add system test for the tedge-p11-server

reubenmiller · reubenmiller · commit 5b6c68fe925f · 2025-04-07T15:37:46.000+02:00
Signed-off-by: reubenmiller &lt;reuben.d.miller@gmail.com&gt;
diff --git a/tests/RobotFramework/tests/pkcs11/data/init_softhsm.sh b/tests/RobotFramework/tests/pkcs11/data/init_softhsm.sh
@@ -0,0 +1,108 @@
+#!/bin/sh
+set -e
+
+DEVICE_ID="${DEVICE_ID:-}"
+IS_SELF_SIGNED=0
+export GNUTLS_PIN="${GNUTLS_PIN:-123456}"
+export GNUTLS_SO_PIN="${GNUTLS_SO_PIN:-123456}"
+export TOKEN_LABEL="${TOKEN_LABEL:-tedge}"
+PKCS_URI=
+
+#
+# Parse arguments
+#
+while [ $# -gt 0 ]; do
+    case "$1" in
+        --self-signed)
+            IS_SELF_SIGNED=1
+            ;;
+        --pin)
+            GNUTLS_PIN="$2"
+            shift
+            ;;
+        --so-pin)
+            GNUTLS_SO_PIN="$2"
+            shift
+            ;;
+        --device-id)
+            DEVICE_ID="$2"
+            shift
+            ;;
+    esac
+    shift
+done
+
+get_token() {
+    p11tool --list-tokens | grep "token=$TOKEN_LABEL" | awk '{ print $2 }' | head -n1
+}
+
+get_key() {
+    p11tool --login --list-all "$PKCS_URI" | grep type=private | awk '{ print $2 }'
+}
+
+#
+# Get/Init slot
+#
+PKCS_URI=$(get_token)
+if [ -z "$(get_token)" ]; then
+    echo "Initializing softhsm2 token" >&2
+    softhsm2-util --init-token --free --label "$TOKEN_LABEL" --pin "$GNUTLS_PIN" --so-pin "$GNUTLS_SO_PIN"
+    PKCS_URI=$(get_token)
+fi
+echo "Using token URI: $PKCS_URI" >&2
+
+
+#
+# Get/Create key
+#
+KEY=$(get_key)
+if [ -z "$KEY" ]; then
+    mkdir -p /etc/tedge/hsm
+    p11tool --login --generate-privkey ECDSA --curve=secp256r1  --label "tedge" --outfile /etc/tedge/hsm/tedge.pub "$PKCS_URI"
+    KEY=$(get_key)
+fi
+
+
+#
+# Get/Create CSR template
+#
+CSR_TEMPLATE=/etc/tedge/hsm/cert.template
+if [ ! -f "$CSR_TEMPLATE" ]; then
+    if [ -z "${DEVICE_ID:-}" ]; then
+        DEVICE_ID=$(tedge-identity 2>/dev/null)
+    fi
+
+    # If it is self-signed, then Cumulocity requires the ca property
+    # to be added, otherwise certificate will be rejected by Cumulocity
+    # when trying to upload it
+    IS_CA=""
+    if [ "$IS_SELF_SIGNED" ]; then
+        IS_CA="ca"
+    fi
+
+    cat <<EOT > "$CSR_TEMPLATE"
+organization = "Thin Edge"
+unit = "Test Device"
+state = "QLD"
+country = AU
+cn = "$DEVICE_ID"
+$IS_CA
+EOT
+fi
+
+#
+# Create CSR (to be signed externally) or create a self-signed certificate
+#
+if [ "$IS_SELF_SIGNED" = 0 ]; then
+    #
+    # Create CSR
+    #
+    CSR_PATH=$(tedge config get device.csr_path)
+    certtool --generate-request --template "$CSR_TEMPLATE" --load-privkey "$KEY" --outfile "$CSR_PATH"
+    echo "Created csr: $CSR_PATH" >&2
+else
+    # Optional: Self sign the Certificate
+    echo "Creating self-signed certificate" >&2
+    CERT_PATH=$(tedge config get device.cert_path)
+    certtool --generate-self-signed --template "$CSR_TEMPLATE" --load-privkey "$KEY" --outfile "$CERT_PATH"
+fi
diff --git a/tests/RobotFramework/tests/pkcs11/private_key_storage.robot b/tests/RobotFramework/tests/pkcs11/private_key_storage.robot
@@ -0,0 +1,51 @@
+*** Settings ***
+Documentation       Test thin-edge.io MQTT client authentication using a Hardware Security Module (HSM).
+...
+...                 To do this, we install SoftHSM2 which allows us to create software-backed PKCS#11 (cryptoki)
+...                 cryptographic tokens that will be read by thin-edge. In real production environments a dedicated
+...                 hardware device would be used.
+
+Resource            ../resources/common.resource
+Library             ThinEdgeIO
+
+Suite Setup         Custom Setup
+Suite Teardown      Get Suite Logs
+
+Test Tags           adapter:docker    theme:cryptoki
+
+
+*** Test Cases ***
+Use Private Key in SoftHSM2 using tedge-p11-server
+    # initialize the soft hsm and create a self-signed certificate
+    Configure tedge-p11-server    module_path=/usr/lib/softhsm/libsofthsm2.so    pin=123456
+    Execute Command    sudo -u tedge /usr/bin/init_softhsm.sh --self-signed --device-id "${DEVICE_SN}" --pin 123456
+
+    # configure tedge
+    Execute Command    tedge config set c8y.url "$(echo ${C8Y_CONFIG.host} | sed 's|https?://||g')"
+    Execute Command    tedge config set mqtt.bridge.built_in true
+    Execute Command    tedge config set device.cryptoki.mode socket
+
+    # Upload the self-signed certificate
+    Execute Command
+    ...    cmd=sudo env C8Y_USER='${C8Y_CONFIG.username}' C8Y_PASSWORD='${C8Y_CONFIG.password}' tedge cert upload c8y
+
+    Execute Command    tedge reconnect c8y
+
+
+*** Keywords ***
+Custom Setup
+    ${DEVICE_SN}=    Setup    skip_bootstrap=${True}
+    Set Suite Variable    $DEVICE_SN
+    Execute Command    test -f ./bootstrap.sh && ./bootstrap.sh --no-connect || true
+    # Allow the tedge user to access softhsm
+    Execute Command    sudo usermod -a -G softhsm tedge
+    Transfer To Device    ${CURDIR}/data/init_softhsm.sh    /usr/bin/
+    Remove Existing Certificates
+
+Remove Existing Certificates
+    Execute Command    cmd=rm -f "$(tedge config get device.key_path)" "$(tedge config get device.cert_path)"
+
+Configure tedge-p11-server
+    [Arguments]    ${module_path}    ${pin}
+    Execute Command
+    ...    cmd=printf 'TEDGE_DEVICE_CRYPTOKI_MODULE_PATH=%s\nTEDGE_DEVICE_CRYPTOKI_PIN=%s\n' "${module_path}" "${pin}" | sudo tee /etc/tedge/plugins/tedge-p11-server.conf
diff --git a/tests/images/debian-systemd/debian-systemd.dockerfile b/tests/images/debian-systemd/debian-systemd.dockerfile
@@ -26,6 +26,9 @@ RUN apt-get -y update \
     bash-completion \
     zsh \
     fish \
+    # PKCS11 / cryptoki support
+    gnutls-bin \
+    softhsm2 \
     # mosquitto (default version used by Debian, see below for more details)
     mosquitto \
     mosquitto-clients
