[Spice-devel] [PATCH libcacard 42/45] Add automated way of running tests with softhsm
Jakub Jelen
jjelen at redhat.com
Tue Jul 31 14:50:36 UTC 2018
* This is useful for CI or manual running of the tests without a need
of a physical CAC card.
* The script goes through the whole setting of environment, soft token,
generating testing keys, certificates and running the test suite.
Signed-off-by: Jakub Jelen <jjelen at redhat.com>
Reviewed-by: Robert Relyea <rrelyea at redhat.com>
---
run_tests.sh | 108 +++++++++++++++++++++++++++++++++++++++++++++++++
tests/cert.cfg | 6 +++
2 files changed, 114 insertions(+)
create mode 100755 run_tests.sh
create mode 100644 tests/cert.cfg
diff --git a/run_tests.sh b/run_tests.sh
new file mode 100755
index 0000000..d6ac390
--- /dev/null
+++ b/run_tests.sh
@@ -0,0 +1,108 @@
+#/bin/bash
+
+NSSDB=tests/hwdb
+CONF=.softhsm2.conf
+SOPIN="12345678"
+PIN="77777777"
+export GNUTLS_PIN=$PIN
+
+P11LIB=/usr/lib64/pkcs11/libsofthsm2.so
+
+generate_cert() {
+ TYPE="$1"
+ ID="$2"
+ LABEL="$3"
+
+ # Generate key pair
+ pkcs11-tool --keypairgen --key-type="$TYPE" --login --pin=$PIN \
+ --module="$P11LIB" --label="$LABEL" --id=$ID
+
+ if [[ "$?" -ne "0" ]]; then
+ echo "Couldn't generate $TYPE key pair"
+ return 1
+ fi
+
+ # check type value for the PKCS#11 URI (RHEL7 is using old "object-type")
+ TYPE_KEY="type"
+ p11tool --list-all --provider="$P11LIB" --login | grep "object-type" && \
+ TYPE_KEY="object-type"
+
+ # Generate certificate
+ certtool --generate-self-signed --outfile="$TYPE.cert" --template=tests/cert.cfg \
+ --provider="$P11LIB" --load-privkey "pkcs11:object=$LABEL;$TYPE_KEY=private" \
+ --load-pubkey "pkcs11:object=$LABEL;$TYPE_KEY=public"
+ # convert to DER:
+ openssl x509 -inform PEM -outform DER -in "$TYPE.cert" -out "$TYPE.cert.der"
+ # Write certificate
+ pkcs11-tool --write-object "$TYPE.cert.der" --type=cert --id=$ID \
+ --label="$LABEL" --module="$P11LIB"
+
+ rm "$TYPE.cert" "$TYPE.cert.der"
+
+ p11tool --login --provider="$P11LIB" --list-all
+}
+
+# Check requirements
+if [ ! -f $(which pkcs11-tool) ]; then
+ echo "ERROR: Need 'opensc' package to run tests"
+ exit 1
+fi
+if [ ! -f $(which p11tool) -o ! -f $(which certtool) ]; then
+ echo "ERROR: Need 'gnutls-utils' package to run tests"
+ exit 1
+fi
+if [ ! -f $(which modutil) ]; then
+ echo "ERROR: Need 'nss-tools' package to run tests"
+ exit 1
+fi
+if [ ! -f $(which openssl) ]; then
+ echo "ERROR: Need 'openssl' package to run tests"
+ exit 1
+fi
+if [ ! -f $(which softhsm2-util) ]; then
+ echo "ERROR: Need 'softhsm' package to run tests"
+ exit 1
+fi
+
+
+
+export SOFTHSM2_CONF="$CONF"
+# SoftHSM configuration file
+if [ ! -f "$CONF" ]; then
+ echo "directories.tokendir = .tokens/" > $CONF
+ echo "slots.removable = true" >> $CONF
+fi
+
+# SoftHSM configuration directory
+if [ ! -d ".tokens" ]; then
+ mkdir ".tokens"
+
+ # Init token
+ softhsm2-util --init-token --slot 0 --label "SC test" --so-pin="$SOPIN" --pin="$PIN"
+
+ # Generate 1024b RSA Key pair
+ generate_cert "RSA:1024" "01" "RSA_auth"
+ generate_cert "RSA:1024" "02" "RSA_sign"
+fi
+# NSS DB
+if [ ! -d "$NSSDB" ]; then
+ mkdir "$NSSDB"
+ modutil -create -dbdir "sql:$NSSDB" -force
+ modutil -add "SoftHSM PKCS#11" -dbdir "sql:$NSSDB" -libfile "$P11LIB" -force
+fi
+
+
+if [ "$1" == "cleanup" ]; then
+ rm -rf .tokens $CONF $NSSDB
+ exit
+fi
+
+# Drop the requirement of HW slot in the libcacard:
+sed -e 's/ || !PK11_IsHW(slot)//g' -i.backup src/vcard_emul_nss.c
+make check
+RV=$?
+#restore from backup
+mv src/vcard_emul_nss.c{.backup,}
+make
+
+exit $RV
diff --git a/tests/cert.cfg b/tests/cert.cfg
new file mode 100644
index 0000000..409aa93
--- /dev/null
+++ b/tests/cert.cfg
@@ -0,0 +1,6 @@
+organization = "OpenSC"
+expiration_days = 365
+email = "none at example.org"
+signing_key
+encryption_key
+
--
2.17.1
More information about the Spice-devel
mailing list