test(pkcs11): Add tedge-p11-server compatibility suite

Bravo555 · Bravo555 · commit 753799cf6256 · 2025-07-14T14:17:02.000Z
New compatibility.robot suite uses pinned tedge-p11-server to ensure new
versions of thin-edge.io are backwards compatibile with
tedge-p11-server.

Shared keywords were extracted into a resource file.

Signed-off-by: Marcel Guzik &lt;marcel.guzik@cumulocity.com&gt;
diff --git a/tests/RobotFramework/tests/pkcs11/compatibility.robot b/tests/RobotFramework/tests/pkcs11/compatibility.robot
@@ -0,0 +1,194 @@
+*** Settings ***
+Documentation       This test suite runs the tests with tedge-p11-server pinned to a fixed version to ensure that new
+...                 versions of thin-edge remain backwards compatible with tedge-p11-server's binary communication protocol. The
+...                 scope of this test is limited to tedge-p11-server's initial feature set and will generally not be expanded.
+
+Resource            pkcs11_common.resource
+
+Suite Setup         Custom Setup
+Suite Teardown      Get Suite Logs
+
+Test Tags           adapter:docker    theme:cryptoki    compatibility
+
+
+*** Variables ***
+${TEDGE_P11_SERVER_VERSION}     1.5.1
+
+
+*** Test Cases ***
+# the test cases are basically copy-pasted from private_key_storage.robot, as the purpose of this suite is to run the
+# exact same tests with a slightly different setup. It would be easiest if we could import the test cases themselves
+# from another test suite, but this isn't possible. So we extract reusable keywords into a resource file, but test cases
+# remain duplicated.
+Use Private Key in SoftHSM2 using tedge-p11-server
+    Tedge Reconnect Should Succeed
+
+Select Private key using tedge-p11-server URI
+    [Documentation]    Make sure that we can select different keys and tokens using a PKCS#11 URI.
+    ...    The URI can either point to a specific key, or to a specific token where we will attempt to find a key.
+    ...
+    ...    To ensure that correct key is selected and reduce the need to generate and upload different keys and
+    ...    certificates, we'll only be using one key and we'll only import it to the chosen token, keeping other tokens
+    ...    empty.
+    ...
+    ...    We set the URI on tedge-p11-server, which means that all connecting clients will use the selected key until
+    ...    tedge-p11-server is restarted with a different URI.
+
+    Set tedge-p11-server Uri    value=
+    Tedge Reconnect Should Succeed
+
+    # expect failure if we try to use a token that doesn't exist
+    Set tedge-p11-server Uri    value=pkcs11:token=asdf
+    Tedge Reconnect Should Fail With    Failed to find a signing key: Didn't find a slot to use
+
+    # create tokens with no keys on them, so key selection fails if wrong token is selected
+    Execute Command    softhsm2-util --init-token --free --label token1 --pin "123456" --so-pin "123456"
+
+    Set tedge-p11-server Uri    value=pkcs11:token=token1
+    Tedge Reconnect Should Fail With    Failed to find a signing key
+
+    Set tedge-p11-server Uri    value=pkcs11:token=tedge
+    Tedge Reconnect Should Succeed
+
+    # import another private key to the primary token (one that has valid tedge key) so we can select a key
+    Execute Command
+    ...    cmd=p11tool --set-pin=123456 --login --generate-privkey ECDSA --curve=secp256r1 --label "key2" "pkcs11:token=tedge"
+
+    Set tedge-p11-server Uri    value=pkcs11:token=tedge;object=key2
+    Tedge Reconnect Should Fail With    HandshakeFailure
+
+    # but when URI has correct label, we expect valid key to be used again
+    Set tedge-p11-server Uri    value=pkcs11:token=tedge;object=tedge
+    Tedge Reconnect Should Succeed
+
+    Set tedge-p11-server Uri    value=
+
+Select Private key using a request URI
+    [Documentation]    Like above, we select the key using a URI, but this time we include it in a request, which means
+    ...    we can select different keys without restarting tedge-p11-server.
+
+    Execute Command    cmd=tedge config set device.key_uri pkcs11:token=token123
+    ${stderr}=    Tedge Reconnect Should Fail With    Failed to find a signing key
+    Should Contain    ${stderr}    item=cryptoki: socket (key: pkcs11:token=token123)
+
+    Execute Command    cmd=tedge config unset device.key_uri
+    Execute Command    cmd=tedge config set device.key_uri pkcs11:token=token123
+    ${stderr}=    Tedge Reconnect Should Fail With    Failed to find a signing key
+    Should Contain    ${stderr}    item=cryptoki: socket (key: pkcs11:token=token123)
+
+    Execute Command    cmd=tedge config set device.key_uri "pkcs11:token=tedge;object=tedge"
+    ${stderr}=    Tedge Reconnect Should Succeed
+    Should Contain    ${stderr}    item=cryptoki: socket (key: pkcs11:token=tedge;object=tedge)
+
+Connects to C8y using an RSA key
+    [Documentation]    Test that we can connect to C8y using an RSA private keys of all sizes.
+    [Setup]    Set tedge-p11-server Uri    value=${EMPTY}
+    [Template]    Connect to C8y using new keypair
+    type=rsa    bits=4096
+    type=rsa    bits=3072
+    type=rsa    bits=2048
+    # type=rsa    bits=1024    # RSA 1024 is considered to be insecure is not supported when using the Cumulocity Certificate Authority feature
+
+Connects to C8y supporting all TLS13 ECDSA signature algorithms
+    [Documentation]    Check that we support all ECDSA sigschemes used in TLS1.3, i.e: ecdsa_secp256r1_sha256,
+    ...    ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512.
+    [Setup]    Set tedge-p11-server Uri    value=${EMPTY}
+    [Template]    Connect to C8y using new keypair
+    type=ecdsa    curve=secp256r1
+
+Ignore tedge.toml if missing
+    Execute Command    rm -f ./tedge.toml
+    ${stderr}=    Execute Command    tedge-p11-server --config-dir . --module-path xx.so    exp_exit_code=!0
+    # Don't log anything (this is normal behaviour as the user does not have to create a tedge.toml file)
+    Should Not Contain    ${stderr}    Failed to read ./tedge.toml: No such file
+    # And proceed
+    Should Contain    ${stderr}    Using cryptoki configuration
+    # Using default values
+    Should Contain    ${stderr}    tedge-p11-server.sock
+
+Ignore tedge.toml if empty
+    Execute Command    touch ./tedge.toml
+    ${stderr}=    Execute Command    tedge-p11-server --config-dir . --module-path xx.so    exp_exit_code=!0
+    # Don't log anything (this is normal behaviour, where the file is used for tedge and not tedge-p11-server)
+    Should Not Contain    ${stderr}    Failed to parse ./tedge.toml: invalid TOML
+    # And proceed
+    Should Contain    ${stderr}    Using cryptoki configuration
+    # Using default values
+    Should Contain    ${stderr}    tedge-p11-server.sock
+
+Ignore tedge.toml if incomplete
+    Execute Command    echo '[device]' >./tedge.toml
+    ${stderr}=    Execute Command    tedge-p11-server --config-dir . --module-path xx.so    exp_exit_code=!0
+    # Don't log anything (this is normal behaviour, where the file is used for tedge and not tedge-p11-server)
+    Should Not Contain    ${stderr}    Failed to parse ./tedge.toml: invalid TOML
+    Should Not Contain    ${stderr}    missing field `cryptoki`
+    # And proceed
+    Should Contain    ${stderr}    Using cryptoki configuration
+    # Using default values
+    Should Contain    ${stderr}    tedge-p11-server.sock
+
+Do not warn the user if tedge.toml is incomplete but not used
+    Execute Command    rm -f ./tedge.toml
+    ${stderr}=    Execute Command
+    ...    tedge-p11-server --config-dir . --module-path xx.so --pin 11.pin --socket-path yy.sock --uri zz.uri
+    ...    exp_exit_code=!0
+    # Don't warn as all values are provided on the command line
+    Should Not Contain    ${stderr}    Failed to read ./tedge.toml: No such file
+    # And proceed
+    Should Contain    ${stderr}    Using cryptoki configuration
+    # Using the values provided on the command lin
+    Should Contain    ${stderr}    xx.so
+    Should Contain    ${stderr}    yy.sock
+    Should Contain    ${stderr}    zz.uri
+
+Warn the user if tedge.toml exists but cannot be read
+    Execute Command    echo '[device.cryptoki]' >./tedge.toml
+    Execute Command    chmod a-rw ./tedge.toml
+    ${stderr}=    Execute Command
+    ...    sudo -u tedge tedge-p11-server --config-dir . --module-path xx.so
+    ...    exp_exit_code=!0
+    # Warn the user
+    Should Contain    ${stderr}    Failed to read ./tedge.toml: Permission denied
+    # But proceed
+    Should Contain    ${stderr}    Using cryptoki configuration
+
+Warn the user if tedge.toml cannot be parsed
+    Execute Command    rm -f ./tedge.toml
+    Execute Command    echo '[corrupted toml ...' >./tedge.toml
+    ${stderr}=    Execute Command    tedge-p11-server --config-dir . --module-path xx.so    exp_exit_code=!0
+    # Warn the user
+    Should Contain    ${stderr}    Failed to parse ./tedge.toml: invalid TOML
+    # But proceed
+    Should Contain    ${stderr}    Using cryptoki configuration
+
+
+*** Keywords ***
+Custom Setup
+    ${DEVICE_SN}=    Setup    register=${False}
+    Set Suite Variable    ${DEVICE_SN}
+
+    # this doesn't install anything but adds cloudsmith repo to apt
+    Execute Command    curl -1sLf 'https://dl.cloudsmith.io/public/thinedge/tedge-main/setup.deb.sh' | sudo -E bash
+    Execute Command    cmd=apt-get install -y --allow-downgrades tedge-p11-server=${TEDGE_P11_SERVER_VERSION}
+    ${stdout}=    Execute Command    tedge-p11-server -V    strip=True
+    Should Be Equal    ${stdout}    tedge-p11-server ${TEDGE_P11_SERVER_VERSION}
+
+    # Allow the tedge user to access softhsm
+    Execute Command    sudo usermod -a -G softhsm tedge
+    Transfer To Device    ${CURDIR}/data/init_softhsm.sh    /usr/bin/
+
+    # initialize the soft hsm and create a certificate signing request
+    Execute Command    tedge config set device.cryptoki.pin 123456
+    Execute Command    tedge config set device.cryptoki.module_path /usr/lib/softhsm/libsofthsm2.so
+    Execute Command    sudo -u tedge /usr/bin/init_softhsm.sh --device-id "${DEVICE_SN}" --pin 123456
+
+    # configure tedge
+    ${domain}=    Cumulocity.Get Domain
+    Execute Command    tedge config set c8y.url "${domain}"
+    Execute Command    tedge config set mqtt.bridge.built_in true
+    Execute Command    tedge config set device.cryptoki.mode socket
+
+    ${csr_path}=    Execute Command    cmd=tedge config get device.csr_path    strip=${True}
+    Register Device With Cumulocity CA    ${csr_path}
+
+    Set tedge-p11-server Uri    value=
diff --git a/tests/RobotFramework/tests/pkcs11/pkcs11_common.resource b/tests/RobotFramework/tests/pkcs11/pkcs11_common.resource
@@ -0,0 +1,82 @@
+*** Settings ***
+Documentation       Keywords used for testing thin-edge.io PKCS11 integration and tedge-p11-server.
+
+Resource            ../resources/common.resource
+Library             String
+Library             Cumulocity
+Library             ThinEdgeIO
+
+
+*** Variables ***
+${DEVICE_SN}        ${EMPTY}    # should be set in setup of test suites
+${CERT_TEMPLATE}    /etc/tedge/hsm/cert.template    # created by init_softhsm script
+
+
+*** Keywords ***
+Connect to C8y using new keypair
+    [Documentation]    Connects to C8y with a newly generated keypair and a self-signed certificate.
+    ...    The private key is saved on the token, and the self-signed certificate is registered with c8y.
+    [Arguments]    ${type}    # ecdsa or rsa
+    ...    ${curve}=secp256r1    # if type == ECDSA, curve of the key - one of {secp256r1, secp384r1, secp521r1}
+    ...    ${bits}=4096    # if type == RSA, length in bits of the RSA key - one of {1024, 2048, 3072, 4096}
+
+    # We could alternatively use Cumulocity CA to start with a signed cert, but for testing certificate renewal, we want
+    # to test both renewing a self-signed cert and a cert issued by C8y CA. When we start with self-signed cert, after
+    # the first renewal we get a cert signed by CA, so we test all scenarios by just doing renew 2 times.
+
+    IF    '${type}' == 'ecdsa'
+        VAR    ${object_name}=    ${type}-${curve}
+        VAR    ${p11tool_args}=    --curve=${curve}
+    ELSE IF    '${type}' == 'rsa'
+        VAR    ${object_name}=    ${type}-${bits}
+        VAR    ${p11tool_args}=    --bits=${bits}
+    ELSE
+        Fail    Wrong key type provided.
+    END
+
+    # guarantee name of the object is unique even if multiple keys of the same type and bits/curve are generated
+    ${identifier}=    String.Generate Random String
+    VAR    ${object_name}=    ${object_name}-${identifier}
+
+    VAR    ${cert_path}=    /etc/tedge/device-certs/${object_name}.csr
+    Execute Command    cmd=tedge config set device.cert_path ${cert_path}
+
+    Execute Command
+    ...    cmd=p11tool --set-pin=123456 --login --generate-privkey ${type} ${p11tool_args} --label ${object_name} "pkcs11:token=tedge"
+    Execute Command
+    ...    cmd=GNUTLS_PIN=123456 certtool --generate-self-signed --template "${CERT_TEMPLATE}" --outfile "${cert_path}" --load-privkey "pkcs11:token=tedge;object=${object_name}"
+
+    Execute Command    cmd=tedge config set device.key_uri "pkcs11:token=tedge;object=${object_name}"
+
+    Execute Command
+    ...    cmd=sudo env C8Y_USER="${C8Y_CONFIG.username}" C8Y_PASSWORD="${C8Y_CONFIG.password}" tedge cert upload c8y
+    ThinEdgeIO.Register Certificate For Cleanup
+
+    Tedge Reconnect Should Succeed
+
+Set tedge-p11-server Uri
+    [Arguments]    ${value}
+    Execute Command    tedge config set device.cryptoki.uri '${value}'
+    Restart Service    tedge-p11-server
+
+Tedge Reconnect Should Succeed
+    ${stderr}=    Execute Command    tedge reconnect c8y    stdout=false    stderr=true
+    RETURN    ${stderr}
+
+Tedge Reconnect Should Fail With
+    [Arguments]    ${error}
+    ${stderr}=    Command Should Fail With    tedge reconnect c8y    ${error}
+    RETURN    ${stderr}
+
+Command Should Fail With
+    [Arguments]    ${command}    ${error}
+    ${stderr}=    Execute Command    ${command}    exp_exit_code=!0    stdout=false    stderr=true
+    Should Contain    ${stderr}    ${error}
+    RETURN    ${stderr}
+
+Register Device With Cumulocity CA
+    [Documentation]    Registers a new certificate with Cumulocity CA and places it under `c8y.device.cert_path`
+    [Arguments]    ${csr_path}
+    ${credentials}=    Cumulocity.Bulk Register Device With Cumulocity CA    external_id=${DEVICE_SN}
+    Execute Command
+    ...    cmd=tedge cert download c8y --csr-path "${csr_path}" --device-id "${DEVICE_SN}" --one-time-password '${credentials.one_time_password}' --retry-every 5s --max-timeout 60s
diff --git a/tests/RobotFramework/tests/pkcs11/private_key_storage.robot b/tests/RobotFramework/tests/pkcs11/private_key_storage.robot
@@ -6,21 +6,14 @@ Documentation       Test thin-edge.io MQTT client authentication using a Hardwar
 ...                 hardware device would be used.
 
 # it would be good to explain here why we use the tedge-p11-server exclusively and not the module mode
-Resource            ../resources/common.resource
-Library             String
-Library             Cumulocity
-Library             ThinEdgeIO
+Resource            pkcs11_common.resource
 
 Suite Setup         Custom Setup
 Suite Teardown      Get Suite Logs
 
 Test Tags           adapter:docker    theme:cryptoki
 
 
-*** Variables ***
-${CERT_TEMPLATE}    /etc/tedge/hsm/cert.template    # created by init_softhsm script
-
-
 *** Test Cases ***
 Use Private Key in SoftHSM2 using tedge-p11-server
     Tedge Reconnect Should Succeed
@@ -222,50 +215,10 @@ Warn the user if tedge.toml cannot be parsed
 
 
 *** Keywords ***
-Connect to C8y using new keypair
-    [Documentation]    Connects to C8y with a newly generated keypair and a self-signed certificate.
-    ...    The private key is saved on the token, and the self-signed certificate is registered with c8y.
-    [Arguments]    ${type}    # ecdsa or rsa
-    ...    ${curve}=secp256r1    # if type == ECDSA, curve of the key - one of {secp256r1, secp384r1, secp521r1}
-    ...    ${bits}=4096    # if type == RSA, length in bits of the RSA key - one of {1024, 2048, 3072, 4096}
-
-    # We could alternatively use Cumulocity CA to start with a signed cert, but for testing certificate renewal, we want
-    # to test both renewing a self-signed cert and a cert issued by C8y CA. When we start with self-signed cert, after
-    # the first renewal we get a cert signed by CA, so we test all scenarios by just doing renew 2 times.
-
-    IF    '${type}' == 'ecdsa'
-        VAR    ${object_name}=    ${type}-${curve}
-        VAR    ${p11tool_args}=    --curve=${curve}
-    ELSE IF    '${type}' == 'rsa'
-        VAR    ${object_name}=    ${type}-${bits}
-        VAR    ${p11tool_args}=    --bits=${bits}
-    ELSE
-        Fail    Wrong key type provided.
-    END
-
-    # guarantee name of the object is unique even if multiple keys of the same type and bits/curve are generated
-    ${identifier}=    String.Generate Random String
-    VAR    ${object_name}=    ${object_name}-${identifier}
-
-    VAR    ${cert_path}=    /etc/tedge/device-certs/${object_name}.csr
-    Execute Command    cmd=tedge config set device.cert_path ${cert_path}
-
-    Execute Command
-    ...    cmd=p11tool --set-pin=123456 --login --generate-privkey ${type} ${p11tool_args} --label ${object_name} "pkcs11:token=tedge"
-    Execute Command
-    ...    cmd=GNUTLS_PIN=123456 certtool --generate-self-signed --template "${CERT_TEMPLATE}" --outfile "${cert_path}" --load-privkey "pkcs11:token=tedge;object=${object_name}"
-
-    Execute Command    cmd=tedge config set device.key_uri "pkcs11:token=tedge;object=${object_name}"
-
-    Execute Command
-    ...    cmd=sudo env C8Y_USER="${C8Y_CONFIG.username}" C8Y_PASSWORD="${C8Y_CONFIG.password}" tedge cert upload c8y
-    ThinEdgeIO.Register Certificate For Cleanup
-
-    Tedge Reconnect Should Succeed
-
 Custom Setup
     ${DEVICE_SN}=    Setup    register=${False}
     Set Suite Variable    ${DEVICE_SN}
+
     # Allow the tedge user to access softhsm
     Execute Command    sudo usermod -a -G softhsm tedge
     Transfer To Device    ${CURDIR}/data/init_softhsm.sh    /usr/bin/
@@ -285,30 +238,3 @@ Custom Setup
     Register Device With Cumulocity CA    ${csr_path}
 
     Set tedge-p11-server Uri    value=
-
-Set tedge-p11-server Uri
-    [Arguments]    ${value}
-    Execute Command    tedge config set device.cryptoki.uri '${value}'
-    Restart Service    tedge-p11-server
-
-Tedge Reconnect Should Succeed
-    ${stderr}=    Execute Command    tedge reconnect c8y    stdout=false    stderr=true
-    RETURN    ${stderr}
-
-Tedge Reconnect Should Fail With
-    [Arguments]    ${error}
-    ${stderr}=    Command Should Fail With    tedge reconnect c8y    ${error}
-    RETURN    ${stderr}
-
-Command Should Fail With
-    [Arguments]    ${command}    ${error}
-    ${stderr}=    Execute Command    ${command}    exp_exit_code=!0    stdout=false    stderr=true
-    Should Contain    ${stderr}    ${error}
-    RETURN    ${stderr}
-
-Register Device With Cumulocity CA
-    [Documentation]    Registers a new certificate with Cumulocity CA and places it under `c8y.device.cert_path`
-    [Arguments]    ${csr_path}
-    ${credentials}=    Cumulocity.Bulk Register Device With Cumulocity CA    external_id=${DEVICE_SN}
-    Execute Command
-    ...    cmd=tedge cert download c8y --csr-path "${csr_path}" --device-id "${DEVICE_SN}" --one-time-password '${credentials.one_time_password}' --retry-every 5s --max-timeout 60s
