From: Vladimir Stoiakin <VStoiakin@lavabit.com>
Date: Wed, 1 Nov 2023 14:52:50 +0000 (+0300)
Subject: TEST-24-CRYPTSETUP: add test for PKCS#11 tokens
X-Git-Tag: v256-rc1~1427^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F28658%2Fhead;p=thirdparty%2Fsystemd.git

TEST-24-CRYPTSETUP: add test for PKCS#11 tokens

Introduces new dependencies on SoftHSM, OpenSC and GnuTLS for the test.
---

diff --git a/src/basic/build.c b/src/basic/build.c
index c587adad7b0..8fb32ab9b6e 100644
--- a/src/basic/build.c
+++ b/src/basic/build.c
@@ -138,6 +138,12 @@ const char* const systemd_features =
         " -LIBCRYPTSETUP"
 #endif
 
+#if HAVE_LIBCRYPTSETUP_PLUGINS
+        " +LIBCRYPTSETUP_PLUGINS"
+#else
+        " -LIBCRYPTSETUP_PLUGINS"
+#endif
+
 #if HAVE_LIBFDISK
         " +LIBFDISK"
 #else
diff --git a/test/TEST-24-CRYPTSETUP/template.cfg b/test/TEST-24-CRYPTSETUP/template.cfg
new file mode 100644
index 00000000000..42f8b9d7484
--- /dev/null
+++ b/test/TEST-24-CRYPTSETUP/template.cfg
@@ -0,0 +1,8 @@
+dn = "cn = systemd"
+expiration_days = 30
+
+signing_key
+encryption_key
+
+tls_www_client
+email_protection_key
diff --git a/test/TEST-24-CRYPTSETUP/test.sh b/test/TEST-24-CRYPTSETUP/test.sh
index eace3f23c03..a6739eee1cd 100755
--- a/test/TEST-24-CRYPTSETUP/test.sh
+++ b/test/TEST-24-CRYPTSETUP/test.sh
@@ -39,6 +39,117 @@ check_result_qemu() {
     return $ret
 }
 
+can_test_pkcs11() {
+    if ! command -v "softhsm2-util" >/dev/null; then
+        ddebug "softhsm2-util not available, skipping the PKCS#11 test"
+        return 1
+    fi
+    if ! command -v "pkcs11-tool" >/dev/null; then
+        ddebug "pkcs11-tool not available, skipping the PKCS#11 test"
+        return 1
+    fi
+    if ! command -v "certtool" >/dev/null; then
+        ddebug "certtool not available, skipping the PKCS#11 test"
+        return 1
+    fi
+    if ! "${SYSTEMCTL:?}" --version | grep -q "+P11KIT"; then
+        ddebug "Support for p11-kit is disabled, skipping the PKCS#11 test"
+        return 1
+    fi
+    if ! "${SYSTEMCTL:?}" --version | grep -q "+LIBCRYPTSETUP\b"; then
+        ddebug "Support for libcryptsetup is disabled, skipping the PKCS#11 test"
+        return 1
+    fi
+    if ! "${SYSTEMCTL:?}" --version | grep -q "+LIBCRYPTSETUP_PLUGINS"; then
+        ddebug "Support for libcryptsetup plugins is disabled, skipping the PKCS#11 test"
+        return 1
+    fi
+
+    return 0
+}
+
+setup_pkcs11_token() {
+    dinfo "Setup PKCS#11 token"
+    local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE
+
+    export SOFTHSM2_CONF="/tmp/softhsm2.conf"
+    mkdir -p "$initdir/var/lib/softhsm/tokens/"
+    cat >${SOFTHSM2_CONF} <<EOF
+directories.tokendir = $initdir/var/lib/softhsm/tokens/
+objectstore.backend = file
+slots.removable = false
+slots.mechanisms = ALL
+EOF
+    export GNUTLS_PIN="1234"
+    export GNUTLS_SO_PIN="12345678"
+    softhsm2-util --init-token --free --label "TestToken" --pin ${GNUTLS_PIN} --so-pin ${GNUTLS_SO_PIN}
+
+    if ! P11_MODULE_CONFIGS_DIR=$(pkg-config --variable=p11_module_configs p11-kit-1); then
+        echo "WARNING! Cannot get p11_module_configs from p11-kit-1.pc, assuming /usr/share/p11-kit/modules" >&2
+        P11_MODULE_CONFIGS_DIR="/usr/share/p11-kit/modules"
+    fi
+
+    if ! P11_MODULE_DIR=$(pkg-config --variable=p11_module_path p11-kit-1); then
+        echo "WARNING! Cannot get p11_module_path from p11-kit-1.pc, assuming /usr/lib/pkcs11" >&2
+        P11_MODULE_DIR="/usr/lib/pkcs11"
+    fi
+
+    SOFTHSM_MODULE=$(grep -F 'module:' "$P11_MODULE_CONFIGS_DIR/softhsm2.module"| cut -d ':' -f 2| xargs)
+    if [[ "$SOFTHSM_MODULE" =~ ^[^/] ]]; then
+        SOFTHSM_MODULE="$P11_MODULE_DIR/$SOFTHSM_MODULE"
+    fi
+
+    # RSA #####################################################
+    pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "RSA:2048" --label "RSATestKey" --usage-decrypt
+
+    certtool --generate-self-signed \
+      --load-privkey="pkcs11:token=TestToken;object=RSATestKey;type=private" \
+      --load-pubkey="pkcs11:token=TestToken;object=RSATestKey;type=public" \
+      --template "$TEST_BASE_DIR/$TESTNAME/template.cfg" \
+      --outder --outfile "/tmp/rsa_test.crt"
+
+    pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/rsa_test.crt" --type cert --label "RSATestKey"
+    rm "/tmp/rsa_test.crt"
+
+    # prime256v1 ##############################################
+    pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "EC:prime256v1" --label "ECTestKey" --usage-derive
+
+    certtool --generate-self-signed \
+      --load-privkey="pkcs11:token=TestToken;object=ECTestKey;type=private" \
+      --load-pubkey="pkcs11:token=TestToken;object=ECTestKey;type=public" \
+      --template "$TEST_BASE_DIR/$TESTNAME/template.cfg" \
+      --outder --outfile "/tmp/ec_test.crt"
+
+    pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/ec_test.crt" --type cert --label "ECTestKey"
+    rm "/tmp/ec_test.crt"
+
+    ###########################################################
+    rm ${SOFTHSM2_CONF}
+    unset SOFTHSM2_CONF
+
+    inst_libs "$SOFTHSM_MODULE"
+    inst_library "$SOFTHSM_MODULE"
+    inst_simple "$P11_MODULE_CONFIGS_DIR/softhsm2.module"
+
+    cat >"$initdir/etc/softhsm2.conf" <<EOF
+directories.tokendir = /var/lib/softhsm/tokens/
+objectstore.backend = file
+slots.removable = false
+slots.mechanisms = ALL
+log.level = INFO
+EOF
+
+    mkdir -p "$initdir/etc/systemd/system/systemd-cryptsetup@.service.d"
+    cat >"$initdir/etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf" <<EOF
+[Service]
+Environment="SOFTHSM2_CONF=/etc/softhsm2.conf"
+Environment="PIN=$GNUTLS_PIN"
+EOF
+
+    unset GNUTLS_PIN
+    unset GNUTLS_SO_PIN
+}
+
 test_create_image() {
     create_empty_image_rootdir
 
@@ -57,6 +168,10 @@ test_create_image() {
     install_dmevent
     generate_module_dependencies
 
+    if can_test_pkcs11; then
+        setup_pkcs11_token
+    fi
+
     # Create a keydev
     dd if=/dev/zero of="${STATEDIR:?}/keydev.img" bs=1M count=16
     mkfs.ext4 -L varcrypt_keydev "$STATEDIR/keydev.img"
@@ -83,7 +198,7 @@ EOF
         if command -v dracut >/dev/null; then
             dracut --force --verbose --add crypt "$INITRD"
         elif command -v mkinitcpio >/dev/null; then
-            mkinitcpio --addhooks sd-encrypt --generate "$INITRD"
+            mkinitcpio -S autodetect --addhooks sd-encrypt --generate "$INITRD"
         elif command -v mkinitramfs >/dev/null; then
             # The cryptroot hook is provided by the cryptsetup-initramfs package
             if ! dpkg-query -s cryptsetup-initramfs; then
diff --git a/test/units/testsuite-24.sh b/test/units/testsuite-24.sh
index 0a8a920eeb4..eeec411e9c8 100755
--- a/test/units/testsuite-24.sh
+++ b/test/units/testsuite-24.sh
@@ -5,8 +5,6 @@ set -o pipefail
 
 # TODO:
 #   - /proc/cmdline parsing
-#   - figure out token support (apart from TPM2, as that's covered by TEST-70-TPM2)
-#       - this might help https://www.qemu.org/docs/master/system/devices/ccid.html
 #   - expect + interactive auth?
 
 # We set up an encrypted /var partition which should get mounted automatically
@@ -185,6 +183,7 @@ empty0               $IMAGE_EMPTY    -                               headless=1,
 empty1               $IMAGE_EMPTY    -                               headless=1,try-empty-password=1
 # This one expects the key to be under /{etc,run}/cryptsetup-keys.d/empty_nokey.key
 empty_nokey          $IMAGE_EMPTY    -                               headless=1
+empty_pkcs11_auto    $IMAGE_EMPTY    -                               headless=1,pkcs11-uri=auto
 
 detached             $IMAGE_DETACHED $IMAGE_DETACHED_KEYFILE         headless=1,header=$IMAGE_DETACHED_HEADER,keyfile-offset=32,keyfile-size=16
 detached_store0      $IMAGE_DETACHED $IMAGE_DETACHED_KEYFILE         headless=1,header=/header:LABEL=header_store,keyfile-offset=32,keyfile-size=16
@@ -229,6 +228,19 @@ mkdir -p /run/cryptsetup-keys.d
 cp "$IMAGE_EMPTY_KEYFILE" /run/cryptsetup-keys.d/empty_nokey.key
 cryptsetup_start_and_check empty_nokey
 
+if [[ -r /etc/softhsm2.conf ]]; then
+    # Test unlocking with a PKCS#11 token
+    export SOFTHSM2_CONF="/etc/softhsm2.conf"
+    PIN="1234" systemd-cryptenroll --pkcs11-token-uri="pkcs11:token=TestToken;object=RSATestKey" --unlock-key-file="$IMAGE_EMPTY_KEYFILE" "$IMAGE_EMPTY"
+    cryptsetup_start_and_check empty_pkcs11_auto
+    cryptsetup luksKillSlot -q "$IMAGE_EMPTY" 2
+    cryptsetup token remove --token-id 0 "$IMAGE_EMPTY"
+    PIN="1234" systemd-cryptenroll --pkcs11-token-uri="pkcs11:token=TestToken;object=ECTestKey" --unlock-key-file="$IMAGE_EMPTY_KEYFILE" "$IMAGE_EMPTY"
+    cryptsetup_start_and_check empty_pkcs11_auto
+    cryptsetup luksKillSlot -q "$IMAGE_EMPTY" 2
+    cryptsetup token remove --token-id 0 "$IMAGE_EMPTY"
+fi
+
 cryptsetup_start_and_check detached
 cryptsetup_start_and_check detached_store{0..2}
 cryptsetup_start_and_check -f detached_fail{0..4}