run HSM tests in CI

Resolves #334

Author: nickysemenza

.github/workflows/go.yml

@@ -19,8 +19,22 @@ jobs:
           go-version: ${{ matrix.go }}
       - run: go install github.com/ory/go-acc@latest
       - run: go-acc -o coverage.txt ./... -- -race -tags integration
-      - name: Go Test
-        run: make test-trust
+      - run: make test-trust
+      - uses: codecov/codecov-action@v3
+  test-hsm:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: stable
+      - run: sudo apt-get update && sudo apt-get install -y softhsm2
+      - run: sudo cp -r tests/testdata/tokens/* /var/lib/softhsm/tokens
+      - run: go install github.com/ory/go-acc@latest
+      - run: go-acc -o coverage.txt ./... -- -race -tags pkcs11
+        env:
+          TEST_SOFT_HSM: true
       - uses: codecov/codecov-action@v3
   lint:
     runs-on: ubuntu-latest

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+  "go.buildTags": "pkcs11"
+}

Makefile

@@ -96,8 +96,8 @@ lint:
 
 .PHONY: test
 test:
-	GODEBUG=cgocheck=2 go test -tags pkcs11 -v -cover -race ./...
-	GODEBUG=cgocheck=2 go test -tags pkcs11 -v -cover -race ./tests -args -softhsm2
+	GODEBUG=cgocheck=2 go test -tags pkcs11 -v -coverprofile=coverage.txt -covermode=atomic -race ./...
+	GODEBUG=cgocheck=2 go test -tags pkcs11 -v -coverprofile=coverage.txt -covermode=atomic -race ./tests -args -softhsm2
 
 .PHONY: test-nohsm
 test-nohsm:

README.md

@@ -225,17 +225,15 @@ Each option can optionally be overridden via environment variables or command-li
 
 Unit tests and benchmarks have been implemented for various parts of Go Keyless via `go test`. Most of the tests run out of the box, but some setup is necessary to run the HSM-related tests:
 
-1. Follow https://wiki.opendnssec.org/display/SoftHSMDOCS/SoftHSM+Documentation+v2 to install SoftHSM2
+1. Follow https://wiki.opendnssec.org/display/SoftHSMDOCS/SoftHSM+Documentation+v2 to install SoftHSM2. On MacOS, the easiest is `brew isntall softhsm`
 1. Copy the test tokens to the location of your SoftHSM2 token directory (commonly `/var/lib/softhsm/tokens`, but may vary):
+```
+cp -r tests/testdata/tokens/* /opt/homebrew/var/lib/softhsm/tokens/
+```
+1. The tests currently assume the SoftHSM2 library will be installed at `/usr/lib/softhsm/libsofthsm2.so`. If your system differs, `SOFTHSM_MODULE_DIR` env var can override that. 
 
-        $ cp -r tests/testdata/tokens/* /path/to/token/directory/
-
-1. The tests currently assume the SoftHSM2 library will be installed at `/usr/local/lib/softhsm/libsofthsm2.so`. If your system differs, you must create a symlink (sudo may be required):
-
-        $ mkdir -p /usr/local/lib/softhsm
-        $ ln -s /path/to/libsofthsm2.so /usr/local/lib/softhsm/libsofthsm2.so
-
-Then simply run `make test` to execute the test suite.
+e.g. on MacOS with softhsm from brew:
+`SOFTHSM_MODULE_DIR=/opt/homebrew/opt/softhsm/lib/softhsm/libsofthsm2.so make test`
 
 Note that if you need to run the tests without first configuring SoftHSM2 for some reason, you can use the `test-nohsm` target.
 

internal/rfc7512/rfc7512.go

@@ -205,12 +205,12 @@ func LoadPKCS11Signer(pk11uri *PKCS11URI) (crypto.Signer, error) {
 
 	context, err := crypto11.Configure(config)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("pkcs11 FindKeyPair: %w", err)
 	}
 
 	signer, err := context.FindKeyPair(pk11uri.ID, pk11uri.Object)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("pkcs11 Configure: %w", err)
 	} else if signer == nil {
 		return nil, fmt.Errorf("not found")
 	}

internal/test/params/params.go

@@ -5,6 +5,7 @@ import (
 	"crypto"
 	"crypto/elliptic"
 	"crypto/rsa"
+	"os"
 
 	"github.com/cloudflare/gokeyless/protocol"
 )
@@ -51,13 +52,21 @@ var (
 	ECDSASHA512Params = ECDSASignParams{Opcode: protocol.OpECDSASignSHA512, Curve: elliptic.P521(), Opts: crypto.SHA512, PayloadSize: 64}
 )
 
-const (
+func getSoftHSMModulePath() string {
+	if override := os.Getenv("SOFTHSM_MODULE_DIR"); override != "" {
+		return override
+	}
+	return "/usr/lib/softhsm/libsofthsm2.so"
+
+}
+
+var (
 	// RSAURI and ECDSAURI are sample PKCS #11 URIs used for testing HSM
 	// Compatibility. Before running tests, copy the contents of the
 	// testdata/tokens/ directory to your SoftHSM2 token directory, usually
 	// located at /var/lib/softhsm/tokens/, and run `make test-softhsm`
-	RSAURI   = "pkcs11:token=SoftHSM2%20Token;id=%03?module-path=/usr/local/lib/softhsm/libsofthsm2.so&pin-value=1234"
-	ECDSAURI = "pkcs11:token=SoftHSM2%20Token;id=%02?module-path=/usr/local/lib/softhsm/libsofthsm2.so&pin-value=1234"
+	RSAURI   = "pkcs11:token=SoftHSM2%20Token;id=%03?module-path=" + getSoftHSMModulePath() + "&pin-value=1234"
+	ECDSAURI = "pkcs11:token=SoftHSM2%20Token;id=%02?module-path=" + getSoftHSMModulePath() + "&pin-value=1234"
 )
 
 // HSMSignParams represents a set of parameters to a HSM signing operation.

server/microbench_test.go

@@ -1,3 +1,4 @@
+//go:build pkcs11
 // +build pkcs11
 
 package server
@@ -24,6 +25,9 @@ var testSoftHSM bool
 
 func init() {
 	flag.BoolVar(&testSoftHSM, "softhsm2", false, "whether to test against SoftHSM2")
+	if os.Getenv("TEST_SOFT_HSM") == "true" {
+		testSoftHSM = true
+	}
 }
 
 func TestMain(m *testing.M) {
@@ -234,11 +238,13 @@ func BenchmarkSignRSAMD5SHA1Multi(b *testing.B) { benchSignRSA(b, params.RSAMD5S
 func BenchmarkSignRSAMD5SHA1NotPrecomputed(b *testing.B) {
 	benchSignRSA(b, params.RSAMD5SHA1Params, 2, false)
 }
-func BenchmarkSignRSASHA1(b *testing.B)               { benchSignRSA(b, params.RSASHA1Params, 2, true) }
-func BenchmarkSignRSASHA1Multi(b *testing.B)          { benchSignRSA(b, params.RSASHA1Params, 3, true) }
-func BenchmarkSignRSASHA1NotPrecomputed(b *testing.B) { benchSignRSA(b, params.RSASHA1Params, 2, false) }
-func BenchmarkSignRSASHA224(b *testing.B)             { benchSignRSA(b, params.RSASHA224Params, 2, true) }
-func BenchmarkSignRSASHA224Multi(b *testing.B)        { benchSignRSA(b, params.RSASHA224Params, 3, true) }
+func BenchmarkSignRSASHA1(b *testing.B)      { benchSignRSA(b, params.RSASHA1Params, 2, true) }
+func BenchmarkSignRSASHA1Multi(b *testing.B) { benchSignRSA(b, params.RSASHA1Params, 3, true) }
+func BenchmarkSignRSASHA1NotPrecomputed(b *testing.B) {
+	benchSignRSA(b, params.RSASHA1Params, 2, false)
+}
+func BenchmarkSignRSASHA224(b *testing.B)      { benchSignRSA(b, params.RSASHA224Params, 2, true) }
+func BenchmarkSignRSASHA224Multi(b *testing.B) { benchSignRSA(b, params.RSASHA224Params, 3, true) }
 func BenchmarkSignRSASHA224NotPrecomputed(b *testing.B) {
 	benchSignRSA(b, params.RSASHA224Params, 2, false)
 }
@@ -257,18 +263,24 @@ func BenchmarkSignRSASHA512Multi(b *testing.B) { benchSignRSA(b, params.RSASHA51
 func BenchmarkSignRSASHA512NotPrecomputed(b *testing.B) {
 	benchSignRSA(b, params.RSASHA512Params, 2, false)
 }
-func BenchmarkSignRSAPSSSHA256(b *testing.B)      { benchSignRSA(b, params.RSAPSSSHA256Params, 2, true) }
-func BenchmarkSignRSAPSSSHA256Multi(b *testing.B) { benchSignRSA(b, params.RSAPSSSHA256Params, 3, true) }
+func BenchmarkSignRSAPSSSHA256(b *testing.B) { benchSignRSA(b, params.RSAPSSSHA256Params, 2, true) }
+func BenchmarkSignRSAPSSSHA256Multi(b *testing.B) {
+	benchSignRSA(b, params.RSAPSSSHA256Params, 3, true)
+}
 func BenchmarkSignRSAPSSSHA256NotPrecomputed(b *testing.B) {
 	benchSignRSA(b, params.RSAPSSSHA256Params, 2, false)
 }
-func BenchmarkSignRSAPSSSHA384(b *testing.B)      { benchSignRSA(b, params.RSAPSSSHA384Params, 2, true) }
-func BenchmarkSignRSAPSSSHA384Multi(b *testing.B) { benchSignRSA(b, params.RSAPSSSHA384Params, 3, true) }
+func BenchmarkSignRSAPSSSHA384(b *testing.B) { benchSignRSA(b, params.RSAPSSSHA384Params, 2, true) }
+func BenchmarkSignRSAPSSSHA384Multi(b *testing.B) {
+	benchSignRSA(b, params.RSAPSSSHA384Params, 3, true)
+}
 func BenchmarkSignRSAPSSSHA384NotPrecomputed(b *testing.B) {
 	benchSignRSA(b, params.RSAPSSSHA384Params, 2, false)
 }
-func BenchmarkSignRSAPSSSHA512(b *testing.B)      { benchSignRSA(b, params.RSAPSSSHA512Params, 2, true) }
-func BenchmarkSignRSAPSSSHA512Multi(b *testing.B) { benchSignRSA(b, params.RSAPSSSHA512Params, 3, true) }
+func BenchmarkSignRSAPSSSHA512(b *testing.B) { benchSignRSA(b, params.RSAPSSSHA512Params, 2, true) }
+func BenchmarkSignRSAPSSSHA512Multi(b *testing.B) {
+	benchSignRSA(b, params.RSAPSSSHA512Params, 3, true)
+}
 func BenchmarkSignRSAPSSSHA512NotPrecomputed(b *testing.B) {
 	benchSignRSA(b, params.RSAPSSSHA512Params, 2, false)
 }
@@ -306,19 +318,33 @@ func BenchmarkSignParallelECDSASHA512(b *testing.B) {
 	benchSignParallelECDSA(b, params.ECDSASHA512Params)
 }
 
-func BenchmarkRandForSignRSAMD5SHA1(b *testing.B)   { benchRandForSignRSA(b, params.RSAMD5SHA1Params) }
-func BenchmarkRandForSignRSASHA1(b *testing.B)      { benchRandForSignRSA(b, params.RSASHA1Params) }
-func BenchmarkRandForSignRSASHA224(b *testing.B)    { benchRandForSignRSA(b, params.RSASHA224Params) }
-func BenchmarkRandForSignRSASHA256(b *testing.B)    { benchRandForSignRSA(b, params.RSASHA256Params) }
-func BenchmarkRandForSignRSASHA384(b *testing.B)    { benchRandForSignRSA(b, params.RSASHA384Params) }
-func BenchmarkRandForSignRSASHA512(b *testing.B)    { benchRandForSignRSA(b, params.RSASHA512Params) }
-func BenchmarkRandForSignRSAPSSSHA256(b *testing.B) { benchRandForSignRSA(b, params.RSAPSSSHA256Params) }
-func BenchmarkRandForSignRSAPSSSHA384(b *testing.B) { benchRandForSignRSA(b, params.RSAPSSSHA384Params) }
-func BenchmarkRandForSignRSAPSSSHA512(b *testing.B) { benchRandForSignRSA(b, params.RSAPSSSHA512Params) }
-func BenchmarkRandForSignECDSASHA224(b *testing.B)  { benchRandForSignECDSA(b, params.ECDSASHA224Params) }
-func BenchmarkRandForSignECDSASHA256(b *testing.B)  { benchRandForSignECDSA(b, params.ECDSASHA256Params) }
-func BenchmarkRandForSignECDSASHA384(b *testing.B)  { benchRandForSignECDSA(b, params.ECDSASHA384Params) }
-func BenchmarkRandForSignECDSASHA512(b *testing.B)  { benchRandForSignECDSA(b, params.ECDSASHA512Params) }
+func BenchmarkRandForSignRSAMD5SHA1(b *testing.B) { benchRandForSignRSA(b, params.RSAMD5SHA1Params) }
+func BenchmarkRandForSignRSASHA1(b *testing.B)    { benchRandForSignRSA(b, params.RSASHA1Params) }
+func BenchmarkRandForSignRSASHA224(b *testing.B)  { benchRandForSignRSA(b, params.RSASHA224Params) }
+func BenchmarkRandForSignRSASHA256(b *testing.B)  { benchRandForSignRSA(b, params.RSASHA256Params) }
+func BenchmarkRandForSignRSASHA384(b *testing.B)  { benchRandForSignRSA(b, params.RSASHA384Params) }
+func BenchmarkRandForSignRSASHA512(b *testing.B)  { benchRandForSignRSA(b, params.RSASHA512Params) }
+func BenchmarkRandForSignRSAPSSSHA256(b *testing.B) {
+	benchRandForSignRSA(b, params.RSAPSSSHA256Params)
+}
+func BenchmarkRandForSignRSAPSSSHA384(b *testing.B) {
+	benchRandForSignRSA(b, params.RSAPSSSHA384Params)
+}
+func BenchmarkRandForSignRSAPSSSHA512(b *testing.B) {
+	benchRandForSignRSA(b, params.RSAPSSSHA512Params)
+}
+func BenchmarkRandForSignECDSASHA224(b *testing.B) {
+	benchRandForSignECDSA(b, params.ECDSASHA224Params)
+}
+func BenchmarkRandForSignECDSASHA256(b *testing.B) {
+	benchRandForSignECDSA(b, params.ECDSASHA256Params)
+}
+func BenchmarkRandForSignECDSASHA384(b *testing.B) {
+	benchRandForSignECDSA(b, params.ECDSASHA384Params)
+}
+func BenchmarkRandForSignECDSASHA512(b *testing.B) {
+	benchRandForSignECDSA(b, params.ECDSASHA512Params)
+}
 
 func BenchmarkRandParallelForSignRSAMD5SHA1(b *testing.B) {
 	benchRandParallelForSignRSA(b, params.RSAMD5SHA1Params)

server/pkcs11.go

@@ -17,12 +17,12 @@ func DefaultLoadURI(uri string) (crypto.Signer, error) {
 	// as waiting for network to be up.
 	pk11uri, err := rfc7512.ParsePKCS11URI(uri)
 	if err != nil {
-		return nil, fmt.Errorf("failed to parse pkcs11: %w", err)
+		return nil, fmt.Errorf("failed to parse pkcs11 from %s: %w", uri, err)
 	}
 
 	signer, err := rfc7512.LoadPKCS11Signer(pk11uri)
 	if err != nil {
-		return nil, fmt.Errorf("failed to load pkcs11: %w", err)
+		return nil, fmt.Errorf("failed to load pkcs11 from %s: %w", uri, err)
 	}
 	return signer, nil
 }