diff --git a/.github/actions/basic-autotools/action.yaml b/.github/actions/basic-autotools/action.yaml index ba7b9e4f..f273cf37 100644 --- a/.github/actions/basic-autotools/action.yaml +++ b/.github/actions/basic-autotools/action.yaml @@ -42,11 +42,19 @@ runs: cd $GITHUB_WORKSPACE/$BUILDDIR make install # This is necessary for 'trust/test-extract.sh' + mkdir -p $GITHUB_WORKSPACE/$INSTALLDIR/etc/pki/ca-trust-source + mkdir -p $GITHUB_WORKSPACE/$INSTALLDIR/share/pki/ca-trust-source mkdir -p $GITHUB_WORKSPACE/$INSTALLDIR/libexec/p11-kit ln -sf /usr/bin/true $GITHUB_WORKSPACE/$INSTALLDIR/libexec/p11-kit/trust-extract-compat if [ "$RUNNER_OS" = "macOS" ]; then - DD=gdd - export DD + export DD=gdd fi + # This is necessary for 'p11-kit/test-softhsm2.sh' + mkdir -p $GITHUB_WORKSPACE/$INSTALLDIR/share/p11-kit/modules + ln -sf /usr/share/p11-kit/modules/softhsm2.module $GITHUB_WORKSPACE/$INSTALLDIR/share/p11-kit/modules || : + export PATH=$GITHUB_WORKSPACE/$INSTALLDIR/bin:$PATH + export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/$INSTALLDIR/lib + export abs_top_builddir=$GITHUB_WORKSPACE/$BUILDDIR + export abs_top_srcdir=$GITHUB_WORKSPACE make installcheck shell: bash diff --git a/.github/actions/basic-meson/action.yaml b/.github/actions/basic-meson/action.yaml index 67519e99..730ffeab 100644 --- a/.github/actions/basic-meson/action.yaml +++ b/.github/actions/basic-meson/action.yaml 
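Review bot: `export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/$INSTALLDIR/lib` near the end of the hunk overwrites whatever LD_LIBRARY_PATH the runner already had, while the `export PATH=…:$PATH` line right above it appends and meson_post_install_test.sh in the same commit appends as well; use `export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/$INSTALLDIR/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` so the two code paths agree. The `ln -sf /usr/share/p11-kit/modules/softhsm2.module … || :` line swallows a missing module config, so a broken softhsm2 setup only surfaces later inside test-softhsm2.sh where the cause is harder to see; at least report it, e.g. `… || echo "softhsm2.module not found; test-softhsm2.sh will not see softhsm2" >&2`. On the macOS runner LD_LIBRARY_PATH is presumably not consulted by the dynamic loader at all, so it is worth confirming which libp11-kit the installed binaries actually resolve there.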
@@ -10,7 +10,7 @@ runs: - name: Setup run: | - $GITHUB_WORKSPACE/build/run-wrapper.sh meson setup $GITHUB_WORKSPACE/$BUILDDIR -Dstrict=true -Dprefix=$GITHUB_WORKSPACE/$INSTALLDIR -Dlibdir=$GITHUB_WORKSPACE/$INSTALLDIR/lib -Dsysconfdir=$GITHUB_WORKSPACE/$INSTALLDIR/etc -Dtrust_paths=$GITHUB_WORKSPACE/$INSTALLDIR/etc/pki/ca-trust-source:$GITHUB_WORKSPACE/$INSTALLDIR/share/pki/ca-trust-source -Dsystemd=disabled -Dbash_completion=disabled $MESON_BUILD_OPTS + $GITHUB_WORKSPACE/build/run-wrapper.sh meson setup $GITHUB_WORKSPACE/$BUILDDIR -Dstrict=true -Dprefix=$GITHUB_WORKSPACE/$INSTALLDIR -Dlibdir=$GITHUB_WORKSPACE/$INSTALLDIR/lib -Dsysconfdir=$GITHUB_WORKSPACE/$INSTALLDIR/etc -Dtrust_paths=$GITHUB_WORKSPACE/$INSTALLDIR/etc/pki/ca-trust-source:$GITHUB_WORKSPACE/$INSTALLDIR/share/pki/ca-trust-source -Dsystemd=disabled -Dbash_completion=disabled -Dpost_install_test=true $MESON_BUILD_OPTS shell: bash - name: Build (scan-build) @@ -32,6 +32,21 @@ runs: exit $ret shell: bash + - name: Prepare for post-install tests + run: | + # This is necessary for 'trust/test-extract.sh' + mkdir -p $GITHUB_WORKSPACE/$INSTALLDIR/etc/pki/ca-trust-source + mkdir -p $GITHUB_WORKSPACE/$INSTALLDIR/share/pki/ca-trust-source + mkdir -p $GITHUB_WORKSPACE/$INSTALLDIR/libexec/p11-kit + ln -sf /usr/bin/true $GITHUB_WORKSPACE/$INSTALLDIR/libexec/p11-kit/trust-extract-compat + if [ "$RUNNER_OS" = "macOS" ]; then + export DD=gdd + fi + # This is necessary for 'p11-kit/test-softhsm2.sh' + mkdir -p $GITHUB_WORKSPACE/$INSTALLDIR/share/p11-kit/modules + ln -sf /usr/share/p11-kit/modules/softhsm2.module $GITHUB_WORKSPACE/$INSTALLDIR/share/p11-kit/modules || : + shell: bash + - name: Install run: ninja -C $GITHUB_WORKSPACE/$BUILDDIR install shell: bash diff --git a/Makefile.am b/Makefile.am index da5990b1..dc14913c 100644 --- a/Makefile.am +++ b/Makefile.am 
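Review bot: `export DD=gdd` in the new "Prepare for post-install tests" step never reaches the later "Install" step, where `ninja … install` runs the post-install scripts, because every `run:` step is a separate shell; to carry it across steps write it to the job environment file instead, `echo "DD=gdd" >> "$GITHUB_ENV"`, inside the macOS branch. The same step's `ln -sf … softhsm2.module … || :` silently tolerates a missing module config, deferring the failure to test-softhsm2.sh at install time. The first hunk's `-Dpost_install_test=true` is what enables these scripts, so the lost DD export is live on the macOS runner.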
@@ -43,6 +43,9 @@ c_tests = sh_tests = TESTS = $(c_tests) $(sh_tests) +post_install_tests = +noinst_SCRIPTS = $(post_install_tests) + moduledir = $(p11_module_path) module_LTLIBRARIES = @@ -76,6 +79,8 @@ DISTCHECK_CONFIGURE_FLAGS = \ AM_TESTS_ENVIRONMENT = \ abs_top_builddir="$(abs_top_builddir)"; \ export abs_top_builddir; \ + abs_top_srcdir="$(abs_top_srcdir)"; \ + export abs_top_srcdir; \ P11_MODULE_PATH="$(abs_top_builddir)/.libs"; \ export P11_MODULE_PATH; AM_TESTS_FD_REDIRECT = 9>&2; @@ -113,6 +118,15 @@ dist-hook: echo A git clone is required to generate a ChangeLog >&2; \ fi +noinst_SCRIPTS += $(post_install_tests) + +if !OS_WIN32 +installcheck-local: + for t in $(post_install_tests); do \ + abs_top_builddir="$(abs_top_builddir)" $(SHELL) $(srcdir)/$$t; \ + done +endif + if WITH_COVERAGE coverage: mkdir -p build/coverage diff --git a/meson_options.txt b/meson_options.txt index a07f6867..34d6f61d 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -74,6 +74,10 @@ option('test', type : 'boolean', value : true, description : 'Enable building test programs') +option('post_install_test', type : 'boolean', + value : false, + description : 'Enable running post-install test programs') + option('rpc_min', type : 'integer', min : 0, max : 0, value : 0, description : 'Minimum RPC protocol version we support') diff --git a/meson_post_install_test.sh b/meson_post_install_test.sh new file mode 100755 index 00000000..5afb90ce --- /dev/null +++ b/meson_post_install_test.sh @@ -0,0 +1,15 @@ +#!/bin/sh + +set +x + +bindir="$1" +libdir="$2" +shift 2 + +export PATH="$MESON_INSTALL_DESTDIR_PREFIX/$bindir:$PATH" +export LD_LIBRARY_PATH="$MESON_INSTALL_DESTDIR_PREFIX/$libdir:$LD_LIBRARY_PATH" +export PKG_CONFIG_PATH="$MESON_INSTALL_DESTDIR_PREFIX/$libdir/pkg-config:$PKG_CONFIG_PATH" +export abs_top_builddir="$MESON_BUILD_ROOT" +export abs_top_srcdir="$MESON_SOURCE_ROOT" + +exec "$@" diff --git a/p11-kit/Makefile.am b/p11-kit/Makefile.am index 8465478a..f943a86f 100644 
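Review bot: The `installcheck-local` loop in the third hunk reports only the last script's exit status, so a failing `trust/test-trust.sh` or `p11-kit/test-softhsm2.sh` is masked whenever a later script passes; the per-line recipe it replaces in trust/Makefile.am (removed in that file's hunk) stopped at the first failure. Add `|| exit 1` inside the loop: `abs_top_builddir="$(abs_top_builddir)" $(SHELL) $(srcdir)/$$t || exit 1; \`. The `noinst_SCRIPTS += $(post_install_tests)` added by the same hunk duplicates the `noinst_SCRIPTS = $(post_install_tests)` from the first hunk, so every script is listed twice — keep one. The loop also passes only abs_top_builddir, whereas `AM_TESTS_ENVIRONMENT` in the second hunk now exports abs_top_srcdir too; if a post-install script ever needs it, mirror it here.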
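Review bot: `export PKG_CONFIG_PATH="$MESON_INSTALL_DESTDIR_PREFIX/$libdir/pkg-config:…"` in the new meson_post_install_test.sh points at a directory that is not where .pc files are installed; pkg-config looks in `$libdir/pkgconfig`, so change it to `export PKG_CONFIG_PATH="$MESON_INSTALL_DESTDIR_PREFIX/$libdir/pkgconfig:$PKG_CONFIG_PATH"`. The LD_LIBRARY_PATH and PKG_CONFIG_PATH lines append `:$VAR` unconditionally, so when the variable is unset the value ends in a lone `:`; the dynamic loader treats an empty LD_LIBRARY_PATH element as the current directory, which lets the installed binaries pick up libraries from whatever cwd `ninja install` happens to run in — use `${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` (and the same form for the other two). `set +x` on the third line is a no-op that reads like a leftover from `set -x`; drop it. The script also assumes `bindir` and `libdir` are prefix-relative; an absolute `-Dlibdir=` would yield a doubled path, which deserves a comment or a guard.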
--- a/p11-kit/Makefile.am +++ b/p11-kit/Makefile.am @@ -545,7 +545,8 @@ check_LTLIBRARIES += \ mock-ten.la \ mock-eleven.la \ mock-twelve.la \ - mock-thirteen.la + mock-thirteen.la \ + mock-fourteen.la mock_one_la_SOURCES = p11-kit/mock-module-ep.c mock_one_la_LIBADD = libp11-test.la libp11-common.la @@ -622,6 +623,18 @@ else mock_thirteen_la_LIBADD = $(mock_one_la_LIBADD) endif +mock_fourteen_la_SOURCES = p11-kit/mock-module-ep12.c +mock_fourteen_la_LDFLAGS = $(mock_one_la_LDFLAGS) +if WITH_ASN1 +mock_fourteen_la_LIBADD = libp11-asn1.la $(mock_one_la_LIBADD) $(LIBTASN1_LIBS) +else +mock_fourteen_la_LIBADD = $(mock_one_la_LIBADD) +endif + +if WITH_ASN1 +post_install_tests += p11-kit/test-softhsm2.sh +endif + EXTRA_DIST += \ p11-kit/fixtures \ p11-kit/templates \ @@ -637,4 +650,5 @@ EXTRA_DIST += \ p11-kit/test-import-public.sh \ p11-kit/test-list-mechanisms.sh \ p11-kit/test-generate-keypair.sh \ + p11-kit/test-softhsm2.sh \ $(NULL) diff --git a/p11-kit/fixtures/package-modules/softhsm2.module b/p11-kit/fixtures/package-modules/fourteen.module similarity index 62% rename from p11-kit/fixtures/package-modules/softhsm2.module rename to p11-kit/fixtures/package-modules/fourteen.module index d64528c8..e3fd1d4b 100644 --- a/p11-kit/fixtures/package-modules/softhsm2.module +++ b/p11-kit/fixtures/package-modules/fourteen.module @@ -1,4 +1,4 @@ -module: libsofthsm2.so +module: mock-fourteen.so managed: yes enable-in: p11-kit-testable diff --git a/p11-kit/meson.build b/p11-kit/meson.build index 70583f14..c7a47f5a 100644 --- a/p11-kit/meson.build +++ b/p11-kit/meson.build @@ -386,6 +386,7 @@ if get_option('test') p11_kit_tests_env = environment() p11_kit_tests_env.set('abs_top_builddir', top_build_dir) + p11_kit_tests_env.set('abs_top_srcdir', top_source_dir) p11_kit_tests_env.set('P11_MODULE_PATH', meson.current_build_dir()) if host_system != 'windows' 
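Review bot: The second hunk opens `if WITH_ASN1` twice in a row — once for `mock_fourteen_la_LIBADD` and again for `post_install_tests += p11-kit/test-softhsm2.sh`; moving the `post_install_tests +=` line into the first conditional's true branch keeps the ASN.1-gated additions together. The rename of `softhsm2.module` to `fourteen.module` in this commit means the in-tree tests presumably now load the persist-backed mock (its `enable-in: p11-kit-testable` line) where a real softhsm2 module used to be, with real softhsm2 exercised only post-install; a one-line comment above `mock_fourteen_la_SOURCES` recording that split, e.g. `# mock-fourteen: persist-backed token used by the in-tree keypair/import tests (see fixtures/package-modules/fourteen.module)`, would save the next reader the archaeology.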
@@ -432,6 +433,15 @@ if get_option('test') env: p11_kit_tests_env) endif + if get_option('post_install_test') and with_asn1 and host_system != 'windows' + meson.add_install_script( + top_source_dir / 'meson_post_install_test.sh', + bindir, + libdir, + find_program('test-softhsm2.sh'), + ) + endif + mock_sources = { 'mock-one': ['mock-module-ep.c'], 'mock-v3-one': ['mock-module-v3-ep.c'], @@ -447,7 +457,8 @@ if get_option('test') 'mock-ten': ['mock-module-ep8.c'], 'mock-eleven': ['mock-module-ep9.c'], 'mock-twelve': ['mock-module-ep10.c'], - 'mock-thirteen': ['mock-module-ep11.c'] + 'mock-thirteen': ['mock-module-ep11.c'], + 'mock-fourteen': ['mock-module-ep12.c'] } if host_system != 'windows' diff --git a/p11-kit/mock-module-ep12.c b/p11-kit/mock-module-ep12.c new file mode 100644 index 00000000..ea5dafb8 --- /dev/null +++ b/p11-kit/mock-module-ep12.c 
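Review bot: `meson.add_install_script(…)` in the second hunk runs test-softhsm2.sh as part of `ninja install`, so a test failure aborts the install midway and leaves a partial tree, and when the install is performed with elevated privileges the test and its `softhsm2-util --init-token` calls run with those privileges too. The `post_install_test` option description in meson_options.txt, `'Enable running post-install test programs'`, should say so, e.g. `description : 'Run post-install tests during "ninja install" (intended for CI; a failure aborts the install)'`. The gate `get_option('post_install_test') and with_asn1 and host_system != 'windows'` mirrors the `if WITH_ASN1` / `!OS_WIN32` conditions in p11-kit/Makefile.am and Makefile.am; a short comment pointing at them would help keep the two build systems in step.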
@@ -0,0 +1,203 @@ +/* + * Copyright (c) 2023, Red Hat Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above + * copyright notice, this list of conditions and the + * following disclaimer. + * * Redistributions in binary form must reproduce the + * above copyright notice, this list of conditions and + * the following disclaimer in the documentation and/or + * other materials provided with the distribution. + * * The names of contributors to this software may not be + * used to endorse or promote products derived from this + * software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. 
+ * + * Author: Zoltan Fridrich , Daiki Ueno + */ + +#include "config.h" + +#define CRYPTOKI_EXPORTS 1 +#include "pkcs11.h" + +#include "attrs.h" +#include "debug.h" +#include "mock.h" + +#ifdef WITH_ASN1 +#include "persist.h" +#endif + +#include +#include + +static const CK_TOKEN_INFO MOCK_TOKEN_INFO = { + "PERSIST LABEL ONE ", + "PERSIST MANUFACTURER ", + "PERSIST MODEL ", + "PERSIST SERIAL ", + CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_CLOCK_ON_TOKEN | CKF_TOKEN_INITIALIZED, + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 9, + 10, + { 75, 175 }, + { 85, 185 }, + { '1', '9', '9', '9', '0', '5', '2', '5', '0', '9', '1', '9', '5', '9', '0', '0' } +}; + +static CK_RV +override_C_GetTokenInfo (CK_SLOT_ID slot_id, + CK_TOKEN_INFO_PTR info) +{ + return_val_if_fail (info != NULL, CKR_ARGUMENTS_BAD); + + switch (slot_id) { + case MOCK_SLOT_ONE_ID: + memcpy (info, &MOCK_TOKEN_INFO, sizeof (*info)); + return CKR_OK; + case MOCK_SLOT_TWO_ID: + return CKR_TOKEN_NOT_PRESENT; + default: + return CKR_SLOT_ID_INVALID; + } +} + +#ifdef WITH_ASN1 +static CK_RV +override_C_Initialize (CK_VOID_PTR init_args) +{ + bool ok; + size_t i, size = 0; + void *data = NULL; + const char *filename = "test-persist.p11-kit"; + p11_mmap *map = NULL; + p11_persist *persist = NULL; + p11_array *objects = NULL; + CK_ATTRIBUTE *attrs = NULL; + CK_RV rv; + + map = p11_mmap_open (filename, NULL, &data, &size); + if (map == NULL) + return mock_C_Initialize (init_args); + + ok = p11_persist_magic (data, size); + return_val_if_fail (ok, CKR_GENERAL_ERROR); + + persist = p11_persist_new (); + return_val_if_fail (persist != NULL, CKR_HOST_MEMORY); + + objects = p11_array_new (NULL); + return_val_if_fail (objects != NULL, CKR_HOST_MEMORY); + + ok = p11_persist_read (persist, filename, (const unsigned char *)data, size, objects); + return_val_if_fail (ok, CKR_GENERAL_ERROR); + + rv = mock_C_Initialize (init_args); + for (i = 0; i < objects->num; ++i) { + attrs = p11_attrs_build (objects->elem[i], NULL); + 
mock_module_add_object (MOCK_SLOT_ONE_ID, attrs); + p11_attrs_free (attrs); + } + + p11_array_free (objects); + p11_persist_free (persist); + p11_mmap_close (map); + return rv; +} + +struct WriteData { + p11_persist *persist; + p11_buffer buf; +}; + +static bool +persist_enumerator (CK_OBJECT_HANDLE handle, + CK_ATTRIBUTE *attrs, + void *user_data) +{ + struct WriteData *data = user_data; + + p11_persist_write (data->persist, attrs, &data->buf); + + return true; +} + +static CK_RV +override_C_Finalize (CK_VOID_PTR reserved) +{ + bool ok; + FILE *f = NULL; + const char *filename = "test-persist.p11-kit"; + CK_SESSION_HANDLE session = 0; + struct WriteData data; + CK_RV rv; + + ok = p11_buffer_init (&data.buf, 0); + return_val_if_fail (ok, CKR_HOST_MEMORY); + + data.persist = p11_persist_new (); + return_val_if_fail (data.persist != NULL, CKR_HOST_MEMORY); + + rv = mock_C_OpenSession (MOCK_SLOT_ONE_ID, CKF_SERIAL_SESSION, NULL, NULL, &session); + return_val_if_fail (rv == CKR_OK, CKR_GENERAL_ERROR); + + mock_module_enumerate_objects (session, + persist_enumerator, + &data); + + rv = mock_C_CloseSession (session); + return_val_if_fail (rv == CKR_OK, CKR_GENERAL_ERROR); + + f = fopen (filename, "wb"); + return_val_if_fail (f != NULL, CKR_HOST_MEMORY); + fwrite (data.buf.data, 1, data.buf.len, f); + fclose (f); + + p11_persist_free (data.persist); + p11_buffer_uninit (&data.buf); + return mock_C_Finalize (reserved); +} +#endif /* WITH_ASN1 */ + +#ifdef OS_WIN32 +__declspec(dllexport) +#endif +CK_RV +C_GetFunctionList (CK_FUNCTION_LIST_PTR_PTR list) +{ + mock_module_init (); +#ifdef WITH_ASN1 + mock_module.C_Initialize = override_C_Initialize; + mock_module.C_Finalize = override_C_Finalize; +#endif + mock_module.C_GetFunctionList = C_GetFunctionList; + mock_module.C_GetTokenInfo = override_C_GetTokenInfo; + if (list == NULL) + return CKR_ARGUMENTS_BAD; + *list = &mock_module; + return CKR_OK; +} 
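Review bot: `override_C_Finalize` writes the persist file with an unchecked `fwrite` and `fclose` straight to `test-persist.p11-kit`, so a short write or a failing close leaves a truncated file that the next `override_C_Initialize` rejects at `p11_persist_magic` with CKR_GENERAL_ERROR, making the token unloadable for every later test in that directory; a failed `fopen` is also reported as CKR_HOST_MEMORY and leaks `data.persist` and `data.buf`. Write to a temporary name and rename over the target only after both calls succeed, as below (`rename`/`remove` come from the same stdio header `fopen` already needs; on Windows `rename` does not replace an existing file, so that path would need a platform-specific replacement if persistence is wanted there). The early `return_val_if_fail` exits in `override_C_Initialize` likewise leak `map`, `persist` and `objects`, and the loop calls `mock_module_add_object` without first checking the `rv` returned by `mock_C_Initialize`; a `if (rv != CKR_OK) goto out;` with a shared cleanup label fixes both. Since `filename` is relative, the module reads and writes in the loading process's current directory — a comment on that line saying this is intentional for the in-tree tests, which `cd` into a per-test directory, would stop the next reader from "fixing" it.
```c
static CK_RV
override_C_Finalize (CK_VOID_PTR reserved)
{
	/* … unchanged: bool ok, FILE *f, filename, session, data, rv declarations … */
	const char *tmpname = "test-persist.p11-kit.tmp";

	/* … unchanged: buffer/persist setup, session open, enumeration, session close … */

	/* Write to a temporary file and rename, so a failed or interrupted
	 * write never leaves a truncated persist file behind for the next
	 * C_Initialize to choke on. */
	f = fopen (tmpname, "wb");
	if (f == NULL) {
		rv = CKR_GENERAL_ERROR;
		goto out;
	}
	if (fwrite (data.buf.data, 1, data.buf.len, f) != data.buf.len) {
		fclose (f);
		remove (tmpname);
		rv = CKR_GENERAL_ERROR;
		goto out;
	}
	if (fclose (f) != 0 || rename (tmpname, filename) != 0) {
		remove (tmpname);
		rv = CKR_GENERAL_ERROR;
		goto out;
	}
	rv = CKR_OK;

out:
	p11_persist_free (data.persist);
	p11_buffer_uninit (&data.buf);
	if (rv != CKR_OK)
		return rv;
	return mock_C_Finalize (reserved);
}
```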
diff --git a/p11-kit/test-generate-keypair.sh b/p11-kit/test-generate-keypair.sh index fcc56067..8371dfce 100755 --- a/p11-kit/test-generate-keypair.sh +++ b/p11-kit/test-generate-keypair.sh 
@@ -10,83 +10,60 @@ test "${abs_top_builddir+set}" = set || { : ${P11_MODULE_PATH="$abs_top_builddir"/.libs} setup() { - testdir=$PWD/test-objects-$$ + testdir=$PWD/test-genkey-$$ test -d "$testdir" || mkdir "$testdir" cd "$testdir" - mkdir tokens - cat > softhsm2.conf </dev/null; then - skip "softhsm2-util not found" - return - fi - softhsm2-util --init-token --free --label test-genkey --so-pin 12345 --pin 12345 - - : ${PKG_CONFIG=pkg-config} - if ! "$PKG_CONFIG" p11-kit-1 --exists; then - skip "pkgconfig(p11-kit-1) not found" - return - fi - - module_path=$("$PKG_CONFIG" p11-kit-1 --variable=p11_module_path) - if ! test -e "$module_path/libsofthsm2.so"; then - skip "unable to resolve libsofthsm2.so" - return - fi - - ln -sf "$module_path"/libsofthsm2.so "$P11_MODULE_PATH" } teardown() { - unset SOFTHSM2_CONF rm -rf "$testdir" } +test_generate_keypair_mock() { + if ! "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label=mock --type=mock "pkcs11:token=PUBKEY%20LABEL?pin-value=booo"; then + assert_fail "unable to run p11-kit generate-keypair" + fi +} + test_generate_keypair_rsa() { - if ! 
"$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label=rsa --type=rsa --bits=2048 "pkcs11:token=test-genkey?pin-value=12345"; then - assert_fail "unable to run: p11-kit generate-keypair" + if "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label=rsa --type=rsa --bits=2048 "pkcs11:token=PUBKEY%20LABEL?pin-value=booo" 2> err.out; then + assert_fail "expected to fail: p11-kit generate-keypair" + fi + assert_contains err.out "key-pair generation failed: The crypto mechanism is invalid or unrecognized" + + if "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label=rsa --type=rsa "pkcs11:token=PUBKEY%20LABEL?pin-value=booo" 2> err.out; then + assert_fail "expected to fail: p11-kit generate-keypair" fi + assert_contains err.out "no bits specified" } test_generate_keypair_ecdsa() { for curve in secp256r1 secp384r1 secp521r1; do - if ! "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label="ecdsa-$curve" --type=ecdsa --curve="$curve" "pkcs11:token=test-genkey?pin-value=12345"; then - assert_fail "unable to run: p11-kit generate-keypair" + if "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label="ecdsa-$curve" --type=ecdsa --curve="$curve" "pkcs11:token=PUBKEY%20LABEL?pin-value=booo" 2> err.out; then + assert_fail "expected to fail: p11-kit generate-keypair" fi done + assert_contains err.out "key-pair generation failed: The crypto mechanism is invalid or unrecognized" - if "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label="ecdsa-unknown" --type=ecdsa --curve=unknown "pkcs11:token=test-genkey?pin-value=12345"; then + if "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label="ecdsa-unknown" --type=ecdsa --curve=unknown "pkcs11:token=PUBKEY%20LABEL?pin-value=booo" 2> err.out; then assert_fail "p11-kit generate-keypair succeeded for unknown ecdsa curve" fi + assert_contains err.out "unknown curve name: unknown" } 
test_generate_keypair_eddsa() { - curves= - mech=$("$abs_top_builddir"/p11-kit/p11-kit-testable list-mechanisms "pkcs11:token=test-genkey" | sed -n '/CKM_EDDSA/p') - if test -z "$mech"; then - skip "no support for EdDSA" - return - fi - if expr "$mech" : ".*key-size=256-" > /dev/null; then - curve="$curve ed25519" - fi - if expr "$mech" : ".*key-size=.*-456" > /dev/null; then - curve="$curve ed448" - fi - for curve in $curves; do - if ! "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label="eddsa-$curve" --type=eddsa --curve="$curve" "pkcs11:token=test-genkey?pin-value=12345"; then + for curve in ed25519 ed448; do + if "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label="eddsa-$curve" --type=eddsa --curve="$curve" "pkcs11:token=PUBKEY%20LABEL?pin-value=booo" 2> err.out; then assert_fail "unable to run: p11-kit generate-keypair" fi done + assert_contains err.out "key-pair generation failed: The crypto mechanism is invalid or unrecognized" - if "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label="eddsa-unknown" --type=eddsa --curve=unknown "pkcs11:token=test-genkey?pin-value=12345"; then + if "$abs_top_builddir"/p11-kit/p11-kit-testable generate-keypair --login --label="eddsa-unknown" --type=eddsa --curve=unknown "pkcs11:token=PUBKEY%20LABEL?pin-value=booo"; then assert_fail "p11-kit generate-keypair succeeded for unknown eddsa curve" fi + assert_contains err.out "unknown curve name: unknown" } -run test_generate_keypair_rsa test_generate_keypair_ecdsa \ - test_generate_keypair_ecdsa +run test_generate_keypair_mock test_generate_keypair_rsa \ + test_generate_keypair_ecdsa test_generate_keypair_ecdsa diff --git a/p11-kit/test-import-public.sh b/p11-kit/test-import-public.sh index 604f4316..1972a8ba 100755 --- a/p11-kit/test-import-public.sh +++ b/p11-kit/test-import-public.sh 
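Review bot: The `run` line at the end of the hunk lists `test_generate_keypair_ecdsa` twice and never names `test_generate_keypair_eddsa`, so the EdDSA test is dead code (the old file had the same slip, now carried forward); it should read `run test_generate_keypair_mock test_generate_keypair_rsa test_generate_keypair_ecdsa test_generate_keypair_eddsa`. Once it runs, the `eddsa-unknown` invocation will fail its `assert_contains err.out "unknown curve name: unknown"`, because that call is the only one in the file without `2> err.out` and err.out still holds the previous loop's mechanism error; append `2> err.out` to it. The loop's `assert_fail "unable to run: p11-kit generate-keypair"` also contradicts the now-inverted condition — the rsa and ecdsa tests in the same hunk use `"expected to fail: p11-kit generate-keypair"`.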
@@ -5,87 +5,34 @@ test "${abs_top_builddir+set}" = set || { exit 1 } -. "$abs_top_builddir/common/test-init.sh" +test "${abs_top_srcdir+set}" = set || { + echo "set abs_top_srcdir" 1>&2 + exit 1 +} -: ${P11_MODULE_PATH="$abs_top_builddir"/.libs} +. "$abs_top_builddir/common/test-init.sh" setup() { - testdir=$PWD/test-objects-$$ + testdir=$PWD/test-import-$$ test -d "$testdir" || mkdir "$testdir" cd "$testdir" - mkdir tokens - cat > softhsm2.conf </dev/null; then - skip "softhsm2-util not found" - return - fi - softhsm2-util --init-token --free --label test-import-key --so-pin 12345 --pin 12345 - - : ${PKG_CONFIG=pkg-config} - if ! "$PKG_CONFIG" p11-kit-1 --exists; then - skip "pkgconfig(p11-kit-1) not found" - return - fi - - module_path=$("$PKG_CONFIG" p11-kit-1 --variable=p11_module_path) - if ! test -e "$module_path/libsofthsm2.so"; then - skip "unable to resolve libsofthsm2.so" - return - fi - - ln -sf "$module_path"/libsofthsm2.so "$P11_MODULE_PATH" } teardown() { - unset SOFTHSM2_CONF rm -rf "$testdir" } test_import_cert() { - # Taken from: trust/fixtures/thawte.pem - cat > export.exp < export.out; then + if ! "$abs_top_builddir"/p11-kit/p11-kit-testable export-object -q --login "pkcs11:token=PERSIST%20LABEL%20ONE;object=cert?pin-value=booo" > export.out; then assert_fail "unable to run: p11-kit export-object" fi : ${DIFF=diff} - if ! ${DIFF} export.exp export.out > export.diff; then + if ! ${DIFF} "$abs_top_srcdir"/trust/fixtures/cacert3.pem export.out > export.diff; then sed 's/^/# /' export.diff assert_fail "output contains incorrect result" fi 
@@ -107,11 +54,11 @@ fQIDAQAB -----END PUBLIC KEY----- EOF - if ! "$abs_top_builddir"/p11-kit/p11-kit-testable import-object -q --login --file="export.exp" --label=rsa "pkcs11:token=test-import-key?pin-value=12345"; then + if ! "$abs_top_builddir"/p11-kit/p11-kit-testable import-object -q --login --file="export.exp" --label=rsa "pkcs11:token=PERSIST%20LABEL%20ONE?pin-value=booo"; then assert_fail "unable to run: p11-kit import-object" fi - if ! "$abs_top_builddir"/p11-kit/p11-kit-testable export-object -q --login "pkcs11:token=test-import-key;object=rsa?pin-value=12345" > export.out; then + if ! "$abs_top_builddir"/p11-kit/p11-kit-testable export-object -q --login "pkcs11:token=PERSIST%20LABEL%20ONE;object=rsa?pin-value=booo" > export.out; then assert_fail "unable to run: p11-kit export-object" fi @@ -133,11 +80,11 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsaTJt0debXaW7Hpcrpn7X07SsTk9 -----END PUBLIC KEY----- EOF - if ! "$abs_top_builddir"/p11-kit/p11-kit-testable import-object -q --login --file="export.exp" --label=ec "pkcs11:token=test-import-key?pin-value=12345"; then + if ! "$abs_top_builddir"/p11-kit/p11-kit-testable import-object -q --login --file="export.exp" --label=ec "pkcs11:token=PERSIST%20LABEL%20ONE?pin-value=booo"; then assert_fail "unable to run: p11-kit import-object" fi - if ! "$abs_top_builddir"/p11-kit/p11-kit-testable export-object -q --login "pkcs11:token=test-import-key;object=ec?pin-value=12345" > export.out; then + if ! "$abs_top_builddir"/p11-kit/p11-kit-testable export-object -q --login "pkcs11:token=PERSIST%20LABEL%20ONE;object=ec?pin-value=booo" > export.out; then assert_fail "unable to run: p11-kit export-object" fi diff --git a/p11-kit/test-lists.sh b/p11-kit/test-lists.sh index ae2d30cc..6a460002 100755 --- a/p11-kit/test-lists.sh +++ b/p11-kit/test-lists.sh 
@@ -53,6 +53,23 @@ module: eleven user-pin-initialized clock-on-token token-initialized +module: fourteen + uri: pkcs11:library-description=MOCK%20LIBRARY;library-manufacturer=MOCK%20MANUFACTURER + library-description: MOCK LIBRARY + library-manufacturer: MOCK MANUFACTURER + library-version: 45.145 + token: PERSIST LABEL ONE + uri: pkcs11:model=PERSIST%20MODEL;manufacturer=PERSIST%20MANUFACTURER;serial=PERSIST%20SERIAL;token=PERSIST%20LABEL%20ONE + manufacturer: PERSIST MANUFACTURER + model: PERSIST MODEL + serial-number: PERSIST SERIAL + hardware-version: 75.175 + firmware-version: 85.185 + flags: + login-required + user-pin-initialized + clock-on-token + token-initialized module: one uri: pkcs11:library-description=MOCK%20LIBRARY;library-manufacturer=MOCK%20MANUFACTURER library-description: MOCK LIBRARY diff --git a/p11-kit/test-softhsm2.sh b/p11-kit/test-softhsm2.sh new file mode 100755 index 00000000..0aefd8ae --- /dev/null +++ b/p11-kit/test-softhsm2.sh 
@@ -0,0 +1,180 @@ +#!/bin/sh + +test "${abs_top_builddir+set}" = set || { + echo "set abs_top_builddir" 1>&2 + exit 1 +} + +. "$abs_top_builddir/common/test-init.sh" + +setup() { + testdir=$PWD/test-objects-$$ + test -d "$testdir" || mkdir "$testdir" + cd "$testdir" + mkdir tokens + cat > softhsm2.conf </dev/null; then + skip "softhsm2-util not found" + return + fi + softhsm2-util --init-token --free --label test-genkey --so-pin 12345 --pin 12345 + softhsm2-util --init-token --free --label test-import --so-pin 12345 --pin 12345 +} + +teardown() { + unset SOFTHSM2_CONF + rm -rf "$testdir" +} + +test_generate_keypair_rsa() { + if ! p11-kit generate-keypair --login --label=rsa --type=rsa --bits=2048 "pkcs11:token=test-genkey?pin-value=12345"; then + assert_fail "unable to run: p11-kit generate-keypair" + fi +} + +test_generate_keypair_ecdsa() { + for curve in secp256r1 secp384r1 secp521r1; do + if ! p11-kit generate-keypair --login --label="ecdsa-$curve" --type=ecdsa --curve="$curve" "pkcs11:token=test-genkey?pin-value=12345"; then + assert_fail "unable to run: p11-kit generate-keypair" + fi + done + + if p11-kit generate-keypair --login --label="ecdsa-unknown" --type=ecdsa --curve=unknown "pkcs11:token=test-genkey?pin-value=12345"; then + assert_fail "p11-kit generate-keypair succeeded for unknown ecdsa curve" + fi +} + +test_generate_keypair_eddsa() { + curves= + mech=$(p11-kit list-mechanisms "pkcs11:token=test-genkey" | sed -n '/CKM_EDDSA/p') + if test -z "$mech"; then + skip "no support for EdDSA" + return + fi + if expr "$mech" : ".*key-size=256-" > /dev/null; then + curve="$curve ed25519" + fi + if expr "$mech" : ".*key-size=.*-456" > /dev/null; then + curve="$curve ed448" + fi + for curve in $curves; do + if ! 
p11-kit generate-keypair --login --label="eddsa-$curve" --type=eddsa --curve="$curve" "pkcs11:token=test-genkey?pin-value=12345"; then + assert_fail "unable to run: p11-kit generate-keypair" + fi + done + + if p11-kit generate-keypair --login --label="eddsa-unknown" --type=eddsa --curve=unknown "pkcs11:token=test-genkey?pin-value=12345"; then + assert_fail "p11-kit generate-keypair succeeded for unknown eddsa curve" + fi +} + +test_import_cert() { + # Taken from: trust/fixtures/thawte.pem + cat > export.exp < export.out; then + assert_fail "unable to run: p11-kit export-object" + fi + + : ${DIFF=diff} + if ! ${DIFF} export.exp export.out > export.diff; then + sed 's/^/# /' export.diff + assert_fail "output contains incorrect result" + fi +} + +test_import_pubkey_rsa() { + # Generated and extracted with: + # p11-kit generate-keypair --type=rsa --bits=2048 --label=RSA 'pkcs11:model=SoftHSM%20v2' + # p11tool --export 'pkcs11:model=SoftHSM%20v2;object=RSA;type=public' + cat > export.exp < export.out; then + assert_fail "unable to run: p11-kit export-object" + fi + + : ${DIFF=diff} + if ! ${DIFF} export.exp export.out > export.diff; then + sed 's/^/# /' export.diff + assert_fail "output contains incorrect result" + fi +} + +test_import_pubkey_ec() { + # Generated and extracted with: + # p11-kit generate-keypair --type=ecdsa --curve=secp256r1 --label=EC 'pkcs11:model=SoftHSM%20v2' + # p11tool --export 'pkcs11:model=SoftHSM%20v2;object=EC;type=public' + cat > export.exp < export.out; then + assert_fail "unable to run: p11-kit export-object" + fi + + : ${DIFF=diff} + if ! ${DIFF} export.exp export.out > export.diff; then + sed 's/^/# /' export.diff + assert_fail "output contains incorrect result" + fi +} + +run test_generate_keypair_rsa test_generate_keypair_ecdsa \ + test_generate_keypair_ecdsa \ + test_import_cert test_import_pubkey_rsa test_import_pubkey_ec diff --git a/trust/Makefile.am b/trust/Makefile.am index 564f6e17..89bc2e0f 100644 --- a/trust/Makefile.am 
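Review bot: In `test_generate_keypair_eddsa` of the new test-softhsm2.sh the curve list is accumulated into `curve` (`curve="$curve ed25519"`, `curve="$curve ed448"`) but the loop iterates over `$curves`, which stays empty, so no EdDSA key pair is ever generated even when the token advertises CKM_EDDSA; change both appends to `curves="$curves ed25519"` and `curves="$curves ed448"`. The `run` line at the end also lists `test_generate_keypair_ecdsa` twice and omits `test_generate_keypair_eddsa`, so the function is not even invoked — both slips are inherited from the old test-generate-keypair.sh. The script calls bare `p11-kit` and `softhsm2-util` and relies on the PATH and module-directory setup done by meson_post_install_test.sh and the CI actions; a comment at the top naming those prerequisites (`abs_top_builddir`, an installed `p11-kit` on PATH, an enabled softhsm2 module config) would make it runnable by hand.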
+++ b/trust/Makefile.am @@ -292,13 +292,7 @@ frob_token_SOURCES = trust/frob-token.c frob_token_LDADD = $(trust_LIBS) frob_token_CFLAGS = $(trust_CFLAGS) -noinst_SCRIPTS += trust/test-extract.sh trust/test-trust.sh - -if !OS_WIN32 -installcheck-local: - abs_top_builddir="$(abs_top_builddir)" $(SHELL) $(srcdir)/trust/test-extract.sh - abs_top_builddir="$(abs_top_builddir)" $(SHELL) $(srcdir)/trust/test-trust.sh -endif +post_install_tests += trust/test-extract.sh trust/test-trust.sh EXTRA_DIST += \ trust/input \ diff --git a/trust/meson.build b/trust/meson.build index 6178a7eb..f507c2dc 100644 --- a/trust/meson.build +++ b/trust/meson.build @@ -167,4 +167,23 @@ if get_option('test') libp11_test_dep] + libtasn1_deps + libffi_deps + dlopen_deps, link_with: [libtrust_testable, libtrust_data, libtrust_test]) endforeach + + if get_option('post_install_test') and host_system != 'windows' + # TODO: this cannot run under meson, as it installs a placeholder + # extract-compat script and there is no way to replace it. + # + # meson.add_install_script( + # top_source_dir / 'meson_post_install_test.sh', + # bindir, + # libdir, + # find_program('test-extract.sh'), + # ) + + meson.add_install_script( + top_source_dir / 'meson_post_install_test.sh', + bindir, + libdir, + find_program('test-trust.sh'), + ) + endif endif diff --git a/trust/test-extract.sh b/trust/test-extract.sh old mode 100644 new mode 100755 index 14aafce3..82102cdc --- a/trust/test-extract.sh +++ b/trust/test-extract.sh @@ -29,6 +29,11 @@ openssl_quiet() setup() { + if [ -z "$with_trust_paths" ]; then + skip "with_trust_paths is empty" + return + fi + # Parse the trust paths oldifs="$IFS" IFS=: diff --git a/trust/test-trust.sh b/trust/test-trust.sh old mode 100644 new mode 100755
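Review bot: The commented-out `meson.add_install_script(… 'test-extract.sh')` block in the new `post_install_test` branch of trust/meson.build is dead code kept alive by a TODO; the sentence is the useful part, so keep `# TODO: test-extract.sh cannot run under meson: the install puts a placeholder extract-compat script in place and there is no way to replace it.` and drop the six commented call lines. The autotools side still runs test-extract.sh through `post_install_tests` while meson does not, so the two post-install test sets now differ — worth stating in that same TODO.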
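Review bot: The new `skip` guard in `setup()` of trust/test-extract.sh tests `$with_trust_paths`, but nothing in this commit exports that variable to the post-install run: the top-level `installcheck-local` loop passes only `abs_top_builddir`, and meson_post_install_test.sh exports PATH, LD_LIBRARY_PATH, PKG_CONFIG_PATH, abs_top_builddir and abs_top_srcdir. If `with_trust_paths` is meant to come from the environment, the test will now always skip under installcheck, which silently removes coverage rather than failing; if it is set earlier in the script (outside this hunk), a comment on the guard saying where it comes from would settle the question, e.g. `# with_trust_paths is set by <origin — confirm>; empty means no trust paths were configured, so there is nothing to extract`.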