

tests: Check CA cert in TLS test
Signed-off-by: Jakub Jelen <[email protected]>
Jakuje committed Jul 30, 2024
1 parent 7c36c08 commit 56c5fd3
Showing 4 changed files with 29 additions and 10 deletions.
14 changes: 10 additions & 4 deletions tests/setup-kryoptic.sh
Expand Up @@ -118,22 +118,26 @@ SERIAL=1
title LINE "Creating new Self Sign CA"
KEYID='0000'
URIKEYID="%00%00"
CACRT="${TMPPDIR}/CAcert"
CACRT="${TMPPDIR}/CAcert.crt"
CACRT_PEM="${TMPPDIR}/CAcert.pem"
CACRTN="caCert"


((SERIAL+=1))
# shellcheck disable=SC2086
pkcs11-tool ${P11DEFARGS} --keypairgen --key-type="RSA:2048" \
--label="${CACRTN}" --id="${KEYID}" 2>&1
"${certtool}" --generate-self-signed --outfile="${CACRT}.crt" \
"${certtool}" --generate-self-signed --outfile="${CACRT}" \
--template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \
--load-privkey "pkcs11:object=$CACRTN;type=private" \
--load-pubkey "pkcs11:object=$CACRTN;type=public" --outder 2>&1
# shellcheck disable=SC2086
pkcs11-tool ${P11DEFARGS} --write-object "${CACRT}.crt" --type=cert \
pkcs11-tool ${P11DEFARGS} --write-object "${CACRT}" --type=cert \
--id=$KEYID --label="$CACRTN" 2>&1

# convert the DER cert to PEM
openssl x509 -inform DER -in "$CACRT" -outform PEM > "$CACRT_PEM"

# the organization identification is not in the CA
echo 'organization = "PKCS11 Provider"' >> "${TMPPDIR}/cert.cfg"
# the cert_signing_key and "ca" should be only on the CA
Expand All @@ -155,7 +159,7 @@ ca_sign() {
--template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \
--load-privkey "pkcs11:object=$LABEL;type=private" \
--load-pubkey "pkcs11:object=$LABEL;type=public" --outder \
--load-ca-certificate "${CACRT}.crt" --inder \
--load-ca-certificate "${CACRT}" --inder \
--load-ca-privkey="pkcs11:object=$CACRTN;type=private" 2>&1
# shellcheck disable=SC2086
pkcs11-tool ${P11DEFARGS} --write-object "${CRT}.crt" --type=cert \
Expand Down Expand Up @@ -405,6 +409,8 @@ export KRYOPTIC_CONF="${TMPPDIR}/tokens/kryoptic.sql"
export TESTSSRCDIR="${TESTSSRCDIR}"
export TESTBLDDIR="${TESTBLDDIR}"
export CACRT="${CACRT_PEM}"
export TOKDIR="${TOKDIR}"
export TMPPDIR="${TMPPDIR}"
export PINVALUE="${PINVALUE}"
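Review bot: The `CACRT` exported in the last hunk no longer names the same file as the script-local `CACRT` assigned in the first hunk: inside the script it is the DER file `CAcert.crt` fed to certtool and pkcs11-tool, while consumers such as the TLS test receive the PEM copy `CAcert.pem`, and nothing in the hunk says why the two differ. A one-line comment on the export, `# consumers hand this to openssl -CAfile, which needs PEM; the DER copy is only used by certtool/pkcs11-tool above`, or renaming the local variable to `CACRT_DER`, would keep the next reader from passing the DER file to a PEM consumer. The export block is collapsed after `export PINVALUE`, so its remaining lines are not visible here.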
14 changes: 10 additions & 4 deletions tests/setup-softhsm.sh
Expand Up @@ -127,18 +127,22 @@ softhsm2-util --init-token --label "token_name" --free --pin $PINVALUE --so-pin
title LINE "Creating new Self Sign CA"
KEYID='0000'
URIKEYID="%00%00"
CACRT="${TMPPDIR}/CAcert"
CACRT="${TMPPDIR}/CAcert.crt"
CACRT_PEM="${TMPPDIR}/CAcert.pem"
CACRTN="caCert"
((SERIAL+=1))
pkcs11-tool --keypairgen --key-type="RSA:2048" --login --pin=$PINVALUE \
--module="$P11LIB" --label="${CACRTN}" --id="$KEYID"
"${certtool}" --generate-self-signed --outfile="${CACRT}.crt" \
"${certtool}" --generate-self-signed --outfile="${CACRT}" \
--template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \
--load-privkey "pkcs11:object=$CACRTN;type=private" \
--load-pubkey "pkcs11:object=$CACRTN;type=public" --outder
pkcs11-tool --write-object "${CACRT}.crt" --type=cert --id=$KEYID \
pkcs11-tool --write-object "${CACRT}" --type=cert --id=$KEYID \
--label="$CACRTN" --module="$P11LIB"

# convert the DER cert to PEM
openssl x509 -inform DER -in "$CACRT" -outform PEM > "$CACRT_PEM"

# the organization identification is not in the CA
echo 'organization = "PKCS11 Provider"' >> "${TMPPDIR}/cert.cfg"
# the cert_signing_key and "ca" should be only on the CA
Expand All @@ -159,7 +163,7 @@ ca_sign() {
--template="${TMPPDIR}/cert.cfg" --provider="$P11LIB" \
--load-privkey "pkcs11:object=$LABEL;type=private" \
--load-pubkey "pkcs11:object=$LABEL;type=public" --outder \
--load-ca-certificate "${CACRT}.crt" --inder \
--load-ca-certificate "${CACRT}" --inder \
--load-ca-privkey="pkcs11:object=$CACRTN;type=private"
pkcs11-tool --write-object "${CRT}.crt" --type=cert --id="$KEYID" \
--label="$LABEL" --module="$P11LIB"
Expand Down Expand Up @@ -403,6 +407,8 @@ export PINVALUE="${PINVALUE}"
export SEEDFILE="${TMPPDIR}/noisefile.bin"
export RAND64FILE="${TMPPDIR}/64krandom.bin"
export CACRT="${CACRT_PEM}"
export BASEURIWITHPINVALUE="${BASEURIWITHPINVALUE}"
export BASEURIWITHPINSOURCE="${BASEURIWITHPINSOURCE}"
export BASEURI="${BASEURI}"
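Review bot: The `openssl x509 ... > "$CACRT_PEM"` line in the first hunk produces the PEM through a shell redirection, so if the conversion fails the redirect still leaves an empty `CAcert.pem` behind, and that path is what the last hunk exports as `CACRT`; whether the script runs under `set -e` is not visible in this hunk. Unless it does, a later `s_client -CAfile` would fail with a verification error far from the real cause. Failing loudly at the point of conversion keeps the setup honest: `openssl x509 -inform DER -in "$CACRT" -outform PEM > "$CACRT_PEM" || exit 1`, or a `[ -s "$CACRT_PEM" ] || exit 1` right after it. The export block continues past the collapsed region after `export BASEURI`.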
9 changes: 8 additions & 1 deletion tests/setup-softokn.sh
Expand Up @@ -42,7 +42,8 @@ certutil -N -d "${TOKDIR}" -f "${PINFILE}"

title LINE "Creating new Self Sign CA"
((SERIAL+=1))
certutil -S -s "CN=Issuer" -n selfCA -x -t "C,C,C" \
CACRTN="selfCA"
certutil -S -s "CN=Issuer" -n "${CACRTN}" -x -t "C,C,C" \
-m "${SERIAL}" -1 -2 -5 --keyUsage certSigning,crlSigning \
--nsCertType sslCA,smimeCA,objectSigningCA \
-f "${PINFILE}" -d "${TOKDIR}" -z "${SEEDFILE}" >/dev/null 2>&1 <<CERTSCRIPT
Expand All @@ -51,6 +52,10 @@ y
n
CERTSCRIPT

CACRT="${TMPPDIR}/CAcert.crt"
title LINE "Read CA cert of of the token"
certutil -L -a -n "${CACRTN}" -d "${TOKDIR}" -o "$CACRT"

# RSA
TSTCRT="${TMPPDIR}/testcert"
TSTCRTN="testCert"
Expand Down Expand Up @@ -181,6 +186,8 @@ export PINVALUE="${PINVALUE}"
export SEEDFILE="${TMPPDIR}/noisefile.bin"
export RAND64FILE="${TMPPDIR}/64krandom.bin"
export CACRT="${CACRT}"
export BASEURIWITHPINVALUE="${BASEURIWITHPINVALUE}"
export BASEURIWITHPINSOURCE="${BASEURIWITHPINSOURCE}"
export BASEURI="${BASEURI}"
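Review bot: The new `title LINE "Read CA cert of of the token"` message has a doubled word; `title LINE "Read CA cert out of the token"` reads correctly. The `certutil -L -a ... -o "$CACRT"` line also deserves a comment because, unlike the kryoptic and softhsm setups, the file named `CAcert.crt` is here the PEM copy (certutil's `-a` selects ASCII output, if I read the flag right) and is what the last hunk exports as `CACRT`: `# -a writes PEM, which is what the TLS test's -CAfile expects`. Like the `certutil -S` before it, this command's failure is not checked, and whether `set -e` covers it is not visible here. The export block is collapsed after `export BASEURI`.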
2 changes: 1 addition & 1 deletion tests/ttls
Expand Up @@ -53,7 +53,7 @@ run_test() {

read -r < "${TMPPDIR}/s_server_ready"

expect -c "spawn $CHECKER openssl s_client -connect \"localhost:${PORT}\" $CLNT_ARGS;
expect -c "spawn $CHECKER openssl s_client -connect \"localhost:${PORT}\" -CAfile \"${CACRT}\" $CLNT_ARGS;
set timeout 60;
expect {
\" TLS SUCCESSFUL \" {};
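Review bot: Passing `-CAfile` alone does not make the test check the CA certificate: `openssl s_client` completes the handshake even when chain verification fails and only reports it as a non-zero `Verify return code`, so a wrong or stale `CAcert.pem` would still reach ` TLS SUCCESSFUL ` unless the rest of the expect script (it continues past the hunk) or `$CLNT_ARGS` inspects that code. Adding `-verify_return_error` makes a verification failure abort the connection and therefore fail the test: `expect -c "spawn $CHECKER openssl s_client -connect \"localhost:${PORT}\" -CAfile \"${CACRT}\" -verify_return_error $CLNT_ARGS;`. `run_test` starts before the hunk and the expect block runs past it.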
