Add kryoptic multislot testing setup with defaultslot test

Author: bukka

tests/helpers.sh

@@ -104,6 +104,9 @@ ptool() {
     if [ -n "$P11DEFLOGIN" ]; then
         CMDOPTS+=("${P11DEFLOGIN[@]}")
     fi
+    if [ -n "$SLOTID" ]; then
+        CMDOPTS+=("--slot=${SLOTID}")
+    fi
     CMDOPTS+=("$@")
     $CHECKER pkcs11-tool "${CMDOPTS[@]}"
 }

tests/kryoptic-init.sh

@@ -26,10 +26,12 @@ find_kryoptic \
 
 title LINE "Creating Kyroptic database"
 
+SLOTID=${SLOTID:-0}
+
 # Kryoptic configuration
 cat << EOF > "$TOKDIR/kryoptic.conf"
 [[slots]]
-slot = 0
+slot = $SLOTID
 dbtype = "sqlite"
 dbargs = "$TOKDIR/kryoptic.sql"
 #mechanisms
@@ -40,10 +42,10 @@ export TOKENLABEL="${TOKENLABEL:-Kryoptic Token}"
 export TOKENLABELURI="${TOKENLABELURI:-Kryoptic%20Token}"
 
 # init token
-pkcs11-tool --module "${P11LIB}" --init-token \
+pkcs11-tool --module "${P11LIB}" --init-token --slot $SLOTID \
     --label "${TOKENLABEL}" --so-pin "${PINVALUE}" 2>&1
 # set user pin
-pkcs11-tool --module "${P11LIB}" --so-pin "${PINVALUE}" \
+pkcs11-tool --module "${P11LIB}" --so-pin "${PINVALUE}" --slot $SLOTID \
     --login --login-type so --init-pin --pin "${PINVALUE}" 2>&1
 
 export TOKENCONFIGVARS="export KRYOPTIC_CONF=$TOKDIR/kryoptic.conf"

tests/kryoptic.multislot-init.sh

@@ -0,0 +1,65 @@
+#!/bin/bash -ex
+# Copyright (C) 2024 Jakub Zelenka <jakub.openssl@gmail.com>
+# SPDX-License-Identifier: Apache-2.0
+#
+
+export SLOTID=42
+export SLOT2ID=52
+export TOKEN2LABEL="${TOKENLABEL:-Kryoptic Token 2}"
+export TOKEN2LABELURI="${TOKENLABELURI:-Kryoptic%20Token%202}"
+export PIN2VALUE=11111111
+
+export KRYOPTIC_CONF="${TMPPDIR}/kryoptic.conf"
+cat >"${KRYOPTIC_CONF}" <<_EOF
+[[slots]]
+slot = $SLOTID
+dbtype = "sqlite"
+dbargs = "$TOKDIR/kryoptic.sql"
+#mechanisms
+[[slots]]
+slot = $SLOT2ID
+dbtype = "sqlite"
+dbargs = "${TOKDIR}/kryoptic2.sql"
+description = "Kryoptic Token 2"
+_EOF
+
+# this overrides what we define in the generic init
+export TOKENLABEL="Kryoptic Soft Token"
+export TOKENLABELURI="Kryoptic%20Soft%20Token"
+
+# the rest is the same
+source "${TESTSSRCDIR}/kryoptic-init.sh"
+
+# init token 2
+pkcs11-tool --module "${P11LIB}" --init-token --slot "${SLOT2ID}" \
+    --label "${TOKEN2LABEL}" --so-pin "${PIN2VALUE}" 2>&1
+# set user pin 2
+pkcs11-tool --module "${P11LIB}" --so-pin "${PIN2VALUE}" --slot "${SLOT2ID}" \
+    --login --login-type so --init-pin --pin "${PIN2VALUE}" 2>&1
+
+export TOKENCONFIGVARS="export KRYOPTIC_CONF=${TMPPDIR}/kryoptic.conf"
+export TESTPORT="29000"
+
+# generate RSA key
+KEYID='0201'
+URIKEYID="%02%01"
+
+pkcs11-tool --module "${P11LIB}" --slot "${SLOT2ID}" --pin "${PIN2VALUE}" \
+    --keypairgen --key-type="RSA:2048" --id="$KEYID" \
+    --label="testKey" 2>&1
+
+export BASEURI2WITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}"
+export BASEURI2="pkcs11:id=${URIKEYID}"
+export PUBURI2="pkcs11:type=public;id=${URIKEYID}"
+export PRIURI2="pkcs11:type=private;id=${URIKEYID}"
+
+title LINE "RSA PKCS11 URIS"
+echo "${BASEURI2WITHPINVALUE}"
+echo "${BASEURI2}"
+echo "${PUBURI2}"
+echo "${PRIURI2}"
+echo ""
+
+# While this works with the default DB, the NSS DB does not support this
+# attribute
+export SUPPORT_ALLOWED_MECHANISMS=0

tests/kryoptic.nss-init.sh

@@ -3,10 +3,13 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 
+export SLOTID=42
+export SLOTSCOUNT=1
+
 export KRYOPTIC_CONF="${TMPPDIR}/kryoptic.conf"
 cat >"${KRYOPTIC_CONF}" <<_EOF
 [[slots]]
-slot = 42
+slot = ${SLOTID}
 dbtype = "nssdb"
 dbargs = "configDir='${TOKDIR}' flags='passwordRequired'"
 description = "Kryoptic Soft Token"

tests/meson.build

@@ -111,6 +111,7 @@ test_programs = {
   'treadkeys': ['treadkeys.c'],
   'tcmpkeys': ['tcmpkeys.c', 'util.c'],
   'tfork': ['tfork.c', 'util.c'],
+  'trefresh': ['trefresh.c', 'util.c'],
   'tpkey': ['tpkey.c', 'util.c'],
   'pincache': ['pincache.c'],
   'ccerts': ['ccerts.c', 'util.c'],
@@ -127,7 +128,9 @@ foreach t, sources : test_programs
 endforeach
 
 setup_script=find_program('setup.sh')
-all_suites=['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']
+multi_suites=['kryoptic.multislot']
+single_suites=['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']
+all_suites=single_suites + multi_suites
 foreach suite : all_suites
   test(
     'setup',
@@ -141,35 +144,36 @@ foreach suite : all_suites
 endforeach
 
 tests = {
-  'basic': {'suites': all_suites},
+  'basic': {'suites': single_suites},
   'mldsa': {'suites': ['kryoptic']},
-  'pubkey': {'suites': all_suites},
-  'certs': {'suites': all_suites},
-  'ecc': {'suites': all_suites},
+  'pubkey': {'suites': single_suites},
+  'certs': {'suites': single_suites},
+  'ecc': {'suites': single_suites},
   'edwards': {'suites': ['softhsm', 'kryoptic', 'kryoptic.nss']},
-  'ecdh': {'suites': all_suites},
-  'democa': {'suites': all_suites, 'is_parallel': false},
-  'digest': {'suites': all_suites},
-  'fork': {'suites': all_suites},
+  'ecdh': {'suites': single_suites},
+  'democa': {'suites': single_suites, 'is_parallel': false},
+  'digest': {'suites': single_suites},
+  'fork': {'suites': single_suites},
   'oaepsha2': {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']},
   'hkdf': {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']},
   'imported' : {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']},
-  'pem_encoder': {'suites': all_suites},
-  'rsa': {'suites': all_suites},
-  'rsapss': {'suites': all_suites},
+  'pem_encoder': {'suites': single_suites},
+  'rsa': {'suites': single_suites},
+  'rsapss': {'suites': single_suites},
   'rsapssam': {'suites': ['softhsm', 'kryoptic']},
-  'genkey': {'suites': all_suites},
-  'pkey': {'suites': all_suites},
-  'session': {'suites': all_suites},
-  'skey': {'suites': all_suites},
-  'rand': {'suites': all_suites},
-  'readkeys': {'suites': all_suites},
-  'tls': {'suites': all_suites, 'is_parallel': false, 'timeout': 60},
-  'tlsfuzzer': {'suites': all_suites, 'timeout': 90},
-  'uri': {'suites': all_suites, 'timeout': 90},
+  'genkey': {'suites': single_suites},
+  'pkey': {'suites': single_suites},
+  'session': {'suites': single_suites},
+  'skey': {'suites': single_suites},
+  'rand': {'suites': single_suites},
+  'readkeys': {'suites': single_suites},
+  'tls': {'suites': single_suites, 'is_parallel': false, 'timeout': 60},
+  'tlsfuzzer': {'suites': single_suites, 'timeout': 90},
+  'uri': {'suites': single_suites, 'timeout': 90},
   'ecxc': {'suites': ['softhsm', 'kryoptic', 'kryoptic.nss']},
   'cms': {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']},
   'pinlock': {'suites': ['kryoptic']},
+  'defaultslot': {'suites': ['kryoptic.multislot']},
 }
 
 test_wrapper = find_program('test-wrapper')

tests/openssl.cnf.in

@@ -23,6 +23,7 @@ activate = 1
 [pkcs11_sect]
 module = @libtoollibs@/pkcs11@SHARED_EXT@
 pkcs11-module-token-pin = file:@PINFILE@
+#pkcs11-module-default-slot-id
 ##TOKENOPTIONS
 #pkcs11-module-encode-provider-uri-to-pem
 #pkcs11-module-allow-export

tests/setup.sh

@@ -82,6 +82,8 @@ elif [ "${TOKENTYPE}" == "kryoptic" ]; then
     source "${TESTSSRCDIR}/kryoptic-init.sh"
 elif [ "${TOKENTYPE}" == "kryoptic.nss" ]; then
     source "${TESTSSRCDIR}/kryoptic.nss-init.sh"
+elif [ "${TOKENTYPE}" == "kryoptic.multislot" ]; then
+    source "${TESTSSRCDIR}/kryoptic.multislot-init.sh"
 else
     echo "Unknown token type: $1"
     exit 1
@@ -628,6 +630,17 @@ export RSAPSS2CRTURI="${RSAPSS2CRTURI}"
 DBGSCRIPT
 fi
 
+if [ -n "${PRIURI2}" ]; then
+    cat >> "${TMPPDIR}/testvars" <<DBGSCRIPT
+
+export BASEURI2WITHPINVALUE="${BASEURI2WITHPINVALUE}"
+export BASEURI2="${BASEURI2}"
+export PUBURI2="${PUBURI2}"
+export PRIURI2="${PRIURI2}"
+DBGSCRIPT
+fi
+
+
 cat >> "${TMPPDIR}/testvars" <<DBGSCRIPT
 
 # for listing the separate pkcs11 calls

tests/tdefaultslot

@@ -0,0 +1,24 @@
+#!/bin/bash -e
+# Copyright (C) 2025 Jakub Zelenka <jakub.openssl@gmail.com>
+# SPDX-License-Identifier: Apache-2.0
+
+source "${TESTSSRCDIR}/helpers.sh"
+
+title PARA "Test PKCS11 SLOTS"
+ORIG_OPENSSL_CONF=${OPENSSL_CONF}
+sed -e "s/#pkcs11-module-default-slot-id/pkcs11-module-default-slot-id = 52/" \
+    -e "s/^pkcs11-module-token-pin.*$/pkcs11-module-token-pin = 11111111/" \
+    "${OPENSSL_CONF}" > "${OPENSSL_CONF}.defaultslot"
+export OPENSSL_CONF=${OPENSSL_CONF}.defaultslot
+
+title PARA "Sign and Verify with provided Hash and RSA"
+ossl 'dgst -sha256 -binary -out ${TMPPDIR}/sha256.bin ${SEEDFILE}'
+ossl '
+pkeyutl -sign -inkey "${PRIURI2}"
+              -in ${TMPPDIR}/sha256.bin
+              -out ${TMPPDIR}/sha256-sig.bin
+              -pkeyopt digest:sha256'
+
+$CHECKER "${TESTBLDDIR}/trefresh" "${PUBURI2}" ${SEEDFILE} "${TMPPDIR}/sha256-sig.bin"
+
+export OPENSSL_CONF=${ORIG_OPENSSL_CONF}