
We need to run the softhsm/pkcs11 test case as root (sudo) under OS X so that we can write the file /etc/gnutls/pkcs11.conf. However, once the tests run as root we can no longer run the 'brew ls' command, since Homebrew refuses to run with elevated privileges. So, when running as root we use sudo to switch to the 'nobody' user for the 'brew ls' command that gives us the path of the softhsm pkcs11 module. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
#!/usr/bin/env bash
# For the license, see the LICENSE file in the root directory.
# This script requires softhsm2 >= 2.3.0; it does not work with softhsm2 2.0.0.
# Skip (automake status 77) rather than fail when the tools this script
# drives are not installed: p11tool comes with gnutls, softhsm2-util with
# the softhsm2 package. 'type -P' only looks at PATH, not at functions or
# aliases, which is what we want for external binaries.
if ! type -P p11tool >/dev/null 2>&1; then
	echo "Need p11tool from gnutls"
	exit 77
fi

if ! type -P softhsm2-util >/dev/null 2>&1; then
	echo "Need softhsm2-util from softhsm2 package"
	exit 77
fi
# Throwaway test key: a PKCS#8 PEM private key that setup_softhsm imports
# into the test token (softhsm2-util --import, object label "mykey", id 01).
# It is committed on purpose and therefore public; never reuse it for
# anything other than this test. The leading newline is harmless to the
# PEM parser. NOTE(review): the header's OID bytes (BgkqhkiG9w0BAQEF) look
# like rsaEncryption, so presumably an RSA key — confirm if it matters.
MYKEY="
-----BEGIN PRIVATE KEY-----
MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQDGjc47VG+btr7L
2JSAV48n+ciZBYehMqUXhfouMm+b1GIV8WLgv3ndiAqO1tYzvS8fH0EtCbVQIJdN
1bhqYFPnKoVdVPqdcU0Z7cQbx5bj6lL8IHujM5e1oQsg6SG0uIJ8pbIauYBC+FiD
HBkvcBmVTi3K3AZtSU0XjBn6WY+pTfnSNS/3OpSZZykaNaW01u11CA4GR771R5Ls
rDWpULavYTqR7+E4tOqcko9mtfg/7jIamfCKda7MAa9Xy2IE/S+y+JGtwccFYeY4
i/n4XFJMGVLf0Q3IWMa4ieMJa3yWafs/m13LomENby8+/lKrXFMv2gJ1u28F0TpR
Rc9/j0M5rYRBVe/7rmQNJrPZn1A7iK/JMTxF3BAQ3OIbdshyeSdfYmKF7zfT3cEW
3ryvhkVCD9JRrXibQ75EsFDVGRGCGYHDrUFvtkgecuQPBLNOGxaMuUMROTOiUmDp
DtynkggCCNxL7KupIO5DtsmieqQ+bsIk4pjNPKfwgkd3njcNIgMCAwEAAQKCAYAM
aNB65MwU71b9ZovheZd46COhbLcNXBz1W2pHeN+A3cVDmdKUOWNkdRwz0TmSAkDv
sQRhzDmIyICsXK8p9ttHl2C+dJE1Rd+Lv1CCa/cCR6LoHx+bE55nu6j2ZZu1r9J3
9+MpyG47wUnG5/qq/Fac/kXeZ+H+8pXe4uK8wtw3uKfke26EBSVEcS4gdTnmE4jD
x70Yp2NH8TE9mYXBD0pbq7f9ZwCsiqIfJwnPYZAibsCy6OwfuzsxhOlwk0WNCkXU
mmPUuA1d6xbqKIfcFZRz4VymRcyGRtKMxrpEjO8XUbaZC2SReEDXBPiMZ54mnLwr
wzGC03fsGiPeMkLfqDSJP+Sjro4B/SnsMkNyV9sf2l4jHkseeZiITlU1r+bYCN9q
R+Lp5p4NM1wb2HR3+qp6WQNKUad1IoOh0CMPBMw6FginvMsUkJv/Fr7WBJLNN90a
jIhmriOy683Mj9JYP48k1KhtoYiPcjTmiiE4l4+N2kjB5DzjJSWLuRxKhi66gAEC
gcEA9/1+gujpN0UKUG84nIEZFq4rYkZ21tLRtsrlr33qxBJXNcKvW8EJvXPOsYm/
1U1u6qgg4xCWvFPyKirF2a/jtqNAzisDTixW++rf4SU175PhMbYvPsWfyPVRXfbQ
bDBhcpHA5JkLIq73taIhd/hj3hIxLfObpyHvb1d+W2ubzd8vIW/Jagj+SwYwvqbB
4SmHqIznHbxiZB4CEQB2p7xXosdteBq6piXqN0e6RXLxYOeQV/meC5tqWCMC55bq
t1J3AoHBAMz3jDkavG6VjpQloRIEMJ4OHwNjajBQZ8gqjKV6V45KxV241KIUMlue
Z3dx6fJgt708DTJbLFBcSKG4+IcuHGvDZTn30aTPTnt42a7FQtCc7r+0KTrLACl5
uH0uL4dNTrpbzoS9rXQYNG3zljCbuhPFxu5qwIeCQpAchIcvwcYWJsXmSu/yQNhA
1IQnZFBG6b2SLMAUKy08U1I0d363OhkEmq8yjfNOvoB+kzF7MIbpyAoZDkuAsop0
xFXfuErj1QKBwHa+rhZXGlz5tR+gshXWh0Hh8iojnYHt/rctXl/yxjhOo+29JCSm
QVizHDTMxcuIQWUhTmYLqnHRLHLeelBrNXldoIlX9UQ4XQpRhBQVskbeo4UfPG4t
SP574RNCPLihTfgDLL8JPVjFOR2C3c3JZWCPi3b6X/zedfz1gy6ZT0h75uB225Xn
aoRYGX0g8lMzhJ7DoWMOsnpIGCs18psMx1XNcnCBNACcxRLlSJ86k7QYDXjisLfU
Gk7LrPdhv1A6rwKBwQC1osXbsQq9QMG6HWKQka/30PHA0e+/YvGlW7eJyVIf4bjn
ZizgeN9re4ObQRKd3QHWq4nSTyOFD1K6Ji3vtXgwM1bYOPnKgH+/QYg+rcaZEgkt
T12eIVlCaACKxkwOLf8PfN4VmfVFRVHpAgzdhJMwhHrWuzlknJWaGfuDxVmFzgmM
JJnR6y91tHXfqvzlewIWIZyQlw7wJl58IcynOX49v2vIyBctP2HogsKz/cQyOqgv
8qZNWH5f3jxDEV/C1gUCgcEA7m9imZn3RIM5J3mqz2JKdbpobh7N9ulCGIOkGDHo
1oumVO+D1eSObUDE684keyiSyERlnpQuGZjkbF5585cF+gEXWsxxOHKKZC3CiRFK
fCgMJtm7S4E5V2B+fTnCFwMK4IBFrTagpVVe9/bTABvaqu3TDlAslGyXBS8ilmz6
1eRfFRe1aXiqpfm8pB0mH5sALS0EjHu87saAyf2vq7BEZA0NJO/QVhZZI/0tFR8B
ifNpEJG5p2K2AKnYFw6Dt49S
-----END PRIVATE KEY-----"
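# Label of the SoftHSM token the tests create and look up.
NAME=swtpm-test
# User and security-officer PINs for that token. These are throwaway test
# fixture values; override them via the environment if needed. Note that
# softhsm2-util only accepts them on the command line, so they are visible
# in the process list while the token is initialized and the key imported.
PIN=${PIN:-1234}
SO_PIN=${SO_PIN:-1234}

UNAME_S="$(uname -s)"

# On macOS the gnutls module list lives in the root-owned
# /etc/gnutls/pkcs11.conf, so setup and teardown need sudo. Check up front
# that sudo works without prompting (-n) instead of failing half-way
# through setup with the system config already moved aside. sudo's own
# diagnostic stays on stderr; the previous `msg=$(sudo -v -n)` captured an
# empty stdout into a variable nothing read.
case "${UNAME_S}" in
Darwin)
	if ! sudo -n -v; then
		echo "Need password-less sudo rights on OS X to change /etc/gnutls/pkcs11.conf"
		exit 1
	fi
	;;
esac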
#######################################
# Undo setup_softhsm: on macOS put the system gnutls module config back
# (only if setup left a .bak), then restore or drop the user's
# softhsm2.conf and wipe the test token store.
# Globals:   UNAME_S (read)
# Outputs:   nothing on stdout; mv/sudo errors may appear on stderr
# Returns:   always 0
#######################################
teardown_softhsm() {
	local cfgdir=~/.config/softhsm2
	local cfg="${cfgdir}/softhsm2.conf"
	local cfgbak="${cfg}.bak"
	local tokens="${cfgdir}/tokens"

	# Without a .bak we cannot tell whether /etc/gnutls/pkcs11.conf is ours
	# or the user's, so it is left untouched in that case.
	if [[ "${UNAME_S}" == Darwin* && -f /etc/gnutls/pkcs11.conf.bak ]]; then
		sudo rm -f /etc/gnutls/pkcs11.conf
		sudo mv /etc/gnutls/pkcs11.conf.bak \
		        /etc/gnutls/pkcs11.conf &>/dev/null
	fi

	# Prefer restoring the user's original config over merely deleting ours.
	if [[ -f "$cfgbak" ]]; then
		mv "$cfgbak" "$cfg"
	else
		rm -f "$cfg"
	fi

	# The token directory is a fixed path below the user's config dir.
	[[ -d "$tokens" ]] && rm -rf "${tokens}"
	return 0
}
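# Put the macOS system gnutls config back if setup_softhsm moved it aside
# (used on the early-failure paths before teardown_softhsm can take over).
_restore_gnutls_pkcs11_conf() {
	if [ -f /etc/gnutls/pkcs11.conf.bak ]; then
		sudo rm -f /etc/gnutls/pkcs11.conf
		sudo mv /etc/gnutls/pkcs11.conf.bak \
		        /etc/gnutls/pkcs11.conf &>/dev/null
	fi
}

#######################################
# Create the softhsm test configuration for the current user: a
# softhsm2.conf pointing at a private token directory, a token labelled
# $NAME (initialized with $PIN/$SO_PIN) and the MYKEY key imported into it.
# On macOS the gnutls module list /etc/gnutls/pkcs11.conf is replaced (via
# sudo) by one loading the Homebrew softhsm module; the original is kept as
# pkcs11.conf.bak for teardown_softhsm. If the system had no pkcs11.conf
# there is no .bak, and teardown leaves the file written here in place.
# Globals:   UNAME_S, NAME, PIN, SO_PIN, MYKEY (read); SONAME (written)
# Outputs:   diagnostics, then "keyuri: <url>" (from getkeyuri_softhsm)
# Returns:   0 on success, 1 on failure; once the user's config has been
#            replaced every failure path tears the setup down again
#######################################
setup_softhsm() {
	local msg tokenuri slot rc
	local configdir=~/.config/softhsm2
	local configfile=${configdir}/softhsm2.conf
	local bakconfigfile=${configfile}.bak
	local tokendir=${configdir}/tokens

	# Refuse to overwrite a backup of the user's real softhsm2.conf: a stale
	# one means a previous run was not torn down (same rule as for
	# /etc/gnutls below). Checked first so nothing has been touched yet.
	if [ -f "$bakconfigfile" ]; then
		echo "$bakconfigfile already exists; need to 'teardown' first"
		return 1
	fi

	case "${UNAME_S}" in
	Darwin*)
		if [ -f /etc/gnutls/pkcs11.conf.bak ]; then
			echo "/etc/gnutls/pkcs11.conf.bak already exists; need to 'teardown' first"
			return 1
		fi
		# Keep the system config for teardown; it may legitimately not exist.
		sudo mv /etc/gnutls/pkcs11.conf \
		        /etc/gnutls/pkcs11.conf.bak &>/dev/null

		# Homebrew refuses to run as root, so when the test suite itself runs
		# under sudo ask 'brew ls' as the unprivileged 'nobody' user instead.
		# Only the first matching .so is used: the value ends up in a
		# root-owned config file, so it must be a single path.
		if [ "$(id -u)" -eq 0 ]; then
			SONAME="$(sudo -u nobody brew ls --verbose softhsm | \
			          grep -E "\.so$" | head -n1)"
		else
			SONAME="$(brew ls --verbose softhsm | \
			          grep -E "\.so$" | head -n1)"
		fi
		if [ -z "${SONAME}" ]; then
			echo "Could not find the softhsm pkcs11 module via 'brew ls'"
			_restore_gnutls_pkcs11_conf
			return 1
		fi

		sudo mkdir -p /etc/gnutls &>/dev/null
		# Write the file through tee instead of interpolating the brew output
		# into a 'sudo bash -c "..."' string: the module path is data and must
		# never be parsed as shell code by a root shell (the old quoting also
		# left ${SONAME} unquoted inside that string).
		if ! printf 'load=%s\n' "${SONAME}" | \
		     sudo tee /etc/gnutls/pkcs11.conf >/dev/null; then
			echo "Could not write /etc/gnutls/pkcs11.conf"
			_restore_gnutls_pkcs11_conf
			return 1
		fi
		;;
	esac

	# mkdir -p on the token dir creates the config dir as well.
	if ! mkdir -p "${tokendir}"; then
		echo "Could not create ${tokendir}"
		_restore_gnutls_pkcs11_conf
		return 1
	fi

	if [ -f "$configfile" ]; then
		mv "$configfile" "$bakconfigfile"
	fi

	cat <<_EOF_ > "$configfile"
directories.tokendir = ${tokendir}
objectstore.backend = file
log.level = DEBUG
slots.removable = false
_EOF_

	# Look for an existing token with our label. p11tool prints a
	# "URL: pkcs11:...;token=<label>;..." line per token; an empty result
	# means we must initialize one. (The old '$? -ne 0' after a pipeline
	# ending in tail could never fire; check p11tool's own status instead.)
	msg=$(p11tool --list-tokens 2>&1)
	rc=$?
	if [ $rc -ne 0 ]; then
		echo "Could not list existing tokens"
		echo "$msg"
	fi
	tokenuri=$(printf '%s\n' "$msg" | grep "token=${NAME}" | tail -n1 | \
	           sed -n 's/.*URL: \([[:print:]]\{1,\}\)/\1/p')

	if [ -z "$tokenuri" ]; then
		msg=$(softhsm2-util \
			--init-token --pin "${PIN}" --so-pin "${SO_PIN}" \
			--free --label "${NAME}" 2>&1)
		if [ $? -ne 0 ]; then
			echo "Could not initialize token"
			echo "$msg"
			teardown_softhsm
			return 1
		fi

		# softhsm2-util moves a freshly initialized token to a new slot and
		# reports "... reassigned to slot N"; that is the slot to import into.
		slot=$(printf '%s\n' "$msg" | \
		       sed -n 's/.* reassigned to slot \([0-9]*\)$/\1/p')
		if [ -z "$slot" ]; then
			echo "Could not parse slot number from output."
			echo "$msg"
			teardown_softhsm
			return 1
		fi

		# The PEM key is fed through a process substitution so it never
		# touches the filesystem; the PIN, however, is on the command line.
		msg=$(softhsm2-util \
			--slot "$slot" --label mykey --id 01 \
			--import <(printf '%s\n' "${MYKEY}") --pin "${PIN}" 2>&1)
		if [ $? -ne 0 ]; then
			echo "Could not import key"
			echo "$msg"
			teardown_softhsm
			return 1
		fi
	fi

	getkeyuri_softhsm
	rc=$?

	if [ $rc -ne 0 ]; then
		teardown_softhsm
	fi

	return $rc
}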
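#######################################
# Print the PKCS#11 URL of the object(s) on the $NAME token.
# Globals:   NAME (read)
# Outputs:   "keyuri: <url>" on stdout on success; on failure a diagnostic
#            followed by p11tool's output, also on stdout
# Returns:   0 when at least one object URL was found, 1 otherwise
#######################################
getkeyuri_softhsm() {
	local msg tokenuri keyuri

	# p11tool prints one "URL: pkcs11:...;token=<label>;..." line per token;
	# grep's status (last in the pipeline) tells us whether ours is listed.
	msg=$(p11tool --list-tokens 2>&1 | grep "token=${NAME}")
	if [ $? -ne 0 ]; then
		echo "Could not list existing tokens"
		echo "$msg"
		return 1
	fi
	# Everything after "URL: " is the URL. The old pattern '[[:print:]*]'
	# was a one-character bracket expression that only worked because sed
	# left the unmatched rest of the line in place; take the last match so a
	# longer label containing ours ("token=${NAME}x") cannot yield two URLs,
	# matching what setup_softhsm does.
	tokenuri=$(printf '%s\n' "$msg" | \
	           sed -n 's/.*URL: \([[:print:]]\{1,\}\)/\1/p' | tail -n1)
	if [ -z "$tokenuri" ]; then
		echo "Could not get token URL"
		echo "$msg"
		return 1
	fi

	# The URL holds ';' separators and percent-escapes; pass it as a single
	# argument rather than letting the shell split it.
	msg=$(p11tool --list-all "${tokenuri}" 2>&1)
	if [ $? -ne 0 ]; then
		echo "Could not list object under token $tokenuri"
		echo "$msg"
		return 1
	fi

	# One URL line per object: with several objects keyuri spans several
	# lines, and the caller receives them all.
	keyuri=$(printf '%s\n' "$msg" | \
	         sed -n 's/.*URL: \([[:print:]]\{1,\}\)/\1/p')
	if [ -z "$keyuri" ]; then
		echo "Could not get key URL"
		echo "$msg"
		return 1
	fi
	echo "keyuri: $keyuri"
	return 0
}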
# Print the command summary for this script on stdout. $0 is the script
# name; the positional argument callers pass is ignored.
usage() {
	printf '%s\n' \
		"Usage: $0 [command]" \
		"" \
		"Supported commands are:" \
		"" \
		"setup     : Setup the user's account for softhsm and create a" \
		"            token and key with a test configuration" \
		"" \
		"getkeyuri : Get the key's URL; must be called after setup" \
		"" \
		"teardown  : Remove the temporary softhsm test configuration" \
		""
}
#######################################
# Dispatch on the single command argument.
# Arguments: $1 - one of setup, getkeyuri, teardown
# Outputs:   the usage text plus a message for a missing/unknown command
# Returns:   the command's status; 1 for a missing or unknown command
#######################################
main() {
	if (( $# < 1 )); then
		usage "$0"
		echo -e "Missing command.\n\n"
		return 1
	fi

	# The status of the selected command is the status of the case, and
	# therefore of main.
	case "$1" in
	setup)     setup_softhsm ;;
	getkeyuri) getkeyuri_softhsm ;;
	teardown)  teardown_softhsm ;;
	*)
		echo -e "Unsupported command: $1\n\n"
		usage "$0"
		return 1
		;;
	esac
}
# Run the dispatcher and exit with its status (exit without an argument
# uses the status of the last command).
main "$@"
exit