[pkg-opensc-commit] [libp11] 207/239: tests: added check for operation under fork

Eric Dorland eric at moszumanska.debian.org
Sat Oct 17 06:21:34 UTC 2015



eric pushed a commit to branch master
in repository libp11.

commit 9ead9b569b45e2704bc49ae6fdbc8ad34d3b933c
Author: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date:   Fri Jul 17 10:32:08 2015 +0200

    tests: added check for operation under fork
    
    Unfortunately this test is not very reliable, because it runs against
    softhsm, and softhsm has no issues operating after fork().
---
 tests/Makefile.am                       |   6 +-
 tests/{testpkcs11.softhsm => common.sh} |  17 +--
 tests/fork-test.c                       | 225 ++++++++++++++++++++++++++++++++
 tests/testfork.softhsm                  |  32 +++++
 tests/testpkcs11.softhsm                |  80 +-----------
 5 files changed, 265 insertions(+), 95 deletions(-)

diff --git a/tests/Makefile.am b/tests/Makefile.am
index 376907e..123dc65 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -1,4 +1,4 @@
-EXTRA_DIST = cert.der key.der
+EXTRA_DIST = cert.der key.der common.sh
 
 AM_CFLAGS = $(OPENSSL_CFLAGS)
 AM_CPPFLAGS = \
@@ -10,8 +10,8 @@ LDADD = ../src/libp11.la $(OPENSSL_LIBS)
 
 auth_SOURCES = ../examples/auth.c
 
-check_PROGRAMS = auth
-dist_check_SCRIPTS = testpkcs11.softhsm
+check_PROGRAMS = auth fork-test
+dist_check_SCRIPTS = testpkcs11.softhsm testfork.softhsm
 
 TESTS = $(dist_check_SCRIPTS)
 
diff --git a/tests/testpkcs11.softhsm b/tests/common.sh
old mode 100755
new mode 100644
similarity index 90%
copy from tests/testpkcs11.softhsm
copy to tests/common.sh
index 45e1174..8fb8a14
--- a/tests/testpkcs11.softhsm
+++ b/tests/common.sh
@@ -1,10 +1,9 @@
 #!/bin/sh
 
 # Copyright (C) 2013 Nikos Mavrogiannopoulos
+# Copyright (C) 2015 Red Hat, Inc.
 #
-# This file is part of GnuTLS.
-#
-# GnuTLS is free software; you can redistribute it and/or modify it
+# This is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by the
 # Free Software Foundation; either version 3 of the License, or (at
 # your option) any later version.
@@ -18,9 +17,6 @@
 # along with GnuTLS; if not, write to the Free Software Foundation,
 # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 
-outdir="${top_builddir:-./output}"
-file_dir="${srcdir:-./}"
-
 mkdir -p $outdir
 
 if test -f /usr/lib64/pkcs11/libsofthsm2.so; then
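Review bot: With the `outdir` assignment removed from this file, `mkdir -p $outdir` now depends on every script that sources common.sh having set the variable first; if one does not, `mkdir -p` fails on a missing operand, execution continues because there is no `set -e`, and the token-directory setup copied from testpkcs11.softhsm goes on to run `rm -rf $outdir/softhsm-testpkcs11.db` against a path rooted at the current directory. Make the contract explicit and quote the expansion: `: "${outdir:?outdir must be set by the caller before sourcing common.sh}"` followed by `mkdir -p "$outdir"`. The variable is also used unquoted in the rest of this file, so a build directory containing spaces would still split it; that is outside this hunk.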
@@ -96,12 +92,3 @@ echo "***************"
 echo "Listing objects"
 echo "***************"
 pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -l -O
-
-./auth $ADDITIONAL_PARAM $PIN
-if test $? != 0;then
-	exit 1;
-fi
-
-rm -rf $outdir
-
-exit 0
diff --git a/tests/fork-test.c b/tests/fork-test.c
new file mode 100644
index 0000000..c059e08
--- /dev/null
+++ b/tests/fork-test.c
@@ -0,0 +1,225 @@
+/* libp11 example code: auth.c
+ *
+ * This examply simply connects to your smart card
+ * and does a public key authentication.
+ *
+ * Feel free to copy all of the code as needed.
+ *
+ */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <termios.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <libp11.h>
+#include <unistd.h>
+
+#define RANDOM_SOURCE "/dev/urandom"
+#define RANDOM_SIZE 20
+#define MAX_SIGSIZE 256
+
+int main(int argc, char *argv[])
+{
+	PKCS11_CTX *ctx;
+	PKCS11_SLOT *slots, *slot;
+	PKCS11_CERT *certs;
+	pid_t pid;
+	int status = 0;
+	
+	PKCS11_KEY *authkey;
+	PKCS11_CERT *authcert;
+	EVP_PKEY *pubkey = NULL;
+
+	unsigned char *random = NULL, *signature = NULL;
+
+	char password[20];
+	int rc = 0, fd;
+	unsigned int nslots, ncerts, siglen;
+
+	if (argc < 2) {
+		fprintf(stderr, "usage: auth /usr/lib/opensc-pkcs11.so [PIN]\n");
+		return 1;
+	}
+
+	ctx = PKCS11_CTX_new();
+
+	/* load pkcs #11 module */
+	rc = PKCS11_CTX_load(ctx, argv[1]);
+	if (rc) {
+		fprintf(stderr, "loading pkcs11 engine failed: %s\n",
+			ERR_reason_error_string(ERR_get_error()));
+		rc = 1;
+		goto nolib;
+	}
+
+	/* get information on all slots */
+	rc = PKCS11_enumerate_slots(ctx, &slots, &nslots);
+	if (rc < 0) {
+		fprintf(stderr, "no slots available\n");
+		rc = 2;
+		goto noslots;
+	}
+
+	/* get first slot with a token */
+	slot = PKCS11_find_token(ctx, slots, nslots);
+	if (!slot || !slot->token) {
+		fprintf(stderr, "no token available\n");
+		rc = 3;
+		goto notoken;
+	}
+	printf("Slot manufacturer......: %s\n", slot->manufacturer);
+	printf("Slot description.......: %s\n", slot->description);
+	printf("Slot token label.......: %s\n", slot->token->label);
+	printf("Slot token manufacturer: %s\n", slot->token->manufacturer);
+	printf("Slot token model.......: %s\n", slot->token->model);
+	printf("Slot token serialnr....: %s\n", slot->token->serialnr);
+
+	if (!slot->token->loginRequired)
+		goto loggedin;
+
+	/* get password */
+	if (argc > 2) {
+		strcpy(password, argv[2]);
+	} else {
+		exit(1);
+	}
+
+ loggedin:
+	/* perform pkcs #11 login */
+	rc = PKCS11_login(slot, 0, password);
+	memset(password, 0, strlen(password));
+	if (rc != 0) {
+		fprintf(stderr, "PKCS11_login failed\n");
+		goto failed;
+	}
+
+	/* get all certs */
+	rc = PKCS11_enumerate_certs(slot->token, &certs, &ncerts);
+	if (rc) {
+		fprintf(stderr, "PKCS11_enumerate_certs failed\n");
+		goto failed;
+	}
+	if (ncerts <= 0) {
+		fprintf(stderr, "no certificates found\n");
+		goto failed;
+	}
+
+	/* use the first cert */
+	authcert=&certs[0];
+
+	/* get random bytes */
+	random = malloc(RANDOM_SIZE);
+	if (!random)
+		goto failed;
+
+	fd = open(RANDOM_SOURCE, O_RDONLY);
+	if (fd < 0) {
+		fprintf(stderr, "fatal: cannot open RANDOM_SOURCE: %s\n",
+				strerror(errno));
+		goto failed;
+	}
+
+	rc = read(fd, random, RANDOM_SIZE);
+	if (rc < 0) {
+		fprintf(stderr, "fatal: read from random source failed: %s\n",
+			strerror(errno));
+		close(fd);
+		goto failed;
+	}
+
+	if (rc < RANDOM_SIZE) {
+		fprintf(stderr, "fatal: read returned less than %d<%d bytes\n",
+		       rc, RANDOM_SIZE);
+		close(fd);
+		goto failed;
+	}
+
+	close(fd);
+
+	authkey = PKCS11_find_key(authcert);
+	if (!authkey) {
+		fprintf(stderr, "no key matching certificate available\n");
+		goto failed;
+	}
+
+	/* ask for a sha1 hash of the random data, signed by the key */
+	siglen = MAX_SIGSIZE;
+	signature = malloc(MAX_SIGSIZE);
+	if (!signature)
+		goto failed;
+
+	/* Do the operation after a fork */
+	pid = fork();
+	if (pid == -1)
+		exit(5);
+
+	if (pid) {
+		waitpid(pid, &status, 0);
+		if (WIFEXITED(status))
+			return WEXITSTATUS(status);
+		return 2;
+	}
+
+	/* do the operations in child */
+	rc = PKCS11_sign(NID_sha1, random, RANDOM_SIZE, signature, &siglen,
+			 authkey);
+	if (rc != 1) {
+		fprintf(stderr, "fatal: pkcs11_sign failed\n");
+		goto failed;
+	}
+
+	/* verify the signature */
+	pubkey = X509_get_pubkey(authcert->x509);
+	if (pubkey == NULL) {
+		fprintf(stderr, "could not extract public key\n");
+		goto failed;
+	}
+
+	/* now verify the result */
+	rc = RSA_verify(NID_sha1, random, RANDOM_SIZE,
+			signature, siglen, pubkey->pkey.rsa);
+	if (rc != 1) {
+		fprintf(stderr, "fatal: RSA_verify failed\n");
+		goto failed;
+	}
+
+	if (pubkey != NULL)
+		EVP_PKEY_free(pubkey);
+
+	if (random != NULL)
+		free(random);
+	if (signature != NULL)
+		free(signature);
+
+	PKCS11_release_all_slots(ctx, slots, nslots);
+	PKCS11_CTX_unload(ctx);
+	PKCS11_CTX_free(ctx);
+
+	CRYPTO_cleanup_all_ex_data();
+	ERR_free_strings();
+	ERR_remove_state(0);
+
+	printf("authentication successfull.\n");
+	return 0;
+
+
+      failed:
+	ERR_print_errors_fp(stderr);
+      notoken:
+	PKCS11_release_all_slots(ctx, slots, nslots);
+
+      noslots:
+	PKCS11_CTX_unload(ctx);
+
+      nolib:
+	PKCS11_CTX_free(ctx);
+	
+
+	printf("authentication failed.\n");
+	return 1;
+}
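Review bot: `strcpy(password, argv[2])` copies a caller-chosen command-line argument into the fixed 20-byte `password` array with no length check, so a PIN argument of 20 or more characters overflows the stack buffer; the same array is also handed to `PKCS11_login` and `strlen` uninitialized when `loginRequired` is false, because `goto loggedin` jumps past the assignment. Initialize it with `char password[20] = "";` and replace the copy with `if (snprintf(password, sizeof password, "%s", argv[2]) >= (int)sizeof password) { fprintf(stderr, "PIN too long\n"); exit(1); }`. The later `memset(password, 0, strlen(password))` is a dead store the compiler is free to drop, which is tolerable in a test program but worth a comment so it is not copied into production code. `errno`, `malloc`, `free` and `exit` are used without `<errno.h>` or `<stdlib.h>` being included directly, so the build presumably relies on libp11.h pulling them in transitively. The file header still says `libp11 example code: auth.c` and should describe the fork test instead.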
diff --git a/tests/testfork.softhsm b/tests/testfork.softhsm
new file mode 100755
index 0000000..5d463be
--- /dev/null
+++ b/tests/testfork.softhsm
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+# Copyright (C) 2013 Nikos Mavrogiannopoulos
+# Copyright (C) 2015 Red Hat, Inc.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+outdir="${srcdir}/output.$$"
+file_dir="${srcdir:-./}"
+
+. ${srcdir}/common.sh
+
+./fork-test $ADDITIONAL_PARAM $PIN
+if test $? != 0;then
+	exit 1;
+fi
+
+rm -rf "$outdir"
+
+exit 0
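Review bot: `outdir="${srcdir}/output.$$"` and `. ${srcdir}/common.sh` give `srcdir` no default, unlike `file_dir="${srcdir:-./}"` on the very next line, so running the script by hand outside `make check` sources `/common.sh` and tries to create and later `rm -rf` `/output.<pid>`. Add `srcdir="${srcdir:-.}"` as the first assignment and quote the source line, `. "${srcdir}/common.sh"`. Placing the output directory under the source tree rather than the build tree (the removed default was `${top_builddir:-./output}`) will also fail on a read-only source directory such as the one `make distcheck` uses; `outdir="${builddir:-.}/output.$$"` keeps the per-run suffix while writing where the build is allowed to.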
diff --git a/tests/testpkcs11.softhsm b/tests/testpkcs11.softhsm
index 45e1174..2e44718 100755
--- a/tests/testpkcs11.softhsm
+++ b/tests/testpkcs11.softhsm
@@ -18,90 +18,16 @@
 # along with GnuTLS; if not, write to the Free Software Foundation,
 # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 
-outdir="${top_builddir:-./output}"
+outdir="${srcdir}/output.$$"
 file_dir="${srcdir:-./}"
 
-mkdir -p $outdir
-
-if test -f /usr/lib64/pkcs11/libsofthsm2.so; then
-	ADDITIONAL_PARAM="/usr/lib64/pkcs11/libsofthsm2.so"
-else
-	if test -f /usr/lib/softhsm/libsofthsm.so; then
-		ADDITIONAL_PARAM="/usr/lib/softhsm/libsofthsm.so"
-	else
-		ADDITIONAL_PARAM="/usr/lib64/softhsm/libsofthsm.so"
-	fi
-fi
-
-if ! test -x /usr/bin/pkcs11-tool;then
-	exit 77
-fi
-
-init_card () {
-	PIN="$1"
-	PUK="$2"
-
-	if test -x "/usr/bin/softhsm2-util"; then
-		export SOFTHSM2_CONF="$outdir/softhsm-testpkcs11.config"
-		SOFTHSM_TOOL="/usr/bin/softhsm2-util"
-	fi
-
-	if test -x "/usr/bin/softhsm"; then
-		export SOFTHSM_CONF="$outdir/softhsm-testpkcs11.config"
-		SOFTHSM_TOOL="/usr/bin/softhsm"
-	fi
-
-	if test -z "${SOFTHSM_TOOL}"; then
-		echo "Could not find softhsm(2) tool"
-		exit 77
-	fi
-
-	if test -z "${SOFTHSM_CONF}"; then
-		rm -rf $outdir/softhsm-testpkcs11.db
-		mkdir -p $outdir/softhsm-testpkcs11.db
-		echo "objectstore.backend = file" > "${SOFTHSM2_CONF}"
-		echo "directories.tokendir = $outdir/softhsm-testpkcs11.db" >> "${SOFTHSM2_CONF}"
-	else
-		rm -rf $outdir/softhsm-testpkcs11.db
-		echo "0:$outdir/softhsm-testpkcs11.db" > "${SOFTHSM_CONF}"
-	fi
-
-
-	echo -n "* Initializing smart card... "
-	${SOFTHSM_TOOL} --init-token --slot 0 --label "libp11-test" --so-pin "${PUK}" --pin "${PIN}" >/dev/null
-	if test $? = 0; then
-		echo ok
-	else
-		echo failed
-		exit 1
-	fi
-}
-
-PIN=1234
-PUK=1234
-init_card $PIN $PUK
-
-# generate key in token
-pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -d 00010203 -a server-key -l -w ${file_dir}/key.der -y privkey >/dev/null
-if test $? != 0;then
-	exit 1;
-fi
-
-pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -d 00010203 -a server-key -l -w ${file_dir}/cert.der -y cert >/dev/null
-if test $? != 0;then
-	exit 1;
-fi
-
-echo "***************"
-echo "Listing objects"
-echo "***************"
-pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -l -O
+. ${srcdir}/common.sh
 
 ./auth $ADDITIONAL_PARAM $PIN
 if test $? != 0;then
 	exit 1;
 fi
 
-rm -rf $outdir
+rm -rf "$outdir"
 
 exit 0
