From f969b07094805bda5d4b7878f6fe6d7d72c8ac11 Mon Sep 17 00:00:00 2001 From: Iker Luengo Date: Tue, 21 Sep 2021 15:40:34 +0200 Subject: [PATCH 01/30] Refs 11914. Move CA and PK load to abstraction depending on the URI Signed-off-by: Iker Luengo --- src/cpp/CMakeLists.txt | 1 + .../security/accesscontrol/Permissions.cpp | 101 +------ .../artifact_providers/FileProvider.cpp | 262 ++++++++++++++++++ .../artifact_providers/FileProvider.hpp | 72 +++++ src/cpp/security/authentication/PKIDH.cpp | 201 +------------- .../security/accesscontrol/CMakeLists.txt | 1 + .../security/authentication/CMakeLists.txt | 1 + 7 files changed, 356 insertions(+), 283 deletions(-) create mode 100644 src/cpp/security/artifact_providers/FileProvider.cpp create mode 100644 src/cpp/security/artifact_providers/FileProvider.hpp diff --git a/src/cpp/CMakeLists.txt b/src/cpp/CMakeLists.txt index 53b987cfeb8..3d18254aec0 100644 --- a/src/cpp/CMakeLists.txt +++ b/src/cpp/CMakeLists.txt @@ -296,6 +296,7 @@ set(${PROJECT_NAME}_security_source_files security/accesscontrol/GovernanceParser.cpp security/accesscontrol/PermissionsParser.cpp security/logging/LogTopic.cpp + security/artifact_providers/FileProvider.cpp ) if(SECURITY) diff --git a/src/cpp/security/accesscontrol/Permissions.cpp b/src/cpp/security/accesscontrol/Permissions.cpp index 55915643117..09d28303fe9 100644 --- a/src/cpp/security/accesscontrol/Permissions.cpp +++ b/src/cpp/security/accesscontrol/Permissions.cpp @@ -43,6 +43,8 @@ #include #include +#include + #include #include @@ -351,105 +353,12 @@ static X509_STORE* load_permissions_ca( std::string& ca_algo, SecurityException& exception) { - X509_STORE* store = X509_STORE_new(); - - if (store != nullptr) - { - if (permissions_ca.size() >= 7 && permissions_ca.compare(0, 7, "file://") == 0) - { - BIO* in = BIO_new(BIO_s_file()); - - if (in != nullptr) - { - if (BIO_read_filename(in, permissions_ca.substr(7).c_str()) > 0) - { - STACK_OF(X509_INFO) * inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL); - - if (inf != nullptr) - { - int i, count = 0; - there_are_crls = false; - - for (i = 0; i < sk_X509_INFO_num(inf); i++) - { - X509_INFO* itmp = sk_X509_INFO_value(inf, i); - - if (itmp->x509) - { - // Retrieve subject name for future use. - if (ca_sn.empty()) - { - X509_NAME* ca_subject_name = X509_get_subject_name(itmp->x509); - assert(ca_subject_name != nullptr); - char* ca_subject_name_str = X509_NAME_oneline(ca_subject_name, 0, 0); - assert(ca_subject_name_str != nullptr); - ca_sn = ca_subject_name_str; - OPENSSL_free(ca_subject_name_str); - } - - // Retrieve signature algorithm - if (ca_algo.empty()) - { - if (get_signature_algorithm(itmp->x509, ca_algo, exception)) - { - X509_STORE_add_cert(store, itmp->x509); - count++; - } - } - else - { - X509_STORE_add_cert(store, itmp->x509); - count++; - } - } - if (itmp->crl) - { - X509_STORE_add_crl(store, itmp->crl); - there_are_crls = true; - } - } - - sk_X509_INFO_pop_free(inf, X509_INFO_free); - - if (count > 0) - { - BIO_free(in); - - return store; - } - } - else - { - exception = _SecurityException_(std::string( - "OpenSSL library cannot read X509 info in file ") + - permissions_ca.substr(7)); - } - } - else - { - exception = _SecurityException_(std::string( - "OpenSSL library cannot read file ") + permissions_ca.substr(7)); - } - - BIO_free(in); - } - else - { - exception = _SecurityException_("OpenSSL library cannot allocate file"); - } - } - else - { - exception = _SecurityException_("Unsupported permissions_ca format"); - } - - X509_STORE_free(store); - } - else + if (permissions_ca.size() >= 7 && permissions_ca.compare(0, 7, "file://") == 0) { - exception = _SecurityException_("Creation of X509 storage"); + return detail::FileProvider::load_ca(permissions_ca, there_are_crls, ca_sn, ca_algo, get_signature_algorithm, exception); } + exception = _SecurityException_(std::string("Unsupported URI format ") + permissions_ca); return nullptr; } diff --git a/src/cpp/security/artifact_providers/FileProvider.cpp b/src/cpp/security/artifact_providers/FileProvider.cpp new file mode 100644 index 00000000000..9fb124418be --- /dev/null +++ b/src/cpp/security/artifact_providers/FileProvider.cpp @@ -0,0 +1,262 @@ +// Copyright 2021 Proyectos y Sistemas de Mantenimiento SL (eProsima). +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +/** + * @file FileProvider.cpp + */ + +#include +#include + +#include + +#include + +#define S1(x) #x +#define S2(x) S1(x) +#define LOCATION " (" __FILE__ ":" S2(__LINE__) ")" +#define _SecurityException_(str) SecurityException(std::string(str) + LOCATION) + + +namespace eprosima { +namespace fastrtps { +namespace rtps { +namespace security { +namespace detail { + +X509_STORE* FileProvider::load_ca( + const std::string& ca, + bool& there_are_crls, + std::string& ca_sn, + std::string& ca_algo, + std::function get_signature_algorithm, + SecurityException& exception) +{ + X509_STORE* store = X509_STORE_new(); + + if (store != nullptr) + { + BIO* in = BIO_new(BIO_s_file()); + + if (in != nullptr) + { + if (BIO_read_filename(in, ca.substr(7).c_str()) > 0) + { + STACK_OF(X509_INFO) * inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL); + + if (inf != nullptr) + { + int i, count = 0; + there_are_crls = false; + + for (i = 0; i < sk_X509_INFO_num(inf); i++) + { + X509_INFO* itmp = sk_X509_INFO_value(inf, i); + + if (itmp->x509) + { + // Retrieve subject name for future use. + if (ca_sn.empty()) + { + X509_NAME* ca_subject_name = X509_get_subject_name(itmp->x509); + assert(ca_subject_name != nullptr); + char* ca_subject_name_str = X509_NAME_oneline(ca_subject_name, 0, 0); + assert(ca_subject_name_str != nullptr); + ca_sn = ca_subject_name_str; + OPENSSL_free(ca_subject_name_str); + } + + // Retrieve signature algorithm + if (ca_algo.empty()) + { + if (get_signature_algorithm(itmp->x509, ca_algo, exception)) + { + X509_STORE_add_cert(store, itmp->x509); + count++; + } + } + else + { + X509_STORE_add_cert(store, itmp->x509); + count++; + } + } + if (itmp->crl) + { + X509_STORE_add_crl(store, itmp->crl); + there_are_crls = true; + } + } + + sk_X509_INFO_pop_free(inf, X509_INFO_free); + + if (count > 0) + { + BIO_free(in); + + return store; + } + } + else + { + exception = _SecurityException_(std::string( + "OpenSSL library cannot read X509 info in file ") + ca.substr(7)); + } + } + else + { + exception = _SecurityException_(std::string( + "OpenSSL library cannot read file ") + ca.substr(7)); + } + + BIO_free(in); + } + else + { + exception = _SecurityException_("OpenSSL library cannot allocate file"); + } + + X509_STORE_free(store); + } + else + { + exception = _SecurityException_("Creation of X509 storage"); + } + + return nullptr; +} + +X509* FileProvider::load_certificate( + const std::string& identity_cert, + SecurityException& exception) +{ + X509* returnedValue = nullptr; + BIO* in = BIO_new(BIO_s_file()); + + if (in != nullptr) + { + if (BIO_read_filename(in, identity_cert.substr(7).c_str()) > 0) + { + returnedValue = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); + } + else + { + exception = + _SecurityException_(std::string("OpenSSL library cannot read file ") + identity_cert.substr(7)); + } + + BIO_free(in); + } + else + { + exception = _SecurityException_("OpenSSL library cannot allocate file"); + } + + return returnedValue; +} + +static int private_key_password_callback( + char* buf, + int bufsize, + int /*verify*/, + const char* password) +{ + assert(password != nullptr); + + int returnedValue = static_cast(strlen(password)); + + if (returnedValue > bufsize) + { + returnedValue = bufsize; + } + + memcpy(buf, password, returnedValue); + return returnedValue; +} + +EVP_PKEY* FileProvider::load_private_key( + X509* certificate, + const std::string& pkey, + const std::string& password, + SecurityException& exception) +{ + EVP_PKEY* returnedValue = nullptr; + BIO* in = BIO_new(BIO_s_file()); + + if (in != nullptr) + { + if (BIO_read_filename(in, pkey.substr(7).c_str()) > 0) + { + returnedValue = + PEM_read_bio_PrivateKey(in, NULL, (pem_password_cb*)private_key_password_callback, + (void*)password.c_str()); + + // Verify private key. + if (!X509_check_private_key(certificate, returnedValue)) + { + exception = _SecurityException_(std::string("Error verifying private key ") + pkey.substr(7)); + EVP_PKEY_free(returnedValue); + returnedValue = nullptr; + } + } + else + { + exception = _SecurityException_(std::string("OpenSSL library cannot read file ") + pkey.substr(7)); + } + + BIO_free(in); + } + else + { + exception = _SecurityException_("OpenSSL library cannot allocate file"); + } + + return returnedValue; +} + +X509_CRL* FileProvider::load_crl( + const std::string& identity_crl, + SecurityException& exception) +{ + X509_CRL* returnedValue = nullptr; + + BIO* in = BIO_new(BIO_s_file()); + + if (in != nullptr) + { + if (BIO_read_filename(in, identity_crl.substr(7).c_str()) > 0) + { + returnedValue = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); + } + else + { + exception = _SecurityException_(std::string("OpenSSL library cannot read file ") + identity_crl.substr(7)); + } + + BIO_free(in); + } + else + { + exception = _SecurityException_("OpenSSL library cannot allocate file"); + } + + return returnedValue; +} + +} // namespace detail +} //namespace security +} //namespace rtps +} //namespace fastrtps +} //namespace eprosima + diff --git a/src/cpp/security/artifact_providers/FileProvider.hpp b/src/cpp/security/artifact_providers/FileProvider.hpp new file mode 100644 index 00000000000..fe70ee61c08 --- /dev/null +++ b/src/cpp/security/artifact_providers/FileProvider.hpp @@ -0,0 +1,72 @@ +// Copyright 2021 Proyectos y Sistemas de Mantenimiento SL (eProsima). +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +/** + * @file FileProvider.hpp + */ + +#ifndef SECURITY_ARTIFACTPROVIDERS_FILEPROVIDER_HPP +#define SECURITY_ARTIFACTS_FILEPROVIDER_HPP + +#include + +#include +#include +#include + +#include + + +namespace eprosima { +namespace fastrtps { +namespace rtps { +namespace security { +namespace detail { + +class FileProvider +{ + +public: + + static X509_STORE* load_ca( + const std::string& ca, + bool& there_are_crls, + std::string& ca_sn, + std::string& ca_algo, + std::function get_signature_algorithm, + SecurityException& exception); + + static EVP_PKEY* load_private_key( + X509* certificate, + const std::string& file, + const std::string& password, + SecurityException& exception); + + static X509* load_certificate( + const std::string& identity_cert, + SecurityException& exception); + + static X509_CRL* load_crl( + const std::string& identity_crl, + SecurityException& exception); + +}; + +} // namespace detail +} //namespace security +} //namespace rtps +} //namespace fastrtps +} //namespace eprosima + +#endif // SECURITY_ARTIFACTS_FILEPROVIDER_HPP diff --git a/src/cpp/security/authentication/PKIDH.cpp b/src/cpp/security/authentication/PKIDH.cpp index 2dfcbf32d05..53e31a43617 100644 --- a/src/cpp/security/authentication/PKIDH.cpp +++ b/src/cpp/security/authentication/PKIDH.cpp @@ -45,6 +45,8 @@ #include #include +#include + #include #include @@ -158,100 +160,12 @@ static X509_STORE* load_identity_ca( std::string& ca_algo, SecurityException& exception) { - X509_STORE* store = X509_STORE_new(); - - if (store != nullptr) - { - if (identity_ca.size() >= 7 && identity_ca.compare(0, 7, "file://") == 0) - { - BIO* in = BIO_new(BIO_s_file()); - - if (in != nullptr) - { - if (BIO_read_filename(in, identity_ca.substr(7).c_str()) > 0) - { - STACK_OF(X509_INFO) * inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL); - - if (inf != nullptr) - { - int i, count = 0; - there_are_crls = false; - - for (i = 0; i < sk_X509_INFO_num(inf); i++) - { - X509_INFO* itmp = sk_X509_INFO_value(inf, i); - - if (itmp->x509) - { - // Retrieve subject name for future use. - if (ca_sn.empty()) - { - X509_NAME* ca_subject_name = X509_get_subject_name(itmp->x509); - assert(ca_subject_name != nullptr); - char* ca_subject_name_str = X509_NAME_oneline(ca_subject_name, 0, 0); - assert(ca_subject_name_str != nullptr); - ca_sn = ca_subject_name_str; - OPENSSL_free(ca_subject_name_str); - } - - // Retrieve signature algorithm - if (ca_algo.empty()) - { - if (get_signature_algorithm(itmp->x509, ca_algo, exception)) - { - X509_STORE_add_cert(store, itmp->x509); - count++; - } - } - else - { - X509_STORE_add_cert(store, itmp->x509); - count++; - } - } - if (itmp->crl) - { - X509_STORE_add_crl(store, itmp->crl); - there_are_crls = true; - } - } - - sk_X509_INFO_pop_free(inf, X509_INFO_free); - - if (count > 0) - { - BIO_free(in); - - return store; - } - } - else - { - exception = _SecurityException_(std::string( - "OpenSSL library cannot read X509 info in file ") + identity_ca.substr(7)); - } - } - else - { - exception = _SecurityException_(std::string( - "OpenSSL library cannot read file ") + identity_ca.substr(7)); - } - - BIO_free(in); - } - else - { - exception = _SecurityException_("OpenSSL library cannot allocate file"); - } - } - - X509_STORE_free(store); - } - else + if (identity_ca.size() >= 7 && identity_ca.compare(0, 7, "file://") == 0) { - exception = _SecurityException_("Creation of X509 storage"); + return detail::FileProvider::load_ca(identity_ca, there_are_crls, ca_sn, ca_algo, get_signature_algorithm, exception); } + exception = _SecurityException_(std::string("Unsupported URI format ") + identity_ca); return nullptr; } @@ -259,33 +173,13 @@ static X509* load_certificate( const std::string& identity_cert, SecurityException& exception) { - X509* returnedValue = nullptr; - if (identity_cert.size() >= 7 && identity_cert.compare(0, 7, "file://") == 0) { - BIO* in = BIO_new(BIO_s_file()); - - if (in != nullptr) - { - if (BIO_read_filename(in, identity_cert.substr(7).c_str()) > 0) - { - returnedValue = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); - } - else - { - exception = - _SecurityException_(std::string("OpenSSL library cannot read file ") + identity_cert.substr(7)); - } - - BIO_free(in); - } - else - { - exception = _SecurityException_("OpenSSL library cannot allocate file"); - } + return detail::FileProvider::load_certificate(identity_cert, exception); } - return returnedValue; + exception = _SecurityException_(std::string("Unsupported URI format ") + identity_cert); + return nullptr; } static X509* load_certificate( @@ -355,66 +249,19 @@ static bool verify_certificate( return returnedValue; } -static int private_key_password_callback( - char* buf, - int bufsize, - int /*verify*/, - const char* password) -{ - assert(password != nullptr); - - int returnedValue = static_cast(strlen(password)); - - if (returnedValue > bufsize) - { - returnedValue = bufsize; - } - - memcpy(buf, password, returnedValue); - return returnedValue; -} - static EVP_PKEY* load_private_key( X509* certificate, const std::string& file, const std::string& password, SecurityException& exception) { - EVP_PKEY* returnedValue = nullptr; if (file.size() >= 7 && file.compare(0, 7, "file://") == 0) { - BIO* in = BIO_new(BIO_s_file()); - - if (in != nullptr) - { - if (BIO_read_filename(in, file.substr(7).c_str()) > 0) - { - returnedValue = - PEM_read_bio_PrivateKey(in, NULL, (pem_password_cb*)private_key_password_callback, - (void*)password.c_str()); - - // Verify private key. - if (!X509_check_private_key(certificate, returnedValue)) - { - exception = _SecurityException_(std::string("Error verifying private key ") + file.substr(7)); - EVP_PKEY_free(returnedValue); - returnedValue = nullptr; - } - } - else - { - exception = _SecurityException_(std::string("OpenSSL library cannot read file ") + file.substr(7)); - } - - BIO_free(in); - } - else - { - exception = _SecurityException_("OpenSSL library cannot allocate file"); - } + return detail::FileProvider::load_private_key(certificate, file, password, exception); } - return returnedValue; + exception = _SecurityException_(std::string("Unsupported URI format ") + file); + return nullptr; } static bool store_certificate_in_buffer( @@ -613,33 +460,13 @@ static X509_CRL* load_crl( const std::string& identity_crl, SecurityException& exception) { - X509_CRL* returnedValue = nullptr; - if (identity_crl.size() >= 7 && identity_crl.compare(0, 7, "file://") == 0) { - BIO* in = BIO_new(BIO_s_file()); - - if (in != nullptr) - { - if (BIO_read_filename(in, identity_crl.substr(7).c_str()) > 0) - { - returnedValue = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); - } - else - { - exception = _SecurityException_(std::string("OpenSSL library cannot read file ") + identity_crl.substr( - 7)); - } - - BIO_free(in); - } - else - { - exception = _SecurityException_("OpenSSL library cannot allocate file"); - } + return detail::FileProvider::load_crl(identity_crl, exception); } - return returnedValue; + exception = _SecurityException_(std::string("Unsupported URI format ") + identity_crl); + return nullptr; } static bool adjust_participant_key( diff --git a/test/unittest/security/accesscontrol/CMakeLists.txt b/test/unittest/security/accesscontrol/CMakeLists.txt index 2e84c4456ef..64d2da77158 100644 --- a/test/unittest/security/accesscontrol/CMakeLists.txt +++ b/test/unittest/security/accesscontrol/CMakeLists.txt @@ -56,6 +56,7 @@ add_executable(AccessControlTests ${COMMON_SOURCES_ACCESS_CONTROL_TEST_SOURCE} ${PROJECT_SOURCE_DIR}/src/cpp/security/accesscontrol/GovernanceParser.cpp ${PROJECT_SOURCE_DIR}/src/cpp/security/accesscontrol/Permissions.cpp ${PROJECT_SOURCE_DIR}/src/cpp/security/accesscontrol/PermissionsParser.cpp + ${PROJECT_SOURCE_DIR}/src/cpp/security/artifact_providers/FileProvider.cpp ${PROJECT_SOURCE_DIR}/src/cpp/utils/md5.cpp ${PROJECT_SOURCE_DIR}/src/cpp/utils/IPFinder.cpp ${PROJECT_SOURCE_DIR}/src/cpp/utils/IPLocator.cpp diff --git a/test/unittest/security/authentication/CMakeLists.txt b/test/unittest/security/authentication/CMakeLists.txt index 50037265c63..5e572df33e2 100644 --- a/test/unittest/security/authentication/CMakeLists.txt +++ b/test/unittest/security/authentication/CMakeLists.txt @@ -44,6 +44,7 @@ add_executable(BuiltinPKIDH ${COMMON_SOURCES_AUTH_PLUGIN_TEST_SOURCE} ${PROJECT_SOURCE_DIR}/src/cpp/security/authentication/PKIDH.cpp ${PROJECT_SOURCE_DIR}/src/cpp/security/authentication/PKIIdentityHandle.cpp ${PROJECT_SOURCE_DIR}/src/cpp/security/authentication/PKIHandshakeHandle.cpp + ${PROJECT_SOURCE_DIR}/src/cpp/security/artifact_providers/FileProvider.cpp ${PROJECT_SOURCE_DIR}/src/cpp/utils/md5.cpp ${PROJECT_SOURCE_DIR}/src/cpp/utils/IPFinder.cpp ${PROJECT_SOURCE_DIR}/src/cpp/utils/IPLocator.cpp From a919e787171c8924999a1bae642119d0e112b844 Mon Sep 17 00:00:00 2001 From: Iker Luengo Date: Wed, 22 Sep 2021 12:53:57 +0200 Subject: [PATCH 02/30] Refs 11914. Add dependency with libp11 in linux Signed-off-by: Iker Luengo --- CMakeLists.txt | 8 ++++++++ cmake/modules/FindLibP11.cmake | 29 +++++++++++++++++++++++++++++ src/cpp/CMakeLists.txt | 2 +- 3 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 cmake/modules/FindLibP11.cmake diff --git a/CMakeLists.txt b/CMakeLists.txt index 4514ff5971d..86d498c5daa 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -162,8 +162,10 @@ option(SECURITY "Activate security" OFF) if(SECURITY) find_package(OpenSSL REQUIRED) + find_package(LibP11 REQUIRED) else() find_package(OpenSSL) + find_package(LibP11) endif() if(OPENSSL_FOUND) @@ -179,8 +181,14 @@ endif() if(SECURITY OR TLS_FOUND) set(LINK_SSL 1) + if(LIBP11_FOUND) + set(LINK_P11 1) + else() + set(LINK_P11 0) + endif() else() set(LINK_SSL 0) + set(LINK_P11 0) endif() option(SQLITE3_SUPPORT "Activate SQLITE3 support" ON) diff --git a/cmake/modules/FindLibP11.cmake b/cmake/modules/FindLibP11.cmake new file mode 100644 index 00000000000..3c638d2cbb5 --- /dev/null +++ b/cmake/modules/FindLibP11.cmake @@ -0,0 +1,29 @@ +# Find libp11 +# +# LIBP11_INCLUDE_DIR +# LIBP11_LIBRARIES +# LIBP11_FOUND + +IF (LIBP11_INCLUDE_DIR) + SET(LIBP11_FIND_QUIETLY TRUE) +ENDIF (LIBP11_INCLUDE_DIR) + +FIND_PATH(LIBP11_INCLUDE_DIR libp11.h) + +SET(LIBP11_NAMES p11 libp11) +FIND_LIBRARY(LIBP11_LIBRARY NAMES ${LIBP11_NAMES} ) + +INCLUDE(FindPackageHandleStandardArgs) +FIND_PACKAGE_HANDLE_STANDARD_ARGS(LibP11 DEFAULT_MSG LIBP11_LIBRARY LIBP11_INCLUDE_DIR) + +IF(LIBP11_FOUND) + SET( LIBP11_LIBRARIES ${LIBP11_LIBRARY} ) +ELSE(LIBP11_FOUND) + SET( LIBP11_LIBRARIES ) +ENDIF(LIBP11_FOUND) + +MARK_AS_ADVANCED( LIBP11_LIBRARY LIBP11_INCLUDE_DIR ) + +MESSAGE(${LIBP11_FOUND}) +MESSAGE(${LIBP11_INCLUDE_DIR}) +MESSAGE(${LIBP11_LIBRARIES}) diff --git a/src/cpp/CMakeLists.txt b/src/cpp/CMakeLists.txt index 3d18254aec0..0cb090b1403 100644 --- a/src/cpp/CMakeLists.txt +++ b/src/cpp/CMakeLists.txt @@ -434,7 +434,7 @@ find_package(Atomic MODULE) target_link_libraries(${PROJECT_NAME} ${PRIVACY} fastcdr foonathan_memory ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS} ${TINYXML2_LIBRARY} - $<$:OpenSSL::SSL$OpenSSL::Crypto$<$:$crypt32.lib>> + $<$:OpenSSL::SSL$OpenSSL::Crypto$<$:$p11>$<$:$crypt32.lib>> $<$:iphlpapi$Shlwapi> ${THIRDPARTY_BOOST_LINK_LIBS} PRIVATE eProsima_atomic From e0b3c096947a82cbf9132533dfcf1f1ea0ec866c Mon Sep 17 00:00:00 2001 From: Iker Luengo Date: Wed, 22 Sep 2021 12:55:06 +0200 Subject: [PATCH 03/30] Refs 11914. PKCS11 provider for PK load Signed-off-by: Iker Luengo --- .../artifact_providers/Pkcs11Provider.cpp | 127 ++++++++++++++++++ .../artifact_providers/Pkcs11Provider.hpp | 77 +++++++++++ 2 files changed, 204 insertions(+) create mode 100644 src/cpp/security/artifact_providers/Pkcs11Provider.cpp create mode 100644 src/cpp/security/artifact_providers/Pkcs11Provider.hpp diff --git a/src/cpp/security/artifact_providers/Pkcs11Provider.cpp b/src/cpp/security/artifact_providers/Pkcs11Provider.cpp new file mode 100644 index 00000000000..764bf31c995 --- /dev/null +++ b/src/cpp/security/artifact_providers/Pkcs11Provider.cpp @@ -0,0 +1,127 @@ +// Copyright 2021 Proyectos y Sistemas de Mantenimiento SL (eProsima). +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +/** + * @file Pkcs11Provider.cpp + */ + +#include + +#include + +#include + +#include + +#define S1(x) #x +#define S2(x) S1(x) +#define LOCATION " (" __FILE__ ":" S2(__LINE__) ")" +#define _SecurityException_(str) SecurityException(std::string(str) + LOCATION) + + +namespace eprosima { +namespace fastrtps { +namespace rtps { +namespace security { +namespace detail { + +constexpr const char* FASTDDS_PKCS11_PIN = "FASTDDS_PKCS11_PIN"; +constexpr const char* PKCS11_ENGINE_ID = "pkcs11"; + +Pkcs11Provider::Pkcs11Provider() +{ + SSL_load_error_strings(); /* readable error messages */ + SSL_library_init(); /* initialize library */ + + ENGINE_load_builtin_engines(); + pkcs11_ = ENGINE_by_id(PKCS11_ENGINE_ID); + if (!pkcs11_) + { + has_initialization_error_ = true; + initialization_exception_ = _SecurityException_(std::string("Error retrieving 'pkcs11' engine")); + } + + const char* pin; + if (ReturnCode_t::RETCODE_OK == SystemInfo::get_env(FASTDDS_PKCS11_PIN, &pin)) + { + if (!ENGINE_ctrl_cmd_string( pkcs11_, "PIN", pin, 0)) + { + has_initialization_error_ = true; + initialization_exception_ = _SecurityException_(std::string("Error setting the PIN in the 'pkcs11' engine")); + ENGINE_free(pkcs11_); + } + } + + if(!ENGINE_init(pkcs11_)) + { + has_initialization_error_ = true; + initialization_exception_ = _SecurityException_(std::string("Error initializeing the HSM provider library")); + ENGINE_free(pkcs11_); + } +} + +Pkcs11Provider::~Pkcs11Provider() +{ + ENGINE_finish(pkcs11_); + ENGINE_free(pkcs11_); +} + +EVP_PKEY* Pkcs11Provider::load_private_key( + X509* certificate, + const std::string& pkey, + const std::string& password, + SecurityException& exception) +{ + return Pkcs11Provider::instance().load_private_key_impl(certificate, pkey, password, exception); +} + +EVP_PKEY* Pkcs11Provider::load_private_key_impl( + X509* certificate, + const std::string& pkey, + const std::string& /*password*/, + SecurityException& exception) +{ + std::cerr << "We have PKCS11 key: " << pkey << std::endl; + + if (has_initialization_error_) + { + exception = initialization_exception_; + return nullptr; + } + + EVP_PKEY* returnedValue = ENGINE_load_private_key(pkcs11_, pkey.c_str(), NULL, NULL); + if (!returnedValue) + { + exception = _SecurityException_(std::string("Error opening the private key ") + pkey.substr(7)); + return returnedValue; + } + + // Verify private key. + if (!X509_check_private_key(certificate, returnedValue)) + { + exception = _SecurityException_(std::string("Error verifying private key ") + pkey.substr(7) + + "\n ERROR: " + ERR_error_string(ERR_get_error(), nullptr)); + EVP_PKEY_free(returnedValue); + returnedValue = nullptr; + } + + return returnedValue; +} + +} // namespace detail +} // namespace security +} // namespace rtps +} // namespace fastrtps +} // namespace eprosima + diff --git a/src/cpp/security/artifact_providers/Pkcs11Provider.hpp b/src/cpp/security/artifact_providers/Pkcs11Provider.hpp new file mode 100644 index 00000000000..dca48be87d2 --- /dev/null +++ b/src/cpp/security/artifact_providers/Pkcs11Provider.hpp @@ -0,0 +1,77 @@ +// Copyright 2021 Proyectos y Sistemas de Mantenimiento SL (eProsima). +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +/** + * @file Pkcs11Provider.hpp + */ + +#ifndef SECURITY_ARTIFACTPROVIDERS_PKCS11PROVIDER_HPP +#define SECURITY_ARTIFACTS_PKCS11PROVIDER_HPP + +#include +#include +#include +#include + +#include + + +namespace eprosima { +namespace fastrtps { +namespace rtps { +namespace security { +namespace detail { + +class Pkcs11Provider +{ + +public: + + static EVP_PKEY* load_private_key( + X509* certificate, + const std::string& file, + const std::string& password, + SecurityException& exception); + + ~Pkcs11Provider(); + +private: + + /// @return reference to singleton instance + static Pkcs11Provider& instance() + { + static Pkcs11Provider instance; + return instance; + } + + Pkcs11Provider(); + + EVP_PKEY* load_private_key_impl( + X509* certificate, + const std::string& file, + const std::string& password, + SecurityException& exception); + + SecurityException initialization_exception_; + bool has_initialization_error_ = false; + ENGINE* pkcs11_; +}; + +} // namespace detail +} //namespace security +} //namespace rtps +} //namespace fastrtps +} //namespace eprosima + +#endif // SECURITY_ARTIFACTS_PKCS11PROVIDER_HPP From 39b57060d7edcee91aff21888615ce566e588962 Mon Sep 17 00:00:00 2001 From: Iker Luengo Date: Wed, 22 Sep 2021 12:55:43 +0200 Subject: [PATCH 04/30] Refs 11914. PKIDH using PKCS11 provider depending on URI Signed-off-by: Iker Luengo --- src/cpp/CMakeLists.txt | 1 + src/cpp/security/authentication/PKIDH.cpp | 5 +++++ test/unittest/security/accesscontrol/CMakeLists.txt | 2 ++ test/unittest/security/authentication/CMakeLists.txt | 2 ++ 4 files changed, 10 insertions(+) diff --git a/src/cpp/CMakeLists.txt b/src/cpp/CMakeLists.txt index 0cb090b1403..494c076971e 100644 --- a/src/cpp/CMakeLists.txt +++ b/src/cpp/CMakeLists.txt @@ -297,6 +297,7 @@ set(${PROJECT_NAME}_security_source_files security/accesscontrol/PermissionsParser.cpp security/logging/LogTopic.cpp security/artifact_providers/FileProvider.cpp + security/artifact_providers/Pkcs11Provider.cpp ) if(SECURITY) diff --git a/src/cpp/security/authentication/PKIDH.cpp b/src/cpp/security/authentication/PKIDH.cpp index 53e31a43617..8beabd893e8 100644 --- a/src/cpp/security/authentication/PKIDH.cpp +++ b/src/cpp/security/authentication/PKIDH.cpp @@ -46,6 +46,7 @@ #include #include +#include #include #include @@ -259,6 +260,10 @@ static EVP_PKEY* load_private_key( { return detail::FileProvider::load_private_key(certificate, file, password, exception); } + else if (file.size() >= 7 && file.compare(0, 7, "pkcs11:") == 0) + { + return detail::Pkcs11Provider::load_private_key(certificate, file, password, exception); + } exception = _SecurityException_(std::string("Unsupported URI format ") + file); return nullptr; diff --git a/test/unittest/security/accesscontrol/CMakeLists.txt b/test/unittest/security/accesscontrol/CMakeLists.txt index 64d2da77158..3f640f95e40 100644 --- a/test/unittest/security/accesscontrol/CMakeLists.txt +++ b/test/unittest/security/accesscontrol/CMakeLists.txt @@ -57,10 +57,12 @@ add_executable(AccessControlTests ${COMMON_SOURCES_ACCESS_CONTROL_TEST_SOURCE} ${PROJECT_SOURCE_DIR}/src/cpp/security/accesscontrol/Permissions.cpp ${PROJECT_SOURCE_DIR}/src/cpp/security/accesscontrol/PermissionsParser.cpp ${PROJECT_SOURCE_DIR}/src/cpp/security/artifact_providers/FileProvider.cpp + ${PROJECT_SOURCE_DIR}/src/cpp/security/artifact_providers/Pkcs11Provider.cpp ${PROJECT_SOURCE_DIR}/src/cpp/utils/md5.cpp ${PROJECT_SOURCE_DIR}/src/cpp/utils/IPFinder.cpp ${PROJECT_SOURCE_DIR}/src/cpp/utils/IPLocator.cpp ${PROJECT_SOURCE_DIR}/src/cpp/utils/StringMatching.cpp + ${PROJECT_SOURCE_DIR}/src/cpp/utils/SystemInfo.cpp ${PROJECT_SOURCE_DIR}/src/cpp/fastdds/publisher/qos/WriterQos.cpp ${CMAKE_CURRENT_SOURCE_DIR}/AccessControlTests.cpp) diff --git a/test/unittest/security/authentication/CMakeLists.txt b/test/unittest/security/authentication/CMakeLists.txt index 5e572df33e2..791b24bae0e 100644 --- a/test/unittest/security/authentication/CMakeLists.txt +++ b/test/unittest/security/authentication/CMakeLists.txt @@ -45,9 +45,11 @@ add_executable(BuiltinPKIDH ${COMMON_SOURCES_AUTH_PLUGIN_TEST_SOURCE} ${PROJECT_SOURCE_DIR}/src/cpp/security/authentication/PKIIdentityHandle.cpp ${PROJECT_SOURCE_DIR}/src/cpp/security/authentication/PKIHandshakeHandle.cpp ${PROJECT_SOURCE_DIR}/src/cpp/security/artifact_providers/FileProvider.cpp + ${PROJECT_SOURCE_DIR}/src/cpp/security/artifact_providers/Pkcs11Provider.cpp ${PROJECT_SOURCE_DIR}/src/cpp/utils/md5.cpp ${PROJECT_SOURCE_DIR}/src/cpp/utils/IPFinder.cpp ${PROJECT_SOURCE_DIR}/src/cpp/utils/IPLocator.cpp + ${PROJECT_SOURCE_DIR}/src/cpp/utils/SystemInfo.cpp ${CMAKE_CURRENT_SOURCE_DIR}/BuiltinPKIDHTests.cpp) target_compile_definitions(BuiltinPKIDH PRIVATE FASTRTPS_NO_LIB BOOST_ASIO_STANDALONE From 2298d2ad19ec40cfb117716cad576c4edad85224 Mon Sep 17 00:00:00 2001 From: Iker Luengo Date: Wed, 22 Sep 2021 14:58:55 +0200 Subject: [PATCH 05/30] Refs 11914. Create a fake UI method for PKCS11 provider Otherwise, if no PIN is given on environment nor URI, the default behavior of the wrapper library is to prompt the user on the console... And we do not want that Signed-off-by: Iker Luengo --- .../artifact_providers/Pkcs11Provider.cpp | 57 +++++++++++++++++-- .../artifact_providers/Pkcs11Provider.hpp | 3 +- 2 files changed, 53 insertions(+), 7 deletions(-) diff --git a/src/cpp/security/artifact_providers/Pkcs11Provider.cpp b/src/cpp/security/artifact_providers/Pkcs11Provider.cpp index 764bf31c995..bc2d52b7a42 100644 --- a/src/cpp/security/artifact_providers/Pkcs11Provider.cpp +++ b/src/cpp/security/artifact_providers/Pkcs11Provider.cpp @@ -22,6 +22,7 @@ #include +#include #include #define S1(x) #x @@ -39,11 +40,50 @@ namespace detail { constexpr const char* FASTDDS_PKCS11_PIN = "FASTDDS_PKCS11_PIN"; constexpr const char* PKCS11_ENGINE_ID = "pkcs11"; +static int ui_open(UI *ui) +{ + return UI_method_get_opener(UI_OpenSSL())(ui); +} + +static int ui_read(UI *ui, UI_STRING *uis) +{ + switch(UI_get_string_type(uis)) + { + case UIT_PROMPT: + case UIT_VERIFY: + { + logWarning(PKCS11_PROVIDER, "PKCS#11 engine is asking: " << UI_get0_output_string(uis)); + // Return an empty password without asking the user + UI_set_result(ui, uis, ""); + return 1; + } + default: + break; + } + + // Call the default method of the engine provider + return UI_method_get_reader(UI_OpenSSL())(ui, uis); +} + + +static int ui_close(UI *ui) +{ + return UI_method_get_closer(UI_OpenSSL())(ui); +} + Pkcs11Provider::Pkcs11Provider() { SSL_load_error_strings(); /* readable error messages */ SSL_library_init(); /* initialize library */ + // Create an UI method to use with the engine + // This will be used to retrieve the PIN if none was given in the ENV nor in the URI + ui_method_ = UI_create_method("OpenSSL application user interface"); + UI_method_set_opener(ui_method_, ui_open); + UI_method_set_reader(ui_method_, ui_read); + UI_method_set_closer(ui_method_, ui_close); + + // Load the engine ENGINE_load_builtin_engines(); pkcs11_ = ENGINE_by_id(PKCS11_ENGINE_ID); if (!pkcs11_) @@ -52,10 +92,11 @@ Pkcs11Provider::Pkcs11Provider() initialization_exception_ = _SecurityException_(std::string("Error retrieving 'pkcs11' engine")); } - const char* pin; - if (ReturnCode_t::RETCODE_OK == SystemInfo::get_env(FASTDDS_PKCS11_PIN, &pin)) + // Load the PIN from the environment + std::string pin; + if (ReturnCode_t::RETCODE_OK == SystemInfo::get_env(FASTDDS_PKCS11_PIN, pin)) { - if (!ENGINE_ctrl_cmd_string( pkcs11_, "PIN", pin, 0)) + if (!ENGINE_ctrl_cmd_string( pkcs11_, "PIN", pin.c_str(), 0)) { has_initialization_error_ = true; initialization_exception_ = _SecurityException_(std::string("Error setting the PIN in the 'pkcs11' engine")); @@ -63,6 +104,7 @@ Pkcs11Provider::Pkcs11Provider() } } + // Init the engine with the PIN (if any) if(!ENGINE_init(pkcs11_)) { has_initialization_error_ = true; @@ -75,6 +117,11 @@ Pkcs11Provider::~Pkcs11Provider() { ENGINE_finish(pkcs11_); ENGINE_free(pkcs11_); + + if(ui_method_) + { + UI_destroy_method(ui_method_); + } } EVP_PKEY* Pkcs11Provider::load_private_key( @@ -92,15 +139,13 @@ EVP_PKEY* Pkcs11Provider::load_private_key_impl( const std::string& /*password*/, SecurityException& exception) { - std::cerr << "We have PKCS11 key: " << pkey << std::endl; - if (has_initialization_error_) { exception = initialization_exception_; return nullptr; } - EVP_PKEY* returnedValue = ENGINE_load_private_key(pkcs11_, pkey.c_str(), NULL, NULL); + EVP_PKEY* returnedValue = ENGINE_load_private_key(pkcs11_, pkey.c_str(), ui_method_, nullptr); if (!returnedValue) { exception = _SecurityException_(std::string("Error opening the private key ") + pkey.substr(7)); diff --git a/src/cpp/security/artifact_providers/Pkcs11Provider.hpp b/src/cpp/security/artifact_providers/Pkcs11Provider.hpp index dca48be87d2..21ac45eae72 100644 --- a/src/cpp/security/artifact_providers/Pkcs11Provider.hpp +++ b/src/cpp/security/artifact_providers/Pkcs11Provider.hpp @@ -65,7 +65,8 @@ class Pkcs11Provider SecurityException initialization_exception_; bool has_initialization_error_ = false; - ENGINE* pkcs11_; + ENGINE* pkcs11_ = nullptr; + UI_METHOD* ui_method_ = nullptr; }; } // namespace detail From bb6e2fc7a57fc18013bcf7b272c60ba19c4eaa8e Mon Sep 17 00:00:00 2001 From: Iker Luengo Date: Wed, 22 Sep 2021 16:20:54 +0200 Subject: [PATCH 06/30] Refs 11914. linters Signed-off-by: Iker Luengo --- .../security/accesscontrol/Permissions.cpp | 3 +- .../artifact_providers/FileProvider.hpp | 28 ++++++++--------- .../artifact_providers/Pkcs11Provider.cpp | 30 +++++++++++-------- .../artifact_providers/Pkcs11Provider.hpp | 16 +++++----- src/cpp/security/authentication/PKIDH.cpp | 3 +- 5 files changed, 43 insertions(+), 37 deletions(-) diff --git a/src/cpp/security/accesscontrol/Permissions.cpp b/src/cpp/security/accesscontrol/Permissions.cpp index 09d28303fe9..91bcccada6c 100644 --- a/src/cpp/security/accesscontrol/Permissions.cpp +++ b/src/cpp/security/accesscontrol/Permissions.cpp @@ -355,7 +355,8 @@ static X509_STORE* load_permissions_ca( { if (permissions_ca.size() >= 7 && permissions_ca.compare(0, 7, "file://") == 0) { - return detail::FileProvider::load_ca(permissions_ca, there_are_crls, ca_sn, ca_algo, get_signature_algorithm, exception); + return detail::FileProvider::load_ca(permissions_ca, there_are_crls, ca_sn, ca_algo, get_signature_algorithm, + exception); } exception = _SecurityException_(std::string("Unsupported URI format ") + permissions_ca); diff --git a/src/cpp/security/artifact_providers/FileProvider.hpp b/src/cpp/security/artifact_providers/FileProvider.hpp index fe70ee61c08..b5707702b54 100644 --- a/src/cpp/security/artifact_providers/FileProvider.hpp +++ b/src/cpp/security/artifact_providers/FileProvider.hpp @@ -40,26 +40,26 @@ class FileProvider public: static X509_STORE* load_ca( - const std::string& ca, - bool& there_are_crls, - std::string& ca_sn, - std::string& ca_algo, - std::function get_signature_algorithm, - SecurityException& exception); + const std::string& ca, + bool& there_are_crls, + std::string& ca_sn, + std::string& ca_algo, + std::function get_signature_algorithm, + SecurityException& exception); static EVP_PKEY* load_private_key( - X509* certificate, - const std::string& file, - const std::string& password, - SecurityException& exception); + X509* certificate, + const std::string& file, + const std::string& password, + SecurityException& exception); static X509* load_certificate( - const std::string& identity_cert, - SecurityException& exception); + const std::string& identity_cert, + SecurityException& exception); static X509_CRL* load_crl( - const std::string& identity_crl, - SecurityException& exception); + const std::string& identity_crl, + SecurityException& exception); }; diff --git a/src/cpp/security/artifact_providers/Pkcs11Provider.cpp b/src/cpp/security/artifact_providers/Pkcs11Provider.cpp index bc2d52b7a42..30537119cb0 100644 --- a/src/cpp/security/artifact_providers/Pkcs11Provider.cpp +++ b/src/cpp/security/artifact_providers/Pkcs11Provider.cpp @@ -40,22 +40,25 @@ namespace detail { constexpr const char* FASTDDS_PKCS11_PIN = "FASTDDS_PKCS11_PIN"; constexpr const char* PKCS11_ENGINE_ID = "pkcs11"; -static int ui_open(UI *ui) +static int ui_open( + UI* ui) { return UI_method_get_opener(UI_OpenSSL())(ui); } -static int ui_read(UI *ui, UI_STRING *uis) +static int ui_read( + UI* ui, + UI_STRING* uis) { - switch(UI_get_string_type(uis)) + switch (UI_get_string_type(uis)) { case UIT_PROMPT: case UIT_VERIFY: { - logWarning(PKCS11_PROVIDER, "PKCS#11 engine is asking: " << UI_get0_output_string(uis)); - // Return an empty password without asking the user - UI_set_result(ui, uis, ""); - return 1; + logWarning(PKCS11_PROVIDER, "PKCS#11 engine is asking: " << UI_get0_output_string(uis)); + // Return an empty password without asking the user + UI_set_result(ui, uis, ""); + return 1; } default: break; @@ -65,8 +68,8 @@ static int ui_read(UI *ui, UI_STRING *uis) return UI_method_get_reader(UI_OpenSSL())(ui, uis); } - -static int ui_close(UI *ui) +static int ui_close( + UI* ui) { return UI_method_get_closer(UI_OpenSSL())(ui); } @@ -99,13 +102,14 @@ Pkcs11Provider::Pkcs11Provider() if (!ENGINE_ctrl_cmd_string( pkcs11_, "PIN", pin.c_str(), 0)) { has_initialization_error_ = true; - initialization_exception_ = _SecurityException_(std::string("Error setting the PIN in the 'pkcs11' engine")); + initialization_exception_ = + _SecurityException_(std::string("Error setting the PIN in the 'pkcs11' engine")); ENGINE_free(pkcs11_); } } // Init the engine with the PIN (if any) - if(!ENGINE_init(pkcs11_)) + if (!ENGINE_init(pkcs11_)) { has_initialization_error_ = true; initialization_exception_ = _SecurityException_(std::string("Error initializeing the HSM provider library")); @@ -118,7 +122,7 @@ Pkcs11Provider::~Pkcs11Provider() ENGINE_finish(pkcs11_); ENGINE_free(pkcs11_); - if(ui_method_) + if (ui_method_) { UI_destroy_method(ui_method_); } @@ -156,7 +160,7 @@ EVP_PKEY* Pkcs11Provider::load_private_key_impl( if (!X509_check_private_key(certificate, returnedValue)) { exception = _SecurityException_(std::string("Error verifying private key ") + pkey.substr(7) - + "\n ERROR: " + ERR_error_string(ERR_get_error(), nullptr)); + + "\n ERROR: " + ERR_error_string(ERR_get_error(), nullptr)); EVP_PKEY_free(returnedValue); returnedValue = nullptr; } diff --git a/src/cpp/security/artifact_providers/Pkcs11Provider.hpp b/src/cpp/security/artifact_providers/Pkcs11Provider.hpp index 21ac45eae72..61a2187a5a6 100644 --- a/src/cpp/security/artifact_providers/Pkcs11Provider.hpp +++ b/src/cpp/security/artifact_providers/Pkcs11Provider.hpp @@ -39,10 +39,10 @@ class Pkcs11Provider public: static EVP_PKEY* load_private_key( - X509* certificate, - const std::string& file, - const std::string& password, - SecurityException& exception); + X509* certificate, + const std::string& file, + const std::string& password, + SecurityException& exception); ~Pkcs11Provider(); @@ -58,10 +58,10 @@ class Pkcs11Provider Pkcs11Provider(); EVP_PKEY* load_private_key_impl( - X509* certificate, - const std::string& file, - const std::string& password, - SecurityException& exception); + X509* certificate, + const std::string& file, + const std::string& password, + SecurityException& exception); SecurityException initialization_exception_; bool has_initialization_error_ = false; diff --git a/src/cpp/security/authentication/PKIDH.cpp b/src/cpp/security/authentication/PKIDH.cpp index 8beabd893e8..42bff539d58 100644 --- a/src/cpp/security/authentication/PKIDH.cpp +++ b/src/cpp/security/authentication/PKIDH.cpp @@ -163,7 +163,8 @@ static X509_STORE* load_identity_ca( { if (identity_ca.size() >= 7 && identity_ca.compare(0, 7, "file://") == 0) { - return detail::FileProvider::load_ca(identity_ca, there_are_crls, ca_sn, ca_algo, get_signature_algorithm, exception); + return detail::FileProvider::load_ca(identity_ca, there_are_crls, ca_sn, ca_algo, get_signature_algorithm, + exception); } exception = _SecurityException_(std::string("Unsupported URI format ") + identity_ca); From a8f30cb2c4f439423b48632fe87c5e93ab66f2ac Mon Sep 17 00:00:00 2001 From: Iker Luengo Date: Wed, 22 Sep 2021 16:38:28 +0200 Subject: [PATCH 07/30] Refs 11914. Do not make libp11 requiredwq Signed-off-by: Iker Luengo --- CMakeLists.txt | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 86d498c5daa..6eedb6655ae 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -162,11 +162,10 @@ option(SECURITY "Activate security" OFF) if(SECURITY) find_package(OpenSSL REQUIRED) - find_package(LibP11 REQUIRED) else() find_package(OpenSSL) - find_package(LibP11) endif() +find_package(LibP11) if(OPENSSL_FOUND) message(STATUS "OpenSSL library ${OPENSSL_VERSION} found...") From cc9307df982802161f23f5acee949ff064cd22c2 Mon Sep 17 00:00:00 2001 From: Iker Luengo Date: Tue, 19 Oct 2021 15:38:04 +0200 Subject: [PATCH 08/30] Refs 11914. Adding test Signed-off-by: Iker Luengo --- test/blackbox/api/dds-pim/PubSubReader.hpp | 29 +-- .../blackbox/common/BlackboxTestsSecurity.cpp | 222 ++++++++++++++++++ 2 files changed, 237 insertions(+), 14 deletions(-) diff --git a/test/blackbox/api/dds-pim/PubSubReader.hpp b/test/blackbox/api/dds-pim/PubSubReader.hpp index 0a27fbdbb40..7697a4b3667 100644 --- a/test/blackbox/api/dds-pim/PubSubReader.hpp +++ b/test/blackbox/api/dds-pim/PubSubReader.hpp @@ -349,26 +349,27 @@ class PubSubReader participant_qos_, &participant_listener_, eprosima::fastdds::dds::StatusMask::none()); - ASSERT_NE(participant_, nullptr); - ASSERT_TRUE(participant_->is_enabled()); } - participant_guid_ = participant_->guid(); + if (participant_ != nullptr) + { + participant_guid_ = participant_->guid(); - type_.reset(new type_support()); + type_.reset(new type_support()); - // Register type - ASSERT_EQ(participant_->register_type(type_), ReturnCode_t::RETCODE_OK); + // Register type + ASSERT_EQ(participant_->register_type(type_), ReturnCode_t::RETCODE_OK); - // Create topic - topic_ = - participant_->create_topic(topic_name_, type_->getName(), - eprosima::fastdds::dds::TOPIC_QOS_DEFAULT); - ASSERT_NE(topic_, nullptr); - ASSERT_TRUE(topic_->is_enabled()); + // Create topic + topic_ = + participant_->create_topic(topic_name_, type_->getName(), + eprosima::fastdds::dds::TOPIC_QOS_DEFAULT); + ASSERT_NE(topic_, nullptr); + ASSERT_TRUE(topic_->is_enabled()); - // Create publisher - createSubscriber(); + // Create publisher + createSubscriber(); + } } virtual void createSubscriber() diff --git a/test/blackbox/common/BlackboxTestsSecurity.cpp b/test/blackbox/common/BlackboxTestsSecurity.cpp index 9a51b2dfbd8..c27cfbbe10b 100644 --- a/test/blackbox/common/BlackboxTestsSecurity.cpp +++ b/test/blackbox/common/BlackboxTestsSecurity.cpp @@ -2896,6 +2896,228 @@ TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_valid } } +TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) +{ + { + PubSubReader reader("HelloWorldTopic"); + PubSubWriter writer("HelloWorldTopic"); + std::string governance_file("governance_helloworld_all_enable.smime"); + + // With no PIN, the load of the private key fails + PropertyPolicy pub_property_policy, sub_property_policy; + + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.plugin", + "builtin.PKI-DH")); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_ca", + "file://" + std::string(certs_path) + "/maincacert.pem")); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", + "file://" + std::string(certs_path) + "/mainsubcert.pem")); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", + "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=eabe6e39190e9016;token=testing-token;id=%40%9D%AD%1C%9D%36%C2%C4%AB%9C%7E%AA%82%43%97%D6%A5%C1%7D%37;object=mainsubkey;type=private")); + sub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", + "builtin.AES-GCM-GMAC")); + sub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", + "builtin.Access-Permissions")); + sub_property_policy.properties().emplace_back(Property( + "dds.sec.access.builtin.Access-Permissions.permissions_ca", + "file://" + std::string(certs_path) + "/maincacert.pem")); + sub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.governance", + "file://" + std::string(certs_path) + "/" + governance_file)); + sub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions", + "file://" + std::string(certs_path) + "/permissions_helloworld.smime")); + + reader.history_depth(10). + reliability(eprosima::fastrtps::RELIABLE_RELIABILITY_QOS). + property_policy(sub_property_policy).init(); + + ASSERT_FALSE(reader.isInitialized()); + + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.plugin", + "builtin.PKI-DH")); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_ca", + "file://" + std::string(certs_path) + "/maincacert.pem")); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", + "file://" + std::string(certs_path) + "/mainpubcert.pem")); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", + "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=eabe6e39190e9016;token=testing-token;id=%8C%BC%4F%03%F2%BD%5C%C4%F8%52%BC%F1%71%EA%9B%AC%12%DA%0A%9A;object=mainpubkey;type=private")); + pub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", + "builtin.AES-GCM-GMAC")); + pub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", + "builtin.Access-Permissions")); + pub_property_policy.properties().emplace_back(Property( + "dds.sec.access.builtin.Access-Permissions.permissions_ca", + "file://" + std::string(certs_path) + "/maincacert.pem")); + pub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.governance", + "file://" + std::string(certs_path) + "/" + governance_file)); + pub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions", + "file://" + std::string(certs_path) + "/permissions_helloworld.smime")); + + writer.history_depth(10). + property_policy(pub_property_policy).init(); + + ASSERT_FALSE(writer.isInitialized()); + } + { + PubSubReader reader("HelloWorldTopic"); + PubSubWriter writer("HelloWorldTopic"); + std::string governance_file("governance_helloworld_all_enable.smime"); + + // Set the PIN on the URI + + PropertyPolicy pub_property_policy, sub_property_policy; + + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.plugin", + "builtin.PKI-DH")); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_ca", + "file://" + std::string(certs_path) + "/maincacert.pem")); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", + "file://" + std::string(certs_path) + "/mainsubcert.pem")); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", + "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=eabe6e39190e9016;token=testing-token;id=%40%9D%AD%1C%9D%36%C2%C4%AB%9C%7E%AA%82%43%97%D6%A5%C1%7D%37;object=mainsubkey;type=private?pin-value=1234")); + sub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", + "builtin.AES-GCM-GMAC")); + sub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", + "builtin.Access-Permissions")); + sub_property_policy.properties().emplace_back(Property( + "dds.sec.access.builtin.Access-Permissions.permissions_ca", + "file://" + std::string(certs_path) + "/maincacert.pem")); + sub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.governance", + "file://" + std::string(certs_path) + "/" + governance_file)); + sub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions", + "file://" + std::string(certs_path) + "/permissions_helloworld.smime")); + + reader.history_depth(10). + reliability(eprosima::fastrtps::RELIABLE_RELIABILITY_QOS). + property_policy(sub_property_policy).init(); + + ASSERT_TRUE(reader.isInitialized()); + + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.plugin", + "builtin.PKI-DH")); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_ca", + "file://" + std::string(certs_path) + "/maincacert.pem")); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", + "file://" + std::string(certs_path) + "/mainpubcert.pem")); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", + "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=eabe6e39190e9016;token=testing-token;id=%8C%BC%4F%03%F2%BD%5C%C4%F8%52%BC%F1%71%EA%9B%AC%12%DA%0A%9A;object=mainpubkey;type=private?pin-value=1234")); + pub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", + "builtin.AES-GCM-GMAC")); + pub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", + "builtin.Access-Permissions")); + pub_property_policy.properties().emplace_back(Property( + "dds.sec.access.builtin.Access-Permissions.permissions_ca", + "file://" + std::string(certs_path) + "/maincacert.pem")); + pub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.governance", + "file://" + std::string(certs_path) + "/" + governance_file)); + pub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions", + "file://" + std::string(certs_path) + "/permissions_helloworld.smime")); + + writer.history_depth(10). + property_policy(pub_property_policy).init(); + + ASSERT_TRUE(writer.isInitialized()); + + // Wait for authorization + reader.waitAuthorized(); + writer.waitAuthorized(); + + // Wait for discovery. + writer.wait_discovery(); + reader.wait_discovery(); + + auto data = default_helloworld_data_generator(); + + reader.startReception(data); + + // Send data + writer.send(data); + // In this test all data should be sent. + ASSERT_TRUE(data.empty()); + // Block reader until reception finished or timeout. + reader.block_for_all(); + } + { + PubSubReader reader("HelloWorldTopic"); + PubSubWriter writer("HelloWorldTopic"); + std::string governance_file("governance_helloworld_all_enable.smime"); + + // Set the PIN on the environment variable + setenv("FASTDDS_PKCS11_PIN", "1234", 1); + + PropertyPolicy pub_property_policy, sub_property_policy; + + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.plugin", + "builtin.PKI-DH")); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_ca", + "file://" + std::string(certs_path) + "/maincacert.pem")); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", + "file://" + std::string(certs_path) + "/mainsubcert.pem")); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", + "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=eabe6e39190e9016;token=testing-token;id=%40%9D%AD%1C%9D%36%C2%C4%AB%9C%7E%AA%82%43%97%D6%A5%C1%7D%37;object=mainsubkey;type=private")); + sub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", + "builtin.AES-GCM-GMAC")); + sub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", + "builtin.Access-Permissions")); + sub_property_policy.properties().emplace_back(Property( + "dds.sec.access.builtin.Access-Permissions.permissions_ca", + "file://" + std::string(certs_path) + "/maincacert.pem")); + sub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.governance", + "file://" + std::string(certs_path) + "/" + governance_file)); + sub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions", + "file://" + std::string(certs_path) + "/permissions_helloworld.smime")); + + reader.history_depth(10). + reliability(eprosima::fastrtps::RELIABLE_RELIABILITY_QOS). + property_policy(sub_property_policy).init(); + + ASSERT_TRUE(reader.isInitialized()); + + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.plugin", + "builtin.PKI-DH")); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_ca", + "file://" + std::string(certs_path) + "/maincacert.pem")); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", + "file://" + std::string(certs_path) + "/mainpubcert.pem")); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", + "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=eabe6e39190e9016;token=testing-token;id=%8C%BC%4F%03%F2%BD%5C%C4%F8%52%BC%F1%71%EA%9B%AC%12%DA%0A%9A;object=mainpubkey;type=private")); + pub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", + "builtin.AES-GCM-GMAC")); + pub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", + "builtin.Access-Permissions")); + pub_property_policy.properties().emplace_back(Property( + "dds.sec.access.builtin.Access-Permissions.permissions_ca", + "file://" + std::string(certs_path) + "/maincacert.pem")); + pub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.governance", + "file://" + std::string(certs_path) + "/" + governance_file)); + pub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions", + "file://" + std::string(certs_path) + "/permissions_helloworld.smime")); + + writer.history_depth(10). + property_policy(pub_property_policy).init(); + + ASSERT_TRUE(writer.isInitialized()); + + // Wait for authorization + reader.waitAuthorized(); + writer.waitAuthorized(); + + // Wait for discovery. + writer.wait_discovery(); + reader.wait_discovery(); + + auto data = default_helloworld_data_generator(); + + reader.startReception(data); + + // Send data + writer.send(data); + // In this test all data should be sent. + ASSERT_TRUE(data.empty()); + // Block reader until reception finished or timeout. + reader.block_for_all(); + } +} + static void BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common( PubSubReader& reader, PubSubWriter& writer, From 786a930fd1fb209fb9c1728debbe812be26ddd99 Mon Sep 17 00:00:00 2001 From: Iker Luengo Date: Sun, 24 Oct 2021 15:18:16 +0200 Subject: [PATCH 09/30] Refs 11914. Create token and keys inside test Signed-off-by: Iker Luengo --- .../blackbox/common/BlackboxTestsSecurity.cpp | 67 +++++++++++++++---- 1 file changed, 55 insertions(+), 12 deletions(-) diff --git a/test/blackbox/common/BlackboxTestsSecurity.cpp b/test/blackbox/common/BlackboxTestsSecurity.cpp index c27cfbbe10b..97810287c33 100644 --- a/test/blackbox/common/BlackboxTestsSecurity.cpp +++ b/test/blackbox/common/BlackboxTestsSecurity.cpp @@ -22,6 +22,7 @@ #include "PubSubParticipant.hpp" #include +#include #include #include @@ -79,8 +80,46 @@ class Security : public testing::TestWithParam default: break; } + + //Delete the HSM token if initialized + if (!hsm_token_serial.empty()) + { + delete_hsm_token(); + } + } + + // Initializes an HSM token with the given label and PIN, and returns its serial + void prepare_hsm_token() + { + // Init the token + std::stringstream cmd; + cmd << "softhsm2-util --init-token --slot 0 --label '" << hsm_token_label << "' --pin '" << hsm_token_pin << "' --so-pin '" << hsm_token_pin << "'"; + ASSERT_EQ(0, std::system (cmd.str())); + + // Get the serial number of the HSM slot + std::stringstream serial_stream; + ASSERT_EQ(0, std::system ("softhsm2-util --show-slots | grep -oP 'Serial number:\\s*\\K(\\d|\\w)+' > softhsm_serial")); + serial_stream << std::ifstream("softhsm_serial").rdbuf(); + std::remove ("softhsm_serial"); + + //Remove possible trailing new line + hsm_token_serial = serial_stream.str(); + hsm_token_serial.erase(hsm_token_serial.find_last_not_of(" \n\t\r\f\v") + 1); + } + + void delete_hsm_token() + { + // Delete the token + std::stringstream cmd; + cmd << "softhsm2-util --delete-token --token '" << hsm_token_label << "' --pin '" << hsm_token_pin << "' --so-pin '" << hsm_token_pin << "'"; + ASSERT_EQ(0, std::system (cmd.str())); + hsm_token_serial.clear(); } + const char* hsm_token_label = "testing-token"; + const char* hsm_token_pin = "1234"; + std::string hsm_token_serial; + }; TEST_P(Security, BuiltinAuthenticationPlugin_PKIDH_validation_ok) @@ -2898,7 +2937,17 @@ TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_valid TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) { + prepare_hsm_token(); + + //Import the keys + ASSERT_EQ(0, std::system(("softhsm2-util --import " + std::string(certs_path) + "/mainpubkey.pem --token " + hsm_token_label + " --label mainpubkey --pin " + hsm_token_pin + " --id 8CBC4F03F2BD5CC4F852BCF171EA9BAC12DA0A9A").c_str())); + ASSERT_EQ(0, std::system(("softhsm2-util --import " + std::string(certs_path) + "/mainsubkey.pem --token " + hsm_token_label + " --label mainsubkey --pin " + hsm_token_pin + " --id 409DAD1C9D36C2C4AB9C7EAA824397D6A5C17D37").c_str())); + + //The keys' URLs + std::string mainsubkey = "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=" + hsm_token_serial + ";token=" + hsm_token_label + ";id=%40%9D%AD%1C%9D%36%C2%C4%AB%9C%7E%AA%82%43%97%D6%A5%C1%7D%37;object=mainsubkey;type=private"; + std::string mainpubkey = "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=" + hsm_token_serial + ";token=" + hsm_token_label + ";id=%8C%BC%4F%03%F2%BD%5C%C4%F8%52%BC%F1%71%EA%9B%AC%12%DA%0A%9A;object=mainpubkey;type=private"; { + PubSubReader reader("HelloWorldTopic"); PubSubWriter writer("HelloWorldTopic"); std::string governance_file("governance_helloworld_all_enable.smime"); @@ -2912,8 +2961,7 @@ TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) "file://" + std::string(certs_path) + "/maincacert.pem")); sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", "file://" + std::string(certs_path) + "/mainsubcert.pem")); - sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", - "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=eabe6e39190e9016;token=testing-token;id=%40%9D%AD%1C%9D%36%C2%C4%AB%9C%7E%AA%82%43%97%D6%A5%C1%7D%37;object=mainsubkey;type=private")); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", mainsubkey)); sub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", "builtin.AES-GCM-GMAC")); sub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", @@ -2938,8 +2986,7 @@ TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) "file://" + std::string(certs_path) + "/maincacert.pem")); pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", "file://" + std::string(certs_path) + "/mainpubcert.pem")); - pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", - "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=eabe6e39190e9016;token=testing-token;id=%8C%BC%4F%03%F2%BD%5C%C4%F8%52%BC%F1%71%EA%9B%AC%12%DA%0A%9A;object=mainpubkey;type=private")); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", mainpubkey)); pub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", "builtin.AES-GCM-GMAC")); pub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", @@ -2972,8 +3019,7 @@ TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) "file://" + std::string(certs_path) + "/maincacert.pem")); sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", "file://" + std::string(certs_path) + "/mainsubcert.pem")); - sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", - "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=eabe6e39190e9016;token=testing-token;id=%40%9D%AD%1C%9D%36%C2%C4%AB%9C%7E%AA%82%43%97%D6%A5%C1%7D%37;object=mainsubkey;type=private?pin-value=1234")); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", mainsubkey + "?pin-value=" + hsm_token_pin)); sub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", "builtin.AES-GCM-GMAC")); sub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", @@ -2998,8 +3044,7 @@ TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) "file://" + std::string(certs_path) + "/maincacert.pem")); pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", "file://" + std::string(certs_path) + "/mainpubcert.pem")); - pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", - "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=eabe6e39190e9016;token=testing-token;id=%8C%BC%4F%03%F2%BD%5C%C4%F8%52%BC%F1%71%EA%9B%AC%12%DA%0A%9A;object=mainpubkey;type=private?pin-value=1234")); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", mainpubkey + "?pin-value=" + hsm_token_pin)); pub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", "builtin.AES-GCM-GMAC")); pub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", @@ -3052,8 +3097,7 @@ TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) "file://" + std::string(certs_path) + "/maincacert.pem")); sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", "file://" + std::string(certs_path) + "/mainsubcert.pem")); - sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", - "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=eabe6e39190e9016;token=testing-token;id=%40%9D%AD%1C%9D%36%C2%C4%AB%9C%7E%AA%82%43%97%D6%A5%C1%7D%37;object=mainsubkey;type=private")); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", mainsubkey)); sub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", "builtin.AES-GCM-GMAC")); sub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", @@ -3078,8 +3122,7 @@ TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) "file://" + std::string(certs_path) + "/maincacert.pem")); pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", "file://" + std::string(certs_path) + "/mainpubcert.pem")); - pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", - "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=eabe6e39190e9016;token=testing-token;id=%8C%BC%4F%03%F2%BD%5C%C4%F8%52%BC%F1%71%EA%9B%AC%12%DA%0A%9A;object=mainpubkey;type=private")); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", mainpubkey)); pub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", "builtin.AES-GCM-GMAC")); pub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", From 8373695e56031f2ad62ae4540765c5959190503d Mon Sep 17 00:00:00 2001 From: Iker Luengo Date: Wed, 27 Oct 2021 16:59:51 +0200 Subject: [PATCH 10/30] Refs 11914. Refactor test Signed-off-by: Iker Luengo --- .../blackbox/common/BlackboxTestsSecurity.cpp | 160 +++++++++++++----- 1 file changed, 121 insertions(+), 39 deletions(-) diff --git a/test/blackbox/common/BlackboxTestsSecurity.cpp b/test/blackbox/common/BlackboxTestsSecurity.cpp index 97810287c33..09ee222d8da 100644 --- a/test/blackbox/common/BlackboxTestsSecurity.cpp +++ b/test/blackbox/common/BlackboxTestsSecurity.cpp @@ -23,6 +23,8 @@ #include #include +#include +#include #include #include @@ -80,21 +82,32 @@ class Security : public testing::TestWithParam default: break; } - - //Delete the HSM token if initialized - if (!hsm_token_serial.empty()) - { - delete_hsm_token(); - } } +}; + - // Initializes an HSM token with the given label and PIN, and returns its serial - void prepare_hsm_token() +class SecurityPkcs : public ::testing::Test +{ +public: + + struct HsmToken + { + std::string pin; + std::string id; + std::string serial; + std::map urls; + }; + + static void create_hsm_token( + const char* token_id) { // Init the token std::stringstream cmd; - cmd << "softhsm2-util --init-token --slot 0 --label '" << hsm_token_label << "' --pin '" << hsm_token_pin << "' --so-pin '" << hsm_token_pin << "'"; - ASSERT_EQ(0, std::system (cmd.str())); + cmd << "softhsm2-util --init-token --free --label '" << token_id << "' --pin '" << hsm_token_pin << "' --so-pin '" << hsm_token_pin << "'"; + ASSERT_EQ(0, std::system (cmd.str().c_str())); + tokens[token_id] = HsmToken(); + tokens[token_id].pin = hsm_token_pin; + tokens[token_id].id = token_id; // Get the serial number of the HSM slot std::stringstream serial_stream; @@ -102,26 +115,100 @@ class Security : public testing::TestWithParam serial_stream << std::ifstream("softhsm_serial").rdbuf(); std::remove ("softhsm_serial"); - //Remove possible trailing new line - hsm_token_serial = serial_stream.str(); - hsm_token_serial.erase(hsm_token_serial.find_last_not_of(" \n\t\r\f\v") + 1); + // Read each serial number one by one + while(!serial_stream.eof()) + { + std::string serial; + serial_stream >> serial; + if (!serial.empty()) + { + if (tokens.end() == std::find_if(tokens.begin(), tokens.end(), [&serial](std::pair t){ return t.second.serial == serial; })) + { + tokens[token_id].serial = serial; + break; + } + } + } } - void delete_hsm_token() + static void delete_hsm_token( + const char* token_id) { - // Delete the token - std::stringstream cmd; - cmd << "softhsm2-util --delete-token --token '" << hsm_token_label << "' --pin '" << hsm_token_pin << "' --so-pin '" << hsm_token_pin << "'"; - ASSERT_EQ(0, std::system (cmd.str())); - hsm_token_serial.clear(); + if (tokens.find(token_id) != tokens.end()) + { + // Delete the token + std::stringstream cmd; + cmd << "softhsm2-util --delete-token --token '" << token_id << "' --pin '" << hsm_token_pin << "' --so-pin '" << hsm_token_pin << "'"; + ASSERT_EQ(0, std::system (cmd.str().c_str())); + } } - const char* hsm_token_label = "testing-token"; - const char* hsm_token_pin = "1234"; - std::string hsm_token_serial; + static void SetUpTestCase() + { + // Init the tokens + create_hsm_token(hsm_token_id_no_pin); + create_hsm_token(hsm_token_id_url_pin); + create_hsm_token(hsm_token_id_env_pin); + + // Add the keys to the tokens + import_private_key(std::string(certs_path) + "/mainsubkey.pem", hsm_mainsubkey_label, + "1A2B3C", hsm_token_id_no_pin); + import_private_key(std::string(certs_path) + "/mainpubkey.pem", hsm_mainpubkey_label, + "ABCDEF", hsm_token_id_no_pin); + import_private_key(std::string(certs_path) + "/mainsubkey.pem", hsm_mainsubkey_label, + "123456", hsm_token_id_url_pin); + import_private_key(std::string(certs_path) + "/mainpubkey.pem", hsm_mainpubkey_label, + "789ABC", hsm_token_id_url_pin); + import_private_key(std::string(certs_path) + "/mainsubkey.pem", hsm_mainsubkey_label, + "2468AC", hsm_token_id_env_pin); + import_private_key(std::string(certs_path) + "/mainpubkey.pem", hsm_mainpubkey_label, + "13579B", hsm_token_id_env_pin); + } + + static void TearDownTestCase() + { + // delete the tokens + delete_hsm_token(hsm_token_id_no_pin); + delete_hsm_token(hsm_token_id_url_pin); + delete_hsm_token(hsm_token_id_env_pin); + } + + static void import_private_key( + const std::string& key_file, + const char* key_label, + const char* key_id, + const char* token_id) + { + ASSERT_NE(tokens.end(), tokens.find(token_id)); + + // Import the key + ASSERT_EQ(0, std::system(("softhsm2-util --import " + key_file + " --token " + token_id + " --label " + key_label + " --pin " + hsm_token_pin + " --id " + key_id).c_str())); + + // Construct the key URL + std::stringstream id_url; + for (unsigned int i = 0; i < strlen(key_id); i+=2) + { + id_url << "%" << key_id[i] << key_id[i+1]; + } + tokens[token_id].urls[key_label] = "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=" + tokens[token_id].serial + ";token=" + token_id + ";id=" + id_url.str() + ";object=" + key_label + ";type=private"; + } + + static constexpr const char* hsm_token_pin = "1234"; + static constexpr const char* hsm_token_id_no_pin = "testing_token_no_pin"; + static constexpr const char* hsm_token_id_url_pin = "testing_token_url_pin"; + static constexpr const char* hsm_token_id_env_pin = "testing_token_env_pin"; + static constexpr const char* hsm_mainsubkey_label = "mainsubkey"; + static constexpr const char* hsm_mainpubkey_label = "mainpubkey"; + + static std::map tokens; }; +std::map SecurityPkcs::tokens; +const char* const SecurityPkcs::hsm_token_id_no_pin; +const char* const SecurityPkcs::hsm_token_id_url_pin; +const char* const SecurityPkcs::hsm_token_id_env_pin; + TEST_P(Security, BuiltinAuthenticationPlugin_PKIDH_validation_ok) { PubSubReader reader(TEST_TOPIC_NAME); @@ -2935,19 +3022,9 @@ TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_valid } } -TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) +TEST_F(SecurityPkcs, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) { - prepare_hsm_token(); - - //Import the keys - ASSERT_EQ(0, std::system(("softhsm2-util --import " + std::string(certs_path) + "/mainpubkey.pem --token " + hsm_token_label + " --label mainpubkey --pin " + hsm_token_pin + " --id 8CBC4F03F2BD5CC4F852BCF171EA9BAC12DA0A9A").c_str())); - ASSERT_EQ(0, std::system(("softhsm2-util --import " + std::string(certs_path) + "/mainsubkey.pem --token " + hsm_token_label + " --label mainsubkey --pin " + hsm_token_pin + " --id 409DAD1C9D36C2C4AB9C7EAA824397D6A5C17D37").c_str())); - - //The keys' URLs - std::string mainsubkey = "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=" + hsm_token_serial + ";token=" + hsm_token_label + ";id=%40%9D%AD%1C%9D%36%C2%C4%AB%9C%7E%AA%82%43%97%D6%A5%C1%7D%37;object=mainsubkey;type=private"; - std::string mainpubkey = "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=" + hsm_token_serial + ";token=" + hsm_token_label + ";id=%8C%BC%4F%03%F2%BD%5C%C4%F8%52%BC%F1%71%EA%9B%AC%12%DA%0A%9A;object=mainpubkey;type=private"; { - PubSubReader reader("HelloWorldTopic"); PubSubWriter writer("HelloWorldTopic"); std::string governance_file("governance_helloworld_all_enable.smime"); @@ -2961,7 +3038,7 @@ TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) "file://" + std::string(certs_path) + "/maincacert.pem")); sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", "file://" + std::string(certs_path) + "/mainsubcert.pem")); - sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", mainsubkey)); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", tokens[hsm_token_id_no_pin].urls[hsm_mainsubkey_label])); sub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", "builtin.AES-GCM-GMAC")); sub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", @@ -2986,7 +3063,7 @@ TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) "file://" + std::string(certs_path) + "/maincacert.pem")); pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", "file://" + std::string(certs_path) + "/mainpubcert.pem")); - pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", mainpubkey)); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", tokens[hsm_token_id_no_pin].urls[hsm_mainpubkey_label])); pub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", "builtin.AES-GCM-GMAC")); pub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", @@ -3003,6 +3080,7 @@ TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) property_policy(pub_property_policy).init(); ASSERT_FALSE(writer.isInitialized()); + } { PubSubReader reader("HelloWorldTopic"); @@ -3019,7 +3097,7 @@ TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) "file://" + std::string(certs_path) + "/maincacert.pem")); sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", "file://" + std::string(certs_path) + "/mainsubcert.pem")); - sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", mainsubkey + "?pin-value=" + hsm_token_pin)); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", tokens[hsm_token_id_url_pin].urls[hsm_mainsubkey_label] + "?pin-value=" + hsm_token_pin)); sub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", "builtin.AES-GCM-GMAC")); sub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", @@ -3044,7 +3122,7 @@ TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) "file://" + std::string(certs_path) + "/maincacert.pem")); pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", "file://" + std::string(certs_path) + "/mainpubcert.pem")); - pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", mainpubkey + "?pin-value=" + hsm_token_pin)); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", tokens[hsm_token_id_url_pin].urls[hsm_mainpubkey_label] + "?pin-value=" + hsm_token_pin)); pub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", "builtin.AES-GCM-GMAC")); pub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", @@ -3080,6 +3158,7 @@ TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) ASSERT_TRUE(data.empty()); // Block reader until reception finished or timeout. reader.block_for_all(); + } { PubSubReader reader("HelloWorldTopic"); @@ -3097,7 +3176,7 @@ TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) "file://" + std::string(certs_path) + "/maincacert.pem")); sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", "file://" + std::string(certs_path) + "/mainsubcert.pem")); - sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", mainsubkey)); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", tokens[hsm_token_id_env_pin].urls[hsm_mainsubkey_label])); sub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", "builtin.AES-GCM-GMAC")); sub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", @@ -3122,7 +3201,7 @@ TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) "file://" + std::string(certs_path) + "/maincacert.pem")); pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", "file://" + std::string(certs_path) + "/mainpubcert.pem")); - pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", mainpubkey)); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", tokens[hsm_token_id_env_pin].urls[hsm_mainpubkey_label])); pub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", "builtin.AES-GCM-GMAC")); pub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", @@ -3158,6 +3237,9 @@ TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) ASSERT_TRUE(data.empty()); // Block reader until reception finished or timeout. reader.block_for_all(); + + // unset the PIN environment variable for the next round + unsetenv("FASTDDS_PKCS11_PIN"); } } From 6648966ddcd4f8117ae6843cf17684c07dac1198 Mon Sep 17 00:00:00 2001 From: Iker Luengo Date: Wed, 27 Oct 2021 17:03:15 +0200 Subject: [PATCH 11/30] Refs 11914. Avoid singleton and make the provider destroy with plugin Signed-off-by: Iker Luengo --- .../artifact_providers/Pkcs11Provider.cpp | 9 --------- .../artifact_providers/Pkcs11Provider.hpp | 17 +++++------------ src/cpp/security/authentication/PKIDH.cpp | 11 ++++++++--- src/cpp/security/authentication/PKIDH.h | 3 +++ 4 files changed, 16 insertions(+), 24 deletions(-) diff --git a/src/cpp/security/artifact_providers/Pkcs11Provider.cpp b/src/cpp/security/artifact_providers/Pkcs11Provider.cpp index 30537119cb0..cdd069f9164 100644 --- a/src/cpp/security/artifact_providers/Pkcs11Provider.cpp +++ b/src/cpp/security/artifact_providers/Pkcs11Provider.cpp @@ -129,15 +129,6 @@ Pkcs11Provider::~Pkcs11Provider() } EVP_PKEY* Pkcs11Provider::load_private_key( - X509* certificate, - const std::string& pkey, - const std::string& password, - SecurityException& exception) -{ - return Pkcs11Provider::instance().load_private_key_impl(certificate, pkey, password, exception); -} - -EVP_PKEY* Pkcs11Provider::load_private_key_impl( X509* certificate, const std::string& pkey, const std::string& /*password*/, diff --git a/src/cpp/security/artifact_providers/Pkcs11Provider.hpp b/src/cpp/security/artifact_providers/Pkcs11Provider.hpp index 61a2187a5a6..02386e3665d 100644 --- a/src/cpp/security/artifact_providers/Pkcs11Provider.hpp +++ b/src/cpp/security/artifact_providers/Pkcs11Provider.hpp @@ -17,7 +17,7 @@ */ #ifndef SECURITY_ARTIFACTPROVIDERS_PKCS11PROVIDER_HPP -#define SECURITY_ARTIFACTS_PKCS11PROVIDER_HPP +#define SECURITY_ARTIFACTPROVIDERS_PKCS11PROVIDER_HPP #include #include @@ -38,25 +38,18 @@ class Pkcs11Provider public: - static EVP_PKEY* load_private_key( + EVP_PKEY* load_private_key( X509* certificate, const std::string& file, const std::string& password, SecurityException& exception); + Pkcs11Provider(); + ~Pkcs11Provider(); private: - /// @return reference to singleton instance - static Pkcs11Provider& instance() - { - static Pkcs11Provider instance; - return instance; - } - - Pkcs11Provider(); - EVP_PKEY* load_private_key_impl( X509* certificate, const std::string& file, @@ -75,4 +68,4 @@ class Pkcs11Provider } //namespace fastrtps } //namespace eprosima -#endif // SECURITY_ARTIFACTS_PKCS11PROVIDER_HPP +#endif // SECURITY_ARTIFACTPROVIDERS_PKCS11PROVIDER_HPP diff --git a/src/cpp/security/authentication/PKIDH.cpp b/src/cpp/security/authentication/PKIDH.cpp index 42bff539d58..78e4cd7e58e 100644 --- a/src/cpp/security/authentication/PKIDH.cpp +++ b/src/cpp/security/authentication/PKIDH.cpp @@ -255,7 +255,8 @@ static EVP_PKEY* load_private_key( X509* certificate, const std::string& file, const std::string& password, - SecurityException& exception) + SecurityException& exception, + PKIDH& pkidh) { if (file.size() >= 7 && file.compare(0, 7, "file://") == 0) { @@ -263,7 +264,11 @@ static EVP_PKEY* load_private_key( } else if (file.size() >= 7 && file.compare(0, 7, "pkcs11:") == 0) { - return detail::Pkcs11Provider::load_private_key(certificate, file, password, exception); + if (!pkidh.pkcs11_provider) + { + pkidh.pkcs11_provider.reset(new detail::Pkcs11Provider()); + } + return pkidh.pkcs11_provider->load_private_key(certificate, file, password, exception); } exception = _SecurityException_(std::string("Unsupported URI format ") + file); @@ -1074,7 +1079,7 @@ ValidationResult_t PKIDH::validate_local_identity( { if (get_signature_algorithm((*ih)->cert_, (*ih)->sign_alg_, exception)) { - (*ih)->pkey_ = load_private_key((*ih)->cert_, *private_key, *password, exception); + (*ih)->pkey_ = load_private_key((*ih)->cert_, *private_key, *password, exception, *this); if ((*ih)->pkey_ != nullptr) { diff --git a/src/cpp/security/authentication/PKIDH.h b/src/cpp/security/authentication/PKIDH.h index 33214388b1d..e7b46b4ef67 100644 --- a/src/cpp/security/authentication/PKIDH.h +++ b/src/cpp/security/authentication/PKIDH.h @@ -22,6 +22,7 @@ #include #include #include +#include namespace eprosima { namespace fastrtps { @@ -97,6 +98,8 @@ class PKIDH : public Authentication bool return_authenticated_peer_credential_token(PermissionsCredentialToken* token, SecurityException& ex) override; + std::unique_ptr pkcs11_provider; + private: ValidationResult_t process_handshake_request(HandshakeMessageToken** handshake_message_out, From ca0534be3f5ba19984d92bea05c743f3a9beef4f Mon Sep 17 00:00:00 2001 From: Iker Luengo Date: Wed, 27 Oct 2021 17:04:11 +0200 Subject: [PATCH 12/30] Refs 11914. Conditional compile with libP11 Signed-off-by: Iker Luengo --- cmake/modules/FindLibP11.cmake | 4 ---- include/fastrtps/config.h.in | 4 ++++ src/cpp/CMakeLists.txt | 6 ++++++ src/cpp/security/artifact_providers/Pkcs11Provider.cpp | 3 --- src/cpp/security/artifact_providers/Pkcs11Provider.hpp | 5 ++++- src/cpp/security/authentication/PKIDH.cpp | 6 ++++++ src/cpp/security/authentication/PKIDH.h | 2 ++ test/blackbox/common/BlackboxTestsSecurity.cpp | 3 +++ 8 files changed, 25 insertions(+), 8 deletions(-) diff --git a/cmake/modules/FindLibP11.cmake b/cmake/modules/FindLibP11.cmake index 3c638d2cbb5..24b98b5aef4 100644 --- a/cmake/modules/FindLibP11.cmake +++ b/cmake/modules/FindLibP11.cmake @@ -23,7 +23,3 @@ ELSE(LIBP11_FOUND) ENDIF(LIBP11_FOUND) MARK_AS_ADVANCED( LIBP11_LIBRARY LIBP11_INCLUDE_DIR ) - -MESSAGE(${LIBP11_FOUND}) -MESSAGE(${LIBP11_INCLUDE_DIR}) -MESSAGE(${LIBP11_LIBRARIES}) diff --git a/include/fastrtps/config.h.in b/include/fastrtps/config.h.in index 5c437832970..d143e5ae363 100644 --- a/include/fastrtps/config.h.in +++ b/include/fastrtps/config.h.in @@ -73,6 +73,10 @@ #define HAVE_SECURITY @HAVE_SECURITY@ #endif +#ifndef HAVE_LIBP11 +#define HAVE_LIBP11 @HAVE_LIBP11@ +#endif + //Sqlite3 support #ifndef HAVE_SQLITE3 #define HAVE_SQLITE3 @HAVE_SQLITE3@ diff --git a/src/cpp/CMakeLists.txt b/src/cpp/CMakeLists.txt index 494c076971e..1c0821634e4 100644 --- a/src/cpp/CMakeLists.txt +++ b/src/cpp/CMakeLists.txt @@ -305,8 +305,14 @@ if(SECURITY) ${${PROJECT_NAME}_security_source_files} ) set(HAVE_SECURITY 1) + if(LIBP11_FOUND) + set(HAVE_LIBP11 1) + else() + set(HAVE_LIBP11 0) + endif() else() set(HAVE_SECURITY 0) + set(HAVE_LIBP11 0) endif() if(WIN32 AND (MSVC OR MSVC_IDE)) diff --git a/src/cpp/security/artifact_providers/Pkcs11Provider.cpp b/src/cpp/security/artifact_providers/Pkcs11Provider.cpp index cdd069f9164..ff94bca5a2f 100644 --- a/src/cpp/security/artifact_providers/Pkcs11Provider.cpp +++ b/src/cpp/security/artifact_providers/Pkcs11Provider.cpp @@ -20,8 +20,6 @@ #include -#include - #include #include @@ -164,4 +162,3 @@ EVP_PKEY* Pkcs11Provider::load_private_key( } // namespace rtps } // namespace fastrtps } // namespace eprosima - diff --git a/src/cpp/security/artifact_providers/Pkcs11Provider.hpp b/src/cpp/security/artifact_providers/Pkcs11Provider.hpp index 02386e3665d..61f8e2e68bc 100644 --- a/src/cpp/security/artifact_providers/Pkcs11Provider.hpp +++ b/src/cpp/security/artifact_providers/Pkcs11Provider.hpp @@ -22,7 +22,10 @@ #include #include #include + +#if HAVE_LIBP11 #include +#endif // HAVE_LIBP11 #include @@ -68,4 +71,4 @@ class Pkcs11Provider } //namespace fastrtps } //namespace eprosima -#endif // SECURITY_ARTIFACTPROVIDERS_PKCS11PROVIDER_HPP +#endif // _SECURITY_ARTIFACTPROVIDERS_PKCS11PROVIDER_HPP_ diff --git a/src/cpp/security/authentication/PKIDH.cpp b/src/cpp/security/authentication/PKIDH.cpp index 78e4cd7e58e..c8afdb98f67 100644 --- a/src/cpp/security/authentication/PKIDH.cpp +++ b/src/cpp/security/authentication/PKIDH.cpp @@ -264,11 +264,17 @@ static EVP_PKEY* load_private_key( } else if (file.size() >= 7 && file.compare(0, 7, "pkcs11:") == 0) { +#if HAVE_LIBP11 if (!pkidh.pkcs11_provider) { pkidh.pkcs11_provider.reset(new detail::Pkcs11Provider()); } return pkidh.pkcs11_provider->load_private_key(certificate, file, password, exception); +#endif // HAVE_LIBP11 + static_cast(pkidh); + exception = _SecurityException_(std::string("PKCS11 URIs require libp11 ") + file); + return nullptr; + } exception = _SecurityException_(std::string("Unsupported URI format ") + file); diff --git a/src/cpp/security/authentication/PKIDH.h b/src/cpp/security/authentication/PKIDH.h index e7b46b4ef67..2e1bdb0e5ec 100644 --- a/src/cpp/security/authentication/PKIDH.h +++ b/src/cpp/security/authentication/PKIDH.h @@ -98,7 +98,9 @@ class PKIDH : public Authentication bool return_authenticated_peer_credential_token(PermissionsCredentialToken* token, SecurityException& ex) override; +#if HAVE_LIBP11 std::unique_ptr pkcs11_provider; +#endif // HAVE_LIBP11 private: diff --git a/test/blackbox/common/BlackboxTestsSecurity.cpp b/test/blackbox/common/BlackboxTestsSecurity.cpp index 09ee222d8da..ee0f9b435a1 100644 --- a/test/blackbox/common/BlackboxTestsSecurity.cpp +++ b/test/blackbox/common/BlackboxTestsSecurity.cpp @@ -3022,6 +3022,8 @@ TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_valid } } +#if HAVE_LIBP11 + TEST_F(SecurityPkcs, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) { { @@ -3242,6 +3244,7 @@ TEST_F(SecurityPkcs, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) unsetenv("FASTDDS_PKCS11_PIN"); } } +#endif // HAVE_LIBP11 static void BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_validation_ok_common( PubSubReader& reader, From 46653be119862f1914cfefbb6f919e584096181a Mon Sep 17 00:00:00 2001 From: Iker Luengo Date: Wed, 27 Oct 2021 17:57:23 +0200 Subject: [PATCH 13/30] Refs 11914. Changes requested on review Signed-off-by: Iker Luengo --- src/cpp/security/artifact_providers/FileProvider.cpp | 5 ++--- src/cpp/security/artifact_providers/FileProvider.hpp | 6 +++--- src/cpp/security/artifact_providers/Pkcs11Provider.cpp | 2 +- src/cpp/security/artifact_providers/Pkcs11Provider.hpp | 4 ++-- 4 files changed, 8 insertions(+), 9 deletions(-) diff --git a/src/cpp/security/artifact_providers/FileProvider.cpp b/src/cpp/security/artifact_providers/FileProvider.cpp index 9fb124418be..e9dcd3a065e 100644 --- a/src/cpp/security/artifact_providers/FileProvider.cpp +++ b/src/cpp/security/artifact_providers/FileProvider.cpp @@ -16,11 +16,10 @@ * @file FileProvider.cpp */ -#include -#include - #include +#include +#include #include #define S1(x) #x diff --git a/src/cpp/security/artifact_providers/FileProvider.hpp b/src/cpp/security/artifact_providers/FileProvider.hpp index b5707702b54..ca3459fd66d 100644 --- a/src/cpp/security/artifact_providers/FileProvider.hpp +++ b/src/cpp/security/artifact_providers/FileProvider.hpp @@ -16,8 +16,8 @@ * @file FileProvider.hpp */ -#ifndef SECURITY_ARTIFACTPROVIDERS_FILEPROVIDER_HPP -#define SECURITY_ARTIFACTS_FILEPROVIDER_HPP +#ifndef _SECURITY_ARTIFACTPROVIDERS_FILEPROVIDER_HPP_ +#define _SECURITY_ARTIFACTPROVIDERS_FILEPROVIDER_HPP_ #include @@ -69,4 +69,4 @@ class FileProvider } //namespace fastrtps } //namespace eprosima -#endif // SECURITY_ARTIFACTS_FILEPROVIDER_HPP +#endif // _SECURITY_ARTIFACTPROVIDERS_FILEPROVIDER_HPP_ diff --git a/src/cpp/security/artifact_providers/Pkcs11Provider.cpp b/src/cpp/security/artifact_providers/Pkcs11Provider.cpp index ff94bca5a2f..c0a7daf6de7 100644 --- a/src/cpp/security/artifact_providers/Pkcs11Provider.cpp +++ b/src/cpp/security/artifact_providers/Pkcs11Provider.cpp @@ -110,7 +110,7 @@ Pkcs11Provider::Pkcs11Provider() if (!ENGINE_init(pkcs11_)) { has_initialization_error_ = true; - initialization_exception_ = _SecurityException_(std::string("Error initializeing the HSM provider library")); + initialization_exception_ = _SecurityException_(std::string("Error initializing the HSM provider library")); ENGINE_free(pkcs11_); } } diff --git a/src/cpp/security/artifact_providers/Pkcs11Provider.hpp b/src/cpp/security/artifact_providers/Pkcs11Provider.hpp index 61f8e2e68bc..87f558c1ef6 100644 --- a/src/cpp/security/artifact_providers/Pkcs11Provider.hpp +++ b/src/cpp/security/artifact_providers/Pkcs11Provider.hpp @@ -16,8 +16,8 @@ * @file Pkcs11Provider.hpp */ -#ifndef SECURITY_ARTIFACTPROVIDERS_PKCS11PROVIDER_HPP -#define SECURITY_ARTIFACTPROVIDERS_PKCS11PROVIDER_HPP +#ifndef _SECURITY_ARTIFACTPROVIDERS_PKCS11PROVIDER_HPP_ +#define _SECURITY_ARTIFACTPROVIDERS_PKCS11PROVIDER_HPP_ #include #include From a993743873a31304a992a452f44a1264923be789 Mon Sep 17 00:00:00 2001 From: Iker Luengo Date: Wed, 27 Oct 2021 18:00:44 +0200 Subject: [PATCH 14/30] Refs 11914. uncrustify Signed-off-by: Iker Luengo --- include/fastrtps/config.h.in | 40 ++--- src/cpp/security/authentication/PKIDH.cpp | 6 +- src/cpp/security/authentication/PKIDH.h | 170 ++++++++++-------- .../blackbox/common/BlackboxTestsSecurity.cpp | 69 ++++--- 4 files changed, 161 insertions(+), 124 deletions(-) diff --git a/include/fastrtps/config.h.in b/include/fastrtps/config.h.in index d143e5ae363..22ef7331cfc 100644 --- a/include/fastrtps/config.h.in +++ b/include/fastrtps/config.h.in @@ -25,73 +25,73 @@ // C++20 support defines #ifndef HAVE_CXX20 #define HAVE_CXX20 @HAVE_CXX20@ -#endif +#endif /* ifndef HAVE_CXX20 */ // C++17 support defines #ifndef HAVE_CXX17 #define HAVE_CXX17 @HAVE_CXX17@ -#endif +#endif /* ifndef HAVE_CXX17 */ // C++14 support defines #ifndef HAVE_CXX14 #define HAVE_CXX14 @HAVE_CXX14@ -#endif +#endif /* ifndef HAVE_CXX14 */ // C++1Y support defines #ifndef HAVE_CXX1Y #define HAVE_CXX1Y @HAVE_CXX1Y@ -#endif +#endif /* ifndef HAVE_CXX1Y */ // C++11 support defines #ifndef HAVE_CXX11 #define HAVE_CXX11 @HAVE_CXX11@ -#endif +#endif /* ifndef HAVE_CXX11 */ // C++0x support defines #ifndef HAVE_CXX0X #define HAVE_CXX0X @HAVE_CXX0X@ -#endif +#endif /* ifndef HAVE_CXX0X */ // C++ constexpr support #ifndef HAVE_CXX_CONSTEXPR #define HAVE_CXX_CONSTEXPR @HAVE_CXX_CONSTEXPR@ -#endif +#endif /* ifndef HAVE_CXX_CONSTEXPR */ #if HAVE_CXX_CONSTEXPR #define CONSTEXPR constexpr #else #define CONSTEXPR const -#endif +#endif /* if HAVE_CXX_CONSTEXPR */ // Endianness defines #ifndef FASTDDS_IS_BIG_ENDIAN_TARGET #define FASTDDS_IS_BIG_ENDIAN_TARGET @FASTDDS_IS_BIG_ENDIAN_TARGET@ -#endif +#endif /* ifndef FASTDDS_IS_BIG_ENDIAN_TARGET */ // Security #ifndef HAVE_SECURITY #define HAVE_SECURITY @HAVE_SECURITY@ -#endif +#endif /* ifndef HAVE_SECURITY */ #ifndef HAVE_LIBP11 #define HAVE_LIBP11 @HAVE_LIBP11@ -#endif +#endif /* ifndef HAVE_LIBP11 */ //Sqlite3 support #ifndef HAVE_SQLITE3 #define HAVE_SQLITE3 @HAVE_SQLITE3@ -#endif +#endif /* ifndef HAVE_SQLITE3 */ // TLS support #ifndef TLS_FOUND #define TLS_FOUND @TLS_FOUND@ -#endif +#endif /* ifndef TLS_FOUND */ // Strict real-time #ifndef HAVE_STRICT_REALTIME #define HAVE_STRICT_REALTIME @HAVE_STRICT_REALTIME@ -#endif +#endif /* ifndef HAVE_STRICT_REALTIME */ /* Log Macros */ @@ -99,17 +99,17 @@ #cmakedefine FASTDDS_ENFORCE_LOG_INFO #ifndef HAVE_LOG_NO_INFO #define HAVE_LOG_NO_INFO @HAVE_LOG_NO_INFO@ -#endif +#endif /* ifndef HAVE_LOG_NO_INFO */ // Log Warning #ifndef HAVE_LOG_NO_WARNING #define HAVE_LOG_NO_WARNING @HAVE_LOG_NO_WARNING@ -#endif +#endif /* ifndef HAVE_LOG_NO_WARNING */ // Log Error #ifndef HAVE_LOG_NO_ERROR #define HAVE_LOG_NO_ERROR @HAVE_LOG_NO_ERROR@ -#endif +#endif /* ifndef HAVE_LOG_NO_ERROR */ // Statistics #cmakedefine FASTDDS_STATISTICS @@ -123,7 +123,7 @@ #define FASTRTPS_DEPRECATED(msg) __declspec(deprecated(msg)) #else #define FASTRTPS_DEPRECATED(msg) -#endif +#endif /* if __cplusplus >= 201402L */ // Deprecation with version #define FASTDDS_DEPRECATED_UNTIL(major, entity_name, msg) \ @@ -132,7 +132,7 @@ #define FASTDDS_TODO_BEFORE(major, minor, msg) \ static_assert((FASTRTPS_VERSION_MAJOR < major) || \ - (FASTRTPS_VERSION_MAJOR == major && FASTRTPS_VERSION_MINOR < minor), \ - "TODO before version " #major "." #minor " : " #msg); + (FASTRTPS_VERSION_MAJOR == major && FASTRTPS_VERSION_MINOR < minor), \ + "TODO before version " #major "." #minor " : " #msg); #endif // _FASTRTPS_CONFIG_H_ diff --git a/src/cpp/security/authentication/PKIDH.cpp b/src/cpp/security/authentication/PKIDH.cpp index c8afdb98f67..6eeecb0fbcd 100644 --- a/src/cpp/security/authentication/PKIDH.cpp +++ b/src/cpp/security/authentication/PKIDH.cpp @@ -271,9 +271,9 @@ static EVP_PKEY* load_private_key( } return pkidh.pkcs11_provider->load_private_key(certificate, file, password, exception); #endif // HAVE_LIBP11 - static_cast(pkidh); - exception = _SecurityException_(std::string("PKCS11 URIs require libp11 ") + file); - return nullptr; + static_cast(pkidh); + exception = _SecurityException_(std::string("PKCS11 URIs require libp11 ") + file); + return nullptr; } diff --git a/src/cpp/security/authentication/PKIDH.h b/src/cpp/security/authentication/PKIDH.h index 2e1bdb0e5ec..e1ef422fd4d 100644 --- a/src/cpp/security/authentication/PKIDH.h +++ b/src/cpp/security/authentication/PKIDH.h @@ -31,88 +31,106 @@ namespace security { class PKIDH : public Authentication { - public: - - ValidationResult_t validate_local_identity(IdentityHandle** local_identity_handle, - GUID_t& adjusted_participant_key, - const uint32_t domain_id, - const RTPSParticipantAttributes& participant_attr, - const GUID_t& candidate_participant_key, - SecurityException& exception) override; - - ValidationResult_t validate_remote_identity(IdentityHandle** remote_identity_handle, - const IdentityHandle& local_identity_handle, - const IdentityToken& remote_identity_token, - const GUID_t& remote_participant_key, - SecurityException& exception) override; - - ValidationResult_t begin_handshake_request(HandshakeHandle** handshake_handle, - HandshakeMessageToken** handshake_message, - const IdentityHandle& initiator_identity_handle, - IdentityHandle& replier_identity_handle, - const CDRMessage_t& cdr_participant_data, - SecurityException& exception) override; - - ValidationResult_t begin_handshake_reply(HandshakeHandle** handshake_handle, - HandshakeMessageToken** handshake_message_out, - HandshakeMessageToken&& handshake_message_in, - IdentityHandle& initiator_identity_handle, - const IdentityHandle& replier_identity_handle, - const CDRMessage_t& cdr_participant_data, - SecurityException& exception) override; - - ValidationResult_t process_handshake(HandshakeMessageToken** handshake_message_out, - HandshakeMessageToken&& handshake_message_in, - HandshakeHandle& handshake_handle, - SecurityException& exception) override; - - SharedSecretHandle* get_shared_secret(const HandshakeHandle& handshake_handle, - SecurityException& exception) override; - - bool set_listener(AuthenticationListener* listener, - SecurityException& exception) override; - - bool get_identity_token(IdentityToken** identity_token, - const IdentityHandle& handle, - SecurityException& exception) override; - - bool return_identity_token(IdentityToken* token, - SecurityException& exception) override; - - bool return_handshake_handle(HandshakeHandle* handshake_handle, - SecurityException& exception) override; - - bool return_identity_handle(IdentityHandle* identity_handle, - SecurityException& exception) override; - - bool return_sharedsecret_handle(SharedSecretHandle* sharedsecret_handle, - SecurityException& exception) override; - - bool set_permissions_credential_and_token(IdentityHandle& identity_handle, - PermissionsCredentialToken& permissions_credential_token, - SecurityException& ex) override; - - bool get_authenticated_peer_credential_token(PermissionsCredentialToken **token, - const IdentityHandle& identity_handle, SecurityException& exception) override; - - bool return_authenticated_peer_credential_token(PermissionsCredentialToken* token, - SecurityException& ex) override; +public: + + ValidationResult_t validate_local_identity( + IdentityHandle** local_identity_handle, + GUID_t& adjusted_participant_key, + const uint32_t domain_id, + const RTPSParticipantAttributes& participant_attr, + const GUID_t& candidate_participant_key, + SecurityException& exception) override; + + ValidationResult_t validate_remote_identity( + IdentityHandle** remote_identity_handle, + const IdentityHandle& local_identity_handle, + const IdentityToken& remote_identity_token, + const GUID_t& remote_participant_key, + SecurityException& exception) override; + + ValidationResult_t begin_handshake_request( + HandshakeHandle** handshake_handle, + HandshakeMessageToken** handshake_message, + const IdentityHandle& initiator_identity_handle, + IdentityHandle& replier_identity_handle, + const CDRMessage_t& cdr_participant_data, + SecurityException& exception) override; + + ValidationResult_t begin_handshake_reply( + HandshakeHandle** handshake_handle, + HandshakeMessageToken** handshake_message_out, + HandshakeMessageToken&& handshake_message_in, + IdentityHandle& initiator_identity_handle, + const IdentityHandle& replier_identity_handle, + const CDRMessage_t& cdr_participant_data, + SecurityException& exception) override; + + ValidationResult_t process_handshake( + HandshakeMessageToken** handshake_message_out, + HandshakeMessageToken&& handshake_message_in, + HandshakeHandle& handshake_handle, + SecurityException& exception) override; + + SharedSecretHandle* get_shared_secret( + const HandshakeHandle& handshake_handle, + SecurityException& exception) override; + + bool set_listener( + AuthenticationListener* listener, + SecurityException& exception) override; + + bool get_identity_token( + IdentityToken** identity_token, + const IdentityHandle& handle, + SecurityException& exception) override; + + bool return_identity_token( + IdentityToken* token, + SecurityException& exception) override; + + bool return_handshake_handle( + HandshakeHandle* handshake_handle, + SecurityException& exception) override; + + bool return_identity_handle( + IdentityHandle* identity_handle, + SecurityException& exception) override; + + bool return_sharedsecret_handle( + SharedSecretHandle* sharedsecret_handle, + SecurityException& exception) override; + + bool set_permissions_credential_and_token( + IdentityHandle& identity_handle, + PermissionsCredentialToken& permissions_credential_token, + SecurityException& ex) override; + + bool get_authenticated_peer_credential_token( + PermissionsCredentialToken** token, + const IdentityHandle& identity_handle, + SecurityException& exception) override; + + bool return_authenticated_peer_credential_token( + PermissionsCredentialToken* token, + SecurityException& ex) override; #if HAVE_LIBP11 - std::unique_ptr pkcs11_provider; + std::unique_ptr pkcs11_provider; #endif // HAVE_LIBP11 - private: +private: - ValidationResult_t process_handshake_request(HandshakeMessageToken** handshake_message_out, - HandshakeMessageToken&& handshake_message_in, - PKIHandshakeHandle& handshake_handle, - SecurityException& exception); + ValidationResult_t process_handshake_request( + HandshakeMessageToken** handshake_message_out, + HandshakeMessageToken&& handshake_message_in, + PKIHandshakeHandle& handshake_handle, + SecurityException& exception); - ValidationResult_t process_handshake_reply(HandshakeMessageToken** handshake_message_out, - HandshakeMessageToken&& handshake_message_in, - PKIHandshakeHandle& handshake_handle, - SecurityException& exception); + ValidationResult_t process_handshake_reply( + HandshakeMessageToken** handshake_message_out, + HandshakeMessageToken&& handshake_message_in, + PKIHandshakeHandle& handshake_handle, + SecurityException& exception); }; diff --git a/test/blackbox/common/BlackboxTestsSecurity.cpp b/test/blackbox/common/BlackboxTestsSecurity.cpp index ee0f9b435a1..73e30cd0c8e 100644 --- a/test/blackbox/common/BlackboxTestsSecurity.cpp +++ b/test/blackbox/common/BlackboxTestsSecurity.cpp @@ -83,6 +83,7 @@ class Security : public testing::TestWithParam break; } } + }; @@ -103,7 +104,8 @@ class SecurityPkcs : public ::testing::Test { // Init the token std::stringstream cmd; - cmd << "softhsm2-util --init-token --free --label '" << token_id << "' --pin '" << hsm_token_pin << "' --so-pin '" << hsm_token_pin << "'"; + cmd << "softhsm2-util --init-token --free --label '" << token_id << "' --pin '" << hsm_token_pin << + "' --so-pin '" << hsm_token_pin << "'"; ASSERT_EQ(0, std::system (cmd.str().c_str())); tokens[token_id] = HsmToken(); tokens[token_id].pin = hsm_token_pin; @@ -111,18 +113,23 @@ class SecurityPkcs : public ::testing::Test // Get the serial number of the HSM slot std::stringstream serial_stream; - ASSERT_EQ(0, std::system ("softhsm2-util --show-slots | grep -oP 'Serial number:\\s*\\K(\\d|\\w)+' > softhsm_serial")); + ASSERT_EQ(0, + std::system ("softhsm2-util --show-slots | grep -oP 'Serial number:\\s*\\K(\\d|\\w)+' > softhsm_serial")); serial_stream << std::ifstream("softhsm_serial").rdbuf(); std::remove ("softhsm_serial"); // Read each serial number one by one - while(!serial_stream.eof()) + while (!serial_stream.eof()) { std::string serial; serial_stream >> serial; if (!serial.empty()) { - if (tokens.end() == std::find_if(tokens.begin(), tokens.end(), [&serial](std::pair t){ return t.second.serial == serial; })) + if (tokens.end() == std::find_if(tokens.begin(), tokens.end(), [&serial](std::pair t) + { + return t.second.serial == serial; + })) { tokens[token_id].serial = serial; break; @@ -138,7 +145,8 @@ class SecurityPkcs : public ::testing::Test { // Delete the token std::stringstream cmd; - cmd << "softhsm2-util --delete-token --token '" << token_id << "' --pin '" << hsm_token_pin << "' --so-pin '" << hsm_token_pin << "'"; + cmd << "softhsm2-util --delete-token --token '" << token_id << "' --pin '" << hsm_token_pin << + "' --so-pin '" << hsm_token_pin << "'"; ASSERT_EQ(0, std::system (cmd.str().c_str())); } } @@ -174,30 +182,35 @@ class SecurityPkcs : public ::testing::Test } static void import_private_key( - const std::string& key_file, - const char* key_label, - const char* key_id, - const char* token_id) + const std::string& key_file, + const char* key_label, + const char* key_id, + const char* token_id) { ASSERT_NE(tokens.end(), tokens.find(token_id)); // Import the key - ASSERT_EQ(0, std::system(("softhsm2-util --import " + key_file + " --token " + token_id + " --label " + key_label + " --pin " + hsm_token_pin + " --id " + key_id).c_str())); + ASSERT_EQ(0, + std::system(("softhsm2-util --import " + key_file + " --token " + token_id + " --label " + key_label + + " --pin " + hsm_token_pin + " --id " + key_id).c_str())); // Construct the key URL std::stringstream id_url; - for (unsigned int i = 0; i < strlen(key_id); i+=2) + for (unsigned int i = 0; i < strlen(key_id); i += 2) { - id_url << "%" << key_id[i] << key_id[i+1]; + id_url << "%" << key_id[i] << key_id[i + 1]; } - tokens[token_id].urls[key_label] = "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=" + tokens[token_id].serial + ";token=" + token_id + ";id=" + id_url.str() + ";object=" + key_label + ";type=private"; + tokens[token_id].urls[key_label] = "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=" + + tokens[token_id].serial + ";token=" + token_id + ";id=" + id_url.str() + ";object=" + key_label + + ";type=private"; } + static const char* const hsm_token_id_no_pin; + static const char* const hsm_token_id_url_pin; + static const char* const hsm_token_id_env_pin; + static constexpr const char* hsm_token_pin = "1234"; - static constexpr const char* hsm_token_id_no_pin = "testing_token_no_pin"; - static constexpr const char* hsm_token_id_url_pin = "testing_token_url_pin"; - static constexpr const char* hsm_token_id_env_pin = "testing_token_env_pin"; static constexpr const char* hsm_mainsubkey_label = "mainsubkey"; static constexpr const char* hsm_mainpubkey_label = "mainpubkey"; @@ -205,9 +218,9 @@ class SecurityPkcs : public ::testing::Test }; std::map SecurityPkcs::tokens; -const char* const SecurityPkcs::hsm_token_id_no_pin; -const char* const SecurityPkcs::hsm_token_id_url_pin; -const char* const SecurityPkcs::hsm_token_id_env_pin; +const char* const SecurityPkcs::hsm_token_id_no_pin = "testing_token_no_pin"; +const char* const SecurityPkcs::hsm_token_id_url_pin = "testing_token_url_pin"; +const char* const SecurityPkcs::hsm_token_id_env_pin = "testing_token_env_pin"; TEST_P(Security, BuiltinAuthenticationPlugin_PKIDH_validation_ok) { @@ -3040,7 +3053,8 @@ TEST_F(SecurityPkcs, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) "file://" + std::string(certs_path) + "/maincacert.pem")); sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", "file://" + std::string(certs_path) + "/mainsubcert.pem")); - sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", tokens[hsm_token_id_no_pin].urls[hsm_mainsubkey_label])); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", + tokens[hsm_token_id_no_pin].urls[hsm_mainsubkey_label])); sub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", "builtin.AES-GCM-GMAC")); sub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", @@ -3065,7 +3079,8 @@ TEST_F(SecurityPkcs, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) "file://" + std::string(certs_path) + "/maincacert.pem")); pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", "file://" + std::string(certs_path) + "/mainpubcert.pem")); - pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", tokens[hsm_token_id_no_pin].urls[hsm_mainpubkey_label])); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", + tokens[hsm_token_id_no_pin].urls[hsm_mainpubkey_label])); pub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", "builtin.AES-GCM-GMAC")); pub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", @@ -3099,7 +3114,8 @@ TEST_F(SecurityPkcs, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) "file://" + std::string(certs_path) + "/maincacert.pem")); sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", "file://" + std::string(certs_path) + "/mainsubcert.pem")); - sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", tokens[hsm_token_id_url_pin].urls[hsm_mainsubkey_label] + "?pin-value=" + hsm_token_pin)); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", + tokens[hsm_token_id_url_pin].urls[hsm_mainsubkey_label] + "?pin-value=" + hsm_token_pin)); sub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", "builtin.AES-GCM-GMAC")); sub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", @@ -3124,7 +3140,8 @@ TEST_F(SecurityPkcs, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) "file://" + std::string(certs_path) + "/maincacert.pem")); pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", "file://" + std::string(certs_path) + "/mainpubcert.pem")); - pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", tokens[hsm_token_id_url_pin].urls[hsm_mainpubkey_label] + "?pin-value=" + hsm_token_pin)); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", + tokens[hsm_token_id_url_pin].urls[hsm_mainpubkey_label] + "?pin-value=" + hsm_token_pin)); pub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", "builtin.AES-GCM-GMAC")); pub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", @@ -3178,7 +3195,8 @@ TEST_F(SecurityPkcs, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) "file://" + std::string(certs_path) + "/maincacert.pem")); sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", "file://" + std::string(certs_path) + "/mainsubcert.pem")); - sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", tokens[hsm_token_id_env_pin].urls[hsm_mainsubkey_label])); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", + tokens[hsm_token_id_env_pin].urls[hsm_mainsubkey_label])); sub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", "builtin.AES-GCM-GMAC")); sub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", @@ -3203,7 +3221,8 @@ TEST_F(SecurityPkcs, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) "file://" + std::string(certs_path) + "/maincacert.pem")); pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", "file://" + std::string(certs_path) + "/mainpubcert.pem")); - pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", tokens[hsm_token_id_env_pin].urls[hsm_mainpubkey_label])); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", + tokens[hsm_token_id_env_pin].urls[hsm_mainpubkey_label])); pub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", "builtin.AES-GCM-GMAC")); pub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", From 97ff8af8d71ff7397f1274a4a0a43c0b0d07f62f Mon Sep 17 00:00:00 2001 From: Iker Luengo Date: Fri, 29 Oct 2021 09:48:26 +0200 Subject: [PATCH 15/30] Refs 11914. Suggestions on tests Signed-off-by: Iker Luengo --- .../blackbox/common/BlackboxTestsSecurity.cpp | 239 ++++++------------ 1 file changed, 81 insertions(+), 158 deletions(-) diff --git a/test/blackbox/common/BlackboxTestsSecurity.cpp b/test/blackbox/common/BlackboxTestsSecurity.cpp index 73e30cd0c8e..f20e410c5dc 100644 --- a/test/blackbox/common/BlackboxTestsSecurity.cpp +++ b/test/blackbox/common/BlackboxTestsSecurity.cpp @@ -141,13 +141,15 @@ class SecurityPkcs : public ::testing::Test static void delete_hsm_token( const char* token_id) { - if (tokens.find(token_id) != tokens.end()) + auto it = tokens.find(token_id); + if (it != tokens.end()) { // Delete the token std::stringstream cmd; cmd << "softhsm2-util --delete-token --token '" << token_id << "' --pin '" << hsm_token_pin << "' --so-pin '" << hsm_token_pin << "'"; ASSERT_EQ(0, std::system (cmd.str().c_str())); + tokens.erase(it); } } @@ -3037,126 +3039,87 @@ TEST_P(Security, BuiltinAuthenticationAndAccessAndCryptoPlugin_Permissions_valid #if HAVE_LIBP11 -TEST_F(SecurityPkcs, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) +template +void prepare_pkcs11_nodes( + PubSubReader& reader, + PubSubWriter& writer, + const std::string& reader_private_key_url, + const std::string& writer_private_key_url) { - { - PubSubReader reader("HelloWorldTopic"); - PubSubWriter writer("HelloWorldTopic"); - std::string governance_file("governance_helloworld_all_enable.smime"); + std::string governance_file("governance_helloworld_all_enable.smime"); - // With no PIN, the load of the private key fails - PropertyPolicy pub_property_policy, sub_property_policy; + // With no PIN, the load of the private key fails + PropertyPolicy pub_property_policy; + PropertyPolicy sub_property_policy; - sub_property_policy.properties().emplace_back(Property("dds.sec.auth.plugin", - "builtin.PKI-DH")); - sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_ca", + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.plugin", + "builtin.PKI-DH")); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_ca", + "file://" + std::string(certs_path) + "/maincacert.pem")); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", + "file://" + std::string(certs_path) + "/mainsubcert.pem")); + sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", + reader_private_key_url)); + sub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", + "builtin.AES-GCM-GMAC")); + sub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", + "builtin.Access-Permissions")); + sub_property_policy.properties().emplace_back(Property( + "dds.sec.access.builtin.Access-Permissions.permissions_ca", "file://" + std::string(certs_path) + "/maincacert.pem")); - sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", - "file://" + std::string(certs_path) + "/mainsubcert.pem")); - sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", - tokens[hsm_token_id_no_pin].urls[hsm_mainsubkey_label])); - sub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", - "builtin.AES-GCM-GMAC")); - sub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", - "builtin.Access-Permissions")); - sub_property_policy.properties().emplace_back(Property( - "dds.sec.access.builtin.Access-Permissions.permissions_ca", - "file://" + std::string(certs_path) + "/maincacert.pem")); - sub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.governance", - "file://" + std::string(certs_path) + "/" + governance_file)); - sub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions", - "file://" + std::string(certs_path) + "/permissions_helloworld.smime")); - - reader.history_depth(10). - reliability(eprosima::fastrtps::RELIABLE_RELIABILITY_QOS). - property_policy(sub_property_policy).init(); + sub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.governance", + "file://" + std::string(certs_path) + "/" + governance_file)); + sub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions", + "file://" + std::string(certs_path) + "/permissions_helloworld.smime")); - ASSERT_FALSE(reader.isInitialized()); + reader.history_depth(10). + reliability(eprosima::fastrtps::RELIABLE_RELIABILITY_QOS). + property_policy(sub_property_policy).init(); - pub_property_policy.properties().emplace_back(Property("dds.sec.auth.plugin", - "builtin.PKI-DH")); - pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_ca", + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.plugin", + "builtin.PKI-DH")); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_ca", + "file://" + std::string(certs_path) + "/maincacert.pem")); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", + "file://" + std::string(certs_path) + "/mainpubcert.pem")); + pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", + writer_private_key_url)); + pub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", + "builtin.AES-GCM-GMAC")); + pub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", + "builtin.Access-Permissions")); + pub_property_policy.properties().emplace_back(Property( + "dds.sec.access.builtin.Access-Permissions.permissions_ca", "file://" + std::string(certs_path) + "/maincacert.pem")); - pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", - "file://" + std::string(certs_path) + "/mainpubcert.pem")); - pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", - tokens[hsm_token_id_no_pin].urls[hsm_mainpubkey_label])); - pub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", - "builtin.AES-GCM-GMAC")); - pub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", - "builtin.Access-Permissions")); - pub_property_policy.properties().emplace_back(Property( - "dds.sec.access.builtin.Access-Permissions.permissions_ca", - "file://" + std::string(certs_path) + "/maincacert.pem")); - pub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.governance", - "file://" + std::string(certs_path) + "/" + governance_file)); - pub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions", - "file://" + std::string(certs_path) + "/permissions_helloworld.smime")); + pub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.governance", + "file://" + std::string(certs_path) + "/" + governance_file)); + pub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions", + "file://" + std::string(certs_path) + "/permissions_helloworld.smime")); - writer.history_depth(10). - property_policy(pub_property_policy).init(); + writer.history_depth(10). + property_policy(pub_property_policy).init(); +} - ASSERT_FALSE(writer.isInitialized()); +TEST_F(SecurityPkcs, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) +{ + { + PubSubReader reader("HelloWorldTopic"); + PubSubWriter writer("HelloWorldTopic"); + prepare_pkcs11_nodes(reader, writer, + tokens[hsm_token_id_no_pin].urls[hsm_mainsubkey_label], + tokens[hsm_token_id_no_pin].urls[hsm_mainpubkey_label]); + ASSERT_FALSE(reader.isInitialized()); + ASSERT_FALSE(writer.isInitialized()); } { PubSubReader reader("HelloWorldTopic"); PubSubWriter writer("HelloWorldTopic"); - std::string governance_file("governance_helloworld_all_enable.smime"); - - // Set the PIN on the URI - - PropertyPolicy pub_property_policy, sub_property_policy; - - sub_property_policy.properties().emplace_back(Property("dds.sec.auth.plugin", - "builtin.PKI-DH")); - sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_ca", - "file://" + std::string(certs_path) + "/maincacert.pem")); - sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", - "file://" + std::string(certs_path) + "/mainsubcert.pem")); - sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", - tokens[hsm_token_id_url_pin].urls[hsm_mainsubkey_label] + "?pin-value=" + hsm_token_pin)); - sub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", - "builtin.AES-GCM-GMAC")); - sub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", - "builtin.Access-Permissions")); - sub_property_policy.properties().emplace_back(Property( - "dds.sec.access.builtin.Access-Permissions.permissions_ca", - "file://" + std::string(certs_path) + "/maincacert.pem")); - sub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.governance", - "file://" + std::string(certs_path) + "/" + governance_file)); - sub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions", - "file://" + std::string(certs_path) + "/permissions_helloworld.smime")); - - reader.history_depth(10). - reliability(eprosima::fastrtps::RELIABLE_RELIABILITY_QOS). - property_policy(sub_property_policy).init(); + prepare_pkcs11_nodes(reader, writer, + tokens[hsm_token_id_url_pin].urls[hsm_mainsubkey_label] + "?pin-value=" + hsm_token_pin, + tokens[hsm_token_id_url_pin].urls[hsm_mainpubkey_label] + "?pin-value=" + hsm_token_pin); ASSERT_TRUE(reader.isInitialized()); - - pub_property_policy.properties().emplace_back(Property("dds.sec.auth.plugin", - "builtin.PKI-DH")); - pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_ca", - "file://" + std::string(certs_path) + "/maincacert.pem")); - pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", - "file://" + std::string(certs_path) + "/mainpubcert.pem")); - pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", - tokens[hsm_token_id_url_pin].urls[hsm_mainpubkey_label] + "?pin-value=" + hsm_token_pin)); - pub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", - "builtin.AES-GCM-GMAC")); - pub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", - "builtin.Access-Permissions")); - pub_property_policy.properties().emplace_back(Property( - "dds.sec.access.builtin.Access-Permissions.permissions_ca", - "file://" + std::string(certs_path) + "/maincacert.pem")); - pub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.governance", - "file://" + std::string(certs_path) + "/" + governance_file)); - pub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions", - "file://" + std::string(certs_path) + "/permissions_helloworld.smime")); - - writer.history_depth(10). - property_policy(pub_property_policy).init(); - ASSERT_TRUE(writer.isInitialized()); // Wait for authorization @@ -3180,64 +3143,20 @@ TEST_F(SecurityPkcs, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) } { - PubSubReader reader("HelloWorldTopic"); - PubSubWriter writer("HelloWorldTopic"); - std::string governance_file("governance_helloworld_all_enable.smime"); - // Set the PIN on the environment variable +#ifdef _WIN32 + _putenv_s("FASTDDS_PKCS11_PIN", "1234"); +#else setenv("FASTDDS_PKCS11_PIN", "1234", 1); +#endif // ifdef _WIN32 - PropertyPolicy pub_property_policy, sub_property_policy; - - sub_property_policy.properties().emplace_back(Property("dds.sec.auth.plugin", - "builtin.PKI-DH")); - sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_ca", - "file://" + std::string(certs_path) + "/maincacert.pem")); - sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", - "file://" + std::string(certs_path) + "/mainsubcert.pem")); - sub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", - tokens[hsm_token_id_env_pin].urls[hsm_mainsubkey_label])); - sub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", - "builtin.AES-GCM-GMAC")); - sub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", - "builtin.Access-Permissions")); - sub_property_policy.properties().emplace_back(Property( - "dds.sec.access.builtin.Access-Permissions.permissions_ca", - "file://" + std::string(certs_path) + "/maincacert.pem")); - sub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.governance", - "file://" + std::string(certs_path) + "/" + governance_file)); - sub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions", - "file://" + std::string(certs_path) + "/permissions_helloworld.smime")); - - reader.history_depth(10). - reliability(eprosima::fastrtps::RELIABLE_RELIABILITY_QOS). - property_policy(sub_property_policy).init(); + PubSubReader reader("HelloWorldTopic"); + PubSubWriter writer("HelloWorldTopic"); + prepare_pkcs11_nodes(reader, writer, + tokens[hsm_token_id_env_pin].urls[hsm_mainsubkey_label], + tokens[hsm_token_id_env_pin].urls[hsm_mainpubkey_label]); ASSERT_TRUE(reader.isInitialized()); - - pub_property_policy.properties().emplace_back(Property("dds.sec.auth.plugin", - "builtin.PKI-DH")); - pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_ca", - "file://" + std::string(certs_path) + "/maincacert.pem")); - pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.identity_certificate", - "file://" + std::string(certs_path) + "/mainpubcert.pem")); - pub_property_policy.properties().emplace_back(Property("dds.sec.auth.builtin.PKI-DH.private_key", - tokens[hsm_token_id_env_pin].urls[hsm_mainpubkey_label])); - pub_property_policy.properties().emplace_back(Property("dds.sec.crypto.plugin", - "builtin.AES-GCM-GMAC")); - pub_property_policy.properties().emplace_back(Property("dds.sec.access.plugin", - "builtin.Access-Permissions")); - pub_property_policy.properties().emplace_back(Property( - "dds.sec.access.builtin.Access-Permissions.permissions_ca", - "file://" + std::string(certs_path) + "/maincacert.pem")); - pub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.governance", - "file://" + std::string(certs_path) + "/" + governance_file)); - pub_property_policy.properties().emplace_back(Property("dds.sec.access.builtin.Access-Permissions.permissions", - "file://" + std::string(certs_path) + "/permissions_helloworld.smime")); - - writer.history_depth(10). - property_policy(pub_property_policy).init(); - ASSERT_TRUE(writer.isInitialized()); // Wait for authorization @@ -3260,7 +3179,11 @@ TEST_F(SecurityPkcs, BuiltinAuthenticationAndAccessAndCryptoPlugin_pkcs11_key) reader.block_for_all(); // unset the PIN environment variable for the next round +#ifdef _WIN32 + _putenv_s("FASTDDS_PKCS11_PIN", ""); +#else unsetenv("FASTDDS_PKCS11_PIN"); +#endif // ifdef _WIN32 } } #endif // HAVE_LIBP11 From 3096ce5777ceca011cf2acdf02ed80b1bf77b4d3 Mon Sep 17 00:00:00 2001 From: Iker Luengo Date: Tue, 2 Nov 2021 10:01:56 +0100 Subject: [PATCH 16/30] Refs 11914. Update dependencies on README Signed-off-by: Iker Luengo --- README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/README.md b/README.md index af7c2724a96..4e47ab248aa 100644 --- a/README.md +++ b/README.md @@ -93,6 +93,22 @@ choco install -y -s asio tinyxml2 Please replace `` with the folder you downloaded the packages to. +##### Libp11 library + +Libp11 provides PKCS#11 support for openSSL. This is an optional dependency, +that is needed only when *eprosima Fast DDS* is used with security and PKCS#11 URLs. + +On Linux, you can install libp11 using the package manager of your Linux distribution. +For example, on Ubuntu you can install them by using its package manager with the next command. + +```bash +sudo apt install libp11-dev libengine-pkcs11-openssl +``` + +On Windows, you can download and compile the library from this +[ROS2 Github repository](https://github.com/OpenSC/libp11). +Follow the instructions on the repository to compile it on your platform. + #### Colcon installation [colcon](https://colcon.readthedocs.io) is a command line tool to build sets of software packages. From ef9cd3b7dbe0f932967f02014918c19450132cbe Mon Sep 17 00:00:00 2001 From: Iker Luengo Date: Wed, 3 Nov 2021 14:17:49 +0100 Subject: [PATCH 17/30] Refs 11914. update fastrtps API pubsubreader Signed-off-by: Iker Luengo --- .../api/fastrtps_deprecated/PubSubReader.hpp | 27 ++++++++++--------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/test/blackbox/api/fastrtps_deprecated/PubSubReader.hpp b/test/blackbox/api/fastrtps_deprecated/PubSubReader.hpp index 2ae8b618bf0..0c754515f22 100644 --- a/test/blackbox/api/fastrtps_deprecated/PubSubReader.hpp +++ b/test/blackbox/api/fastrtps_deprecated/PubSubReader.hpp @@ -289,7 +289,7 @@ class PubSubReader return *subscriber_; } - void init() + void init(bool must_fail = false) { participant_attr_.domainId = (uint32_t)GET_PID() % 230; @@ -301,22 +301,23 @@ class PubSubReader participant_ = eprosima::fastrtps::Domain::createParticipant(participant_attr, &participant_listener_); - ASSERT_NE(participant_, nullptr); - - participant_guid_ = participant_->getGuid(); + if (participant_ != nullptr) + { + participant_guid_ = participant_->getGuid(); - // Register type - ASSERT_EQ(eprosima::fastrtps::Domain::registerType(participant_, &type_), true); + // Register type + ASSERT_EQ(eprosima::fastrtps::Domain::registerType(participant_, &type_), true); - //Create subscribe r - subscriber_ = eprosima::fastrtps::Domain::createSubscriber(participant_, subscriber_attr, &listener_); + //Create subscribe r + subscriber_ = eprosima::fastrtps::Domain::createSubscriber(participant_, subscriber_attr, &listener_); - if (subscriber_ != nullptr) - { - std::cout << "Created subscriber " << subscriber_->getGuid() << " for topic " << - subscriber_attr_.topic.topicName << std::endl; + if (subscriber_ != nullptr) + { + std::cout << "Created subscriber " << subscriber_->getGuid() << " for topic " << + subscriber_attr_.topic.topicName << std::endl; - initialized_ = true; + initialized_ = true; + } } } From ac891f1afaa807235ff591edfd0d90e2b68574db Mon Sep 17 00:00:00 2001 From: Iker Luengo Date: Thu, 4 Nov 2021 07:46:58 +0100 Subject: [PATCH 18/30] Refs 11914. Remove unused parameter Signed-off-by: Iker Luengo --- test/blackbox/api/fastrtps_deprecated/PubSubReader.hpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/blackbox/api/fastrtps_deprecated/PubSubReader.hpp b/test/blackbox/api/fastrtps_deprecated/PubSubReader.hpp index 0c754515f22..a5e40ab3dff 100644 --- a/test/blackbox/api/fastrtps_deprecated/PubSubReader.hpp +++ b/test/blackbox/api/fastrtps_deprecated/PubSubReader.hpp @@ -289,7 +289,7 @@ class PubSubReader return *subscriber_; } - void init(bool must_fail = false) + void init() { participant_attr_.domainId = (uint32_t)GET_PID() % 230; From bf966448e2fb6252a3d41f9cf340bb4e8b7a4b7d Mon Sep 17 00:00:00 2001 From: Miguel Barro Date: Sun, 5 Dec 2021 15:40:41 +0100 Subject: [PATCH 19/30] Refs 11914. Update CMake framework Signed-off-by: Miguel Barro --- src/cpp/CMakeLists.txt | 4 +++- test/blackbox/CMakeLists.txt | 6 ++++-- test/unittest/security/accesscontrol/CMakeLists.txt | 2 ++ test/unittest/security/authentication/CMakeLists.txt | 10 +++++++++- 4 files changed, 18 insertions(+), 4 deletions(-) diff --git a/src/cpp/CMakeLists.txt b/src/cpp/CMakeLists.txt index 1c0821634e4..a4d2692a19e 100644 --- a/src/cpp/CMakeLists.txt +++ b/src/cpp/CMakeLists.txt @@ -425,6 +425,7 @@ target_include_directories(${PROJECT_NAME} PUBLIC ${TINYXML2_INCLUDE_DIR} $<$:${ANDROID_IFADDRS_INCLUDE_DIR}> ${THIRDPARTY_BOOST_INCLUDE_DIR} + ${LIBP11_INCLUDE_DIR} ) # No need to expose linked libs when target is a shared library on MSVC. @@ -441,8 +442,9 @@ find_package(Atomic MODULE) target_link_libraries(${PROJECT_NAME} ${PRIVACY} fastcdr foonathan_memory ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS} ${TINYXML2_LIBRARY} - $<$:OpenSSL::SSL$OpenSSL::Crypto$<$:$p11>$<$:$crypt32.lib>> + $<$:OpenSSL::SSL$OpenSSL::Crypto$<$:$crypt32.lib>> $<$:iphlpapi$Shlwapi> + ${LIBP11_LIBRARIES} ${THIRDPARTY_BOOST_LINK_LIBS} PRIVATE eProsima_atomic ) diff --git a/test/blackbox/CMakeLists.txt b/test/blackbox/CMakeLists.txt index bc771212308..8ba761096e9 100644 --- a/test/blackbox/CMakeLists.txt +++ b/test/blackbox/CMakeLists.txt @@ -279,8 +279,9 @@ if(FASTRTPS_API_TESTS) ) target_include_directories(BlackboxTests_FastRTPS PRIVATE ${Asio_INCLUDE_DIR} + ${LIBP11_INCLUDE_DIR} api/fastrtps_deprecated) - target_link_libraries(BlackboxTests_FastRTPS fastrtps fastcdr foonathan_memory GTest::gtest) + target_link_libraries(BlackboxTests_FastRTPS fastrtps fastcdr foonathan_memory GTest::gtest ${LIBP11_LIBRARIES}) add_blackbox_gtest(BlackboxTests_FastRTPS SOURCES ${BLACKBOXTESTS_TEST_SOURCE} ENVIRONMENTS "CERTS_PATH=${PROJECT_SOURCE_DIR}/test/certs" "TOPIC_RANDOM_NUMBER=${TOPIC_RANDOM_NUMBER}" @@ -318,8 +319,9 @@ if(FASTDDS_PIM_API_TESTS) ) target_include_directories(BlackboxTests_DDS_PIM PRIVATE ${Asio_INCLUDE_DIR} + ${LIBP11_INCLUDE_DIR} api/dds-pim) - target_link_libraries(BlackboxTests_DDS_PIM fastrtps fastcdr foonathan_memory GTest::gtest) + target_link_libraries(BlackboxTests_DDS_PIM fastrtps fastcdr foonathan_memory GTest::gtest ${LIBP11_LIBRARIES}) add_blackbox_gtest(BlackboxTests_DDS_PIM SOURCES ${DDS_BLACKBOXTESTS_SOURCE} ENVIRONMENTS "CERTS_PATH=${PROJECT_SOURCE_DIR}/test/certs" "TOPIC_RANDOM_NUMBER=${TOPIC_RANDOM_NUMBER}" diff --git a/test/unittest/security/accesscontrol/CMakeLists.txt b/test/unittest/security/accesscontrol/CMakeLists.txt index 3f640f95e40..8c5cc9a0ccf 100644 --- a/test/unittest/security/accesscontrol/CMakeLists.txt +++ b/test/unittest/security/accesscontrol/CMakeLists.txt @@ -85,6 +85,7 @@ target_include_directories(AccessControlTests PRIVATE ${OPENSSL_INCLUDE_DIR} ${PROJECT_SOURCE_DIR}/include ${PROJECT_BINARY_DIR}/include ${PROJECT_SOURCE_DIR}/src/cpp + ${LIBP11_INCLUDE_DIR} ) target_link_libraries(AccessControlTests @@ -94,6 +95,7 @@ target_link_libraries(AccessControlTests foonathan_memory $<$:ws2_32> ${TINYXML2_LIBRARY} + ${LIBP11_LIBRARIES} ) if(MSVC OR MSVC_IDE) diff --git a/test/unittest/security/authentication/CMakeLists.txt b/test/unittest/security/authentication/CMakeLists.txt index 791b24bae0e..b195296d2c2 100644 --- a/test/unittest/security/authentication/CMakeLists.txt +++ b/test/unittest/security/authentication/CMakeLists.txt @@ -63,8 +63,16 @@ target_include_directories(BuiltinPKIDH PRIVATE ${OPENSSL_INCLUDE_DIR} ${PROJECT_SOURCE_DIR}/include ${PROJECT_BINARY_DIR}/include ${PROJECT_SOURCE_DIR}/src/cpp + ${LIBP11_INCLUDE_DIR} + ) +target_link_libraries(BuiltinPKIDH + GTest::gtest + ${OPENSSL_LIBRARIES} + fastcdr + foonathan_memory + $<$:ws2_32> + ${LIBP11_LIBRARIES} ) -target_link_libraries(BuiltinPKIDH GTest::gtest ${OPENSSL_LIBRARIES} fastcdr foonathan_memory $<$:ws2_32>) add_gtest(BuiltinPKIDH SOURCES ${CMAKE_CURRENT_SOURCE_DIR}/BuiltinPKIDHTests.cpp ${CMAKE_CURRENT_SOURCE_DIR}/AuthenticationPluginTests.hpp From 00c586b226a439385576ea94d8b8494191d3c6bc Mon Sep 17 00:00:00 2001 From: Miguel Barro Date: Thu, 9 Dec 2021 10:09:43 +0100 Subject: [PATCH 20/30] Refs 11914. Make p11 windows installer friendly Signed-off-by: Miguel Barro --- cmake/modules/FindLibP11.cmake | 54 ++++++++++++------- src/cpp/CMakeLists.txt | 4 +- src/cpp/security/authentication/PKIDH.cpp | 4 +- test/blackbox/CMakeLists.txt | 19 +++++-- .../security/accesscontrol/CMakeLists.txt | 3 +- .../security/authentication/CMakeLists.txt | 3 +- test/unittest/transport/TCPv4Tests.cpp | 36 ++++++------- 7 files changed, 74 insertions(+), 49 deletions(-) diff --git a/cmake/modules/FindLibP11.cmake b/cmake/modules/FindLibP11.cmake index 24b98b5aef4..ebaaa7289b2 100644 --- a/cmake/modules/FindLibP11.cmake +++ b/cmake/modules/FindLibP11.cmake @@ -1,25 +1,43 @@ -# Find libp11 +# FindLibP11 # -# LIBP11_INCLUDE_DIR -# LIBP11_LIBRARIES -# LIBP11_FOUND +# Generates an imported target associated to an available pksc11 library: +# +# + On linux relies on the apt package libp11-dev +# +# + On Windows the library must be build from sources available at https://github.com/OpenSC/libp11.git +# Given that each user must build its own binaries the following environment variables must be set to hint +# where to locate headers and binaries (semicolon-separated list see https://cmake.org/cmake/help/v3.22/variable/PackageName_ROOT.html): +# + LibP11_ROOT_32 -> to reference sources and 32 bit binaries location +# + LibP11_ROOT_64 -> to reference sources and 64 bit binaries location + +if(TARGET eProsima_p11) + return() +endif() -IF (LIBP11_INCLUDE_DIR) - SET(LIBP11_FIND_QUIETLY TRUE) -ENDIF (LIBP11_INCLUDE_DIR) +if(CMAKE_SIZEOF_VOID_P EQUAL 4) + set(LibP11_ROOT "$ENV{LibP11_ROOT_32}") +else() + set(LibP11_ROOT "$ENV{LibP11_ROOT_64}") +endif() -FIND_PATH(LIBP11_INCLUDE_DIR libp11.h) +find_path(LIBP11_INCLUDE_DIR NAMES libp11.h HINTS ${LibP11_ROOT}) +find_library(LIBP11_LIBRARY NAMES libp11.a libp11.lib HINTS ${LibP11_ROOT}) -SET(LIBP11_NAMES p11 libp11) -FIND_LIBRARY(LIBP11_LIBRARY NAMES ${LIBP11_NAMES} ) +include(FindPackageHandleStandardArgs) +find_package_handle_standard_args(LibP11 DEFAULT_MSG LIBP11_LIBRARY LIBP11_INCLUDE_DIR) -INCLUDE(FindPackageHandleStandardArgs) -FIND_PACKAGE_HANDLE_STANDARD_ARGS(LibP11 DEFAULT_MSG LIBP11_LIBRARY LIBP11_INCLUDE_DIR) +if(LibP11_FOUND) + # add the target + add_library(eProsima_p11 STATIC IMPORTED) -IF(LIBP11_FOUND) - SET( LIBP11_LIBRARIES ${LIBP11_LIBRARY} ) -ELSE(LIBP11_FOUND) - SET( LIBP11_LIBRARIES ) -ENDIF(LIBP11_FOUND) + # update the properties + set_target_properties(eProsima_p11 PROPERTIES + IMPORTED_LOCATION "${LIBP11_LIBRARY}" + INTERFACE_INCLUDE_DIRECTORIES "${LIBP11_INCLUDE_DIR}" + ) +endif() -MARK_AS_ADVANCED( LIBP11_LIBRARY LIBP11_INCLUDE_DIR ) +# clean local variables +unset(LIBP11_INCLUDE_DIR) +unset(LIBP11_LIBRARY) +unset(LibP11_ROOT) diff --git a/src/cpp/CMakeLists.txt b/src/cpp/CMakeLists.txt index a4d2692a19e..e3386da1568 100644 --- a/src/cpp/CMakeLists.txt +++ b/src/cpp/CMakeLists.txt @@ -425,7 +425,6 @@ target_include_directories(${PROJECT_NAME} PUBLIC ${TINYXML2_INCLUDE_DIR} $<$:${ANDROID_IFADDRS_INCLUDE_DIR}> ${THIRDPARTY_BOOST_INCLUDE_DIR} - ${LIBP11_INCLUDE_DIR} ) # No need to expose linked libs when target is a shared library on MSVC. @@ -444,9 +443,8 @@ target_link_libraries(${PROJECT_NAME} ${PRIVACY} fastcdr foonathan_memory ${TINYXML2_LIBRARY} $<$:OpenSSL::SSL$OpenSSL::Crypto$<$:$crypt32.lib>> $<$:iphlpapi$Shlwapi> - ${LIBP11_LIBRARIES} ${THIRDPARTY_BOOST_LINK_LIBS} - PRIVATE eProsima_atomic + PRIVATE eProsima_atomic $ ) if(MSVC OR MSVC_IDE) diff --git a/src/cpp/security/authentication/PKIDH.cpp b/src/cpp/security/authentication/PKIDH.cpp index 6eeecb0fbcd..d51859b5f53 100644 --- a/src/cpp/security/authentication/PKIDH.cpp +++ b/src/cpp/security/authentication/PKIDH.cpp @@ -270,11 +270,11 @@ static EVP_PKEY* load_private_key( pkidh.pkcs11_provider.reset(new detail::Pkcs11Provider()); } return pkidh.pkcs11_provider->load_private_key(certificate, file, password, exception); -#endif // HAVE_LIBP11 +#else // HAVE_LIBP11 static_cast(pkidh); exception = _SecurityException_(std::string("PKCS11 URIs require libp11 ") + file); return nullptr; - +#endif // HAVE_LIBP11 } exception = _SecurityException_(std::string("Unsupported URI format ") + file); diff --git a/test/blackbox/CMakeLists.txt b/test/blackbox/CMakeLists.txt index 8ba761096e9..28fd1aa2535 100644 --- a/test/blackbox/CMakeLists.txt +++ b/test/blackbox/CMakeLists.txt @@ -279,9 +279,15 @@ if(FASTRTPS_API_TESTS) ) target_include_directories(BlackboxTests_FastRTPS PRIVATE ${Asio_INCLUDE_DIR} - ${LIBP11_INCLUDE_DIR} api/fastrtps_deprecated) - target_link_libraries(BlackboxTests_FastRTPS fastrtps fastcdr foonathan_memory GTest::gtest ${LIBP11_LIBRARIES}) + target_link_libraries(BlackboxTests_FastRTPS + fastrtps + fastcdr + foonathan_memory + GTest::gtest + $ + ) + add_blackbox_gtest(BlackboxTests_FastRTPS SOURCES ${BLACKBOXTESTS_TEST_SOURCE} ENVIRONMENTS "CERTS_PATH=${PROJECT_SOURCE_DIR}/test/certs" "TOPIC_RANDOM_NUMBER=${TOPIC_RANDOM_NUMBER}" @@ -319,9 +325,14 @@ if(FASTDDS_PIM_API_TESTS) ) target_include_directories(BlackboxTests_DDS_PIM PRIVATE ${Asio_INCLUDE_DIR} - ${LIBP11_INCLUDE_DIR} api/dds-pim) - target_link_libraries(BlackboxTests_DDS_PIM fastrtps fastcdr foonathan_memory GTest::gtest ${LIBP11_LIBRARIES}) + target_link_libraries(BlackboxTests_DDS_PIM + fastrtps + fastcdr + foonathan_memory + GTest::gtest + $ + ) add_blackbox_gtest(BlackboxTests_DDS_PIM SOURCES ${DDS_BLACKBOXTESTS_SOURCE} ENVIRONMENTS "CERTS_PATH=${PROJECT_SOURCE_DIR}/test/certs" "TOPIC_RANDOM_NUMBER=${TOPIC_RANDOM_NUMBER}" diff --git a/test/unittest/security/accesscontrol/CMakeLists.txt b/test/unittest/security/accesscontrol/CMakeLists.txt index 8c5cc9a0ccf..c9da75dcdd6 100644 --- a/test/unittest/security/accesscontrol/CMakeLists.txt +++ b/test/unittest/security/accesscontrol/CMakeLists.txt @@ -85,7 +85,6 @@ target_include_directories(AccessControlTests PRIVATE ${OPENSSL_INCLUDE_DIR} ${PROJECT_SOURCE_DIR}/include ${PROJECT_BINARY_DIR}/include ${PROJECT_SOURCE_DIR}/src/cpp - ${LIBP11_INCLUDE_DIR} ) target_link_libraries(AccessControlTests @@ -95,7 +94,7 @@ target_link_libraries(AccessControlTests foonathan_memory $<$:ws2_32> ${TINYXML2_LIBRARY} - ${LIBP11_LIBRARIES} + $ ) if(MSVC OR MSVC_IDE) diff --git a/test/unittest/security/authentication/CMakeLists.txt b/test/unittest/security/authentication/CMakeLists.txt index b195296d2c2..f270a7900ec 100644 --- a/test/unittest/security/authentication/CMakeLists.txt +++ b/test/unittest/security/authentication/CMakeLists.txt @@ -63,7 +63,6 @@ target_include_directories(BuiltinPKIDH PRIVATE ${OPENSSL_INCLUDE_DIR} ${PROJECT_SOURCE_DIR}/include ${PROJECT_BINARY_DIR}/include ${PROJECT_SOURCE_DIR}/src/cpp - ${LIBP11_INCLUDE_DIR} ) target_link_libraries(BuiltinPKIDH GTest::gtest @@ -71,7 +70,7 @@ target_link_libraries(BuiltinPKIDH fastcdr foonathan_memory $<$:ws2_32> - ${LIBP11_LIBRARIES} + $ ) add_gtest(BuiltinPKIDH SOURCES ${CMAKE_CURRENT_SOURCE_DIR}/BuiltinPKIDHTests.cpp diff --git a/test/unittest/transport/TCPv4Tests.cpp b/test/unittest/transport/TCPv4Tests.cpp index 43780e9a8a0..e46ee0580e7 100644 --- a/test/unittest/transport/TCPv4Tests.cpp +++ b/test/unittest/transport/TCPv4Tests.cpp @@ -533,11 +533,11 @@ TEST_F(TCPv4Tests, send_and_receive_between_secure_ports_client_verifies) (std::chrono::steady_clock::now() + std::chrono::microseconds(100))); while (!sent) { - Locators input_begin(locator_list.begin()); - Locators input_end(locator_list.end()); + Locators l_input_begin(locator_list.begin()); + Locators l_input_end(locator_list.end()); sent = - send_resource_list.at(0)->send(message, 5, &input_begin, &input_end, + send_resource_list.at(0)->send(message, 5, &l_input_begin, &l_input_end, (std::chrono::steady_clock::now() + std::chrono::microseconds(100))); std::this_thread::sleep_for(std::chrono::milliseconds(100)); } @@ -633,11 +633,11 @@ TEST_F(TCPv4Tests, send_and_receive_between_secure_ports_server_verifies) (std::chrono::steady_clock::now() + std::chrono::microseconds(100))); while (!sent) { - Locators input_begin(locator_list.begin()); - Locators input_end(locator_list.end()); + Locators l_input_begin(locator_list.begin()); + Locators l_input_end(locator_list.end()); sent = - send_resource_list.at(0)->send(message, 5, &input_begin, &input_end, + send_resource_list.at(0)->send(message, 5, &l_input_begin, &l_input_end, (std::chrono::steady_clock::now() + std::chrono::microseconds(100))); std::this_thread::sleep_for(std::chrono::milliseconds(100)); } @@ -735,11 +735,11 @@ TEST_F(TCPv4Tests, send_and_receive_between_both_secure_ports) (std::chrono::steady_clock::now() + std::chrono::microseconds(100))); while (!sent) { - Locators input_begin(locator_list.begin()); - Locators input_end(locator_list.end()); + Locators l_input_begin(locator_list.begin()); + Locators l_input_end(locator_list.end()); sent = - send_resource_list.at(0)->send(message, 5, &input_begin, &input_end, + send_resource_list.at(0)->send(message, 5, &l_input_begin, &l_input_end, (std::chrono::steady_clock::now() + std::chrono::microseconds(100))); std::this_thread::sleep_for(std::chrono::milliseconds(100)); } @@ -839,11 +839,11 @@ TEST_F(TCPv4Tests, send_and_receive_between_both_secure_ports_untrusted) int count = 0; while (!sent && count < 30) { - Locators input_begin(locator_list.begin()); - Locators input_end(locator_list.end()); + Locators l_input_begin(locator_list.begin()); + Locators l_input_end(locator_list.end()); sent = - send_resource_list.at(0)->send(message, 5, &input_begin, &input_end, + send_resource_list.at(0)->send(message, 5, &l_input_begin, &l_input_end, (std::chrono::steady_clock::now() + std::chrono::microseconds(100))); std::this_thread::sleep_for(std::chrono::milliseconds(100)); ++count; @@ -943,11 +943,11 @@ TEST_F(TCPv4Tests, send_and_receive_between_secure_clients_1) (std::chrono::steady_clock::now() + std::chrono::microseconds(100))); while (!sent) { - Locators input_begin(locator_list.begin()); - Locators input_end(locator_list.end()); + Locators l_input_begin(locator_list.begin()); + Locators l_input_end(locator_list.end()); sent = - send_resource_list.at(0)->send(message, 5, &input_begin, &input_end, + send_resource_list.at(0)->send(message, 5, &l_input_begin, &l_input_end, (std::chrono::steady_clock::now() + std::chrono::microseconds(100))); std::this_thread::sleep_for(std::chrono::milliseconds(100)); } @@ -1132,10 +1132,10 @@ TEST_F(TCPv4Tests, send_and_receive_between_secure_ports_untrusted_server) int count = 0; while (!sent && count < 30) { - Locators input_begin(locator_list.begin()); - Locators input_end(locator_list.end()); + Locators l_input_begin(locator_list.begin()); + Locators l_input_end(locator_list.end()); sent = - send_resource_list.at(0)->send(message, 5, &input_begin, &input_end, + send_resource_list.at(0)->send(message, 5, &l_input_begin, &l_input_end, (std::chrono::steady_clock::now() + std::chrono::microseconds(100))); std::this_thread::sleep_for(std::chrono::milliseconds(100)); ++count; From 20c01e631a7b0bad1e2a5e549a315b767bdfe63a Mon Sep 17 00:00:00 2001 From: Miguel Barro Date: Thu, 16 Dec 2021 09:41:35 +0100 Subject: [PATCH 21/30] Refs 11914. Make test grep independent on windows Signed-off-by: Miguel Barro --- test/blackbox/common/BlackboxTestsSecurity.cpp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/test/blackbox/common/BlackboxTestsSecurity.cpp b/test/blackbox/common/BlackboxTestsSecurity.cpp index f20e410c5dc..2a1d4974de6 100644 --- a/test/blackbox/common/BlackboxTestsSecurity.cpp +++ b/test/blackbox/common/BlackboxTestsSecurity.cpp @@ -113,8 +113,14 @@ class SecurityPkcs : public ::testing::Test // Get the serial number of the HSM slot std::stringstream serial_stream; +#ifdef _WIN32 // We are running windows ASSERT_EQ(0, - std::system ("softhsm2-util --show-slots | grep -oP 'Serial number:\\s*\\K(\\d|\\w)+' > softhsm_serial")); + std::system ("powershell -C \"softhsm2-util --show-slots | sls 'Serial number:\\s*([\\d\\w]+)' | " \ + "% { $_.Matches.Groups[1].Value } | Out-File -FilePath softhsm_serial -Encoding ASCII\"")); +#else // We are running something with sh + ASSERT_EQ(0, + std::system ("softhsm2-util --show-slots | grep -oP 'Serial number:\\s*\\K(\\d|\\w)+' > softhsm_seria")); +#endif // _WIN32 serial_stream << std::ifstream("softhsm_serial").rdbuf(); std::remove ("softhsm_serial"); From 94d294a028a0ad7d8e448b24d410fc4739138616 Mon Sep 17 00:00:00 2001 From: Miguel Barro Date: Thu, 16 Dec 2021 14:32:22 +0100 Subject: [PATCH 22/30] Refs 11914. Ignore pkcs11 tests if not available. Signed-off-by: Miguel Barro --- CMakeLists.txt | 6 -- src/cpp/CMakeLists.txt | 3 +- test/blackbox/CMakeLists.txt | 77 +++++++++++++++---- .../blackbox/common/BlackboxTestsSecurity.cpp | 1 - .../security/accesscontrol/CMakeLists.txt | 2 +- .../security/authentication/CMakeLists.txt | 2 +- 6 files changed, 68 insertions(+), 23 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 6eedb6655ae..b2e92a1df75 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -180,14 +180,8 @@ endif() if(SECURITY OR TLS_FOUND) set(LINK_SSL 1) - if(LIBP11_FOUND) - set(LINK_P11 1) - else() - set(LINK_P11 0) - endif() else() set(LINK_SSL 0) - set(LINK_P11 0) endif() option(SQLITE3_SUPPORT "Activate SQLITE3 support" ON) diff --git a/src/cpp/CMakeLists.txt b/src/cpp/CMakeLists.txt index e3386da1568..f7160c0039f 100644 --- a/src/cpp/CMakeLists.txt +++ b/src/cpp/CMakeLists.txt @@ -444,7 +444,8 @@ target_link_libraries(${PROJECT_NAME} ${PRIVACY} fastcdr foonathan_memory $<$:OpenSSL::SSL$OpenSSL::Crypto$<$:$crypt32.lib>> $<$:iphlpapi$Shlwapi> ${THIRDPARTY_BOOST_LINK_LIBS} - PRIVATE eProsima_atomic $ + PRIVATE eProsima_atomic + $<$:eProsima_p11> # $ ) if(MSVC OR MSVC_IDE) diff --git a/test/blackbox/CMakeLists.txt b/test/blackbox/CMakeLists.txt index 28fd1aa2535..b23507277ad 100644 --- a/test/blackbox/CMakeLists.txt +++ b/test/blackbox/CMakeLists.txt @@ -21,7 +21,7 @@ macro(add_blackbox_gtest) set(test "${ARGV0}") set(command "${test}") endif() - set(multiValueArgs SOURCES ENVIRONMENTS DEPENDENCIES LABELS) + set(multiValueArgs SOURCES ENVIRONMENTS DEPENDENCIES LABELS IGNORE) cmake_parse_arguments(GTEST "" "${uniValueArgs}" "${multiValueArgs}" ${ARGN}) if(GTEST_NAME) @@ -29,6 +29,12 @@ macro(add_blackbox_gtest) set(command ${GTEST_COMMAND}) endif() + # IGNORE keeps a filter expression for the test list: + # + if GTEST_INDIVIDUAL is enforced the expressions are regular expression and the matching tests would be disabled + # using cmake add_test DISABLE property + # + if no GTEST_INDIVIDUAL is enforce the filtering will be added to gtest command via --gtest_filter and it's + # own filtering syntax + if(GTEST_INDIVIDUAL) if(WIN32) set(WIN_PATH "$ENV{PATH}") @@ -55,6 +61,15 @@ macro(add_blackbox_gtest) add_test(NAME ${test}.${GTEST_GROUP_NAME}.${GTEST_TEST_NAME} COMMAND ${command} --gtest_filter=${GTEST_GROUP_NAME}.${GTEST_TEST_NAME}) + # decide if disable + unset(GTEST_USER_DISABLED) + foreach(GTEST_USER_FILTER ${GTEST_IGNORE}) + string(REGEX MATCH ${GTEST_USER_FILTER} GTEST_USER_DISABLED ${GTEST_TEST_NAME}) + if(GTEST_USER_DISABLED) + break() + endif() + endforeach() + # Add environment if(WIN32) set_property(TEST ${test}.${GTEST_GROUP_NAME}.${GTEST_TEST_NAME} APPEND PROPERTY ENVIRONMENT "PATH=${WIN_PATH}") @@ -64,8 +79,10 @@ macro(add_blackbox_gtest) set_property(TEST ${test}.${GTEST_GROUP_NAME}.${GTEST_TEST_NAME} APPEND PROPERTY ENVIRONMENT "${property}") endforeach() - # Add labels - set_property(TEST ${test}.${GTEST_GROUP_NAME}.${GTEST_TEST_NAME} PROPERTY LABELS "${GTEST_LABELS}") + # Add labels and enable + set_tests_properties(${test}.${GTEST_GROUP_NAME}.${GTEST_TEST_NAME} PROPERTIES + LABELS "${GTEST_LABELS}" + DISABLED $) endforeach() file(STRINGS ${GTEST_SOURCE_FILE} GTEST_TEST_NAMES REGEX "^TEST_P" ) @@ -77,6 +94,15 @@ macro(add_blackbox_gtest) add_test(NAME ${test}.${GTEST_GROUP_NAME}.${GTEST_TEST_NAME}.Transport COMMAND ${command} --gtest_filter=*/${GTEST_GROUP_NAME}.${GTEST_TEST_NAME}/Transport*) + # decide if disable + unset(GTEST_USER_DISABLED) + foreach(GTEST_USER_FILTER ${GTEST_IGNORE}) + string(REGEX MATCH ${GTEST_USER_FILTER} GTEST_USER_DISABLED ${GTEST_TEST_NAME}) + if(GTEST_USER_DISABLED) + break() + endif() + endforeach() + # Add environment if(WIN32) set_property(TEST ${test}.${GTEST_GROUP_NAME}.${GTEST_TEST_NAME}.Transport APPEND PROPERTY ENVIRONMENT "PATH=${WIN_PATH}") @@ -86,8 +112,10 @@ macro(add_blackbox_gtest) set_property(TEST ${test}.${GTEST_GROUP_NAME}.${GTEST_TEST_NAME}.Transport APPEND PROPERTY ENVIRONMENT "${property}") endforeach() - # Add labels - set_property(TEST ${test}.${GTEST_GROUP_NAME}.${GTEST_TEST_NAME}.Transport PROPERTY LABELS "${GTEST_LABELS}") + # Add labels and enable + set_tests_properties(${test}.${GTEST_GROUP_NAME}.${GTEST_TEST_NAME}.Transport PROPERTIES + LABELS "${GTEST_LABELS}" + DISABLED $) add_test(NAME ${test}.${GTEST_GROUP_NAME}.${GTEST_TEST_NAME}.Intraprocess COMMAND ${command} --gtest_filter=*/${GTEST_GROUP_NAME}.${GTEST_TEST_NAME}/Intraprocess*) @@ -101,8 +129,10 @@ macro(add_blackbox_gtest) set_property(TEST ${test}.${GTEST_GROUP_NAME}.${GTEST_TEST_NAME}.Intraprocess APPEND PROPERTY ENVIRONMENT "${property}") endforeach() - # Add labels - set_property(TEST ${test}.${GTEST_GROUP_NAME}.${GTEST_TEST_NAME}.Intraprocess PROPERTY LABELS "${GTEST_LABELS}") + # Add labels and enable + set_tests_properties(${test}.${GTEST_GROUP_NAME}.${GTEST_TEST_NAME}.Intraprocess PROPERTIES + LABELS "${GTEST_LABELS}" + DISABLED $) if(${test} MATCHES ".*_DDS_PIM$") add_test(NAME ${test}.${GTEST_GROUP_NAME}.${GTEST_TEST_NAME}.Datasharing @@ -117,13 +147,22 @@ macro(add_blackbox_gtest) set_property(TEST ${test}.${GTEST_GROUP_NAME}.${GTEST_TEST_NAME}.Datasharing APPEND PROPERTY ENVIRONMENT "${property}") endforeach() - # Add labels - set_property(TEST ${test}.${GTEST_GROUP_NAME}.${GTEST_TEST_NAME}.Datasharing PROPERTY LABELS "${GTEST_LABELS}") + # Add labels and enable + set_tests_properties(${test}.${GTEST_GROUP_NAME}.${GTEST_TEST_NAME}.Datasharing PROPERTIES + LABELS "${GTEST_LABELS}" + DISABLED $) + endif() endforeach() endforeach() else() + + # add filtering statement if required + if(GTEST_IGNORE) + set(command "${command} --gtest_filter=${GTEST_IGNORE}") + endif() + add_test(NAME ${test} COMMAND ${command}) # Add environment @@ -165,8 +204,18 @@ if(WIN32) endif() ############################################################################### -# Unit tests +# Blackbox tests ############################################################################### + +# Filter pksc11 related tests if library is not available +if(NOT LibP11_FOUND) + if(GTEST_INDIVIDUAL) + set(pkcs_filter "[Pp][Kk][Cc][Ss]") + else() + set(pkcs_filter "-*pcks*") + endif() # GTEST_INDIVIDUAL +endif() # LibP11_FOUND + file(GLOB RTPS_BLACKBOXTESTS_TEST_SOURCE "common/RTPSBlackboxTests*.cpp") set(RTPS_BLACKBOXTESTS_SOURCE ${RTPS_BLACKBOXTESTS_TEST_SOURCE} types/HelloWorld.cpp @@ -199,7 +248,7 @@ target_compile_definitions(BlackboxTests_RTPS PRIVATE target_include_directories(BlackboxTests_RTPS PRIVATE ${Asio_INCLUDE_DIR}) target_link_libraries(BlackboxTests_RTPS fastrtps fastcdr foonathan_memory GTest::gtest) -add_blackbox_gtest(BlackboxTests_RTPS SOURCES ${RTPS_BLACKBOXTESTS_TEST_SOURCE}) +add_blackbox_gtest(BlackboxTests_RTPS SOURCES ${RTPS_BLACKBOXTESTS_TEST_SOURCE} IGNORE ${pkcs_filter}) file(GLOB BLACKBOXTESTS_TEST_SOURCE "common/BlackboxTests*.cpp") set(BLACKBOXTESTS_SOURCE ${BLACKBOXTESTS_TEST_SOURCE} @@ -285,7 +334,7 @@ if(FASTRTPS_API_TESTS) fastcdr foonathan_memory GTest::gtest - $ + $<$:eProsima_p11> # $ ) add_blackbox_gtest(BlackboxTests_FastRTPS SOURCES ${BLACKBOXTESTS_TEST_SOURCE} @@ -294,6 +343,7 @@ if(FASTRTPS_API_TESTS) "W_UNICAST_PORT_RANDOM_NUMBER=${W_UNICAST_PORT_RANDOM_NUMBER}" "R_UNICAST_PORT_RANDOM_NUMBER=${R_UNICAST_PORT_RANDOM_NUMBER}" "MULTICAST_PORT_RANDOM_NUMBER=${MULTICAST_PORT_RANDOM_NUMBER}" + IGNORE ${pkcs_filter} ) endif(FASTRTPS_API_TESTS) @@ -331,7 +381,7 @@ if(FASTDDS_PIM_API_TESTS) fastcdr foonathan_memory GTest::gtest - $ + $<$:eProsima_p11> # $ ) add_blackbox_gtest(BlackboxTests_DDS_PIM SOURCES ${DDS_BLACKBOXTESTS_SOURCE} ENVIRONMENTS "CERTS_PATH=${PROJECT_SOURCE_DIR}/test/certs" @@ -339,6 +389,7 @@ if(FASTDDS_PIM_API_TESTS) "W_UNICAST_PORT_RANDOM_NUMBER=${W_UNICAST_PORT_RANDOM_NUMBER}" "R_UNICAST_PORT_RANDOM_NUMBER=${R_UNICAST_PORT_RANDOM_NUMBER}" "MULTICAST_PORT_RANDOM_NUMBER=${MULTICAST_PORT_RANDOM_NUMBER}" + IGNORE ${pkcs_filter} ) endif(FASTDDS_PIM_API_TESTS) diff --git a/test/blackbox/common/BlackboxTestsSecurity.cpp b/test/blackbox/common/BlackboxTestsSecurity.cpp index 2a1d4974de6..fddac21c934 100644 --- a/test/blackbox/common/BlackboxTestsSecurity.cpp +++ b/test/blackbox/common/BlackboxTestsSecurity.cpp @@ -201,7 +201,6 @@ class SecurityPkcs : public ::testing::Test ASSERT_EQ(0, std::system(("softhsm2-util --import " + key_file + " --token " + token_id + " --label " + key_label + " --pin " + hsm_token_pin + " --id " + key_id).c_str())); - // Construct the key URL std::stringstream id_url; for (unsigned int i = 0; i < strlen(key_id); i += 2) diff --git a/test/unittest/security/accesscontrol/CMakeLists.txt b/test/unittest/security/accesscontrol/CMakeLists.txt index c9da75dcdd6..a13c4695f42 100644 --- a/test/unittest/security/accesscontrol/CMakeLists.txt +++ b/test/unittest/security/accesscontrol/CMakeLists.txt @@ -94,7 +94,7 @@ target_link_libraries(AccessControlTests foonathan_memory $<$:ws2_32> ${TINYXML2_LIBRARY} - $ + $<$:eProsima_p11> # $ ) if(MSVC OR MSVC_IDE) diff --git a/test/unittest/security/authentication/CMakeLists.txt b/test/unittest/security/authentication/CMakeLists.txt index f270a7900ec..f30a76e3960 100644 --- a/test/unittest/security/authentication/CMakeLists.txt +++ b/test/unittest/security/authentication/CMakeLists.txt @@ -70,7 +70,7 @@ target_link_libraries(BuiltinPKIDH fastcdr foonathan_memory $<$:ws2_32> - $ + $<$:eProsima_p11> # $ ) add_gtest(BuiltinPKIDH SOURCES ${CMAKE_CURRENT_SOURCE_DIR}/BuiltinPKIDHTests.cpp From 519e8e7c97d77b1ff59d365d5b162ed25e55dee8 Mon Sep 17 00:00:00 2001 From: Miguel Barro Date: Thu, 16 Dec 2021 16:21:30 +0100 Subject: [PATCH 23/30] Refs 11914. Update system calls on windows Signed-off-by: Miguel Barro --- test/blackbox/common/BlackboxTestsSecurity.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/blackbox/common/BlackboxTestsSecurity.cpp b/test/blackbox/common/BlackboxTestsSecurity.cpp index fddac21c934..e8ed8e0e0d2 100644 --- a/test/blackbox/common/BlackboxTestsSecurity.cpp +++ b/test/blackbox/common/BlackboxTestsSecurity.cpp @@ -199,8 +199,8 @@ class SecurityPkcs : public ::testing::Test // Import the key ASSERT_EQ(0, - std::system(("softhsm2-util --import " + key_file + " --token " + token_id + " --label " + key_label + - " --pin " + hsm_token_pin + " --id " + key_id).c_str())); + std::system(("softhsm2-util --import " + key_file + " --token '" + token_id + "' --label " + key_label + + " --pin '" + hsm_token_pin + "' --id " + key_id).c_str())); // Construct the key URL std::stringstream id_url; for (unsigned int i = 0; i < strlen(key_id); i += 2) From 86183074b5e20232b12f1a60cc48e91dfd06ab5b Mon Sep 17 00:00:00 2001 From: Miguel Barro Date: Mon, 20 Dec 2021 12:30:02 +0100 Subject: [PATCH 24/30] Refs 11914. Linux ci fixes. Signed-off-by: Miguel Barro --- test/blackbox/common/BlackboxTestsSecurity.cpp | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/test/blackbox/common/BlackboxTestsSecurity.cpp b/test/blackbox/common/BlackboxTestsSecurity.cpp index e8ed8e0e0d2..bd935909bb6 100644 --- a/test/blackbox/common/BlackboxTestsSecurity.cpp +++ b/test/blackbox/common/BlackboxTestsSecurity.cpp @@ -104,8 +104,8 @@ class SecurityPkcs : public ::testing::Test { // Init the token std::stringstream cmd; - cmd << "softhsm2-util --init-token --free --label '" << token_id << "' --pin '" << hsm_token_pin << - "' --so-pin '" << hsm_token_pin << "'"; + cmd << "softhsm2-util --init-token --free --label " << token_id << " --pin " << hsm_token_pin + << " --so-pin " << hsm_token_pin << ""; ASSERT_EQ(0, std::system (cmd.str().c_str())); tokens[token_id] = HsmToken(); tokens[token_id].pin = hsm_token_pin; @@ -119,7 +119,7 @@ class SecurityPkcs : public ::testing::Test "% { $_.Matches.Groups[1].Value } | Out-File -FilePath softhsm_serial -Encoding ASCII\"")); #else // We are running something with sh ASSERT_EQ(0, - std::system ("softhsm2-util --show-slots | grep -oP 'Serial number:\\s*\\K(\\d|\\w)+' > softhsm_seria")); + std::system ("softhsm2-util --show-slots | grep -oP 'Serial number:\\s*\\K(\\d|\\w)+' > softhsm_serial")); #endif // _WIN32 serial_stream << std::ifstream("softhsm_serial").rdbuf(); std::remove ("softhsm_serial"); @@ -152,8 +152,8 @@ class SecurityPkcs : public ::testing::Test { // Delete the token std::stringstream cmd; - cmd << "softhsm2-util --delete-token --token '" << token_id << "' --pin '" << hsm_token_pin << - "' --so-pin '" << hsm_token_pin << "'"; + cmd << "softhsm2-util --delete-token --token " << token_id << " --pin " << hsm_token_pin + << " --so-pin " << hsm_token_pin << ""; ASSERT_EQ(0, std::system (cmd.str().c_str())); tokens.erase(it); } @@ -197,10 +197,12 @@ class SecurityPkcs : public ::testing::Test { ASSERT_NE(tokens.end(), tokens.find(token_id)); + std::stringstream cmd; + cmd << "softhsm2-util --import " << key_file << " --token " << token_id << " --label " << key_label + << " --pin " << hsm_token_pin << " --id " << key_id << ""; // Import the key ASSERT_EQ(0, - std::system(("softhsm2-util --import " + key_file + " --token '" + token_id + "' --label " + key_label + - " --pin '" + hsm_token_pin + "' --id " + key_id).c_str())); + std::system(cmd.str().c_str())); // Construct the key URL std::stringstream id_url; for (unsigned int i = 0; i < strlen(key_id); i += 2) From 804df6344961ae7d8c5c91abee9e25f8161323d9 Mon Sep 17 00:00:00 2001 From: Miguel Barro Date: Tue, 21 Dec 2021 10:36:59 +0100 Subject: [PATCH 25/30] Refs 11914. Make CMake hint openssl config to blackbox tests on windows Signed-off-by: Miguel Barro --- test/blackbox/CMakeLists.txt | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/test/blackbox/CMakeLists.txt b/test/blackbox/CMakeLists.txt index b23507277ad..e75126a4a01 100644 --- a/test/blackbox/CMakeLists.txt +++ b/test/blackbox/CMakeLists.txt @@ -203,6 +203,13 @@ if(WIN32) ) endif() +# OpenSSL on Windows requires a hint on which config file to load +if(WIN32 AND OPENSSL_FOUND) + get_filename_component(OPENSSL_DIR "${OPENSSL_INCLUDE_DIR}" DIRECTORY) + set(OPENSSL_CONF "${OPENSSL_DIR}/bin/cnf/openssl.cnf") + unset(OPENSSL_DIR) +endif() + ############################################################################### # Blackbox tests ############################################################################### @@ -343,6 +350,7 @@ if(FASTRTPS_API_TESTS) "W_UNICAST_PORT_RANDOM_NUMBER=${W_UNICAST_PORT_RANDOM_NUMBER}" "R_UNICAST_PORT_RANDOM_NUMBER=${R_UNICAST_PORT_RANDOM_NUMBER}" "MULTICAST_PORT_RANDOM_NUMBER=${MULTICAST_PORT_RANDOM_NUMBER}" + $<$:"OPENSSL_CONF=${OPENSSL_CONF}"> IGNORE ${pkcs_filter} ) endif(FASTRTPS_API_TESTS) @@ -389,6 +397,7 @@ if(FASTDDS_PIM_API_TESTS) "W_UNICAST_PORT_RANDOM_NUMBER=${W_UNICAST_PORT_RANDOM_NUMBER}" "R_UNICAST_PORT_RANDOM_NUMBER=${R_UNICAST_PORT_RANDOM_NUMBER}" "MULTICAST_PORT_RANDOM_NUMBER=${MULTICAST_PORT_RANDOM_NUMBER}" + $<$:"OPENSSL_CONF=${OPENSSL_CONF}"> IGNORE ${pkcs_filter} ) endif(FASTDDS_PIM_API_TESTS) From a23cc9bc73259e55cc10f7221eb31cd9d018ddf3 Mon Sep 17 00:00:00 2001 From: Miguel Barro Date: Tue, 21 Dec 2021 12:31:09 +0100 Subject: [PATCH 26/30] Refs 11914. Rebase fixes. Signed-off-by: Miguel Barro --- test/unittest/dds/publisher/CMakeLists.txt | 1 + test/unittest/statistics/dds/CMakeLists.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/test/unittest/dds/publisher/CMakeLists.txt b/test/unittest/dds/publisher/CMakeLists.txt index 3b5305eb46f..0b466fd3d72 100644 --- a/test/unittest/dds/publisher/CMakeLists.txt +++ b/test/unittest/dds/publisher/CMakeLists.txt @@ -242,6 +242,7 @@ set(DATAWRITERTESTS_SOURCE DataWriterTests.cpp ${PROJECT_SOURCE_DIR}/src/cpp/security/cryptography/AESGCMGMAC_KeyFactory.cpp ${PROJECT_SOURCE_DIR}/src/cpp/security/cryptography/AESGCMGMAC_Transform.cpp ${PROJECT_SOURCE_DIR}/src/cpp/security/cryptography/AESGCMGMAC_Types.cpp + ${PROJECT_SOURCE_DIR}/src/cpp/security/artifact_providers/FileProvider.cpp ${PROJECT_SOURCE_DIR}/src/cpp/security/authentication/PKIIdentityHandle.cpp ${PROJECT_SOURCE_DIR}/src/cpp/security/authentication/PKIHandshakeHandle.cpp ${PROJECT_SOURCE_DIR}/src/cpp/security/accesscontrol/AccessPermissionsHandle.cpp diff --git a/test/unittest/statistics/dds/CMakeLists.txt b/test/unittest/statistics/dds/CMakeLists.txt index 4ec673f91d4..aa671e79ecd 100644 --- a/test/unittest/statistics/dds/CMakeLists.txt +++ b/test/unittest/statistics/dds/CMakeLists.txt @@ -236,6 +236,7 @@ if (SQLITE3_SUPPORT AND FASTDDS_STATISTICS) ${PROJECT_SOURCE_DIR}/src/cpp/rtps/xmlparser/XMLParser.cpp ${PROJECT_SOURCE_DIR}/src/cpp/rtps/xmlparser/XMLParserCommon.cpp ${PROJECT_SOURCE_DIR}/src/cpp/rtps/xmlparser/XMLProfileManager.cpp + ${PROJECT_SOURCE_DIR}/src/cpp/security/artifact_providers/FileProvider.cpp ${PROJECT_SOURCE_DIR}/src/cpp/statistics/fastdds/domain/DomainParticipant.cpp ${PROJECT_SOURCE_DIR}/src/cpp/statistics/fastdds/domain/DomainParticipantImpl.cpp ${PROJECT_SOURCE_DIR}/src/cpp/statistics/fastdds/domain/DomainParticipantStatisticsListener.cpp From ecdf86b310a0cf2fde19a0ce6aef2369172e90f7 Mon Sep 17 00:00:00 2001 From: Miguel Barro Date: Tue, 21 Dec 2021 12:33:50 +0100 Subject: [PATCH 27/30] Refs 11914. Linter. Signed-off-by: Miguel Barro --- test/blackbox/common/BlackboxTestsSecurity.cpp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/blackbox/common/BlackboxTestsSecurity.cpp b/test/blackbox/common/BlackboxTestsSecurity.cpp index bd935909bb6..f8898919521 100644 --- a/test/blackbox/common/BlackboxTestsSecurity.cpp +++ b/test/blackbox/common/BlackboxTestsSecurity.cpp @@ -116,7 +116,7 @@ class SecurityPkcs : public ::testing::Test #ifdef _WIN32 // We are running windows ASSERT_EQ(0, std::system ("powershell -C \"softhsm2-util --show-slots | sls 'Serial number:\\s*([\\d\\w]+)' | " \ - "% { $_.Matches.Groups[1].Value } | Out-File -FilePath softhsm_serial -Encoding ASCII\"")); + "% { $_.Matches.Groups[1].Value } | Out-File -FilePath softhsm_serial -Encoding ASCII\"")); #else // We are running something with sh ASSERT_EQ(0, std::system ("softhsm2-util --show-slots | grep -oP 'Serial number:\\s*\\K(\\d|\\w)+' > softhsm_serial")); @@ -197,8 +197,8 @@ class SecurityPkcs : public ::testing::Test { ASSERT_NE(tokens.end(), tokens.find(token_id)); - std::stringstream cmd; - cmd << "softhsm2-util --import " << key_file << " --token " << token_id << " --label " << key_label + std::stringstream cmd; + cmd << "softhsm2-util --import " << key_file << " --token " << token_id << " --label " << key_label << " --pin " << hsm_token_pin << " --id " << key_id << ""; // Import the key ASSERT_EQ(0, From 0aead0b52e51c0c074971d692534737cccbe58e4 Mon Sep 17 00:00:00 2001 From: Miguel Barro Date: Tue, 21 Dec 2021 13:00:25 +0100 Subject: [PATCH 28/30] Refs 11914. Address reviewers comments. Signed-off-by: Miguel Barro --- test/blackbox/CMakeLists.txt | 4 ++-- test/unittest/statistics/dds/CMakeLists.txt | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/test/blackbox/CMakeLists.txt b/test/blackbox/CMakeLists.txt index e75126a4a01..ca3f352c817 100644 --- a/test/blackbox/CMakeLists.txt +++ b/test/blackbox/CMakeLists.txt @@ -350,7 +350,7 @@ if(FASTRTPS_API_TESTS) "W_UNICAST_PORT_RANDOM_NUMBER=${W_UNICAST_PORT_RANDOM_NUMBER}" "R_UNICAST_PORT_RANDOM_NUMBER=${R_UNICAST_PORT_RANDOM_NUMBER}" "MULTICAST_PORT_RANDOM_NUMBER=${MULTICAST_PORT_RANDOM_NUMBER}" - $<$:"OPENSSL_CONF=${OPENSSL_CONF}"> + $<$:OPENSSL_CONF="${OPENSSL_CONF}"> IGNORE ${pkcs_filter} ) endif(FASTRTPS_API_TESTS) @@ -397,7 +397,7 @@ if(FASTDDS_PIM_API_TESTS) "W_UNICAST_PORT_RANDOM_NUMBER=${W_UNICAST_PORT_RANDOM_NUMBER}" "R_UNICAST_PORT_RANDOM_NUMBER=${R_UNICAST_PORT_RANDOM_NUMBER}" "MULTICAST_PORT_RANDOM_NUMBER=${MULTICAST_PORT_RANDOM_NUMBER}" - $<$:"OPENSSL_CONF=${OPENSSL_CONF}"> + $<$:OPENSSL_CONF="${OPENSSL_CONF}"> IGNORE ${pkcs_filter} ) endif(FASTDDS_PIM_API_TESTS) diff --git a/test/unittest/statistics/dds/CMakeLists.txt b/test/unittest/statistics/dds/CMakeLists.txt index aa671e79ecd..fcc8c98a2a1 100644 --- a/test/unittest/statistics/dds/CMakeLists.txt +++ b/test/unittest/statistics/dds/CMakeLists.txt @@ -236,7 +236,6 @@ if (SQLITE3_SUPPORT AND FASTDDS_STATISTICS) ${PROJECT_SOURCE_DIR}/src/cpp/rtps/xmlparser/XMLParser.cpp ${PROJECT_SOURCE_DIR}/src/cpp/rtps/xmlparser/XMLParserCommon.cpp ${PROJECT_SOURCE_DIR}/src/cpp/rtps/xmlparser/XMLProfileManager.cpp - ${PROJECT_SOURCE_DIR}/src/cpp/security/artifact_providers/FileProvider.cpp ${PROJECT_SOURCE_DIR}/src/cpp/statistics/fastdds/domain/DomainParticipant.cpp ${PROJECT_SOURCE_DIR}/src/cpp/statistics/fastdds/domain/DomainParticipantImpl.cpp ${PROJECT_SOURCE_DIR}/src/cpp/statistics/fastdds/domain/DomainParticipantStatisticsListener.cpp @@ -281,6 +280,7 @@ if (SQLITE3_SUPPORT AND FASTDDS_STATISTICS) ${PROJECT_SOURCE_DIR}/src/cpp/rtps/security/logging/Logging.cpp ${PROJECT_SOURCE_DIR}/src/cpp/rtps/security/SecurityManager.cpp ${PROJECT_SOURCE_DIR}/src/cpp/rtps/security/SecurityPluginFactory.cpp + ${PROJECT_SOURCE_DIR}/src/cpp/security/artifact_providers/FileProvider.cpp ${PROJECT_SOURCE_DIR}/src/cpp/security/authentication/PKIDH.cpp ${PROJECT_SOURCE_DIR}/src/cpp/security/accesscontrol/Permissions.cpp ${PROJECT_SOURCE_DIR}/src/cpp/security/cryptography/AESGCMGMAC.cpp From 6ee7fa87c802909cf2984964bc129ee60623a6f3 Mon Sep 17 00:00:00 2001 From: Miguel Barro Date: Tue, 21 Dec 2021 14:01:39 +0100 Subject: [PATCH 29/30] Refs 11914. Address reviewers comments. Signed-off-by: Miguel Barro --- test/blackbox/CMakeLists.txt | 4 ++-- test/unittest/dds/publisher/CMakeLists.txt | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/test/blackbox/CMakeLists.txt b/test/blackbox/CMakeLists.txt index ca3f352c817..8741f1388cd 100644 --- a/test/blackbox/CMakeLists.txt +++ b/test/blackbox/CMakeLists.txt @@ -350,7 +350,7 @@ if(FASTRTPS_API_TESTS) "W_UNICAST_PORT_RANDOM_NUMBER=${W_UNICAST_PORT_RANDOM_NUMBER}" "R_UNICAST_PORT_RANDOM_NUMBER=${R_UNICAST_PORT_RANDOM_NUMBER}" "MULTICAST_PORT_RANDOM_NUMBER=${MULTICAST_PORT_RANDOM_NUMBER}" - $<$:OPENSSL_CONF="${OPENSSL_CONF}"> + $<$:OPENSSL_CONF=${OPENSSL_CONF}> IGNORE ${pkcs_filter} ) endif(FASTRTPS_API_TESTS) @@ -397,7 +397,7 @@ if(FASTDDS_PIM_API_TESTS) "W_UNICAST_PORT_RANDOM_NUMBER=${W_UNICAST_PORT_RANDOM_NUMBER}" "R_UNICAST_PORT_RANDOM_NUMBER=${R_UNICAST_PORT_RANDOM_NUMBER}" "MULTICAST_PORT_RANDOM_NUMBER=${MULTICAST_PORT_RANDOM_NUMBER}" - $<$:OPENSSL_CONF="${OPENSSL_CONF}"> + $<$:OPENSSL_CONF=${OPENSSL_CONF}> IGNORE ${pkcs_filter} ) endif(FASTDDS_PIM_API_TESTS) diff --git a/test/unittest/dds/publisher/CMakeLists.txt b/test/unittest/dds/publisher/CMakeLists.txt index 0b466fd3d72..6efdb519daf 100644 --- a/test/unittest/dds/publisher/CMakeLists.txt +++ b/test/unittest/dds/publisher/CMakeLists.txt @@ -235,6 +235,7 @@ set(DATAWRITERTESTS_SOURCE DataWriterTests.cpp ${PROJECT_SOURCE_DIR}/src/cpp/rtps/security/logging/Logging.cpp ${PROJECT_SOURCE_DIR}/src/cpp/rtps/security/SecurityManager.cpp ${PROJECT_SOURCE_DIR}/src/cpp/rtps/security/SecurityPluginFactory.cpp + ${PROJECT_SOURCE_DIR}/src/cpp/security/artifact_providers/Pkcs11Provider.cpp ${PROJECT_SOURCE_DIR}/src/cpp/security/authentication/PKIDH.cpp ${PROJECT_SOURCE_DIR}/src/cpp/security/accesscontrol/Permissions.cpp ${PROJECT_SOURCE_DIR}/src/cpp/security/cryptography/AESGCMGMAC.cpp @@ -319,6 +320,7 @@ target_link_libraries(DataWriterTests fastcdr foonathan_memory $<$:OpenSSL::SSL$OpenSSL::Crypto> $<$:iphlpapi$Shlwapi> ${THIRDPARTY_BOOST_LINK_LIBS} + $<$:eProsima_p11> # $ eProsima_atomic ) if(MSVC OR MSVC_IDE) From 9ffce972ea6f69c6c0d6dc4596044829a474d665 Mon Sep 17 00:00:00 2001 From: Miguel Barro Date: Tue, 21 Dec 2021 17:05:56 +0100 Subject: [PATCH 30/30] Refs 11914. Disable pkcs11 windows testing till ci is reviewed Signed-off-by: Miguel Barro --- test/blackbox/CMakeLists.txt | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/test/blackbox/CMakeLists.txt b/test/blackbox/CMakeLists.txt index 8741f1388cd..f679fac0842 100644 --- a/test/blackbox/CMakeLists.txt +++ b/test/blackbox/CMakeLists.txt @@ -215,7 +215,9 @@ endif() ############################################################################### # Filter pksc11 related tests if library is not available -if(NOT LibP11_FOUND) +# TODO: restore for windows when CI gets operational +#if(NOT LibP11_FOUND) +if(WIN32 OR NOT LibP11_FOUND) if(GTEST_INDIVIDUAL) set(pkcs_filter "[Pp][Kk][Cc][Ss]") else()