# For the license, see the LICENSE file in the root directory.
# Tree locations: honour the autotools-provided absolute paths when they are
# set, otherwise resolve everything relative to this script's own directory.
TOPBUILD="${abs_top_builddir:-$(dirname "$0")/..}"
TOPSRC="${abs_top_srcdir:-$(dirname "$0")/..}"
TESTDIR="${abs_top_testdir:-$(dirname "$0")}"
# The swtpm-localca script under test, taken from the build tree.
SWTPM_LOCALCA="${TOPBUILD}/samples/swtpm-localca"
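# Scratch directory for the generated CA, keys and certificates.  A path
# containing spaces is used on purpose so that the handling of such paths is
# exercised; mktemp supplies an unpredictable suffix.  Abort if the directory
# cannot be created: with an empty workdir the later
# 'rm -rf "${workdir}"/*.pem' would point at the filesystem root.
workdir=$(mktemp -d "/tmp/path with spaces.XXXXXX") || {
  echo "Error: could not create a temporary working directory." >&2
  exit 1
}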
# First byte (hex) of a fake 2048-bit RSA EK modulus: the most significant
# bit has to be set, hence 0x80.  The loop that follows pads it to full length.
ek=80
15 for ((i
= 1; i
< 256; i
++)); do
16 ek
="${ek}$(printf "%02x
" $i)"
# Files of the local CA that swtpm-localca is told about via its config file;
# all of them live in the scratch directory.
SIGNINGKEY="${workdir}/signingkey.pem"   # CA signing key (checked to be encrypted)
ISSUERCERT="${workdir}/issuercert.pem"   # CA certificate, used to verify the EK cert
CERTSERIAL="${workdir}/certserial"       # certificate serial state
# Put the build tree's swtpm_cert directory first so that it wins over any
# installed copy.
PATH="${TOPBUILD}/src/swtpm_cert:${PATH}"
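# Shared test helpers; this script relies on it for 'cleanup' and CERTTOOL,
# which it uses but does not define.  The path is quoted because TESTDIR is
# derived from "$0" and may contain spaces, and a missing helper file is
# fatal rather than silently producing confusing follow-up errors.
source "${TESTDIR}/common" || {
  echo "Error: could not source ${TESTDIR}/common." >&2
  exit 1
}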
# 'cleanup' (expected from the sourced common file) runs on exit and on SIGTERM.
trap cleanup EXIT SIGTERM
34 cat <<_EOF_ > "${workdir}/swtpm-localca.conf"
36 signingkey = ${SIGNINGKEY}
37 issuercert = ${ISSUERCERT}
38 certserial = ${CERTSERIAL}
39 signingkey_password = password
42 cat <<_EOF_ > "${workdir}/swtpm-localca.options"
43 --tpm-manufacturer IBM
44 --tpm-model swtpm-libtpms
46 --platform-manufacturer Fedora
47 --platform-version 2.1
# the following contains the test parameters and
54 "--allow-signing|Digital signature" \
55 "--allow-signing --decryption|Digital signature,Key encipherment" \
56 "--decryption|Key encipherment" \
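# Each entry is "swtpm-localca options|expected key usage".  The options are
# the part before the first '|'.  Parameter expansion instead of 'echo | cut'
# keeps the value intact (no word splitting of the unquoted expansion, no
# echo option parsing) and saves two forks per iteration.
params=${testparams%%|*}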
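# The expected key usage names are everything after the first '|'.  Parameter
# expansion instead of 'echo | cut' keeps the value intact (no word splitting
# of the unquoted expansion, no echo option parsing).
usage=${testparams#*|}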
68 --configfile "${workdir}/swtpm-localca.conf" \
69 --optsfile "${workdir}/swtpm-localca.options" \
70 --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
printf '%s\n' "Error: Test with parameters '$params' failed."
# The signing key should always be password protected
78 if [ -z "$(grep "ENCRYPTED PRIVATE KEY
" "${SIGNINGKEY}")" ]; then
printf '%s\n' "Error: Signing key is not password protected."
# For the root CA's key we flip the password protection
84 if [ -n "${SWTPM_ROOTCA_PASSWORD}" ] ;then
85 if [ -z "$(grep "ENCRYPTED PRIVATE KEY
" "${workdir}/swtpm-localca-rootca-privkey.pem
")" ]; then
printf '%s\n' "Error: Root CA's private key is not password protected."
# Next pass runs without a root CA password, so the key must come out unencrypted.
unset -v SWTPM_ROOTCA_PASSWORD
91 if [ -n "$(grep "ENCRYPTED PRIVATE KEY
" "${workdir}/swtpm-localca-rootca-privkey.pem
")" ]; then
printf '%s\n' "Error: Root CA's private key is password protected but should not be."
# Re-enable root CA key encryption with a fixed test password (a fixture
# value, not a secret); exported so that the swtpm-localca child process sees it.
SWTPM_ROOTCA_PASSWORD=xyz
export SWTPM_ROOTCA_PASSWORD
98 if [ ! -r "${workdir}/ek.cert" ]; then
printf '%s\n' "Error: ${workdir}/ek.cert was not created."
108 if [ -z "$(${CERTTOOL} -i \
109 --inder --infile "${workdir}/ek.cert
" | \
110 grep "Key Usage
" -A2 | \
112 echo "Error: Could not find key usage $u in key created " \
123 --inder --infile "${workdir}/ek.cert" \
124 --outfile "${workdir}/ek.pem"
128 --load-ca-certificate "${ISSUERCERT}" \
129 --infile "${workdir}/ek.pem"
130 if [ $?
-ne 0 ]; then
printf '%s\n' "Error: Could not verify certificate chain."
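# Delete all keys and certificates so that the next run makes swtpm-localca
# re-create the CA from scratch.  The ':?' guard refuses to run when workdir
# is empty or unset, which would otherwise turn this into 'rm -rf /*.pem';
# '-r' is not needed for plain .pem files and '--' stops option parsing.
rm -f -- "${workdir:?}"/*.pem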
# A few tests with odd VM ids
144 's p a c e|s p a c e' \
145 '$(ls)>foo|$(ls)\>foo' \
146 '`ls`&; #12|`ls`&\; #12' \
147 'foo>&1<&2;$(ls)|foo\>&1\<&2\;$(ls)' \
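# Each entry is "vmid to pass|expected subject CN".  The vmid is the part
# before the first '|'.  Parameter expansion instead of 'echo | cut' passes the
# deliberately hostile values (backslashes, $(ls), backticks) through
# unchanged and without echo's option parsing.
in=${vmid%%|*}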
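# The expected (escaped) subject CN is everything after the first '|';
# parameter expansion keeps the backslashes in the expected value intact.
exp=${vmid#*|}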
162 --configfile "${workdir}/swtpm-localca.conf" \
163 --optsfile "${workdir}/swtpm-localca.options" \
164 --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
165 ${params} &>/dev
/null
166 if [ $?
-ne 0 ]; then
printf '%s\n' "Error: Test with parameters '$params' failed."
171 if [ ! -r "${workdir}/ek.cert" ]; then
printf '%s\n' "Error: ${workdir}/ek.cert was not created."
# Subject CN of the freshly created EK certificate, taken from certtool's
# text dump.  CERTTOOL (from common) is expanded unquoted as before, in case
# it carries options -- TODO confirm against common.
ac=$(
  ${CERTTOOL} -i --inder --infile "${workdir}/ek.cert" \
    | sed -n 's/.*Subject: CN=\(.*\)$/\1/p'
)
178 if [ "$ac" != "$exp" ]; then
printf '%s\n' "Error: unexpected subject string"
# printf rather than echo: the expected value comes from the vmid table and
# may contain backslashes, which echo handles differently across shells.
printf '%s\n' "expected : $exp"