]>
Commit | Line | Data |
---|---|---|
8f0f381f | 1 | #!/usr/bin/env bash |
6a41f8e1 SB |
2 | |
3 | # For the license, see the LICENSE file in the root directory. | |
4 | #set -x | |
5 | ||
611a1986 MAL |
6 | TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..} |
7 | TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..} | |
313cf75c SB |
8 | TESTDIR=${abs_top_testdir:-$(dirname "$0")} |
9 | ||
ddc75216 | 10 | SWTPM_LOCALCA=${TOPBUILD}/src/swtpm_localca/swtpm_localca |
6a41f8e1 | 11 | |
77819bb2 | 12 | workdir=$(mktemp -d "/tmp/path with spaces.XXXXXX") |
6a41f8e1 | 13 | |
63b19c22 SB |
14 | ek="80" # 2048 bit key must have highest bit set |
15 | for ((i = 1; i < 256; i++)); do | |
6a41f8e1 SB |
16 | ek="${ek}$(printf "%02x" $i)" |
17 | done | |
18 | ||
19 | SIGNINGKEY=${workdir}/signingkey.pem | |
20 | ISSUERCERT=${workdir}/issuercert.pem | |
21 | CERTSERIAL=${workdir}/certserial | |
22 | ||
611a1986 | 23 | PATH=${TOPBUILD}/src/swtpm_cert:$PATH |
6a41f8e1 | 24 | |
e5bb6f4e SB |
25 | source ${TESTDIR}/common |
26 | ||
6a41f8e1 SB |
27 | trap "cleanup" SIGTERM EXIT |
28 | ||
29 | function cleanup() | |
30 | { | |
77819bb2 | 31 | rm -rf "${workdir}" |
6a41f8e1 SB |
32 | } |
33 | ||
77819bb2 | 34 | cat <<_EOF_ > "${workdir}/swtpm-localca.conf" |
6a41f8e1 SB |
35 | statedir=${workdir} |
36 | signingkey = ${SIGNINGKEY} | |
37 | issuercert = ${ISSUERCERT} | |
38 | certserial = ${CERTSERIAL} | |
a73e9cb8 | 39 | signingkey_password = password |
6a41f8e1 SB |
40 | _EOF_ |
41 | ||
77819bb2 | 42 | cat <<_EOF_ > "${workdir}/swtpm-localca.options" |
6a41f8e1 SB |
43 | --tpm-manufacturer IBM |
44 | --tpm-model swtpm-libtpms | |
28c46454 | 45 | --tpm-version 2 |
6a41f8e1 SB |
46 | --platform-manufacturer Fedora |
47 | --platform-version 2.1 | |
48 | --platform-model QEMU | |
49 | _EOF_ | |
50 | ||
51 | # the following contains the test parameters and | |
52 | # expected key usage | |
53 | for testparams in \ | |
54 | "--allow-signing|Digital signature" \ | |
55 | "--allow-signing --decryption|Digital signature,Key encipherment" \ | |
56 | "--decryption|Key encipherment" \ | |
57 | "|Key encipherment"; | |
58 | do | |
59 | params=$(echo ${testparams} | cut -d"|" -f1) | |
60 | usage=$(echo ${testparams} | cut -d"|" -f2) | |
61 | ||
62 | ${SWTPM_LOCALCA} \ | |
63 | --type ek \ | |
77819bb2 SB |
64 | --ek "${ek}" \ |
65 | --dir "${workdir}" \ | |
6a41f8e1 SB |
66 | --vmid test \ |
67 | --tpm2 \ | |
77819bb2 SB |
68 | --configfile "${workdir}/swtpm-localca.conf" \ |
69 | --optsfile "${workdir}/swtpm-localca.options" \ | |
28c46454 | 70 | --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \ |
6a41f8e1 SB |
71 | ${params} |
72 | if [ $? -ne 0 ]; then | |
73 | echo "Error: Test with parameters '$params' failed." | |
74 | exit 1 | |
75 | fi | |
76 | ||
a73e9cb8 SB |
77 | # Signing key should always be password protected |
78 | if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${SIGNINGKEY}")" ]; then | |
79 | echo "Error: Signing key is not password protected." | |
80 | exit 1 | |
81 | fi | |
82 | ||
83 | # For the root CA's key we flip the password protection | |
84 | if [ -n "${SWTPM_ROOTCA_PASSWORD}" ] ;then | |
85 | if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then | |
86 | echo "Error: Root CA's private key is not password protected." | |
87 | exit 1 | |
88 | fi | |
89 | unset SWTPM_ROOTCA_PASSWORD | |
90 | else | |
91 | if [ -n "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then | |
92 | echo "Error: Root CA's private key is password protected but should not be." | |
93 | exit 1 | |
94 | fi | |
95 | export SWTPM_ROOTCA_PASSWORD=xyz | |
96 | fi | |
97 | ||
77819bb2 | 98 | if [ ! -r "${workdir}/ek.cert" ]; then |
6a41f8e1 SB |
99 | echo "Error: ${workdir}/ek.cert was not created." |
100 | exit 1 | |
101 | fi | |
102 | ||
103 | OIFS="$IFS" | |
104 | IFS="," | |
105 | ||
106 | for u in $usage; do | |
107 | echo $u | |
8aff5f76 | 108 | if [ -z "$(${CERTTOOL} -i \ |
77819bb2 | 109 | --inder --infile "${workdir}/ek.cert" | \ |
6a41f8e1 SB |
110 | grep "Key Usage" -A2 | \ |
111 | grep "$u")" ]; then | |
112 | echo "Error: Could not find key usage $u in key created " \ | |
113 | "with $params." | |
114 | else | |
115 | echo "Found '$u'" | |
116 | fi | |
117 | done | |
118 | ||
119 | IFS="$OIFS" | |
120 | ||
8aff5f76 | 121 | ${CERTTOOL} \ |
6a41f8e1 | 122 | -i \ |
77819bb2 SB |
123 | --inder --infile "${workdir}/ek.cert" \ |
124 | --outfile "${workdir}/ek.pem" | |
6a41f8e1 | 125 | |
8aff5f76 | 126 | ${CERTTOOL} \ |
6a41f8e1 | 127 | --verify \ |
77819bb2 SB |
128 | --load-ca-certificate "${ISSUERCERT}" \ |
129 | --infile "${workdir}/ek.pem" | |
6a41f8e1 SB |
130 | if [ $? -ne 0 ]; then |
131 | echo "Error: Could not verify certificate chain." | |
132 | exit 1 | |
133 | fi | |
a73e9cb8 SB |
134 | |
135 | # Delete all keys to have CA re-created | |
136 | rm -rf "${workdir}"/*.pem | |
6a41f8e1 SB |
137 | done |
138 | ||
86b32851 SB |
139 | echo "Test 1: OK" |
140 | echo | |
141 | ||
142 | #A few tests with odd vm Ids | |
143 | for vmid in \ | |
144 | 's p a c e|s p a c e' \ | |
145 | '$(ls)>foo|$(ls)\>foo' \ | |
146 | '`ls`&; #12|`ls`&\; #12' \ | |
147 | 'foo>&1<&2;$(ls)|foo\>&1\<&2\;$(ls)' \ | |
148 | "'*|'*" \ | |
149 | '"*|\"*' \ | |
150 | ':$$|:$$' \ | |
151 | '${t}[]|${t}[]'; | |
152 | do | |
153 | in=$(echo "$vmid" | cut -d"|" -f1) | |
154 | exp=$(echo "$vmid" | cut -d"|" -f2) | |
155 | ||
156 | ${SWTPM_LOCALCA} \ | |
157 | --type ek \ | |
158 | --ek "${ek}" \ | |
159 | --dir "${workdir}" \ | |
160 | --vmid "$in" \ | |
161 | --tpm2 \ | |
162 | --configfile "${workdir}/swtpm-localca.conf" \ | |
163 | --optsfile "${workdir}/swtpm-localca.options" \ | |
164 | --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \ | |
165 | ${params} &>/dev/null | |
166 | if [ $? -ne 0 ]; then | |
167 | echo "Error: Test with parameters '$params' failed." | |
168 | exit 1 | |
169 | fi | |
170 | ||
171 | if [ ! -r "${workdir}/ek.cert" ]; then | |
172 | echo "Error: ${workdir}/ek.cert was not created." | |
173 | exit 1 | |
174 | fi | |
175 | ||
176 | ac=$(${CERTTOOL} -i --inder --infile "${workdir}/ek.cert" | \ | |
177 | sed -n "s/.*Subject: CN=\(.*\)$/\1/p") | |
178 | if [ "$ac" != "$exp" ]; then | |
179 | echo "Error: unexpected subject string" | |
180 | echo "actual : $ac" | |
181 | echo "expected : $exp" | |
182 | else | |
183 | echo "Pass: $ac" | |
184 | fi | |
185 | done | |
186 | ||
187 | echo "Test 2: OK" | |
188 | ||
6a41f8e1 | 189 | exit 0 |