Re: [PATCH v2 7/8] tests: Extend sign_verify test with pkcs11-specific test

[PATCH v2 0/8] ima-evm-utils: Add support for signing with pkcs11 URIs · Stefan Berger <hidden> · 2021-08-10
[PATCH v2 2/8] evmctl: Handle engine initialization properly · Stefan Berger <hidden> · 2021-08-10
Re: [PATCH v2 2/8] evmctl: Handle engine initialization properly · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-03
[PATCH v2 3/8] evmctl: Move code setting up engine to own funtion · Stefan Berger <hidden> · 2021-08-10
Re: [PATCH v2 3/8] evmctl: Move code setting up engine to own funtion · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-03
[PATCH v2 7/8] tests: Extend sign_verify test with pkcs11-specific test · Stefan Berger <hidden> · 2021-08-10
Re: [PATCH v2 7/8] tests: Extend sign_verify test with pkcs11-specific test · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-03
Re: [PATCH v2 7/8] tests: Extend sign_verify test with pkcs11-specific test · Stefan Berger <stefanb@linux.ibm.com> · 2021-09-03
[PATCH v2 5/8] evmctl: Setup the pkcs11 engine if key has pkcs11: prefix · Stefan Berger <hidden> · 2021-08-10
Re: [PATCH v2 5/8] evmctl: Setup the pkcs11 engine if key has pkcs11: prefix · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-03
[PATCH v2 8/8] tests: Get the packages for pkcs11 testing on the CI/CD system · Stefan Berger <hidden> · 2021-08-10
Re: [PATCH v2 8/8] tests: Get the packages for pkcs11 testing on the CI/CD system · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-03
Re: [PATCH v2 8/8] tests: Get the packages for pkcs11 testing on the CI/CD system · Stefan Berger <stefanb@linux.ibm.com> · 2021-09-03
[PATCH v2 6/8] libimaevm: Add support for pkcs11 private keys for signing a v2 hash · Stefan Berger <hidden> · 2021-08-10
Re: [PATCH v2 6/8] libimaevm: Add support for pkcs11 private keys for signing a v2 hash · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-03
[PATCH v2 1/8] evmctl: Implement support for EVMCTL_KEY_PASSWORD environment variable · Stefan Berger <hidden> · 2021-08-10
Re: [PATCH v2 1/8] evmctl: Implement support for EVMCTL_KEY_PASSWORD environment variable · Mimi Zohar <zohar@linux.ibm.com> · 2021-08-27
Re: [PATCH v2 1/8] evmctl: Implement support for EVMCTL_KEY_PASSWORD environment variable · Vitaly Chikunov <hidden> · 2021-09-04
[PATCH v2 4/8] evmctl: Extend libimaevm_params with ENGINE field and use it · Stefan Berger <hidden> · 2021-08-10
Re: [PATCH v2 4/8] evmctl: Extend libimaevm_params with ENGINE field and use it · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-03
Re: [PATCH v2 0/8] ima-evm-utils: Add support for signing with pkcs11 URIs · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-03

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2021-09-03 19:11:41

Hi Stefan,

On Tue, 2021-08-10 at 09:45 -0400, Stefan Berger wrote:

From: Stefan Berger <stefanb@linux.ibm.com>

Extend the sign_verify test with a pkcs11-specific test.
Import softhsm_setup script from my swtpm project and contribute
it to this porject under dual license BSD 3-clause and GLP 2.0.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Up to here, the patches were nicely split up.  Just from reading the
patch description, this patch needs to be split up.

quoted hunk ↗ jump to hunk

---
 tests/functions.sh     |  26 ++++
 tests/sign_verify.test |  50 +++++--
 tests/softhsm_setup    | 290 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 352 insertions(+), 14 deletions(-)
 create mode 100755 tests/softhsm_setup

diff --git a/tests/functions.sh b/tests/functions.sh
index 91cd5d9..cbb7ea4 100755
--- a/tests/functions.sh
+++ b/tests/functions.sh

@@ -272,3 +272,29 @@ _report_exit() {
   fi
 }
 
+_at_exit() {
+  _report_exit
+  if [ -n "${WORKDIR}" ]; then
+    rm -f "${WORKDIR}"
+  fi
+}
+

It would be nice to have a function comment here.

+_softhsm_setup() {
+  local workdir="$1"
+

${WORKDIR} is being passed as a parameter.  Why is a local environment
variable needed?

+  local msg
+
+  export SOFTHSM_SETUP_CONFIGDIR="${workdir}"
+  export SOFTHSM2_CONF="${workdir}/softhsm2.conf"
+
+  msg=$(./softhsm_setup setup 2>&1)
+  if [ $? -eq 0 ]; then
+    echo "softhsm_setup setup succeeded: $msg"
+    PKCS11_KEYURI=$(echo $msg | sed -n 's|^keyuri: \(.*\)|\1|p')
+
+    export OPENSSL_ENGINE="-engine pkcs11"
+    export OPENSSL_KEYFORM="-keyform engine"
+  else
+    echo "softhsm_setup setup failed: ${msg}"
+  fi

Should there be a test checking that softhsm_setup is installed before
using it?   If it's not installed, then the test is "skipped".

quoted hunk ↗ jump to hunk

+}

diff --git a/tests/sign_verify.test b/tests/sign_verify.test
index 3b42eec..369765e 100755
--- a/tests/sign_verify.test
+++ b/tests/sign_verify.test

@@ -28,7 +28,8 @@ fi
 
 ./gen-keys.sh >/dev/null 2>&1
 
-trap _report_exit EXIT
+trap _at_exit EXIT
+WORKDIR=$(mktemp -d)
 set -f # disable globbing
 
 # Determine keyid from a cert

@@ -132,11 +133,16 @@ check_sign() {
   # OPTS (additional options for evmctl),
   # FILE (working file to sign).
   local "$@"
-  local KEY=${KEY%.*}.key
+  local key verifykey

Agreed, don't modify the global variable, use a local one.  Making this
a separate patch, would simplify review.

thanks,

Mimi

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help