[Spice-devel] [PATCH libcacard 42/45] Add automated way of running tests with softhsm

Marc-André Lureau marcandre.lureau at gmail.com
Tue Jul 31 22:19:38 UTC 2018


Hi

On Tue, Jul 31, 2018 at 4:50 PM, Jakub Jelen <jjelen at redhat.com> wrote:
>  * This is useful for CI or manual running of the tests without a need
>    of a physical CAC card.
>  * The script goes through the whole setup of the environment, soft token,
>    generating testing keys and certificates, and running the test suite.

Annoyingly, this isn't done as part of make check, but should be run
first. This can be fixed later.

>
> Signed-off-by: Jakub Jelen <jjelen at redhat.com>
> Reviewed-by: Robert Relyea <rrelyea at redhat.com>
> ---
>  run_tests.sh   | 108 +++++++++++++++++++++++++++++++++++++++++++++++++
>  tests/cert.cfg |   6 +++
>  2 files changed, 114 insertions(+)
>  create mode 100755 run_tests.sh
>  create mode 100644 tests/cert.cfg
>
> diff --git a/run_tests.sh b/run_tests.sh
> new file mode 100755
> index 0000000..d6ac390
> --- /dev/null
> +++ b/run_tests.sh
> @@ -0,0 +1,108 @@
> +#/bin/bash
> +
> +NSSDB=tests/hwdb
> +CONF=.softhsm2.conf
> +SOPIN="12345678"
> +PIN="77777777"
> +export GNUTLS_PIN=$PIN
> +
> +P11LIB=/usr/lib64/pkcs11/libsofthsm2.so
> +
> +generate_cert() {
> +       TYPE="$1"
> +       ID="$2"
> +       LABEL="$3"
> +
> +       # Generate key pair
> +       pkcs11-tool --keypairgen --key-type="$TYPE" --login --pin=$PIN \
> +               --module="$P11LIB" --label="$LABEL" --id=$ID
> +
> +       if [[ "$?" -ne "0" ]]; then
> +               echo "Couldn't generate $TYPE key pair"
> +               return 1
> +       fi
> +
> +       # check type value for the PKCS#11 URI (RHEL7 is using old "object-type")
> +       TYPE_KEY="type"
> +       p11tool --list-all --provider="$P11LIB" --login | grep "object-type" && \
> +               TYPE_KEY="object-type"
> +
> +       # Generate certificate
> +       certtool --generate-self-signed --outfile="$TYPE.cert" --template=tests/cert.cfg \
> +               --provider="$P11LIB" --load-privkey "pkcs11:object=$LABEL;$TYPE_KEY=private" \
> +               --load-pubkey "pkcs11:object=$LABEL;$TYPE_KEY=public"
> +       # convert to DER:
> +       openssl x509 -inform PEM -outform DER -in "$TYPE.cert" -out "$TYPE.cert.der"
> +       # Write certificate
> +       pkcs11-tool --write-object "$TYPE.cert.der" --type=cert --id=$ID \
> +               --label="$LABEL" --module="$P11LIB"
> +
> +       rm "$TYPE.cert" "$TYPE.cert.der"
> +
> +       p11tool --login --provider="$P11LIB" --list-all
> +}
> +
> +# Check requirements
> +if [ ! -f $(which pkcs11-tool) ]; then
> +       echo "ERROR: Need 'opensc' package to run tests"
> +       exit 1
> +fi
> +if [ ! -f $(which p11tool) -o ! -f $(which certtool) ]; then
> +       echo "ERROR: Need 'gnutls-utils' package to run tests"
> +       exit 1
> +fi
> +if [ ! -f $(which modutil) ]; then
> +       echo "ERROR: Need 'nss-tools' package to run tests"
> +       exit 1
> +fi
> +if [ ! -f $(which openssl) ]; then
> +       echo "ERROR: Need 'openssl' package to run tests"
> +       exit 1
> +fi
> +if [ ! -f $(which softhsm2-util) ]; then
> +       echo "ERROR: Need 'softhsm' package to run tests"
> +       exit 1
> +fi
> +
> +
> +
> +export SOFTHSM2_CONF="$CONF"
> +# SoftHSM configuration file
> +if [ ! -f "$CONF" ]; then
> +       echo "directories.tokendir = .tokens/" > $CONF
> +       echo "slots.removable = true" >> $CONF
> +fi
> +
> +# SoftHSM configuration directory
> +if [ ! -d ".tokens" ]; then
> +       mkdir ".tokens"
> +
> +       # Init token
> +       softhsm2-util --init-token --slot 0 --label "SC test" --so-pin="$SOPIN" --pin="$PIN"
> +
> +       # Generate 1024b RSA Key pair
> +       generate_cert "RSA:1024" "01" "RSA_auth"
> +       generate_cert "RSA:1024" "02" "RSA_sign"
> +fi
> +# NSS DB
> +if [ ! -d "$NSSDB" ]; then
> +       mkdir "$NSSDB"
> +       modutil -create -dbdir "sql:$NSSDB" -force
> +       modutil -add "SoftHSM PKCS#11" -dbdir "sql:$NSSDB" -libfile "$P11LIB" -force
> +fi
> +
> +
> +if [ "$1" == "cleanup" ]; then
> +       rm -rf .tokens $CONF $NSSDB
> +       exit
> +fi
> +
> +# Drop the requirement of HW slot in the libcacard:
> +sed -e 's/ || !PK11_IsHW(slot)//g' -i.backup src/vcard_emul_nss.c

This is quite a hack too! you could simply introduce an option or an
environment variable for testing... If you don't address it now,
please add a TODO.

> +make check
> +RV=$?
> +#restore from backup
> +mv src/vcard_emul_nss.c{.backup,}
> +make
> +
> +exit $RV
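Review bot: The first line of run_tests.sh is `#/bin/bash`, which lacks the `!` and is therefore only a comment; with the file created as 100755 the interpreter becomes whatever the invoking shell falls back to, and the `[[ "$?" -ne "0" ]]` test in generate_cert and the `src/vcard_emul_nss.c{.backup,}` brace expansion at the end need bash, so it should read `#!/bin/bash`. The requirement checks below generate_cert also never fire: when a tool is absent `which` prints nothing, `[ ! -f $(which pkcs11-tool) ]` collapses to `[ ! -f ]`, which is a one-argument test on the string `-f` and evaluates to false, so the ERROR branch is skipped and the script proceeds to fail later in an obscure place; the `-o` form for p11tool/certtool presumably misparses the same way. Replacing the five blocks with a `command -v`-based helper (below) makes the checks work and drops the deprecated `-o`. Separately, generate_cert only checks the exit status of the keypairgen step; if certtool, openssl or `--write-object` fail the token is left without a certificate and `make check` still runs, so each of those lines deserves a `|| return 1`.
```bash
#!/bin/bash
# … unchanged: NSSDB/CONF/PIN defaults, P11LIB, generate_cert …

# Check requirements.  A plain `[ ! -f $(which tool) ]` degenerates to
# `[ ! -f ]` when the tool is missing and never reports the error.
need_tool() {
	command -v "$1" >/dev/null 2>&1 && return 0
	echo "ERROR: Need '$2' package to run tests"
	exit 1
}
need_tool pkcs11-tool opensc
need_tool p11tool gnutls-utils
need_tool certtool gnutls-utils
need_tool modutil nss-tools
need_tool openssl openssl
need_tool softhsm2-util softhsm
# … unchanged: SoftHSM config, token init, NSS DB, cleanup, make check …
```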
> diff --git a/tests/cert.cfg b/tests/cert.cfg
> new file mode 100644
> index 0000000..409aa93
> --- /dev/null
> +++ b/tests/cert.cfg
> @@ -0,0 +1,6 @@
> +organization = "OpenSC"
> +expiration_days = 365
> +email = "none at example.org"
> +signing_key
> +encryption_key
> +
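Review bot: `expiration_days = 365` gives the self-signed test certificates a one-year lifetime, while run_tests.sh only calls generate_cert when the `.tokens` directory does not yet exist, so a checkout whose token was initialised more than a year earlier silently runs the suite against expired certificates. For a throwaway test fixture either a much longer lifetime or an unconditional regeneration of the token on each run avoids that; a comment such as `# test-only template; certificates are regenerated only when .tokens/ is absent` next to the value would at least make the coupling visible.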
> --
> 2.17.1
>



-- 
Marc-André Lureau

