[swtpm.git] / tests / test_tpm2_samples_swtpm_localca

#!/usr/bin/env bash

# For the license, see the LICENSE file in the root directory.
#set -x

TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..}
TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..}
TESTDIR=${abs_top_testdir:-$(dirname "$0")}

SWTPM_LOCALCA=${TOPBUILD}/samples/swtpm-localca

workdir=$(mktemp -d "/tmp/path with spaces.XXXXXX")

ek="80" # 2048 bit key must have highest bit set
for ((i = 1; i < 256; i++)); do
  ek="${ek}$(printf "%02x" $i)"
done

SIGNINGKEY=${workdir}/signingkey.pem
ISSUERCERT=${workdir}/issuercert.pem
CERTSERIAL=${workdir}/certserial

PATH=${TOPBUILD}/src/swtpm_cert:$PATH

trap "cleanup" SIGTERM EXIT

function cleanup()
{
	rm -rf "${workdir}"
}

case "$(uname -s)" in
Darwin)
	CERTTOOL=gnutls-certtool;;
*)
	CERTTOOL=certtool;;
esac

cat <<_EOF_ > "${workdir}/swtpm-localca.conf"
statedir=${workdir}
signingkey = ${SIGNINGKEY}
issuercert = ${ISSUERCERT}
certserial = ${CERTSERIAL}
signingkey_password = password
_EOF_

cat <<_EOF_ > "${workdir}/swtpm-localca.options"
--tpm-manufacturer IBM
--tpm-model swtpm-libtpms
--tpm-version 2
--platform-manufacturer Fedora
--platform-version 2.1
--platform-model QEMU
_EOF_

# the following contains the test parameters and
# expected key usage
for testparams in \
	"--allow-signing|Digital signature" \
	"--allow-signing --decryption|Digital signature,Key encipherment" \
	"--decryption|Key encipherment" \
	"|Key encipherment";
do
  params=$(echo ${testparams} | cut -d"|" -f1)
  usage=$(echo ${testparams} | cut -d"|" -f2)

  ${SWTPM_LOCALCA} \
    --type ek \
    --ek "${ek}" \
    --dir "${workdir}" \
    --vmid test \
    --tpm2 \
    --configfile "${workdir}/swtpm-localca.conf" \
    --optsfile "${workdir}/swtpm-localca.options" \
    --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
    ${params}
  if [ $? -ne 0 ]; then
    echo "Error: Test with parameters '$params' failed."
    exit 1
  fi

  # Signing key should always be password protected
  if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${SIGNINGKEY}")" ]; then
    echo "Error: Signing key is not password protected."
    exit 1
  fi

  # For the root CA's key we flip the password protection
  if [ -n "${SWTPM_ROOTCA_PASSWORD}" ] ;then
     if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then
       echo "Error: Root CA's private key is not password protected."
       exit 1
     fi
     unset SWTPM_ROOTCA_PASSWORD
  else
     if [ -n "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then
       echo "Error: Root CA's private key is password protected but should not be."
       exit 1
     fi
     export SWTPM_ROOTCA_PASSWORD=xyz
  fi

  if [ ! -r "${workdir}/ek.cert" ]; then
    echo "Error: ${workdir}/ek.cert was not created."
    exit 1
  fi

  OIFS="$IFS"
  IFS=","

  for u in $usage; do
    echo $u
    if [ -z "$(${CERTTOOL} -i \
                 --inder --infile "${workdir}/ek.cert" | \
                grep "Key Usage" -A2 | \
                grep "$u")" ]; then
      echo "Error: Could not find key usage $u in key created " \
           "with $params."
    else
      echo "Found '$u'"
    fi
  done

  IFS="$OIFS"

  ${CERTTOOL} \
    -i \
    --inder --infile "${workdir}/ek.cert" \
    --outfile "${workdir}/ek.pem"

  ${CERTTOOL} \
    --verify \
    --load-ca-certificate "${ISSUERCERT}" \
    --infile "${workdir}/ek.pem"
  if [ $? -ne 0 ]; then
    echo "Error: Could not verify certificate chain."
    exit 1
  fi

  # Delete all keys to have CA re-created
  rm -rf "${workdir}"/*.pem
done

echo "Test 1: OK"
echo

#A few tests with odd vm Ids
for vmid in \
	's p a c e|s p a c e' \
	'$(ls)>foo|$(ls)\>foo' \
	'`ls`&; #12|`ls`&\; #12' \
	'foo>&1<&2;$(ls)|foo\>&1\<&2\;$(ls)' \
	"'*|'*" \
	'"*|\"*' \
	':$$|:$$' \
	'${t}[]|${t}[]';
do
  in=$(echo "$vmid" | cut -d"|" -f1)
  exp=$(echo "$vmid" | cut -d"|" -f2)

  ${SWTPM_LOCALCA} \
    --type ek \
    --ek "${ek}" \
    --dir "${workdir}" \
    --vmid "$in" \
    --tpm2 \
    --configfile "${workdir}/swtpm-localca.conf" \
    --optsfile "${workdir}/swtpm-localca.options" \
    --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
    ${params} &>/dev/null
  if [ $? -ne 0 ]; then
    echo "Error: Test with parameters '$params' failed."
    exit 1
  fi

  if [ ! -r "${workdir}/ek.cert" ]; then
    echo "Error: ${workdir}/ek.cert was not created."
    exit 1
  fi

  ac=$(${CERTTOOL} -i --inder --infile "${workdir}/ek.cert" | \
       sed -n "s/.*Subject: CN=\(.*\)$/\1/p")
  if [ "$ac" != "$exp" ]; then
    echo "Error: unexpected subject string"
    echo "actual   : $ac"
    echo "expected : $exp"
  else
    echo "Pass: $ac"
  fi
done

echo "Test 2: OK"

exit 0
Commit	Line	Data
8f0f381f	1	#!/usr/bin/env bash
6a41f8e1 SB	2
	3	# For the license, see the LICENSE file in the root directory.
	4	#set -x
	5
611a1986 MAL	6	TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..}
611a1986 MAL	7	TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..}
313cf75c SB	8	TESTDIR=${abs_top_testdir:-$(dirname "$0")}
313cf75c SB	9
cc410ca9	10	SWTPM_LOCALCA=${TOPBUILD}/samples/swtpm-localca
6a41f8e1	11
77819bb2	12	workdir=$(mktemp -d "/tmp/path with spaces.XXXXXX")
6a41f8e1	13
63b19c22 SB	14	ek="80" # 2048 bit key must have highest bit set
63b19c22 SB	15	for ((i = 1; i < 256; i++)); do
6a41f8e1 SB	16	ek="${ek}$(printf "%02x" $i)"
	17	done
	18
	19	SIGNINGKEY=${workdir}/signingkey.pem
	20	ISSUERCERT=${workdir}/issuercert.pem
	21	CERTSERIAL=${workdir}/certserial
	22
611a1986	23	PATH=${TOPBUILD}/src/swtpm_cert:$PATH
6a41f8e1 SB	24
	25	trap "cleanup" SIGTERM EXIT
	26
	27	function cleanup()
	28	{
77819bb2	29	rm -rf "${workdir}"
6a41f8e1 SB	30	}
6a41f8e1 SB	31
8aff5f76 SB	32	case "$(uname -s)" in
	33	Darwin)
	34	CERTTOOL=gnutls-certtool;;
	35	*)
	36	CERTTOOL=certtool;;
	37	esac
	38
77819bb2	39	cat <<_EOF_ > "${workdir}/swtpm-localca.conf"
6a41f8e1 SB	40	statedir=${workdir}
	41	signingkey = ${SIGNINGKEY}
	42	issuercert = ${ISSUERCERT}
	43	certserial = ${CERTSERIAL}
a73e9cb8	44	signingkey_password = password
6a41f8e1 SB	45	_EOF_
6a41f8e1 SB	46
77819bb2	47	cat <<_EOF_ > "${workdir}/swtpm-localca.options"
6a41f8e1 SB	48	--tpm-manufacturer IBM
6a41f8e1 SB	49	--tpm-model swtpm-libtpms
28c46454	50	--tpm-version 2
6a41f8e1 SB	51	--platform-manufacturer Fedora
	52	--platform-version 2.1
	53	--platform-model QEMU
	54	_EOF_
	55
	56	# the following contains the test parameters and
	57	# expected key usage
	58	for testparams in \
	59	"--allow-signing\|Digital signature" \
	60	"--allow-signing --decryption\|Digital signature,Key encipherment" \
	61	"--decryption\|Key encipherment" \
	62	"\|Key encipherment";
	63	do
	64	params=$(echo ${testparams} \| cut -d"\|" -f1)
	65	usage=$(echo ${testparams} \| cut -d"\|" -f2)
	66
	67	${SWTPM_LOCALCA} \
	68	--type ek \
77819bb2 SB	69	--ek "${ek}" \
77819bb2 SB	70	--dir "${workdir}" \
6a41f8e1 SB	71	--vmid test \
6a41f8e1 SB	72	--tpm2 \
77819bb2 SB	73	--configfile "${workdir}/swtpm-localca.conf" \
77819bb2 SB	74	--optsfile "${workdir}/swtpm-localca.options" \
28c46454	75	--tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
6a41f8e1 SB	76	${params}
	77	if [ $? -ne 0 ]; then
	78	echo "Error: Test with parameters '$params' failed."
	79	exit 1
	80	fi
	81
a73e9cb8 SB	82	# Signing key should always be password protected
	83	if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${SIGNINGKEY}")" ]; then
	84	echo "Error: Signing key is not password protected."
	85	exit 1
	86	fi
	87
	88	# For the root CA's key we flip the password protection
	89	if [ -n "${SWTPM_ROOTCA_PASSWORD}" ] ;then
	90	if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then
	91	echo "Error: Root CA's private key is not password protected."
	92	exit 1
	93	fi
	94	unset SWTPM_ROOTCA_PASSWORD
	95	else
	96	if [ -n "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then
	97	echo "Error: Root CA's private key is password protected but should not be."
	98	exit 1
	99	fi
	100	export SWTPM_ROOTCA_PASSWORD=xyz
	101	fi
	102
77819bb2	103	if [ ! -r "${workdir}/ek.cert" ]; then
6a41f8e1 SB	104	echo "Error: ${workdir}/ek.cert was not created."
	105	exit 1
	106	fi
	107
	108	OIFS="$IFS"
	109	IFS=","
	110
	111	for u in $usage; do
	112	echo $u
8aff5f76	113	if [ -z "$(${CERTTOOL} -i \
77819bb2	114	--inder --infile "${workdir}/ek.cert" \| \
6a41f8e1 SB	115	grep "Key Usage" -A2 \| \
	116	grep "$u")" ]; then
	117	echo "Error: Could not find key usage $u in key created " \
	118	"with $params."
	119	else
	120	echo "Found '$u'"
	121	fi
	122	done
	123
	124	IFS="$OIFS"
	125
8aff5f76	126	${CERTTOOL} \
6a41f8e1	127	-i \
77819bb2 SB	128	--inder --infile "${workdir}/ek.cert" \
77819bb2 SB	129	--outfile "${workdir}/ek.pem"
6a41f8e1	130
8aff5f76	131	${CERTTOOL} \
6a41f8e1	132	--verify \
77819bb2 SB	133	--load-ca-certificate "${ISSUERCERT}" \
77819bb2 SB	134	--infile "${workdir}/ek.pem"
6a41f8e1 SB	135	if [ $? -ne 0 ]; then
	136	echo "Error: Could not verify certificate chain."
	137	exit 1
	138	fi
a73e9cb8 SB	139
	140	# Delete all keys to have CA re-created
	141	rm -rf "${workdir}"/*.pem
6a41f8e1 SB	142	done
6a41f8e1 SB	143
86b32851 SB	144	echo "Test 1: OK"
	145	echo
	146
	147	#A few tests with odd vm Ids
	148	for vmid in \
	149	's p a c e\|s p a c e' \
	150	'$(ls)>foo\|$(ls)\>foo' \
	151	'`ls`&; #12\|`ls`&\; #12' \
	152	'foo>&1<&2;$(ls)\|foo\>&1\<&2\;$(ls)' \
	153	"'\|'" \
	154	'"\|\"' \
	155	':$$\|:$$' \
	156	'${t}[]\|${t}[]';
	157	do
	158	in=$(echo "$vmid" \| cut -d"\|" -f1)
	159	exp=$(echo "$vmid" \| cut -d"\|" -f2)
	160
	161	${SWTPM_LOCALCA} \
	162	--type ek \
	163	--ek "${ek}" \
	164	--dir "${workdir}" \
	165	--vmid "$in" \
	166	--tpm2 \
	167	--configfile "${workdir}/swtpm-localca.conf" \
	168	--optsfile "${workdir}/swtpm-localca.options" \
	169	--tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
	170	${params} &>/dev/null
	171	if [ $? -ne 0 ]; then
	172	echo "Error: Test with parameters '$params' failed."
	173	exit 1
	174	fi
	175
	176	if [ ! -r "${workdir}/ek.cert" ]; then
	177	echo "Error: ${workdir}/ek.cert was not created."
	178	exit 1
	179	fi
	180
	181	ac=$(${CERTTOOL} -i --inder --infile "${workdir}/ek.cert" \| \
	182	sed -n "s/.Subject: CN=\(.\)$/\1/p")
	183	if [ "$ac" != "$exp" ]; then
	184	echo "Error: unexpected subject string"
	185	echo "actual : $ac"
	186	echo "expected : $exp"
	187	else
	188	echo "Pass: $ac"
	189	fi
	190	done
	191
	192	echo "Test 2: OK"
	193
6a41f8e1	194	exit 0