#!/usr/bin/env bash

# For the license, see the LICENSE file in the root directory.
#set -x
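# Locations of the build tree, source tree and test directory. The
# abs_top_* variables are used when set (e.g. by the build system);
# otherwise fall back to paths relative to this script.
TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..}
TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..}
TESTDIR=${abs_top_testdir:-$(dirname "$0")}

SWTPM_LOCALCA=${TOPBUILD}/samples/swtpm-localca

# Deliberately use a directory name containing spaces so that quoting
# bugs in swtpm-localca show up; abort if the directory cannot be created
# rather than continuing with an empty ${workdir}.
workdir=$(mktemp -d "/tmp/path with spaces.XXXXXX") || {
  echo "Error: Could not create temporary working directory."
  exit 1
}

# Build a 256-byte (2048-bit) EK value as a hex string: the leading byte
# 0x80 sets the highest bit, followed by the bytes 0x01 .. 0xff.
ek="80"
for ((i = 1; i < 256; i++)); do
  ek="${ek}$(printf "%02x" "$i")"
done

SIGNINGKEY=${workdir}/signingkey.pem
ISSUERCERT=${workdir}/issuercert.pem
CERTSERIAL=${workdir}/certserial

# Put the freshly built swtpm_cert first in PATH, presumably so that
# swtpm-localca picks it up instead of an installed copy.
PATH=${TOPBUILD}/src/swtpm_cert:$PATH

# Quoted: TESTDIR may itself contain spaces.
source "${TESTDIR}/common"

# cleanup() is defined further down; the trap string is only evaluated
# when the trap fires, so the later definition is fine.
trap "cleanup" SIGTERM EXIT
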
#######################################
# Remove the temporary working directory.
# Invoked from the EXIT/SIGTERM trap, so it must not rely on the
# script having reached any particular point.
# Globals:   workdir (read)
# Returns:   status of rm
#######################################
cleanup() {
  rm -rf -- "${workdir}"
}

# swtpm-localca configuration (passed via --configfile): CA state lives
# in the temporary workdir and the signing key is protected with a
# fixed test password.
printf '%s\n' \
  "statedir=${workdir}" \
  "signingkey = ${SIGNINGKEY}" \
  "issuercert = ${ISSUERCERT}" \
  "certserial = ${CERTSERIAL}" \
  "signingkey_password = password" \
  > "${workdir}/swtpm-localca.conf"

# Static certificate fields (passed via --optsfile).
printf '%s\n' \
  "--tpm-manufacturer IBM" \
  "--tpm-model swtpm-libtpms" \
  "--tpm-version 2" \
  "--platform-manufacturer Fedora" \
  "--platform-version 2.1" \
  "--platform-model QEMU" \
  > "${workdir}/swtpm-localca.options"

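# Test 1: create an EK certificate for each combination of key-usage
# options and check the certificate's Key Usage extension, the password
# protection of the signing key and root CA key, and the certificate
# chain.
#
# Each entry is "<swtpm-localca options>|<expected key usages>", the
# usage list being comma-separated.
for testparams in \
  "--allow-signing|Digital signature" \
  "--allow-signing --decryption|Digital signature,Key encipherment" \
  "--decryption|Key encipherment" \
  "|Key encipherment";
do
  params=${testparams%%|*}
  usage=${testparams#*|}

  # ${params} is intentionally unquoted: it holds zero or more options
  # that must be passed as separate words.
  # shellcheck disable=SC2086
  if ! "${SWTPM_LOCALCA}" \
    --type ek \
    --ek "${ek}" \
    --dir "${workdir}" \
    --vmid test \
    --tpm2 \
    --configfile "${workdir}/swtpm-localca.conf" \
    --optsfile "${workdir}/swtpm-localca.options" \
    --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
    ${params}; then
    echo "Error: Test with parameters '${params}' failed."
    exit 1
  fi

  # Signing key should always be password protected
  if ! grep -q "ENCRYPTED PRIVATE KEY" "${SIGNINGKEY}"; then
    echo "Error: Signing key is not password protected."
    exit 1
  fi

  # For the root CA's key we flip the password protection on every
  # round: the CA is re-created at the end of each iteration (see the rm
  # below), so both an unprotected and a protected root CA key get
  # exercised.
  rootca_key="${workdir}/swtpm-localca-rootca-privkey.pem"
  if [ -n "${SWTPM_ROOTCA_PASSWORD}" ]; then
    if ! grep -q "ENCRYPTED PRIVATE KEY" "${rootca_key}"; then
      echo "Error: Root CA's private key is not password protected."
      exit 1
    fi
    unset SWTPM_ROOTCA_PASSWORD
  else
    if grep -q "ENCRYPTED PRIVATE KEY" "${rootca_key}"; then
      echo "Error: Root CA's private key is password protected but should not be."
      exit 1
    fi
    export SWTPM_ROOTCA_PASSWORD=xyz
  fi

  if [ ! -r "${workdir}/ek.cert" ]; then
    echo "Error: ${workdir}/ek.cert was not created."
    exit 1
  fi

  # Compare the certificate's Key Usage extension against the expected
  # list. A missing usage is a failure (previously it was only reported),
  # otherwise a certificate with the wrong usage would pass this test.
  # ${CERTTOOL} comes from tests/common and is left unquoted as before.
  keyusage=$(${CERTTOOL} -i --inder --infile "${workdir}/ek.cert" | \
    grep "Key Usage" -A2)
  IFS=',' read -r -a usages <<< "${usage}"
  for u in "${usages[@]}"; do
    echo "$u"
    if ! grep -q "$u" <<< "${keyusage}"; then
      echo "Error: Could not find key usage $u in key created " \
        "with $params."
      exit 1
    fi
    echo "Found '$u'"
  done

  # Convert to PEM and verify the certificate chain against the issuer.
  if ! ${CERTTOOL} -i --inder --infile "${workdir}/ek.cert" \
    --outfile "${workdir}/ek.pem"; then
    echo "Error: Could not convert ${workdir}/ek.cert to PEM."
    exit 1
  fi

  if ! ${CERTTOOL} --verify \
    --load-ca-certificate "${ISSUERCERT}" \
    --infile "${workdir}/ek.pem"; then
    echo "Error: Could not verify certificate chain."
    exit 1
  fi

  # Delete all keys to have CA re-created
  rm -rf -- "${workdir}"/*.pem
done

echo "Test 1: OK"
echo
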
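# Test 2: vmids containing spaces, quotes and shell metacharacters must
# appear escaped, but otherwise intact, in the certificate's subject CN.
# Each entry is "<vmid passed in>|<CN expected in the certificate>";
# the entries are quoted so that nothing is expanded by this script.
# No key-usage options are passed here; the usage is checked in Test 1.
for vmid in \
  's p a c e|s p a c e' \
  '$(ls)>foo|$(ls)\>foo' \
  '`ls`&; #12|`ls`&\; #12' \
  'foo>&1<&2;$(ls)|foo\>&1\<&2\;$(ls)' \
  "'*|'*" \
  '"*|\"*' \
  ':$$|:$$' \
  '${t}[]|${t}[]';
do
  in=${vmid%%|*}
  exp=${vmid#*|}

  if ! "${SWTPM_LOCALCA}" \
    --type ek \
    --ek "${ek}" \
    --dir "${workdir}" \
    --vmid "${in}" \
    --tpm2 \
    --configfile "${workdir}/swtpm-localca.conf" \
    --optsfile "${workdir}/swtpm-localca.options" \
    --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
    &>/dev/null; then
    echo "Error: Test with vmid '${in}' failed."
    exit 1
  fi

  if [ ! -r "${workdir}/ek.cert" ]; then
    echo "Error: ${workdir}/ek.cert was not created."
    exit 1
  fi

  # Extract the subject CN as certtool prints it and compare it literally
  # with the expected (escaped) form. A mismatch is a failure (previously
  # it was only reported and "Test 2: OK" was printed regardless).
  # ${CERTTOOL} comes from tests/common and is left unquoted as before.
  ac=$(${CERTTOOL} -i --inder --infile "${workdir}/ek.cert" | \
    sed -n "s/.*Subject: CN=\(.*\)$/\1/p")
  if [ "${ac}" != "${exp}" ]; then
    echo "Error: unexpected subject string"
    echo "actual : ${ac}"
    echo "expected : ${exp}"
    exit 1
  fi
  echo "Pass: ${ac}"
done

echo "Test 2: OK"

exit 0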