1#	$OpenBSD: agent-pkcs11-cert.sh,v 1.1 2023/12/18 14:50:08 djm Exp $
2#	Placed in the Public Domain.
3
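tid="pkcs11 agent certificate test"

# Exercises certificates for PKCS#11-backed keys in ssh-agent:
#   1. token keys and their certs loaded together (ssh-add -s ... certs),
#   2. plain keys removed while the certs stay usable for signing,
#   3. certificates-only loading (ssh-add -C -s ...).
# Depends on the test-exec.sh helpers (trace/fatal/fail/skip, p11_setup,
# p11_ssh_add) and the variables they provide: $OBJ, $SSHKEYGEN, $SSHAGENT,
# $SSHADD, $TEST_SSH_PKCS11, $SSH_SOFTHSM_DIR and $EXTRA_AGENT_ARGS.

SSH_AUTH_SOCK="$OBJ/agent.sock"
export SSH_AUTH_SOCK
# Byte-wise cut/sort/diff so the key-list comparisons below are
# locale-independent.
LC_ALL=C
export LC_ALL
p11_setup || skip "No PKCS#11 library found"

rm -f $SSH_AUTH_SOCK $OBJ/agent.log
rm -f $OBJ/output_* $OBJ/expect_*
rm -f $OBJ/ca*

trace "generate CA key and certify keys"
$SSHKEYGEN -q -t ed25519 -C ca -N '' -f $OBJ/ca ||  fatal "ssh-keygen CA failed"
# Distinct serials (-z) so the three certificates are never confused.
$SSHKEYGEN -qs $OBJ/ca -I "ecdsa_key" -n $USER -z 1 ${SSH_SOFTHSM_DIR}/EC.pub ||
	fatal "certify ECDSA key failed"
$SSHKEYGEN -qs $OBJ/ca -I "rsa_key" -n $USER -z 2 ${SSH_SOFTHSM_DIR}/RSA.pub ||
	fatal "certify RSA key failed"
# Produces $OBJ/ca-cert.pub, a certificate for a key that is not on the token.
$SSHKEYGEN -qs $OBJ/ca -I "ca_ca" -n $USER -z 3 $OBJ/ca.pub ||
	fatal "certify CA key failed"

rm -f $SSH_AUTH_SOCK
trace "start agent"
${SSHAGENT} ${EXTRA_AGENT_ARGS} -d -a $SSH_AUTH_SOCK > $OBJ/agent.log 2>&1 &
AGENT_PID=$!
trap "kill $AGENT_PID" EXIT
# Wait up to ~5s for the agent socket to come up.  ssh-add -l exits 1 when
# the agent is reachable but empty (the state we expect here); any other
# status means it is not reachable yet.
for x in 0 1 2 3 4 ; do
	${SSHADD} -l > /dev/null 2>&1
	r=$?
	test $r -eq 1 && break
	sleep 1
done
if [ $r -ne 1 ]; then
	fatal "ssh-add -l did not fail with exit code 1 (got $r)"
fi

# Compare the agent's identity list against the given public key files.
# Only the type and key blob columns are compared; comments differ between
# the files and what the agent reports.  Marks the test failed on mismatch.
check_agent_list() {
	cut -d' ' -f1-2 "$@" | sort > $OBJ/expect_list
	$SSHADD -L | cut -d' ' -f1-2 | sort > $OBJ/output_list
	diff $OBJ/expect_list $OBJ/output_list ||
		fail "agent identity list does not match expected keys"
}

# Ask the agent to sign with each of the given keys and check the result.
check_signing() {
	for x in "$@" ; do
		$SSHADD -T $x || fail "Signing failed for $x"
	done
}

trace "load pkcs11 keys and certs"
# Note: deliberately contains non-cert keys and non-matching cert on commandline
# NOTE(review): $OBJ/ca.pub is a plain key, while the non-matching
# certificate generated above ($OBJ/ca-cert.pub) is never passed here;
# confirm which of the two the comment intends.
p11_ssh_add -qs ${TEST_SSH_PKCS11} \
    $OBJ/ca.pub \
    ${SSH_SOFTHSM_DIR}/EC.pub \
    ${SSH_SOFTHSM_DIR}/EC-cert.pub \
    ${SSH_SOFTHSM_DIR}/RSA.pub \
    ${SSH_SOFTHSM_DIR}/RSA-cert.pub ||
	fatal "failed to add keys"
# Verify their presence: both plain token keys and both certs, and nothing
# else (in particular nothing for the CA key, which is not on the token).
check_agent_list \
    ${SSH_SOFTHSM_DIR}/EC.pub \
    ${SSH_SOFTHSM_DIR}/RSA.pub \
    ${SSH_SOFTHSM_DIR}/EC-cert.pub \
    ${SSH_SOFTHSM_DIR}/RSA-cert.pub

# Verify that all can perform signatures.
check_signing ${SSH_SOFTHSM_DIR}/EC.pub ${SSH_SOFTHSM_DIR}/RSA.pub \
    ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub

# Delete plain keys.  The certificates wrapping the same token keys are
# separate identities and must survive the removal.
$SSHADD -qd ${SSH_SOFTHSM_DIR}/EC.pub ${SSH_SOFTHSM_DIR}/RSA.pub ||
	fail "failed to delete plain keys"
check_agent_list ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub
# Verify that certs can still perform signatures.
check_signing ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub

$SSHADD -qD >/dev/null || fatal "clear agent failed"

trace "load pkcs11 certs only"
# With -C the plain token keys must not be loaded, only their certificates.
p11_ssh_add -qCs ${TEST_SSH_PKCS11} \
    $OBJ/ca.pub \
    ${SSH_SOFTHSM_DIR}/EC.pub \
    ${SSH_SOFTHSM_DIR}/EC-cert.pub \
    ${SSH_SOFTHSM_DIR}/RSA.pub \
    ${SSH_SOFTHSM_DIR}/RSA-cert.pub ||
	fatal "failed to add keys"
# Verify their presence: certificates only.
check_agent_list ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub

# Verify that certs can perform signatures.
check_signing ${SSH_SOFTHSM_DIR}/EC-cert.pub ${SSH_SOFTHSM_DIR}/RSA-cert.pub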
93