From 78182875168da04fabd1842ccd065b381fe07af6 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Mon, 9 Dec 2024 14:12:20 +0100 Subject: [PATCH 1/2] Test kryoptic with NSS DB The NSSDB backend is now super-slow so I am bumping the timeout to 60s/test. The kryoptic build is also adjusted to include this non-default feature. Signed-off-by: Jakub Jelen --- .github/workflows/kryoptic.yml | 4 +-- tests/kryoptic-init.sh | 6 ++--- tests/kryoptic.nss-init.sh | 27 +++++++++++++++++++ tests/meson.build | 47 +++++++++++++++++----------------- tests/setup.sh | 2 ++ 5 files changed, 58 insertions(+), 28 deletions(-) create mode 100644 tests/kryoptic.nss-init.sh diff --git a/.github/workflows/kryoptic.yml b/.github/workflows/kryoptic.yml index 664047ac..02ad84f8 100644 --- a/.github/workflows/kryoptic.yml +++ b/.github/workflows/kryoptic.yml @@ -75,8 +75,8 @@ jobs: - name: Build Kryoptic run: | cd kryoptic - cargo build --features standard - cargo test --features standard | tee testout.log 2>&1 + cargo build --features standard,nssdb + cargo test --features standard,nssdb | tee testout.log 2>&1 grep -q "0 failed" testout.log - name: Setup diff --git a/tests/kryoptic-init.sh b/tests/kryoptic-init.sh index 346ecd0f..705ba8a7 100755 --- a/tests/kryoptic-init.sh +++ b/tests/kryoptic-init.sh @@ -27,10 +27,10 @@ find_kryoptic \ title LINE "Creating Kyroptic database" # Kryoptic configuration -export KRYOPTIC_CONF="$TOKDIR/kryoptic.sql" +export KRYOPTIC_CONF="${KRYOPTIC_CONF:-$TOKDIR/kryoptic.sql}" -export TOKENLABEL="Kryoptic Token" -export TOKENLABELURI="Kryoptic%20Token" +export TOKENLABEL="${TOKENLABEL:-Kryoptic Token}" +export TOKENLABELURI="${TOKENLABELURI:-Kryoptic%20Token}" # init token pkcs11-tool --module "${P11LIB}" --init-token \ diff --git a/tests/kryoptic.nss-init.sh b/tests/kryoptic.nss-init.sh new file mode 100644 index 00000000..14c00320 --- /dev/null +++ b/tests/kryoptic.nss-init.sh 
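Review bot: On the changed `cargo test --features standard,nssdb | tee testout.log 2>&1` line the `2>&1` applies to `tee`, not to cargo, and the step's verdict still rests on `grep -q "0 failed"`, which also matches `10 failed` and succeeds as soon as any one test binary prints a clean summary. Unless the workflow enables pipefail somewhere outside this hunk, cargo's own exit status is discarded by the pipe, so a failing NSS DB test can go unnoticed. Let the pipeline carry the status instead: `set -o pipefail` at the top of the `run:` block and `cargo test --features standard,nssdb 2>&1 | tee testout.log`. The grep then becomes redundant.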
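Review bot: With `${KRYOPTIC_CONF:-$TOKDIR/kryoptic.sql}` the plain `kryoptic` suite now also honours a `KRYOPTIC_CONF`, `TOKENLABEL` or `TOKENLABELURI` that happens to be set in the caller's environment. The `pkcs11-tool --init-token` call just below would then initialise whatever token that configuration points to instead of the one under `$TOKDIR`. Unless the test environment is scrubbed somewhere outside this hunk, clear the three variables in the `kryoptic` branch of setup.sh with `unset KRYOPTIC_CONF TOKENLABEL TOKENLABELURI`, or have the NSS wrapper pass its values under names that cannot collide with a user's own settings. A comment above these exports such as `# may be preset by kryoptic.nss-init.sh` would also make the intent visible.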
@@ -0,0 +1,27 @@
+#!/bin/bash -ex
+# Copyright (C) 2024 Jakub Jelen
+# SPDX-License-Identifier: Apache-2.0
+#
+
+export KRYOPTIC_CONF="${TMPPDIR}/kryoptic.conf"
+cat >"${KRYOPTIC_CONF}" <<_EOF
+[[slots]]
+slot = 42
+dbtype = "nssdb"
+dbargs = "configDir='${TOKDIR}' flags='passwordRequired'"
+description = "Kryoptic Soft Token"
+_EOF
+# flags='passwordRequired' is needed for p11tool to do login before the
+# search for private objects, otherwise the set up fails.
+
+# this overrides what we define in the generic init
+# the NSS DB can not store custom labels
+export TOKENLABEL="Kryoptic Soft Token"
+export TOKENLABELURI="Kryoptic%20Soft%20Token"
+
+# the rest is the same
+source "${TESTSSRCDIR}/kryoptic-init.sh"
+
+export TOKENCONFIGVARS="export KRYOPTIC_CONF=${TMPPDIR}/kryoptic.conf"
+export TOKENOPTIONS="pkcs11-module-quirks = no-allowed-mechanisms"
+export TESTPORT="36000"
diff --git a/tests/meson.build b/tests/meson.build
index 3c640638..abbdaa62 100644
--- a/tests/meson.build
+++ b/tests/meson.build
@@ -31,7 +31,7 @@ if nss_softokn.found() endif setup_script=find_program('setup.sh') -foreach suite : ['softokn', 'softhsm', 'kryoptic'] +foreach suite : ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss'] test( 'setup', setup_script, 
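Review bot: The `-ex` on the `#!/bin/bash -ex` line of tests/kryoptic.nss-init.sh never takes effect, because the file is created with mode 100644 and the setup.sh hunk `source`s it. Error handling and tracing are therefore whatever the sourcing shell has set. `TMPPDIR`, `TOKDIR` and `TESTSSRCDIR` are expanded without a guard, and an empty `TMPPDIR` would make `cat >"${KRYOPTIC_CONF}"` write to `/kryoptic.conf`; a first line such as `: "${TMPPDIR:?}" "${TOKDIR:?}" "${TESTSSRCDIR:?}"` would stop early instead. The path inside `TOKENCONFIGVARS` is also unquoted, so a build directory containing spaces would presumably break wherever that string is later evaluated; `export TOKENCONFIGVARS="export KRYOPTIC_CONF=\"${KRYOPTIC_CONF}\""` avoids that.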
@@ -118,29 +118,29 @@ foreach t, sources : test_programs endforeach tests = { - 'basic': {'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'pubkey': {'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'certs': {'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'ecc': {'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'edwards': {'suites': ['softhsm', 'kryoptic']}, - 'ecdh': {'suites': ['softokn', 'kryoptic']}, - 'democa': {'suites': ['softokn', 'softhsm', 'kryoptic'], 'is_parallel': false}, - 'digest': {'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'fork': {'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'oaepsha2': {'suites': ['softokn', 'kryoptic']}, - 'hkdf': {'suites': ['softokn', 'kryoptic']}, - 'imported' : {'suites': ['softokn', 'kryoptic']}, - 'rsapss': {'suites': ['softokn', 'softhsm', 'kryoptic']}, + 'basic': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'pubkey': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'certs': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'ecc': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'edwards': {'suites': ['softhsm', 'kryoptic', 'kryoptic.nss']}, + 'ecdh': {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']}, + 'democa': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss'], 'is_parallel': false}, + 'digest': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'fork': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'oaepsha2': {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']}, + 'hkdf': {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']}, + 'imported' : {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']}, + 'rsapss': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, 'rsapssam': {'suites': ['softhsm']}, - 'genkey': {'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'session': {'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'rand': {'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'readkeys': 
{'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'tls': {'suites': ['softokn', 'softhsm', 'kryoptic'], 'is_parallel': false}, - 'tlsfuzzer': {'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'uri': {'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'ecxc': {'suites': ['softhsm', 'kryoptic']}, - 'cms': {'suites': ['softokn', 'kryoptic']}, + 'genkey': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'session': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'rand': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'readkeys': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'tls': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss'], 'is_parallel': false}, + 'tlsfuzzer': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'uri': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'ecxc': {'suites': ['softhsm', 'kryoptic', 'kryoptic.nss']}, + 'cms': {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']}, 'pinlock': {'suites': ['kryoptic']}, } @@ -157,6 +157,7 @@ foreach t, extra_args : tests env: test_env, depends: test_executables, is_parallel: false, + timeout: 60, ) endforeach endforeach diff --git a/tests/setup.sh b/tests/setup.sh index 900cc202..9cbd9292 100755 --- a/tests/setup.sh +++ b/tests/setup.sh @@ -31,6 +31,8 @@ elif [ "${TOKENTYPE}" == "softokn" ]; then source "${TESTSSRCDIR}/softokn-init.sh" elif [ "${TOKENTYPE}" == "kryoptic" ]; then source "${TESTSSRCDIR}/kryoptic-init.sh" +elif [ "${TOKENTYPE}" == "kryoptic.nss" ]; then + source "${TESTSSRCDIR}/kryoptic.nss-init.sh" else echo "Unknown token type: $1" exit 1 From edfa16e62dc0a31d49eca5f0e88933a3b77d0cbe Mon Sep 17 00:00:00 2001 
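Review bot: `pinlock` is the one kryoptic test left at `['kryoptic']`, so PIN lockout behaviour is not exercised with the NSS DB backend, and nothing in the table says whether that is deliberate. If the backend cannot support the test, a comment on that entry such as `# not run for kryoptic.nss: <reason>` would record it. Otherwise the new suite should be listed there as well.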
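Review bot: `timeout: 60` is added to the shared `test()` call, so it doubles Meson's default 30-second limit for every suite, although the commit message gives the slow NSS DB backend as the only reason. A hang in softokn, softhsm or plain kryoptic will now take twice as long to be reported. Choosing the value per suite with a conditional on the suite name would keep the other suites at the default; failing that, a comment such as `# 60s: the kryoptic.nss backend is slow` would at least record the reason. The loop headers are outside the hunk, so the name of the suite variable is not visible here.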
From: Jakub Jelen Date: Tue, 17 Dec 2024 11:08:41 +0100 Subject: [PATCH 2/2] tests: Fix random failure when base64 string starts with URI At random times, the uri test was failing with some error like this: ``` openssl storeutl -text "$uri" Couldn't open file or uri URI7xnNajqYJnkZTktp42UM2yp38/G8hCR7QWsnuREHRXLaVoqVJouteOg== 40A7BAF0F27F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file 40A7BAF0F27F0000:error:80000002:system library:file_open:No such file or directory:../providers/implementations/storemgmt/file_store.c:267:calling stat(URI7xnNajqYJnkZTktp42UM2yp38/G8hCR7QWsnuREHRXLaVoqVJouteOg==) ``` Signed-off-by: Jakub Jelen --- tests/turi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/turi b/tests/turi index f9224e57..872dc412 100755 --- a/tests/turi +++ b/tests/turi @@ -14,7 +14,7 @@ if [ $FAIL -ne 0 ]; then exit 1 fi -URISonly=$(echo "$helper_output" | grep "^URI") +URISonly=$(echo "$helper_output" | grep "^URI pkcs11:") # poor mans mapfile for bash 3 on macos declare -a URIS while read -r var; do
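Review bot: The reason for the narrower pattern in `grep "^URI pkcs11:"` is recorded only in the commit message, which invites a later simplification back to `^URI`. A comment above the line would keep the rationale next to the code, for example `# match "URI pkcs11:", not just "URI": a base64 line in the helper output can also start with URI`. The `while read` loop that consumes `URISonly` continues outside the hunk.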