From 2a300da7196245a00ea94d4f86998f06069e3d8a Mon Sep 17 00:00:00 2001 From: Marcel Guzik Date: Mon, 1 Dec 2025 11:53:43 +0000 Subject: [PATCH 1/6] test(pkcs11): test `tedge cert renew` using tedge-p11-server 1.6.1 Signed-off-by: Marcel Guzik --- .../tests/pkcs11/tedge_cert_renew.robot | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 tests/RobotFramework/tests/pkcs11/tedge_cert_renew.robot diff --git a/tests/RobotFramework/tests/pkcs11/tedge_cert_renew.robot b/tests/RobotFramework/tests/pkcs11/tedge_cert_renew.robot new file mode 100644 index 00000000000..23ed59196c5 --- /dev/null +++ b/tests/RobotFramework/tests/pkcs11/tedge_cert_renew.robot @@ -0,0 +1,54 @@ +*** Settings *** +Documentation This test suite runs the tests with tedge-p11-server pinned to a fixed version to ensure that new +... versions of thin-edge remain backwards compatible with tedge-p11-server's binary communication protocol. The +... scope of this test is limited to tedge-p11-server's initial feature set and will generally not be expanded. + +Resource pkcs11_common.resource + +Suite Setup Custom Setup +Suite Teardown Get Suite Logs + +Test Tags adapter:docker theme:cryptoki compatibility + + +*** Variables *** +${TEDGE_P11_SERVER_VERSION} 1.6.1 + + +*** Test Cases *** +Use Private Key in SoftHSM2 using tedge-p11-server + Tedge Reconnect Should Succeed + +Renew certificate + [Template] Renew certificate using tedge-p11-server version + ${TEDGE_P11_SERVER_VERSION} + ${EMPTY} + + +*** Keywords *** +Renew certificate using tedge-p11-server version + [Arguments] ${version} + Install tedge-p11-server ${version} + Execute Command tedge cert renew c8y + Tedge Reconnect Should Succeed + +Custom Setup + ${DEVICE_SN}= Setup register=${False} + Set Suite Variable ${DEVICE_SN} + + # Allow the tedge user to access softhsm + Execute Command sudo usermod -a -G softhsm tedge + Transfer To Device ${CURDIR}/data/init_softhsm.sh /usr/bin/ + + # initialize the soft hsm and create a certificate signing request + Execute Command tedge config set device.cryptoki.pin 123456 + Execute Command tedge config set device.cryptoki.module_path /usr/lib/softhsm/libsofthsm2.so + Execute Command sudo -u tedge /usr/bin/init_softhsm.sh --device-id "${DEVICE_SN}" --pin 123456 + + # configure tedge + Set Cumulocity URLs + Execute Command tedge config set mqtt.bridge.built_in true + Execute Command tedge config set device.cryptoki.mode socket + + ${csr_path}= Execute Command cmd=tedge config get device.csr_path strip=${True} + Register Device With Cumulocity CA ${DEVICE_SN} csr_path=${csr_path} From 2a4e71c0131dbab3e8aac5fb91fd563ae1302d1f Mon Sep 17 00:00:00 2001 From: Marcel Guzik Date: Mon, 1 Dec 2025 11:55:09 +0000 Subject: [PATCH 2/6] test(pkcs11): test `tedge cert create-key-hsm` using tedge-p11-server 1.6.1 Signed-off-by: Marcel Guzik --- .../tests/pkcs11/compatibility_16x.robot | 59 ------------------- .../create_key_hsm.resource} | 24 ++++---- .../tests/pkcs11/create_key_hsm/current.robot | 31 ++++++++++ .../tests/pkcs11/create_key_hsm/initial.robot | 31 ++++++++++ .../tests/pkcs11/pkcs11_common.resource | 18 ++++++ 5 files changed, 90 insertions(+), 73 deletions(-) delete mode 100644 tests/RobotFramework/tests/pkcs11/compatibility_16x.robot rename tests/RobotFramework/tests/pkcs11/{create_key.robot => create_key_hsm/create_key_hsm.resource} (92%) create mode 100644 tests/RobotFramework/tests/pkcs11/create_key_hsm/current.robot create mode 100644 tests/RobotFramework/tests/pkcs11/create_key_hsm/initial.robot diff --git a/tests/RobotFramework/tests/pkcs11/compatibility_16x.robot b/tests/RobotFramework/tests/pkcs11/compatibility_16x.robot deleted file mode 100644 index 2f5aa10bdb6..00000000000 --- a/tests/RobotFramework/tests/pkcs11/compatibility_16x.robot +++ /dev/null @@ -1,59 +0,0 @@ -*** Settings *** -Documentation This test suite runs the tests with tedge-p11-server pinned to a fixed version to ensure that new -... versions of thin-edge remain backwards compatible with tedge-p11-server's binary communication protocol. The -... scope of this test is limited to tedge-p11-server's initial feature set and will generally not be expanded. - -Resource pkcs11_common.resource - -Suite Setup Custom Setup -Suite Teardown Get Suite Logs - -Test Tags adapter:docker theme:cryptoki compatibility - - -*** Variables *** -${TEDGE_P11_SERVER_VERSION} 1.6.1 - - -*** Test Cases *** -# the test cases are basically copy-pasted from private_key_storage.robot, as the purpose of this suite is to run the -# exact same tests with a slightly different setup. It would be easiest if we could import the test cases themselves -# from another test suite, but this isn't possible. So we extract reusable keywords into a resource file, but test cases -# remain duplicated. -Use Private Key in SoftHSM2 using tedge-p11-server - Tedge Reconnect Should Succeed - -Renew certificate - Execute Command tedge cert renew c8y - Tedge Reconnect Should Succeed - - -*** Keywords *** -Custom Setup - ${DEVICE_SN}= Setup register=${False} - Set Suite Variable ${DEVICE_SN} - - # this doesn't install anything but adds cloudsmith repo to apt - Execute Command curl -1sLf 'https://dl.cloudsmith.io/public/thinedge/tedge-main/setup.deb.sh' | sudo -E bash - Execute Command cmd=apt-get install -y --allow-downgrades tedge-p11-server=${TEDGE_P11_SERVER_VERSION} - ${stdout}= Execute Command tedge-p11-server -V strip=True - Should Be Equal ${stdout} tedge-p11-server ${TEDGE_P11_SERVER_VERSION} - - # Allow the tedge user to access softhsm - Execute Command sudo usermod -a -G softhsm tedge - Transfer To Device ${CURDIR}/data/init_softhsm.sh /usr/bin/ - - # initialize the soft hsm and create a certificate signing request - Execute Command tedge config set device.cryptoki.pin 123456 - Execute Command tedge config set device.cryptoki.module_path /usr/lib/softhsm/libsofthsm2.so - Execute Command sudo -u tedge /usr/bin/init_softhsm.sh --device-id "${DEVICE_SN}" --pin 123456 - - # configure tedge - Set Cumulocity URLs - Execute Command tedge config set mqtt.bridge.built_in true - Execute Command tedge config set device.cryptoki.mode socket - - ${csr_path}= Execute Command cmd=tedge config get device.csr_path strip=${True} - Register Device With Cumulocity CA ${DEVICE_SN} csr_path=${csr_path} - - Unset tedge-p11-server Uri diff --git a/tests/RobotFramework/tests/pkcs11/create_key.robot b/tests/RobotFramework/tests/pkcs11/create_key_hsm/create_key_hsm.resource similarity index 92% rename from tests/RobotFramework/tests/pkcs11/create_key.robot rename to tests/RobotFramework/tests/pkcs11/create_key_hsm/create_key_hsm.resource index 4a0e18ed701..a49df6f222c 100644 --- a/tests/RobotFramework/tests/pkcs11/create_key.robot +++ b/tests/RobotFramework/tests/pkcs11/create_key_hsm/create_key_hsm.resource @@ -1,12 +1,7 @@ *** Settings *** Documentation Tests for the `tedge cert create-key-hsm` command. -Resource pkcs11_common.resource - -Suite Setup Custom Setup -Suite Teardown Get Suite Logs - -Test Tags adapter:docker theme:cryptoki +Resource ../pkcs11_common.resource *** Variables *** @@ -14,8 +9,8 @@ ${KEY_URI} ${EMPTY} ${TOKEN_URI} pkcs11:token=create-key-token -*** Test Cases *** -Can create a private key on the PKCS11 token +*** Keywords *** +Create a private key on the PKCS11 token Execute Command cmd=softhsm2-util --init-token --free --label create-key-token --pin=123456 --so-pin=123456 ${output}= Execute Command @@ -50,7 +45,7 @@ Can create a private key on the PKCS11 token ... p11tool_keytype=EC/ECDSA-SECP384R1 # ECDSA P521 not supported by rcgen -Shows connected initialized tokens when token argument is not provided +Show connected initialized tokens when token argument is not provided # setup multiple tokens Execute Command cmd=softhsm2-util --init-token --free --label create-key-token1 --pin=123456 --so-pin=123456 Execute Command cmd=softhsm2-util --init-token --free --label create-key-token2 --pin=123456 --so-pin=123456 @@ -67,7 +62,7 @@ Shows connected initialized tokens when token argument is not provided Should Contain ${stderr} token=create-key-token1 Should Contain ${stderr} token=create-key-token2 -Can set key ID using --id flag +Set key ID using --id flag ${output}= Execute Command ... cmd=tedge cert create-key-hsm --type ecdsa --label my-key --id 010203 "${TOKEN_URI}" ... strip=True @@ -83,7 +78,7 @@ Can set key ID using --id flag ... exp_exit_code=!0 Should Contain ${output} Object with this id already exists on the token -Can provide PIN using --pin flag +Provide PIN using --pin flag ${output}= Execute Command ... cmd=tedge cert create-key-hsm --label my-key --pin 000000 "${TOKEN_URI}" ... strip=True @@ -92,7 +87,7 @@ Can provide PIN using --pin flag ... exp_exit_code=!0 Should Contain ${output} The specified PIN is incorrect -Saves public key to file using --outfile-pubkey flag +Save public key to file using --outfile-pubkey flag ${output}= Execute Command ... cmd=tedge cert create-key-hsm --label my-key --outfile-pubkey pubkey.pem "${TOKEN_URI}" ... strip=True @@ -101,8 +96,6 @@ Saves public key to file using --outfile-pubkey flag ${pubkey}= Execute Command cat pubkey.pem strip=True Should Contain ${output} ${pubkey} - -*** Keywords *** Create private key [Arguments] ${type} ${label} ${bits}=${EMPTY} ${curve}=${EMPTY} ${p11tool_keytype}=${EMPTY} # create the private key on token and write CSR to device.csr_path @@ -129,6 +122,7 @@ Create private key Should Contain ${create_key_output} ${key_uri} Custom Setup + [Arguments] ${tedge_p11_server_version} ${DEVICE_SN}= Setup register=${False} Set Suite Variable ${DEVICE_SN} @@ -140,3 +134,5 @@ Custom Setup Execute Command tedge config set c8y.url "${domain}" Execute Command tedge config set mqtt.bridge.built_in true Execute Command tedge config set device.cryptoki.mode socket + + Install tedge-p11-server ${tedge_p11_server_version} diff --git a/tests/RobotFramework/tests/pkcs11/create_key_hsm/current.robot b/tests/RobotFramework/tests/pkcs11/create_key_hsm/current.robot new file mode 100644 index 00000000000..b3e9514791e --- /dev/null +++ b/tests/RobotFramework/tests/pkcs11/create_key_hsm/current.robot @@ -0,0 +1,31 @@ +*** Settings *** +Documentation Tests for the `tedge cert create-key-hsm` command. + +Resource ../pkcs11_common.resource +Resource ./create_key_hsm.resource + +Suite Setup Custom Setup ${TEDGE_P11_SERVER_VERSION} +Suite Teardown Get Suite Logs + +Test Tags adapter:docker theme:cryptoki + + +*** Variables *** +${TEDGE_P11_SERVER_VERSION} ${EMPTY} + + +*** Test Cases *** +Can create a private key on the PKCS11 token + Create a private key on the PKCS11 token + +Shows connected initialized tokens when token argument is not provided + Show connected initialized tokens when token argument is not provided + +Can set key ID using --id flag + Set key ID using --id flag + +Can provide PIN using --pin flag + Provide PIN using --pin flag + +Saves public key to file using --outfile-pubkey flag + Save public key to file using --outfile-pubkey flag diff --git a/tests/RobotFramework/tests/pkcs11/create_key_hsm/initial.robot b/tests/RobotFramework/tests/pkcs11/create_key_hsm/initial.robot new file mode 100644 index 00000000000..75193e396f5 --- /dev/null +++ b/tests/RobotFramework/tests/pkcs11/create_key_hsm/initial.robot @@ -0,0 +1,31 @@ +*** Settings *** +Documentation Tests for the `tedge cert create-key-hsm` command. + +Resource ../pkcs11_common.resource +Resource ./create_key_hsm.resource + +Suite Setup Custom Setup ${TEDGE_P11_SERVER_VERSION} +Suite Teardown Get Suite Logs + +Test Tags adapter:docker theme:cryptoki + + +*** Variables *** +${TEDGE_P11_SERVER_VERSION} 1.7.0 + + +*** Test Cases *** +Can create a private key on the PKCS11 token + Create a private key on the PKCS11 token + +Shows connected initialized tokens when token argument is not provided + Show connected initialized tokens when token argument is not provided + +Can set key ID using --id flag + Set key ID using --id flag + +Can provide PIN using --pin flag + Provide PIN using --pin flag + +Saves public key to file using --outfile-pubkey flag + Save public key to file using --outfile-pubkey flag diff --git a/tests/RobotFramework/tests/pkcs11/pkcs11_common.resource b/tests/RobotFramework/tests/pkcs11/pkcs11_common.resource index abf418b5d48..bd111175532 100644 --- a/tests/RobotFramework/tests/pkcs11/pkcs11_common.resource +++ b/tests/RobotFramework/tests/pkcs11/pkcs11_common.resource @@ -102,3 +102,21 @@ Command Should Fail With ${stderr}= Execute Command ${command} exp_exit_code=!0 stdout=false stderr=true Should Contain ${stderr} ${error} RETURN ${stderr} + +Install tedge-p11-server + [Arguments] ${version}="" + + # this doesn't install anything but adds cloudsmith repo to apt + Execute Command curl -1sLf 'https://dl.cloudsmith.io/public/thinedge/tedge-main/setup.deb.sh' | sudo -E bash + + IF $version + VAR ${package}= tedge-p11-server=${version} + ELSE + VAR ${package}= tedge-p11-server + END + Execute Command cmd=apt-get install -y --allow-downgrades ${package} + + IF $version + ${stdout}= Execute Command tedge-p11-server -V strip=True + Should Be Equal ${stdout} tedge-p11-server ${version} + END From d25779d7c714adfaa45bba67213cc2e851ff4f44 Mon Sep 17 00:00:00 2001 From: Marcel Guzik Date: Tue, 2 Dec 2025 19:05:32 +0000 Subject: [PATCH 3/6] test(pkcs11): test `tedge connect` using tedge-p11-server 1.6.1 Signed-off-by: Marcel Guzik --- .../tests/pkcs11/pkcs11_common.resource | 17 ++++-- .../tests/pkcs11/tedge_cert_renew.robot | 17 ++++-- .../tests/pkcs11/tedge_connect/current.robot | 54 +++++++++++++++++++ .../tests/pkcs11/tedge_connect/initial.robot | 54 +++++++++++++++++++ .../tedge_connect.resource} | 52 ++++++------------ .../tests/pkcs11/tedge_p11_server.robot | 13 +++++ 6 files changed, 165 insertions(+), 42 deletions(-) create mode 100644 tests/RobotFramework/tests/pkcs11/tedge_connect/current.robot create mode 100644 tests/RobotFramework/tests/pkcs11/tedge_connect/initial.robot rename tests/RobotFramework/tests/pkcs11/{private_key_storage.robot => tedge_connect/tedge_connect.resource} (86%) diff --git a/tests/RobotFramework/tests/pkcs11/pkcs11_common.resource b/tests/RobotFramework/tests/pkcs11/pkcs11_common.resource index bd111175532..3cb613bc823 100644 --- a/tests/RobotFramework/tests/pkcs11/pkcs11_common.resource +++ b/tests/RobotFramework/tests/pkcs11/pkcs11_common.resource @@ -20,7 +20,8 @@ Create Self Signed Certificate Connect to C8y using new ECDSA keypair [Documentation] Connects to C8y with a newly generated keypair and a self-signed certificate. ... The private key is saved on the token, and the self-signed certificate is registered with c8y. - [Arguments] ${curve}=p256 # if type == ECDSA, curve of the key - one of {secp256r1, secp384r1, secp521r1} + # if type == ECDSA, curve of the key - one of {secp256r1, secp384r1, secp521r1} + [Arguments] ${curve}=secp256r1 # We could alternatively use Cumulocity CA to start with a signed cert, but for testing certificate renewal, we want # to test both renewing a self-signed cert and a cert issued by C8y CA. When we start with self-signed cert, after @@ -67,16 +68,24 @@ Set up new PKCS11 RSA keypair ${identifier}= String.Generate Random String ${label}= Set Variable rsa-${bits}-${identifier} Execute Command - ... cmd=tedge cert create-key-hsm --type rsa --bits ${bits} --label "${label}" "pkcs11:token=tedge" + # ... cmd=tedge cert create-key-hsm --type rsa --bits ${bits} --label "${label}" "pkcs11:token=tedge" + ... cmd=p11tool --set-pin=123456 --login --generate-privkey rsa --bits ${bits} --label ${label} "pkcs11:token=tedge" + VAR ${key_uri}= pkcs11:token=tedge;object=${label} + # warning: PKCS11 _uri variables contain ; so they need to be quoted! + Execute Command cmd=tedge config set device.key_uri "${key_uri}" RETURN ${label} Set up new PKCS11 ECDSA keypair [Documentation] Creates a new keypair on the PKCS11 token, configures thin-edge to use the new key - [Arguments] ${curve}=p256 # curve of the key - one of {p256, p384} + [Arguments] ${curve}=secp256r1 # curve of the key - one of {p256, p384} ${identifier}= String.Generate Random String ${label}= Set Variable ecdsa-${curve}-${identifier} Execute Command - ... cmd=tedge cert create-key-hsm --type ecdsa --curve ${curve} --label "${label}" "pkcs11:token=tedge" + # ... cmd=tedge cert create-key-hsm --type ecdsa --curve ${curve} --label "${label}" "pkcs11:token=tedge" + ... cmd=p11tool --set-pin=123456 --login --generate-privkey ecdsa --curve ${curve} --label ${label} "pkcs11:token=tedge" + VAR ${key_uri}= pkcs11:token=tedge;object=${label} + # warning: PKCS11 _uri variables contain ; so they need to be quoted! + Execute Command cmd=tedge config set device.key_uri "${key_uri}" RETURN ${label} Set tedge-p11-server Uri diff --git a/tests/RobotFramework/tests/pkcs11/tedge_cert_renew.robot b/tests/RobotFramework/tests/pkcs11/tedge_cert_renew.robot index 23ed59196c5..db1cc2613f7 100644 --- a/tests/RobotFramework/tests/pkcs11/tedge_cert_renew.robot +++ b/tests/RobotFramework/tests/pkcs11/tedge_cert_renew.robot @@ -21,17 +21,28 @@ Use Private Key in SoftHSM2 using tedge-p11-server Renew certificate [Template] Renew certificate using tedge-p11-server version - ${TEDGE_P11_SERVER_VERSION} - ${EMPTY} + ${TEDGE_P11_SERVER_VERSION} PKCS #11 service failed: Failed to find a signing key + ${EMPTY} PKCS #11 service failed: Failed to find a key *** Keywords *** Renew certificate using tedge-p11-server version - [Arguments] ${version} + [Arguments] ${version} ${error} Install tedge-p11-server ${version} Execute Command tedge cert renew c8y Tedge Reconnect Should Succeed + Execute Command systemctl stop tedge-p11-server tedge-p11-server.socket + Command Should Fail With + ... tedge cert renew c8y + ... error=Failed to connect to tedge-p11-server UNIX socket at '/run/tedge-p11-server/tedge-p11-server.sock' + + Execute Command systemctl start tedge-p11-server.socket + + Execute Command cmd=tedge config set c8y.device.key_uri pkcs11:object=nonexistent_key + Command Should Fail With tedge cert renew c8y ${error} + Execute Command cmd=tedge config unset c8y.device.key_uri + Custom Setup ${DEVICE_SN}= Setup register=${False} Set Suite Variable ${DEVICE_SN} diff --git a/tests/RobotFramework/tests/pkcs11/tedge_connect/current.robot b/tests/RobotFramework/tests/pkcs11/tedge_connect/current.robot new file mode 100644 index 00000000000..44ccb152ba1 --- /dev/null +++ b/tests/RobotFramework/tests/pkcs11/tedge_connect/current.robot @@ -0,0 +1,54 @@ +*** Settings *** +Documentation Test thin-edge.io MQTT client authentication using a Hardware Security Module (HSM). +... +... This suite focuses on testing selection and connecting to the cloud using different types of private +... keys stored in PKCS#11 tokens. +... +... Uses SoftHSM2 to simulate a hardware security module for testing purposes. In real production +... environments, a dedicated hardware device would be used. + +# it would be good to explain here why we use the tedge-p11-server exclusively and not the module mode +Resource ../pkcs11_common.resource +Resource tedge_connect.resource + +Suite Setup Custom Setup ${TEDGE_P11_SERVER_VERSION} +Suite Teardown Get Suite Logs + +Test Tags adapter:docker theme:cryptoki + + +*** Variables *** +${KEY_URI} ${EMPTY} +${TEDGE_P11_SERVER_VERSION} ${EMPTY} + + +*** Test Cases *** +Can use Private Key in SoftHSM2 using tedge-p11-server + Use Private Key in SoftHSM2 using tedge-p11-server + +Can select Private key using tedge-p11-server URI + Select Private key using tedge-p11-server URI + +Can select Private key using a request URI + Select Private key using a request URI + +Can connect to C8y using an RSA key + Connects to C8y using an RSA key + +Can connect to C8y supporting all TLS13 ECDSA signature algorithms + Connects to C8y supporting all TLS13 ECDSA signature algorithms + +Can use PKCS11 key to renew the public certificate + Use PKCS11 key to renew the public certificate + +Can use tedge cert download c8y to download a certificate + Use tedge cert download c8y to download a certificate + +Can renew the certificate using different keypair + Renew the certificate using different keypair + +Can pass PIN in the request using pin-value + Pass PIN in the request using pin-value + +Can pass PIN in the request using device.key_pin + Pass PIN in the request using device.key_pin diff --git a/tests/RobotFramework/tests/pkcs11/tedge_connect/initial.robot b/tests/RobotFramework/tests/pkcs11/tedge_connect/initial.robot new file mode 100644 index 00000000000..903652c5449 --- /dev/null +++ b/tests/RobotFramework/tests/pkcs11/tedge_connect/initial.robot @@ -0,0 +1,54 @@ +*** Settings *** +Documentation Test thin-edge.io MQTT client authentication using a Hardware Security Module (HSM). +... +... This suite focuses on testing selection and connecting to the cloud using different types of private +... keys stored in PKCS#11 tokens. +... +... Uses SoftHSM2 to simulate a hardware security module for testing purposes. In real production +... environments, a dedicated hardware device would be used. + +# it would be good to explain here why we use the tedge-p11-server exclusively and not the module mode +Resource ../pkcs11_common.resource +Resource tedge_connect.resource + +Suite Setup Custom Setup ${TEDGE_P11_SERVER_VERSION} +Suite Teardown Get Suite Logs + +Test Tags adapter:docker theme:cryptoki + + +*** Variables *** +${KEY_URI} ${EMPTY} +${TEDGE_P11_SERVER_VERSION} 1.6.0 + + +*** Test Cases *** +Can use Private Key in SoftHSM2 using tedge-p11-server + Use Private Key in SoftHSM2 using tedge-p11-server + +Can select Private key using tedge-p11-server URI + Select Private key using tedge-p11-server URI + +Can select Private key using a request URI + Select Private key using a request URI + +Can connect to C8y using an RSA key + Connects to C8y using an RSA key + +Can connect to C8y supporting all TLS13 ECDSA signature algorithms + Connects to C8y supporting all TLS13 ECDSA signature algorithms + +# Can use PKCS11 key to renew the public certificate +# Use PKCS11 key to renew the public certificate + +# Can use tedge cert download c8y to download a certificate +# Use tedge cert download c8y to download a certificate + +# Can renew the certificate using different keypair +# Renew the certificate using different keypair + +# Can pass PIN in the request using pin-value +# Pass PIN in the request using pin-value + +# Can pass PIN in the request using device.key_pin +# Pass PIN in the request using device.key_pin diff --git a/tests/RobotFramework/tests/pkcs11/private_key_storage.robot b/tests/RobotFramework/tests/pkcs11/tedge_connect/tedge_connect.resource similarity index 86% rename from tests/RobotFramework/tests/pkcs11/private_key_storage.robot rename to tests/RobotFramework/tests/pkcs11/tedge_connect/tedge_connect.resource index 08427e4f0d5..79c3da8a070 100644 --- a/tests/RobotFramework/tests/pkcs11/private_key_storage.robot +++ b/tests/RobotFramework/tests/pkcs11/tedge_connect/tedge_connect.resource @@ -8,19 +8,14 @@ Documentation Test thin-edge.io MQTT client authentication using a Hardwar ... environments, a dedicated hardware device would be used. # it would be good to explain here why we use the tedge-p11-server exclusively and not the module mode -Resource pkcs11_common.resource - -Suite Setup Custom Setup -Suite Teardown Get Suite Logs - -Test Tags adapter:docker theme:cryptoki +Resource ../pkcs11_common.resource *** Variables *** ${KEY_URI} ${EMPTY} -*** Test Cases *** +*** Keywords *** Use Private Key in SoftHSM2 using tedge-p11-server Tedge Reconnect Should Succeed @@ -83,42 +78,28 @@ Select Private key using a request URI Connects to C8y using an RSA key [Documentation] Test that we can connect to C8y using an RSA private keys of all sizes. [Setup] Unset tedge-p11-server Uri - [Template] Connect to C8y using new RSA keypair - bits=4096 - bits=3072 - bits=2048 + Connect to C8y using new RSA keypair bits=4096 + Connect to C8y using new RSA keypair bits=3072 + Connect to C8y using new RSA keypair bits=2048 Connects to C8y supporting all TLS13 ECDSA signature algorithms [Documentation] Check that we support all ECDSA sigschemes used in TLS1.3, i.e: ecdsa_secp256r1_sha256, ... ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512. [Setup] Unset tedge-p11-server Uri - Connect to C8y using new ECDSA keypair curve=p256 - Connect to C8y using new ECDSA keypair curve=p384 + Connect to C8y using new ECDSA keypair curve=secp256r1 + Connect to C8y using new ECDSA keypair curve=secp384r1 # rcgen doesn't support p521 # https://github.com/rustls/rcgen/issues/60 # Connect to C8y using new ECDSA keypair curve=p521 - Execute Command systemctl stop tedge-p11-server tedge-p11-server.socket - Command Should Fail With - ... tedge cert renew c8y - ... error=Failed to connect to tedge-p11-server UNIX socket at '/run/tedge-p11-server/tedge-p11-server.sock' - - Execute Command systemctl start tedge-p11-server.socket - - Execute Command cmd=tedge config set c8y.device.key_uri pkcs11:object=nonexistent_key - Command Should Fail With - ... tedge cert renew c8y - ... error=PKCS #11 service failed: Failed to find a key - Execute Command cmd=tedge config unset c8y.device.key_uri - -Can use PKCS11 key to renew the public certificate +Use PKCS11 key to renew the public certificate [Documentation] Test that `tedge cert renew c8y` works with all supported keys. We do renew 2 times to see if we ... can renew both a self-signed certificate and a certificate signed by C8y CA. [Setup] Unset tedge-p11-server Uri - Test tedge cert renew type=ecdsa curve=p256 - Test tedge cert renew type=ecdsa curve=p384 + Test tedge cert renew type=ecdsa curve=secp256r1 + Test tedge cert renew type=ecdsa curve=secp384r1 # renewal isn't supported for secp521r1 because rcgen doesn't support it # https://github.com/rustls/rcgen/issues/60 @@ -127,7 +108,7 @@ Can use PKCS11 key to renew the public certificate Test tedge cert renew type=rsa bits=3072 Test tedge cert renew type=rsa bits=4096 -Can use tedge cert download c8y to download a certificate +Use tedge cert download c8y to download a certificate [Documentation] Download a certificate using CSR generated with PKCS11 without a prior certificate. # this new keypair doesn't have an associated certificate Set up new PKCS11 ECDSA keypair @@ -138,7 +119,7 @@ Can use tedge cert download c8y to download a certificate Tedge Reconnect Should Succeed -Can renew the certificate using different keypair +Renew the certificate using different keypair [Documentation] Starting with an initial trusted certificate, replace the keypair and renew the certificate. Connect to C8y using new ECDSA keypair Set up new PKCS11 ECDSA keypair @@ -146,7 +127,7 @@ Can renew the certificate using different keypair ${stdout}= Tedge Reconnect Should Succeed Should Contain ${stdout} The new certificate is now the active certificate -Can pass PIN in the request using pin-value +Pass PIN in the request using pin-value [Documentation] Tests if the PIN can be changed for the request by assuming current one is correct and setting a ... different one to see if we get an error about pin being incorrect. @@ -157,14 +138,12 @@ Can pass PIN in the request using pin-value [Teardown] Execute Command tedge config set device.key_uri "${key_uri}" -Can pass PIN in the request using device.key_pin +Pass PIN in the request using device.key_pin Execute Command tedge config set device.key_pin incorrect Tedge Reconnect Should Fail With The specified PIN is incorrect [Teardown] Execute Command tedge config unset device.key_pin - -*** Keywords *** Test tedge cert renew [Arguments] ${type} ${bits}=${EMPTY} ${curve}=${EMPTY} IF $type == "rsa" @@ -195,6 +174,7 @@ Test tedge cert renew Tedge Reconnect Should Succeed Custom Setup + [Arguments] ${tedge_p11_server_version} ${DEVICE_SN}= Setup register=${False} Set Suite Variable ${DEVICE_SN} @@ -207,4 +187,6 @@ Custom Setup Set Cumulocity URLs ThinEdgeIO.Register Device With Cumulocity CA ${DEVICE_SN} + Install tedge-p11-server ${tedge_p11_server_version} + Unset tedge-p11-server Uri diff --git a/tests/RobotFramework/tests/pkcs11/tedge_p11_server.robot b/tests/RobotFramework/tests/pkcs11/tedge_p11_server.robot index 966b8291a69..83ff0d2ff8a 100644 --- a/tests/RobotFramework/tests/pkcs11/tedge_p11_server.robot +++ b/tests/RobotFramework/tests/pkcs11/tedge_p11_server.robot @@ -75,6 +75,19 @@ Warn the user if tedge.toml cannot be parsed # But proceed Should Contain ${stderr} Using cryptoki configuration + Execute Command systemctl stop tedge-p11-server tedge-p11-server.socket + Command Should Fail With + ... tedge cert renew c8y + ... error=Failed to connect to tedge-p11-server UNIX socket at '/run/tedge-p11-server/tedge-p11-server.sock' + + Execute Command systemctl start tedge-p11-server.socket + + Execute Command cmd=tedge config set c8y.device.key_uri pkcs11:object=nonexistent_key + Command Should Fail With + ... tedge cert renew c8y + ... error=PKCS #11 service failed: Failed to find a key + Execute Command cmd=tedge config unset c8y.device.key_uri + *** Keywords *** Custom Setup From 62b61c45de6d7ca2506f52edc2f3c0b460d80799 Mon Sep 17 00:00:00 2001 From: Marcel Guzik Date: Thu, 4 Dec 2025 09:45:45 +0000 Subject: [PATCH 4/6] test(pkcs11): use suite variable to select p11tool Signed-off-by: Marcel Guzik --- .../tests/pkcs11/pkcs11_common.resource | 32 ++++++++++++++----- .../tests/pkcs11/tedge_connect/initial.robot | 1 + .../tedge_connect/tedge_connect.resource | 8 ++--- 3 files changed, 29 insertions(+), 12 deletions(-) diff --git a/tests/RobotFramework/tests/pkcs11/pkcs11_common.resource b/tests/RobotFramework/tests/pkcs11/pkcs11_common.resource index 3cb613bc823..f4181e6531a 100644 --- a/tests/RobotFramework/tests/pkcs11/pkcs11_common.resource +++ b/tests/RobotFramework/tests/pkcs11/pkcs11_common.resource @@ -10,6 +10,10 @@ Library ThinEdgeIO *** Variables *** ${DEVICE_SN} ${EMPTY} # should be set in setup of test suites +# if `False`, PKCS11 operations like creating keys, will use new tedge features, e.g. `tedge cert create-key-hsm`. +# if `True`, `p11tool` will be used instead +${PKCS11_USE_P11TOOL} ${False} + *** Keywords *** Create Self Signed Certificate @@ -21,7 +25,7 @@ Connect to C8y using new ECDSA keypair [Documentation] Connects to C8y with a newly generated keypair and a self-signed certificate. ... The private key is saved on the token, and the self-signed certificate is registered with c8y. # if type == ECDSA, curve of the key - one of {secp256r1, secp384r1, secp521r1} - [Arguments] ${curve}=secp256r1 + [Arguments] ${curve}=p256 # We could alternatively use Cumulocity CA to start with a signed cert, but for testing certificate renewal, we want # to test both renewing a self-signed cert and a cert issued by C8y CA. When we start with self-signed cert, after @@ -67,9 +71,15 @@ Set up new PKCS11 RSA keypair [Arguments] ${bits}=2048 # length in bits of the RSA key - one of {1024, 2048, 3072, 4096} ${identifier}= String.Generate Random String ${label}= Set Variable rsa-${bits}-${identifier} - Execute Command - # ... cmd=tedge cert create-key-hsm --type rsa --bits ${bits} --label "${label}" "pkcs11:token=tedge" - ... cmd=p11tool --set-pin=123456 --login --generate-privkey rsa --bits ${bits} --label ${label} "pkcs11:token=tedge" + + IF ${PKCS11_USE_P11TOOL} + Execute Command + ... cmd=p11tool --set-pin=123456 --login --generate-privkey rsa --bits ${bits} --label ${label} "pkcs11:token=tedge" + ELSE + Execute Command + ... cmd=tedge cert create-key-hsm --type rsa --bits ${bits} --label "${label}" "pkcs11:token=tedge" + END + VAR ${key_uri}= pkcs11:token=tedge;object=${label} # warning: PKCS11 _uri variables contain ; so they need to be quoted! Execute Command cmd=tedge config set device.key_uri "${key_uri}" @@ -77,12 +87,18 @@ Set up new PKCS11 RSA keypair Set up new PKCS11 ECDSA keypair [Documentation] Creates a new keypair on the PKCS11 token, configures thin-edge to use the new key - [Arguments] ${curve}=secp256r1 # curve of the key - one of {p256, p384} + [Arguments] ${curve}=p256 # curve of the key - one of {p256, p384} ${identifier}= String.Generate Random String ${label}= Set Variable ecdsa-${curve}-${identifier} - Execute Command - # ... cmd=tedge cert create-key-hsm --type ecdsa --curve ${curve} --label "${label}" "pkcs11:token=tedge" - ... cmd=p11tool --set-pin=123456 --login --generate-privkey ecdsa --curve ${curve} --label ${label} "pkcs11:token=tedge" + + IF ${PKCS11_USE_P11TOOL} + Execute Command + ... cmd=p11tool --set-pin=123456 --login --generate-privkey ecdsa --curve sec${curve}r1 --label ${label} "pkcs11:token=tedge" + ELSE + Execute Command + ... cmd=tedge cert create-key-hsm --type ecdsa --curve ${curve} --label "${label}" "pkcs11:token=tedge" + END + VAR ${key_uri}= pkcs11:token=tedge;object=${label} # warning: PKCS11 _uri variables contain ; so they need to be quoted! Execute Command cmd=tedge config set device.key_uri "${key_uri}" diff --git a/tests/RobotFramework/tests/pkcs11/tedge_connect/initial.robot b/tests/RobotFramework/tests/pkcs11/tedge_connect/initial.robot index 903652c5449..55e7a6af2d8 100644 --- a/tests/RobotFramework/tests/pkcs11/tedge_connect/initial.robot +++ b/tests/RobotFramework/tests/pkcs11/tedge_connect/initial.robot @@ -20,6 +20,7 @@ Test Tags adapter:docker theme:cryptoki *** Variables *** ${KEY_URI} ${EMPTY} ${TEDGE_P11_SERVER_VERSION} 1.6.0 +${PKCS11_USE_P11TOOL} ${True} *** Test Cases *** diff --git a/tests/RobotFramework/tests/pkcs11/tedge_connect/tedge_connect.resource b/tests/RobotFramework/tests/pkcs11/tedge_connect/tedge_connect.resource index 79c3da8a070..2264d52dad7 100644 --- a/tests/RobotFramework/tests/pkcs11/tedge_connect/tedge_connect.resource +++ b/tests/RobotFramework/tests/pkcs11/tedge_connect/tedge_connect.resource @@ -87,8 +87,8 @@ Connects to C8y supporting all TLS13 ECDSA signature algorithms ... ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512. [Setup] Unset tedge-p11-server Uri - Connect to C8y using new ECDSA keypair curve=secp256r1 - Connect to C8y using new ECDSA keypair curve=secp384r1 + Connect to C8y using new ECDSA keypair curve=p256 + Connect to C8y using new ECDSA keypair curve=p384 # rcgen doesn't support p521 # https://github.com/rustls/rcgen/issues/60 # Connect to C8y using new ECDSA keypair curve=p521 @@ -98,8 +98,8 @@ Use PKCS11 key to renew the public certificate ... can renew both a self-signed certificate and a certificate signed by C8y CA. [Setup] Unset tedge-p11-server Uri - Test tedge cert renew type=ecdsa curve=secp256r1 - Test tedge cert renew type=ecdsa curve=secp384r1 + Test tedge cert renew type=ecdsa curve=p256 + Test tedge cert renew type=ecdsa curve=p384 # renewal isn't supported for secp521r1 because rcgen doesn't support it # https://github.com/rustls/rcgen/issues/60 From 8fa28b701b22ba66dd4c6e3d9b935fe3895e7118 Mon Sep 17 00:00:00 2001 From: Marcel Guzik Date: Mon, 8 Dec 2025 09:48:56 +0000 Subject: [PATCH 5/6] test(pkcs11): split up the rest of features from connect into separate suites Signed-off-by: Marcel Guzik --- .../tests/pkcs11/compatibility.robot | 246 ------------------ .../tests/pkcs11/pin_select/current.robot | 16 ++ .../tests/pkcs11/pin_select/initial.robot | 16 ++ .../pkcs11/pin_select/pin_select.resource | 29 +++ .../tests/pkcs11/pkcs11_common.resource | 27 +- .../pkcs11/tedge_cert_download/current.robot | 13 + .../pkcs11/tedge_cert_download/initial.robot | 14 + .../tedge_cert_download.resource | 15 ++ .../tests/pkcs11/tedge_cert_renew.robot | 65 ----- .../pkcs11/tedge_cert_renew/current.robot | 27 ++ .../pkcs11/tedge_cert_renew/initial.robot | 29 +++ .../tedge_cert_renew.resource | 68 +++++ .../tests/pkcs11/tedge_connect/current.robot | 15 -- .../tests/pkcs11/tedge_connect/initial.robot | 20 +- .../tedge_connect/tedge_connect.resource | 80 ------ 15 files changed, 255 insertions(+), 425 deletions(-) delete mode 100644 tests/RobotFramework/tests/pkcs11/compatibility.robot create mode 100644 tests/RobotFramework/tests/pkcs11/pin_select/current.robot create mode 100644 tests/RobotFramework/tests/pkcs11/pin_select/initial.robot create mode 100644 tests/RobotFramework/tests/pkcs11/pin_select/pin_select.resource create mode 100644 tests/RobotFramework/tests/pkcs11/tedge_cert_download/current.robot create mode 100644 tests/RobotFramework/tests/pkcs11/tedge_cert_download/initial.robot create mode 100644 tests/RobotFramework/tests/pkcs11/tedge_cert_download/tedge_cert_download.resource delete mode 100644 tests/RobotFramework/tests/pkcs11/tedge_cert_renew.robot create mode 100644 tests/RobotFramework/tests/pkcs11/tedge_cert_renew/current.robot create mode 100644 tests/RobotFramework/tests/pkcs11/tedge_cert_renew/initial.robot create mode 100644 tests/RobotFramework/tests/pkcs11/tedge_cert_renew/tedge_cert_renew.resource diff --git a/tests/RobotFramework/tests/pkcs11/compatibility.robot b/tests/RobotFramework/tests/pkcs11/compatibility.robot deleted file mode 100644 index 2e880724fd0..00000000000 --- a/tests/RobotFramework/tests/pkcs11/compatibility.robot +++ /dev/null @@ -1,246 +0,0 @@ -*** Settings *** -Documentation This test suite runs the tests with tedge-p11-server pinned to a fixed version to ensure that new -... versions of thin-edge remain backwards compatible with tedge-p11-server's binary communication protocol. The -... scope of this test is limited to tedge-p11-server's initial feature set and will generally not be expanded. - -Resource pkcs11_common.resource - -Suite Setup Custom Setup -Suite Teardown Get Suite Logs - -Test Tags adapter:docker theme:cryptoki compatibility - - -*** Variables *** -${TEDGE_P11_SERVER_VERSION} 1.5.1 - - -*** Test Cases *** -# the test cases are basically copy-pasted from private_key_storage.robot, as the purpose of this suite is to run the -# exact same tests with a slightly different setup. It would be easiest if we could import the test cases themselves -# from another test suite, but this isn't possible. So we extract reusable keywords into a resource file, but test cases -# remain duplicated. -Use Private Key in SoftHSM2 using tedge-p11-server - Tedge Reconnect Should Succeed - -Select Private key using tedge-p11-server URI - [Documentation] Make sure that we can select different keys and tokens using a PKCS#11 URI. - ... The URI can either point to a specific key, or to a specific token where we will attempt to find a key. - ... - ... To ensure that correct key is selected and reduce the need to generate and upload different keys and - ... certificates, we'll only be using one key and we'll only import it to the chosen token, keeping other tokens - ... empty. - ... - ... We set the URI on tedge-p11-server, which means that all connecting clients will use the selected key until - ... tedge-p11-server is restarted with a different URI. - - Unset tedge-p11-server Uri - Tedge Reconnect Should Succeed - - # expect failure if we try to use a token that doesn't exist - Set tedge-p11-server Uri value=pkcs11:token=asdf - Tedge Reconnect Should Fail With Failed to find a signing key: Didn't find a slot to use - - # create tokens with no keys on them, so key selection fails if wrong token is selected - Execute Command softhsm2-util --init-token --free --label token1 --pin "123456" --so-pin "123456" - - Set tedge-p11-server Uri value=pkcs11:token=token1 - Tedge Reconnect Should Fail With Failed to find a signing key - - Set tedge-p11-server Uri value=pkcs11:token=tedge - Tedge Reconnect Should Succeed - - # import another private key to the primary token (one that has valid tedge key) so we can select a key - Execute Command - ... cmd=p11tool --set-pin=123456 --login --generate-privkey ECDSA --curve=secp256r1 --label "key2" "pkcs11:token=tedge" - - Set tedge-p11-server Uri value=pkcs11:token=tedge;object=key2 - Tedge Reconnect Should Fail With HandshakeFailure - - # but when URI has correct label, we expect valid key to be used again - Set tedge-p11-server Uri value=pkcs11:token=tedge;object=tedge - Tedge Reconnect Should Succeed - [Teardown] Unset tedge-p11-server Uri - -Select Private key using a request URI - [Documentation] Like above, we select the key using a URI, but this time we include it in a request, which means - ... we can select different keys without restarting tedge-p11-server. - - Execute Command cmd=tedge config set device.key_uri pkcs11:token=token123 - ${stderr}= Tedge Reconnect Should Fail With Failed to find a signing key - Should Contain ${stderr} item=cryptoki: socket (key: pkcs11:token=token123) - - Execute Command cmd=tedge config unset device.key_uri - Execute Command cmd=tedge config set device.key_uri pkcs11:token=token123 - ${stderr}= Tedge Reconnect Should Fail With Failed to find a signing key - Should Contain ${stderr} item=cryptoki: socket (key: pkcs11:token=token123) - - Execute Command cmd=tedge config set device.key_uri "pkcs11:token=tedge;object=tedge" - ${stderr}= Tedge Reconnect Should Succeed - Should Contain ${stderr} item=cryptoki: socket (key: pkcs11:token=tedge;object=tedge) - -Connects to C8y using an RSA key - [Documentation] Test that we can connect to C8y using an RSA private keys of all sizes. - [Setup] Unset tedge-p11-server Uri - [Template] Connect to C8y using new RSA keypair - bits=4096 - bits=3072 - bits=2048 - # bits=1024 # RSA 1024 is considered to be insecure is not supported when using the Cumulocity Certificate Authority feature - -Connects to C8y supporting all TLS13 ECDSA signature algorithms - [Documentation] Check that we support all ECDSA sigschemes used in TLS1.3, i.e: ecdsa_secp256r1_sha256, - ... ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512. - [Setup] Unset tedge-p11-server Uri - [Template] Connect to C8y using new ECDSA keypair - curve=secp256r1 - -Ignore tedge.toml if missing - Execute Command rm -f ./tedge.toml - ${stderr}= Execute Command tedge-p11-server --config-dir . --module-path xx.so exp_exit_code=!0 - # Don't log anything (this is normal behaviour as the user does not have to create a tedge.toml file) - Should Not Contain ${stderr} Failed to read ./tedge.toml: No such file - # And proceed - Should Contain ${stderr} Using cryptoki configuration - # Using default values - Should Contain ${stderr} tedge-p11-server.sock - -Ignore tedge.toml if empty - Execute Command touch ./tedge.toml - ${stderr}= Execute Command tedge-p11-server --config-dir . --module-path xx.so exp_exit_code=!0 - # Don't log anything (this is normal behaviour, where the file is used for tedge and not tedge-p11-server) - Should Not Contain ${stderr} Failed to parse ./tedge.toml: invalid TOML - # And proceed - Should Contain ${stderr} Using cryptoki configuration - # Using default values - Should Contain ${stderr} tedge-p11-server.sock - -Ignore tedge.toml if incomplete - Execute Command echo '[device]' >./tedge.toml - ${stderr}= Execute Command tedge-p11-server --config-dir . --module-path xx.so exp_exit_code=!0 - # Don't log anything (this is normal behaviour, where the file is used for tedge and not tedge-p11-server) - Should Not Contain ${stderr} Failed to parse ./tedge.toml: invalid TOML - Should Not Contain ${stderr} missing field `cryptoki` - # And proceed - Should Contain ${stderr} Using cryptoki configuration - # Using default values - Should Contain ${stderr} tedge-p11-server.sock - -Do not warn the user if tedge.toml is incomplete but not used - Execute Command rm -f ./tedge.toml - ${stderr}= Execute Command - ... tedge-p11-server --config-dir . --module-path xx.so --pin 11.pin --socket-path yy.sock --uri zz.uri - ... exp_exit_code=!0 - # Don't warn as all values are provided on the command line - Should Not Contain ${stderr} Failed to read ./tedge.toml: No such file - # And proceed - Should Contain ${stderr} Using cryptoki configuration - # Using the values provided on the command lin - Should Contain ${stderr} xx.so - Should Contain ${stderr} yy.sock - Should Contain ${stderr} zz.uri - -Warn the user if tedge.toml exists but cannot be read - Execute Command echo '[device.cryptoki]' >./tedge.toml - Execute Command chmod a-rw ./tedge.toml - ${stderr}= Execute Command - ... sudo -u tedge tedge-p11-server --config-dir . --module-path xx.so - ... exp_exit_code=!0 - # Warn the user - Should Contain ${stderr} Failed to read ./tedge.toml: Permission denied - # But proceed - Should Contain ${stderr} Using cryptoki configuration - -Warn the user if tedge.toml cannot be parsed - Execute Command rm -f ./tedge.toml - Execute Command echo '[corrupted toml ...' >./tedge.toml - ${stderr}= Execute Command tedge-p11-server --config-dir . --module-path xx.so exp_exit_code=!0 - # Warn the user - Should Contain ${stderr} Failed to parse ./tedge.toml: invalid TOML - # But proceed - Should Contain ${stderr} Using cryptoki configuration - - -*** Keywords *** -Custom Setup - ${DEVICE_SN}= Setup register=${False} - Set Suite Variable ${DEVICE_SN} - - # this doesn't install anything but adds cloudsmith repo to apt - Execute Command curl -1sLf 'https://dl.cloudsmith.io/public/thinedge/tedge-main/setup.deb.sh' | sudo -E bash - Execute Command cmd=apt-get install -y --allow-downgrades tedge-p11-server=${TEDGE_P11_SERVER_VERSION} - ${stdout}= Execute Command tedge-p11-server -V strip=True - Should Be Equal ${stdout} tedge-p11-server ${TEDGE_P11_SERVER_VERSION} - - # Allow the tedge user to access softhsm - Execute Command sudo usermod -a -G softhsm tedge - Transfer To Device ${CURDIR}/data/init_softhsm.sh /usr/bin/ - - # initialize the soft hsm and create a certificate signing request - Execute Command tedge config set device.cryptoki.pin 123456 - Execute Command tedge config set device.cryptoki.module_path /usr/lib/softhsm/libsofthsm2.so - Execute Command sudo -u tedge /usr/bin/init_softhsm.sh --device-id "${DEVICE_SN}" --pin 123456 - - # configure tedge - Set Cumulocity URLs - Execute Command tedge config set mqtt.bridge.built_in true - Execute Command tedge config set device.cryptoki.mode socket - - ${csr_path}= Execute Command cmd=tedge config get device.csr_path strip=${True} - Register Device With Cumulocity CA ${DEVICE_SN} csr_path=${csr_path} - - Unset tedge-p11-server Uri - -Connect to C8y using new ECDSA keypair - [Documentation] Connects to C8y with a newly generated keypair and a self-signed certificate. - ... The private key is saved on the token, and the self-signed certificate is registered with c8y. - [Arguments] ${curve}=secp256r1 - ${label}= Set up new PKCS11 ECDSA keypair curve=${curve} - - ${cert_path}= Set Variable /etc/tedge/device-certs/${label}.pem - Execute Command cmd=tedge config set device.cert_path ${cert_path} - - Create Self Signed Certificate common_name=${DEVICE_SN} label=${label} output_path=${cert_path} - Set tedge-p11-server Uri value=pkcs11:token=tedge;object=${label} - - Execute Command - ... cmd=sudo env C8Y_USER="${C8Y_CONFIG.username}" C8Y_PASSWORD="${C8Y_CONFIG.password}" tedge cert upload c8y - ThinEdgeIO.Register Certificate For Cleanup - - Tedge Reconnect Should Succeed - -Connect to C8y using new RSA keypair - [Documentation] Connects to C8y with a newly generated keypair and a self-signed certificate. - ... The private key is saved on the token, and the self-signed certificate is registered with c8y. - [Arguments] ${bits}=4096 # length in bits of the RSA key - one of {1024, 2048, 3072, 4096} - ${label}= Set up new PKCS11 RSA keypair bits=${bits} - - ${cert_path}= Set Variable /etc/tedge/device-certs/${label}.pem - Execute Command cmd=tedge config set device.cert_path ${cert_path} - - Create Self Signed Certificate common_name=${DEVICE_SN} label=${label} output_path=${cert_path} - Set tedge-p11-server Uri value=pkcs11:token=tedge;object=${label} - - Execute Command - ... cmd=sudo env C8Y_USER="${C8Y_CONFIG.username}" C8Y_PASSWORD="${C8Y_CONFIG.password}" tedge cert upload c8y - ThinEdgeIO.Register Certificate For Cleanup - - Tedge Reconnect Should Succeed - -Set up new PKCS11 RSA keypair - [Documentation] Creates a new keypair on the PKCS11 token, configures thin-edge to use the new key - [Arguments] ${bits}=2048 # length in bits of the RSA key - one of {1024, 2048, 3072, 4096} - ${identifier}= String.Generate Random String - ${label}= Set Variable rsa-${bits}-${identifier} - Execute Command - ... cmd=p11tool --set-pin=123456 --login --generate-privkey rsa --bits=${bits} --label "${label}" --outfile "/etc/tedge/hsm/${label}.pub" "pkcs11:token=tedge" - RETURN ${label} - -Set up new PKCS11 ECDSA keypair - [Documentation] Creates a new keypair on the PKCS11 token, configures thin-edge to use the new key - [Arguments] ${curve}=p256 # curve of the key - one of {p256, p384} - ${identifier}= String.Generate Random String - ${label}= Set Variable ecdsa-${curve}-${identifier} - Execute Command - ... cmd=p11tool --set-pin=123456 --login --generate-privkey ECDSA --curve ${curve} --label "${label}" --outfile "/etc/tedge/hsm/${label}.pub" "pkcs11:token=tedge" - RETURN ${label} diff --git a/tests/RobotFramework/tests/pkcs11/pin_select/current.robot b/tests/RobotFramework/tests/pkcs11/pin_select/current.robot new file mode 100644 index 00000000000..62dbb73b3f6 --- /dev/null +++ b/tests/RobotFramework/tests/pkcs11/pin_select/current.robot @@ -0,0 +1,16 @@ +*** Settings *** +Resource pin_select.resource + +Suite Setup tedge-p11-server Setup ${TEDGE_P11_SERVER_VERSION} + + +*** Variables *** +${TEDGE_P11_SERVER_VERSION} ${EMPTY} + + +*** Test Cases *** +Can pass PIN in the request using pin-value + Pass PIN in the request using pin-value + +Can pass PIN in the request using device.key_pin + Pass PIN in the request using device.key_pin diff --git a/tests/RobotFramework/tests/pkcs11/pin_select/initial.robot b/tests/RobotFramework/tests/pkcs11/pin_select/initial.robot new file mode 100644 index 00000000000..ea7e6b662ae --- /dev/null +++ b/tests/RobotFramework/tests/pkcs11/pin_select/initial.robot @@ -0,0 +1,16 @@ +*** Settings *** +Resource pin_select.resource + +Suite Setup tedge-p11-server Setup ${TEDGE_P11_SERVER_VERSION} + + +*** Variables *** +${TEDGE_P11_SERVER_VERSION} 1.7.0 + + +*** Test Cases *** +Can pass PIN in the request using pin-value + Pass PIN in the request using pin-value + +Can pass PIN in the request using device.key_pin + Pass PIN in the request using device.key_pin diff --git a/tests/RobotFramework/tests/pkcs11/pin_select/pin_select.resource b/tests/RobotFramework/tests/pkcs11/pin_select/pin_select.resource new file mode 100644 index 00000000000..77eb88b582c --- /dev/null +++ b/tests/RobotFramework/tests/pkcs11/pin_select/pin_select.resource @@ -0,0 +1,29 @@ +*** Settings *** +Resource ../pkcs11_common.resource + + +*** Keywords *** +Pass PIN in the request using pin-value + [Documentation] Tests if the PIN can be changed for the request by assuming current one is correct and setting a + ... different one to see if we get an error about pin being incorrect. + + ${key_uri}= Execute Command tedge config get device.key_uri strip=True ignore_exit_code=True + # FIXME: this breaks if currently set URI already has query attributes, but currently that's not the case (other tests don't set it) + Execute Command cmd=tedge config set device.key_uri "pkcs11:token=tedge;object=tedge?pin-value=incorrect" + Tedge Reconnect Should Fail With The specified PIN is incorrect + + [Teardown] Restore previous key_uri ${key_uri} + +Pass PIN in the request using device.key_pin + Execute Command tedge config set device.key_pin incorrect + Tedge Reconnect Should Fail With The specified PIN is incorrect + + [Teardown] Execute Command tedge config unset device.key_pin + +Restore previous key_uri + [Arguments] ${key_uri} + IF $key_uri + Execute Command tedge config set device.key_uri "${key_uri}" + ELSE + Execute Command tedge config unset device.key_uri + END diff --git a/tests/RobotFramework/tests/pkcs11/pkcs11_common.resource b/tests/RobotFramework/tests/pkcs11/pkcs11_common.resource index f4181e6531a..caccc1023b5 100644 --- a/tests/RobotFramework/tests/pkcs11/pkcs11_common.resource +++ b/tests/RobotFramework/tests/pkcs11/pkcs11_common.resource @@ -8,11 +8,11 @@ Library ThinEdgeIO *** Variables *** -${DEVICE_SN} ${EMPTY} # should be set in setup of test suites +${DEVICE_SN} ${EMPTY} # should be set in setup of test suites # if `False`, PKCS11 operations like creating keys, will use new tedge features, e.g. `tedge cert create-key-hsm`. # if `True`, `p11tool` will be used instead -${PKCS11_USE_P11TOOL} ${False} +${PKCS11_USE_P11TOOL} ${False} *** Keywords *** @@ -145,3 +145,26 @@ Install tedge-p11-server ${stdout}= Execute Command tedge-p11-server -V strip=True Should Be Equal ${stdout} tedge-p11-server ${version} END + +tedge-p11-server Setup + [Arguments] ${tedge_p11_server_version} + ${DEVICE_SN}= Setup register=${False} + Set Suite Variable ${DEVICE_SN} + + # Allow the tedge user to access softhsm + Execute Command sudo usermod -a -G softhsm tedge + Transfer To Device ${CURDIR}/data/init_softhsm.sh /usr/bin/ + Execute Command sudo -u tedge /usr/bin/init_softhsm.sh --device-id "${DEVICE_SN}" --pin 123456 + + Execute Command tedge config set device.cryptoki.pin 123456 + Execute Command tedge config set device.cryptoki.module_path /usr/lib/softhsm/libsofthsm2.so + Execute Command tedge config set mqtt.bridge.built_in true + Execute Command tedge config set device.cryptoki.mode socket + + # tests expect that the device.key_uri is initially unset + Execute Command cmd=tedge config unset device.key_uri + + Set Cumulocity URLs + ThinEdgeIO.Register Device With Cumulocity CA ${DEVICE_SN} + + Install tedge-p11-server ${tedge_p11_server_version} diff --git a/tests/RobotFramework/tests/pkcs11/tedge_cert_download/current.robot b/tests/RobotFramework/tests/pkcs11/tedge_cert_download/current.robot new file mode 100644 index 00000000000..59f786e5fb5 --- /dev/null +++ b/tests/RobotFramework/tests/pkcs11/tedge_cert_download/current.robot @@ -0,0 +1,13 @@ +*** Settings *** +Resource tedge_cert_download.resource + +Suite Setup tedge-p11-server Setup ${TEDGE_P11_SERVER_VERSION} + + +*** Variables *** +${TEDGE_P11_SERVER_VERSION} ${EMPTY} + + +*** Test Cases *** +Can use tedge cert download c8y to download a certificate + Use tedge cert download c8y to download a certificate diff --git a/tests/RobotFramework/tests/pkcs11/tedge_cert_download/initial.robot b/tests/RobotFramework/tests/pkcs11/tedge_cert_download/initial.robot new file mode 100644 index 00000000000..c40099c7018 --- /dev/null +++ b/tests/RobotFramework/tests/pkcs11/tedge_cert_download/initial.robot @@ -0,0 +1,14 @@ +*** Settings *** +Resource tedge_cert_download.resource + +Suite Setup tedge-p11-server Setup ${TEDGE_P11_SERVER_VERSION} + + +*** Variables *** +${TEDGE_P11_SERVER_VERSION} 1.7.0 +${PKCS11_USE_P11TOOL} ${True} + + +*** Test Cases *** +Can use tedge cert download c8y to download a certificate + Use tedge cert download c8y to download a certificate diff --git a/tests/RobotFramework/tests/pkcs11/tedge_cert_download/tedge_cert_download.resource b/tests/RobotFramework/tests/pkcs11/tedge_cert_download/tedge_cert_download.resource new file mode 100644 index 00000000000..d5fab36a558 --- /dev/null +++ b/tests/RobotFramework/tests/pkcs11/tedge_cert_download/tedge_cert_download.resource @@ -0,0 +1,15 @@ +*** Settings *** +Resource ../pkcs11_common.resource + + +*** Keywords *** +Use tedge cert download c8y to download a certificate + [Documentation] Download a certificate using CSR generated with PKCS11 without a prior certificate. + # this new keypair doesn't have an associated certificate + Set up new PKCS11 ECDSA keypair + + ${credentials}= Cumulocity.Bulk Register Device With Cumulocity CA external_id=${DEVICE_SN} + Execute Command + ... cmd=tedge cert download c8y --device-id "${DEVICE_SN}" --one-time-password '${credentials.one_time_password}' --retry-every 5s --max-timeout 60s + + Tedge Reconnect Should Succeed diff --git a/tests/RobotFramework/tests/pkcs11/tedge_cert_renew.robot b/tests/RobotFramework/tests/pkcs11/tedge_cert_renew.robot deleted file mode 100644 index db1cc2613f7..00000000000 --- a/tests/RobotFramework/tests/pkcs11/tedge_cert_renew.robot +++ /dev/null @@ -1,65 +0,0 @@ -*** Settings *** -Documentation This test suite runs the tests with tedge-p11-server pinned to a fixed version to ensure that new -... versions of thin-edge remain backwards compatible with tedge-p11-server's binary communication protocol. The -... scope of this test is limited to tedge-p11-server's initial feature set and will generally not be expanded. - -Resource pkcs11_common.resource - -Suite Setup Custom Setup -Suite Teardown Get Suite Logs - -Test Tags adapter:docker theme:cryptoki compatibility - - -*** Variables *** -${TEDGE_P11_SERVER_VERSION} 1.6.1 - - -*** Test Cases *** -Use Private Key in SoftHSM2 using tedge-p11-server - Tedge Reconnect Should Succeed - -Renew certificate - [Template] Renew certificate using tedge-p11-server version - ${TEDGE_P11_SERVER_VERSION} PKCS #11 service failed: Failed to find a signing key - ${EMPTY} PKCS #11 service failed: Failed to find a key - - -*** Keywords *** -Renew certificate using tedge-p11-server version - [Arguments] ${version} ${error} - Install tedge-p11-server ${version} - Execute Command tedge cert renew c8y - Tedge Reconnect Should Succeed - - Execute Command systemctl stop tedge-p11-server tedge-p11-server.socket - Command Should Fail With - ... tedge cert renew c8y - ... error=Failed to connect to tedge-p11-server UNIX socket at '/run/tedge-p11-server/tedge-p11-server.sock' - - Execute Command systemctl start tedge-p11-server.socket - - Execute Command cmd=tedge config set c8y.device.key_uri pkcs11:object=nonexistent_key - Command Should Fail With tedge cert renew c8y ${error} - Execute Command cmd=tedge config unset c8y.device.key_uri - -Custom Setup - ${DEVICE_SN}= Setup register=${False} - Set Suite Variable ${DEVICE_SN} - - # Allow the tedge user to access softhsm - Execute Command sudo usermod -a -G softhsm tedge - Transfer To Device ${CURDIR}/data/init_softhsm.sh /usr/bin/ - - # initialize the soft hsm and create a certificate signing request - Execute Command tedge config set device.cryptoki.pin 123456 - Execute Command tedge config set device.cryptoki.module_path /usr/lib/softhsm/libsofthsm2.so - Execute Command sudo -u tedge /usr/bin/init_softhsm.sh --device-id "${DEVICE_SN}" --pin 123456 - - # configure tedge - Set Cumulocity URLs - Execute Command tedge config set mqtt.bridge.built_in true - Execute Command tedge config set device.cryptoki.mode socket - - ${csr_path}= Execute Command cmd=tedge config get device.csr_path strip=${True} - Register Device With Cumulocity CA ${DEVICE_SN} csr_path=${csr_path} diff --git a/tests/RobotFramework/tests/pkcs11/tedge_cert_renew/current.robot b/tests/RobotFramework/tests/pkcs11/tedge_cert_renew/current.robot new file mode 100644 index 00000000000..8141e09819f --- /dev/null +++ b/tests/RobotFramework/tests/pkcs11/tedge_cert_renew/current.robot @@ -0,0 +1,27 @@ +*** Settings *** +Documentation This test suite runs the tests with tedge-p11-server pinned to a fixed version to ensure that new +... versions of thin-edge remain backwards compatible with tedge-p11-server's binary communication protocol. The +... scope of this test is limited to tedge-p11-server's initial feature set and will generally not be expanded. + +Resource ../pkcs11_common.resource +Resource tedge_cert_renew.resource + +Suite Setup tedge-p11-server Setup ${TEDGE_P11_SERVER_VERSION} +Suite Teardown Get Suite Logs + +Test Tags adapter:docker theme:cryptoki compatibility + + +*** Variables *** +${TEDGE_P11_SERVER_VERSION} ${EMPTY} + + +*** Test Cases *** +Use Private Key in SoftHSM2 using tedge-p11-server + Tedge Reconnect Should Succeed + +Renew certificate + Use PKCS11 key to renew the public certificate error=PKCS #11 service failed: Failed to find a key + +Can renew the certificate using different keypair + Renew the certificate using different keypair diff --git a/tests/RobotFramework/tests/pkcs11/tedge_cert_renew/initial.robot b/tests/RobotFramework/tests/pkcs11/tedge_cert_renew/initial.robot new file mode 100644 index 00000000000..da4238e219e --- /dev/null +++ b/tests/RobotFramework/tests/pkcs11/tedge_cert_renew/initial.robot @@ -0,0 +1,29 @@ +*** Settings *** +Documentation This test suite runs the tests with tedge-p11-server pinned to a fixed version to ensure that new +... versions of thin-edge remain backwards compatible with tedge-p11-server's binary communication protocol. The +... scope of this test is limited to tedge-p11-server's initial feature set and will generally not be expanded. + +Resource tedge_cert_renew.resource + +Suite Setup tedge-p11-server Setup ${TEDGE_P11_SERVER_VERSION} +Suite Teardown Get Suite Logs + +Test Tags adapter:docker theme:cryptoki compatibility + + +*** Variables *** +${TEDGE_P11_SERVER_VERSION} 1.6.1 +${PKCS11_USE_P11TOOL} ${True} + + +*** Test Cases *** +Use Private Key in SoftHSM2 using tedge-p11-server + Tedge Reconnect Should Succeed + +Renew certificate + Use PKCS11 key to renew the public certificate error=PKCS #11 service failed: Failed to find a signing key + +Can renew the certificate using different keypair + # In 1.6.1 there was a bug where the generated CSR signature was invalid (#3737), fixed in 1.7.0 + Install tedge-p11-server 1.7.0 + Renew the certificate using different keypair diff --git a/tests/RobotFramework/tests/pkcs11/tedge_cert_renew/tedge_cert_renew.resource b/tests/RobotFramework/tests/pkcs11/tedge_cert_renew/tedge_cert_renew.resource new file mode 100644 index 00000000000..72bd325de54 --- /dev/null +++ b/tests/RobotFramework/tests/pkcs11/tedge_cert_renew/tedge_cert_renew.resource @@ -0,0 +1,68 @@ +*** Settings *** +Resource ../pkcs11_common.resource + + +*** Keywords *** +Use PKCS11 key to renew the public certificate + [Documentation] Test that `tedge cert renew c8y` works with all supported keys. We do renew 2 times to see if we + ... can renew both a self-signed certificate and a certificate signed by C8y CA. + [Arguments] ${error} + [Setup] Unset tedge-p11-server Uri + + Test tedge cert renew type=ecdsa error=${error} curve=p256 + Test tedge cert renew type=ecdsa error=${error} curve=p384 + + # renewal isn't supported for secp521r1 because rcgen doesn't support it + # https://github.com/rustls/rcgen/issues/60 + + Test tedge cert renew type=rsa error=${error} bits=2048 + Test tedge cert renew type=rsa error=${error} bits=3072 + Test tedge cert renew type=rsa error=${error} bits=4096 + +Test tedge cert renew + [Arguments] ${type} ${error} ${bits}=${EMPTY} ${curve}=${EMPTY} + IF $type == "rsa" + Connect to C8y using new RSA keypair ${bits} + ELSE + Connect to C8y using new ECDSA keypair ${curve} + END + # We could alternatively use Cumulocity CA to start with a signed cert, but for testing certificate renewal, we want + # to test both renewing a self-signed cert and a cert issued by C8y CA. When we start with self-signed cert, after + # the first renewal we get a cert signed by CA, so we test all scenarios by just doing renew 2 times. + + Execute Command tedge cert renew c8y + ${stderr}= Execute Command + ... openssl req -text -noout -in /etc/tedge/device-certs/tedge.csr -verify + ... stdout=False + ... stderr=true + Should Contain ${stderr} Certificate request self-signature verify OK + + Tedge Reconnect Should Succeed + + Execute Command tedge cert renew c8y + ${stderr}= Execute Command + ... openssl req -text -noout -in /etc/tedge/device-certs/tedge.csr -verify + ... stdout=False + ... stderr=true + Should Contain ${stderr} Certificate request self-signature verify OK + + Tedge Reconnect Should Succeed + + Execute Command systemctl stop tedge-p11-server tedge-p11-server.socket + Command Should Fail With + ... tedge cert renew c8y + ... error=Failed to connect to tedge-p11-server UNIX socket at '/run/tedge-p11-server/tedge-p11-server.sock' + + Execute Command systemctl start tedge-p11-server.socket + + Execute Command cmd=tedge config set c8y.device.key_uri pkcs11:object=nonexistent_key + Command Should Fail With tedge cert renew c8y ${error} + Execute Command cmd=tedge config unset c8y.device.key_uri + +Renew the certificate using different keypair + [Documentation] Starting with an initial trusted certificate, replace the keypair and renew the certificate. + Connect to C8y using new ECDSA keypair + Set up new PKCS11 ECDSA keypair + Execute Command tedge cert renew c8y + ${stdout}= Tedge Reconnect Should Succeed + Should Contain ${stdout} The new certificate is now the active certificate diff --git a/tests/RobotFramework/tests/pkcs11/tedge_connect/current.robot b/tests/RobotFramework/tests/pkcs11/tedge_connect/current.robot index 44ccb152ba1..034182f1d7d 100644 --- a/tests/RobotFramework/tests/pkcs11/tedge_connect/current.robot +++ b/tests/RobotFramework/tests/pkcs11/tedge_connect/current.robot @@ -37,18 +37,3 @@ Can connect to C8y using an RSA key Can connect to C8y supporting all TLS13 ECDSA signature algorithms Connects to C8y supporting all TLS13 ECDSA signature algorithms - -Can use PKCS11 key to renew the public certificate - Use PKCS11 key to renew the public certificate - -Can use tedge cert download c8y to download a certificate - Use tedge cert download c8y to download a certificate - -Can renew the certificate using different keypair - Renew the certificate using different keypair - -Can pass PIN in the request using pin-value - Pass PIN in the request using pin-value - -Can pass PIN in the request using device.key_pin - Pass PIN in the request using device.key_pin diff --git a/tests/RobotFramework/tests/pkcs11/tedge_connect/initial.robot b/tests/RobotFramework/tests/pkcs11/tedge_connect/initial.robot index 55e7a6af2d8..bfc5bc2bbe7 100644 --- a/tests/RobotFramework/tests/pkcs11/tedge_connect/initial.robot +++ b/tests/RobotFramework/tests/pkcs11/tedge_connect/initial.robot @@ -19,8 +19,8 @@ Test Tags adapter:docker theme:cryptoki *** Variables *** ${KEY_URI} ${EMPTY} -${TEDGE_P11_SERVER_VERSION} 1.6.0 -${PKCS11_USE_P11TOOL} ${True} +${TEDGE_P11_SERVER_VERSION} 1.5.1 +${PKCS11_USE_P11TOOL} ${True} *** Test Cases *** @@ -37,19 +37,5 @@ Can connect to C8y using an RSA key Connects to C8y using an RSA key Can connect to C8y supporting all TLS13 ECDSA signature algorithms + Install tedge-p11-server 1.6.0 Connects to C8y supporting all TLS13 ECDSA signature algorithms - -# Can use PKCS11 key to renew the public certificate -# Use PKCS11 key to renew the public certificate - -# Can use tedge cert download c8y to download a certificate -# Use tedge cert download c8y to download a certificate - -# Can renew the certificate using different keypair -# Renew the certificate using different keypair - -# Can pass PIN in the request using pin-value -# Pass PIN in the request using pin-value - -# Can pass PIN in the request using device.key_pin -# Pass PIN in the request using device.key_pin diff --git a/tests/RobotFramework/tests/pkcs11/tedge_connect/tedge_connect.resource b/tests/RobotFramework/tests/pkcs11/tedge_connect/tedge_connect.resource index 2264d52dad7..e5d6780e803 100644 --- a/tests/RobotFramework/tests/pkcs11/tedge_connect/tedge_connect.resource +++ b/tests/RobotFramework/tests/pkcs11/tedge_connect/tedge_connect.resource @@ -93,86 +93,6 @@ Connects to C8y supporting all TLS13 ECDSA signature algorithms # https://github.com/rustls/rcgen/issues/60 # Connect to C8y using new ECDSA keypair curve=p521 -Use PKCS11 key to renew the public certificate - [Documentation] Test that `tedge cert renew c8y` works with all supported keys. We do renew 2 times to see if we - ... can renew both a self-signed certificate and a certificate signed by C8y CA. - [Setup] Unset tedge-p11-server Uri - - Test tedge cert renew type=ecdsa curve=p256 - Test tedge cert renew type=ecdsa curve=p384 - - # renewal isn't supported for secp521r1 because rcgen doesn't support it - # https://github.com/rustls/rcgen/issues/60 - - Test tedge cert renew type=rsa bits=2048 - Test tedge cert renew type=rsa bits=3072 - Test tedge cert renew type=rsa bits=4096 - -Use tedge cert download c8y to download a certificate - [Documentation] Download a certificate using CSR generated with PKCS11 without a prior certificate. - # this new keypair doesn't have an associated certificate - Set up new PKCS11 ECDSA keypair - - ${credentials}= Cumulocity.Bulk Register Device With Cumulocity CA external_id=${DEVICE_SN} - Execute Command - ... cmd=tedge cert download c8y --device-id "${DEVICE_SN}" --one-time-password '${credentials.one_time_password}' --retry-every 5s --max-timeout 60s - - Tedge Reconnect Should Succeed - -Renew the certificate using different keypair - [Documentation] Starting with an initial trusted certificate, replace the keypair and renew the certificate. - Connect to C8y using new ECDSA keypair - Set up new PKCS11 ECDSA keypair - Execute Command tedge cert renew c8y - ${stdout}= Tedge Reconnect Should Succeed - Should Contain ${stdout} The new certificate is now the active certificate - -Pass PIN in the request using pin-value - [Documentation] Tests if the PIN can be changed for the request by assuming current one is correct and setting a - ... different one to see if we get an error about pin being incorrect. - - ${key_uri}= Execute Command tedge config get device.key_uri strip=True ignore_exit_code=True - # FIXME: this breaks if currently set URI already has query attributes, but currently that's not the case (other tests don't set it) - Execute Command cmd=tedge config set device.key_uri "pkcs11:token=tedge;object=tedge?pin-value=incorrect" - Tedge Reconnect Should Fail With The specified PIN is incorrect - - [Teardown] Execute Command tedge config set device.key_uri "${key_uri}" - -Pass PIN in the request using device.key_pin - Execute Command tedge config set device.key_pin incorrect - Tedge Reconnect Should Fail With The specified PIN is incorrect - - [Teardown] Execute Command tedge config unset device.key_pin - -Test tedge cert renew - [Arguments] ${type} ${bits}=${EMPTY} ${curve}=${EMPTY} - IF $type == "rsa" - Connect to C8y using new RSA keypair ${bits} - ELSE - Connect to C8y using new ECDSA keypair ${curve} - END - # We could alternatively use Cumulocity CA to start with a signed cert, but for testing certificate renewal, we want - # to test both renewing a self-signed cert and a cert issued by C8y CA. When we start with self-signed cert, after - # the first renewal we get a cert signed by CA, so we test all scenarios by just doing renew 2 times. - - Execute Command tedge cert renew c8y - ${stderr}= Execute Command - ... openssl req -text -noout -in /etc/tedge/device-certs/tedge.csr -verify - ... stdout=False - ... stderr=true - Should Contain ${stderr} Certificate request self-signature verify OK - - Tedge Reconnect Should Succeed - - Execute Command tedge cert renew c8y - ${stderr}= Execute Command - ... openssl req -text -noout -in /etc/tedge/device-certs/tedge.csr -verify - ... stdout=False - ... stderr=true - Should Contain ${stderr} Certificate request self-signature verify OK - - Tedge Reconnect Should Succeed - Custom Setup [Arguments] ${tedge_p11_server_version} ${DEVICE_SN}= Setup register=${False} From 658ea493aa4831fe6c598c772885b3c37ef77c9d Mon Sep 17 00:00:00 2001 From: Marcel Guzik Date: Tue, 9 Dec 2025 17:11:01 +0000 Subject: [PATCH 6/6] tools: ignore RF missing doc on resource file lint Signed-off-by: Marcel Guzik --- tests/RobotFramework/pyproject.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/RobotFramework/pyproject.toml b/tests/RobotFramework/pyproject.toml index b34d33e6d6d..9891b066b5e 100644 --- a/tests/RobotFramework/pyproject.toml +++ b/tests/RobotFramework/pyproject.toml @@ -6,6 +6,7 @@ ignore = [ "missing-doc-suite", "missing-doc-test-case", "missing-doc-keyword", + "missing-doc-resource-file", # Size "too-long-test-case",