From a729163c56ecc002c0cb04db56e7d86ceec2e8b0 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Sat, 26 Jul 2025 01:53:31 +0000
Subject: [PATCH] upstream: regression tests for Ed25519 keys in PKCS#11 tokens

OpenBSD-Regress-ID: 50067c0716abfea3a526b4a0c8f1fe15e7665c0f
---
 regress/agent-pkcs11-cert.sh | 28 +++++++++++++++++++++-------
 regress/agent-pkcs11-restrict.sh | 3 ++-
 regress/agent-pkcs11.sh | 4 ++--
 regress/test-exec.sh | 14 +++++++++++++-
 4 files changed, 38 insertions(+), 11 deletions(-)

diff --git a/regress/agent-pkcs11-cert.sh b/regress/agent-pkcs11-cert.sh
index 39e839f9c..551067d23 100644
--- a/regress/agent-pkcs11-cert.sh
+++ b/regress/agent-pkcs11-cert.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent-pkcs11-cert.sh,v 1.2 2025/05/24 04:41:12 djm Exp $
+# $OpenBSD: agent-pkcs11-cert.sh,v 1.3 2025/07/26 01:53:31 djm Exp $
 # Placed in the Public Domain.
 
 tid="pkcs11 agent certificate test"
@@ -16,7 +16,10 @@ $SSHKEYGEN -qs $OBJ/ca -I "ecdsa_key" -n $USER -z 1 ${SSH_SOFTHSM_DIR}/EC.pub ||
 	fatal "certify ECDSA key failed"
 $SSHKEYGEN -qs $OBJ/ca -I "rsa_key" -n $USER -z 2 ${SSH_SOFTHSM_DIR}/RSA.pub ||
 	fatal "certify RSA key failed"
-$SSHKEYGEN -qs $OBJ/ca -I "ca_ca" -n $USER -z 3 $OBJ/ca.pub ||
+$SSHKEYGEN -qs $OBJ/ca -I "ed25519_key" -n $USER -z 3 \
+	${SSH_SOFTHSM_DIR}/ED25519.pub ||
+	fatal "certify ed25519 key failed"
+$SSHKEYGEN -qs $OBJ/ca -I "ca_ca" -n $USER -z 4 $OBJ/ca.pub ||
 	fatal "certify CA key failed"
 
 start_ssh_agent
@@ -25,6 +28,8 @@ verbose "load pkcs11 keys and certs"
 # Note: deliberately contains non-cert keys and non-matching cert on commandline
 p11_ssh_add -qs ${TEST_SSH_PKCS11} \
 	$OBJ/ca.pub \
+	${SSH_SOFTHSM_DIR}/ED25519.pub \
+	${SSH_SOFTHSM_DIR}/ED25519-cert.pub \
 	${SSH_SOFTHSM_DIR}/EC.pub \
 	${SSH_SOFTHSM_DIR}/EC-cert.pub \
 	${SSH_SOFTHSM_DIR}/RSA.pub \
@@ -33,8 +38,10 @@ p11_ssh_add -qs ${TEST_SSH_PKCS11} \
 # Verify their presence
 verbose "verify presence"
 cut -d' ' -f1-2 \
+	${SSH_SOFTHSM_DIR}/ED25519.pub \
 	${SSH_SOFTHSM_DIR}/EC.pub \
 	${SSH_SOFTHSM_DIR}/RSA.pub \
+	${SSH_SOFTHSM_DIR}/ED25519-cert.pub \
 	${SSH_SOFTHSM_DIR}/EC-cert.pub \
 	${SSH_SOFTHSM_DIR}/RSA-cert.pub | sort > $OBJ/expect_list
 $SSHADD -L | cut -d' ' -f1-2 | sort > $OBJ/output_list
@@ -43,16 +50,19 @@ diff $OBJ/expect_list $OBJ/output_list
 # Verify that all can perform signatures.
 verbose "check signatures"
 for x in ${SSH_SOFTHSM_DIR}/EC.pub ${SSH_SOFTHSM_DIR}/RSA.pub \
-	${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub ; do
+	${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub \
+	${SSH_SOFTHSM_DIR}/ED25519.pub ${SSH_SOFTHSM_DIR}/ED25519-cert.pub ; do
 	$SSHADD -T $x || fail "Signing failed for $x"
 done
 
 # Delete plain keys.
 verbose "delete plain keys"
 $SSHADD -qd ${SSH_SOFTHSM_DIR}/EC.pub ${SSH_SOFTHSM_DIR}/RSA.pub
+$SSHADD -qd ${SSH_SOFTHSM_DIR}/ED25519.pub
 
 # Verify that certs can still perform signatures.
 verbose "reverify certificate signatures"
-for x in ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub ; do
+for x in ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub \
+	${SSH_SOFTHSM_DIR}/ED25519-cert.pub ; do
 	$SSHADD -T $x || fail "Signing failed for $x"
 done
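Review bot: The new `$SSHADD -qd ${SSH_SOFTHSM_DIR}/ED25519.pub` is a separate invocation whose exit status is never checked, so if the delete fails the plain Ed25519 key stays loaded and the following "reverify certificate signatures" loop passes without proving anything about cert-only signing. The existing EC/RSA delete line has the same gap, but the new line could at least fail loudly: `$SSHADD -qd ${SSH_SOFTHSM_DIR}/ED25519.pub || fail "delete ed25519 key failed"`, or fold the path into the existing `-qd` call so all three plain keys go in one command. Within this hunk nothing compares `$SSHADD -L` against a cert-only expect list after the delete, so the reverify step cannot distinguish "cert signed" from "plain key still present"; if such a check exists beyond old line 58 this does not apply.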
@@ -64,18 +74,22 @@ p11_ssh_add -qCs ${TEST_SSH_PKCS11} \
 	${SSH_SOFTHSM_DIR}/EC.pub \
 	${SSH_SOFTHSM_DIR}/EC-cert.pub \
 	${SSH_SOFTHSM_DIR}/RSA.pub \
-	${SSH_SOFTHSM_DIR}/RSA-cert.pub ||
+	${SSH_SOFTHSM_DIR}/RSA-cert.pub \
+	${SSH_SOFTHSM_DIR}/ED25519.pub \
+	${SSH_SOFTHSM_DIR}/ED25519-cert.pub ||
 	fatal "failed to add keys"
 # Verify their presence
 verbose "verify presence"
 cut -d' ' -f1-2 \
 	${SSH_SOFTHSM_DIR}/EC-cert.pub \
-	${SSH_SOFTHSM_DIR}/RSA-cert.pub | sort > $OBJ/expect_list
+	${SSH_SOFTHSM_DIR}/RSA-cert.pub \
+	${SSH_SOFTHSM_DIR}/ED25519-cert.pub | sort > $OBJ/expect_list
 $SSHADD -L | cut -d' ' -f1-2 | sort > $OBJ/output_list
 diff $OBJ/expect_list $OBJ/output_list
 
 # Verify that certs can perform signatures.
 verbose "check signatures"
-for x in ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub ; do
+for x in ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub \
+	${SSH_SOFTHSM_DIR}/ED25519-cert.pub ; do
 	$SSHADD -T $x || fail "Signing failed for $x"
 done
diff --git a/regress/agent-pkcs11-restrict.sh b/regress/agent-pkcs11-restrict.sh
index e5763ea8f..9fc5e1c69 100644
--- a/regress/agent-pkcs11-restrict.sh
+++ b/regress/agent-pkcs11-restrict.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent-pkcs11-restrict.sh,v 1.2 2025/05/24 04:41:12 djm Exp $
+# $OpenBSD: agent-pkcs11-restrict.sh,v 1.3 2025/07/26 01:53:31 djm Exp $
 # Placed in the Public Domain.
 
 tid="pkcs11 agent constraint test"
@@ -16,6 +16,7 @@ for h in a b x ca ; do
 done
 
 # XXX test CA hostcerts too.
+# XXX test ed25519 keys
 
 key_for() {
 	case $h in
diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh
index 731c1f9dd..491466659 100644
--- a/regress/agent-pkcs11.sh
+++ b/regress/agent-pkcs11.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent-pkcs11.sh,v 1.14 2025/05/24 04:41:03 djm Exp $
+# $OpenBSD: agent-pkcs11.sh,v 1.15 2025/07/26 01:53:31 djm Exp $
 # Placed in the Public Domain.
 
 tid="pkcs11 agent test"
@@ -21,7 +21,7 @@ if [ $r -ne 0 ]; then
 	fail "ssh-add -l failed: exit code $r"
 fi
 
-for k in $RSA $EC; do
+for k in $ED25519 $RSA $EC; do
 	trace "testing $k"
 	pub=$(cat $k.pub)
 	${SSHADD} -L | grep -q "$pub" || \
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 0ecf6c5a8..c5270042e 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: test-exec.sh,v 1.130 2025/06/28 13:34:08 dtucker Exp $
+# $OpenBSD: test-exec.sh,v 1.131 2025/07/26 01:53:31 djm Exp $
 # Placed in the Public Domain.
 
 #SUDO=sudo
@@ -979,6 +979,18 @@ EOF
 	    --import $ECP8 >/dev/null || fatal "softhsm import EC fail"
 	chmod 600 $EC
 	ssh-keygen -y -f $EC > ${EC}.pub
+	# Ed25519 key
+	ED25519=${SSH_SOFTHSM_DIR}/ED25519
+	ED25519P8=${SSH_SOFTHSM_DIR}/ED25519P8
+	$OPENSSL_BIN genpkey -algorithm ed25519 > $ED25519 || \
+	    fatal "genpkey Ed25519 fail"
+	$OPENSSL_BIN pkcs8 -nocrypt -in $ED25519 > $ED25519P8 || \
+	    fatal "pkcs8 Ed25519 fail"
+	softhsm2-util --slot "$slot" --label 03 --id 03 --pin "$TEST_SSH_PIN" \
+	    --import $ED25519P8 >/dev/null || \
+	    fatal "softhsm import ed25519 fail"
+	chmod 600 $ED25519
+	ssh-keygen -y -f $ED25519 > ${ED25519}.pub
 	# Prepare askpass script to load PIN.
 	PIN_SH=$SSH_SOFTHSM_DIR/pin.sh
 	cat > $PIN_SH << EOF
-- 
2.47.2
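Review bot: `for k in $ED25519 $RSA $EC; do` degrades silently when `$ED25519` is unset or empty: the unquoted expansion contributes no word, the loop covers only RSA and EC, and the test passes without ever exercising an Ed25519 key. Since the variable is only populated by the Ed25519 setup added to test-exec.sh in this same commit, a guard ahead of the loop keeps the test honest, e.g. `[ -n "$ED25519" ] || fatal "ED25519 key path not set"`. The same observation applies to the pre-existing `$RSA` and `$EC` operands, so the guard could cover all three. The loop body continues past the end of the hunk.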
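Review bot: `$OPENSSL_BIN genpkey -algorithm ed25519 > $ED25519` and the following `pkcs8 ... > $ED25519P8` create the unencrypted private key files under the caller's umask, and the `chmod 600 $ED25519` only comes after the SoftHSM import; nothing in this hunk changes the mode of `$ED25519P8` at all, so both files can be readable to other users of the regress host for the duration of the setup. The EC lines visible in the context follow the same order, so this is inherited rather than introduced here; a single `umask 077` at the top of the SoftHSM setup block would cover every key type and make the later chmod calls redundant. Separately, each step ends in `fatal`, so on an OpenSSL or SoftHSM build without Ed25519 support the entire PKCS#11 setup now aborts instead of only the Ed25519 cases being skipped; if that is not the intent, probing `$OPENSSL_BIN genpkey -algorithm ed25519` once and skipping just this key on failure would be the narrower behaviour. The enclosing setup block starts and ends outside the hunk.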