[swtpm.git] / tests / test_tpm2_swtpm_localca

#!/usr/bin/env bash

# For the license, see the LICENSE file in the root directory.
#set -x

TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..}
TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..}
TESTDIR=${abs_top_testdir:-$(dirname "$0")}

SWTPM_LOCALCA=${TOPBUILD}/src/swtpm_localca/swtpm_localca

workdir=$(mktemp -d "/tmp/path with spaces.XXXXXX")

ek="80" # 2048 bit key must have highest bit set
for ((i = 1; i < 256; i++)); do
  ek="${ek}$(printf "%02x" $i)"
done

SIGNINGKEY=${workdir}/signingkey.pem
ISSUERCERT=${workdir}/issuercert.pem
CERTSERIAL=${workdir}/certserial

PATH=${TOPBUILD}/src/swtpm_cert:$PATH

source ${TESTDIR}/common

trap "cleanup" SIGTERM EXIT

function cleanup()
{
	rm -rf "${workdir}"
}

cat <<_EOF_ > "${workdir}/swtpm-localca.conf"
statedir=${workdir}
signingkey = ${SIGNINGKEY}
issuercert = ${ISSUERCERT}
certserial = ${CERTSERIAL}
signingkey_password = password
_EOF_

cat <<_EOF_ > "${workdir}/swtpm-localca.options"
--tpm-manufacturer IBM
--tpm-model swtpm-libtpms
--tpm-version 2
--platform-manufacturer Fedora
--platform-version 2.1
--platform-model QEMU
_EOF_

# the following contains the test parameters and
# expected key usage
for testparams in \
	"--allow-signing|Digital signature" \
	"--allow-signing --decryption|Digital signature,Key encipherment" \
	"--decryption|Key encipherment" \
	"|Key encipherment";
do
  params=$(echo ${testparams} | cut -d"|" -f1)
  usage=$(echo ${testparams} | cut -d"|" -f2)

  ${SWTPM_LOCALCA} \
    --type ek \
    --ek "${ek}" \
    --dir "${workdir}" \
    --vmid test \
    --tpm2 \
    --configfile "${workdir}/swtpm-localca.conf" \
    --optsfile "${workdir}/swtpm-localca.options" \
    --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
    ${params}
  if [ $? -ne 0 ]; then
    echo "Error: Test with parameters '$params' failed."
    exit 1
  fi

  # Signing key should always be password protected
  if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${SIGNINGKEY}")" ]; then
    echo "Error: Signing key is not password protected."
    exit 1
  fi

  # For the root CA's key we flip the password protection
  if [ -n "${SWTPM_ROOTCA_PASSWORD}" ] ;then
     if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then
       echo "Error: Root CA's private key is not password protected."
       exit 1
     fi
     unset SWTPM_ROOTCA_PASSWORD
  else
     if [ -n "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then
       echo "Error: Root CA's private key is password protected but should not be."
       exit 1
     fi
     export SWTPM_ROOTCA_PASSWORD=xyz
  fi

  if [ ! -r "${workdir}/ek.cert" ]; then
    echo "Error: ${workdir}/ek.cert was not created."
    exit 1
  fi

  OIFS="$IFS"
  IFS=","

  for u in $usage; do
    echo $u
    if [ -z "$(${CERTTOOL} -i \
                 --inder --infile "${workdir}/ek.cert" | \
                grep "Key Usage" -A2 | \
                grep "$u")" ]; then
      echo "Error: Could not find key usage $u in key created " \
           "with $params."
    else
      echo "Found '$u'"
    fi
  done

  IFS="$OIFS"

  ${CERTTOOL} \
    -i \
    --inder --infile "${workdir}/ek.cert" \
    --outfile "${workdir}/ek.pem"

  ${CERTTOOL} \
    --verify \
    --load-ca-certificate "${ISSUERCERT}" \
    --infile "${workdir}/ek.pem"
  if [ $? -ne 0 ]; then
    echo "Error: Could not verify certificate chain."
    exit 1
  fi

  # Delete all keys to have CA re-created
  rm -rf "${workdir}"/*.pem
done

echo "Test 1: OK"
echo

#A few tests with odd vm Ids
for vmid in \
	's p a c e|s p a c e' \
	'$(ls)>foo|$(ls)\>foo' \
	'`ls`&; #12|`ls`&\; #12' \
	'foo>&1<&2;$(ls)|foo\>&1\<&2\;$(ls)' \
	"'*|'*" \
	'"*|\"*' \
	':$$|:$$' \
	'${t}[]|${t}[]';
do
  in=$(echo "$vmid" | cut -d"|" -f1)
  exp=$(echo "$vmid" | cut -d"|" -f2)

  ${SWTPM_LOCALCA} \
    --type ek \
    --ek "${ek}" \
    --dir "${workdir}" \
    --vmid "$in" \
    --tpm2 \
    --configfile "${workdir}/swtpm-localca.conf" \
    --optsfile "${workdir}/swtpm-localca.options" \
    --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
    ${params} &>/dev/null
  if [ $? -ne 0 ]; then
    echo "Error: Test with parameters '$params' failed."
    exit 1
  fi

  if [ ! -r "${workdir}/ek.cert" ]; then
    echo "Error: ${workdir}/ek.cert was not created."
    exit 1
  fi

  ac=$(${CERTTOOL} -i --inder --infile "${workdir}/ek.cert" | \
       sed -n "s/.*Subject: CN=\(.*\)$/\1/p")
  if [ "$ac" != "$exp" ]; then
    echo "Error: unexpected subject string"
    echo "actual   : $ac"
    echo "expected : $exp"
  else
    echo "Pass: $ac"
  fi
done

echo "Test 2: OK"

exit 0
Commit	Line	Data
8f0f381f	1	#!/usr/bin/env bash
6a41f8e1 SB	2
	3	# For the license, see the LICENSE file in the root directory.
	4	#set -x
	5
611a1986 MAL	6	TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..}
611a1986 MAL	7	TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..}
313cf75c SB	8	TESTDIR=${abs_top_testdir:-$(dirname "$0")}
313cf75c SB	9
ddc75216	10	SWTPM_LOCALCA=${TOPBUILD}/src/swtpm_localca/swtpm_localca
6a41f8e1	11
77819bb2	12	workdir=$(mktemp -d "/tmp/path with spaces.XXXXXX")
6a41f8e1	13
63b19c22 SB	14	ek="80" # 2048 bit key must have highest bit set
63b19c22 SB	15	for ((i = 1; i < 256; i++)); do
6a41f8e1 SB	16	ek="${ek}$(printf "%02x" $i)"
	17	done
	18
	19	SIGNINGKEY=${workdir}/signingkey.pem
	20	ISSUERCERT=${workdir}/issuercert.pem
	21	CERTSERIAL=${workdir}/certserial
	22
611a1986	23	PATH=${TOPBUILD}/src/swtpm_cert:$PATH
6a41f8e1	24
e5bb6f4e SB	25	source ${TESTDIR}/common
e5bb6f4e SB	26
6a41f8e1 SB	27	trap "cleanup" SIGTERM EXIT
	28
	29	function cleanup()
	30	{
77819bb2	31	rm -rf "${workdir}"
6a41f8e1 SB	32	}
6a41f8e1 SB	33
77819bb2	34	cat <<_EOF_ > "${workdir}/swtpm-localca.conf"
6a41f8e1 SB	35	statedir=${workdir}
	36	signingkey = ${SIGNINGKEY}
	37	issuercert = ${ISSUERCERT}
	38	certserial = ${CERTSERIAL}
a73e9cb8	39	signingkey_password = password
6a41f8e1 SB	40	_EOF_
6a41f8e1 SB	41
77819bb2	42	cat <<_EOF_ > "${workdir}/swtpm-localca.options"
6a41f8e1 SB	43	--tpm-manufacturer IBM
6a41f8e1 SB	44	--tpm-model swtpm-libtpms
28c46454	45	--tpm-version 2
6a41f8e1 SB	46	--platform-manufacturer Fedora
	47	--platform-version 2.1
	48	--platform-model QEMU
	49	_EOF_
	50
	51	# the following contains the test parameters and
	52	# expected key usage
	53	for testparams in \
	54	"--allow-signing\|Digital signature" \
	55	"--allow-signing --decryption\|Digital signature,Key encipherment" \
	56	"--decryption\|Key encipherment" \
	57	"\|Key encipherment";
	58	do
	59	params=$(echo ${testparams} \| cut -d"\|" -f1)
	60	usage=$(echo ${testparams} \| cut -d"\|" -f2)
	61
	62	${SWTPM_LOCALCA} \
	63	--type ek \
77819bb2 SB	64	--ek "${ek}" \
77819bb2 SB	65	--dir "${workdir}" \
6a41f8e1 SB	66	--vmid test \
6a41f8e1 SB	67	--tpm2 \
77819bb2 SB	68	--configfile "${workdir}/swtpm-localca.conf" \
77819bb2 SB	69	--optsfile "${workdir}/swtpm-localca.options" \
28c46454	70	--tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
6a41f8e1 SB	71	${params}
	72	if [ $? -ne 0 ]; then
	73	echo "Error: Test with parameters '$params' failed."
	74	exit 1
	75	fi
	76
a73e9cb8 SB	77	# Signing key should always be password protected
	78	if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${SIGNINGKEY}")" ]; then
	79	echo "Error: Signing key is not password protected."
	80	exit 1
	81	fi
	82
	83	# For the root CA's key we flip the password protection
	84	if [ -n "${SWTPM_ROOTCA_PASSWORD}" ] ;then
	85	if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then
	86	echo "Error: Root CA's private key is not password protected."
	87	exit 1
	88	fi
	89	unset SWTPM_ROOTCA_PASSWORD
	90	else
	91	if [ -n "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then
	92	echo "Error: Root CA's private key is password protected but should not be."
	93	exit 1
	94	fi
	95	export SWTPM_ROOTCA_PASSWORD=xyz
	96	fi
	97
77819bb2	98	if [ ! -r "${workdir}/ek.cert" ]; then
6a41f8e1 SB	99	echo "Error: ${workdir}/ek.cert was not created."
	100	exit 1
	101	fi
	102
	103	OIFS="$IFS"
	104	IFS=","
	105
	106	for u in $usage; do
	107	echo $u
8aff5f76	108	if [ -z "$(${CERTTOOL} -i \
77819bb2	109	--inder --infile "${workdir}/ek.cert" \| \
6a41f8e1 SB	110	grep "Key Usage" -A2 \| \
	111	grep "$u")" ]; then
	112	echo "Error: Could not find key usage $u in key created " \
	113	"with $params."
	114	else
	115	echo "Found '$u'"
	116	fi
	117	done
	118
	119	IFS="$OIFS"
	120
8aff5f76	121	${CERTTOOL} \
6a41f8e1	122	-i \
77819bb2 SB	123	--inder --infile "${workdir}/ek.cert" \
77819bb2 SB	124	--outfile "${workdir}/ek.pem"
6a41f8e1	125
8aff5f76	126	${CERTTOOL} \
6a41f8e1	127	--verify \
77819bb2 SB	128	--load-ca-certificate "${ISSUERCERT}" \
77819bb2 SB	129	--infile "${workdir}/ek.pem"
6a41f8e1 SB	130	if [ $? -ne 0 ]; then
	131	echo "Error: Could not verify certificate chain."
	132	exit 1
	133	fi
a73e9cb8 SB	134
	135	# Delete all keys to have CA re-created
	136	rm -rf "${workdir}"/*.pem
6a41f8e1 SB	137	done
6a41f8e1 SB	138
86b32851 SB	139	echo "Test 1: OK"
	140	echo
	141
	142	#A few tests with odd vm Ids
	143	for vmid in \
	144	's p a c e\|s p a c e' \
	145	'$(ls)>foo\|$(ls)\>foo' \
	146	'`ls`&; #12\|`ls`&\; #12' \
	147	'foo>&1<&2;$(ls)\|foo\>&1\<&2\;$(ls)' \
	148	"'\|'" \
	149	'"\|\"' \
	150	':$$\|:$$' \
	151	'${t}[]\|${t}[]';
	152	do
	153	in=$(echo "$vmid" \| cut -d"\|" -f1)
	154	exp=$(echo "$vmid" \| cut -d"\|" -f2)
	155
	156	${SWTPM_LOCALCA} \
	157	--type ek \
	158	--ek "${ek}" \
	159	--dir "${workdir}" \
	160	--vmid "$in" \
	161	--tpm2 \
	162	--configfile "${workdir}/swtpm-localca.conf" \
	163	--optsfile "${workdir}/swtpm-localca.options" \
	164	--tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
	165	${params} &>/dev/null
	166	if [ $? -ne 0 ]; then
	167	echo "Error: Test with parameters '$params' failed."
	168	exit 1
	169	fi
	170
	171	if [ ! -r "${workdir}/ek.cert" ]; then
	172	echo "Error: ${workdir}/ek.cert was not created."
	173	exit 1
	174	fi
	175
	176	ac=$(${CERTTOOL} -i --inder --infile "${workdir}/ek.cert" \| \
	177	sed -n "s/.Subject: CN=\(.\)$/\1/p")
	178	if [ "$ac" != "$exp" ]; then
	179	echo "Error: unexpected subject string"
	180	echo "actual : $ac"
	181	echo "expected : $exp"
	182	else
	183	echo "Pass: $ac"
	184	fi
	185	done
	186
	187	echo "Test 2: OK"
	188
6a41f8e1	189	exit 0