Nginx test

.github/workflows/rust-tests.yml

@@ -52,7 +52,7 @@ jobs:
       - uses: actions/checkout@v2
 
       - name: install opensc and dependencies
-        run: apt-get update && apt-get install -y curl opensc openssl gcc xxd jq gnutls-bin
+        run: apt-get update && apt-get install -y curl opensc openssl gcc xxd jq gnutls-bin make
 
       - name: Install Rust
         uses: actions-rs/toolchain@v1
@@ -88,3 +88,8 @@ jobs:
         with:
           files: ./coverage.txt
           verbose: true
+
+      - name: build release
+        run: cargo build --release
+      - name: run fork tests
+        run: cd fork-tests && make

.gitignore

@@ -18,4 +18,5 @@ _*
 profile
 *.profraw
 coverage
-coverage.txt
+coverage.txt
+fork-tests/fork_test

README.md

@@ -45,3 +45,31 @@ RUSTFLAGS="-C target-feature=-crt-static" cargo build --release
 ## Debug Options
 
 Set the `RUST_LOG` env variable to `trace`, `debug`, `info`, `warn` or `err` to change the logging level.
+
+## Docker examples
+
+For testing and development purposes there are two examples using the PKCS11 driver with Nginx and Apache.
+
+They require each a certificate built with the `container/<server>/generate.sh`.
+
+They can be built with:
+
+```bash
+# Building the images 
+docker build -t nginx-testing -f container/nginx/Dockerfile .
+docker build -t apache-testing -f container/apache/Dockerfile .
+```
+
+Assuming that a NetHSM is runnig on localhost:8443, they can then be run with :
+
+```bash
+docker run --net=host nginx-testing:latest
+docker run --net=host apache-testing:latest
+```
+
+The NetHSM is expected to have be provisionned with the following configuration:
+
+```bash
+nitropy nethsm --host localhost:8443 --no-verify-tls provision -u 0123456789 -a Administrator
+nitropy nethsm --host localhost:8443 --no-verify-tls add-user -n Operator -u operator -p opPassphrase -r Operator
+```

container/apache/Dockerfile

@@ -1,14 +1,12 @@
-FROM rust:1.72-bookworm AS builder
+FROM docker.io/rust:1.72-bookworm AS builder
 
 WORKDIR /rust
 
-ADD .git/ /tmp/repo
-
-RUN git clone -s /tmp/repo build
+ADD '.' /rust/build
 
 RUN cd build && cargo build --release
 
-FROM httpd:2.4
+FROM docker.io/httpd:2.4
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
   libengine-pkcs11-openssl \

container/apache/generate.sh

@@ -4,10 +4,9 @@ set -e
 
 HOST='localhost:8443'
 ADMIN_ACCOUNT='admin'
-ADMIN_ACCOUNT_PWD='adminadmin'
+ADMIN_ACCOUNT_PWD='Administrator'
 
-OPENSSL_PKCS11_ENGINE_PATH="/usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so"
-NETHSM_PKCS11_LIBRARY_PATH="/usr/lib/x86_64-linux-gnu/pkcs11/libnethsm_pkcs11.so"
+NETHSM_PKCS11_LIBRARY_PATH="target/release/libnethsm_pkcs11.so"
 
 
 CREDENTIALS="${ADMIN_ACCOUNT}:${ADMIN_ACCOUNT_PWD}"
@@ -24,7 +23,6 @@ pkcs11 = pkcs11_section
 
 [pkcs11_section]
 engine_id = pkcs11
-dynamic_path = ${OPENSSL_PKCS11_ENGINE_PATH}
 MODULE_PATH = ${NETHSM_PKCS11_LIBRARY_PATH}
 init = 0
 "
@@ -46,7 +44,7 @@ curl --include --insecure --user $CREDENTIALS --request POST \
 
 export OPENSSL_CONF="/dev/fd/3"
 
-openssl req -new -x509 -out ./_certificate.pem -days 365 -subj "/CN=yourdomain.com" -engine pkcs11 -keyform engine -key "pkcs11:object=webserver;type=public"
+P11NETHSM_CONFIG_FILE="p11nethsm.conf" openssl req -new -x509 -out ./_certificate.pem -days 365 -subj "/CN=yourdomain.com" -engine pkcs11 -keyform engine -key "pkcs11:object=webserver;type=public"
 
 curl -k -i -w '\n' -u $CREDENTIALS -X PUT \
   "https://${HOST}/api/v1/keys/webserver/cert" \

container/apache/httpd.conf

@@ -1,6 +1,7 @@
 ServerRoot "/usr/local/apache2"
-Listen 80
-Listen 443
+# Listen 80
+# Listen 443
+Listen 8081
 LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
 LoadModule mpm_event_module modules/mod_mpm_event.so
 LoadModule authn_file_module modules/mod_authn_file.so
@@ -87,7 +88,7 @@ Include conf/extra/proxy-html.conf
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 </IfModule>
-<VirtualHost *:443>
+<VirtualHost *:8081>
       DocumentRoot /usr/local/apache2/htdocs
       SSLEngine on
       SSLCertificateFile /certs/certificate.pem

container/apache/p11nethsm.conf

@@ -5,7 +5,7 @@ slots:
     description: Local HSM (docker)
     operator:
       username: "operator"
-      password: "operatoroperator"
+      password: "opPassphrase"
     instances:
       - url: "https://localhost:8443/api/v1"
         danger_insecure_cert: true

container/nginx/Dockerfile

@@ -1,14 +1,12 @@
-FROM rust:1.70-buster AS builder
+FROM docker.io/rust:1.70-buster AS builder
 
 WORKDIR /rust
 
-ADD .git/ /tmp/repo
-
-RUN git clone -s /tmp/repo build
+ADD '.' /rust/build
 
 RUN cd build && cargo build --release
 
-FROM nginx:stable
+FROM docker.io/nginx:stable
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
   libengine-pkcs11-openssl \

container/nginx/default.conf

@@ -1,5 +1,6 @@
 server {
-    listen       443 ssl;
+#    listen       433 ssl;
+    listen       8081 ssl;
     server_name  localhost;
 
     ssl_certificate      /certs/certificate.pem;

container/nginx/generate.sh

@@ -4,10 +4,9 @@ set -e
 
 HOST='localhost:8443'
 ADMIN_ACCOUNT='admin'
-ADMIN_ACCOUNT_PWD='adminadmin'
+ADMIN_ACCOUNT_PWD='Administrator'
 
-OPENSSL_PKCS11_ENGINE_PATH="/usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so"
-NETHSM_PKCS11_LIBRARY_PATH="/usr/lib/x86_64-linux-gnu/pkcs11/libnethsm_pkcs11.so"
+NETHSM_PKCS11_LIBRARY_PATH="target/release/libnethsm_pkcs11.so"
 
 
 CREDENTIALS="${ADMIN_ACCOUNT}:${ADMIN_ACCOUNT_PWD}"
@@ -24,7 +23,6 @@ pkcs11 = pkcs11_section
 
 [pkcs11_section]
 engine_id = pkcs11
-dynamic_path = ${OPENSSL_PKCS11_ENGINE_PATH}
 MODULE_PATH = ${NETHSM_PKCS11_LIBRARY_PATH}
 init = 0
 "
@@ -46,7 +44,7 @@ curl --include --insecure --user $CREDENTIALS --request POST \
 
 export OPENSSL_CONF="/dev/fd/3"
 
-openssl req -new -x509 -out ./_certificate.pem -days 365 -subj "/CN=yourdomain.com" -engine pkcs11 -keyform engine -key "pkcs11:object=webserver;type=public"
+P11NETHSM_CONFIG_FILE="p11nethsm.conf" openssl req -new -x509 -out ./_certificate.pem -days 365 -subj "/CN=yourdomain.com" -engine pkcs11 -keyform engine -key "pkcs11:object=webserver;type=public"
 
 curl -k -i -w '\n' -u $CREDENTIALS -X PUT \
   "https://${HOST}/api/v1/keys/webserver/cert" \

container/nginx/p11nethsm.conf

@@ -3,7 +3,7 @@ slots:
     description: Local HSM (docker)
     operator:
       username: "operator"
-      password: "operatoroperator"
+      password: "opPassphrase"
     instances:
       - url: "https://localhost:8443/api/v1"
         danger_insecure_cert: true

fork-tests/Makefile

@@ -0,0 +1,7 @@
+.PHONY: test
+test: fork_test
+	P11NETHSM_CONFIG_FILE=../p11nethsm.conf ./fork_test
+
+fork_test: fork_test.c
+	gcc fork_test.c -o fork_test
+

fork-tests/fork_test.c

@@ -0,0 +1,56 @@
+#include "dlfcn.h"
+#include "pkcs11.h"
+#include "stdio.h"
+#include "unistd.h"
+#include "sys/wait.h"
+
+
+int main() {
+  void *handle = dlopen("../target/release/libnethsm_pkcs11.so", RTLD_LAZY)  ;
+  if (!handle) {
+    fprintf(stderr, "%s\n", dlerror());
+    return 1;
+  }
+  dlerror();
+
+
+  CK_C_GetFunctionList c_get_function_list = dlsym(handle, "C_GetFunctionList");
+
+  char * error = dlerror();
+  if (error != NULL) {
+    fprintf(stderr, "%s\n", error);
+    return 1;
+  }
+
+  struct _CK_FUNCTION_LIST *flist;
+  c_get_function_list(&flist);
+
+  flist->C_Initialize(NULL);
+
+  pid_t p = fork(); 
+  if (p < 0) {
+    perror("Fork failed");
+    return 1;
+  }
+
+  int wstatus = 0;
+  if (p == 0 ) {
+    flist->C_Initialize(NULL);
+    CK_SLOT_ID slotId = CK_UNAVAILABLE_INFORMATION;
+    CK_SESSION_HANDLE session;
+    CK_RV rv = flist->C_OpenSession(0,CKF_SERIAL_SESSION, NULL, NULL, &session);
+    if (rv != CKR_OK) {
+      printf("Failed open session: %lu", rv);
+    }
+
+    unsigned char random[8];
+    rv = flist->C_GenerateRandom(session, random, 8);
+    if (rv != CKR_OK) {
+      printf("Failed get random: %lu", rv);
+    }
+    return 0;
+  } else {
+    wait(&wstatus);
+    return WEXITSTATUS(wstatus);
+  }
+}