2021-09-07 18:35:51 +00:00
|
|
|
//go:build cgo
|
2021-01-28 04:17:14 +00:00
|
|
|
// +build cgo
|
|
|
|
|
|
|
|
package pkcs11
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto"
|
|
|
|
"crypto/rand"
|
|
|
|
"crypto/x509"
|
|
|
|
"crypto/x509/pkix"
|
|
|
|
"math/big"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/pkg/errors"
|
|
|
|
"github.com/smallstep/certificates/kms/apiv1"
|
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
2021-01-29 03:48:08 +00:00
|
|
|
testModule = ""
|
|
|
|
testObject = "pkcs11:id=7370;object=test-name"
|
2021-10-29 02:45:19 +00:00
|
|
|
testObjectAlt = "pkcs11:id=7377;object=alt-test-name"
|
2021-01-29 03:48:08 +00:00
|
|
|
testObjectByID = "pkcs11:id=7370"
|
|
|
|
testObjectByLabel = "pkcs11:object=test-name"
|
|
|
|
testKeys = []struct {
|
2021-01-28 04:17:14 +00:00
|
|
|
Name string
|
|
|
|
SignatureAlgorithm apiv1.SignatureAlgorithm
|
|
|
|
Bits int
|
|
|
|
}{
|
|
|
|
{"pkcs11:id=7371;object=rsa-key", apiv1.SHA256WithRSA, 2048},
|
|
|
|
{"pkcs11:id=7372;object=rsa-pss-key", apiv1.SHA256WithRSAPSS, DefaultRSASize},
|
|
|
|
{"pkcs11:id=7373;object=ecdsa-p256-key", apiv1.ECDSAWithSHA256, 0},
|
|
|
|
{"pkcs11:id=7374;object=ecdsa-p384-key", apiv1.ECDSAWithSHA384, 0},
|
|
|
|
{"pkcs11:id=7375;object=ecdsa-p521-key", apiv1.ECDSAWithSHA512, 0},
|
|
|
|
}
|
|
|
|
|
|
|
|
testCerts = []struct {
|
|
|
|
Name string
|
|
|
|
Key string
|
|
|
|
Certificates []*x509.Certificate
|
|
|
|
}{
|
2021-01-29 03:48:08 +00:00
|
|
|
{"pkcs11:id=7376;object=test-root", "pkcs11:id=7373;object=ecdsa-p256-key", nil},
|
2021-01-28 04:17:14 +00:00
|
|
|
}
|
|
|
|
)
|
|
|
|
|
2021-01-29 03:48:08 +00:00
|
|
|
type TBTesting interface {
|
|
|
|
Helper()
|
|
|
|
Cleanup(f func())
|
|
|
|
Log(args ...interface{})
|
|
|
|
Errorf(format string, args ...interface{})
|
|
|
|
Fatalf(format string, args ...interface{})
|
|
|
|
Skipf(format string, args ...interface{})
|
|
|
|
}
|
|
|
|
|
2021-01-28 04:17:14 +00:00
|
|
|
func generateCertificate(pub crypto.PublicKey, signer crypto.Signer) (*x509.Certificate, error) {
|
|
|
|
now := time.Now()
|
|
|
|
template := &x509.Certificate{
|
|
|
|
Subject: pkix.Name{CommonName: "Test Root Certificate"},
|
|
|
|
Issuer: pkix.Name{CommonName: "Test Root Certificate"},
|
|
|
|
IsCA: true,
|
|
|
|
MaxPathLen: 1,
|
|
|
|
KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
|
|
|
|
NotBefore: now,
|
|
|
|
NotAfter: now.Add(time.Hour),
|
|
|
|
SerialNumber: big.NewInt(100),
|
|
|
|
}
|
|
|
|
|
|
|
|
b, err := x509.CreateCertificate(rand.Reader, template, template, pub, signer)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return x509.ParseCertificate(b)
|
|
|
|
}
|
|
|
|
|
2021-01-29 03:48:08 +00:00
|
|
|
func setup(t TBTesting, k *PKCS11) {
|
2021-01-28 22:43:22 +00:00
|
|
|
t.Log("Running using", testModule)
|
2021-01-28 04:17:14 +00:00
|
|
|
for _, tk := range testKeys {
|
|
|
|
_, err := k.CreateKey(&apiv1.CreateKeyRequest{
|
|
|
|
Name: tk.Name,
|
|
|
|
SignatureAlgorithm: tk.SignatureAlgorithm,
|
|
|
|
Bits: tk.Bits,
|
|
|
|
})
|
|
|
|
if err != nil && !errors.Is(errors.Cause(err), apiv1.ErrAlreadyExists{
|
|
|
|
Message: tk.Name + " already exists",
|
|
|
|
}) {
|
|
|
|
t.Errorf("PKCS11.GetPublicKey() error = %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
for i, c := range testCerts {
|
|
|
|
signer, err := k.CreateSigner(&apiv1.CreateSignerRequest{
|
|
|
|
SigningKey: c.Key,
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
t.Errorf("PKCS11.CreateSigner() error = %v", err)
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
cert, err := generateCertificate(signer.Public(), signer)
|
|
|
|
if err != nil {
|
|
|
|
t.Errorf("x509.CreateCertificate() error = %v", err)
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
if err := k.StoreCertificate(&apiv1.StoreCertificateRequest{
|
|
|
|
Name: c.Name,
|
|
|
|
Certificate: cert,
|
2021-01-29 03:48:08 +00:00
|
|
|
}); err != nil && !errors.Is(errors.Cause(err), apiv1.ErrAlreadyExists{
|
|
|
|
Message: c.Name + " already exists",
|
|
|
|
}) {
|
2021-10-29 01:16:16 +00:00
|
|
|
t.Errorf("PKCS1.StoreCertificate() error = %v", err)
|
2021-01-28 04:17:14 +00:00
|
|
|
continue
|
|
|
|
}
|
|
|
|
testCerts[i].Certificates = append(testCerts[i].Certificates, cert)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-01-29 03:48:08 +00:00
|
|
|
func teardown(t TBTesting, k *PKCS11) {
|
|
|
|
testObjects := []string{testObject, testObjectByID, testObjectByLabel}
|
|
|
|
for _, name := range testObjects {
|
|
|
|
if err := k.DeleteKey(name); err != nil {
|
|
|
|
t.Errorf("PKCS11.DeleteKey() error = %v", err)
|
|
|
|
}
|
|
|
|
if err := k.DeleteCertificate(name); err != nil {
|
|
|
|
t.Errorf("PKCS11.DeleteCertificate() error = %v", err)
|
|
|
|
}
|
|
|
|
}
|
2021-01-28 04:17:14 +00:00
|
|
|
for _, tk := range testKeys {
|
|
|
|
if err := k.DeleteKey(tk.Name); err != nil {
|
|
|
|
t.Errorf("PKCS11.DeleteKey() error = %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
for _, tc := range testCerts {
|
|
|
|
if err := k.DeleteCertificate(tc.Name); err != nil {
|
|
|
|
t.Errorf("PKCS11.DeleteCertificate() error = %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-01-29 03:48:08 +00:00
|
|
|
func setupPKCS11(t TBTesting) *PKCS11 {
|
|
|
|
t.Helper()
|
2021-01-28 22:43:22 +00:00
|
|
|
k := mustPKCS11(t)
|
2021-01-28 04:17:14 +00:00
|
|
|
t.Cleanup(func() {
|
2021-01-28 22:43:22 +00:00
|
|
|
k.Close()
|
2021-01-28 04:17:14 +00:00
|
|
|
})
|
|
|
|
return k
|
|
|
|
}
|