[swtpm.git] / tests / test_tpm2_swtpm_localca

#!/usr/bin/env bash

# For the license, see the LICENSE file in the root directory.
#set -x

TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..}
TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..}
TESTDIR=${abs_top_testdir:-$(dirname "$0")}

SWTPM_LOCALCA=${TOPBUILD}/src/swtpm_localca/swtpm_localca

workdir="$(mktemp -d "/tmp/path with spaces.XXXXXX")" || exit 1

ek="80" # 2048 bit key must have highest bit set
for ((i = 1; i < 256; i++)); do
  ek="${ek}$(printf "%02x" $i)"
done

SIGNINGKEY=${workdir}/signingkey.pem
ISSUERCERT=${workdir}/issuercert.pem
CERTSERIAL=${workdir}/certserial

PATH=${TOPBUILD}/src/swtpm_cert:$PATH

source ${TESTDIR}/common

if [ -n "$(${CERTTOOL} --help | grep -E "\-\-verify-profile")" ]; then
	verify_profile="--verify-profile=medium"
fi

trap "cleanup" SIGTERM EXIT

function cleanup()
{
	rm -rf "${workdir}"
}

cat <<_EOF_ > "${workdir}/swtpm-localca.conf"
statedir=${workdir}
signingkey = ${SIGNINGKEY}
issuercert = ${ISSUERCERT}
certserial = ${CERTSERIAL}
signingkey_password = password
_EOF_

cat <<_EOF_ > "${workdir}/swtpm-localca.options"
--tpm-manufacturer IBM
--tpm-model swtpm-libtpms
--tpm-version 2
--platform-manufacturer Fedora
--platform-version 2.1
--platform-model QEMU
_EOF_

# the following contains the test parameters and
# expected key usage
for testparams in \
	"--allow-signing|Digital signature" \
	"--allow-signing --decryption|Digital signature,Key encipherment" \
	"--decryption|Key encipherment" \
	"|Key encipherment";
do
  params=$(echo ${testparams} | cut -d"|" -f1)
  usage=$(echo ${testparams} | cut -d"|" -f2)

  ${SWTPM_LOCALCA} \
    --type ek \
    --ek "${ek}" \
    --dir "${workdir}" \
    --vmid test \
    --tpm2 \
    --configfile "${workdir}/swtpm-localca.conf" \
    --optsfile "${workdir}/swtpm-localca.options" \
    --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
    ${params}
  if [ $? -ne 0 ]; then
    echo "Error: Test with parameters '$params' failed."
    exit 1
  fi

  # Signing key should always be password protected
  if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${SIGNINGKEY}")" ]; then
    echo "Error: Signing key is not password protected."
    exit 1
  fi

  # For the root CA's key we flip the password protection
  if [ -n "${SWTPM_ROOTCA_PASSWORD}" ] ;then
     if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then
       echo "Error: Root CA's private key is not password protected."
       exit 1
     fi
     unset SWTPM_ROOTCA_PASSWORD
  else
     if [ -n "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then
       echo "Error: Root CA's private key is password protected but should not be."
       exit 1
     fi
     export SWTPM_ROOTCA_PASSWORD=xyz
  fi

  if [ ! -r "${workdir}/ek.cert" ]; then
    echo "Error: ${workdir}/ek.cert was not created."
    exit 1
  fi

  OIFS="$IFS"
  IFS=","

  for u in $usage; do
    echo $u
    if [ -z "$(${CERTTOOL} -i \
                 --inder --infile "${workdir}/ek.cert" | \
                grep "Key Usage" -A2 | \
                grep "$u")" ]; then
      echo "Error: Could not find key usage $u in key created " \
           "with $params."
    else
      echo "Found '$u'"
    fi
  done

  IFS="$OIFS"

  ${CERTTOOL} \
    -i \
    --inder --infile "${workdir}/ek.cert" \
    --outfile "${workdir}/ek.pem"

  ${CERTTOOL} \
    --verify \
    ${verify_profile} \
    --load-ca-certificate "${ISSUERCERT}" \
    --infile "${workdir}/ek.pem"
  if [ $? -ne 0 ]; then
    echo "Error: Could not verify certificate chain."
    exit 1
  fi

  # Delete all keys to have CA re-created
  rm -rf "${workdir}"/*.pem
done

echo "Test 1: OK"
echo

#A few tests with odd vm Ids
for vmid in \
	's p a c e|s p a c e' \
	'$(ls)>foo|$(ls)\>foo' \
	'`ls`&; #12|`ls`&\; #12' \
	'foo>&1<&2;$(ls)|foo\>&1\<&2\;$(ls)' \
	"'*|'*" \
	'"*|\"*' \
	':$$|:$$' \
	'${t}[]|${t}[]';
do
  in=$(echo "$vmid" | cut -d"|" -f1)
  exp=$(echo "$vmid" | cut -d"|" -f2)

  ${SWTPM_LOCALCA} \
    --type ek \
    --ek "${ek}" \
    --dir "${workdir}" \
    --vmid "$in" \
    --tpm2 \
    --configfile "${workdir}/swtpm-localca.conf" \
    --optsfile "${workdir}/swtpm-localca.options" \
    --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
    ${params} &>/dev/null
  if [ $? -ne 0 ]; then
    echo "Error: Test with parameters '$params' failed."
    exit 1
  fi

  if [ ! -r "${workdir}/ek.cert" ]; then
    echo "Error: ${workdir}/ek.cert was not created."
    exit 1
  fi

  ac=$(${CERTTOOL} -i --inder --infile "${workdir}/ek.cert" | \
       sed -n "s/.*Subject: CN=\(.*\)$/\1/p")
  if [ "$ac" != "$exp" ]; then
    echo "Error: unexpected subject string"
    echo "actual   : $ac"
    echo "expected : $exp"
  else
    echo "Pass: $ac"
  fi
done

echo "Test 2: OK"

exit 0
Commit	Line	Data
8f0f381f	1	#!/usr/bin/env bash
6a41f8e1 SB	2
	3	# For the license, see the LICENSE file in the root directory.
	4	#set -x
	5
611a1986 MAL	6	TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..}
611a1986 MAL	7	TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..}
313cf75c SB	8	TESTDIR=${abs_top_testdir:-$(dirname "$0")}
313cf75c SB	9
ddc75216	10	SWTPM_LOCALCA=${TOPBUILD}/src/swtpm_localca/swtpm_localca
6a41f8e1	11
cce7503c	12	workdir="$(mktemp -d "/tmp/path with spaces.XXXXXX")" \|\| exit 1
6a41f8e1	13
63b19c22 SB	14	ek="80" # 2048 bit key must have highest bit set
63b19c22 SB	15	for ((i = 1; i < 256; i++)); do
6a41f8e1 SB	16	ek="${ek}$(printf "%02x" $i)"
	17	done
	18
	19	SIGNINGKEY=${workdir}/signingkey.pem
	20	ISSUERCERT=${workdir}/issuercert.pem
	21	CERTSERIAL=${workdir}/certserial
	22
611a1986	23	PATH=${TOPBUILD}/src/swtpm_cert:$PATH
6a41f8e1	24
e5bb6f4e SB	25	source ${TESTDIR}/common
e5bb6f4e SB	26
22e975dc SB	27	if [ -n "$(${CERTTOOL} --help \| grep -E "\-\-verify-profile")" ]; then
	28	verify_profile="--verify-profile=medium"
	29	fi
	30
6a41f8e1 SB	31	trap "cleanup" SIGTERM EXIT
	32
	33	function cleanup()
	34	{
77819bb2	35	rm -rf "${workdir}"
6a41f8e1 SB	36	}
6a41f8e1 SB	37
77819bb2	38	cat <<_EOF_ > "${workdir}/swtpm-localca.conf"
6a41f8e1 SB	39	statedir=${workdir}
	40	signingkey = ${SIGNINGKEY}
	41	issuercert = ${ISSUERCERT}
	42	certserial = ${CERTSERIAL}
a73e9cb8	43	signingkey_password = password
6a41f8e1 SB	44	_EOF_
6a41f8e1 SB	45
77819bb2	46	cat <<_EOF_ > "${workdir}/swtpm-localca.options"
6a41f8e1 SB	47	--tpm-manufacturer IBM
6a41f8e1 SB	48	--tpm-model swtpm-libtpms
28c46454	49	--tpm-version 2
6a41f8e1 SB	50	--platform-manufacturer Fedora
	51	--platform-version 2.1
	52	--platform-model QEMU
	53	_EOF_
	54
	55	# the following contains the test parameters and
	56	# expected key usage
	57	for testparams in \
	58	"--allow-signing\|Digital signature" \
	59	"--allow-signing --decryption\|Digital signature,Key encipherment" \
	60	"--decryption\|Key encipherment" \
	61	"\|Key encipherment";
	62	do
	63	params=$(echo ${testparams} \| cut -d"\|" -f1)
	64	usage=$(echo ${testparams} \| cut -d"\|" -f2)
	65
	66	${SWTPM_LOCALCA} \
	67	--type ek \
77819bb2 SB	68	--ek "${ek}" \
77819bb2 SB	69	--dir "${workdir}" \
6a41f8e1 SB	70	--vmid test \
6a41f8e1 SB	71	--tpm2 \
77819bb2 SB	72	--configfile "${workdir}/swtpm-localca.conf" \
77819bb2 SB	73	--optsfile "${workdir}/swtpm-localca.options" \
28c46454	74	--tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
6a41f8e1 SB	75	${params}
	76	if [ $? -ne 0 ]; then
	77	echo "Error: Test with parameters '$params' failed."
	78	exit 1
	79	fi
	80
a73e9cb8 SB	81	# Signing key should always be password protected
	82	if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${SIGNINGKEY}")" ]; then
	83	echo "Error: Signing key is not password protected."
	84	exit 1
	85	fi
	86
	87	# For the root CA's key we flip the password protection
	88	if [ -n "${SWTPM_ROOTCA_PASSWORD}" ] ;then
	89	if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then
	90	echo "Error: Root CA's private key is not password protected."
	91	exit 1
	92	fi
	93	unset SWTPM_ROOTCA_PASSWORD
	94	else
	95	if [ -n "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then
	96	echo "Error: Root CA's private key is password protected but should not be."
	97	exit 1
	98	fi
	99	export SWTPM_ROOTCA_PASSWORD=xyz
	100	fi
	101
77819bb2	102	if [ ! -r "${workdir}/ek.cert" ]; then
6a41f8e1 SB	103	echo "Error: ${workdir}/ek.cert was not created."
	104	exit 1
	105	fi
	106
	107	OIFS="$IFS"
	108	IFS=","
	109
	110	for u in $usage; do
	111	echo $u
8aff5f76	112	if [ -z "$(${CERTTOOL} -i \
77819bb2	113	--inder --infile "${workdir}/ek.cert" \| \
6a41f8e1 SB	114	grep "Key Usage" -A2 \| \
	115	grep "$u")" ]; then
	116	echo "Error: Could not find key usage $u in key created " \
	117	"with $params."
	118	else
	119	echo "Found '$u'"
	120	fi
	121	done
	122
	123	IFS="$OIFS"
	124
8aff5f76	125	${CERTTOOL} \
6a41f8e1	126	-i \
77819bb2 SB	127	--inder --infile "${workdir}/ek.cert" \
77819bb2 SB	128	--outfile "${workdir}/ek.pem"
6a41f8e1	129
8aff5f76	130	${CERTTOOL} \
6a41f8e1	131	--verify \
22e975dc	132	${verify_profile} \
77819bb2 SB	133	--load-ca-certificate "${ISSUERCERT}" \
77819bb2 SB	134	--infile "${workdir}/ek.pem"
6a41f8e1 SB	135	if [ $? -ne 0 ]; then
	136	echo "Error: Could not verify certificate chain."
	137	exit 1
	138	fi
a73e9cb8 SB	139
	140	# Delete all keys to have CA re-created
	141	rm -rf "${workdir}"/*.pem
6a41f8e1 SB	142	done
6a41f8e1 SB	143
86b32851 SB	144	echo "Test 1: OK"
	145	echo
	146
	147	#A few tests with odd vm Ids
	148	for vmid in \
	149	's p a c e\|s p a c e' \
	150	'$(ls)>foo\|$(ls)\>foo' \
	151	'`ls`&; #12\|`ls`&\; #12' \
	152	'foo>&1<&2;$(ls)\|foo\>&1\<&2\;$(ls)' \
	153	"'\|'" \
	154	'"\|\"' \
	155	':$$\|:$$' \
	156	'${t}[]\|${t}[]';
	157	do
	158	in=$(echo "$vmid" \| cut -d"\|" -f1)
	159	exp=$(echo "$vmid" \| cut -d"\|" -f2)
	160
	161	${SWTPM_LOCALCA} \
	162	--type ek \
	163	--ek "${ek}" \
	164	--dir "${workdir}" \
	165	--vmid "$in" \
	166	--tpm2 \
	167	--configfile "${workdir}/swtpm-localca.conf" \
	168	--optsfile "${workdir}/swtpm-localca.options" \
	169	--tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
	170	${params} &>/dev/null
	171	if [ $? -ne 0 ]; then
	172	echo "Error: Test with parameters '$params' failed."
	173	exit 1
	174	fi
	175
	176	if [ ! -r "${workdir}/ek.cert" ]; then
	177	echo "Error: ${workdir}/ek.cert was not created."
	178	exit 1
	179	fi
	180
	181	ac=$(${CERTTOOL} -i --inder --infile "${workdir}/ek.cert" \| \
	182	sed -n "s/.Subject: CN=\(.\)$/\1/p")
	183	if [ "$ac" != "$exp" ]; then
	184	echo "Error: unexpected subject string"
	185	echo "actual : $ac"
	186	echo "expected : $exp"
	187	else
	188	echo "Pass: $ac"
	189	fi
	190	done
	191
	192	echo "Test 2: OK"
	193
6a41f8e1	194	exit 0