diff options
Diffstat (limited to 'tests')
-rw-r--r-- | tests/Makefile.am | 4 | ||||
-rw-r--r--[-rwxr-xr-x] | tests/destructive/p11-kit-load.sh | 71 | ||||
-rwxr-xr-x | tests/p11-kit-load.sh | 181 | ||||
-rw-r--r-- | tests/pkcs11/list-tokens.c | 19 |
4 files changed, 232 insertions, 43 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am index 27d971232b..755743e253 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -388,9 +388,9 @@ dist_check_SCRIPTS += gnutls-cli-self-signed.sh if ENABLE_PKCS11 dist_check_SCRIPTS += p11-kit-trust.sh -if ENABLE_DESTRUCTIVE_TESTS if HAVE_PKCS11_TRUST_STORE -dist_check_SCRIPTS += destructive/p11-kit-load.sh +if P11KIT_0_23_10_API +dist_check_SCRIPTS += p11-kit-load.sh indirect_tests += pkcs11/list-tokens endif endif diff --git a/tests/destructive/p11-kit-load.sh b/tests/destructive/p11-kit-load.sh index d961aa55be..8f3bff80f5 100755..100644 --- a/tests/destructive/p11-kit-load.sh +++ b/tests/destructive/p11-kit-load.sh @@ -25,8 +25,8 @@ P11TOOL="${P11TOOL:-../src/p11tool${EXEEXT}}" CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}" DIFF="${DIFF:-diff}" PKGCONFIG="${PKG_CONFIG:-$(which pkg-config)}" -TMPDIR="backup.$$.tmp" TMP_SOFTHSM_DIR="./softhsm-load.$$.tmp" +P11DIR="p11-kit-conf.$$.tmp" PIN=1234 PUK=1234 @@ -65,22 +65,14 @@ fi # Create pkcs11.conf with two modules, a trusted (p11-kit-trust) # and softhsm (not trusted) -DIR=$(${PKGCONFIG} --var=p11_system_config_modules p11-kit-1) -if test $? != 0 || test -z ${DIR} || test ${DIR} = '/';then - echo "Cannot determine p11-kit module config directory" - exit 1 -fi - -mkdir -p ${TMPDIR} -cp ${DIR}/* ${TMPDIR} -rm -f ${DIR}/* +mkdir -p ${P11DIR} -cat <<_EOF_ >${DIR}/p11-kit-trust.module +cat <<_EOF_ >${P11DIR}/p11-kit-trust.module module: p11-kit-trust.so trust-policy: yes _EOF_ -cat <<_EOF_ >${DIR}/softhsm.module +cat <<_EOF_ >${P11DIR}/softhsm.module module: libsofthsm2.so _EOF_ @@ -98,93 +90,96 @@ if test $? != 0; then exit 1 fi +FILTERTOKEN="sed s/token=.*//g" -# Check whether p11tool would list them both +# Check whether both are listed -nr=$(${P11TOOL} --list-tokens|grep 'Module:'|sort -u|wc -l) +nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -a|${FILTERTOKEN}|sort -u|wc -l) +#nr=$(${P11TOOL} --list-tokens|grep 'Module:'|sort -u|wc -l) if test "$nr" != 2;then echo "Error: did not find 2 modules ($nr)" - ${P11TOOL} --list-tokens|grep 'Module:'|sort|uniq + ${builddir}/pkcs11/list-tokens -o ${P11DIR} exit 1 fi -# Check whether p11tool with a specific provider would list only that -# That is, check whether p11tool will list the trust module -# if we only load softhsm (it should as trust modules -# are always loaded).ould list them both +## Check whether p11tool with a specific provider would list only that +## That is, check whether p11tool will list the trust module +## if we only load softhsm (it should as trust modules +## are always loaded).ould list them both + -nr=$(${P11TOOL} --provider "${SOFTHSM_MODULE}" --list-tokens|grep -c ^Token) +#nr=$(${P11TOOL} --provider "${SOFTHSM_MODULE}" --list-tokens|grep -c ^Token) +nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -s "${SOFTHSM_MODULE}"|${FILTERTOKEN}|sort -u|wc -l) if test "$nr" != 1;then echo "Error: did not find softhsm modules" - ${P11TOOL} --list-tokens --provider "${SOFTHSM_MODULE}" + ${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -s "${SOFTHSM_MODULE}" exit 1 fi -FILTERTOKEN="sed s/token=.*//g" # Check whether both modules are found when gnutls_pkcs11_init # is not called but a pkcs11 operation is called. -nr=$(${builddir}/pkcs11/list-tokens -d|${FILTERTOKEN}|sort -u|wc -l) +nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -d|${FILTERTOKEN}|sort -u|wc -l) if test "$nr" != 2;then echo "Error in test 1: did not find 2 modules" - ${builddir}/pkcs11/list-tokens -d + ${builddir}/pkcs11/list-tokens -o ${P11DIR} -d exit 1 fi # Check whether both modules are found when gnutls_pkcs11_init # is called with the auto flag -nr=$(${builddir}/pkcs11/list-tokens -a|${FILTERTOKEN}|sort -u|wc -l) +nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -a|${FILTERTOKEN}|sort -u|wc -l) if test "$nr" != 2;then echo "Error in test 2: did not find 2 modules" - ${builddir}/pkcs11/list-tokens -a + ${builddir}/pkcs11/list-tokens -o ${P11DIR} -a exit 1 fi # Check whether only trusted modules are listed when the # trusted flag is given to gnutls_pkcs11_init(). -nr=$(${builddir}/pkcs11/list-tokens -t|${FILTERTOKEN}|sort -u|wc -l) +nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -t|${FILTERTOKEN}|sort -u|wc -l) if test "$nr" != 1;then echo "Error in test 3: did not find the trusted module" - ${builddir}/pkcs11/list-tokens -t + ${builddir}/pkcs11/list-tokens -o ${P11DIR} -t exit 1 fi # Check whether only trusted is listed after certificate verification # is performed. -nr=$(${builddir}/pkcs11/list-tokens -v|${FILTERTOKEN}|sort -u|wc -l) +nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -v|${FILTERTOKEN}|sort -u|wc -l) if test "$nr" != 1;then echo "Error in test 4: did not find 1 module" - ${builddir}/pkcs11/list-tokens -v + echo xxx + GNUTLS_DEBUG_LEVEL=4 P11_KIT_DEBUG=all ${builddir}/pkcs11/list-tokens -o ${P11DIR} -v exit 1 fi # Check whether only trusted is listed when gnutls_pkcs11_init # is called with manual flag and a certificate verification is performed. -nr=$(${builddir}/pkcs11/list-tokens -m -v|${FILTERTOKEN}|sort -u|wc -l) +nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -v|${FILTERTOKEN}|sort -u|wc -l) if test "$nr" != 1;then echo "Error in test 5: did not find 1 module" - ${builddir}/pkcs11/list-tokens -m -v + ${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -v exit 1 fi # Check whether all modules are listed after certificate verification # is performed then a PKCS#11 function is called. -nr=$(${builddir}/pkcs11/list-tokens -v -d|${FILTERTOKEN}|sort -u|wc -l) +nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -v -d|${FILTERTOKEN}|sort -u|wc -l) if test "$nr" != 2;then echo "Error in test 6: did not find all modules" - ${builddir}/pkcs11/list-tokens -v -d + ${builddir}/pkcs11/list-tokens -o ${P11DIR} -v -d exit 1 fi # Check whether all modules are listed after a private key operation. -nr=$(${builddir}/pkcs11/list-tokens -p|${FILTERTOKEN}|sort -u|wc -l) +nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -p|${FILTERTOKEN}|sort -u|wc -l) if test "$nr" != 2;then echo "Error in test 7: did not find all modules" - ${builddir}/pkcs11/list-tokens -p + ${builddir}/pkcs11/list-tokens -o ${P11DIR} -p exit 1 fi -rm -f ${DIR}/* +rm -f ${P11DIR}/* rm -rf ${TMP_SOFTHSM_DIR} -cp ${TMPDIR}/* ${DIR}/ exit 0 diff --git a/tests/p11-kit-load.sh b/tests/p11-kit-load.sh new file mode 100755 index 0000000000..2a306fa886 --- /dev/null +++ b/tests/p11-kit-load.sh @@ -0,0 +1,181 @@ +#!/bin/sh + +# Copyright (C) 2017 Red Hat, Inc. +# +# This file is part of p11-kit. +# +# p11-kit is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# p11-kit is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/> + +#set -e + +srcdir="${srcdir:-.}" +builddir="${builddir:-.}" +CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}" +DIFF="${DIFF:-diff}" +PKGCONFIG="${PKG_CONFIG:-$(which pkg-config)}" +TMP_SOFTHSM_DIR="./softhsm-load.$$.tmp" +P11DIR="p11-kit-conf.$$.tmp" +PIN=1234 +PUK=1234 + +for lib in ${libdir} ${libdir}/pkcs11 /usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/;do + if test -f "${lib}/p11-kit-trust.so"; then + TRUST_MODULE="${lib}/p11-kit-trust.so" + echo "located ${MODULE}" + break + fi +done + +for lib in ${libdir} ${libdir}/pkcs11 /usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/ /usr/lib/softhsm/;do + if test -f "${lib}/libsofthsm2.so"; then + SOFTHSM_MODULE="${lib}/libsofthsm2.so" + echo "located ${MODULE}" + break + fi +done + +${PKGCONFIG} --version >/dev/null || exit 77 + +${PKGCONFIG} --atleast-version=0.23.10 p11-kit-1 +if test $? != 0;then + echo p11-kit 0.23.10 is required + exit 77 +fi + +if ! test -f "${TRUST_MODULE}"; then + echo "p11-kit trust module was not found" + exit 77 +fi + +if ! test -f "${SOFTHSM_MODULE}"; then + echo "softhsm module was not found" + exit 77 +fi + +# Create pkcs11.conf with two modules, a trusted (p11-kit-trust) +# and softhsm (not trusted) +mkdir -p ${P11DIR} + +cat <<_EOF_ >${P11DIR}/p11-kit-trust.module +module: p11-kit-trust.so +trust-policy: yes +_EOF_ + +cat <<_EOF_ >${P11DIR}/softhsm.module +module: libsofthsm2.so +_EOF_ + +# Setup softhsm +rm -rf ${TMP_SOFTHSM_DIR} +mkdir -p ${TMP_SOFTHSM_DIR} +SOFTHSM2_CONF=${TMP_SOFTHSM_DIR}/conf +export SOFTHSM2_CONF +echo "objectstore.backend = file" > "${SOFTHSM2_CONF}" +echo "directories.tokendir = ${TMP_SOFTHSM_DIR}" >> "${SOFTHSM2_CONF}" + +softhsm2-util --init-token --slot 0 --label "GnuTLS-Test" --so-pin "${PUK}" --pin "${PIN}" >/dev/null #2>&1 +if test $? != 0; then + echo "failed to initialize softhsm" + exit 1 +fi + +FILTERTOKEN="sed s/token=.*//g" + +# Check whether both are listed + +nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -a|${FILTERTOKEN}|sort -u|wc -l) +#nr=$(${P11TOOL} --list-tokens|grep 'Module:'|sort -u|wc -l) +if test "$nr" != 2;then + echo "Error: did not find 2 modules ($nr)" + ${builddir}/pkcs11/list-tokens -o ${P11DIR} + exit 1 +fi + +# Check whether whether list-tokens will list the trust module +# if we only load softhsm. It shouldn't as we only load the +# trust module when needed (e.g., verification). + +nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -s "${SOFTHSM_MODULE}"|${FILTERTOKEN}|sort -u|wc -l) +if test "$nr" != 1;then + echo "Error: did not find softhsm module" + ${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -s "${SOFTHSM_MODULE}" + exit 1 +fi + +# Check whether both modules are found when gnutls_pkcs11_init +# is not called but a pkcs11 operation is called. +nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -d|${FILTERTOKEN}|sort -u|wc -l) +if test "$nr" != 2;then + echo "Error in test 1: did not find 2 modules" + ${builddir}/pkcs11/list-tokens -o ${P11DIR} -d + exit 1 +fi + +# Check whether both modules are found when gnutls_pkcs11_init +# is called with the auto flag +nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -a|${FILTERTOKEN}|sort -u|wc -l) +if test "$nr" != 2;then + echo "Error in test 2: did not find 2 modules" + ${builddir}/pkcs11/list-tokens -o ${P11DIR} -a + exit 1 +fi + +# Check whether only trusted modules are listed when the +# trusted flag is given to gnutls_pkcs11_init(). +nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -t|${FILTERTOKEN}|sort -u|wc -l) +if test "$nr" != 1;then + echo "Error in test 3: did not find the trusted module" + ${builddir}/pkcs11/list-tokens -o ${P11DIR} -t + exit 1 +fi + +# Check whether only trusted is listed after certificate verification +# is performed. +nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -v|${FILTERTOKEN}|sort -u|wc -l) +if test "$nr" != 1;then + echo "Error in test 4: did not find 1 module" + ${builddir}/pkcs11/list-tokens -o ${P11DIR} -v + exit 1 +fi + +# Check whether only trusted is listed when gnutls_pkcs11_init +# is called with manual flag and a certificate verification is performed. +nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -v|${FILTERTOKEN}|sort -u|wc -l) +if test "$nr" != 1;then + echo "Error in test 5: did not find 1 module" + ${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -v + exit 1 +fi + +# Check whether all modules are listed after certificate verification +# is performed then a PKCS#11 function is called. +nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -v -d|${FILTERTOKEN}|sort -u|wc -l) +if test "$nr" != 2;then + echo "Error in test 6: did not find all modules" + ${builddir}/pkcs11/list-tokens -o ${P11DIR} -v -d + exit 1 +fi + +# Check whether all modules are listed after a private key operation. +nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -p|${FILTERTOKEN}|sort -u|wc -l) +if test "$nr" != 2;then + echo "Error in test 7: did not find all modules" + ${builddir}/pkcs11/list-tokens -o ${P11DIR} -p + exit 1 +fi + +rm -f ${P11DIR}/* +rm -rf ${TMP_SOFTHSM_DIR} + +exit 0 diff --git a/tests/pkcs11/list-tokens.c b/tests/pkcs11/list-tokens.c index cc4326d901..2bfe65c836 100644 --- a/tests/pkcs11/list-tokens.c +++ b/tests/pkcs11/list-tokens.c @@ -35,6 +35,8 @@ #include <gnutls/abstract.h> #include <getopt.h> #include <assert.h> +#define P11_KIT_FUTURE_UNSTABLE_API +#include <p11-kit/p11-kit.h> #include "cert-common.h" /* lists the registered PKCS#11 modules by p11-kit. @@ -55,12 +57,11 @@ int main(int argc, char **argv) int ret; unsigned i; int opt; - char *url; + char *url, *mod; gnutls_x509_trust_list_t tl; gnutls_x509_crt_t crt; gnutls_pkcs11_privkey_t key; unsigned flag = 1; - unsigned private = 0; unsigned int status; ret = gnutls_global_init(); @@ -72,8 +73,12 @@ int main(int argc, char **argv) gnutls_global_set_log_function(tls_log_func); //gnutls_global_set_log_level(4711); - while((opt = getopt(argc, argv, "mvatdp")) != -1) { + while((opt = getopt(argc, argv, "s:o:mvatdp")) != -1) { switch(opt) { + case 'o': + mod = strdup(optarg); + p11_kit_override_system_files(NULL, NULL, mod, mod, NULL); + break; case 'm': /* initialize manually - i.e., do no module loading */ ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL); @@ -82,6 +87,14 @@ int main(int argc, char **argv) exit(1); } break; + case 's': + /* load module */ + ret = gnutls_pkcs11_add_provider(optarg, NULL); + if (ret != 0) { + fprintf(stderr, "error at %d: %s\n", __LINE__, gnutls_strerror(ret)); + exit(1); + } + break; case 'd': /* when call _gnutls_pkcs11_token_get_url() do proper initialization * if none done */ |