URL: https://github.com/freeipa/freeipa/pull/3559
Author: tiran
 Title: #3559: Test HSM support with SoftHSM2
Action: opened

PR body:
"""
Test basic installation with SoftHSM2 as PKCS#11 provider for Dogtag.

Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3559/head:pr3559
git checkout pr3559
From afea92cb1745ef46b9d29bf3bc7171aa24271268 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Mon, 19 Aug 2019 10:33:13 +0200
Subject: [PATCH 1/2] Temp commit

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 .freeipa-pr-ci.yaml                        |  2 +-
 .travis.yml                                | 20 --------------------
 ipatests/prci_definitions/temp_commit.yaml |  2 +-
 3 files changed, 2 insertions(+), 22 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index abcf8c5b63..8065669008 120000
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -1 +1 @@
-ipatests/prci_definitions/gating.yaml
\ No newline at end of file
+ipatests/prci_definitions/temp_commit.yaml
\ No newline at end of file
diff --git a/.travis.yml b/.travis.yml
index d9d26d9c6d..76e76186e3 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -22,26 +22,6 @@ env:
     matrix:
         - TASK_TO_RUN="lint"
           TEST_RUNNER_CONFIG=".test_runner_config.yaml"
-        - TASK_TO_RUN="webui-unit"
-          TEST_RUNNER_CONFIG=".test_runner_config.yaml"
-        - TASK_TO_RUN="run-tests"
-          PYTHON=/usr/bin/python3
-          TEST_RUNNER_CONFIG=".test_runner_config.yaml"
-          TESTS_TO_RUN="test_xmlrpc/test_[a-k]*.py"
-        - TASK_TO_RUN="run-tests"
-          PYTHON=/usr/bin/python3
-          TEST_RUNNER_CONFIG=".test_runner_config.yaml"
-          TESTS_TO_RUN="test_cmdline
-                test_install
-                test_ipaclient
-                test_ipalib
-                test_ipaplatform
-                test_ipapython
-                test_ipaserver
-                test_ipatests_plugins
-                test_xmlrpc/test_[l-z]*.py"
-        - TASK_TO_RUN="tox"
-          TEST_RUNNER_CONFIG=".test_runner_config.yaml"
 
 before_install:
     - ip addr show
diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml
index bbcdab1ac2..637f53e618 100644
--- a/ipatests/prci_definitions/temp_commit.yaml
+++ b/ipatests/prci_definitions/temp_commit.yaml
@@ -56,7 +56,7 @@ jobs:
       class: RunPytest
       args:
         build_url: '{fedora-30/build_url}'
-        test_suite: test_integration/test_REPLACEME.py
+        test_suite: test_integration/test_hsmsupport.py
         template: *ci-master-f30
         timeout: 3600
         topology: *master_1repl_1client

From 1f53764b3722e1fe55a2c027605bac08da4b4b2f Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Mon, 19 Aug 2019 10:39:05 +0200
Subject: [PATCH 2/2] Test HSM support with SoftHSM2

Test basic installation with SoftHSM2 as PKCS#11 provider for Dogtag.

Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipatests/pytest_ipa/integration/tasks.py      |  10 +-
 ipatests/test_integration/test_hsmsupport.py  | 172 ++++++++++++++++++
 .../test_integration/test_installation.py     |   2 +-
 3 files changed, 181 insertions(+), 3 deletions(-)
 create mode 100644 ipatests/test_integration/test_hsmsupport.py

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index d09a67968b..96db14f196 100644
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -1514,10 +1514,14 @@ def run_certutil(host, args, reqdir, dbtype=None,
                             stdin_text=stdin)
 
 
-def certutil_certs_keys(host, reqdir, pwd_file, token_name=None):
+def certutil_certs_keys(host, reqdir, *, pwd_file=None, password=None,
+                        token_name=None):
     """Run certutils and get mappings of cert and key files
     """
-    base_args = ['-f', pwd_file]
+    if password is not None:
+        pwd_file = upload_temp_contents(host, password)
+    if pwd_file is not None:
+        base_args = ['-f', pwd_file]
     if token_name is not None:
         base_args.extend(['-h', token_name])
     cert_args = base_args + ['-L']
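Review bot: `base_args` is left unbound when a caller passes neither `pwd_file` nor `password`, because the new `if pwd_file is not None:` guard is now the only assignment to it, so the `base_args.extend` on the next line raises NameError for that case. Initialise it unconditionally before the guard, e.g. `base_args = []` followed by `if pwd_file is not None: base_args.extend(['-f', pwd_file])`. The docstring should also say that `password` is written to a temporary file on the host via `upload_temp_contents` and that `pwd_file` and `password` are alternatives, not meant to be combined. certutil_certs_keys continues past the end of this hunk.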
@@ -1531,6 +1535,8 @@ def certutil_certs_keys(host, reqdir, pwd_file, token_name=None):
             certs[mo.group('nick')] = mo.group('flags')
 
     result = run_certutil(host, key_args, reqdir)
+    if password is not None:
+        host.run_command(['rm', '-f', pwd_file])
     assert 'orphan' not in result.stdout_text
     keys = {}
     for line in result.stdout_text.splitlines():
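Review bot: The temporary file holding the uploaded `password` is removed only on the success path by the new `host.run_command(['rm', '-f', pwd_file])`; if `run_certutil` raises, or the `assert 'orphan'` check fails, the PIN file stays behind on the host. Put the removal in a `finally` clause guarded by `if password is not None` so the secret is cleaned up on every exit; the earlier `-L` run (presumably just above this hunk, which the `certs[...]` context line comes from) should sit inside the same `try`. Both the start and the end of certutil_certs_keys lie outside this hunk.

```python
    # … unchanged: certs parsing from the -L run …
    try:
        result = run_certutil(host, key_args, reqdir)
    finally:
        # remove the uploaded PIN file even when certutil fails
        if password is not None:
            host.run_command(['rm', '-f', pwd_file])
    assert 'orphan' not in result.stdout_text
```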
diff --git a/ipatests/test_integration/test_hsmsupport.py b/ipatests/test_integration/test_hsmsupport.py
new file mode 100644
index 0000000000..0ee4ab567a
--- /dev/null
+++ b/ipatests/test_integration/test_hsmsupport.py
@@ -0,0 +1,172 @@
+#
+# Copyright (C) 2019  FreeIPA Contributors see COPYING for license
+#
+"""HSM support for Dogtag PKI
+"""
+from __future__ import absolute_import
+
+import os
+import logging
+
+from ipaplatform.paths import paths
+from ipaplatform.constants import constants
+from ipaplatform.tasks import tasks as platformtasks
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.pytest_ipa.integration import tasks
+
+logger = logging.getLogger(__name__)
+
+SELINUX_ENABLED = platformtasks.is_selinux_enabled()
+SOFTHSM_DIR = "/var/lib/softhsm"
+TOKEN_DIR = os.path.join(SOFTHSM_DIR, "tokens")
+
+TOKEN_NAME = "softhsm_token"
+TOKEN_PIN = "TokenSecret123"
+TOKEN_SO_PIN = "TokenSOSecret123"
+
+SOFTHSM2_PKI_INI = """\
+[DEFAULT]
+pki_hsm_enable=True
+pki_hsm_libfile={libfile}
+pki_hsm_modulename=softhsm2
+pki_token_name={name}
+pki_token_password={pin}
+""".format(
+    libfile=paths.LIBSOFTHSM2_SO, name=TOKEN_NAME, pin=TOKEN_PIN
+)
+
+SOFTHSM_CMD = ["runuser", "-u", constants.PKI_USER, "--", paths.SOFTHSM2_UTIL]
+
+
+def prepare_softhsm(
+    host, token_name=TOKEN_NAME, token_pin=TOKEN_PIN, token_so_pin=TOKEN_SO_PIN
+):
+    """Prepare host for softhsm2
+    """
+    # HACK: patch Dogtag
+    # https://github.com/frasertweedale/pki/commit/443bfa1f20a0fa0d020893f0e827d7cf3e76e2f4
+    host.run_command(
+        [
+            "sed",
+            "-i",
+            r"s,token = pki\.nssdb\.normalize_token(token),,",
+            "/usr/lib/python3.7/site-packages/pki/server/deployment/pkiparser.py",
+        ]
+    )
+    # HACK: Workaround for https://pagure.io/dogtagpki/issue/3091, disable
+    # p11-kit-proxy so that Dogtag is able to install SoftHSM2 PKCS#11.
+    # host.run_command([
+    #     'rm', '-f', '/etc/crypto-policies/local.d/nss-p11-kit.config'
+    # ])
+    # host.run_command(['update-crypto-policies'])
+
+    # HACK: add pkiuser to ods group, so it can create softhsm tokens
+    # see https://bugzilla.redhat.com/show_bug.cgi?id=1625548
+    host.run_command(["usermod", "-G", constants.ODS_GROUP, "-a", constants.PKI_USER])
+    # HACK: remove existing dummy token for DNSSEC to reduce SELinux noise
+    # IPA uses different token directory for its DNSSEC keys.
+    # use sh for wildcard expansion.
+    host.run_command(["sh", "-c", "rm -rf {}".format(os.path.join(TOKEN_DIR, "*"))])
+    # HACK: change SELinux context from default named_cache_t to pki_tomcat_t
+    # to avoid AVCs for certutil and pkitool
+    host.run_command(["restorecon", "-rv", SOFTHSM_DIR])
+    # chcon_cmd = [
+    #     'chcon', '--recursive', '--verbose',
+    #     'unconfined_u:object_r:pki_tomcat_var_lib_t:s0',
+    #     SOFTHSM_DIR
+    # ]
+    # host.run_command(chcon_cmd)
+
+    # create softhsm token as pkiuser
+    cmd = list(SOFTHSM_CMD)
+    cmd.extend(
+        [
+            "--init-token",
+            "--free",
+            "--pin",
+            token_pin,
+            "--so-pin",
+            token_so_pin,
+            "--label",
+            token_name,
+        ]
+    )
+    host.run_command(cmd)
+    # HACK: chcon again
+    host.run_command(["restorecon", "-rv", SOFTHSM_DIR])
+    # host.run_command(chcon_cmd)
+
+    # verify the softhsm token
+    cmd = list(SOFTHSM_CMD)
+    cmd.append("--show-slots")
+    result = host.run_command(cmd)
+    assert token_name in result.stdout_text
+    host.run_command(["ls", "-laRZ", SOFTHSM_DIR])
+
+    # collect more files for debugging
+    host.collect_log(SOFTHSM_DIR)
+    host.collect_log(paths.CA_CS_CFG_PATH)
+
+    # upload ini override
+    pki_ini = tasks.upload_temp_contents(host, SOFTHSM2_PKI_INI)
+    return pki_ini
+
+
+class TestHSMSupport(IntegrationTest):
+    @classmethod
+    def install(cls, mh):
+        cls.pki_ini = prepare_softhsm(cls.master)
+        extra_args = ["--pki-config-override", cls.pki_ini]
+        result = tasks.install_master(
+            cls.master, setup_dns=False, extra_args=extra_args, raiseonerr=False
+        )
+        cls.debug_softhsm2(cls.master)
+        assert result.returncode == 0
+
+    @classmethod
+    def debug_softhsm2(cls, host):
+        cls.master.run_command(["ls", "-laRZ", SOFTHSM_DIR])
+        cls.master.run_command([paths.SOFTHSM2_UTIL, "--show-slots"])
+        certs, keys = tasks.certutil_certs_keys(
+            host, paths.PKI_TOMCAT_ALIAS_DIR, password=TOKEN_PIN, token_name=TOKEN_NAME
+        )
+        print(certs)
+        print(keys)
+        result = tasks.run_certutil(host, ["-L"], paths.PKI_TOMCAT_ALIAS_DIR)
+        print(result.stdout_text)
+
+    def test_hsm_certutil(self):
+        certs, keys = tasks.certutil_certs_keys(
+            self.master,
+            paths.PKI_TOMCAT_ALIAS_DIR,
+            pwd_file=paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT,
+        )
+        assert certs == {
+            "caSigningCert cert-pki-ca": "CT,C,C",
+            "auditSigningCert cert-pki-ca": ",,P",  # why P?
+            "Server-Cert cert-pki-ca": "u,u,u",
+        }
+        assert len(keys) == 1
+        serverkey = list(keys)[0]
+        assert "Server-Cert cert-pki-ca" in serverkey
+
+        certs, keys = tasks.certutil_certs_keys(
+            self.master,
+            paths.PKI_TOMCAT_ALIAS_DIR,
+            password=TOKEN_PIN,
+            token_name=TOKEN_NAME,
+        )
+        assert certs == {
+            TOKEN_NAME + ":ocspSigningCert cert-pki-ca": "u,u,u",
+            TOKEN_NAME + ":caSigningCert cert-pki-ca": "CTu,Cu,Cu",
+            TOKEN_NAME + ":subsystemCert cert-pki-ca": "u,u,u",
+            TOKEN_NAME + ":auditSigningCert cert-pki-ca": "u,u,Pu",
+        }
+        assert set(keys) == {
+            "ocspSigningCert cert-pki-ca",
+            "caSigningCert cert-pki-ca",
+            "subsystemCert cert-pki-ca",
+            "auditSigningCert cert-pki-ca",
+        }
+
+        self.master.run_command([paths.GETCERT, "list"])
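Review bot: `debug_softhsm2` takes a `host` parameter but its first two commands run on `cls.master` regardless (the `ls -laRZ` and `--show-slots` calls), so the helper ignores its argument for half of its work; both should be `host.run_command(...)`. The helper also reports via `print(certs)` / `print(keys)` while the module defines `logger` and never uses it; `logger.debug("certs: %s keys: %s", certs, keys)` keeps that output in the test log. A smaller point: `prepare_softhsm` uploads `SOFTHSM2_PKI_INI`, which embeds `pki_token_password`, as a temp file, and `install` never removes `cls.pki_ini` after `install_master` returns; a `cls.master.run_command(['rm', '-f', cls.pki_ini])` there would keep the PIN from lingering on the master. The `sed` patch in `prepare_softhsm` also hard-codes `/usr/lib/python3.7/site-packages/...`, which the HACK comment should state will break on any other Python version.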
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 6d7930d4c6..d0a1c1e5a0 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -481,7 +481,7 @@ def test_pki_certs(self):
         certs, keys = tasks.certutil_certs_keys(
             self.master,
             paths.PKI_TOMCAT_ALIAS_DIR,
-            paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT
+            pwd_file=paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT
         )
 
         expected_certs = {