-# $OpenBSD: agent-pkcs11-cert.sh,v 1.2 2025/05/24 04:41:12 djm Exp $
+# $OpenBSD: agent-pkcs11-cert.sh,v 1.3 2025/07/26 01:53:31 djm Exp $
# Placed in the Public Domain.
tid="pkcs11 agent certificate test"
fatal "certify ECDSA key failed"
$SSHKEYGEN -qs $OBJ/ca -I "rsa_key" -n $USER -z 2 ${SSH_SOFTHSM_DIR}/RSA.pub ||
fatal "certify RSA key failed"
-$SSHKEYGEN -qs $OBJ/ca -I "ca_ca" -n $USER -z 3 $OBJ/ca.pub ||
+$SSHKEYGEN -qs $OBJ/ca -I "ed25519_key" -n $USER -z 3 \
+ ${SSH_SOFTHSM_DIR}/ED25519.pub ||
+ fatal "certify ed25519 key failed"
+$SSHKEYGEN -qs $OBJ/ca -I "ca_ca" -n $USER -z 4 $OBJ/ca.pub ||
fatal "certify CA key failed"
start_ssh_agent
# Note: deliberately contains non-cert keys and non-matching cert on commandline
p11_ssh_add -qs ${TEST_SSH_PKCS11} \
$OBJ/ca.pub \
+ ${SSH_SOFTHSM_DIR}/ED25519.pub \
+ ${SSH_SOFTHSM_DIR}/ED25519-cert.pub \
${SSH_SOFTHSM_DIR}/EC.pub \
${SSH_SOFTHSM_DIR}/EC-cert.pub \
${SSH_SOFTHSM_DIR}/RSA.pub \
# Verify their presence
verbose "verify presence"
cut -d' ' -f1-2 \
+ ${SSH_SOFTHSM_DIR}/ED25519.pub \
${SSH_SOFTHSM_DIR}/EC.pub \
${SSH_SOFTHSM_DIR}/RSA.pub \
+ ${SSH_SOFTHSM_DIR}/ED25519-cert.pub \
${SSH_SOFTHSM_DIR}/EC-cert.pub \
${SSH_SOFTHSM_DIR}/RSA-cert.pub | sort > $OBJ/expect_list
$SSHADD -L | cut -d' ' -f1-2 | sort > $OBJ/output_list
# Verify that all can perform signatures.
verbose "check signatures"
for x in ${SSH_SOFTHSM_DIR}/EC.pub ${SSH_SOFTHSM_DIR}/RSA.pub \
- ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub ; do
+ ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub \
+ ${SSH_SOFTHSM_DIR}/ED25519.pub ${SSH_SOFTHSM_DIR}/ED25519-cert.pub ; do
$SSHADD -T $x || fail "Signing failed for $x"
done
# Delete plain keys.
verbose "delete plain keys"
$SSHADD -qd ${SSH_SOFTHSM_DIR}/EC.pub ${SSH_SOFTHSM_DIR}/RSA.pub
+$SSHADD -qd ${SSH_SOFTHSM_DIR}/ED25519.pub
# Verify that certs can still perform signatures.
verbose "reverify certificate signatures"
-for x in ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub ; do
+for x in ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub \
+ ${SSH_SOFTHSM_DIR}/ED25519-cert.pub ; do
$SSHADD -T $x || fail "Signing failed for $x"
done
${SSH_SOFTHSM_DIR}/EC.pub \
${SSH_SOFTHSM_DIR}/EC-cert.pub \
${SSH_SOFTHSM_DIR}/RSA.pub \
- ${SSH_SOFTHSM_DIR}/RSA-cert.pub ||
+ ${SSH_SOFTHSM_DIR}/RSA-cert.pub \
+ ${SSH_SOFTHSM_DIR}/ED25519.pub \
+ ${SSH_SOFTHSM_DIR}/ED25519-cert.pub ||
fatal "failed to add keys"
# Verify their presence
verbose "verify presence"
cut -d' ' -f1-2 \
${SSH_SOFTHSM_DIR}/EC-cert.pub \
- ${SSH_SOFTHSM_DIR}/RSA-cert.pub | sort > $OBJ/expect_list
+ ${SSH_SOFTHSM_DIR}/RSA-cert.pub \
+ ${SSH_SOFTHSM_DIR}/ED25519-cert.pub | sort > $OBJ/expect_list
$SSHADD -L | cut -d' ' -f1-2 | sort > $OBJ/output_list
diff $OBJ/expect_list $OBJ/output_list
# Verify that certs can perform signatures.
verbose "check signatures"
-for x in ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub ; do
+for x in ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub \
+ ${SSH_SOFTHSM_DIR}/ED25519-cert.pub ; do
$SSHADD -T $x || fail "Signing failed for $x"
done
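Review bot: The new `$SSHADD -qd ${SSH_SOFTHSM_DIR}/ED25519.pub` at the "delete plain keys" step is a second unchecked deletion: unlike the certify and add steps, which use `|| fatal`, a failed delete here would go unnoticed, and the "reverify certificate signatures" loop that follows would still pass because the certs remain loaded, so the test could not tell a working delete from a silently failed one. It would be more consistent with the rest of the script to fold the Ed25519 key into the existing deletion and check its status: `$SSHADD -qd ${SSH_SOFTHSM_DIR}/EC.pub ${SSH_SOFTHSM_DIR}/RSA.pub \` followed by `${SSH_SOFTHSM_DIR}/ED25519.pub || fail "delete plain keys failed"`. The hunk headers are not visible in this view, so if a presence check against `$SSHADD -L` already follows the deletion in omitted context, that would cover part of this; an explicit status check on the `-d` call would still be cheap. The surrounding script continues outside the visible hunks.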
-# $OpenBSD: test-exec.sh,v 1.130 2025/06/28 13:34:08 dtucker Exp $
+# $OpenBSD: test-exec.sh,v 1.131 2025/07/26 01:53:31 djm Exp $
# Placed in the Public Domain.
#SUDO=sudo
--import $ECP8 >/dev/null || fatal "softhsm import EC fail"
chmod 600 $EC
ssh-keygen -y -f $EC > ${EC}.pub
+ # Ed25519 key
+ ED25519=${SSH_SOFTHSM_DIR}/ED25519
+ ED25519P8=${SSH_SOFTHSM_DIR}/ED25519P8
+ $OPENSSL_BIN genpkey -algorithm ed25519 > $ED25519 || \
+ fatal "genpkey Ed25519 fail"
+ $OPENSSL_BIN pkcs8 -nocrypt -in $ED25519 > $ED25519P8 || \
+ fatal "pkcs8 Ed25519 fail"
+ softhsm2-util --slot "$slot" --label 03 --id 03 --pin "$TEST_SSH_PIN" \
+ --import $ED25519P8 >/dev/null || \
+ fatal "softhsm import ed25519 fail"
+ chmod 600 $ED25519
+ ssh-keygen -y -f $ED25519 > ${ED25519}.pub
# Prepare askpass script to load PIN.
PIN_SH=$SSH_SOFTHSM_DIR/pin.sh
cat > $PIN_SH << EOF