Hi On Tue, Jul 31, 2018 at 4:50 PM, Jakub Jelen <jjelen@xxxxxxxxxx> wrote:
> * This is useful for CI or manual running of the tests without a need
> of a physical CAC card.
> * The script goes through the whole setting of environment, soft token,
> generating testing keys, certificates and running the test suite.
Annoyingly, this isn't done as part of make check, but should be run first. This can be fixed later.
>
> Signed-off-by: Jakub Jelen <jjelen@xxxxxxxxxx>
> Reviewed-by: Robert Relyea <rrelyea@xxxxxxxxxx>
> ---
> run_tests.sh | 108 +++++++++++++++++++++++++++++++++++++++++++++++++
> tests/cert.cfg | 6 +++
> 2 files changed, 114 insertions(+)
> create mode 100755 run_tests.sh
> create mode 100644 tests/cert.cfg
>
> diff --git a/run_tests.sh b/run_tests.sh
> new file mode 100755
> index 0000000..d6ac390
> --- /dev/null
> +++ b/run_tests.sh
> @@ -0,0 +1,108 @@
> +#/bin/bash
> +
> +NSSDB=tests/hwdb
> +CONF=.softhsm2.conf
> +SOPIN="12345678"
> +PIN="77777777"
> +export GNUTLS_PIN=$PIN
> +
> +P11LIB=/usr/lib64/pkcs11/libsofthsm2.so
> +
> +generate_cert() {
> + TYPE="$1"
> + ID="$2"
> + LABEL="$3"
> +
> + # Generate key pair
> + pkcs11-tool --keypairgen --key-type="$TYPE" --login --pin=$PIN \
> + --module="$P11LIB" --label="$LABEL" --id=$ID
> +
> + if [[ "$?" -ne "0" ]]; then
> + echo "Couldn't generate $TYPE key pair"
> + return 1
> + fi
> +
> + # check type value for the PKCS#11 URI (RHEL7 is using old "object-type")
> + TYPE_KEY="type"
> + p11tool --list-all --provider="$P11LIB" --login | grep "object-type" && \
> + TYPE_KEY="object-type"
> +
> + # Generate certificate
> + certtool --generate-self-signed --outfile="$TYPE.cert" --template=tests/cert.cfg \
> + --provider="$P11LIB" --load-privkey "pkcs11:object=$LABEL;$TYPE_KEY=private" \
> + --load-pubkey "pkcs11:object=$LABEL;$TYPE_KEY=public"
> + # convert to DER:
> + openssl x509 -inform PEM -outform DER -in "$TYPE.cert" -out "$TYPE.cert.der"
> + # Write certificate
> + pkcs11-tool --write-object "$TYPE.cert.der" --type=cert --id=$ID \
> + --label="$LABEL" --module="$P11LIB"
> +
> + rm "$TYPE.cert" "$TYPE.cert.der"
> +
> + p11tool --login --provider="$P11LIB" --list-all
> +}
> +
> +# Check requirements
> +if [ ! -f $(which pkcs11-tool) ]; then
> + echo "ERROR: Need 'opensc' package to run tests"
> + exit 1
> +fi
> +if [ ! -f $(which p11tool) -o ! -f $(which certtool) ]; then
> + echo "ERROR: Need 'gnutls-utils' package to run tests"
> + exit 1
> +fi
> +if [ ! -f $(which modutil) ]; then
> + echo "ERROR: Need 'nss-tools' package to run tests"
> + exit 1
> +fi
> +if [ ! -f $(which openssl) ]; then
> + echo "ERROR: Need 'openssl' package to run tests"
> + exit 1
> +fi
> +if [ ! -f $(which softhsm2-util) ]; then
> + echo "ERROR: Need 'softhsm' package to run tests"
> + exit 1
> +fi
> +
> +
> +
> +export SOFTHSM2_CONF="$CONF"
> +# SoftHSM configuration file
> +if [ ! -f "$CONF" ]; then
> + echo "directories.tokendir = .tokens/" > $CONF
> + echo "slots.removable = true" >> $CONF
> +fi
> +
> +# SoftHSM configuration directory
> +if [ ! -d ".tokens" ]; then
> + mkdir ".tokens"
> +
> + # Init token
> + softhsm2-util --init-token --slot 0 --label "SC test" --so-pin="$SOPIN" --pin="$PIN"
> +
> + # Generate 1024b RSA Key pair
> + generate_cert "RSA:1024" "01" "RSA_auth"
> + generate_cert "RSA:1024" "02" "RSA_sign"
> +fi
> +# NSS DB
> +if [ ! -d "$NSSDB" ]; then
> + mkdir "$NSSDB"
> + modutil -create -dbdir "sql:$NSSDB" -force
> + modutil -add "SoftHSM PKCS#11" -dbdir "sql:$NSSDB" -libfile "$P11LIB" -force
> +fi
> +
> +
> +if [ "$1" == "cleanup" ]; then
> + rm -rf .tokens $CONF $NSSDB
> + exit
> +fi
> +
> +# Drop the requirement of HW slot in the libcacard:
> +sed -e 's/ || !PK11_IsHW(slot)//g' -i.backup src/vcard_emul_nss.c
This is quite a hack too! you could simply introduce an option or an environement variable for testing... If you don't address it now, please add a TODO.
> +make check
> +RV=$?
> +#restore from backup
> +mv src/vcard_emul_nss.c{.backup,}
> +make
> +
> +exit $RV
> diff --git a/tests/cert.cfg b/tests/cert.cfg
> new file mode 100644
> index 0000000..409aa93
> --- /dev/null
> +++ b/tests/cert.cfg
> @@ -0,0 +1,6 @@
> +organization = "OpenSC"
> +expiration_days = 365
> +email = "none@xxxxxxxxxxx"
> +signing_key
> +encryption_key
> +
> --
> 2.17.1
>
> _______________________________________________
> Spice-devel mailing list
> Spice-devel@xxxxxxxxxxxxxxxxxxxxx
> https://lists.freedesktop.org/mailman/listinfo/spice-devel
-- Marc-André Lureau
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel
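Review bot: The requirement checks in run_tests.sh (`if [ ! -f $(which pkcs11-tool) ]` and the four that follow it) do not fire when a tool is actually missing: on a typical Linux `which` prints nothing to stdout in that case, the test collapses to `[ ! -f ]`, and that evaluates false, so the script carries on and fails later inside token or key generation with a less obvious error. Testing the lookup itself avoids the empty expansion, for example `command -v pkcs11-tool >/dev/null 2>&1 || { echo "ERROR: Need 'opensc' package to run tests"; exit 1; }`, repeated for each tool. The first line `#/bin/bash` is also missing its `!`, so it is a plain comment rather than a shebang, and the `[[ ]]`, `==` and `{.backup,}` constructs then depend on whichever shell happens to execute the file; `#!/bin/bash` makes that explicit.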