sssd/0053-tests-add-PKCS-11-URI-tests.patch

From 4a22fb6bba6662ad628f6e17203e8ccf20eb9666 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 9 Oct 2018 10:46:43 +0200
Subject: [PATCH 68/83] tests: add PKCS#11 URI tests

Related to https://pagure.io/SSSD/sssd/issue/3814

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/tests/cmocka/test_pam_srv.c | 120 ++++++++++++++++++++++++++++++++++++++++
 src/tests/test_CA/Makefile.am   |  16 +++++-
 2 files changed, 135 insertions(+), 1 deletion(-)

diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index 2b02ac2..7fc9224 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -65,6 +65,7 @@
 #endif
 
 #define TEST_TOKEN_NAME "SSSD Test Token"
+#define TEST_TOKEN2_NAME "SSSD Test Token Number 2"
 #define TEST_KEY_ID "C554C9F82C2A9D58B70921C143304153A8A42F17"
 #ifdef HAVE_NSS
 #define TEST_MODULE_NAME "NSS-Internal"
@@ -961,6 +962,54 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,
     return EOK;
 }
 
+static int test_pam_cert2_token2_check_ex(uint32_t status, uint8_t *body,
+                                          size_t blen, enum response_type type,
+                                          const char *name)
+{
+    size_t rp = 0;
+    uint32_t val;
+    size_t check2_len = 0;
+    char const *check2_strings[] = { NULL,
+                                     TEST_TOKEN2_NAME,
+                                     TEST_MODULE_NAME,
+                                     TEST2_KEY_ID,
+                                     TEST2_PROMPT,
+                                     NULL };
+
+    assert_int_equal(status, 0);
+
+    check2_strings[0] = name;
+    check2_len = check_string_array_len(check2_strings);
+
+    SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+    assert_int_equal(val, pam_test_ctx->exp_pam_status);
+
+    SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+    assert_int_equal(val, 2);
+
+    SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+    assert_int_equal(val, SSS_PAM_DOMAIN_NAME);
+
+    SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+    assert_int_equal(val, 9);
+
+    assert_int_equal(*(body + rp + val - 1), 0);
+    assert_string_equal(body + rp, TEST_DOM_NAME);
+    rp += val;
+
+    SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+    assert_int_equal(val, type);
+
+    SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+    assert_int_equal(val, check2_len);
+
+    check_string_array(check2_strings, body, &rp);
+
+    assert_int_equal(rp, blen);
+
+    return EOK;
+}
+
 static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
 {
     return test_pam_cert_check_ex(status, body, blen,
@@ -968,6 +1017,12 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
                                   NULL);
 }
 
+static int test_pam_cert2_check(uint32_t status, uint8_t *body, size_t blen)
+{
+    return test_pam_cert2_token2_check_ex(status, body, blen, SSS_PAM_CERT_INFO,
+                                          "pamuser@"TEST_DOM_NAME);
+}
+
 static int test_pam_cert_check_auth_success(uint32_t status, uint8_t *body,
                                             size_t blen)
 {
@@ -2476,6 +2531,65 @@ void test_pam_cert_auth_2certs_one_mapping(void **state)
     assert_int_equal(ret, EOK);
 }
 
+void test_pam_cert_preauth_uri_token1(void **state)
+{
+    int ret;
+
+    struct sss_test_conf_param pam_params[] = {
+        { CONFDB_PAM_P11_URI, "pkcs11:token=SSSD%20Test%20Token" },
+        { NULL, NULL },             /* Sentinel */
+    };
+
+    ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+    assert_int_equal(ret, EOK);
+    set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+    putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf"));
+
+    mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
+                        test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
+
+    will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+    will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+    set_cmd_cb(test_pam_cert_check);
+    ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+                          pam_test_ctx->pam_cmds);
+    assert_int_equal(ret, EOK);
+
+    /* Wait until the test finishes with EOK */
+    ret = test_ev_loop(pam_test_ctx->tctx);
+    assert_int_equal(ret, EOK);
+}
+
+void test_pam_cert_preauth_uri_token2(void **state)
+{
+    int ret;
+
+    struct sss_test_conf_param pam_params[] = {
+        { CONFDB_PAM_P11_URI, "pkcs11:token=SSSD%20Test%20Token%20Number%202" },
+        { NULL, NULL },             /* Sentinel */
+    };
+
+    ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+    assert_int_equal(ret, EOK);
+    set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+    putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf"));
+
+    mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
+                        test_lookup_by_cert_cb, SSSD_TEST_CERT_0002, false);
+
+    will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+    will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+    set_cmd_cb(test_pam_cert2_check);
+    ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+                          pam_test_ctx->pam_cmds);
+    assert_int_equal(ret, EOK);
+
+    /* Wait until the test finishes with EOK */
+    ret = test_ev_loop(pam_test_ctx->tctx);
+    assert_int_equal(ret, EOK);
+}
 
 void test_filter_response(void **state)
 {
@@ -2915,6 +3029,12 @@ int main(int argc, const char *argv[])
                                         pam_test_setup, pam_test_teardown),
         cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id,
                                         pam_test_setup, pam_test_teardown),
+#ifndef HAVE_NSS
+        cmocka_unit_test_setup_teardown(test_pam_cert_preauth_uri_token1,
+                                        pam_test_setup, pam_test_teardown),
+        cmocka_unit_test_setup_teardown(test_pam_cert_preauth_uri_token2,
+                                        pam_test_setup, pam_test_teardown),
+#endif /* ! HAVE_NSS */
 #endif /* HAVE_TEST_CA */
 
         cmocka_unit_test_setup_teardown(test_filter_response,
diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am
index 1bce2c3..b574c76 100644
--- a/src/tests/test_CA/Makefile.am
+++ b/src/tests/test_CA/Makefile.am
@@ -24,7 +24,7 @@ pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids)))
 if HAVE_NSS
 extra = p11_nssdb p11_nssdb_2certs
 else
-extra = softhsm2_none softhsm2_one softhsm2_two
+extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens
 endif
 
 # If openssl is run in parallel there might be conflicts with the serial
@@ -114,6 +114,20 @@ softhsm2_two.conf:
 	@echo "objectstore.backend = file" >> $@
 	@echo "slots.removable = true" >> $@
 
+softhsm2_2tokens: softhsm2_2tokens.conf
+	mkdir $@
+	SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token  --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free
+	GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0001.pem --login  --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' pkcs11:token=SSSD%20Test%20Token
+	GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0001.pem --login  --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' pkcs11:token=SSSD%20Test%20Token
+	SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token  --label "SSSD Test Token Number 2" --pin 654321 --so-pin 654321 --free
+	GNUTLS_PIN=654321 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0002.pem --login  --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' pkcs11:token=SSSD%20Test%20Token%20Number%202
+	GNUTLS_PIN=654321 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0002.pem --login  --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' pkcs11:token=SSSD%20Test%20Token%20Number%202
+
+softhsm2_2tokens.conf:
+	@echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_2tokens" > $@
+	@echo "objectstore.backend = file" >> $@
+	@echo "slots.removable = true" >> $@
+
 CLEANFILES = \
     index.txt  index.txt.attr \
     index.txt.attr.old  index.txt.old \
-- 
2.9.5
Backport a bunch of upstream fixes - Resolves: upstream#3821 - crash related to sbus_router_destructor() - Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref - Resolves: upstream#3819 - sssd only sets the SELinux login context if it differs from the default - Resolves: upstream#3807 - The sbus codegen script relies on "python" which might not be available on all distributions - Resolves: upstream#3820 - sudo: search with lower cased name for case insensitive domains - Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login. - Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort startup - Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11 also for local account authentication - Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup - Resolves: upstream#3826 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated - Resolves: upstream#3827 - SSSD should log to syslog if a domain is not started due to a misconfiguration - Resolves: upstream#3830 - Printing incorrect information about domain with sssctl utility - Resolves: upstream#3489 - p11_child should work wit openssl1.0+ - Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary changes in nsswitch.conf - Resovles: upstream#3650 - RFE: Require smartcard authentication - Resolves: upstream#3334 - sssctl config-check does not check any special characters in domain name of domain section - Resolves: upstream#3849 - Files: The files provider always enumerates which causes duplicate when running getent passwd - Related: upstream#3855 - session not recording for local user when groups defined - Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb - Related: upstream#3493 - Remove the pysss.local interface 2018-10-24 08:34:15 +00:00			`From 4a22fb6bba6662ad628f6e17203e8ccf20eb9666 Mon Sep 17 00:00:00 2001`
			`From: Sumit Bose <sbose@redhat.com>`
			`Date: Tue, 9 Oct 2018 10:46:43 +0200`
			`Subject: [PATCH 68/83] tests: add PKCS#11 URI tests`

			`Related to https://pagure.io/SSSD/sssd/issue/3814`

			`Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>`
			`---`
			`src/tests/cmocka/test_pam_srv.c \| 120 ++++++++++++++++++++++++++++++++++++++++`
			`src/tests/test_CA/Makefile.am \| 16 +++++-`
			`2 files changed, 135 insertions(+), 1 deletion(-)`

			`diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c`
			`index 2b02ac2..7fc9224 100644`
			`--- a/src/tests/cmocka/test_pam_srv.c`
			`+++ b/src/tests/cmocka/test_pam_srv.c`
			`@@ -65,6 +65,7 @@`
			`#endif`

			`#define TEST_TOKEN_NAME "SSSD Test Token"`
			`+#define TEST_TOKEN2_NAME "SSSD Test Token Number 2"`
			`#define TEST_KEY_ID "C554C9F82C2A9D58B70921C143304153A8A42F17"`
			`#ifdef HAVE_NSS`
			`#define TEST_MODULE_NAME "NSS-Internal"`
			`@@ -961,6 +962,54 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,`
			`return EOK;`
			`}`

			`+static int test_pam_cert2_token2_check_ex(uint32_t status, uint8_t *body,`
			`+ size_t blen, enum response_type type,`
			`+ const char *name)`
			`+{`
			`+ size_t rp = 0;`
			`+ uint32_t val;`
			`+ size_t check2_len = 0;`
			`+ char const *check2_strings[] = { NULL,`
			`+ TEST_TOKEN2_NAME,`
			`+ TEST_MODULE_NAME,`
			`+ TEST2_KEY_ID,`
			`+ TEST2_PROMPT,`
			`+ NULL };`
			`+`
			`+ assert_int_equal(status, 0);`
			`+`
			`+ check2_strings[0] = name;`
			`+ check2_len = check_string_array_len(check2_strings);`
			`+`
			`+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);`
			`+ assert_int_equal(val, pam_test_ctx->exp_pam_status);`
			`+`
			`+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);`
			`+ assert_int_equal(val, 2);`
			`+`
			`+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);`
			`+ assert_int_equal(val, SSS_PAM_DOMAIN_NAME);`
			`+`
			`+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);`
			`+ assert_int_equal(val, 9);`
			`+`
			`+ assert_int_equal(*(body + rp + val - 1), 0);`
			`+ assert_string_equal(body + rp, TEST_DOM_NAME);`
			`+ rp += val;`
			`+`
			`+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);`
			`+ assert_int_equal(val, type);`
			`+`
			`+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);`
			`+ assert_int_equal(val, check2_len);`
			`+`
			`+ check_string_array(check2_strings, body, &rp);`
			`+`
			`+ assert_int_equal(rp, blen);`
			`+`
			`+ return EOK;`
			`+}`
			`+`
			`static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)`
			`{`
			`return test_pam_cert_check_ex(status, body, blen,`
			`@@ -968,6 +1017,12 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)`
			`NULL);`
			`}`

			`+static int test_pam_cert2_check(uint32_t status, uint8_t *body, size_t blen)`
			`+{`
			`+ return test_pam_cert2_token2_check_ex(status, body, blen, SSS_PAM_CERT_INFO,`
			`+ "pamuser@"TEST_DOM_NAME);`
			`+}`
			`+`
			`static int test_pam_cert_check_auth_success(uint32_t status, uint8_t *body,`
			`size_t blen)`
			`{`
			`@@ -2476,6 +2531,65 @@ void test_pam_cert_auth_2certs_one_mapping(void **state)`
			`assert_int_equal(ret, EOK);`
			`}`

			`+void test_pam_cert_preauth_uri_token1(void **state)`
			`+{`
			`+ int ret;`
			`+`
			`+ struct sss_test_conf_param pam_params[] = {`
			`+ { CONFDB_PAM_P11_URI, "pkcs11:token=SSSD%20Test%20Token" },`
			`+ { NULL, NULL }, /* Sentinel */`
			`+ };`
			`+`
			`+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);`
			`+ assert_int_equal(ret, EOK);`
			`+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);`
			`+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf"));`
			`+`
			`+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,`
			`+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);`
			`+`
			`+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);`
			`+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);`
			`+`
			`+ set_cmd_cb(test_pam_cert_check);`
			`+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,`
			`+ pam_test_ctx->pam_cmds);`
			`+ assert_int_equal(ret, EOK);`
			`+`
			`+ /* Wait until the test finishes with EOK */`
			`+ ret = test_ev_loop(pam_test_ctx->tctx);`
			`+ assert_int_equal(ret, EOK);`
			`+}`
			`+`
			`+void test_pam_cert_preauth_uri_token2(void **state)`
			`+{`
			`+ int ret;`
			`+`
			`+ struct sss_test_conf_param pam_params[] = {`
			`+ { CONFDB_PAM_P11_URI, "pkcs11:token=SSSD%20Test%20Token%20Number%202" },`
			`+ { NULL, NULL }, /* Sentinel */`
			`+ };`
			`+`
			`+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);`
			`+ assert_int_equal(ret, EOK);`
			`+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);`
			`+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf"));`
			`+`
			`+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,`
			`+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0002, false);`
			`+`
			`+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);`
			`+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);`
			`+`
			`+ set_cmd_cb(test_pam_cert2_check);`
			`+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,`
			`+ pam_test_ctx->pam_cmds);`
			`+ assert_int_equal(ret, EOK);`
			`+`
			`+ /* Wait until the test finishes with EOK */`
			`+ ret = test_ev_loop(pam_test_ctx->tctx);`
			`+ assert_int_equal(ret, EOK);`
			`+}`

			`void test_filter_response(void **state)`
			`{`
			`@@ -2915,6 +3029,12 @@ int main(int argc, const char *argv[])`
			`pam_test_setup, pam_test_teardown),`
			`cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id,`
			`pam_test_setup, pam_test_teardown),`
			`+#ifndef HAVE_NSS`
			`+ cmocka_unit_test_setup_teardown(test_pam_cert_preauth_uri_token1,`
			`+ pam_test_setup, pam_test_teardown),`
			`+ cmocka_unit_test_setup_teardown(test_pam_cert_preauth_uri_token2,`
			`+ pam_test_setup, pam_test_teardown),`
			`+#endif /* ! HAVE_NSS */`
			`#endif /* HAVE_TEST_CA */`

			`cmocka_unit_test_setup_teardown(test_filter_response,`
			`diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am`
			`index 1bce2c3..b574c76 100644`
			`--- a/src/tests/test_CA/Makefile.am`
			`+++ b/src/tests/test_CA/Makefile.am`
			`@@ -24,7 +24,7 @@ pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids)))`
			`if HAVE_NSS`
			`extra = p11_nssdb p11_nssdb_2certs`
			`else`
			`-extra = softhsm2_none softhsm2_one softhsm2_two`
			`+extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens`
			`endif`

			`# If openssl is run in parallel there might be conflicts with the serial`
			`@@ -114,6 +114,20 @@ softhsm2_two.conf:`
			`@echo "objectstore.backend = file" >> $@`
			`@echo "slots.removable = true" >> $@`

			`+softhsm2_2tokens: softhsm2_2tokens.conf`
			`+ mkdir $@`
			`+ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free`
			`+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' pkcs11:token=SSSD%20Test%20Token`
			`+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' pkcs11:token=SSSD%20Test%20Token`
			`+ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token Number 2" --pin 654321 --so-pin 654321 --free`
			`+ GNUTLS_PIN=654321 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0002.pem --login --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' pkcs11:token=SSSD%20Test%20Token%20Number%202`
			`+ GNUTLS_PIN=654321 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0002.pem --login --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' pkcs11:token=SSSD%20Test%20Token%20Number%202`
			`+`
			`+softhsm2_2tokens.conf:`
			`+ @echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_2tokens" > $@`
			`+ @echo "objectstore.backend = file" >> $@`
			`+ @echo "slots.removable = true" >> $@`
			`+`
			`CLEANFILES = \`
			`index.txt index.txt.attr \`
			`index.txt.attr.old index.txt.old \`
			`--`
			`2.9.5`