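#!/usr/bin/env bash

# For the license, see the LICENSE file in the root directory.
#set -x

# Test for the swtpm-localca sample script.
#
# Test 1 creates TPM 2 EK certificates with different key-usage options and
#        checks that the signing key is stored encrypted, that the root CA key
#        is encrypted exactly when SWTPM_ROOTCA_PASSWORD is set, that the
#        expected key usages appear in the certificate, and that the
#        certificate verifies against the issuer certificate.
# Test 2 passes VM ids containing shell metacharacters and checks that the
#        certificate's Subject CN matches the expected string for each.
#
# Environment (all optional): abs_top_builddir, abs_top_srcdir,
# abs_top_testdir, SWTPM_ROOTCA_PASSWORD.
# Every failed check prints an "Error: ..." line and exits with status 1.

TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..}
TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..}
TESTDIR=${abs_top_testdir:-$(dirname "$0")}

SWTPM_LOCALCA=${TOPBUILD}/samples/swtpm-localca

# The directory name contains spaces on purpose so that path quoting in the
# tools under test is exercised as well.
workdir=$(mktemp -d "/tmp/path with spaces.XXXXXX")
if [ -z "${workdir}" ] || [ ! -d "${workdir}" ]; then
  # Without this check an empty workdir would turn the paths below into
  # "/swtpm-localca.conf" and the key cleanup glob into "/*.pem".
  echo "Error: Could not create temporary work directory."
  exit 1
fi

# Remove the work directory and everything created inside it.
function cleanup()
{
  rm -rf -- "${workdir}"
}

trap "cleanup" SIGTERM EXIT

# Dummy EK as a hex string: 0x80 followed by the bytes 0x01..0xff.
ek="80" # 2048 bit key must have highest bit set
for ((i = 1; i < 256; i++)); do
  printf -v ek_byte '%02x' "$i"
  ek+=${ek_byte}
done

SIGNINGKEY=${workdir}/signingkey.pem
ISSUERCERT=${workdir}/issuercert.pem
CERTSERIAL=${workdir}/certserial

PATH=${TOPBUILD}/src/swtpm_cert:$PATH

# The GnuTLS certtool is looked up under a different name on Darwin.
case "$(uname -s)" in
Darwin)
  CERTTOOL=gnutls-certtool;;
*)
  CERTTOOL=certtool;;
esac

# The passwords used in this script are fixed test fixtures; the keys they
# protect only ever exist inside the temporary work directory.
cat <<_EOF_ > "${workdir}/swtpm-localca.conf"
statedir=${workdir}
signingkey = ${SIGNINGKEY}
issuercert = ${ISSUERCERT}
certserial = ${CERTSERIAL}
signingkey_password = password
_EOF_

cat <<_EOF_ > "${workdir}/swtpm-localca.options"
--tpm-manufacturer IBM
--tpm-model swtpm-libtpms
--tpm-version 2
--platform-manufacturer Fedora
--platform-version 2.1
--platform-model QEMU
_EOF_

# the following contains the test parameters and
# expected key usage
for testparams in \
  "--allow-signing|Digital signature" \
  "--allow-signing --decryption|Digital signature,Key encipherment" \
  "--decryption|Key encipherment" \
  "|Key encipherment";
do
  # Each entry is "<extra swtpm-localca options>|<comma-separated usages>".
  params=${testparams%%"|"*}
  usage=${testparams#*"|"}
  # Split the options into separate words; an empty entry adds no argument.
  read -r -a param_args <<<"${params}"

  if ! "${SWTPM_LOCALCA}" \
      --type ek \
      --ek "${ek}" \
      --dir "${workdir}" \
      --vmid test \
      --tpm2 \
      --configfile "${workdir}/swtpm-localca.conf" \
      --optsfile "${workdir}/swtpm-localca.options" \
      --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
      "${param_args[@]}"; then
    echo "Error: Test with parameters '$params' failed."
    exit 1
  fi

  # Signing key should always be password protected
  if ! grep -q "ENCRYPTED PRIVATE KEY" "${SIGNINGKEY}"; then
    echo "Error: Signing key is not password protected."
    exit 1
  fi

  # For the root CA's key we flip the password protection
  rootca_key="${workdir}/swtpm-localca-rootca-privkey.pem"
  if [ -n "${SWTPM_ROOTCA_PASSWORD}" ]; then
    if ! grep -q "ENCRYPTED PRIVATE KEY" "${rootca_key}"; then
      echo "Error: Root CA's private key is not password protected."
      exit 1
    fi
    unset SWTPM_ROOTCA_PASSWORD
  else
    if grep -q "ENCRYPTED PRIVATE KEY" "${rootca_key}"; then
      echo "Error: Root CA's private key is password protected but should not be."
      exit 1
    fi
    export SWTPM_ROOTCA_PASSWORD=xyz
  fi

  if [ ! -r "${workdir}/ek.cert" ]; then
    echo "Error: ${workdir}/ek.cert was not created."
    exit 1
  fi

  # Split on ',' for this one read only, so IFS stays untouched elsewhere.
  IFS=, read -r -a usages <<<"${usage}"

  for u in "${usages[@]}"; do
    echo "$u"
    if ! "${CERTTOOL}" -i --inder --infile "${workdir}/ek.cert" |
        grep -A2 "Key Usage" |
        grep -qF -- "$u"; then
      echo "Error: Could not find key usage $u in key created " \
           "with $params."
      # A missing key usage has to fail the test; only printing the message
      # would let a certificate with the wrong usage pass unnoticed.
      exit 1
    else
      echo "Found '$u'"
    fi
  done

  # Convert the DER certificate to PEM for the chain verification below.
  "${CERTTOOL}" \
    -i \
    --inder --infile "${workdir}/ek.cert" \
    --outfile "${workdir}/ek.pem"

  if ! "${CERTTOOL}" \
      --verify \
      --load-ca-certificate "${ISSUERCERT}" \
      --infile "${workdir}/ek.pem"; then
    echo "Error: Could not verify certificate chain."
    exit 1
  fi

  # Delete all keys to have CA re-created
  # (":?" aborts instead of expanding to "/*.pem" if workdir were ever empty)
  rm -rf -- "${workdir:?}"/*.pem
done

echo "Test 1: OK"
echo

#A few tests with odd vm Ids
# Each entry is "<vmid passed on the command line>|<expected Subject CN>".
# The ids contain shell metacharacters; the CN must match the expected string.
for vmid in \
  's p a c e|s p a c e' \
  '$(ls)>foo|$(ls)\>foo' \
  '`ls`&; #12|`ls`&\; #12' \
  'foo>&1<&2;$(ls)|foo\>&1\<&2\;$(ls)' \
  "'*|'*" \
  '"*|\"*' \
  ':$$|:$$' \
  '${t}[]|${t}[]';
do
  vmid_arg=${vmid%%"|"*}
  expected_cn=${vmid#*"|"}

  # No extra key-usage options are passed in this test.
  if ! "${SWTPM_LOCALCA}" \
      --type ek \
      --ek "${ek}" \
      --dir "${workdir}" \
      --vmid "${vmid_arg}" \
      --tpm2 \
      --configfile "${workdir}/swtpm-localca.conf" \
      --optsfile "${workdir}/swtpm-localca.options" \
      --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
      &>/dev/null; then
    # Name the vmid under test rather than the options variable left over
    # from Test 1.
    echo "Error: Test with vmid '${vmid_arg}' failed."
    exit 1
  fi

  if [ ! -r "${workdir}/ek.cert" ]; then
    echo "Error: ${workdir}/ek.cert was not created."
    exit 1
  fi

  ac=$("${CERTTOOL}" -i --inder --infile "${workdir}/ek.cert" |
    sed -n 's/.*Subject: CN=\(.*\)$/\1/p')
  if [ "$ac" != "${expected_cn}" ]; then
    echo "Error: unexpected subject string"
    echo "actual   : $ac"
    echo "expected : ${expected_cn}"
    # A mismatch means the vmid did not reach the certificate as expected,
    # so it must fail the test instead of falling through to "Test 2: OK".
    exit 1
  else
    echo "Pass: $ac"
  fi
done

echo "Test 2: OK"

exit 0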