[swtpm.git] / tests / test_tpm2_samples_swtpm_localca

#!/bin/bash

# For the license, see the LICENSE file in the root directory.
#set -x

TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..}
TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..}
TESTDIR=${abs_top_testdir:-$(dirname "$0")}

SWTPM_LOCALCA=${TOPSRC}/samples/swtpm-localca

workdir=$(mktemp -d)

ek=""
for ((i = 0; i < 256; i++)); do
  ek="${ek}$(printf "%02x" $i)"
done

SIGNINGKEY=${workdir}/signingkey.pem
ISSUERCERT=${workdir}/issuercert.pem
CERTSERIAL=${workdir}/certserial

PATH=${TOPBUILD}/src/swtpm_cert:$PATH

trap "cleanup" SIGTERM EXIT

function cleanup()
{
	rm -rf ${workdir}
}

cat <<_EOF_ > ${workdir}/swtpm-localca.conf
statedir=${workdir}
signingkey = ${SIGNINGKEY}
issuercert = ${ISSUERCERT}
certserial = ${CERTSERIAL}
_EOF_

cat <<_EOF_ > ${workdir}/swtpm-localca.options
--tpm-manufacturer IBM
--tpm-model swtpm-libtpms
--tpm-version 2
--platform-manufacturer Fedora
--platform-version 2.1
--platform-model QEMU
_EOF_

# the following contains the test parameters and
# expected key usage
for testparams in \
	"--allow-signing|Digital signature" \
	"--allow-signing --decryption|Digital signature,Key encipherment" \
	"--decryption|Key encipherment" \
	"|Key encipherment";
do
  params=$(echo ${testparams} | cut -d"|" -f1)
  usage=$(echo ${testparams} | cut -d"|" -f2)

  ${SWTPM_LOCALCA} \
    --type ek \
    --ek ${ek} \
    --dir ${workdir} \
    --vmid test \
    --tpm2 \
    --configfile ${workdir}/swtpm-localca.conf \
    --optsfile ${workdir}/swtpm-localca.options \
    --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
    ${params}
  if [ $? -ne 0 ]; then
    echo "Error: Test with parameters '$params' failed."
    exit 1
  fi

  if [ ! -r ${workdir}/ek.cert ]; then
    echo "Error: ${workdir}/ek.cert was not created."
    exit 1
  fi

  OIFS="$IFS"
  IFS=","

  for u in $usage; do
    echo $u
    if [ -z "$(certtool -i \
                 --inder --infile ${workdir}/ek.cert | \
                grep "Key Usage" -A2 | \
                grep "$u")" ]; then
      echo "Error: Could not find key usage $u in key created " \
           "with $params."
    else
      echo "Found '$u'"
    fi
  done

  IFS="$OIFS"

  certtool \
    -i \
    --inder --infile ${workdir}/ek.cert \
    --outfile ${workdir}/ek.pem

  certtool \
    --verify \
    --load-ca-certificate ${ISSUERCERT} \
    --infile ${workdir}/ek.pem
  if [ $? -ne 0 ]; then
    echo "Error: Could not verify certificate chain."
    exit 1
  fi
done

exit 0
Commit	Line	Data
6a41f8e1 SB	1	#!/bin/bash
	2
	3	# For the license, see the LICENSE file in the root directory.
	4	#set -x
	5
611a1986 MAL	6	TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..}
611a1986 MAL	7	TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..}
313cf75c SB	8	TESTDIR=${abs_top_testdir:-$(dirname "$0")}
313cf75c SB	9
611a1986	10	SWTPM_LOCALCA=${TOPSRC}/samples/swtpm-localca
6a41f8e1 SB	11
	12	workdir=$(mktemp -d)
	13
	14	ek=""
	15	for ((i = 0; i < 256; i++)); do
	16	ek="${ek}$(printf "%02x" $i)"
	17	done
	18
	19	SIGNINGKEY=${workdir}/signingkey.pem
	20	ISSUERCERT=${workdir}/issuercert.pem
	21	CERTSERIAL=${workdir}/certserial
	22
611a1986	23	PATH=${TOPBUILD}/src/swtpm_cert:$PATH
6a41f8e1 SB	24
	25	trap "cleanup" SIGTERM EXIT
	26
	27	function cleanup()
	28	{
	29	rm -rf ${workdir}
	30	}
	31
	32	cat <<_EOF_ > ${workdir}/swtpm-localca.conf
	33	statedir=${workdir}
	34	signingkey = ${SIGNINGKEY}
	35	issuercert = ${ISSUERCERT}
	36	certserial = ${CERTSERIAL}
	37	_EOF_
	38
	39	cat <<_EOF_ > ${workdir}/swtpm-localca.options
	40	--tpm-manufacturer IBM
	41	--tpm-model swtpm-libtpms
28c46454	42	--tpm-version 2
6a41f8e1 SB	43	--platform-manufacturer Fedora
	44	--platform-version 2.1
	45	--platform-model QEMU
	46	_EOF_
	47
	48	# the following contains the test parameters and
	49	# expected key usage
	50	for testparams in \
	51	"--allow-signing\|Digital signature" \
	52	"--allow-signing --decryption\|Digital signature,Key encipherment" \
	53	"--decryption\|Key encipherment" \
	54	"\|Key encipherment";
	55	do
	56	params=$(echo ${testparams} \| cut -d"\|" -f1)
	57	usage=$(echo ${testparams} \| cut -d"\|" -f2)
	58
	59	${SWTPM_LOCALCA} \
	60	--type ek \
	61	--ek ${ek} \
	62	--dir ${workdir} \
	63	--vmid test \
	64	--tpm2 \
	65	--configfile ${workdir}/swtpm-localca.conf \
	66	--optsfile ${workdir}/swtpm-localca.options \
28c46454	67	--tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
6a41f8e1 SB	68	${params}
	69	if [ $? -ne 0 ]; then
	70	echo "Error: Test with parameters '$params' failed."
	71	exit 1
	72	fi
	73
	74	if [ ! -r ${workdir}/ek.cert ]; then
	75	echo "Error: ${workdir}/ek.cert was not created."
	76	exit 1
	77	fi
	78
	79	OIFS="$IFS"
	80	IFS=","
	81
	82	for u in $usage; do
	83	echo $u
	84	if [ -z "$(certtool -i \
	85	--inder --infile ${workdir}/ek.cert \| \
	86	grep "Key Usage" -A2 \| \
	87	grep "$u")" ]; then
	88	echo "Error: Could not find key usage $u in key created " \
	89	"with $params."
	90	else
	91	echo "Found '$u'"
	92	fi
	93	done
	94
	95	IFS="$OIFS"
	96
	97	certtool \
	98	-i \
	99	--inder --infile ${workdir}/ek.cert \
	100	--outfile ${workdir}/ek.pem
	101
	102	certtool \
	103	--verify \
	104	--load-ca-certificate ${ISSUERCERT} \
28c46454	105	--infile ${workdir}/ek.pem
6a41f8e1 SB	106	if [ $? -ne 0 ]; then
	107	echo "Error: Could not verify certificate chain."
	108	exit 1
	109	fi
	110	done
	111
	112	exit 0