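#	$OpenBSD: agent-pkcs11.sh,v 1.3 2017/04/30 23:34:55 djm Exp $
#	Placed in the Public Domain.
#
# Regression test for PKCS#11 support in ssh-agent: a throwaway RSA key
# and self-signed certificate are wrapped as a soft-pkcs11 token, loaded
# into the agent with `ssh-add -s`, listed, used for a proxy-mode
# connection, and finally removed with `ssh-add -e`.
#
# Sourced by the regress harness, which supplies $OBJ, $SSHAGENT, $SSHADD,
# $SSHKEYGEN, $SSH and the trace/fail/fatal helpers; those command
# variables stay unquoted on purpose so a wrapper with arguments works.

tid="pkcs11 agent test"

# soft-pkcs11 does not enforce a PIN; an empty one keeps the test
# non-interactive.
TEST_SSH_PIN=""
TEST_SSH_PKCS11=/usr/local/lib/soft-pkcs11.so.0.0

test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist"

# setup environment for soft-pkcs11 token
SOFTPKCS11RC=$OBJ/pkcs11.info
export SOFTPKCS11RC
# prevent ssh-agent from calling ssh-askpass
SSH_ASKPASS=/usr/bin/true
export SSH_ASKPASS
unset DISPLAY

# start command w/o tty, so ssh-add accepts pin from stdin.
# Detaches from the controlling terminal with setsid(2), runs the command
# in a child and propagates its exit status (the high byte of $?).
# Feeding the PIN on stdin also keeps it out of the process argument list.
notty() {
	perl -e 'use POSIX; POSIX::setsid();
		if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
}

trace "start agent"
eval "$(${SSHAGENT} -s)" > /dev/null
r=$?
if [ "$r" -ne 0 ]; then
	fail "could not start ssh-agent: exit code $r"
else
	trace "generating key/cert"
	rm -f "$OBJ/pkcs11.key" "$OBJ/pkcs11.crt"
	openssl genrsa -out "$OBJ/pkcs11.key" 2048 > /dev/null 2>&1
	# restrict the private key before anything else reads it
	chmod 600 "$OBJ/pkcs11.key"
	openssl req -key "$OBJ/pkcs11.key" -new -x509 \
	    -out "$OBJ/pkcs11.crt" -text -subj '/CN=pkcs11 test' > /dev/null
	# Paths are passed as printf arguments rather than embedded in the
	# format string, so a '%' or backslash in $OBJ cannot corrupt the
	# tab-separated token config that soft-pkcs11 reads.
	printf 'a\ta\t%s/pkcs11.crt\t%s/pkcs11.key' "$OBJ" "$OBJ" \
	    > "$SOFTPKCS11RC"
	# add to authorized keys
	${SSHKEYGEN} -y -f "$OBJ/pkcs11.key" > "$OBJ/authorized_keys_$USER"

	trace "add pkcs11 key to agent"
	printf '%s\n' "$TEST_SSH_PIN" | \
	    notty ${SSHADD} -s "$TEST_SSH_PKCS11" > /dev/null 2>&1
	r=$?
	if [ "$r" -ne 0 ]; then
		fail "ssh-add -s failed: exit code $r"
	fi

	trace "pkcs11 list via agent"
	${SSHADD} -l > /dev/null 2>&1
	r=$?
	if [ "$r" -ne 0 ]; then
		fail "ssh-add -l failed: exit code $r"
	fi

	trace "pkcs11 connect via agent"
	# the remote command's exit code (5) proves the session ran, not
	# just that the transport connected
	${SSH} -F "$OBJ/ssh_proxy" somehost exit 5
	r=$?
	if [ "$r" -ne 5 ]; then
		fail "ssh connect failed (exit code $r)"
	fi

	trace "remove pkcs11 keys"
	printf '%s\n' "$TEST_SSH_PIN" | \
	    notty ${SSHADD} -e "$TEST_SSH_PKCS11" > /dev/null 2>&1
	r=$?
	if [ "$r" -ne 0 ]; then
		fail "ssh-add -e failed: exit code $r"
	fi

	trace "kill agent"
	${SSHAGENT} -k > /dev/null
fi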