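#	$OpenBSD: agent-pkcs11-cert.sh,v 1.1 2023/12/18 14:50:08 djm Exp $
#	Placed in the Public Domain.

# Exercises ssh-agent's handling of PKCS#11-held keys together with the
# certificates issued for them: the token's keys and their certs are loaded
# through a PKCS#11 provider, listed, used to sign, and then reloaded in
# certificate-only mode (ssh-add -C).  This file is sourced by the regress
# driver, which supplies $OBJ, $SSHKEYGEN, $SSHAGENT, $SSHADD,
# $SSH_SOFTHSM_DIR, $TEST_SSH_PKCS11, trace/fail/fatal/skip and the p11_*
# helpers; it stays POSIX sh and reports results through fail/fatal rather
# than relying on set -e.

tid="pkcs11 agent certificate test"

SSH_AUTH_SOCK="$OBJ/agent.sock"
export SSH_AUTH_SOCK
# Locale-independent sort so expected and actual key lists compare equal.
LC_ALL=C
export LC_ALL
p11_setup || skip "No PKCS#11 library found"

rm -f "$SSH_AUTH_SOCK" "$OBJ/agent.log"
rm -f "$OBJ"/output_* "$OBJ"/expect_*
rm -f "$OBJ"/ca*

#######################################
# Compare the agent's current key list against a set of public key /
# certificate files.  Only the key type and base64 blob (fields 1-2) are
# compared so the comment field does not matter.
# Arguments: one or more .pub files whose keys the agent must hold exactly
# Outputs:   $OBJ/expect_list and $OBJ/output_list, left for inspection
# Returns:   0 when the lists match; otherwise reports via fail
#######################################
check_agent_list() {
	cut -d' ' -f1-2 "$@" | sort > "$OBJ/expect_list"
	$SSHADD -L | cut -d' ' -f1-2 | sort > "$OBJ/output_list"
	diff "$OBJ/expect_list" "$OBJ/output_list" ||
		fail "agent key list does not match expected keys"
}

trace "generate CA key and certify keys"
$SSHKEYGEN -q -t ed25519 -C ca -N '' -f "$OBJ/ca" || fatal "ssh-keygen CA failed"
# Serial numbers (-z) only need to be distinct.  The CA key itself is also
# certified, although only its plain public key is offered to ssh-add below.
$SSHKEYGEN -qs "$OBJ/ca" -I "ecdsa_key" -n "$USER" -z 1 "${SSH_SOFTHSM_DIR}/EC.pub" ||
	fatal "certify ECDSA key failed"
$SSHKEYGEN -qs "$OBJ/ca" -I "rsa_key" -n "$USER" -z 2 "${SSH_SOFTHSM_DIR}/RSA.pub" ||
	fatal "certify RSA key failed"
$SSHKEYGEN -qs "$OBJ/ca" -I "ca_ca" -n "$USER" -z 3 "$OBJ/ca.pub" ||
	fatal "certify CA key failed"

rm -f "$SSH_AUTH_SOCK"
trace "start agent"
# $SSHAGENT and $EXTRA_AGENT_ARGS are deliberately unquoted: they may carry
# several words (program plus options).  The agent runs in debug mode (-d)
# so it stays in the foreground and can be killed by PID on exit.
${SSHAGENT} ${EXTRA_AGENT_ARGS} -d -a "$SSH_AUTH_SOCK" > "$OBJ/agent.log" 2>&1 &
AGENT_PID=$!
trap "kill $AGENT_PID" EXIT
# Poll until the agent answers: ssh-add -l exits 1 once it reaches an agent
# that holds no identities, and 2 while the socket is not yet accepting.
r=2
for x in 0 1 2 3 4 ; do
	${SSHADD} -l > /dev/null 2>&1
	r=$?
	test "$r" -eq 1 && break
	sleep 1
done
if [ "$r" -ne 1 ]; then
	fatal "ssh-add -l did not fail with exit code 1 (got $r)"
fi

trace "load pkcs11 keys and certs"
# Note: deliberately contains non-cert keys and non-matching cert on commandline
p11_ssh_add -qs "${TEST_SSH_PKCS11}" \
    "$OBJ/ca.pub" \
    "${SSH_SOFTHSM_DIR}/EC.pub" \
    "${SSH_SOFTHSM_DIR}/EC-cert.pub" \
    "${SSH_SOFTHSM_DIR}/RSA.pub" \
    "${SSH_SOFTHSM_DIR}/RSA-cert.pub" ||
	fatal "failed to add keys"
# Verify their presence: exactly the two token keys and their two certs.
check_agent_list \
    "${SSH_SOFTHSM_DIR}/EC.pub" \
    "${SSH_SOFTHSM_DIR}/RSA.pub" \
    "${SSH_SOFTHSM_DIR}/EC-cert.pub" \
    "${SSH_SOFTHSM_DIR}/RSA-cert.pub"

# Verify that all can perform signatures.
for x in "${SSH_SOFTHSM_DIR}/EC.pub" "${SSH_SOFTHSM_DIR}/RSA.pub" \
    "${SSH_SOFTHSM_DIR}/EC-cert.pub" "${SSH_SOFTHSM_DIR}/RSA-cert.pub" ; do
	$SSHADD -T "$x" || fail "Signing failed for $x"
done

# Delete plain keys.
$SSHADD -qd "${SSH_SOFTHSM_DIR}/EC.pub" "${SSH_SOFTHSM_DIR}/RSA.pub" ||
	fail "failed to delete plain keys"
# Verify that certs can still perform signatures.
for x in "${SSH_SOFTHSM_DIR}/EC-cert.pub" "${SSH_SOFTHSM_DIR}/RSA-cert.pub" ; do
	$SSHADD -T "$x" || fail "Signing failed for $x"
done

$SSHADD -qD >/dev/null || fatal "clear agent failed"

trace "load pkcs11 certs only"
# -C: only certificates are loaded; the plain keys named here must be skipped.
p11_ssh_add -qCs "${TEST_SSH_PKCS11}" \
    "$OBJ/ca.pub" \
    "${SSH_SOFTHSM_DIR}/EC.pub" \
    "${SSH_SOFTHSM_DIR}/EC-cert.pub" \
    "${SSH_SOFTHSM_DIR}/RSA.pub" \
    "${SSH_SOFTHSM_DIR}/RSA-cert.pub" ||
	fatal "failed to add keys"
# Verify their presence: only the two certs, no plain keys.
check_agent_list \
    "${SSH_SOFTHSM_DIR}/EC-cert.pub" \
    "${SSH_SOFTHSM_DIR}/RSA-cert.pub"

# Verify that certs can perform signatures.
for x in "${SSH_SOFTHSM_DIR}/EC-cert.pub" "${SSH_SOFTHSM_DIR}/RSA-cert.pub" ; do
	$SSHADD -T "$x" || fail "Signing failed for $x"
done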