From 99fcd56135a0edcf2727f181493e04819295fd73 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 22 Jan 2025 17:45:43 +0100
Subject: [PATCH] tests: Remove p11-kit remoting from pkcs11 tests

The p11-kit remoting was initially introduced because softhsm
was crashing during cleanup with OpenSSL 3.0. This was resolved
since then and this code introduces a lot of complexity and
possible bugs, such as when using the mechanisms from PKCS#11 3.0
that are unknown to the p11-kit remoting tool. It decides to remove
them from the list as demonstrated here:

https://github.com/p11-glue/p11-kit/issues/668

This resulted in pkcs11-provider not registering EDDSA siganture
methods to the OpenSSL and failing when asked to provide a singature
by the Ed25519 key from the PKCS#11 token.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
---
 doc/pkcs11.dox                       |  6 +---
 tests/CMakeLists.txt                 | 40 ++++++++-------------
 tests/pkcs11/setup-softhsm-tokens.sh | 52 +---------------------------
 tests/tests_config.h.cmake           |  1 -
 tests/torture.c                      | 36 ++++---------------
 5 files changed, 23 insertions(+), 112 deletions(-)

diff --git a/doc/pkcs11.dox b/doc/pkcs11.dox
index d139f7d4..b358432c 100644
--- a/doc/pkcs11.dox
+++ b/doc/pkcs11.dox
@@ -81,10 +81,6 @@ We recommend the users to provide a specific PKCS #11 URI so that it matches onl
 If the engine discovers multiple slots that could potentially contain the private keys referenced
 by the provided PKCS #11 URI, the engine will not try to authenticate.
 
-For testing, the SoftHSM PKCS#11 library is used. But it has some issues with
-OpenSSL initialization/cleanup when used with OpenSSL 3.0 so we are using it
-indirectly through a p11-kit remoting as described in the following article:
-
-https://p11-glue.github.io/p11-glue/p11-kit/manual/remoting.html
+For testing, the SoftHSM PKCS#11 library is used.
 
 */
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index bb05a5e8..f6b6fad6 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -175,6 +175,20 @@ find_program(SSHD_EXECUTABLE
                 /usr/sbin
                 /usr/local/sbin)
 
+if (WITH_PKCS11_URI)
+    find_package(softhsm)
+    if (NOT SOFTHSM_FOUND)
+        message(SEND_ERROR "Could not find softhsm module!")
+    endif (NOT SOFTHSM_FOUND)
+    find_library(PKCS11SPY
+        NAMES
+            pkcs11-spy.so
+    )
+
+    #Copy the script to setup PKCS11 tokens
+    file(COPY pkcs11/setup-softhsm-tokens.sh DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/pkcs11 FILE_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE)
+endif (WITH_PKCS11_URI)
+
 if (CLIENT_TESTING OR SERVER_TESTING)
     find_package(socket_wrapper 1.1.5 REQUIRED)
     find_package(nss_wrapper 1.1.2 REQUIRED)
@@ -193,27 +207,6 @@ if (CLIENT_TESTING OR SERVER_TESTING)
                     /usr/bin
                     /usr/local/bin)
 
-    if (WITH_PKCS11_URI)
-        find_package(softhsm)
-        if (NOT SOFTHSM_FOUND)
-            message(SEND_ERROR "Could not find softhsm module!")
-        endif (NOT SOFTHSM_FOUND)
-        find_library(PKCS11SPY
-            NAMES
-                pkcs11-spy.so
-        )
-        if (WITH_PKCS11_PROVIDER)
-            find_package(PkgConfig)
-            if (PKG_CONFIG_FOUND)
-                pkg_check_modules(P11_KIT p11-kit-1)
-                if (P11_KIT_FOUND)
-                    pkg_get_variable(P11_MODULE_PATH p11-kit-1 p11_module_path)
-                    set(P11_KIT_CLIENT ${P11_MODULE_PATH}/p11-kit-client.so)
-                endif (P11_KIT_FOUND)
-            endif (PKG_CONFIG_FOUND)
-        endif (WITH_PKCS11_PROVIDER)
-    endif (WITH_PKCS11_URI)
-
     find_program(SSH_EXECUTABLE NAMES ssh)
     if (SSH_EXECUTABLE)
         execute_process(COMMAND ${SSH_EXECUTABLE} -V ERROR_VARIABLE OPENSSH_VERSION_STR)
@@ -342,11 +335,6 @@ if (CLIENT_TESTING OR SERVER_TESTING)
         ${CMAKE_CURRENT_BINARY_DIR}/home/doe/.ssh/ FILE_PERMISSIONS OWNER_READ OWNER_WRITE)
 endif ()
 
-if (WITH_PKCS11_URI)
-    #Copy the script to setup PKCS11 tokens
-    file(COPY pkcs11/setup-softhsm-tokens.sh DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/pkcs11 FILE_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE)
-endif (WITH_PKCS11_URI)
-
 file(COPY gss/kdcsetup.sh DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/gss FILE_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE)
 
 message(STATUS "TORTURE_ENVIRONMENT=${TORTURE_ENVIRONMENT}")
diff --git a/tests/pkcs11/setup-softhsm-tokens.sh b/tests/pkcs11/setup-softhsm-tokens.sh
index f61c5a67..863c0c55 100755
--- a/tests/pkcs11/setup-softhsm-tokens.sh
+++ b/tests/pkcs11/setup-softhsm-tokens.sh
@@ -8,7 +8,6 @@ OBJNAME=$3
 TOKENLABEL=$3 # yeah. The same as object label
 LOADPUBLIC=$4
 LIBSOFTHSM_PATH=$5
-P11_KIT_CLIENT=$6
 shift 5
 
 PUBKEY="$PRIVKEY.pub"
@@ -86,55 +85,6 @@ if [ $ret -ne 0 ]; then
 fi
 echo "$out"
 
-# Skip the p11-kit if not needed
-if [ -z "$P11_KIT_CLIENT" ]; then
-    exit 0
-fi
-
-# when creating more keys, we need to restart the p11-kit
-# so it can pick up the new keys
-if [ -h "$TESTDIR/p11-kit-server.socket" ]; then
-    kill -9 "$(cat "$TESTDIR/p11-kit-server.pid")"
-    rm "$TESTDIR/p11-kit-server.socket"
-fi
-
-# p11-kit complains if there is no runtime directory
-if [ -z "$XDG_RUNTIME_DIR" ]; then
-    export XDG_RUNTIME_DIR=$PWD
-fi
-
-# Start the p11-kit server
-cmd="p11-kit server --provider $LIBSOFTHSM_PATH pkcs11:"
-echo "$cmd"
-out=$(eval "$cmd")
-ret=$?
-if [ $ret -ne 0 ]; then
-    echo "Starting p11-kit server failed"
-    echo "$out"
-    exit 1
-fi
-eval "$out"
-
-# Symlink the p11-kit-server socket to "known place"
-P11_KIT_SERVER_ADDRESS_PATH=${P11_KIT_SERVER_ADDRESS:10}
-cmd="ln -s $P11_KIT_SERVER_ADDRESS_PATH $TESTDIR/p11-kit-server.socket"
-echo "$cmd"
-out=$(eval "$cmd")
-
-# Save the PID for the C code to clean up
-cmd="echo $P11_KIT_SERVER_PID > $TESTDIR/p11-kit-server.pid"
-echo "$cmd"
-out=$(eval "$cmd")
-
-cmd="pkcs11-tool -O --login --pin=1234 --module=$P11_KIT_CLIENT --token-label=$TOKENLABEL"
-echo "$cmd"
-out=$(eval "$cmd")
-ret=$?
-echo "$out"
-if [ $ret -ne 0 ]; then
-    echo "Failed to list keys through p11-kit remoting"
-    echo "$out"
-    exit 1
-fi
+pkcs11-tool -M --login --pin=1234 --module="$LIBSOFTHSM_PATH" --token-label="$TOKENLABEL"
 
 exit 0
diff --git a/tests/tests_config.h.cmake b/tests/tests_config.h.cmake
index 356d48cb..780d8242 100644
--- a/tests/tests_config.h.cmake
+++ b/tests/tests_config.h.cmake
@@ -69,5 +69,4 @@
 #cmakedefine WITH_TIMEOUT ${WITH_TIMEOUT}
 #cmakedefine TIMEOUT_EXECUTABLE "${TIMEOUT_EXECUTABLE}"
 #cmakedefine SOFTHSM2_LIBRARY "${SOFTHSM2_LIBRARY}"
-#cmakedefine P11_KIT_CLIENT "${P11_KIT_CLIENT}"
 #cmakedefine PKCS11SPY "${PKCS11SPY}"
diff --git a/tests/torture.c b/tests/torture.c
index 9c49a4fb..5fae5af7 100644
--- a/tests/torture.c
+++ b/tests/torture.c
@@ -1385,70 +1385,48 @@ void torture_setup_tokens(const char *temp_dir,
 {
     char token_setup_start_cmd[1024] = {0};
     char socket_path[1204] = {0};
-#ifndef WITH_PKCS11_PROVIDER
     char conf_path[1024] = {0};
-#endif /* WITH_PKCS11_PROVIDER */
+#ifdef WITH_PKCS11_PROVIDER
     char *env = NULL;
+#endif /* WITH_PKCS11_PROVIDER */
     int rc;
 
     rc = snprintf(token_setup_start_cmd,
                   sizeof(token_setup_start_cmd),
-                  "%s/tests/pkcs11/setup-softhsm-tokens.sh %s %s %s %s %s %s",
+                  "%s/tests/pkcs11/setup-softhsm-tokens.sh %s %s %s %s %s",
                   BINARYDIR,
                   temp_dir,
                   filename,
                   object_name,
                   load_public,
-                  SOFTHSM2_LIBRARY,
-#ifdef WITH_PKCS11_PROVIDER
-                  P11_KIT_CLIENT
-#else
-                  ""
-#endif /* WITH_PKCS11_PROVIDER */
-    );
+                  SOFTHSM2_LIBRARY);
     assert_int_not_equal(rc, sizeof(token_setup_start_cmd));
 
     rc = system(token_setup_start_cmd);
     assert_return_code(rc, errno);
 
 #ifdef WITH_PKCS11_PROVIDER
-    rc = snprintf(socket_path,
-                  sizeof(socket_path),
-                  "unix:path=%s/p11-kit-server.socket",
-                  temp_dir);
-    assert_int_not_equal(rc, sizeof(socket_path));
-    setenv("P11_KIT_SERVER_ADDRESS", socket_path, 1);
+    setenv("PKCS11_PROVIDER_MODULE", SOFTHSM2_LIBRARY, 1);
 
-    setenv("PKCS11_PROVIDER_MODULE", P11_KIT_CLIENT, 1);
     /* This is useful for debugging PKCS#11 calls */
-
     env = getenv("TORTURE_PKCS11");
     if (env != NULL && env[0] != '\0') {
 #ifdef PKCS11SPY
-        setenv("PKCS11SPY", P11_KIT_CLIENT, 1);
+        setenv("PKCS11SPY", SOFTHSM2_LIBRARY, 1);
         setenv("PKCS11_PROVIDER_MODULE", PKCS11SPY, 1);
 #else
         fprintf(stderr, "[ TORTURE  ] >>> pkcs11-spy not found\n");
 #endif /* PKCS11SPY */
     }
-#else
-    (void)env;
+#endif /* WITH_PKCS11_PROVIDER */
 
     snprintf(conf_path, sizeof(conf_path), "%s/softhsm.conf", temp_dir);
     setenv("SOFTHSM2_CONF", conf_path, 1);
-#endif /* WITH_PKCS11_PROVIDER */
 }
 
 void torture_cleanup_tokens(const char *temp_dir)
 {
-#ifdef WITH_PKCS11_PROVIDER
-    char pidfile[1024] = {0};
-
-    snprintf(pidfile, sizeof(pidfile), "%s/p11-kit-server.pid", temp_dir);
-    torture_terminate_process(pidfile);
-#else
     unsetenv("SOFTHSM2_CONF");
-#endif /* WITH_PKCS11_PROVIDER */
 }
 #endif /* WITH_PKCS11_URI */