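# $OpenBSD: agent-pkcs11-cert.sh,v 1.1 2023/12/18 14:50:08 djm Exp $
# Placed in the Public Domain.
#
# Exercises ssh-agent's handling of certificates whose private keys live on a
# PKCS#11 token: a throwaway CA certifies the SoftHSM test keys, the keys and
# certificates are loaded into the agent (first together, then certificates
# only), and every loaded identity must be listed by "ssh-add -L" and able to
# sign via "ssh-add -T".
#
# Runs inside the regress harness, which provides OBJ, SSHKEYGEN, SSHAGENT,
# SSHADD, EXTRA_AGENT_ARGS, TEST_SSH_PKCS11, SSH_SOFTHSM_DIR and the
# trace/fatal/fail/skip/p11_setup/p11_ssh_add helpers.

tid="pkcs11 agent certificate test"

# Every scratch path below (including the rm globs) is rooted at $OBJ, so
# refuse to run with it unset or empty rather than operate on "/".
: "${OBJ:?OBJ must be set to the regress object directory}"

SSH_AUTH_SOCK="$OBJ/agent.sock"
export SSH_AUTH_SOCK
LC_ALL=C
export LC_ALL
p11_setup || skip "No PKCS#11 library found"

rm -f -- "$SSH_AUTH_SOCK" "$OBJ/agent.log"
rm -f -- "$OBJ"/output_* "$OBJ"/expect_*
rm -f -- "$OBJ"/ca*

# Compare the agent's identity list with the given public key files.  Only the
# key type and base64 blob (the first two space-separated fields) are compared,
# so comments do not matter.  A mismatch is recorded with fail (not fatal) so
# the remaining checks still run; previously the diff result was not checked
# at all, so a wrong listing could not fail the test.
check_agent_list() {
	cut -d' ' -f1-2 "$@" | sort > "$OBJ/expect_list"
	$SSHADD -L | cut -d' ' -f1-2 | sort > "$OBJ/output_list"
	diff "$OBJ/expect_list" "$OBJ/output_list" ||
		fail "agent identity list does not match expected keys"
}

# Ask the agent for a test signature with each of the given public keys.
check_signing() {
	for x in "$@"; do
		$SSHADD -T "$x" || fail "Signing failed for $x"
	done
}

trace "generate CA key and certify keys"
$SSHKEYGEN -q -t ed25519 -C ca -N '' -f "$OBJ/ca" || fatal "ssh-keygen CA failed"
# Each certificate gets a distinct serial (-z); the token key certificates are
# written next to their public keys as EC-cert.pub and RSA-cert.pub, which the
# ssh-add invocations below rely on.
$SSHKEYGEN -qs "$OBJ/ca" -I "ecdsa_key" -n "$USER" -z 1 "${SSH_SOFTHSM_DIR}/EC.pub" ||
	fatal "certify ECDSA key failed"
$SSHKEYGEN -qs "$OBJ/ca" -I "rsa_key" -n "$USER" -z 2 "${SSH_SOFTHSM_DIR}/RSA.pub" ||
	fatal "certify RSA key failed"
$SSHKEYGEN -qs "$OBJ/ca" -I "ca_ca" -n "$USER" -z 3 "$OBJ/ca.pub" ||
	fatal "certify CA key failed"

rm -f -- "$SSH_AUTH_SOCK"
trace "start agent"
# EXTRA_AGENT_ARGS is intentionally unquoted: it may be empty or carry several
# arguments.  -d (debug mode, no fork) keeps the agent as the backgrounded
# process itself, so $! is the pid the EXIT trap has to kill.
${SSHAGENT} ${EXTRA_AGENT_ARGS} -d -a "$SSH_AUTH_SOCK" > "$OBJ/agent.log" 2>&1 &
AGENT_PID=$!
trap "kill $AGENT_PID" EXIT
for x in 0 1 2 3 4 ; do
	# Give it a chance to start: "ssh-add -l" exits 1 once the agent answers
	# (it holds no identities yet) and 2 while it cannot be contacted.
	${SSHADD} -l > /dev/null 2>&1
	r=$?
	test "$r" -eq 1 && break
	sleep 1
done
if [ "$r" -ne 1 ]; then
	fatal "ssh-add -l did not fail with exit code 1 (got $r)"
fi

trace "load pkcs11 keys and certs"
# Note: deliberately contains non-cert keys and non-matching cert on commandline
p11_ssh_add -qs "${TEST_SSH_PKCS11}" \
	"$OBJ/ca.pub" \
	"${SSH_SOFTHSM_DIR}/EC.pub" \
	"${SSH_SOFTHSM_DIR}/EC-cert.pub" \
	"${SSH_SOFTHSM_DIR}/RSA.pub" \
	"${SSH_SOFTHSM_DIR}/RSA-cert.pub" ||
	fatal "failed to add keys"
# Verify their presence: only the token keys and their certificates may be
# listed; the file-based ca.pub handed to ssh-add must not appear.
check_agent_list \
	"${SSH_SOFTHSM_DIR}/EC.pub" \
	"${SSH_SOFTHSM_DIR}/RSA.pub" \
	"${SSH_SOFTHSM_DIR}/EC-cert.pub" \
	"${SSH_SOFTHSM_DIR}/RSA-cert.pub"

# Verify that all can perform signatures.
check_signing \
	"${SSH_SOFTHSM_DIR}/EC.pub" "${SSH_SOFTHSM_DIR}/RSA.pub" \
	"${SSH_SOFTHSM_DIR}/EC-cert.pub" "${SSH_SOFTHSM_DIR}/RSA-cert.pub"

# Delete plain keys.  The removal itself must succeed, otherwise the following
# check passes vacuously with the plain keys still loaded.
$SSHADD -qd "${SSH_SOFTHSM_DIR}/EC.pub" "${SSH_SOFTHSM_DIR}/RSA.pub" ||
	fail "delete plain keys failed"
# Verify that certs can still perform signatures.
check_signing "${SSH_SOFTHSM_DIR}/EC-cert.pub" "${SSH_SOFTHSM_DIR}/RSA-cert.pub"

$SSHADD -qD >/dev/null || fatal "clear agent failed"

trace "load pkcs11 certs only"
# -C: certificates only, so the plain token keys must not be loaded this time.
p11_ssh_add -qCs "${TEST_SSH_PKCS11}" \
	"$OBJ/ca.pub" \
	"${SSH_SOFTHSM_DIR}/EC.pub" \
	"${SSH_SOFTHSM_DIR}/EC-cert.pub" \
	"${SSH_SOFTHSM_DIR}/RSA.pub" \
	"${SSH_SOFTHSM_DIR}/RSA-cert.pub" ||
	fatal "failed to add keys"
# Verify their presence
check_agent_list \
	"${SSH_SOFTHSM_DIR}/EC-cert.pub" \
	"${SSH_SOFTHSM_DIR}/RSA-cert.pub"

# Verify that certs can perform signatures.
check_signing "${SSH_SOFTHSM_DIR}/EC-cert.pub" "${SSH_SOFTHSM_DIR}/RSA-cert.pub"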