[Spice-devel] [PATCH libcacard 42/45] Add automated way of running tests with softhsm

Jakub Jelen jjelen at redhat.com
Tue Jul 31 14:50:36 UTC 2018


 * This is useful for CI or manual running of the tests without a need
   of a physical CAC card.
 * The script goes through the whole setting of environment, soft token,
   generating testing keys, certificates and running the test suite.

Signed-off-by: Jakub Jelen <jjelen at redhat.com>
Reviewed-by: Robert Relyea <rrelyea at redhat.com>
---
 run_tests.sh   | 108 +++++++++++++++++++++++++++++++++++++++++++++++++
 tests/cert.cfg |   6 +++
 2 files changed, 114 insertions(+)
 create mode 100755 run_tests.sh
 create mode 100644 tests/cert.cfg

diff --git a/run_tests.sh b/run_tests.sh
new file mode 100755
index 0000000..d6ac390
--- /dev/null
+++ b/run_tests.sh
@@ -0,0 +1,108 @@
+#/bin/bash
+
+NSSDB=tests/hwdb
+CONF=.softhsm2.conf
+SOPIN="12345678"
+PIN="77777777"
+export GNUTLS_PIN=$PIN
+
+P11LIB=/usr/lib64/pkcs11/libsofthsm2.so
+
+generate_cert() {
+	TYPE="$1"
+	ID="$2"
+	LABEL="$3"
+
+	# Generate key pair
+	pkcs11-tool --keypairgen --key-type="$TYPE" --login --pin=$PIN \
+		--module="$P11LIB" --label="$LABEL" --id=$ID
+
+	if [[ "$?" -ne "0" ]]; then
+		echo "Couldn't generate $TYPE key pair"
+		return 1
+	fi
+
+	# check type value for the PKCS#11 URI (RHEL7 is using old "object-type")
+	TYPE_KEY="type"
+	p11tool --list-all --provider="$P11LIB" --login | grep "object-type" && \
+		TYPE_KEY="object-type"
+
+	# Generate certificate
+	certtool --generate-self-signed --outfile="$TYPE.cert" --template=tests/cert.cfg \
+		--provider="$P11LIB" --load-privkey "pkcs11:object=$LABEL;$TYPE_KEY=private" \
+		--load-pubkey "pkcs11:object=$LABEL;$TYPE_KEY=public"
+	# convert to DER:
+	openssl x509 -inform PEM -outform DER -in "$TYPE.cert" -out "$TYPE.cert.der"
+	# Write certificate
+	pkcs11-tool --write-object "$TYPE.cert.der" --type=cert --id=$ID \
+		--label="$LABEL" --module="$P11LIB"
+
+	rm "$TYPE.cert" "$TYPE.cert.der"
+
+	p11tool --login --provider="$P11LIB" --list-all
+}
+
+# Check requirements
+if [ ! -f $(which pkcs11-tool) ]; then
+	echo "ERROR: Need 'opensc' package to run tests"
+	exit 1
+fi
+if [ ! -f $(which p11tool) -o ! -f $(which certtool) ]; then
+	echo "ERROR: Need 'gnutls-utils' package to run tests"
+	exit 1
+fi
+if [ ! -f $(which modutil) ]; then
+	echo "ERROR: Need 'nss-tools' package to run tests"
+	exit 1
+fi
+if [ ! -f $(which openssl) ]; then
+	echo "ERROR: Need 'openssl' package to run tests"
+	exit 1
+fi
+if [ ! -f $(which softhsm2-util) ]; then
+	echo "ERROR: Need 'softhsm' package to run tests"
+	exit 1
+fi
+
+
+
+export SOFTHSM2_CONF="$CONF"
+# SoftHSM configuration file
+if [ ! -f "$CONF" ]; then
+	echo "directories.tokendir = .tokens/" > $CONF
+	echo "slots.removable = true" >> $CONF
+fi
+
+# SoftHSM configuration directory
+if [ ! -d ".tokens" ]; then
+	mkdir ".tokens"
+
+	# Init token
+	softhsm2-util --init-token --slot 0 --label "SC test" --so-pin="$SOPIN" --pin="$PIN"
+
+	# Generate 1024b RSA Key pair
+	generate_cert "RSA:1024" "01" "RSA_auth"
+	generate_cert "RSA:1024" "02" "RSA_sign"
+fi
+# NSS DB
+if [ ! -d "$NSSDB" ]; then
+	mkdir "$NSSDB"
+	modutil -create -dbdir "sql:$NSSDB" -force
+	modutil -add "SoftHSM PKCS#11" -dbdir "sql:$NSSDB" -libfile "$P11LIB" -force
+fi
+
+
+if [ "$1" == "cleanup" ]; then
+	rm -rf .tokens $CONF $NSSDB
+	exit
+fi
+
+# Drop the requirement of HW slot in the libcacard:
+sed -e 's/ || !PK11_IsHW(slot)//g' -i.backup src/vcard_emul_nss.c
+make check
+RV=$?
+#restore from backup
+mv src/vcard_emul_nss.c{.backup,}
+make
+
+exit $RV
diff --git a/tests/cert.cfg b/tests/cert.cfg
new file mode 100644
index 0000000..409aa93
--- /dev/null
+++ b/tests/cert.cfg
@@ -0,0 +1,6 @@
+organization = "OpenSC"
+expiration_days = 365
+email = "none at example.org"
+signing_key
+encryption_key
+
-- 
2.17.1



More information about the Spice-devel mailing list