41 #define token_name "Test Token"
52 while ((e = ERR_get_error()))
54 msg(flags,
"OpenSSL error %lu: %s\n", e, ERR_error_string(e, NULL));
60 parse_line(
const char *line,
char **p,
const int n,
const char *file,
61 const int line_num,
int msglevel,
struct gc_arena *gc)
83 query_user_add(
char *prompt,
size_t prompt_len,
char *resp,
size_t resp_len,
bool echo)
101 const char *algorithm)
144 assert(
sizeof(certs_local) ==
sizeof(
certs));
145 memcpy(
certs, certs_local,
sizeof(certs_local));
151 const unsigned int flags,
const char *unused)
166 msg(
M_NONFATAL,
"ERROR: get_user_pass called with unknown request <%s> ignored\n", prefix);
177 assert_true(capacity >= EVP_MD_size(EVP_sha1()));
178 assert_int_equal(X509_digest(x509, EVP_sha1(),
hash, NULL), 1);
181 #if defined(HAVE_XKEY_PROVIDER)
203 fail_msg(
"make tmpfile using template <%s> failed (error = %d)",
softhsm2_conf_path, errno);
207 assert_int_equal(
write(fd, config, strlen(config)), strlen(config));
218 argv_printf(&a,
"%s --init-token --free --label \"%s\" --so-pin %s --pin %s",
223 char cert[] =
"cert_XXXXXX";
224 char key[] =
"key_XXXXXX";
225 int cert_fd = mkstemp(cert);
226 int key_fd = mkstemp(
key);
227 if (cert_fd < 0 || key_fd < 0)
229 fail_msg(
"make tmpfile for certificate or key data failed (error = %d)", errno);
235 BIO *buf = BIO_new_mem_buf(c->cert, -1);
239 x509 = PEM_read_bio_X509(buf, NULL, NULL, NULL);
242 assert_non_null(x509);
248 assert_int_equal(
write(cert_fd, c->cert, strlen(c->cert)), strlen(c->cert));
249 assert_int_equal(
write(key_fd, c->key, strlen(c->key)), strlen(c->key));
254 argv_printf(&a,
"%s --provider %s --load-certificate %s --label \"%s\" --id %08x --login --write",
255 P11TOOL_PATH, SOFTHSM2_MODULE_PATH, cert, c->friendly_name,
num_certs+1);
260 argv_printf(&a,
"%s --provider %s --load-privkey %s --label \"%s\" --id %08x --login --write",
261 P11TOOL_PATH, SOFTHSM2_MODULE_PATH,
key, c->friendly_name,
num_certs+1);
264 assert_int_equal(ftruncate(cert_fd, 0), 0);
265 assert_int_equal(ftruncate(key_fd, 0), 0);
301 #if defined(HAVE_XKEY_PROVIDER)
304 prov[0] = OSSL_PROVIDER_load(
tls_libctx,
"default");
305 OSSL_PROVIDER_add_builtin(
tls_libctx,
"ovpn.xkey", xkey_provider_init);
306 prov[1] = OSSL_PROVIDER_load(
tls_libctx,
"ovpn.xkey");
307 assert_non_null(prov[1]);
310 EVP_set_default_properties(
tls_libctx,
"?provider!=ovpn.xkey");
312 pkcs11_initialize(
true, 0);
313 pkcs11_addProvider(SOFTHSM2_MODULE_PATH,
false, 0,
false);
321 #if defined(HAVE_XKEY_PROVIDER)
322 for (
size_t i = 0; i <
SIZE(prov); i++)
326 OSSL_PROVIDER_unload(prov[i]);
343 return c->
cert ? c : NULL;
353 int n = pkcs11_management_id_count();
356 for (
int i = 0; i < n; i++)
363 if (!pkcs11_management_id_get(i, &
p11_id, &base64))
365 fail_msg(
"Failed to get pkcs11-id for index (%d) from pkcs11-helper", i);
368 unsigned char *der = malloc(strlen(base64));
369 assert_non_null(der);
372 assert_true(derlen > 0);
374 const unsigned char *ppin = der;
375 assert_non_null(d2i_X509(&x509, &ppin, derlen));
391 fail_msg(
"Certificate <%s> not enumerated by pkcs11-helper", c->friendly_name);
407 #ifdef HAVE_XKEY_PROVIDER
410 tls_ctx.
ctx = SSL_CTX_new(SSLv23_client_method());
418 tls_ctx_use_pkcs11(&tls_ctx, 1, NULL);
423 tls_ctx_use_pkcs11(&tls_ctx, 0, c->p11_id);
427 X509 *x509 = SSL_CTX_get0_certificate(tls_ctx.
ctx);
428 assert_non_null(x509);
430 assert_memory_equal(sha1, c->hash,
HASHSIZE);
434 EVP_PKEY *privkey = SSL_CTX_get0_privatekey(tls_ctx.
ctx);
435 assert_non_null(pubkey);
436 assert_non_null(privkey);
437 #ifdef HAVE_XKEY_PROVIDER
441 if (!SSL_CTX_check_private_key(tls_ctx.
ctx))
443 fail_msg(
"Certificate and private key in ssl_ctx do not match for <%s>", c->friendly_name);
447 SSL_CTX_free(tls_ctx.
ctx);
462 const struct CMUnitTest tests[] = {
470 int ret = cmocka_run_group_tests_name(
"pkcs11_tests", tests,
init,
cleanup);
void query_user_clear(void)
Wipes all data put into all of the query_user structs.
static const char *const cert2
int openvpn_base64_decode(const char *str, void *data, int size)
static int setup_pkcs11(void **state)
static const char *const cert1
char * x509_get_subject(openvpn_x509_cert_t *cert, struct gc_arena *gc)
static const char * pkcs11_id_current
void env_set_destroy(struct env_set *es)
static const char *const key1
void argv_free(struct argv *a)
Frees all memory allocated by the struct argv related functions.
int parse_line(const char *line, char **p, const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc)
const char *const friendly_name
static char softhsm2_tokens_path[]
Container for unidirectional cipher and HMAC key material.
static void sha1_fingerprint(X509 *x509, uint8_t *hash, int capacity)
int openvpn_execve_check(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *error_message)
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
static struct test_cert certs[5]
#define SSL_CTX_new_ex(libctx, propq, method)
Reduce SSL_CTX_new_ex() to SSL_CTX_new() for OpenSSL < 3.
static int teardown_pkcs11(void **state)
struct management * management
static EVP_PKEY * X509_get0_pubkey(const X509 *x)
Get the public key from an X509 certificate.
void crypto_print_openssl_errors(const unsigned int flags)
Retrieve any OpenSSL errors that have occurred and print them.
static const char *const cname2
static const char *const cname3
static const char *const key3
void query_user_add(char *prompt, size_t prompt_len, char *resp, size_t resp_len, bool echo)
Adds an item to ask the user for.
struct env_set * env_set_create(struct gc_arena *gc)
char * management_query_pk_sig(struct management *man, const char *b64_data, const char *algorithm)
static void test_pkcs11_ids(void **state)
static const char *const cname1
Garbage collection arena used to keep track of dynamically allocated memory.
void setenv_str(struct env_set *es, const char *name, const char *value)
static int init(void **state)
static void strncpynt(char *dest, const char *src, size_t maxlen)
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
bool get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags, const char *unused)
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
int digest_sign_verify(EVP_PKEY *privkey, EVP_PKEY *pubkey)
Structure that wraps the TLS context.
bool openvpn_snprintf(char *str, size_t size, const char *format,...)
static void test_tls_ctx_use_pkcs11(void **state)
#define GET_USER_PASS_PASSWORD_ONLY
static struct test_cert * lookup_cert_byhash(uint8_t *sha1)
OSSL_LIB_CTX * tls_libctx
static char softhsm2_conf_path[]
char password[USER_PASS_LEN]
bool query_user_exec_builtin(void)
Executes a configured setup, using the built-in method for querying the user.
void purge_user_pass(struct user_pass *up, const bool force)
#define GET_USER_PASS_NEED_STR
static bool pkcs11_id_management
static void test_tls_ctx_use_pkcs11__management(void **state)
static const char *const cert4
static const char *const cert3
static int cleanup(void **state)