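#!/bin/bash

# For the license, see the LICENSE file in the root directory.
#set -x

# Test for the sample swtpm-localca script: for several key-usage option
# combinations, have it issue a TPM 2 EK certificate into a private work
# directory, then check with certtool that
#   1. the certificate carries every expected Key Usage entry, and
#   2. the certificate verifies against the issuer certificate named in the
#      generated swtpm-localca.conf.
# Exit status: 0 if every combination passes, 1 on the first failure.

TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..}
TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..}
TESTDIR=${abs_top_testdir:-$(dirname "$0")}

SWTPM_LOCALCA=${TOPSRC}/samples/swtpm-localca

# The work directory will hold the CA signing key, so it must be a fresh
# private directory. Stop if mktemp fails: with an empty ${workdir} every
# path below would resolve relative to "/".
workdir=$(mktemp -d)
if [ -z "${workdir}" ] || [ ! -d "${workdir}" ]; then
	echo "Error: Could not create temporary directory."
	exit 1
fi

# Synthetic EK value: the 256 bytes 0x00..0xff as one 512-character hex
# string. It is test data only.
ek=""
for ((i = 0; i < 256; i++)); do
	ek="${ek}$(printf "%02x" "$i")"
done

SIGNINGKEY=${workdir}/signingkey.pem
ISSUERCERT=${workdir}/issuercert.pem
CERTSERIAL=${workdir}/certserial

# Put the build tree's swtpm_cert directory first on PATH
# (presumably so swtpm-localca runs the freshly built binary; confirm).
PATH=${TOPBUILD}/src/swtpm_cert:$PATH

trap "cleanup" SIGTERM EXIT

# Remove the work directory, including the generated signing key.
# ${workdir:?} makes the rm refuse to run if the variable is ever empty.
function cleanup()
{
	rm -rf -- "${workdir:?}"
}

# Configuration handed to swtpm-localca via --configfile: all key, issuer
# certificate and serial-number state is kept inside the work directory.
cat <<_EOF_ > "${workdir}/swtpm-localca.conf"
statedir=${workdir}
signingkey = ${SIGNINGKEY}
issuercert = ${ISSUERCERT}
certserial = ${CERTSERIAL}
_EOF_

# Extra options handed to swtpm-localca via --optsfile.
cat <<_EOF_ > "${workdir}/swtpm-localca.options"
--tpm-manufacturer IBM
--tpm-model swtpm-libtpms
--tpm-version 2
--platform-manufacturer Fedora
--platform-version 2.1
--platform-model QEMU
_EOF_

# the following contains the test parameters and
# expected key usage
# Format: "<extra swtpm-localca options>|<comma-separated expected usages>"
for testparams in \
	"--allow-signing|Digital signature" \
	"--allow-signing --decryption|Digital signature,Key encipherment" \
	"--decryption|Key encipherment" \
	"|Key encipherment";
do
	params=${testparams%%|*}
	usage=${testparams#*|}

	# params is a space-separated option list; split it into words on purpose.
	read -r -a param_args <<< "${params}"
	# usage is a comma-separated list; split it without changing the global IFS.
	IFS="," read -r -a usages <<< "${usage}"

	# Drop the previous iteration's output so the checks below look at the
	# certificate produced by this run, not a stale one.
	rm -f -- "${workdir}/ek.cert" "${workdir}/ek.pem"

	if ! "${SWTPM_LOCALCA}" \
		--type ek \
		--ek "${ek}" \
		--dir "${workdir}" \
		--vmid test \
		--tpm2 \
		--configfile "${workdir}/swtpm-localca.conf" \
		--optsfile "${workdir}/swtpm-localca.options" \
		--tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
		"${param_args[@]}"
	then
		echo "Error: Test with parameters '$params' failed."
		exit 1
	fi

	if [ ! -r "${workdir}/ek.cert" ]; then
		echo "Error: ${workdir}/ek.cert was not created."
		exit 1
	fi

	# Dump the DER certificate once and search the text for each usage.
	if ! certinfo=$(certtool -i --inder --infile "${workdir}/ek.cert"); then
		echo "Error: Could not parse ${workdir}/ek.cert."
		exit 1
	fi

	for u in "${usages[@]}"; do
		echo "$u"
		# -F: match the usage name literally, not as a regular expression.
		if [ -z "$(printf '%s\n' "${certinfo}" | \
				grep -A2 "Key Usage" | \
				grep -F -- "$u")" ]; then
			echo "Error: Could not find key usage $u in key created " \
				"with $params."
			# A certificate with the wrong key usage must fail the test;
			# reporting it and carrying on would let the regression pass.
			exit 1
		else
			echo "Found '$u'"
		fi
	done

	# Convert DER to PEM for the chain verification below.
	if ! certtool \
		-i \
		--inder --infile "${workdir}/ek.cert" \
		--outfile "${workdir}/ek.pem"
	then
		echo "Error: Could not convert ${workdir}/ek.cert to PEM."
		exit 1
	fi

	# The EK certificate must chain to the issuer certificate at the path
	# given as 'issuercert' in swtpm-localca.conf.
	if ! certtool \
		--verify \
		--load-ca-certificate "${ISSUERCERT}" \
		--infile "${workdir}/ek.pem"
	then
		echo "Error: Could not verify certificate chain."
		exit 1
	fi
done

exit 0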