sssd_test_framework.utils.smartcard

Classes

SmartCardUtils(*args, **kwargs)

Utility class for managing smart card operations using SoftHSM and PKCS#11.
class sssd_test_framework.utils.smartcard.SmartCardUtils(*args, **kwargs)

Bases: MultihostUtility[MultihostHost]

Utility class for managing smart card operations using SoftHSM and PKCS#11.

Parameters:

  • host (MultihostHost) – Multihost object.

  • fs (LinuxFileSystem) – Filesystem utility object.

  • svc (SystemdServices) – Systemd svc utility object.

SOFTHSM2_CONF_PATH = '/opt/test_ca/softhsm2.conf'
TOKEN_STORAGE_PATH = '/opt/test_ca/tokens'
OPENSC_CACHE_PATHS = ['$HOME/.cache/opensc/', '/run/sssd/.cache/opensc/']
cli: CLIBuilder

CLI builder utility for command construction.

fs: LinuxFileSystem

Filesystem utility used to handle file operations.

svc: SystemdServices

Systemd utility to manage and interact with svc.

initialize_card(label: str = 'sc_test', so_pin: str = '12345678', user_pin: str = '123456', reset: bool = True) None

Initialize a SoftHSM token with the given label and PINs.

When reset is True (default), existing token storage and OpenSC caches are removed first. Pass False to add a token alongside existing ones (multi-token / multi-card setup).

Parameters:

  • label (str, optional) – Token label, defaults to “sc_test”

  • so_pin (str, optional) – Security Officer PIN, defaults to “12345678”

  • user_pin (str, optional) – User PIN, defaults to “123456”

  • reset (bool, optional) – Remove existing tokens before initializing, defaults to True

add_cert(cert_path: str, cert_id: str = '01', pin: str = '123456', private: bool | None = False, token_label: str | None = None, label: str | None = None) None

Adds a certificate or private key to the smart card.

Parameters:

  • cert_path (str) – Path to the certificate or key file.

  • cert_id (str, optional) – Object ID, defaults to “01”

  • pin (str, optional) – User PIN, defaults to “123456”

  • private (bool, optional) – Whether the object is a private key. Defaults to False.

  • token_label (str | None, optional) – Label of the target token. When None (the default) pkcs11-tool writes to the first available token. Set this when multiple tokens exist to target a specific one.

  • label (str | None, optional) – Label for the PKCS#11 object being written. Required when p11_child accesses the token directly (i.e. without virt_cacard), because the response parser expects a non-empty label.

add_key(key_path: str, key_id: str = '01', pin: str = '123456', token_label: str | None = None, label: str | None = None) None

Adds a private key to the smart card.

Parameters:

  • key_path (str) – Path to the private key.

  • key_id (str, optional) – Key ID, defaults to “01”

  • pin (str, optional) – User PIN, defaults to “123456”

  • token_label (str | None, optional) – Label of the target token (see add_cert()).

  • label (str | None, optional) – Label for the PKCS#11 object (see add_cert()).

generate_cert(key_path: str = '/tmp/selfsigned.key', cert_path: str = '/tmp/selfsigned.crt', subj: str = '/CN=Test Cert', key_type: str = 'RSA') tuple[str, str]

Generates a self-signed certificate and private key.

Parameters:

  • key_path (str, optional) – Output path for the private key, defaults to “/tmp/selfsigned.key”

  • cert_path (str, optional) – Output path for the certificate, defaults to “/tmp/selfsigned.crt”

  • subj (str, optional) – Subject for the certificate, defaults to “/CN=Test Cert”

  • key_type (str, optional) – key type (RSA or EC) of the public-private key pair, defaults to “RSA”

Returns:

Tuple of (key_path, cert_path)

Return type:

tuple

insert_card() None

Simulates card insertion by starting the smart card service.

remove_card() None

Simulates card removal by stopping the smart card service.

setup_local_card(client: Client, username: str) None

Setup local system for smart card authentication.

Example usage
@pytest.mark.topology(KnownTopology.Client)
def test_example(client: Client):
    client.smartcard.setup_local_card(client, 'localuser1')

    result = client.host.conn.run("su - localuser1 -c 'su - localuser1 -c whoami'", input="123456")
    assert "PIN" in result.stderr
    assert "localuser1" in result.stdout
enroll_to_token(client: Client, ipa: IPA, username: str, *, token_label: str = 'sc_test', cert_id: str = '01', pin: str = '123456', init: bool = False) None

Request an IPA-signed certificate for username and store it on token_label.

When init is True, the token is first initialized via initialize_card() (resetting any existing token storage). Pass False when the card has already been initialized or when adding a second certificate to an existing token.

Parameters:

  • client (Client) – Client role object.

  • ipa (IPA) – IPA role object whose CA issues the certificate.

  • username (str) – IPA principal to issue the certificate for.

  • token_label (str, optional) – SoftHSM token label to write the objects to, defaults to “sc_test”.

  • cert_id (str, optional) – PKCS#11 object ID, defaults to “01”.

  • pin (str, optional) – User PIN for the token, defaults to “123456”.

  • init (bool, optional) – Initialize (and reset) the token before enrolling, defaults to False.