[pkg-opensc-commit] [libp11] 207/239: tests: added check for operation under fork
Eric Dorland
eric at moszumanska.debian.org
Sat Oct 17 06:21:34 UTC 2015
eric pushed a commit to branch master
in repository libp11.
commit 9ead9b569b45e2704bc49ae6fdbc8ad34d3b933c
Author: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date: Fri Jul 17 10:32:08 2015 +0200
tests: added check for operation under fork
Unfortunately this check is not very reliable, because it runs against softhsm, and softhsm has no issues operating after fork().
---
tests/Makefile.am | 6 +-
tests/{testpkcs11.softhsm => common.sh} | 17 +--
tests/fork-test.c | 225 ++++++++++++++++++++++++++++++++
tests/testfork.softhsm | 32 +++++
tests/testpkcs11.softhsm | 80 +-----------
5 files changed, 265 insertions(+), 95 deletions(-)
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 376907e..123dc65 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -1,4 +1,4 @@
-EXTRA_DIST = cert.der key.der
+EXTRA_DIST = cert.der key.der common.sh
AM_CFLAGS = $(OPENSSL_CFLAGS)
AM_CPPFLAGS = \
@@ -10,8 +10,8 @@ LDADD = ../src/libp11.la $(OPENSSL_LIBS)
auth_SOURCES = ../examples/auth.c
-check_PROGRAMS = auth
-dist_check_SCRIPTS = testpkcs11.softhsm
+check_PROGRAMS = auth fork-test
+dist_check_SCRIPTS = testpkcs11.softhsm testfork.softhsm
TESTS = $(dist_check_SCRIPTS)
diff --git a/tests/testpkcs11.softhsm b/tests/common.sh
old mode 100755
new mode 100644
similarity index 90%
copy from tests/testpkcs11.softhsm
copy to tests/common.sh
index 45e1174..8fb8a14
--- a/tests/testpkcs11.softhsm
+++ b/tests/common.sh
@@ -1,10 +1,9 @@
#!/bin/sh
# Copyright (C) 2013 Nikos Mavrogiannopoulos
+# Copyright (C) 2015 Red Hat, Inc.
#
-# This file is part of GnuTLS.
-#
-# GnuTLS is free software; you can redistribute it and/or modify it
+# This is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
@@ -18,9 +17,6 @@
# along with GnuTLS; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-outdir="${top_builddir:-./output}"
-file_dir="${srcdir:-./}"
-
mkdir -p $outdir
if test -f /usr/lib64/pkcs11/libsofthsm2.so; then
@@ -96,12 +92,3 @@ echo "***************"
echo "Listing objects"
echo "***************"
pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -l -O
-
-./auth $ADDITIONAL_PARAM $PIN
-if test $? != 0;then
- exit 1;
-fi
-
-rm -rf $outdir
-
-exit 0
diff --git a/tests/fork-test.c b/tests/fork-test.c
new file mode 100644
index 0000000..c059e08
--- /dev/null
+++ b/tests/fork-test.c
@@ -0,0 +1,225 @@
+/* libp11 example code: auth.c
+ *
+ * This examply simply connects to your smart card
+ * and does a public key authentication.
+ *
+ * Feel free to copy all of the code as needed.
+ *
+ */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <termios.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <libp11.h>
+#include <unistd.h>
+
+#define RANDOM_SOURCE "/dev/urandom"
+#define RANDOM_SIZE 20
+#define MAX_SIGSIZE 256
+
+int main(int argc, char *argv[])
+{
+ PKCS11_CTX *ctx;
+ PKCS11_SLOT *slots, *slot;
+ PKCS11_CERT *certs;
+ pid_t pid;
+ int status = 0;
+
+ PKCS11_KEY *authkey;
+ PKCS11_CERT *authcert;
+ EVP_PKEY *pubkey = NULL;
+
+ unsigned char *random = NULL, *signature = NULL;
+
+ char password[20];
+ int rc = 0, fd;
+ unsigned int nslots, ncerts, siglen;
+
+ if (argc < 2) {
+ fprintf(stderr, "usage: auth /usr/lib/opensc-pkcs11.so [PIN]\n");
+ return 1;
+ }
+
+ ctx = PKCS11_CTX_new();
+
+ /* load pkcs #11 module */
+ rc = PKCS11_CTX_load(ctx, argv[1]);
+ if (rc) {
+ fprintf(stderr, "loading pkcs11 engine failed: %s\n",
+ ERR_reason_error_string(ERR_get_error()));
+ rc = 1;
+ goto nolib;
+ }
+
+ /* get information on all slots */
+ rc = PKCS11_enumerate_slots(ctx, &slots, &nslots);
+ if (rc < 0) {
+ fprintf(stderr, "no slots available\n");
+ rc = 2;
+ goto noslots;
+ }
+
+ /* get first slot with a token */
+ slot = PKCS11_find_token(ctx, slots, nslots);
+ if (!slot || !slot->token) {
+ fprintf(stderr, "no token available\n");
+ rc = 3;
+ goto notoken;
+ }
+ printf("Slot manufacturer......: %s\n", slot->manufacturer);
+ printf("Slot description.......: %s\n", slot->description);
+ printf("Slot token label.......: %s\n", slot->token->label);
+ printf("Slot token manufacturer: %s\n", slot->token->manufacturer);
+ printf("Slot token model.......: %s\n", slot->token->model);
+ printf("Slot token serialnr....: %s\n", slot->token->serialnr);
+
+ if (!slot->token->loginRequired)
+ goto loggedin;
+
+ /* get password */
+ if (argc > 2) {
+ strcpy(password, argv[2]);
+ } else {
+ exit(1);
+ }
+
+ loggedin:
+ /* perform pkcs #11 login */
+ rc = PKCS11_login(slot, 0, password);
+ memset(password, 0, strlen(password));
+ if (rc != 0) {
+ fprintf(stderr, "PKCS11_login failed\n");
+ goto failed;
+ }
+
+ /* get all certs */
+ rc = PKCS11_enumerate_certs(slot->token, &certs, &ncerts);
+ if (rc) {
+ fprintf(stderr, "PKCS11_enumerate_certs failed\n");
+ goto failed;
+ }
+ if (ncerts <= 0) {
+ fprintf(stderr, "no certificates found\n");
+ goto failed;
+ }
+
+ /* use the first cert */
+ authcert=&certs[0];
+
+ /* get random bytes */
+ random = malloc(RANDOM_SIZE);
+ if (!random)
+ goto failed;
+
+ fd = open(RANDOM_SOURCE, O_RDONLY);
+ if (fd < 0) {
+ fprintf(stderr, "fatal: cannot open RANDOM_SOURCE: %s\n",
+ strerror(errno));
+ goto failed;
+ }
+
+ rc = read(fd, random, RANDOM_SIZE);
+ if (rc < 0) {
+ fprintf(stderr, "fatal: read from random source failed: %s\n",
+ strerror(errno));
+ close(fd);
+ goto failed;
+ }
+
+ if (rc < RANDOM_SIZE) {
+ fprintf(stderr, "fatal: read returned less than %d<%d bytes\n",
+ rc, RANDOM_SIZE);
+ close(fd);
+ goto failed;
+ }
+
+ close(fd);
+
+ authkey = PKCS11_find_key(authcert);
+ if (!authkey) {
+ fprintf(stderr, "no key matching certificate available\n");
+ goto failed;
+ }
+
+ /* ask for a sha1 hash of the random data, signed by the key */
+ siglen = MAX_SIGSIZE;
+ signature = malloc(MAX_SIGSIZE);
+ if (!signature)
+ goto failed;
+
+ /* Do the operation after a fork */
+ pid = fork();
+ if (pid == -1)
+ exit(5);
+
+ if (pid) {
+ waitpid(pid, &status, 0);
+ if (WIFEXITED(status))
+ return WEXITSTATUS(status);
+ return 2;
+ }
+
+ /* do the operations in child */
+ rc = PKCS11_sign(NID_sha1, random, RANDOM_SIZE, signature, &siglen,
+ authkey);
+ if (rc != 1) {
+ fprintf(stderr, "fatal: pkcs11_sign failed\n");
+ goto failed;
+ }
+
+ /* verify the signature */
+ pubkey = X509_get_pubkey(authcert->x509);
+ if (pubkey == NULL) {
+ fprintf(stderr, "could not extract public key\n");
+ goto failed;
+ }
+
+ /* now verify the result */
+ rc = RSA_verify(NID_sha1, random, RANDOM_SIZE,
+ signature, siglen, pubkey->pkey.rsa);
+ if (rc != 1) {
+ fprintf(stderr, "fatal: RSA_verify failed\n");
+ goto failed;
+ }
+
+ if (pubkey != NULL)
+ EVP_PKEY_free(pubkey);
+
+ if (random != NULL)
+ free(random);
+ if (signature != NULL)
+ free(signature);
+
+ PKCS11_release_all_slots(ctx, slots, nslots);
+ PKCS11_CTX_unload(ctx);
+ PKCS11_CTX_free(ctx);
+
+ CRYPTO_cleanup_all_ex_data();
+ ERR_free_strings();
+ ERR_remove_state(0);
+
+ printf("authentication successfull.\n");
+ return 0;
+
+
+ failed:
+ ERR_print_errors_fp(stderr);
+ notoken:
+ PKCS11_release_all_slots(ctx, slots, nslots);
+
+ noslots:
+ PKCS11_CTX_unload(ctx);
+
+ nolib:
+ PKCS11_CTX_free(ctx);
+
+
+ printf("authentication failed.\n");
+ return 1;
+}
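Review bot: `strcpy(password, argv[2])` copies an argument of unbounded length into `char password[20]`, so a PIN of 20 bytes or more overruns the stack; since silently truncating a PIN would send a wrong value to the token and, on a real device, consume a retry, reject it instead: `if (strlen(argv[2]) >= sizeof password) { fprintf(stderr, "PIN too long\n"); exit(1); }` before the copy. The `!slot->token->loginRequired` branch jumps to `loggedin` with `password` never written, so `PKCS11_login` and the following `memset(password, 0, strlen(password))` read an uninitialized buffer — either initialize it with `char password[20] = {0};` or move the label after the login call, as its name suggests. A plain `memset` on a buffer that is not read again may be elided by the optimizer; `OPENSSL_cleanse` is the usual replacement in code that already links OpenSSL. `errno` and `malloc` are used without `<errno.h>` or `<stdlib.h>` being included directly, which presumably only compiles through whatever `libp11.h` pulls in.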
diff --git a/tests/testfork.softhsm b/tests/testfork.softhsm
new file mode 100755
index 0000000..5d463be
--- /dev/null
+++ b/tests/testfork.softhsm
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+# Copyright (C) 2013 Nikos Mavrogiannopoulos
+# Copyright (C) 2015 Red Hat, Inc.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+outdir="${srcdir}/output.$$"
+file_dir="${srcdir:-./}"
+
+. ${srcdir}/common.sh
+
+./fork-test $ADDITIONAL_PARAM $PIN
+if test $? != 0;then
+ exit 1;
+fi
+
+rm -rf "$outdir"
+
+exit 0
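Review bot: `outdir="${srcdir}/output.$$"` gives `srcdir` no default, unlike `file_dir="${srcdir:-./}"` on the next line, so outside `make check` it expands to `/output.<pid>`; the unquoted `. ${srcdir}/common.sh` two lines later fails the same way, so the script cannot run at all without that variable. Using `outdir="${srcdir:-.}/output.$$"` and `. "${srcdir:-.}/common.sh"` would match the defaulted `file_dir` and keep the `rm -rf "$outdir"` at the end from ever pointing at the filesystem root. The license header still says "GnuTLS is distributed" and "along with GnuTLS", which presumably is a leftover from the file this was copied from.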
diff --git a/tests/testpkcs11.softhsm b/tests/testpkcs11.softhsm
index 45e1174..2e44718 100755
--- a/tests/testpkcs11.softhsm
+++ b/tests/testpkcs11.softhsm
@@ -18,90 +18,16 @@
# along with GnuTLS; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-outdir="${top_builddir:-./output}"
+outdir="${srcdir}/output.$$"
file_dir="${srcdir:-./}"
-mkdir -p $outdir
-
-if test -f /usr/lib64/pkcs11/libsofthsm2.so; then
- ADDITIONAL_PARAM="/usr/lib64/pkcs11/libsofthsm2.so"
-else
- if test -f /usr/lib/softhsm/libsofthsm.so; then
- ADDITIONAL_PARAM="/usr/lib/softhsm/libsofthsm.so"
- else
- ADDITIONAL_PARAM="/usr/lib64/softhsm/libsofthsm.so"
- fi
-fi
-
-if ! test -x /usr/bin/pkcs11-tool;then
- exit 77
-fi
-
-init_card () {
- PIN="$1"
- PUK="$2"
-
- if test -x "/usr/bin/softhsm2-util"; then
- export SOFTHSM2_CONF="$outdir/softhsm-testpkcs11.config"
- SOFTHSM_TOOL="/usr/bin/softhsm2-util"
- fi
-
- if test -x "/usr/bin/softhsm"; then
- export SOFTHSM_CONF="$outdir/softhsm-testpkcs11.config"
- SOFTHSM_TOOL="/usr/bin/softhsm"
- fi
-
- if test -z "${SOFTHSM_TOOL}"; then
- echo "Could not find softhsm(2) tool"
- exit 77
- fi
-
- if test -z "${SOFTHSM_CONF}"; then
- rm -rf $outdir/softhsm-testpkcs11.db
- mkdir -p $outdir/softhsm-testpkcs11.db
- echo "objectstore.backend = file" > "${SOFTHSM2_CONF}"
- echo "directories.tokendir = $outdir/softhsm-testpkcs11.db" >> "${SOFTHSM2_CONF}"
- else
- rm -rf $outdir/softhsm-testpkcs11.db
- echo "0:$outdir/softhsm-testpkcs11.db" > "${SOFTHSM_CONF}"
- fi
-
-
- echo -n "* Initializing smart card... "
- ${SOFTHSM_TOOL} --init-token --slot 0 --label "libp11-test" --so-pin "${PUK}" --pin "${PIN}" >/dev/null
- if test $? = 0; then
- echo ok
- else
- echo failed
- exit 1
- fi
-}
-
-PIN=1234
-PUK=1234
-init_card $PIN $PUK
-
-# generate key in token
-pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -d 00010203 -a server-key -l -w ${file_dir}/key.der -y privkey >/dev/null
-if test $? != 0;then
- exit 1;
-fi
-
-pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -d 00010203 -a server-key -l -w ${file_dir}/cert.der -y cert >/dev/null
-if test $? != 0;then
- exit 1;
-fi
-
-echo "***************"
-echo "Listing objects"
-echo "***************"
-pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -l -O
+. ${srcdir}/common.sh
./auth $ADDITIONAL_PARAM $PIN
if test $? != 0;then
exit 1;
fi
-rm -rf $outdir
+rm -rf "$outdir"
exit 0
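Review bot: `outdir` now lives under `${srcdir}` instead of the previous `${top_builddir:-./output}`, so the test writes its softhsm config and token database into the source tree; in a VPATH build, and in particular under `make distcheck`, where automake typically makes the source directory read-only, the `mkdir -p $outdir` done in `common.sh` would fail. Keeping the directory under the build tree, e.g. `outdir="${top_builddir:-.}/output.$$"`, preserves the per-process unique name without touching srcdir. The `exit 1` failure path also leaves the directory behind — pre-existing, but a `trap 'rm -rf "$outdir"' EXIT` right after the assignment would cover both paths.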