From: Stefan Berger <stefanb@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH v4 8/9] tests: Extend sign_verify test with pkcs11-specific test
Date: Mon, 13 Sep 2021 18:18:12 -0400 [thread overview]
Message-ID: <20210913221813.2554880-9-stefanb@linux.ibm.com> (raw)
In-Reply-To: <20210913221813.2554880-1-stefanb@linux.ibm.com>
Extend the sign_verify test with a pkcs11-specific test.
Since the openssl command line tool now needs to use a key provided by
an engine, extend some command lines with the additional parameters
'-keyform engine'. These parameters are passed using the global variable
OPENSSL_KEYFORM, which is only set when pkcs11 URIs are used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
tests/functions.sh | 45 ++++++++++++++++++++++++++++++++++--
tests/ima_hash.test | 2 +-
tests/sign_verify.test | 52 ++++++++++++++++++++++++++++++------------
3 files changed, 82 insertions(+), 17 deletions(-)
diff --git a/tests/functions.sh b/tests/functions.sh
index 91cd5d9..8f6f02d 100755
--- a/tests/functions.sh
+++ b/tests/functions.sh
@@ -248,8 +248,12 @@ _enable_gost_engine() {
}
# Show test stats and exit into automake test system
-# with proper exit code (same as ours).
-_report_exit() {
+# with proper exit code (same as ours). Do cleanups.
+_report_exit_and_cleanup() {
+ if [ -n "${WORKDIR}" ]; then
+ rm -rf "${WORKDIR}"
+ fi
+
if [ $testsfail -gt 0 ]; then
echo "================================="
echo " Run with FAILEARLY=1 $0 $*"
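Review bot: The new `rm -rf "${WORKDIR}"` in _report_exit_and_cleanup deletes whatever WORKDIR names at exit, and because this trap is installed by every test that sources functions.sh (ima_hash.test switches to it in this same series) while only sign_verify.test assigns WORKDIR, a variable of that common name inherited from the caller's environment would be removed by tests that never created it. Initialising the variable in the shared file, `WORKDIR=` before any trap is armed, or using a less generic name such as an EVMTEST-prefixed one, keeps the cleanup limited to directories the test suite itself created. The rest of the function's body lies outside this hunk.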
@@ -272,3 +276,40 @@ _report_exit() {
fi
}
+# Setup SoftHSM for local testing by calling the softhsm_setup script.
+# Use the provided workdir as the directory where SoftHSM will store its state
+# into.
+# Upon successfully setting up SoftHSM, this function sets the global variables
+# OPENSSL_ENGINE and OPENSSL_KEYFORM so that the openssl command line tool can
+# use SoftHSM. Also the PKCS11_KEYURI global variable is set to the test key's
+# pkcs11 URI.
+_softhsm_setup() {
+ local workdir="$1"
+
+ local msg
+
+ export SOFTHSM_SETUP_CONFIGDIR="${workdir}/softhsm"
+ export SOFTHSM2_CONF="${workdir}/softhsm/softhsm2.conf"
+
+ mkdir -p "${SOFTHSM_SETUP_CONFIGDIR}"
+
+ msg=$(./softhsm_setup setup 2>&1)
+ if [ $? -eq 0 ]; then
+ echo "softhsm_setup setup succeeded: $msg"
+ PKCS11_KEYURI=$(echo $msg | sed -n 's|^keyuri: \(.*\)|\1|p')
+
+ export EVMCTL_ENGINE="--engine pkcs11"
+ export OPENSSL_ENGINE="-engine pkcs11"
+ export OPENSSL_KEYFORM="-keyform engine"
+ else
+ echo "softhsm_setup setup failed: ${msg}"
+ fi
+}
+
+# Tear down the SoftHSM setup and clean up the environment
+_softhsm_teardown() {
+ ./softhsm_setup teardown &>/dev/null
+ rm -rf "${SOFTHSM_SETUP_CONFIGDIR}"
+ unset SOFTHSM_SETUP_CONFIGDIR SOFTHSM2_CONF PKCS11_KEYURI \
+ EVMCTL_ENGINE OPENSSL_ENGINE OPENSSL_KEYFORM
+}
\ No newline at end of file
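Review bot: `PKCS11_KEYURI=$(echo $msg | sed -n ...)` expands $msg unquoted, which collapses a multi-line setup transcript onto one line, so the `^keyuri:` anchor only matches when that token is the very first word of the output; a quoted form keeps the line structure: `PKCS11_KEYURI=$(printf '%s\n' "$msg" | sed -n 's|^keyuri: \(.*\)|\1|p')`. The success branch also echoes the entire softhsm_setup output; if that script prints the token PIN, it ends up in the test log — worth confirming against softhsm_setup, which is not in this patch. Note too that _softhsm_teardown declares no parameter although sign_verify.test calls it with "${WORKDIR}"; either drop the argument at the call site or make teardown take the workdir the way _softhsm_setup does.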
diff --git a/tests/ima_hash.test b/tests/ima_hash.test
index 6e0e463..e88fd59 100755
--- a/tests/ima_hash.test
+++ b/tests/ima_hash.test
@@ -20,7 +20,7 @@ PATH=../src:$PATH
source ./functions.sh
_require evmctl openssl getfattr
-trap _report_exit EXIT
+trap _report_exit_and_cleanup EXIT
set -f # disable globbing
check() {
diff --git a/tests/sign_verify.test b/tests/sign_verify.test
index 3b42eec..c56290a 100755
--- a/tests/sign_verify.test
+++ b/tests/sign_verify.test
@@ -28,7 +28,8 @@ fi
./gen-keys.sh >/dev/null 2>&1
-trap _report_exit EXIT
+trap _report_exit_and_cleanup EXIT
+WORKDIR=$(mktemp -d)
set -f # disable globbing
# Determine keyid from a cert
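Review bot: `WORKDIR=$(mktemp -d)` does not check for failure, so when mktemp fails WORKDIR is empty and the later `_softhsm_setup "${WORKDIR}"` would run `mkdir -p /softhsm` and point SOFTHSM2_CONF at the filesystem root. Since the EXIT trap is already armed on the line above, aborting is safe: `WORKDIR=$(mktemp -d) || { echo "mktemp -d failed" >&2; exit 1; }`.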
@@ -132,11 +133,16 @@ check_sign() {
# OPTS (additional options for evmctl),
# FILE (working file to sign).
local "$@"
- local KEY=${KEY%.*}.key
+ local key verifykey
local FILE=${FILE:-$ALG.txt}
- # Normalize key filename
- KEY=test-${KEY#test-}
+ # Normalize key filename if it's not a pkcs11 URI
+ if [ ${KEY:0:7} != pkcs11: ]; then
+ key=${KEY%.*}.key
+ key=test-${key#test-}
+ else
+ key=${KEY}
+ fi
# Append suffix to files for negative tests, because we may
# leave only good files for verify tests.
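Review bot: `if [ ${KEY:0:7} != pkcs11: ]; then` leaves the expansion unquoted, so an empty or unset KEY produces a `[: !=: unary operator expected` error instead of the normalisation path, and it is inconsistent with the quoted `"${key:0:7}"` used for the same test later in check_sign; write `if [ "${KEY:0:7}" != pkcs11: ]; then`. The pkcs11-prefix test now appears three times in this function (here, in the key-file existence check and in the verify-key selection), so a one-line helper such as `_is_pkcs11_uri() { [ "${1:0:7}" = pkcs11: ]; }` in functions.sh would keep them in step. check_sign begins before this hunk.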
@@ -152,33 +158,33 @@ check_sign() {
if _test_expected_to_pass; then
# Can openssl work with this digest?
- cmd="openssl dgst $OPENSSL_ENGINE -$ALG $FILE"
+ cmd="openssl dgst $OPENSSL_ENGINE $OPENSSL_KEYFORM -$ALG $FILE"
echo - "$cmd"
if ! $cmd >/dev/null; then
- echo "${CYAN}$ALG ($KEY) test is skipped (openssl is unable to digest)$NORM"
+ echo "${CYAN}$ALG ($key) test is skipped (openssl is unable to digest)$NORM"
return "$SKIP"
fi
- if [ ! -e "$KEY" ]; then
- echo "${CYAN}$ALG ($KEY) test is skipped (key file not found)$NORM"
+ if [ "${key:0:7}" != pkcs11: ] && [ ! -e "$key" ]; then
+ echo "${CYAN}$ALG ($key) test is skipped (key file not found)$NORM"
return "$SKIP"
fi
# Can openssl sign with this digest and key?
- cmd="openssl dgst $OPENSSL_ENGINE -$ALG -sign $KEY -hex $FILE"
+ cmd="openssl dgst $OPENSSL_ENGINE $OPENSSL_KEYFORM -$ALG -sign $key -hex $FILE"
echo - "$cmd"
if ! $cmd >/dev/null; then
- echo "${CYAN}$ALG ($KEY) test is skipped (openssl is unable to sign)$NORM"
+ echo "${CYAN}$ALG ($key) test is skipped (openssl is unable to sign)$NORM"
return "$SKIP"
fi
fi
# Insert keyid from cert into PREFIX in-place of marker `:K:'
if [[ $PREFIX =~ :K: ]]; then
- keyid=$(_keyid_from_cert "$KEY")
+ keyid=$(_keyid_from_cert "$key")
if [ $? -ne 0 ]; then
color_red
- echo "Unable to determine keyid for $KEY"
+ echo "Unable to determine keyid for $key"
color_restore
return "$HARDFAIL"
fi
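Review bot: The keyid lookup `keyid=$(_keyid_from_cert "$key")` now receives the pkcs11 URI verbatim whenever PREFIX contains the `:K:` marker, while the existence check just above it is the only place that special-cases pkcs11 keys. The new pkcs11 cases in this patch use literal PREFIX values without `:K:`, so the path is not exercised; if _keyid_from_cert (defined outside this hunk) reads a certificate file, a future pkcs11 case with `:K:` would fail as "Unable to determine keyid". A comment at the marker check, `# keyid lookup reads a cert file; pkcs11: URIs must use a literal PREFIX`, or an explicit `return "$SKIP"` for that combination would make the limitation visible. check_sign begins before and continues after this hunk.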
@@ -187,7 +193,7 @@ check_sign() {
fi
# Perform signing by evmctl
- _evmctl_sign "$TYPE" "$KEY" "$ALG" "$FILE" "$OPTS" || return
+ _evmctl_sign "$TYPE" "$key" "$ALG" "$FILE" "$OPTS" || return
# First simple pattern match the signature.
ADD_TEXT_FOR=$ALG \
@@ -207,7 +213,13 @@ check_sign() {
_extract_xattr "$FILE" "$(_xattr "$TYPE")" "$FILE.sig2" "$PREFIX"
# Verify extracted signature with openssl
- cmd="openssl dgst $OPENSSL_ENGINE -$ALG -verify ${KEY%.*}.pub \
+ if [ "${key:0:7}" != pkcs11: ]; then
+ verifykey=${key%.*}.pub
+ else
+ verifykey=${key}
+ fi
+
+ cmd="openssl dgst $OPENSSL_ENGINE $OPENSSL_KEYFORM -$ALG -verify ${verifykey} \
-signature $FILE.sig2 $FILE"
echo - "$cmd"
if ! $cmd; then
@@ -413,3 +425,15 @@ expect_fail \
expect_fail \
check_sign TYPE=ima KEY=gost2012_256-B ALG=md_gost12_512 PREFIX=0x0302 OPTS=
+# Test signing with key described by pkcs11 URI
+_softhsm_setup "${WORKDIR}"
+if [ -n "${PKCS11_KEYURI}" ]; then
+ expect_pass check_sign FILE=pkcs11test TYPE=ima KEY=${PKCS11_KEYURI} ALG=sha256 PREFIX=0x030204aabbccdd0100 OPTS=--keyid=aabbccdd
+ expect_pass check_sign FILE=pkcs11test TYPE=ima KEY=${PKCS11_KEYURI} ALG=sha1 PREFIX=0x030202aabbccdd0100 OPTS=--keyid=aabbccdd
+else
+ # to have a constant number of tests, skip these two tests
+ __skip() { echo "pkcs11 test is skipped: could not setup softhsm"; return $SKIP; }
+ expect_pass __skip
+ expect_pass __skip
+fi
+_softhsm_teardown "${WORKDIR}"
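Review bot: `_softhsm_teardown "${WORKDIR}"` passes an argument that the function added in functions.sh never reads — it cleans up via SOFTHSM_SETUP_CONFIGDIR instead — so either drop the argument here or give teardown the same workdir parameter as _softhsm_setup. The `KEY=${PKCS11_KEYURI}` arguments are unquoted; with `set -f` in effect globbing is off, but a URI containing whitespace would still be split before check_sign's `local "$@"`, so `KEY="${PKCS11_KEYURI}"` is the safer form. Only two cases are added, which is fine, but it may be worth confirming that the sha1 case is still expected to pass on builds where the pkcs11 engine rejects that digest, since a failure there would not be a skip.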
--
2.31.1