authorLinus Nordberg <linus@sunet.se>2019-06-11 16:53:20 +0200
committerLinus Nordberg <linus@sunet.se>2019-06-11 16:53:20 +0200
commit2c2f5456f1277eb431ba6662eeb3de74415fc6ef (patch)
treef807d8eeaf8d6b654344ec26eb1bf56858ef2723
parent6b1fdac9efa0142b5550e35199e10917f89255d8 (diff)
add targets for signing and verifying over p11-kit-client.so
-rw-r--r--src/tests/Makefile34
-rwxr-xr-xsrc/tests/do-sign.sh13
-rwxr-xr-xsrc/tests/do-verify.sh13
-rw-r--r--src/tests/openssl.direct.cnf (renamed from src/tests/openssl.cnf)0
-rw-r--r--src/tests/openssl.p11p.cnf11
5 files changed, 61 insertions, 10 deletions
diff --git a/src/tests/Makefile b/src/tests/Makefile
index 5080813..a1003bf 100644
--- a/src/tests/Makefile
+++ b/src/tests/Makefile
@@ -1,12 +1,20 @@
+# Required packages (Debian 9/stretch):
+# libengine-pkcs11-openssl: /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
+# softhsm2: /usr/bin/softhsm2-util
+# gnutls-bin: /usr/bin/p11tool
+# openssl: /usr/bin/openssl
+
TEXT = "A foo is a bar"
SOFTHSM = /usr/bin/softhsm2-util
+SOFTHSM_PROVIDER = /usr/lib/softhsm/libsofthsm2.so
+P11P_PROVIDER = /home/linus/usr/lib/pkcs11/p11-kit-client.so
+
+p11p-softhsm: testsig.hsm.p11p.pem
+ ./do-verify.sh ./openssl.p11p.cnf $(P11P_PROVIDER) $< "$(TEXT)"
+
direct-softhsm: testsig.hsm.pem
- ( \
- OPENSSL_CONF=./openssl.cnf; \
- tokenurl=$$(p11tool --login --provider=/usr/lib/softhsm/libsofthsm2.so --list-token-urls); \
- echo $(TEXT) | openssl dgst -sha256 -engine pkcs11 -keyform ENGINE -prverify $$tokenurl -signature $< | egrep "^Verified OK$$"; \
- )
+ ./do-verify.sh ./openssl.direct.cnf $(SOFTHSM_PROVIDER) $< "$(TEXT)"
softhsm-token-setup: softhsm-token-setup.stamp
softhsm-token-setup.stamp: softhsm/tokens testkey.pkcs8
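Review bot: `P11P_PROVIDER` points into one developer's home directory (`/home/linus/usr/lib/pkcs11/p11-kit-client.so`), and the same path is repeated as `MODULE_PATH` in the new openssl.p11p.cnf, so on any other machine the p11p targets either fail or load whatever file sits at that path. A PKCS#11 module is native code loaded into the process that logs in to the token, so the path should be explicit and overridable, for example `P11P_PROVIDER ?= $(HOME)/usr/lib/pkcs11/p11-kit-client.so`. With two copies of the path, p11tool (which gets the Makefile value) and the OpenSSL engine (which reads the cnf) can end up loading different modules, so the cnf would be better off taking the path from one place. The "Required packages" comment could also say where p11-kit-client.so is expected to come from.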
@@ -32,11 +40,17 @@ testkey.pem:
testsig.local.pem: testkey.pem
echo $(TEXT) | openssl dgst -sha256 -sign testkey.pem -out $@
-testsig.hsm.pem: softhsm-token-setup openssl.cnf
- ( \
- OPENSSL_CONF=./openssl.cnf; \
- tokenurl=$$(p11tool --login --provider=/usr/lib/softhsm/libsofthsm2.so --list-token-urls); \
- echo $(TEXT) | openssl dgst -sha256 -engine pkcs11 -keyform ENGINE -sign $$tokenurl -out $@; \
+testsig.hsm.pem: softhsm-token-setup
+ ./do-sign.sh ./openssl.direct.cnf $(SOFTHSM_PROVIDER) $@ "$(TEXT)"
+
+testsig.hsm.p11p.pem: server-running
+ ./do-sign.sh ./openssl.p11p.cnf $(P11P_PROVIDER) $@ "$(TEXT)"
+
+server-running:
+ ( tokenurl=$$(p11tool --login --provider=$(SOFTHSM_PROVIDER) --list-token-urls); \
+# FIXME: use env printed to 'p11-kit server --kill', at some point
+# eval p11-kit server --provider $(SOFTHSM_PROVIDER) $$tokenurl; \
+ p11-kit server --provider $(SOFTHSM_PROVIDER) $$tokenurl; \
)
clean:
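Review bot: In `server-running`, the two `#` lines sit inside a backslash-continued subshell, and as rendered here they start at column 0. The FIXME line has no trailing backslash, so the recipe most likely ends there with the `(` still open, and the commented-out `eval` line then swallows the real `p11-kit server` call and the closing `)` through its own continuation. Moving the FIXME above the rule and writing the recipe as one line avoids this: `p11-kit server --provider $(SOFTHSM_PROVIDER) "$$(p11tool --login --provider=$(SOFTHSM_PROVIDER) --list-token-urls)"`. Separately, the environment the server prints is dropped, so do-sign.sh in `testsig.hsm.p11p.pem` has no way to learn the socket address. Nothing stops the server afterwards either, which leaves the token exported over that socket after the test run; a stop target would be worth adding alongside the FIXME.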
diff --git a/src/tests/do-sign.sh b/src/tests/do-sign.sh
new file mode 100755
index 0000000..3e78560
--- /dev/null
+++ b/src/tests/do-sign.sh
@@ -0,0 +1,13 @@
+#! /bin/sh
+
+set -eu
+
+OPENSSL_CONF="$1"; shift
+P11_PROVIDER="$1"; shift
+SIGFILE="$1"; shift
+TEXT="$1"; shift
+
+tokenurl="$(p11tool --login --provider=$P11_PROVIDER --list-token-urls)"
+echo $TEXT | \
+ openssl dgst -sha256 -engine pkcs11 -keyform ENGINE -sign "$tokenurl" \
+ -out $SIGFILE
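Review bot: `OPENSSL_CONF="$1"` sets a plain shell variable that is never exported, so unless OPENSSL_CONF is already in the caller's environment, `openssl dgst` reads the system default configuration and the cnf passed from the Makefile has no effect; do-verify.sh has the same lines. The p11p targets could then pass without ever loading p11-kit-client.so. Adding `export OPENSSL_CONF` after the assignment fixes it. `$P11_PROVIDER`, `$TEXT` and `$SIGFILE` are also expanded unquoted in both scripts, so a value containing whitespace or glob characters is split or expanded; `printf '%s\n' "$TEXT"` and `-out "$SIGFILE"` keep the signed bytes and the output path equal to the arguments.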
diff --git a/src/tests/do-verify.sh b/src/tests/do-verify.sh
new file mode 100755
index 0000000..a67a982
--- /dev/null
+++ b/src/tests/do-verify.sh
@@ -0,0 +1,13 @@
+#! /bin/sh
+
+set -eu
+
+OPENSSL_CONF="$1"; shift
+P11_PROVIDER="$1"; shift
+SIGFILE="$1"; shift
+TEXT="$1"; shift
+
+tokenurl="$(p11tool --login --provider=$P11_PROVIDER --list-token-urls)"
+echo $TEXT | \
+ openssl dgst -sha256 -engine pkcs11 -keyform ENGINE \
+ -prverify "$tokenurl" -signature $SIGFILE | egrep "^Verified OK$"
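Review bot: The pass/fail decision rests on `egrep "^Verified OK$"`, and `egrep` is an obsolescent alias that newer GNU grep warns about; `grep -x 'Verified OK'` is the portable spelling of the same whole-line match. The output of `--list-token-urls` is also passed as a single `-prverify` argument, so if p11tool ever lists more than one token the value holds several lines and it is unclear which key, if any, gets used. A check that exactly one URL came back would make that failure explicit; the same applies to do-sign.sh.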
diff --git a/src/tests/openssl.cnf b/src/tests/openssl.direct.cnf
index a1add57..a1add57 100644
--- a/src/tests/openssl.cnf
+++ b/src/tests/openssl.direct.cnf
diff --git a/src/tests/openssl.p11p.cnf b/src/tests/openssl.p11p.cnf
new file mode 100644
index 0000000..30272c7
--- /dev/null
+++ b/src/tests/openssl.p11p.cnf
@@ -0,0 +1,11 @@
+openssl_conf = openssl_init
+
+[openssl_init]
+engines=engine_section
+
+[engine_section]
+pkcs11 = pkcs11_section
+
+[pkcs11_section]
+dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
+MODULE_PATH = /home/linus/usr/lib/pkcs11/p11-kit-client.so