shinys000114/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2026-02-09 09:54:25 +09:00
Code Issues Packages Projects Releases Wiki Activity

Add support for PKCS#11 provider in OpenSSL 3.0

Browse Source 
The engine API in OpenSSL 3.0 is deprecated so we are in the progress of working
on a PKCS#11 provider for OpenSSL. This commit introduces a conditional build
with the pkcs11-provider support (instead of engines) with all the changes
required for the provider to work with existing code and tests.

The CI modification is only temporary before we will have the real package in
Fedora or somewhere to use.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Norbert Pocs <npocs@redhat.com>
This commit is contained in:
Jakub Jelen
2022-10-31 15:09:26 +01:00
parent 7291f2173c
commit 2539d72b7c
18 changed files with 276 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

78
tests/pkcs11/setup-softhsm-tokens.sh
View File

@@ -5,8 +5,10 @@
TESTDIR=$1
PRIVKEY=$2
OBJNAME=$3
TOKENLABEL=$3 # yeah. The same as object label
LOADPUBLIC=$4
LIBSOFTHSM_PATH=$5
P11_KIT_CLIENT=$6
shift 5
PUBKEY="$PRIVKEY.pub"
@@ -15,24 +17,27 @@ echo "TESTDIR: $TESTDIR"
echo "PRIVKEY: $PRIVKEY"
echo "PUBKEY: $PUBKEY"
echo "OBJNAME: $OBJNAME"
echo "TOKENLABEL: $TOKENLABEL"
echo "LOADPUBLIC: $LOADPUBLIC"
# Create temporary directory for tokens
install -d -m 0755 "$TESTDIR/db"
if [ ! -d "$TESTDIR/db" ]; then
# Create temporary directory for tokens
install -d -m 0755 "$TESTDIR/db"
# Create SoftHSM configuration file
cat >"$TESTDIR/softhsm.conf" <<EOF
# Create SoftHSM configuration file
cat >"$TESTDIR/softhsm.conf" <<EOF
directories.tokendir = $TESTDIR/db
objectstore.backend = file
log.level = DEBUG
EOF
cat "$TESTDIR/softhsm.conf"
fi
export SOFTHSM2_CONF=$TESTDIR/softhsm.conf
cat "$TESTDIR/softhsm.conf"
#init
cmd="softhsm2-util --init-token --label $OBJNAME --free --pin 1234 --so-pin 1234"
#init -- each object will have its own token
cmd="softhsm2-util --init-token --label $TOKENLABEL --free --pin 1234 --so-pin 1234"
eval echo "$cmd"
out=$(eval "$cmd")
ret=$?
@@ -43,7 +48,7 @@ if [ $ret -ne 0 ]; then
fi
#load private key
cmd="p11tool --provider $LIBSOFTHSM_PATH --write --load-privkey $PRIVKEY --label $OBJNAME --login --set-pin=1234 \"pkcs11:token=$OBJNAME\""
cmd="p11tool --provider $LIBSOFTHSM_PATH --write --load-privkey $PRIVKEY --label $OBJNAME --login --set-pin=1234 \"pkcs11:token=$TOKENLABEL\""
eval echo "$cmd"
out=$(eval "$cmd")
ret=$?
@@ -59,7 +64,7 @@ ls -l "$TESTDIR"
if [ "$LOADPUBLIC" -ne 0 ]; then
#load public key
cmd="p11tool --provider $LIBSOFTHSM_PATH --write --load-pubkey $PUBKEY --label $OBJNAME --login --set-pin=1234 \"pkcs11:token=$OBJNAME\""
cmd="p11tool --provider $LIBSOFTHSM_PATH --write --load-pubkey $PUBKEY --label $OBJNAME --login --set-pin=1234 \"pkcs11:token=$TOKENLABEL\""
eval echo "$cmd"
out=$(eval "$cmd")
ret=$?
@@ -70,7 +75,7 @@ if [ "$LOADPUBLIC" -ne 0 ]; then
fi
fi
cmd="p11tool --list-all --login \"pkcs11:token=$OBJNAME\" --set-pin=1234"
cmd="p11tool --list-all --login \"pkcs11:token=$TOKENLABEL\" --set-pin=1234"
eval echo "$cmd"
out=$(eval "$cmd")
ret=$?
@@ -81,4 +86,55 @@ if [ $ret -ne 0 ]; then
fi
echo "$out"
# Skip the p11-kit if not needed
if [ -z "$P11_KIT_CLIENT" ]; then
exit 0
fi
# when creating more keys, we need to restart the p11-kit
# so it can pick up the new keys
if [ -h "$TESTDIR/p11-kit-server.socket" ]; then
kill -9 $(cat $TESTDIR/p11-kit-server.pid)
rm $TESTDIR/p11-kit-server.socket
fi
# p11-kit complains if there is no runtime directory
if [ -z "$XDG_RUNTIME_DIR" ]; then
export XDG_RUNTIME_DIR=$PWD
fi
# Start the p11-kit server
cmd="p11-kit server --provider $LIBSOFTHSM_PATH pkcs11:"
echo "$cmd"
out=$(eval "$cmd")
ret=$?
if [ $ret -ne 0 ]; then
echo "Starting p11-kit server failed"
echo "$out"
exit 1
fi
eval $out
# Symlink the p11-kit-server socket to "known place"
P11_KIT_SERVER_ADDRESS_PATH=${P11_KIT_SERVER_ADDRESS:10}
cmd="ln -s $P11_KIT_SERVER_ADDRESS_PATH $TESTDIR/p11-kit-server.socket"
echo "$cmd"
out=$(eval "$cmd")
# Save the PID for the C code to clean up
cmd="echo $P11_KIT_SERVER_PID > $TESTDIR/p11-kit-server.pid"
echo "$cmd"
out=$(eval "$cmd")
cmd="pkcs11-tool -O --login --pin=1234 --module=$P11_KIT_CLIENT --token-label=$TOKENLABEL"
echo "$cmd"
out=$(eval "$cmd")
ret=$?
echo "$out"
if [ $ret -ne 0 ]; then
echo "Failed to list keys through p11-kit remoting"
echo "$out"
exit 1
fi
exit 0