]>
Commit | Line | Data |
---|---|---|
8f0f381f | 1 | #!/usr/bin/env bash |
6a41f8e1 SB |
2 | |
3 | # For the license, see the LICENSE file in the root directory. | |
4 | #set -x | |
5 | ||
611a1986 MAL |
6 | TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..} |
7 | TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..} | |
313cf75c SB |
8 | TESTDIR=${abs_top_testdir:-$(dirname "$0")} |
9 | ||
ddc75216 | 10 | SWTPM_LOCALCA=${TOPBUILD}/src/swtpm_localca/swtpm_localca |
6a41f8e1 | 11 | |
cce7503c | 12 | workdir="$(mktemp -d "/tmp/path with spaces.XXXXXX")" || exit 1 |
6a41f8e1 | 13 | |
63b19c22 SB |
14 | ek="80" # 2048 bit key must have highest bit set |
15 | for ((i = 1; i < 256; i++)); do | |
6a41f8e1 SB |
16 | ek="${ek}$(printf "%02x" $i)" |
17 | done | |
18 | ||
19 | SIGNINGKEY=${workdir}/signingkey.pem | |
20 | ISSUERCERT=${workdir}/issuercert.pem | |
21 | CERTSERIAL=${workdir}/certserial | |
22 | ||
611a1986 | 23 | PATH=${TOPBUILD}/src/swtpm_cert:$PATH |
6a41f8e1 | 24 | |
e5bb6f4e SB |
25 | source ${TESTDIR}/common |
26 | ||
22e975dc SB |
27 | if [ -n "$(${CERTTOOL} --help | grep -E "\-\-verify-profile")" ]; then |
28 | verify_profile="--verify-profile=medium" | |
29 | fi | |
30 | ||
6a41f8e1 SB |
31 | trap "cleanup" SIGTERM EXIT |
32 | ||
33 | function cleanup() | |
34 | { | |
77819bb2 | 35 | rm -rf "${workdir}" |
6a41f8e1 SB |
36 | } |
37 | ||
77819bb2 | 38 | cat <<_EOF_ > "${workdir}/swtpm-localca.conf" |
6a41f8e1 SB |
39 | statedir=${workdir} |
40 | signingkey = ${SIGNINGKEY} | |
41 | issuercert = ${ISSUERCERT} | |
42 | certserial = ${CERTSERIAL} | |
a73e9cb8 | 43 | signingkey_password = password |
6a41f8e1 SB |
44 | _EOF_ |
45 | ||
77819bb2 | 46 | cat <<_EOF_ > "${workdir}/swtpm-localca.options" |
6a41f8e1 SB |
47 | --tpm-manufacturer IBM |
48 | --tpm-model swtpm-libtpms | |
28c46454 | 49 | --tpm-version 2 |
6a41f8e1 SB |
50 | --platform-manufacturer Fedora |
51 | --platform-version 2.1 | |
52 | --platform-model QEMU | |
53 | _EOF_ | |
54 | ||
55 | # the following contains the test parameters and | |
56 | # expected key usage | |
57 | for testparams in \ | |
58 | "--allow-signing|Digital signature" \ | |
59 | "--allow-signing --decryption|Digital signature,Key encipherment" \ | |
60 | "--decryption|Key encipherment" \ | |
61 | "|Key encipherment"; | |
62 | do | |
63 | params=$(echo ${testparams} | cut -d"|" -f1) | |
64 | usage=$(echo ${testparams} | cut -d"|" -f2) | |
65 | ||
66 | ${SWTPM_LOCALCA} \ | |
67 | --type ek \ | |
77819bb2 SB |
68 | --ek "${ek}" \ |
69 | --dir "${workdir}" \ | |
6a41f8e1 SB |
70 | --vmid test \ |
71 | --tpm2 \ | |
77819bb2 SB |
72 | --configfile "${workdir}/swtpm-localca.conf" \ |
73 | --optsfile "${workdir}/swtpm-localca.options" \ | |
28c46454 | 74 | --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \ |
6a41f8e1 SB |
75 | ${params} |
76 | if [ $? -ne 0 ]; then | |
77 | echo "Error: Test with parameters '$params' failed." | |
78 | exit 1 | |
79 | fi | |
80 | ||
a73e9cb8 SB |
81 | # Signing key should always be password protected |
82 | if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${SIGNINGKEY}")" ]; then | |
83 | echo "Error: Signing key is not password protected." | |
84 | exit 1 | |
85 | fi | |
86 | ||
87 | # For the root CA's key we flip the password protection | |
88 | if [ -n "${SWTPM_ROOTCA_PASSWORD}" ] ;then | |
89 | if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then | |
90 | echo "Error: Root CA's private key is not password protected." | |
91 | exit 1 | |
92 | fi | |
93 | unset SWTPM_ROOTCA_PASSWORD | |
94 | else | |
95 | if [ -n "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then | |
96 | echo "Error: Root CA's private key is password protected but should not be." | |
97 | exit 1 | |
98 | fi | |
99 | export SWTPM_ROOTCA_PASSWORD=xyz | |
100 | fi | |
101 | ||
77819bb2 | 102 | if [ ! -r "${workdir}/ek.cert" ]; then |
6a41f8e1 SB |
103 | echo "Error: ${workdir}/ek.cert was not created." |
104 | exit 1 | |
105 | fi | |
106 | ||
107 | OIFS="$IFS" | |
108 | IFS="," | |
109 | ||
110 | for u in $usage; do | |
111 | echo $u | |
8aff5f76 | 112 | if [ -z "$(${CERTTOOL} -i \ |
77819bb2 | 113 | --inder --infile "${workdir}/ek.cert" | \ |
6a41f8e1 SB |
114 | grep "Key Usage" -A2 | \ |
115 | grep "$u")" ]; then | |
116 | echo "Error: Could not find key usage $u in key created " \ | |
117 | "with $params." | |
118 | else | |
119 | echo "Found '$u'" | |
120 | fi | |
121 | done | |
122 | ||
123 | IFS="$OIFS" | |
124 | ||
8aff5f76 | 125 | ${CERTTOOL} \ |
6a41f8e1 | 126 | -i \ |
77819bb2 SB |
127 | --inder --infile "${workdir}/ek.cert" \ |
128 | --outfile "${workdir}/ek.pem" | |
6a41f8e1 | 129 | |
8aff5f76 | 130 | ${CERTTOOL} \ |
6a41f8e1 | 131 | --verify \ |
22e975dc | 132 | ${verify_profile} \ |
77819bb2 SB |
133 | --load-ca-certificate "${ISSUERCERT}" \ |
134 | --infile "${workdir}/ek.pem" | |
6a41f8e1 SB |
135 | if [ $? -ne 0 ]; then |
136 | echo "Error: Could not verify certificate chain." | |
137 | exit 1 | |
138 | fi | |
a73e9cb8 SB |
139 | |
140 | # Delete all keys to have CA re-created | |
141 | rm -rf "${workdir}"/*.pem | |
6a41f8e1 SB |
142 | done |
143 | ||
86b32851 SB |
144 | echo "Test 1: OK" |
145 | echo | |
146 | ||
147 | #A few tests with odd vm Ids | |
148 | for vmid in \ | |
149 | 's p a c e|s p a c e' \ | |
150 | '$(ls)>foo|$(ls)\>foo' \ | |
151 | '`ls`&; #12|`ls`&\; #12' \ | |
152 | 'foo>&1<&2;$(ls)|foo\>&1\<&2\;$(ls)' \ | |
153 | "'*|'*" \ | |
154 | '"*|\"*' \ | |
155 | ':$$|:$$' \ | |
156 | '${t}[]|${t}[]'; | |
157 | do | |
158 | in=$(echo "$vmid" | cut -d"|" -f1) | |
159 | exp=$(echo "$vmid" | cut -d"|" -f2) | |
160 | ||
161 | ${SWTPM_LOCALCA} \ | |
162 | --type ek \ | |
163 | --ek "${ek}" \ | |
164 | --dir "${workdir}" \ | |
165 | --vmid "$in" \ | |
166 | --tpm2 \ | |
167 | --configfile "${workdir}/swtpm-localca.conf" \ | |
168 | --optsfile "${workdir}/swtpm-localca.options" \ | |
169 | --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \ | |
170 | ${params} &>/dev/null | |
171 | if [ $? -ne 0 ]; then | |
172 | echo "Error: Test with parameters '$params' failed." | |
173 | exit 1 | |
174 | fi | |
175 | ||
176 | if [ ! -r "${workdir}/ek.cert" ]; then | |
177 | echo "Error: ${workdir}/ek.cert was not created." | |
178 | exit 1 | |
179 | fi | |
180 | ||
181 | ac=$(${CERTTOOL} -i --inder --infile "${workdir}/ek.cert" | \ | |
182 | sed -n "s/.*Subject: CN=\(.*\)$/\1/p") | |
183 | if [ "$ac" != "$exp" ]; then | |
184 | echo "Error: unexpected subject string" | |
185 | echo "actual : $ac" | |
186 | echo "expected : $exp" | |
187 | else | |
188 | echo "Pass: $ac" | |
189 | fi | |
190 | done | |
191 | ||
192 | echo "Test 2: OK" | |
193 | ||
6a41f8e1 | 194 | exit 0 |