test: Add external test for pkcs11-provider

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25587)

.github/workflows/ci.yml

@@ -602,6 +602,27 @@ jobs:
         gdb < <(echo -e "file ./libcrypto.so.3\nquit") > ./results
         grep -q "Reading symbols from.*libcrypto\.so\.3\.debug" results
 
+  external-test-pkcs11-provider:
+    runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        submodules: recursive
+    - name: package installs
+      run: |
+        sudo apt-get update
+        sudo apt-get -yq install meson pkg-config gnutls-bin libnss3-tools libnss3-dev libsofthsm2 opensc expect
+    - name: config
+      run: ./config --banner=Configured --strict-warnings --debug enable-external-tests && perl configdata.pm --dump
+    - name: make
+      run: make -s -j4
+    - name: get cpu info
+      run: |
+        cat /proc/cpuinfo
+        ./util/opensslwrap.sh version -c
+    - name: test external pkcs11-provider
+      run: make test TESTS="test_external_pkcs11_provider" VERBOSE=1
+
   external-test-pyca:
     runs-on: ${{ github.server_url == 'https://github.com' && 'ubuntu-latest' || 'ubuntu-22.04-self-hosted' }}
     strategy:

.gitmodules

@@ -32,3 +32,6 @@
 	path = fuzz/corpora
 	url = https://github.com/openssl/fuzz-corpora
 	branch = main
+[submodule "pkcs11-provider"]
+	path = pkcs11-provider
+	url = https://github.com/latchset/pkcs11-provider.git

pkcs11-provider

@@ -0,0 +1 @@
+Subproject commit 8757cf26a8ffc4144b66870c8438df00d2668d48

test/README-external.md

@@ -118,6 +118,35 @@ algorithms to be skipped, e.g. as follows:
 The names of all supported quantum-safe algorithms are available at
 <https://github.com/open-quantum-safe/oqs-provider#algorithms>
 
+pkcs11-provider test suite
+======================
+
+This builds and runs pkcs11-provider tests agains the local OpenSSL build.
+
+You will need a git checkout of pkcs11-provider at the top level:
+
+    $ git submodule update --init
+
+Then configure/build OpenSSL enabling external tests:
+
+    $ ./config shared enable-external-tests
+    $ make
+
+pkcs11-provider requires meson for the build process. Moreover, it requires
+softhsm and nss softokn tokens and certtool, certutil, pkcs11-tool and expect
+to run the tests.
+
+Tests will then be run as part of the rest of the suite, or can be
+explicitly run (with more debugging):
+
+    $ make test VERBOSE=1 TESTS=test_external_pkcs11_provider
+
+Test failures and suppressions
+------------------------------
+
+There are tests for different software tokens - softhsm, nss-softokn and kryoptic.
+Kryoptic tests will not run at this point. Currently no test fails.
+
 Updating test suites
 ====================
 

test/recipes/95-test_external_pkcs11_provider.t

@@ -0,0 +1,28 @@
+#! /usr/bin/env perl
+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test;
+use OpenSSL::Test::Utils;
+use OpenSSL::Test qw/:DEFAULT data_file bldtop_dir srctop_dir cmdstr/;
+
+setup("test_external_pkcs11_provider");
+
+plan skip_all => "No external tests in this configuration"
+    if disabled("external-tests");
+plan skip_all => "pkcs11-provider tests not available on Windows or VMS"
+    if $^O =~ /^(VMS|MSWin32)$/;
+plan skip_all => "pkcs11-provider tests only available in a shared build"
+    if disabled("shared");
+plan skip_all => "pkcs11-provider tests not supported in out of tree builds"
+    if bldtop_dir() ne srctop_dir();
+
+plan tests => 1;
+
+ok(run(cmd(["sh", data_file("pkcs11-provider.sh")])),
+   "running pkcs11-provider tests");

test/recipes/95-test_external_pkcs11_provider_data/pkcs11-provider.sh

@@ -0,0 +1,70 @@
+#!/bin/sh
+#
+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+#
+# OpenSSL external testing using the pkcs11-provider
+#
+
+PWD="$(pwd)"
+
+SRCTOP="$(cd $SRCTOP; pwd)"
+BLDTOP="$(cd $BLDTOP; pwd)"
+
+if [ "$SRCTOP" != "$BLDTOP" ] ; then
+    echo "Out of tree builds not supported with pkcsa11-provider test!"
+    exit 1
+fi
+
+O_EXE="$BLDTOP/apps"
+O_BINC="$BLDTOP/include"
+O_SINC="$SRCTOP/include"
+O_LIB="$BLDTOP"
+
+unset OPENSSL_CONF
+
+export PATH="$O_EXE:$PATH"
+export LD_LIBRARY_PATH="$O_LIB:$LD_LIBRARY_PATH"
+export OPENSSL_ROOT_DIR="$O_LIB"
+
+# Check/Set openssl version
+OPENSSL_VERSION=`openssl version | cut -f 2 -d ' '`
+
+echo "------------------------------------------------------------------"
+echo "Testing OpenSSL using pkcs11-provider:"
+echo "   CWD:                $PWD"
+echo "   SRCTOP:             $SRCTOP"
+echo "   BLDTOP:             $BLDTOP"
+echo "   OPENSSL_ROOT_DIR:   $OPENSSL_ROOT_DIR"
+echo "   OpenSSL version:    $OPENSSL_VERSION"
+echo "------------------------------------------------------------------"
+
+PKCS11_PROVIDER_BUILDDIR=$OPENSSL_ROOT_DIR/pkcs11-provider/builddir
+
+echo "------------------------------------------------------------------"
+echo "Building pkcs11-provider"
+echo "------------------------------------------------------------------"
+
+PKG_CONFIG_PATH="$BLDTOP" meson setup $PKCS11_PROVIDER_BUILDDIR $OPENSSL_ROOT_DIR/pkcs11-provider/ || exit 1
+meson compile -C $PKCS11_PROVIDER_BUILDDIR pkcs11 || exit 1
+
+echo "------------------------------------------------------------------"
+echo "Running tests"
+echo "------------------------------------------------------------------"
+
+# The OpenSSL app uses ${HARNESS_OSSL_PREFIX} as a prefix for its standard output
+HARNESS_OSSL_PREFIX= meson test -C $PKCS11_PROVIDER_BUILDDIR
+
+if [ $? -ne 0 ]; then
+    cat $PKCS11_PROVIDER_BUILDDIR/meson-logs/testlog.txt
+    exit 1
+fi
+
+rm -rf $PKCS11_PROVIDER_BUILDDIR
+
+exit 0