tests: smartcard tests

Add some tests for: - softhsm (v2) - yubikey (disabled by default) Test configuration must be setup in tests/config.env closes #66 Signed-off-by: Jérôme Jutteau <[email protected]>
outscale · Sep 2, 2021 · 15e25d5 · 15e25d5
1 parent cff03c1
commit 15e25d5
Show file tree

Hide file tree

Showing 4 changed files with 157 additions and 0 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -22,13 +22,17 @@ Use the same issue tracker to report problems with the documentation.
 Pre-requisites:
 - An Outscale account on eu-west-2 region
 - At least 50 AccessKeys in your quota
+- Have `softhsm`, `pkcs11-tool` and `openssl` installed (for smartcard tests based on softhsm)
+- Have `ykman` and `yubico-piv-tool` installed (for smartcard tests based on yubikey)
 
 Setup:
 - Fill a valid `default` profile in `~/.osc/config.json`
 - `export OSC_TEST_LOGIN="[email protected]"`
 - `export OSC_TEST_PASSWORD="MySecretPassword"`
 - `export OSC_TEST_ACCESS_KEY="ASJOAEHDIOEXAMPLE"`
 - `export OSC_TEST_SECRET_KEY="ASJOAEHSDF4565D4F6D54F6D5F4F654DIOEXAMPLE"`
+- `export OSC_TEST_SMARTCARD_SOFTHSM=true"`
+- `export OSC_TEST_SMARTCARD_YUBIKEY=false"`
 
 Warning: config files in `~/.osc/config.json` and `~/.osc_sdk/config.json` will be overwritten during tests. Make sure to backup them if needed.
 

diff --git a/tests/gen_smartcard_softhsm_config_file.sh b/tests/gen_smartcard_softhsm_config_file.sh
@@ -0,0 +1,75 @@
+#!/bin/bash
+set -e
+echo -n "$(basename $0): "
+
+if [[ "$OSTYPE" == "darwin"* ]]; then
+    ssl_engine="/usr/local/Cellar/libp11/0.4.11/lib/engines-1.1/pkcs11.dylib"
+    module="/usr/local/Cellar/yubico-piv-tool/2.2.0/lib/libykcs11.dylib"
+    openssl="/usr/local/Cellar/[email protected]/1.1.1k/bin/openssl"
+elif [[ "$OSTYPE" == "linux"* ]]; then
+    ssl_engine="/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so"
+    module="/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so"
+    openssl="openssl"
+fi
+token_label="osc-test-token"
+rsa_label="osc.key"
+cert_label="osc.cert"
+pin="0000"
+
+# Test SoftHSMv2
+softhsm2-util --version &> /dev/null || { echo "softhsm2-util not found"; exit 1; }
+
+# Clean existing SoftHSMv2 token
+softhsm2-util --delete-token --token $token_label &> /dev/null || true
+softhsm2-util --init-token --pin ${pin} --so-pin 1234 --free --label $token_label &> /dev/null || { echo "Cannot initialize SoftHSM token"; exit 1; }
+
+# Test pkcs11-tool
+pkcs11-tool --test --module $module &> /dev/null || { echo "pkcs11-tool --test failed"; exit 1; }
+
+# Test openssl
+$openssl help &> /dev/null || { echo "openssl not found"; exit 1;}
+
+# Generate RSA key on smartcard
+pkcs11-tool --module $module --keypairgen --key-type rsa:2048 --usage-sign --login --pin ${pin} --token-label $token_label --label $rsa_label &> /dev/null || { echo "Cannot create RSA key"; exit 1; }
+
+# Test engine
+$openssl engine -t -c pkcs11 &> /dev/null || { echo "pkcs11 engine not available to openssl"; exit 1; }
+
+# Generate cert
+$openssl req -new -x509 -out osc.crt -days 365 -addext basicConstraints=critical,CA:TRUE,pathlen:1 -subj "/CN=OSC-TEST-CA" -engine pkcs11 -keyform engine -key "pkcs11:token=${token_label};object=${rsa_label};pin-value=${pin}" &> /dev/null || { echo "Cannot create openssl cert"; exit 1; }
+
+# Convert to der format
+$openssl x509 -inform pem -outform der -in osc.crt -out osc.crt.der &> /dev/null || { echo "Cannot convert to der format"; exit 1; }
+
+# Send der to smartcard
+pkcs11-tool --module $module --write-object osc.crt.der --type cert --token-label $token_label --label $cert_label &> /dev/null || { echo "Cannot write certificate to smartcard"; exit 1; }
+
+# Clean files
+rm -rf osc.crt osc.crt.der
+
+# Generate configuration
+rm -rf ~/.osc
+mkdir -p ~/.osc
+echo -n "
+{
+    \"default\": {
+	\"access_key\": \"${OSC_TEST_ACCESS_KEY}\",
+	\"secret_key\": \"${OSC_TEST_SECRET_KEY}\",
+	\"ssl_engine_id\": \"pkcs11\",
+	\"ssl_engine_path\": \"${ssl_engine}\",
+	\"ssl_module_path\": \"${module}\",
+	\"x509_client_cert\": \"pkcs11:token=${token_label};type=cert;object=${cert_label}\",
+	\"x509_client_key\": \"pkcs11:token=${token_label};type=private;object=${rsa_label};pin-value=${pin}\",
+	\"region\": \"eu-west-2\",
+	\"endpoints\": {
+	    \"api\": \"api.eu-west-2.outscale.com/api/v1\",
+	    \"fcu\": \"fcu.eu-west-2.outscale.com\",
+	    \"lbu\": \"lbu.eu-west-2.outscale.com\",
+	    \"eim\": \"eim.eu-west-2.outscale.com\",
+	    \"icu\": \"icu.eu-west-2.outscale.com\",
+	    \"directlink\": \"directlink.eu-west-2.outscale.com\",
+	    \"oos\": \"oos.eu-west-2.outscale.com\"
+	}
+    }
+}" > ~/.osc/config.json
+echo "OK"
diff --git a/tests/gen_smartcard_yubikey_config_file.sh b/tests/gen_smartcard_yubikey_config_file.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+set -e
+echo -n "$(basename $0): "
+
+if [[ "$OSTYPE" == "darwin"* ]]; then
+    ssl_engine="/usr/local/Cellar/libp11/0.4.11/lib/engines-1.1/pkcs11.dylib"
+    module="/usr/local/Cellar/yubico-piv-tool/2.2.0/lib/libykcs11.dylib"
+elif [[ "$OSTYPE" == "linux"* ]]; then
+    ssl_engine="/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so"
+    module="/usr/lib/x86_64-linux-gnu/libykcs11.so.2.2.0"
+fi
+pin="123456"
+
+# Test ykman
+ykman --help &> /dev/null || { echo "ykman not found"; exit 1; }
+
+# Reset token with default credentials
+ykman piv reset -f &> /dev/null || { echo "Cannot reset yubikey"; exit 1; }
+
+# Test yubico-piv-tool
+yubico-piv-tool --help &> /dev/null || { echo "yubico-piv-tool not found"; exit 1; }
+
+# Reset token with default credentials
+ykman piv reset -f &> /dev/null || { echo "Cannot reset yubikey"; exit 1; }
+
+# Generate private key
+yubico-piv-tool -s 9a -a generate -o public.pem &> /dev/null || { echo "Cannot generate private key"; exit 1; }
+
+# Generate certificate
+yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i public.pem -o cert.pem --pin=$pin &> /dev/null || { echo "Cannot generate certificate"; exit 1; }
+
+# Upload certificate
+yubico-piv-tool -a import-certificate -s 9a -i cert.pem &> /dev/null || { echo "Cannot upload certificate"; exit 1; }
+
+# Generate configuration
+rm -rf ~/.osc
+mkdir -p ~/.osc
+echo -n "
+{
+    \"default\": {
+	\"access_key\": \"${OSC_TEST_ACCESS_KEY}\",
+	\"secret_key\": \"${OSC_TEST_SECRET_KEY}\",
+	\"ssl_engine_id\": \"pkcs11\",
+	\"ssl_engine_path\": \"${ssl_engine}\",
+	\"ssl_module_path\": \"${module}\",
+	\"x509_client_cert\": \"pkcs11:type=cert;id=%01\",
+	\"x509_client_key\": \"pkcs11:type=private;id=%01;pin-value=${pin}\",
+	\"region\": \"eu-west-2\",
+	\"endpoints\": {
+	    \"api\": \"api.eu-west-2.outscale.com/api/v1\",
+	    \"fcu\": \"fcu.eu-west-2.outscale.com\",
+	    \"lbu\": \"lbu.eu-west-2.outscale.com\",
+	    \"eim\": \"eim.eu-west-2.outscale.com\",
+	    \"icu\": \"icu.eu-west-2.outscale.com\",
+	    \"directlink\": \"directlink.eu-west-2.outscale.com\",
+	    \"oos\": \"oos.eu-west-2.outscale.com\"
+	}
+    }
+}" > ~/.osc/config.json
+echo "OK"
diff --git a/tests/test_int.sh b/tests/test_int.sh
@@ -22,4 +22,22 @@ for t in *.sh ; do
     ./$t
 done
 
+if $OSC_TEST_SMARTCARD_SOFTHSM; then
+    $PROJECT_ROOT/tests/clean_config_files.sh
+    $PROJECT_ROOT/tests/gen_smartcard_softhsm_config_file.sh
+    cd $PROJECT_ROOT/tests/generic_tests/
+    for t in *.sh ; do
+	./$t
+    done
+fi
+
+if $OSC_TEST_SMARTCARD_YUBIKEY; then
+    $PROJECT_ROOT/tests/clean_config_files.sh
+    $PROJECT_ROOT/tests/gen_smartcard_yubikey_config_file.sh
+    cd $PROJECT_ROOT/tests/generic_tests/
+    for t in *.sh ; do
+	./$t
+    done
+fi
+
 $PROJECT_ROOT/tests/clean_config_files.sh