source: mod_gnutls/test/softhsm.bash @ d92899e

Last change on this file since d92899e was 3f00958, checked in by Thomas Klute <thomas2.klute@…>, 5 years ago

New test case: PKCS #11 URLs for server key and certificate

The new test case checks if the server can access its key and
certificate using PKCS #11 URLs. SoftHSM (v1 only for now) is used to
provide the PKCS #11 token. If SoftHSM is not available, the test case
is skipped.

#!/bin/bash

3# Initialize the SoftHSM token with the given label
4function init_token
5{
6    local token_label="${1}"
7
8    ${softhsm} --init-token --slot 0 --label "${token_label}" \
9        --so-pin "${so_pin}" --pin "${GNUTLS_PIN}"
10}
12# Put a private key into the token with the given label
13function store_privkey
14{
15    local token="${1}"
16    local keyfile="${2}"
17    local label="${3}"
18
19    p11tool --provider=${softhsm_lib} --login --write --label "${label}" \
20            --load-privkey "${keyfile}" "${token}"
21}
23# Put a certificate into the token with the given label
24function store_cert
25{
26    local token="${1}"
27    local certfile="${2}"
28    local label="${3}"
29
30    p11tool --provider=${softhsm_lib} --login --write --no-mark-private \
31            --label "${label}" --load-certificate "${certfile}" "${token}"
32}
34# Get the URL of the SoftHSM token
35function get_token_url
36{
37    local label="${1}"
38    p11tool --provider=${softhsm_lib} --list-tokens | \
39        grep -o -P "(?<=URL:\s)(.*token=${label}.*)$"
40}
42# Get the PKCS #11 URL for the object with the given name
43# Usage: get_object_url TOKEN OBJECTNAME
44function get_object_url
45{
46    p11tool --provider=${softhsm_lib} --list-all --login "${1}" | \
47        grep -o -P "(?<=URL:\s)(.*object=${2}.*)$"
48}
50# Initialize the token and store the given key and certificate
51# Usage: prepare_token TOKEN_LABEL PRIVKEY CERTIFICATE
52function prepare_token
53{
54    local token_label="${1}"
55    local privkey="${2}"
56    local certificate="${3}"
57
58    init_token "${token_label}"
59    token=$(get_token_url ${token_label})
60    store_privkey "${token}" "${privkey}" "${key_label}"
61    store_cert "${token}" "${certificate}" "${cert_label}"
62}
66# try to find SoftHSM
67softhsm="$(which softhsm)"
68
69case "${1}" in
70    (init)
71        init="true"
72        # If SoftHSM is not available, there's nothing to init. Just
73        # exit.
74        if [ -z "${softhsm}" ]; then
75            echo "SoftHSM not found, PKCS #11 test(s) will be skipped."
76            exit 0
77        fi
78        ;;
79    (*)
80        # Skip the test case if SoftHSM is not available.
81        if [ -z "${softhsm}" ]; then
82            echo "SoftHSM not found, skipping test."
83            exit 77
84        fi
85        ;;
86esac
87
88set -e
89
90# Guess location of libsofthsm based on softhsm binary. The path
91# matches SoftHSM upstream, but this might fail if someone changes the
92# libdir or bindir of the SoftHSM installation independently of its
93# general prefix.
94softhsm_prefix="$(realpath $(dirname ${softhsm})/..)"
95softhsm_lib="${softhsm_prefix}/lib/softhsm/libsofthsm.so"
96
97# provided SOFTHSM_CONF always takes precedence, otherwise try to
98# guess based on testdir
99if [ -z "${SOFTHSM_CONF}" ]; then
100    if [ -n "${testdir}" ]; then
101        export SOFTHSM_CONF="$(realpath ${testdir}/softhsm.conf)"
102    else
103        echo "ERROR: Neither SOFTHSM_CONF nor testdir set!" 2>&1
104        exit 1
105    fi
106else
107    export SOFTHSM_CONF
108fi
109echo "using SOFTHSM_CONF=\"${SOFTHSM_CONF}\""
110
111# variables for token configuration
112token_label="mod_gnutls-test"
113so_pin="123456"
114export GNUTLS_PIN="1234"
115key_label="privkey"
116cert_label="certificate"
117
118# The Apache/SoftHSM configuration mixes up directories, so generate
119# softhsm.conf with an absolute path to the token database if a
120# template is present. Generating it on every run avoids problems if
121# the source tree was moved.
122if [ -e "${SOFTHSM_CONF}.in" ]; then
123    cat "${SOFTHSM_CONF}.in" | sed "s,__DIR__,$(realpath $(dirname ${SOFTHSM_CONF}))," \
124        >"${SOFTHSM_CONF}"
125fi
126
127if [ "${init}" = "true" ]; then
128    prepare_token "${token_label}" "${2}" "${3}"
129    exit 0
130fi
131
132token=$(get_token_url ${token_label})
133
134# environment variables for the Apache configuration
135export P11_KEY_URL="$(get_object_url ${token} ${key_label})"
136export P11_CERT_URL="$(get_object_url ${token} ${cert_label})"
137export P11_PIN="${GNUTLS_PIN}"