-signature data.sig data" -signature data.sig data"
@ -204,6 +261,7 @@ rlJournalStart
$HASH_ALGORITM --salt-len=-1 \ $HASH_ALGORITM --salt-len=-1 \
--input-file data.hash --signature-file data.sig" --input-file data.hash --signature-file data.sig"
rlRun "rm data.{sig,hash}" rlRun "rm data.{sig,hash}"
rlPhaseEnd rlPhaseEnd
done done
@ -212,11 +270,11 @@ rlJournalStart
continue; continue;
fi fi
METHOD="RSA-PKCS" METHOD="RSA-PKCS"
for ENC_KEY in "01" "02"; do for ENC_KEY in "0001" "0002" "0003"; do
rlPhaseStartTest "$METHOD: Encrypt & Decrypt (KEY $ENC_KEY)" rlPhaseStartTest "$BACKEND: $METHOD: Encrypt & Decrypt (KEY $ENC_KEY)"
# OpenSSL Encryption # OpenSSL Encryption
rlRun "openssl rsautl -encrypt -inkey $ENC_KEY.cert -in data \ rlRun "openssl rsautl -encrypt -pubin -inkey $ENC_KEY.pub -in data \
-certin -out data.crypt" -out data.crypt"
rlRun "$PKCS11_TOOL --id $ENC_KEY --decrypt -p $PIN -m $METHOD \ rlRun "$PKCS11_TOOL --id $ENC_KEY --decrypt -p $PIN -m $METHOD \
--module $P11LIB --input-file data.crypt > data.decrypted" --module $P11LIB --input-file data.crypt > data.decrypted"
rlRun "diff data{,.decrypted}" rlRun "diff data{,.decrypted}"
@ -227,9 +285,11 @@ rlJournalStart
done done
done done
rlPhaseStartCleanup rlPhaseStartCleanup "Cleanup $BACKEND"
card_cleanup "softhsm" card_cleanup $BACKEND
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory" rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd rlPhaseEnd
done
rlJournalPrintText rlJournalPrintText
rlJournalEnd rlJournalEnd

2
tests/pkcs11-tool/virtcacard.cil Normal file
View File

@ -0,0 +1,2 @@
(allow pcscd_t node_t (tcp_socket (node_bind)))

14
tests/tests.yml
View File

@ -19,4 +19,18 @@
- softhsm # software PKCS#11 module - softhsm # software PKCS#11 module
- openssl # openssl tools - openssl # openssl tools
- gnutls-utils # p11tool - gnutls-utils # p11tool
- opencryptoki-libs # opencryptoki
- opencryptoki
- opencryptoki-swtok
- git # to download vsmartcard and virt_cacard projects
- libcacard-devel # Build requires for virt_cacard and vsmartcard
- autoconf
- autoconf-archive
- automake
- libtool
- softhsm
- help2man
- pcsc-lite-devel
- nss-tools # Handling NSS DB
- policycoreutils # Loading custom selinux modules