tests: Authentication with Ed25519 pkcs11 key

Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Pavol Žáčik <pzacik@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2026-02-04 12:20:42 +09:00 · 2026-01-09 16:30:42 +01:00
parent a983142a07
commit 18ec01c980
3 changed files with 26 additions and 1 deletions
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -419,6 +419,9 @@ if (CLIENT_TESTING OR SERVER_TESTING)
    file(READ keys/pkcs11/id_pkcs11_ecdsa_521_openssh.pub CONTENTS)
    file(APPEND ${CMAKE_CURRENT_BINARY_DIR}/home/charlie/.ssh/authorized_keys "${CONTENTS}")

+    file(READ keys/pkcs11/id_pkcs11_ed25519_openssh.pub CONTENTS)
+    file(APPEND ${CMAKE_CURRENT_BINARY_DIR}/home/charlie/.ssh/authorized_keys "${CONTENTS}")
+
    # Copy the signed key to an doe's homedir.
    file(COPY keys/certauth/id_rsa DESTINATION
        ${CMAKE_CURRENT_BINARY_DIR}/home/doe/.ssh/ FILE_PERMISSIONS OWNER_READ OWNER_WRITE)
--- a/tests/client/torture_auth_pkcs11.c
+++ b/tests/client/torture_auth_pkcs11.c
@@ -39,6 +39,7 @@
 #define LIBSSH_ECDSA_256_TESTKEY  "id_pkcs11_ecdsa_256"
 #define LIBSSH_ECDSA_384_TESTKEY  "id_pkcs11_ecdsa_384"
 #define LIBSSH_ECDSA_521_TESTKEY  "id_pkcs11_ecdsa_521"
+#define LIBSSH_ED25519_TESTKEY    "id_pkcs11_ed25519"

 const char template[] = "/tmp/temp_dir_XXXXXX";

@@ -142,6 +143,9 @@ static int setup_pkcs11(void **state)
    setup_tokens(state, LIBSSH_ECDSA_256_TESTKEY, "ecdsa256");
    setup_tokens(state, LIBSSH_ECDSA_384_TESTKEY, "ecdsa384");
    setup_tokens(state, LIBSSH_ECDSA_521_TESTKEY, "ecdsa521");
+    if (!ssh_fips_mode()) {
+        setup_tokens(state, LIBSSH_ED25519_TESTKEY, "ed25519");
+    }

    return 0;
 }
@@ -238,6 +242,18 @@ static void torture_auth_autopubkey_ecdsa_key_521(void **state)
    torture_auth_autopubkey(state, "ecdsa521", "1234");
 }

+#ifdef WITH_PKCS11_PROVIDER
+static void torture_auth_autopubkey_ed25519(void **state)
+{
+    /* The Ed25519 keys are not supported in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
+    torture_auth_autopubkey(state, "ed25519", "1234");
+}
+#endif /* WITH_PKCS11_PROVIDER */
+
 int torture_run_tests(void)
 {
    int rc;
@@ -254,6 +270,11 @@ int torture_run_tests(void)
        cmocka_unit_test_setup_teardown(torture_auth_autopubkey_ecdsa_key_521,
                                        session_setup,
                                        session_teardown),
+#ifdef WITH_PKCS11_PROVIDER
+        cmocka_unit_test_setup_teardown(torture_auth_autopubkey_ed25519,
+                                        session_setup,
+                                        session_teardown),
+#endif /* WITH_PKCS11_PROVIDER */
    };

    /* Do not use system openssl.cnf for the pkcs11 uri tests.
--- a/tests/keys/pkcs11/id_pkcs11_ed25519_openssh.pub
+++ b/tests/keys/pkcs11/id_pkcs11_ed25519_openssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN1aDCZfQOPArIsxnS8uMipbQtjM/FD77+hpkyo9i95W
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN1aDCZfQOPArIsxnS8uMipbQtjM/FD77+hpkyo9i95W`