path: root/tests/p11-kit-load.sh

#!/bin/sh

# Copyright (C) 2017 Red Hat, Inc.
#
# This file is part of p11-kit.
#
# p11-kit is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# p11-kit is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>

#set -e

: ${srcdir=.}
: ${builddir=.}
: ${CERTTOOL=../src/certtool${EXEEXT}}
: ${P11TOOL=../src/p11tool${EXEEXT}}
: ${DIFF=diff}
: ${PKG_CONFIG=pkg-config}
TMP_SOFTHSM_DIR="./softhsm-load.$$.tmp"
TMP_SOFTHSM_REMOTE_DIR="./softhsm-remote.$$.tmp"
P11DIR="p11-kit-conf.$$.tmp"
PIN=1234
PUK=1234

for lib in ${libdir} ${libdir}/pkcs11 /usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/;do
	if test -f "${lib}/p11-kit-trust.so"; then
		TRUST_MODULE="${lib}/p11-kit-trust.so"
		echo "located ${MODULE}"
		break
	fi
done

for lib in ${libdir} ${libdir}/pkcs11 /usr/lib64/pkcs11/ /usr/lib/pkcs11/ /usr/lib/x86_64-linux-gnu/pkcs11/ /usr/lib/softhsm/;do
	if test -f "${lib}/libsofthsm2.so"; then
		SOFTHSM_MODULE="${lib}/libsofthsm2.so"
		echo "located ${MODULE}"
		break
	fi
done

${PKG_CONFIG} --version >/dev/null || exit 77

${PKG_CONFIG} --atleast-version=0.23.10 p11-kit-1
if test $? != 0;then
	echo p11-kit 0.23.10 is required
	exit 77
fi

if ! test -f "${TRUST_MODULE}"; then
	echo "p11-kit trust module was not found"
	exit 77
fi

if ! test -f "${SOFTHSM_MODULE}"; then
	echo "softhsm module was not found"
	exit 77
fi

# Create pkcs11.conf with three modules, a trusted (p11-kit-trust)
# and two non-trusted softhsm modules (local and remote)
mkdir -p ${P11DIR}

cat <<_EOF_ >${P11DIR}/p11-kit-trust.module
module: p11-kit-trust.so
trust-policy: yes
_EOF_

cat <<_EOF_ >${P11DIR}/softhsm.module
module: libsofthsm2.so
_EOF_

cat <<_EOF_ >${P11DIR}/softhsm-remote.module
remote: |env - SOFTHSM2_CONF=${TMP_SOFTHSM_REMOTE_DIR}/conf p11-kit remote ${SOFTHSM_MODULE}
_EOF_

# Setup local softhsm
rm -rf ${TMP_SOFTHSM_DIR}
mkdir -p ${TMP_SOFTHSM_DIR}
SOFTHSM2_CONF=${TMP_SOFTHSM_DIR}/conf
export SOFTHSM2_CONF
echo "objectstore.backend = file" > "${SOFTHSM2_CONF}"
echo "directories.tokendir = ${TMP_SOFTHSM_DIR}" >> "${SOFTHSM2_CONF}"

softhsm2-util --init-token --slot 0 --label "GnuTLS-Test" --so-pin "${PUK}" --pin "${PIN}" >/dev/null #2>&1
if test $? != 0; then
	echo "failed to initialize softhsm"
	exit 1
fi

GNUTLS_PIN="${PIN}" ${P11TOOL} --login --label GnuTLS-Test-RSA --generate-privkey rsa --provider "${SOFTHSM_MODULE}" pkcs11: --outfile /dev/null
if test $? != 0; then
	echo "failed to generate privkey"
	exit 1
fi

# Setup remote softhsm
rm -rf ${TMP_SOFTHSM_REMOTE_DIR}
mkdir -p ${TMP_SOFTHSM_REMOTE_DIR}
SOFTHSM2_CONF=${TMP_SOFTHSM_REMOTE_DIR}/conf
export SOFTHSM2_CONF
echo "objectstore.backend = file" > "${SOFTHSM2_CONF}"
echo "directories.tokendir = ${TMP_SOFTHSM_REMOTE_DIR}" >> "${SOFTHSM2_CONF}"

softhsm2-util --init-token --slot 0 --label "GnuTLS-Remote" --so-pin "${PUK}" --pin "${PIN}" >/dev/null #2>&1
if test $? != 0; then
	echo "failed to initialize softhsm"
	exit 1
fi

GNUTLS_PIN="${PIN}" ${P11TOOL} --login --label GnuTLS-Test-RSA --generate-privkey rsa --provider "${SOFTHSM_MODULE}" pkcs11: --outfile /dev/null
if test $? != 0; then
	echo "failed to generate privkey"
	exit 1
fi

# Use the local softhsm configuration throughout the tests, unless
# explicitly specified with the module configuration
SOFTHSM2_CONF=${TMP_SOFTHSM_DIR}/conf
export SOFTHSM2_CONF

FILTERTOKEN="sed s/token=.*//g"

# Check whether both are listed
nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -a|${FILTERTOKEN}|sort -u|wc -l)
#nr=$(${P11TOOL} --list-tokens|grep 'Module:'|sort -u|wc -l)
if test "$nr" != 3;then
	echo "Error: did not find 3 modules ($nr)"
	${builddir}/pkcs11/list-tokens -o ${P11DIR} -a
	exit 1
fi

# Check whether duplicate modules are filtered
nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -a -i|${FILTERTOKEN}|sort -u|wc -l)
#nr=$(${P11TOOL} --list-tokens|grep 'Module:'|sort -u|wc -l)
if test "$nr" != 2;then
	echo "Error: did not find 2 modules ($nr)"
	${builddir}/pkcs11/list-tokens -o ${P11DIR} -a -i
	exit 1
fi

# Check whether whether list-tokens will list the trust module
# if we only load softhsm. It shouldn't as we only load the
# trust module when needed (e.g., verification).

nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -s "${SOFTHSM_MODULE}"|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 1;then
	echo "Error: did not find softhsm module"
	${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -s "${SOFTHSM_MODULE}"
	exit 1
fi

# Check whether both modules are found when gnutls_pkcs11_init
# is not called but a pkcs11 operation is called.
nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -d|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 3;then
	echo "Error in test 1: did not find 3 modules"
	${builddir}/pkcs11/list-tokens -o ${P11DIR} -d
	exit 1
fi

# Check whether both modules are found when gnutls_pkcs11_init 
# is called with the auto flag
nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -a|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 3;then
	echo "Error in test 2: did not find 3 modules"
	${builddir}/pkcs11/list-tokens -o ${P11DIR} -a
	exit 1
fi

# Check whether only trusted modules are listed when the
# trusted flag is given to gnutls_pkcs11_init().
nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -t|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 1;then
	echo "Error in test 3: did not find the trusted module"
	${builddir}/pkcs11/list-tokens -o ${P11DIR} -t
	exit 1
fi

# Check whether only trusted is listed after certificate verification
# is performed.
nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -v|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 1;then
	echo "Error in test 4: did not find 1 module"
	${builddir}/pkcs11/list-tokens -o ${P11DIR} -v
	exit 1
fi

# Check whether only trusted is listed when gnutls_pkcs11_init
# is called with manual flag and a certificate verification is performed.
nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -v|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 1;then
	echo "Error in test 5: did not find 1 module"
	${builddir}/pkcs11/list-tokens -o ${P11DIR} -m -v
	exit 1
fi

# Check whether all modules are listed after certificate verification
# is performed then a PKCS#11 function is called.
nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -v -d|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 2;then
	echo "Error in test 6: did not find all modules"
	${builddir}/pkcs11/list-tokens -o ${P11DIR} -v -d
	exit 1
fi

# Check whether all modules are listed after a private key operation.
nr=$(${builddir}/pkcs11/list-tokens -o ${P11DIR} -p|${FILTERTOKEN}|sort -u|wc -l)
if test "$nr" != 2;then
	echo "Error in test 7: did not find all modules"
	${builddir}/pkcs11/list-tokens -o ${P11DIR} -p
	exit 1
fi

# Check whether public key and privkey are listed.
nr=$(GNUTLS_PIN="${PIN}" ${builddir}/pkcs11/list-objects -o ${P11DIR} -t all pkcs11:token=GnuTLS-Test|sort -u|wc -l)
if test "$nr" != 2;then
	echo "Error in test 8: did not find all objects"
	${builddir}/pkcs11/list-objects -o ${P11DIR} -t all pkcs11:token=GnuTLS-Test
	exit 1
fi

# Check whether all privkeys are listed even if trust module is registered.
nr=$(GNUTLS_PIN="${PIN}" ${builddir}/pkcs11/list-objects -o ${P11DIR} -t privkey pkcs11:|sort -u|wc -l)
if test "$nr" != 1;then
	echo "Error in test 9: did not find privkey objects"
	${builddir}/pkcs11/list-objects -o ${P11DIR} -t privkey pkcs11:
	exit 1
fi

rm -f ${P11DIR}/*
rm -rf ${TMP_SOFTHSM_DIR}

exit 0