TrueCloudLab/certificates
17
0
Fork 2
Code Issues 1 Pull requests 1 Releases Activity Actions

Convert pkcs11 tests to use tags.

Browse source
This commit is contained in:
Mariano Cano 2021-01-28 14:43:22 -08:00
parent 6c113542c8
commit 673675fa89
5 changed files with 393 additions and 366 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

178
kms/pkcs11/other_test.go Normal file
View file

@ -0,0 +1,178 @@
// +build !softhsm2,!yubihsm2
package pkcs11
import (
"crypto"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"fmt"
"io"
"math/big"
"testing"
"github.com/ThalesIgnite/crypto11"
"github.com/pkg/errors"
)
func mustPKCS11(t *testing.T) *PKCS11 {
t.Helper()
testModule = "Golang crypto"
k := &PKCS11{
p11: &stubPKCS11{
signerIndex: make(map[keyType]int),
certIndex: make(map[keyType]int),
},
}
for i := range testCerts {
testCerts[i].Certificates = nil
}
setup(t, k)
return k
}
type keyType struct {
id string
label string
serial string
}
func newKey(id, label []byte, serial *big.Int) keyType {
var serialString string
if serial != nil {
serialString = serial.String()
}
return keyType{
id: string(id),
label: string(label),
serial: serialString,
}
}
type stubPKCS11 struct {
signers []crypto11.Signer
certs []*x509.Certificate
signerIndex map[keyType]int
certIndex map[keyType]int
}
func (s *stubPKCS11) FindKeyPair(id, label []byte) (crypto11.Signer, error) {
if id == nil && label == nil {
return nil, errors.New("id and label cannot both be nil")
}
i, ok := s.signerIndex[newKey(id, label, nil)]
fmt.Println(i, ok)
if ok {
return s.signers[i], nil
}
return nil, nil
}
func (s *stubPKCS11) FindCertificate(id, label []byte, serial *big.Int) (*x509.Certificate, error) {
if id == nil && label == nil && serial == nil {
return nil, errors.New("id, label and serial cannot both be nil")
}
if i, ok := s.certIndex[newKey(id, label, serial)]; ok {
return s.certs[i], nil
}
return nil, nil
}
func (s *stubPKCS11) ImportCertificateWithLabel(id, label []byte, cert *x509.Certificate) error {
switch {
case id == nil && label == nil:
return errors.New("id and label cannot both be nil")
case cert == nil:
return errors.New("certificate cannot be nil")
}
i := len(s.certs)
s.certs = append(s.certs, cert)
s.certIndex[newKey(id, label, cert.SerialNumber)] = i
s.certIndex[newKey(id, nil, nil)] = i
s.certIndex[newKey(nil, label, nil)] = i
s.certIndex[newKey(nil, nil, cert.SerialNumber)] = i
s.certIndex[newKey(id, label, nil)] = i
s.certIndex[newKey(id, nil, cert.SerialNumber)] = i
s.certIndex[newKey(nil, label, cert.SerialNumber)] = i
return nil
}
func (s *stubPKCS11) DeleteCertificate(id, label []byte, serial *big.Int) error {
if id == nil && label == nil && serial == nil {
return errors.New("id, label and serial cannot both be nil")
}
if i, ok := s.certIndex[newKey(id, label, serial)]; ok {
s.certs[i] = nil
}
return nil
}
func (s *stubPKCS11) GenerateRSAKeyPairWithLabel(id, label []byte, bits int) (crypto11.SignerDecrypter, error) {
if id == nil && label == nil {
return nil, errors.New("id and label cannot both be nil")
}
p, err := rsa.GenerateKey(rand.Reader, bits)
if err != nil {
return nil, err
}
k := &privateKey{
Signer: p,
index: len(s.signers),
stub: s,
}
s.signers = append(s.signers, k)
s.signerIndex[newKey(id, label, nil)] = k.index
s.signerIndex[newKey(id, nil, nil)] = k.index
s.signerIndex[newKey(nil, label, nil)] = k.index
return k, nil
}
func (s *stubPKCS11) GenerateECDSAKeyPairWithLabel(id, label []byte, curve elliptic.Curve) (crypto11.Signer, error) {
if id == nil && label == nil {
return nil, errors.New("id and label cannot both be nil")
}
p, err := ecdsa.GenerateKey(curve, rand.Reader)
if err != nil {
return nil, err
}
k := &privateKey{
Signer: p,
index: len(s.signers),
stub: s,
}
s.signers = append(s.signers, k)
s.signerIndex[newKey(id, label, nil)] = k.index
s.signerIndex[newKey(id, nil, nil)] = k.index
s.signerIndex[newKey(nil, label, nil)] = k.index
return k, nil
}
func (s *stubPKCS11) Close() error {
return nil
}
type privateKey struct {
crypto.Signer
index int
stub *stubPKCS11
}
func (s *privateKey) Delete() error {
s.stub.signers[s.index] = nil
return nil
}
func (s *privateKey) Decrypt(rand io.Reader, msg []byte, opts crypto.DecrypterOpts) (plaintext []byte, err error) {
k, ok := s.Signer.(*rsa.PrivateKey)
if !ok {
return nil, errors.New("key is not an rsa key")
}
return k.Decrypt(rand, msg, opts)
}

340
kms/pkcs11/pkcs11_test.go
View file

@ -45,78 +45,49 @@ func TestNew(t *testing.T) {
} }
func TestPKCS11_GetPublicKey(t *testing.T) { func TestPKCS11_GetPublicKey(t *testing.T) {
setupSoftHSM2, setupYubiHSM2 := setupFuncs(t) k := setupPKCS11(t)
type args struct { type args struct {
req *apiv1.GetPublicKeyRequest req *apiv1.GetPublicKeyRequest
} }
tests := []struct { tests := []struct {
name string name string
setup func(t *testing.T) *PKCS11
args args args args
want crypto.PublicKey want crypto.PublicKey
wantErr bool wantErr bool
}{ }{
// SoftHSM2 {"RSA", args{&apiv1.GetPublicKeyRequest{
{"softhsm RSA", setupSoftHSM2, args{&apiv1.GetPublicKeyRequest{
Name: "pkcs11:id=7371;object=rsa-key", Name: "pkcs11:id=7371;object=rsa-key",
}}, &rsa.PublicKey{}, false}, }}, &rsa.PublicKey{}, false},
{"softhsm RSA by id", setupSoftHSM2, args{&apiv1.GetPublicKeyRequest{ {"RSA by id", args{&apiv1.GetPublicKeyRequest{
Name: "pkcs11:id=7371", Name: "pkcs11:id=7371",
}}, &rsa.PublicKey{}, false}, }}, &rsa.PublicKey{}, false},
{"softhsm RSA by label", setupSoftHSM2, args{&apiv1.GetPublicKeyRequest{ {"RSA by label", args{&apiv1.GetPublicKeyRequest{
Name: "pkcs11:object=rsa-key", Name: "pkcs11:object=rsa-key",
}}, &rsa.PublicKey{}, false}, }}, &rsa.PublicKey{}, false},
{"softhsm ECDSA", setupSoftHSM2, args{&apiv1.GetPublicKeyRequest{ {"ECDSA", args{&apiv1.GetPublicKeyRequest{
Name: "pkcs11:id=7373;object=ecdsa-p256-key", Name: "pkcs11:id=7373;object=ecdsa-p256-key",
}}, &ecdsa.PublicKey{}, false}, }}, &ecdsa.PublicKey{}, false},
{"softhsm ECDSA by id", setupSoftHSM2, args{&apiv1.GetPublicKeyRequest{ {"ECDSA by id", args{&apiv1.GetPublicKeyRequest{
Name: "pkcs11:id=7373", Name: "pkcs11:id=7373",
}}, &ecdsa.PublicKey{}, false}, }}, &ecdsa.PublicKey{}, false},
{"softhsm ECDSA by label", setupSoftHSM2, args{&apiv1.GetPublicKeyRequest{ {"ECDSA by label", args{&apiv1.GetPublicKeyRequest{
Name: "pkcs11:object=ecdsa-p256-key", Name: "pkcs11:object=ecdsa-p256-key",
}}, &ecdsa.PublicKey{}, false}, }}, &ecdsa.PublicKey{}, false},
// YubiHSM2 {"fail name", args{&apiv1.GetPublicKeyRequest{
{"yubiHSM2 RSA", setupYubiHSM2, args{&apiv1.GetPublicKeyRequest{
Name: "pkcs11:id=7371;object=rsa-key",
}}, &rsa.PublicKey{}, false},
{"yubiHSM2 RSA by id", setupYubiHSM2, args{&apiv1.GetPublicKeyRequest{
Name: "pkcs11:id=7371",
}}, &rsa.PublicKey{}, false},
{"yubiHSM2 RSA by label", setupYubiHSM2, args{&apiv1.GetPublicKeyRequest{
Name: "pkcs11:object=rsa-key",
}}, &rsa.PublicKey{}, false},
{"yubiHSM2 ECDSA", setupYubiHSM2, args{&apiv1.GetPublicKeyRequest{
Name: "pkcs11:id=7373;object=ecdsa-p256-key",
}}, &ecdsa.PublicKey{}, false},
{"yubiHSM2 ECDSA by id", setupYubiHSM2, args{&apiv1.GetPublicKeyRequest{
Name: "pkcs11:id=7373",
}}, &ecdsa.PublicKey{}, false},
{"yubiHSM2 ECDSA by label", setupYubiHSM2, args{&apiv1.GetPublicKeyRequest{
Name: "pkcs11:object=ecdsa-p256-key",
}}, &ecdsa.PublicKey{}, false},
// Errors
{"fail name", setupSoftHSM2, args{&apiv1.GetPublicKeyRequest{
Name: "", Name: "",
}}, nil, true}, }}, nil, true},
{"fail uri", setupSoftHSM2, args{&apiv1.GetPublicKeyRequest{ {"fail uri", args{&apiv1.GetPublicKeyRequest{
Name: "https:id=9999;object=https", Name: "https:id=9999;object=https",
}}, nil, true}, }}, nil, true},
{"fail softhsm missing", setupSoftHSM2, args{&apiv1.GetPublicKeyRequest{ {"fail missing", args{&apiv1.GetPublicKeyRequest{
Name: "pkcs11:id=9999;object=rsa-key", Name: "pkcs11:id=9999;object=rsa-key",
}}, nil, true}, }}, nil, true},
{"fail yubiHSM2 missing", setupYubiHSM2, args{&apiv1.GetPublicKeyRequest{ {"fail FindKeyPair", args{&apiv1.GetPublicKeyRequest{
Name: "pkcs11:id=9999;object=ecdsa-p256-key",
}}, nil, true},
{"fail softhsm FindKeyPair", setupSoftHSM2, args{&apiv1.GetPublicKeyRequest{
Name: "pkcs11:foo=bar",
}}, nil, true},
{"fail yubiHSM2 FindKeyPair", setupYubiHSM2, args{&apiv1.GetPublicKeyRequest{
Name: "pkcs11:foo=bar", Name: "pkcs11:foo=bar",
}}, nil, true}, }}, nil, true},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
k := tt.setup(t)
got, err := k.GetPublicKey(tt.args.req) got, err := k.GetPublicKey(tt.args.req)
if (err != nil) != tt.wantErr { if (err != nil) != tt.wantErr {
t.Errorf("PKCS11.GetPublicKey() error = %v, wantErr %v", err, tt.wantErr) t.Errorf("PKCS11.GetPublicKey() error = %v, wantErr %v", err, tt.wantErr)
@ -130,244 +101,170 @@ func TestPKCS11_GetPublicKey(t *testing.T) {
} }
func TestPKCS11_CreateKey(t *testing.T) { func TestPKCS11_CreateKey(t *testing.T) {
setupSoftHSM2, setupYubiHSM2 := setupFuncs(t) k := setupPKCS11(t)
// Make sure to delete the created key
keyName := "pkcs11:id=7771;object=create-key"
k.DeleteKey(keyName)
type args struct { type args struct {
req *apiv1.CreateKeyRequest req *apiv1.CreateKeyRequest
} }
tests := []struct { tests := []struct {
name string name string
setup func(t *testing.T) *PKCS11
args args args args
want *apiv1.CreateKeyResponse want *apiv1.CreateKeyResponse
wantErr bool wantErr bool
}{ }{
// SoftHSM2 // SoftHSM2
{"softhsm Default", setupSoftHSM2, args{&apiv1.CreateKeyRequest{ {"default", args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=7771;object=ecdsa-create-key", Name: keyName,
}}, &apiv1.CreateKeyResponse{ }}, &apiv1.CreateKeyResponse{
Name: "pkcs11:id=7771;object=ecdsa-create-key", Name: keyName,
PublicKey: &ecdsa.PublicKey{}, PublicKey: &ecdsa.PublicKey{},
CreateSignerRequest: apiv1.CreateSignerRequest{ CreateSignerRequest: apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7771;object=ecdsa-create-key", SigningKey: keyName,
}, },
}, false}, }, false},
{"softhsm RSA SHA256WithRSA", setupSoftHSM2, args{&apiv1.CreateKeyRequest{ {"RSA SHA256WithRSA", args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=7771;object=rsa-create-key", Name: keyName,
SignatureAlgorithm: apiv1.SHA256WithRSA, SignatureAlgorithm: apiv1.SHA256WithRSA,
}}, &apiv1.CreateKeyResponse{ }}, &apiv1.CreateKeyResponse{
Name: "pkcs11:id=7771;object=rsa-create-key", Name: keyName,
PublicKey: &rsa.PublicKey{}, PublicKey: &rsa.PublicKey{},
CreateSignerRequest: apiv1.CreateSignerRequest{ CreateSignerRequest: apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7771;object=rsa-create-key", SigningKey: keyName,
}, },
}, false}, }, false},
{"softhsm RSA SHA384WithRSA", setupSoftHSM2, args{&apiv1.CreateKeyRequest{ {"RSA SHA384WithRSA", args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=7771;object=rsa-create-key", Name: keyName,
SignatureAlgorithm: apiv1.SHA384WithRSA, SignatureAlgorithm: apiv1.SHA384WithRSA,
}}, &apiv1.CreateKeyResponse{ }}, &apiv1.CreateKeyResponse{
Name: "pkcs11:id=7771;object=rsa-create-key", Name: keyName,
PublicKey: &rsa.PublicKey{}, PublicKey: &rsa.PublicKey{},
CreateSignerRequest: apiv1.CreateSignerRequest{ CreateSignerRequest: apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7771;object=rsa-create-key", SigningKey: keyName,
}, },
}, false}, }, false},
{"softhsm RSA SHA512WithRSA", setupSoftHSM2, args{&apiv1.CreateKeyRequest{ {"RSA SHA512WithRSA", args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=7771;object=rsa-create-key", Name: keyName,
SignatureAlgorithm: apiv1.SHA512WithRSA, SignatureAlgorithm: apiv1.SHA512WithRSA,
}}, &apiv1.CreateKeyResponse{ }}, &apiv1.CreateKeyResponse{
Name: "pkcs11:id=7771;object=rsa-create-key", Name: keyName,
PublicKey: &rsa.PublicKey{}, PublicKey: &rsa.PublicKey{},
CreateSignerRequest: apiv1.CreateSignerRequest{ CreateSignerRequest: apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7771;object=rsa-create-key", SigningKey: keyName,
}, },
}, false}, }, false},
{"softhsm RSA SHA256WithRSAPSS", setupSoftHSM2, args{&apiv1.CreateKeyRequest{ {"RSA SHA256WithRSAPSS", args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=7771;object=rsa-create-key", Name: keyName,
SignatureAlgorithm: apiv1.SHA256WithRSAPSS, SignatureAlgorithm: apiv1.SHA256WithRSAPSS,
}}, &apiv1.CreateKeyResponse{ }}, &apiv1.CreateKeyResponse{
Name: "pkcs11:id=7771;object=rsa-create-key", Name: keyName,
PublicKey: &rsa.PublicKey{}, PublicKey: &rsa.PublicKey{},
CreateSignerRequest: apiv1.CreateSignerRequest{ CreateSignerRequest: apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7771;object=rsa-create-key", SigningKey: keyName,
}, },
}, false}, }, false},
{"softhsm RSA SHA384WithRSAPSS", setupSoftHSM2, args{&apiv1.CreateKeyRequest{ {"RSA SHA384WithRSAPSS", args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=7771;object=rsa-create-key", Name: keyName,
SignatureAlgorithm: apiv1.SHA384WithRSAPSS, SignatureAlgorithm: apiv1.SHA384WithRSAPSS,
}}, &apiv1.CreateKeyResponse{ }}, &apiv1.CreateKeyResponse{
Name: "pkcs11:id=7771;object=rsa-create-key", Name: keyName,
PublicKey: &rsa.PublicKey{}, PublicKey: &rsa.PublicKey{},
CreateSignerRequest: apiv1.CreateSignerRequest{ CreateSignerRequest: apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7771;object=rsa-create-key", SigningKey: keyName,
}, },
}, false}, }, false},
{"softhsm RSA SHA512WithRSAPSS", setupSoftHSM2, args{&apiv1.CreateKeyRequest{ {"RSA SHA512WithRSAPSS", args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=7771;object=rsa-create-key", Name: keyName,
SignatureAlgorithm: apiv1.SHA512WithRSAPSS, SignatureAlgorithm: apiv1.SHA512WithRSAPSS,
}}, &apiv1.CreateKeyResponse{ }}, &apiv1.CreateKeyResponse{
Name: "pkcs11:id=7771;object=rsa-create-key", Name: keyName,
PublicKey: &rsa.PublicKey{}, PublicKey: &rsa.PublicKey{},
CreateSignerRequest: apiv1.CreateSignerRequest{ CreateSignerRequest: apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7771;object=rsa-create-key", SigningKey: keyName,
}, },
}, false}, }, false},
{"softhsm RSA 2048", setupSoftHSM2, args{&apiv1.CreateKeyRequest{ {"RSA 2048", args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=7771;object=rsa-create-key", Name: keyName,
SignatureAlgorithm: apiv1.SHA256WithRSA, SignatureAlgorithm: apiv1.SHA256WithRSA,
Bits: 2048, Bits: 2048,
}}, &apiv1.CreateKeyResponse{ }}, &apiv1.CreateKeyResponse{
Name: "pkcs11:id=7771;object=rsa-create-key", Name: keyName,
PublicKey: &rsa.PublicKey{}, PublicKey: &rsa.PublicKey{},
CreateSignerRequest: apiv1.CreateSignerRequest{ CreateSignerRequest: apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7771;object=rsa-create-key", SigningKey: keyName,
}, },
}, false}, }, false},
{"softhsm RSA 4096", setupSoftHSM2, args{&apiv1.CreateKeyRequest{ {"RSA 4096", args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=7771;object=rsa-create-key", Name: keyName,
SignatureAlgorithm: apiv1.SHA256WithRSA, SignatureAlgorithm: apiv1.SHA256WithRSA,
Bits: 4096, Bits: 4096,
}}, &apiv1.CreateKeyResponse{ }}, &apiv1.CreateKeyResponse{
Name: "pkcs11:id=7771;object=rsa-create-key", Name: keyName,
PublicKey: &rsa.PublicKey{}, PublicKey: &rsa.PublicKey{},
CreateSignerRequest: apiv1.CreateSignerRequest{ CreateSignerRequest: apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7771;object=rsa-create-key", SigningKey: keyName,
}, },
}, false}, }, false},
{"softhsm ECDSA P256", setupSoftHSM2, args{&apiv1.CreateKeyRequest{ {"ECDSA P256", args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=7771;object=rsa-create-key", Name: keyName,
SignatureAlgorithm: apiv1.ECDSAWithSHA256, SignatureAlgorithm: apiv1.ECDSAWithSHA256,
}}, &apiv1.CreateKeyResponse{ }}, &apiv1.CreateKeyResponse{
Name: "pkcs11:id=7771;object=rsa-create-key", Name: keyName,
PublicKey: &ecdsa.PublicKey{}, PublicKey: &ecdsa.PublicKey{},
CreateSignerRequest: apiv1.CreateSignerRequest{ CreateSignerRequest: apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7771;object=rsa-create-key", SigningKey: keyName,
}, },
}, false}, }, false},
{"softhsm ECDSA P384", setupSoftHSM2, args{&apiv1.CreateKeyRequest{ {"ECDSA P384", args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=7771;object=rsa-create-key", Name: keyName,
SignatureAlgorithm: apiv1.ECDSAWithSHA384, SignatureAlgorithm: apiv1.ECDSAWithSHA384,
}}, &apiv1.CreateKeyResponse{ }}, &apiv1.CreateKeyResponse{
Name: "pkcs11:id=7771;object=rsa-create-key", Name: keyName,
PublicKey: &ecdsa.PublicKey{}, PublicKey: &ecdsa.PublicKey{},
CreateSignerRequest: apiv1.CreateSignerRequest{ CreateSignerRequest: apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7771;object=rsa-create-key", SigningKey: keyName,
}, },
}, false}, }, false},
{"softhsm ECDSA P521", setupSoftHSM2, args{&apiv1.CreateKeyRequest{ {"ECDSA P521", args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=7771;object=rsa-create-key", Name: keyName,
SignatureAlgorithm: apiv1.ECDSAWithSHA512, SignatureAlgorithm: apiv1.ECDSAWithSHA512,
}}, &apiv1.CreateKeyResponse{ }}, &apiv1.CreateKeyResponse{
Name: "pkcs11:id=7771;object=rsa-create-key", Name: keyName,
PublicKey: &ecdsa.PublicKey{}, PublicKey: &ecdsa.PublicKey{},
CreateSignerRequest: apiv1.CreateSignerRequest{ CreateSignerRequest: apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7771;object=rsa-create-key", SigningKey: keyName,
}, },
}, false}, }, false},
// YubiHSM2 {"fail name", args{&apiv1.CreateKeyRequest{
{"yubihsm RSA", setupYubiHSM2, args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=7771;object=rsa-create-key",
SignatureAlgorithm: apiv1.SHA256WithRSA,
}}, &apiv1.CreateKeyResponse{
Name: "pkcs11:id=7771;object=rsa-create-key",
PublicKey: &rsa.PublicKey{},
CreateSignerRequest: apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7771;object=rsa-create-key",
},
}, false},
{"yubihsm RSA 2048", setupYubiHSM2, args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=7771;object=rsa-create-key",
SignatureAlgorithm: apiv1.SHA256WithRSA,
Bits: 2048,
}}, &apiv1.CreateKeyResponse{
Name: "pkcs11:id=7771;object=rsa-create-key",
PublicKey: &rsa.PublicKey{},
CreateSignerRequest: apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7771;object=rsa-create-key",
},
}, false},
{"yubihsm RSA 4096", setupYubiHSM2, args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=7771;object=rsa-create-key",
SignatureAlgorithm: apiv1.SHA256WithRSA,
Bits: 4096,
}}, &apiv1.CreateKeyResponse{
Name: "pkcs11:id=7771;object=rsa-create-key",
PublicKey: &rsa.PublicKey{},
CreateSignerRequest: apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7771;object=rsa-create-key",
},
}, false},
{"yubihsm Default", setupYubiHSM2, args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=7771;object=ecdsa-create-key",
}}, &apiv1.CreateKeyResponse{
Name: "pkcs11:id=7771;object=ecdsa-create-key",
PublicKey: &ecdsa.PublicKey{},
CreateSignerRequest: apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7771;object=ecdsa-create-key",
},
}, false},
{"yubihsm ECDSA P256", setupYubiHSM2, args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=7771;object=rsa-create-key",
SignatureAlgorithm: apiv1.ECDSAWithSHA256,
}}, &apiv1.CreateKeyResponse{
Name: "pkcs11:id=7771;object=rsa-create-key",
PublicKey: &ecdsa.PublicKey{},
CreateSignerRequest: apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7771;object=rsa-create-key",
},
}, false},
{"yubihsm ECDSA P384", setupYubiHSM2, args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=7771;object=rsa-create-key",
SignatureAlgorithm: apiv1.ECDSAWithSHA384,
}}, &apiv1.CreateKeyResponse{
Name: "pkcs11:id=7771;object=rsa-create-key",
PublicKey: &ecdsa.PublicKey{},
CreateSignerRequest: apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7771;object=rsa-create-key",
},
}, false},
{"yubihsm ECDSA P521", setupYubiHSM2, args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=7771;object=rsa-create-key",
SignatureAlgorithm: apiv1.ECDSAWithSHA512,
}}, &apiv1.CreateKeyResponse{
Name: "pkcs11:id=7771;object=rsa-create-key",
PublicKey: &ecdsa.PublicKey{},
CreateSignerRequest: apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7771;object=rsa-create-key",
},
}, false},
// Errors
{"fail name", setupSoftHSM2, args{&apiv1.CreateKeyRequest{
Name: "", Name: "",
}}, nil, true}, }}, nil, true},
{"fail bits", setupSoftHSM2, args{&apiv1.CreateKeyRequest{ {"fail bits", args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=9999;object=rsa-create-key", Name: "pkcs11:id=9999;object=rsa-create-key",
Bits: -1, Bits: -1,
SignatureAlgorithm: apiv1.SHA256WithRSAPSS, SignatureAlgorithm: apiv1.SHA256WithRSAPSS,
}}, nil, true}, }}, nil, true},
{"fail ed25519", setupSoftHSM2, args{&apiv1.CreateKeyRequest{ {"fail ed25519", args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=9999;object=rsa-create-key", Name: "pkcs11:id=9999;object=rsa-create-key",
SignatureAlgorithm: apiv1.PureEd25519, SignatureAlgorithm: apiv1.PureEd25519,
}}, nil, true}, }}, nil, true},
{"fail unknown", setupSoftHSM2, args{&apiv1.CreateKeyRequest{ {"fail unknown", args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=9999;object=rsa-create-key", Name: "pkcs11:id=9999;object=rsa-create-key",
SignatureAlgorithm: apiv1.SignatureAlgorithm(100), SignatureAlgorithm: apiv1.SignatureAlgorithm(100),
}}, nil, true}, }}, nil, true},
{"fail uri", setupSoftHSM2, args{&apiv1.CreateKeyRequest{ {"fail uri", args{&apiv1.CreateKeyRequest{
Name: "pkcs11:id=xxxx;object=https", Name: "pkcs11:id=xxxx;object=https",
SignatureAlgorithm: apiv1.SHA256WithRSAPSS, SignatureAlgorithm: apiv1.SHA256WithRSAPSS,
}}, nil, true}, }}, nil, true},
{"fail softhsm FindKeyPair", setupSoftHSM2, args{&apiv1.CreateKeyRequest{ {"fail FindKeyPair", args{&apiv1.CreateKeyRequest{
Name: "pkcs11:foo=bar",
SignatureAlgorithm: apiv1.SHA256WithRSAPSS,
}}, nil, true},
{"fail yubihsm FindKeyPair", setupYubiHSM2, args{&apiv1.CreateKeyRequest{
Name: "pkcs11:foo=bar", Name: "pkcs11:foo=bar",
SignatureAlgorithm: apiv1.SHA256WithRSAPSS, SignatureAlgorithm: apiv1.SHA256WithRSAPSS,
}}, nil, true}, }}, nil, true},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
k := tt.setup(t)
got, err := k.CreateKey(tt.args.req) got, err := k.CreateKey(tt.args.req)
if (err != nil) != tt.wantErr { if (err != nil) != tt.wantErr {
t.Errorf("PKCS11.CreateKey() error = %v, wantErr %v", err, tt.wantErr) t.Errorf("PKCS11.CreateKey() error = %v, wantErr %v", err, tt.wantErr)
@ -389,8 +286,8 @@ func TestPKCS11_CreateKey(t *testing.T) {
} }
func TestPKCS11_CreateSigner(t *testing.T) { func TestPKCS11_CreateSigner(t *testing.T) {
k := setupPKCS11(t)
data := []byte("buggy-coheir-RUBRIC-rabbet-liberal-eaglet-khartoum-stagger") data := []byte("buggy-coheir-RUBRIC-rabbet-liberal-eaglet-khartoum-stagger")
setupSoftHSM2, setupYubiHSM2 := setupFuncs(t)
// VerifyASN1 verifies the ASN.1 encoded signature, sig, of hash using the // VerifyASN1 verifies the ASN.1 encoded signature, sig, of hash using the
// public key, pub. Its return value records whether the signature is valid. // public key, pub. Its return value records whether the signature is valid.
@ -415,61 +312,39 @@ func TestPKCS11_CreateSigner(t *testing.T) {
} }
tests := []struct { tests := []struct {
name string name string
setup func(t *testing.T) *PKCS11
args args args args
algorithm apiv1.SignatureAlgorithm algorithm apiv1.SignatureAlgorithm
signerOpts crypto.SignerOpts signerOpts crypto.SignerOpts
wantErr bool wantErr bool
}{ }{
// SoftHSM2 // SoftHSM2
{"softhsm RSA", setupSoftHSM2, args{&apiv1.CreateSignerRequest{ {"RSA", args{&apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7371;object=rsa-key", SigningKey: "pkcs11:id=7371;object=rsa-key",
}}, apiv1.SHA256WithRSA, crypto.SHA256, false}, }}, apiv1.SHA256WithRSA, crypto.SHA256, false},
{"softhsm RSA PSS", setupSoftHSM2, args{&apiv1.CreateSignerRequest{ {"RSA PSS", args{&apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7371;object=rsa-key", SigningKey: "pkcs11:id=7371;object=rsa-key",
}}, apiv1.SHA256WithRSA, crypto.SHA256, false}, }}, apiv1.SHA256WithRSA, crypto.SHA256, false},
{"softhsm ECDSA P256", setupSoftHSM2, args{&apiv1.CreateSignerRequest{ {"ECDSA P256", args{&apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7373;object=ecdsa-p256-key", SigningKey: "pkcs11:id=7373;object=ecdsa-p256-key",
}}, apiv1.ECDSAWithSHA256, crypto.SHA256, false}, }}, apiv1.ECDSAWithSHA256, crypto.SHA256, false},
{"softhsm ECDSA P384", setupSoftHSM2, args{&apiv1.CreateSignerRequest{ {"ECDSA P384", args{&apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7374;object=ecdsa-p384-key", SigningKey: "pkcs11:id=7374;object=ecdsa-p384-key",
}}, apiv1.ECDSAWithSHA384, crypto.SHA384, false}, }}, apiv1.ECDSAWithSHA384, crypto.SHA384, false},
{"softhsm ECDSA P521", setupSoftHSM2, args{&apiv1.CreateSignerRequest{ {"ECDSA P521", args{&apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7375;object=ecdsa-p521-key", SigningKey: "pkcs11:id=7375;object=ecdsa-p521-key",
}}, apiv1.ECDSAWithSHA512, crypto.SHA512, false}, }}, apiv1.ECDSAWithSHA512, crypto.SHA512, false},
// YubiHSM2 {"fail SigningKey", args{&apiv1.CreateSignerRequest{
{"yubihsm RSA", setupYubiHSM2, args{&apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7371;object=rsa-key",
}}, apiv1.SHA256WithRSA, crypto.SHA256, false},
{"yubihsm RSA PSS", setupYubiHSM2, args{&apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7371;object=rsa-key",
}}, apiv1.SHA256WithRSA, crypto.SHA256, false},
{"yubihsm ECDSA P256", setupYubiHSM2, args{&apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7373;object=ecdsa-p256-key",
}}, apiv1.ECDSAWithSHA256, crypto.SHA256, false},
{"yubihsm ECDSA P384", setupYubiHSM2, args{&apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7374;object=ecdsa-p384-key",
}}, apiv1.ECDSAWithSHA384, crypto.SHA384, false},
{"yubihsm ECDSA P521", setupYubiHSM2, args{&apiv1.CreateSignerRequest{
SigningKey: "pkcs11:id=7375;object=ecdsa-p521-key",
}}, apiv1.ECDSAWithSHA512, crypto.SHA512, false},
// Errors
{"fail SigningKey", setupSoftHSM2, args{&apiv1.CreateSignerRequest{
SigningKey: "", SigningKey: "",
}}, 0, nil, true}, }}, 0, nil, true},
{"fail uri", setupSoftHSM2, args{&apiv1.CreateSignerRequest{ {"fail uri", args{&apiv1.CreateSignerRequest{
SigningKey: "https:id=7375;object=ecdsa-p521-key", SigningKey: "https:id=7375;object=ecdsa-p521-key",
}}, 0, nil, true}, }}, 0, nil, true},
{"fail softhsm FindKeyPair", setupSoftHSM2, args{&apiv1.CreateSignerRequest{ {"fail FindKeyPair", args{&apiv1.CreateSignerRequest{
SigningKey: "pkcs11:foo=bar",
}}, 0, nil, true},
{"fail yubihsm FindKeyPair", setupYubiHSM2, args{&apiv1.CreateSignerRequest{
SigningKey: "pkcs11:foo=bar", SigningKey: "pkcs11:foo=bar",
}}, 0, nil, true}, }}, 0, nil, true},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
k := tt.setup(t)
got, err := k.CreateSigner(tt.args.req) got, err := k.CreateSigner(tt.args.req)
if (err != nil) != tt.wantErr { if (err != nil) != tt.wantErr {
t.Errorf("PKCS11.CreateSigner() error = %v, wantErr %v", err, tt.wantErr) t.Errorf("PKCS11.CreateSigner() error = %v, wantErr %v", err, tt.wantErr)
@ -513,7 +388,7 @@ func TestPKCS11_CreateSigner(t *testing.T) {
} }
func TestPKCS11_LoadCertificate(t *testing.T) { func TestPKCS11_LoadCertificate(t *testing.T) {
setupSoftHSM2, setupYubiHSM2 := setupFuncs(t) k := setupPKCS11(t)
getCertFn := func(i, j int) func() *x509.Certificate { getCertFn := func(i, j int) func() *x509.Certificate {
return func() *x509.Certificate { return func() *x509.Certificate {
@ -526,51 +401,34 @@ func TestPKCS11_LoadCertificate(t *testing.T) {
} }
tests := []struct { tests := []struct {
name string name string
setup func(t *testing.T) *PKCS11
args args args args
wantFn func() *x509.Certificate wantFn func() *x509.Certificate
wantErr bool wantErr bool
}{ }{
{"softhsm", setupSoftHSM2, args{&apiv1.LoadCertificateRequest{ {"load", args{&apiv1.LoadCertificateRequest{
Name: "pkcs11:id=7370;object=root", Name: "pkcs11:id=7370;object=root",
}}, getCertFn(0, 0), false}, }}, getCertFn(0, 0), false},
{"softhsm by id", setupSoftHSM2, args{&apiv1.LoadCertificateRequest{ {"load by id", args{&apiv1.LoadCertificateRequest{
Name: "pkcs11:id=7370", Name: "pkcs11:id=7370",
}}, getCertFn(0, 0), false}, }}, getCertFn(0, 0), false},
{"softhsm by label", setupSoftHSM2, args{&apiv1.LoadCertificateRequest{ {"load by label", args{&apiv1.LoadCertificateRequest{
Name: "pkcs11:object=root", Name: "pkcs11:object=root",
}}, getCertFn(0, 0), false}, }}, getCertFn(0, 0), false},
{"yubihsm", setupYubiHSM2, args{&apiv1.LoadCertificateRequest{ {"fail missing", args{&apiv1.LoadCertificateRequest{
Name: "pkcs11:id=7370;object=root",
}}, getCertFn(0, 1), false},
{"yubihsm by id", setupYubiHSM2, args{&apiv1.LoadCertificateRequest{
Name: "pkcs11:id=7370",
}}, getCertFn(0, 1), false},
{"yubihsm by label", setupYubiHSM2, args{&apiv1.LoadCertificateRequest{
Name: "pkcs11:object=root",
}}, getCertFn(0, 1), false},
{"fail softhsm missing", setupSoftHSM2, args{&apiv1.LoadCertificateRequest{
Name: "pkcs11:id=9999;object=root", Name: "pkcs11:id=9999;object=root",
}}, nil, true}, }}, nil, true},
{"fail yubihsm missing", setupSoftHSM2, args{&apiv1.LoadCertificateRequest{ {"fail name", args{&apiv1.LoadCertificateRequest{
Name: "pkcs11:id=9999;object=root",
}}, nil, true},
{"fail name", setupSoftHSM2, args{&apiv1.LoadCertificateRequest{
Name: "", Name: "",
}}, nil, true}, }}, nil, true},
{"fail uri", setupSoftHSM2, args{&apiv1.LoadCertificateRequest{ {"fail uri", args{&apiv1.LoadCertificateRequest{
Name: "pkcs11:id=xxxx;object=root", Name: "pkcs11:id=xxxx;object=root",
}}, nil, true}, }}, nil, true},
{"fail softhsm FindCertificate", setupSoftHSM2, args{&apiv1.LoadCertificateRequest{ {"fail FindCertificate", args{&apiv1.LoadCertificateRequest{
Name: "pkcs11:foo=bar",
}}, nil, true},
{"fail yubihsm FindCertificate", setupYubiHSM2, args{&apiv1.LoadCertificateRequest{
Name: "pkcs11:foo=bar", Name: "pkcs11:foo=bar",
}}, nil, true}, }}, nil, true},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
k := tt.setup(t)
got, err := k.LoadCertificate(tt.args.req) got, err := k.LoadCertificate(tt.args.req)
if (err != nil) != tt.wantErr { if (err != nil) != tt.wantErr {
t.Errorf("PKCS11.LoadCertificate() error = %v, wantErr %v", err, tt.wantErr) t.Errorf("PKCS11.LoadCertificate() error = %v, wantErr %v", err, tt.wantErr)
@ -590,7 +448,7 @@ func TestPKCS11_LoadCertificate(t *testing.T) {
} }
func TestPKCS11_StoreCertificate(t *testing.T) { func TestPKCS11_StoreCertificate(t *testing.T) {
setupSoftHSM2, setupYubiHSM2 := setupFuncs(t) k := setupPKCS11(t)
pub, priv, err := ed25519.GenerateKey(rand.Reader) pub, priv, err := ed25519.GenerateKey(rand.Reader)
if err != nil { if err != nil {
@ -607,42 +465,32 @@ func TestPKCS11_StoreCertificate(t *testing.T) {
} }
tests := []struct { tests := []struct {
name string name string
setup func(t *testing.T) *PKCS11
args args args args
wantErr bool wantErr bool
}{ }{
{"softhsm", setupSoftHSM2, args{&apiv1.StoreCertificateRequest{ {"ok", args{&apiv1.StoreCertificateRequest{
Name: "pkcs11:id=7771;object=root", Name: "pkcs11:id=7771;object=root",
Certificate: cert, Certificate: cert,
}}, false}, }}, false},
{"yubihsm", setupYubiHSM2, args{&apiv1.StoreCertificateRequest{ {"fail name", args{&apiv1.StoreCertificateRequest{
Name: "pkcs11:id=7771;object=root",
Certificate: cert,
}}, false},
{"fail name", setupSoftHSM2, args{&apiv1.StoreCertificateRequest{
Name: "", Name: "",
Certificate: cert, Certificate: cert,
}}, true}, }}, true},
{"fail certificate", setupSoftHSM2, args{&apiv1.StoreCertificateRequest{ {"fail certificate", args{&apiv1.StoreCertificateRequest{
Name: "pkcs11:id=7771;object=root", Name: "pkcs11:id=7771;object=root",
Certificate: nil, Certificate: nil,
}}, true}, }}, true},
{"fail uri", setupSoftHSM2, args{&apiv1.StoreCertificateRequest{ {"fail uri", args{&apiv1.StoreCertificateRequest{
Name: "http:id=7771;object=root", Name: "http:id=7771;object=root",
Certificate: cert, Certificate: cert,
}}, true}, }}, true},
{"fail softhsm ImportCertificateWithLabel", setupSoftHSM2, args{&apiv1.StoreCertificateRequest{ {"fail ImportCertificateWithLabel", args{&apiv1.StoreCertificateRequest{
Name: "pkcs11:foo=bar",
Certificate: cert,
}}, true},
{"fail yubihsm ImportCertificateWithLabel", setupYubiHSM2, args{&apiv1.StoreCertificateRequest{
Name: "pkcs11:foo=bar", Name: "pkcs11:foo=bar",
Certificate: cert, Certificate: cert,
}}, true}, }}, true},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
k := tt.setup(t)
if err := k.StoreCertificate(tt.args.req); (err != nil) != tt.wantErr { if err := k.StoreCertificate(tt.args.req); (err != nil) != tt.wantErr {
t.Errorf("PKCS11.StoreCertificate() error = %v, wantErr %v", err, tt.wantErr) t.Errorf("PKCS11.StoreCertificate() error = %v, wantErr %v", err, tt.wantErr)
} }

126
kms/pkcs11/setup_test.go
View file

@ -8,24 +8,17 @@ import (
"crypto/x509" "crypto/x509"
"crypto/x509/pkix" "crypto/x509/pkix"
"math/big" "math/big"
"runtime"
"sync"
"testing" "testing"
"time" "time"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/ThalesIgnite/crypto11"
"github.com/smallstep/certificates/kms/apiv1" "github.com/smallstep/certificates/kms/apiv1"
) )
var ( var (
softHSM2Once sync.Once testModule = ""
yubiHSM2Once sync.Once testKeys = []struct {
)
var (
testKeys = []struct {
Name string Name string
SignatureAlgorithm apiv1.SignatureAlgorithm SignatureAlgorithm apiv1.SignatureAlgorithm
Bits int Bits int
@ -68,6 +61,7 @@ func generateCertificate(pub crypto.PublicKey, signer crypto.Signer) (*x509.Cert
} }
func setup(t *testing.T, k *PKCS11) { func setup(t *testing.T, k *PKCS11) {
t.Log("Running using", testModule)
for _, tk := range testKeys { for _, tk := range testKeys {
_, err := k.CreateKey(&apiv1.CreateKeyRequest{ _, err := k.CreateKey(&apiv1.CreateKeyRequest{
Name: tk.Name, Name: tk.Name,
@ -118,118 +112,10 @@ func teardown(t *testing.T, k *PKCS11) {
} }
} }
type setupFunc func(t *testing.T) *PKCS11 func setupPKCS11(t *testing.T) *PKCS11 {
k := mustPKCS11(t)
func setupFuncs(t *testing.T) (setupFunc, setupFunc) {
var sh2, yh2 *PKCS11
t.Cleanup(func() { t.Cleanup(func() {
if sh2 != nil { k.Close()
sh2.Close()
}
if yh2 != nil {
yh2.Close()
}
}) })
setupSoftHSM2 := func(t *testing.T) *PKCS11 {
if sh2 != nil {
return sh2
}
sh2 = softHSM2(t)
return sh2
}
setupYubiHSM2 := func(t *testing.T) *PKCS11 {
if yh2 != nil {
return yh2
}
yh2 = yubiHSM2(t)
return yh2
}
return setupSoftHSM2, setupYubiHSM2
}
// softHSM2 configures a *PKCS11 KMS to be used with softHSM2. To initialize
// this tests, we should run:
// softhsm2-util --init-token --free \
// --token pkcs11-test --label pkcs11-test \
// --so-pin password --pin password
//
// To delete we should run:
// softhsm2-util --delete-token --token pkcs11-test
func softHSM2(t *testing.T) *PKCS11 {
t.Helper()
if runtime.GOARCH != "amd64" {
t.Skipf("softHSM2 test skipped on %s:%s", runtime.GOOS, runtime.GOARCH)
}
var path string
switch runtime.GOOS {
case "darwin":
path = "/usr/local/lib/softhsm/libsofthsm2.so"
case "linux":
path = "/usr/lib/softhsm/libsofthsm2.so"
default:
t.Skipf("softHSM2 test skipped on %s", runtime.GOOS)
return nil
}
p11, err := crypto11.Configure(&crypto11.Config{
Path: path,
TokenLabel: "pkcs11-test",
Pin: "password",
})
if err != nil {
t.Skipf("softHSM test skipped on %s: %v", runtime.GOOS, err)
}
k := &PKCS11{
p11: p11,
}
// Setup
softHSM2Once.Do(func() {
teardown(t, k)
setup(t, k)
})
return k
}
// yubiHSM2 configures a *PKCS11 KMS to be used with YubiHSM2. To initialize
// this tests, we should run:
// yubihsm-connector -d
func yubiHSM2(t *testing.T) *PKCS11 {
t.Helper()
if runtime.GOARCH != "amd64" {
t.Skipf("yubiHSM2 test skipped on %s:%s", runtime.GOOS, runtime.GOARCH)
}
var path string
switch runtime.GOOS {
case "darwin":
path = "/usr/local/lib/pkcs11/yubihsm_pkcs11.dylib"
case "linux":
path = "/usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so"
default:
t.Skipf("yubiHSM2 test skipped on %s", runtime.GOOS)
return nil
}
p11, err := crypto11.Configure(&crypto11.Config{
Path: path,
TokenLabel: "YubiHSM",
Pin: "0001password",
})
if err != nil {
t.Skipf("yubiHSM2 test skipped on %s: %v", runtime.GOOS, err)
}
k := &PKCS11{
p11: p11,
}
// Setup
yubiHSM2Once.Do(func() {
teardown(t, k)
setup(t, k)
})
return k return k
} }

60
kms/pkcs11/softhsm2_test.go Normal file
View file

@ -0,0 +1,60 @@
// +build softhsm2,!yubihsm2
package pkcs11
import (
"runtime"
"sync"
"testing"
"github.com/ThalesIgnite/crypto11"
)
var softHSM2Once sync.Once
// mustPKCS11 configures a *PKCS11 KMS to be used with SoftHSM2. To initialize
// this tests, we should run:
// softhsm2-util --init-token --free \
// --token pkcs11-test --label pkcs11-test \
// --so-pin password --pin password
//
// To delete we should run:
// softhsm2-util --delete-token --token pkcs11-test
func mustPKCS11(t *testing.T) *PKCS11 {
t.Helper()
testModule = "SoftHSM2"
if runtime.GOARCH != "amd64" {
t.Fatalf("softHSM2 test skipped on %s:%s", runtime.GOOS, runtime.GOARCH)
}
var path string
switch runtime.GOOS {
case "darwin":
path = "/usr/local/lib/softhsm/libsofthsm2.so"
case "linux":
path = "/usr/lib/softhsm/libsofthsm2.so"
default:
t.Skipf("softHSM2 test skipped on %s", runtime.GOOS)
return nil
}
p11, err := crypto11.Configure(&crypto11.Config{
Path: path,
TokenLabel: "pkcs11-test",
Pin: "password",
})
if err != nil {
t.Fatalf("failed to configure softHSM2 on %s: %v", runtime.GOOS, err)
}
k := &PKCS11{
p11: p11,
}
// Setup
softHSM2Once.Do(func() {
teardown(t, k)
setup(t, k)
})
return k
}

55
kms/pkcs11/yubihsm2_test.go Normal file
View file

@ -0,0 +1,55 @@
// +build !softhsm2,yubihsm2
package pkcs11
import (
"runtime"
"sync"
"testing"
"github.com/ThalesIgnite/crypto11"
)
var yubiHSM2Once sync.Once
// mustPKCS11 configures a *PKCS11 KMS to be used with YubiHSM2. To initialize
// this tests, we should run:
// yubihsm-connector -d
func mustPKCS11(t *testing.T) *PKCS11 {
t.Helper()
testModule = "YubiHSM2"
if runtime.GOARCH != "amd64" {
t.Skipf("yubiHSM2 test skipped on %s:%s", runtime.GOOS, runtime.GOARCH)
}
var path string
switch runtime.GOOS {
case "darwin":
path = "/usr/local/lib/pkcs11/yubihsm_pkcs11.dylib"
case "linux":
path = "/usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so"
default:
t.Skipf("yubiHSM2 test skipped on %s", runtime.GOOS)
return nil
}
p11, err := crypto11.Configure(&crypto11.Config{
Path: path,
TokenLabel: "YubiHSM",
Pin: "0001password",
})
if err != nil {
t.Fatalf("failed to configure yubiHSM2 on %s: %v", runtime.GOOS, err)
}
k := &PKCS11{
p11: p11,
}
// Setup
yubiHSM2Once.Do(func() {
teardown(t, k)
setup(t, k)
})
return k
}