Test kryoptic with NSS DB #487

Merged Dec 17, 2024 (2 commits)
4 changes: 2 additions & 2 deletions .github/workflows/kryoptic.yml
@@ -75,8 +75,8 @@ jobs:
- name: Build Kryoptic
run: |
cd kryoptic
cargo build --features standard
cargo test --features standard | tee testout.log 2>&1
cargo build --features standard,nssdb
cargo test --features standard,nssdb | tee testout.log 2>&1
grep -q "0 failed" testout.log

- name: Setup
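Review bot: the pass/fail check `grep -q "0 failed" testout.log` in the context lines is too weak to guard the new `nssdb` feature: `cargo test` prints one `test result:` line per test binary (unit tests, integration tests, doctests), so a single binary reporting `0 failed` satisfies the grep even when another binary failed. In addition, `2>&1` placed after `tee testout.log` redirects tee's stderr, not cargo's, so compile errors and panics never reach the log, and the pipeline's exit status is tee's unless `pipefail` is on. Suggest `cargo test --features standard,nssdb 2>&1 | tee testout.log` followed by `! grep -E "^test result:.* [1-9][0-9]* failed" testout.log`, or `set -o pipefail` at the top of the step so cargo's own non-zero status fails the job.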
6 changes: 3 additions & 3 deletions tests/kryoptic-init.sh
@@ -27,10 +27,10 @@ find_kryoptic \
title LINE "Creating Kyroptic database"

# Kryoptic configuration
export KRYOPTIC_CONF="$TOKDIR/kryoptic.sql"
export KRYOPTIC_CONF="${KRYOPTIC_CONF:-$TOKDIR/kryoptic.sql}"

export TOKENLABEL="Kryoptic Token"
export TOKENLABELURI="Kryoptic%20Token"
export TOKENLABEL="${TOKENLABEL:-Kryoptic Token}"
export TOKENLABELURI="${TOKENLABELURI:-Kryoptic%20Token}"

# init token
pkcs11-tool --module "${P11LIB}" --init-token \
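Review bot: `TOKENLABEL` and `TOKENLABELURI` become independently overridable, but the second must be the percent-encoded form of the first; a caller that sets only `TOKENLABEL` silently ends up with a PKCS#11 URI that still points at the default token. Either derive the URI from the label in one place (e.g. `export TOKENLABELURI="${TOKENLABELURI:-${TOKENLABEL// /%20}}"`, adequate while spaces are the only characters in labels that need encoding) or state in the comment that the two must be overridden together. The context line `title LINE "Creating Kyroptic database"` also carries a typo (Kyroptic) that could be fixed while this block is being touched.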
27 changes: 27 additions & 0 deletions tests/kryoptic.nss-init.sh
@@ -0,0 +1,27 @@
#!/bin/bash -ex
# Copyright (C) 2024 Jakub Jelen <jjelen@redhat.com>
# SPDX-License-Identifier: Apache-2.0
#

export KRYOPTIC_CONF="${TMPPDIR}/kryoptic.conf"
cat >"${KRYOPTIC_CONF}" <<_EOF
[[slots]]
slot = 42
dbtype = "nssdb"
dbargs = "configDir='${TOKDIR}' flags='passwordRequired'"
description = "Kryoptic Soft Token"
_EOF
# flags='passwordRequired' is needed for p11tool to do login before the
# search for private objects, otherwise the set up fails.

# this overrides what we define in the generic init
# the NSS DB can not store custom labels
export TOKENLABEL="Kryoptic Soft Token"
Member:

You can pass in some of these labels via configuration, like you did for the passwordRequired flags.

Contributor Author:

I wanted to make sure that we will really work with the NSS DB, so using a different one than the SQL DB. I am not sure if these particular knobs are used, but I can double-check.

Member:

Tokenlabel is needed by opensc pkcs11-tool to be able to find the right slot/token for some of the operations.
I also do not think they should be identical to the std kryoptic run; I would see it specific, like "Kryoptic NSSDB Token".

Contributor Author:

My intention was to keep most of the options at their defaults.

The flags='passwordRequired' is needed for gnutls p11tool to attempt to login when searching for private keys. Without that, it skips the login and fails. It might make sense to describe this in the comment in the script rather than here, though.

export TOKENLABELURI="Kryoptic%20Soft%20Token"

# the rest is the same
source "${TESTSSRCDIR}/kryoptic-init.sh"

export TOKENCONFIGVARS="export KRYOPTIC_CONF=${TMPPDIR}/kryoptic.conf"
export TOKENOPTIONS="pkcs11-module-quirks = no-allowed-mechanisms"
export TESTPORT="36000"
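Review bot: the heredoc interpolates `${TMPPDIR}` and `${TOKDIR}` into the TOML config and the `dbargs` string without checking that they are set; the script runs with `bash -ex` but not `-u`, so an unset variable produces `configDir=''` and a config file at `/kryoptic.conf`, and the failure only surfaces later inside pkcs11-tool with a confusing message. Suggest `: "${TMPPDIR:?}" "${TOKDIR:?}"` before the `cat` so the script fails at the source of the problem. Two smaller points: the comment explaining `flags='passwordRequired'` sits after `_EOF`, where it reads as a comment on the next block, and belongs next to the `dbargs` line it describes; and the fixed `TESTPORT="36000"` should be confirmed distinct from the port used by the plain kryoptic suite, since meson runs the suites' setup tests side by side.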
47 changes: 24 additions & 23 deletions tests/meson.build
@@ -31,7 +31,7 @@ if nss_softokn.found()
endif

setup_script=find_program('setup.sh')
foreach suite : ['softokn', 'softhsm', 'kryoptic']
foreach suite : ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']
test(
'setup',
setup_script,
@@ -118,29 +118,29 @@ foreach t, sources : test_programs
endforeach

tests = {
'basic': {'suites': ['softokn', 'softhsm', 'kryoptic']},
'pubkey': {'suites': ['softokn', 'softhsm', 'kryoptic']},
'certs': {'suites': ['softokn', 'softhsm', 'kryoptic']},
'ecc': {'suites': ['softokn', 'softhsm', 'kryoptic']},
'edwards': {'suites': ['softhsm', 'kryoptic']},
'ecdh': {'suites': ['softokn', 'kryoptic']},
'democa': {'suites': ['softokn', 'softhsm', 'kryoptic'], 'is_parallel': false},
'digest': {'suites': ['softokn', 'softhsm', 'kryoptic']},
'fork': {'suites': ['softokn', 'softhsm', 'kryoptic']},
'oaepsha2': {'suites': ['softokn', 'kryoptic']},
'hkdf': {'suites': ['softokn', 'kryoptic']},
'imported' : {'suites': ['softokn', 'kryoptic']},
'rsapss': {'suites': ['softokn', 'softhsm', 'kryoptic']},
'basic': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']},
'pubkey': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']},
'certs': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']},
'ecc': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']},
'edwards': {'suites': ['softhsm', 'kryoptic', 'kryoptic.nss']},
'ecdh': {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']},
'democa': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss'], 'is_parallel': false},
'digest': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']},
'fork': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']},
'oaepsha2': {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']},
'hkdf': {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']},
'imported' : {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']},
'rsapss': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']},
'rsapssam': {'suites': ['softhsm']},
'genkey': {'suites': ['softokn', 'softhsm', 'kryoptic']},
'session': {'suites': ['softokn', 'softhsm', 'kryoptic']},
'rand': {'suites': ['softokn', 'softhsm', 'kryoptic']},
'readkeys': {'suites': ['softokn', 'softhsm', 'kryoptic']},
'tls': {'suites': ['softokn', 'softhsm', 'kryoptic'], 'is_parallel': false},
'tlsfuzzer': {'suites': ['softokn', 'softhsm', 'kryoptic']},
'uri': {'suites': ['softokn', 'softhsm', 'kryoptic']},
'ecxc': {'suites': ['softhsm', 'kryoptic']},
'cms': {'suites': ['softokn', 'kryoptic']},
'genkey': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']},
'session': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']},
'rand': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']},
'readkeys': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']},
'tls': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss'], 'is_parallel': false},
'tlsfuzzer': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']},
'uri': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']},
'ecxc': {'suites': ['softhsm', 'kryoptic', 'kryoptic.nss']},
'cms': {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']},
'pinlock': {'suites': ['kryoptic']},
}

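Review bot: every entry now repeats the same four-element list, which is why adding 'kryoptic.nss' touched 22 lines; a single `all_suites = ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']` (and a shorter list for the entries that exclude softhsm or softokn) defined above the dict would make the next backend a one-line change and stop the lists from drifting apart. Also confirm that leaving 'pinlock' on `['kryoptic']` alone is deliberate: if the NSS DB backend implements PIN lockout, that test should cover it too; if it does not, a short comment saying so would stop the next reader from treating it as an oversight.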
@@ -157,6 +157,7 @@ foreach t, extra_args : tests
env: test_env,
depends: test_executables,
is_parallel: false,
timeout: 60,
)
endforeach
endforeach
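Review bot: `timeout: 60` doubles meson's default of 30 s for every test in every suite, not only the new one, and a flat value hides which test needed it. If a particular kryoptic.nss test was hitting the default, say so in the commit message, or carry the value in the per-test dict next to `'is_parallel': false` and read it here with `timeout: extra_args.get('timeout', 30)` so only the slow test is affected.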
2 changes: 2 additions & 0 deletions tests/setup.sh
@@ -31,6 +31,8 @@ elif [ "${TOKENTYPE}" == "softokn" ]; then
source "${TESTSSRCDIR}/softokn-init.sh"
elif [ "${TOKENTYPE}" == "kryoptic" ]; then
source "${TESTSSRCDIR}/kryoptic-init.sh"
elif [ "${TOKENTYPE}" == "kryoptic.nss" ]; then
source "${TESTSSRCDIR}/kryoptic.nss-init.sh"
else
echo "Unknown token type: $1"
exit 1
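Review bot: the new branch follows the existing pattern, but the context line `echo "Unknown token type: $1"` reports `$1` while every branch tests `${TOKENTYPE}`; if the two ever differ (for instance when `TOKENTYPE` is exported rather than passed as an argument) the diagnostic names the wrong value, so print `${TOKENTYPE}` there.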
2 changes: 1 addition & 1 deletion tests/turi
@@ -14,7 +14,7 @@ if [ $FAIL -ne 0 ]; then
exit 1
fi

URISonly=$(echo "$helper_output" | grep "^URI")
URISonly=$(echo "$helper_output" | grep "^URI pkcs11:")
# poor mans mapfile for bash 3 on macos
declare -a URIS
while read -r var; do
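Review bot: tightening the filter to `grep "^URI pkcs11:"` is the right fix for the NSS DB output, but `grep` exits 1 when nothing matches, and if this script runs under `set -e` the `URISonly=$(...)` assignment then terminates the run silently before the `URIS` array is ever examined. Append `|| true` and follow it with an explicit `[ -n "$URISonly" ] || { echo "no pkcs11: URIs in helper output"; exit 1; }` so an empty result is reported instead of vanishing. The context comment `poor mans mapfile` is also missing its apostrophe.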