| #!/usr/bin/env bash |
| |
| # For the license, see the LICENSE file in the root directory. |
| #set -x |
| |
| TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..} |
| TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..} |
| TESTDIR=${abs_top_testdir:-$(dirname "$0")} |
| |
| SWTPM_LOCALCA=${TOPSRC}/samples/swtpm-localca |
| |
| workdir=$(mktemp -d) |
| |
| ek="" |
| for ((i = 0; i < 256; i++)); do |
| ek="${ek}$(printf "%02x" $i)" |
| done |
| |
| SIGNINGKEY=${workdir}/signingkey.pem |
| ISSUERCERT=${workdir}/issuercert.pem |
| CERTSERIAL=${workdir}/certserial |
| |
| PATH=${TOPBUILD}/src/swtpm_cert:$PATH |
| |
| trap "cleanup" SIGTERM EXIT |
| |
| function cleanup() |
| { |
| rm -rf ${workdir} |
| } |
| |
| case "$(uname -s)" in |
| Darwin) |
| CERTTOOL=gnutls-certtool;; |
| *) |
| CERTTOOL=certtool;; |
| esac |
| |
| cat <<_EOF_ > ${workdir}/swtpm-localca.conf |
| statedir=${workdir} |
| signingkey = ${SIGNINGKEY} |
| issuercert = ${ISSUERCERT} |
| certserial = ${CERTSERIAL} |
| _EOF_ |
| |
| cat <<_EOF_ > ${workdir}/swtpm-localca.options |
| --tpm-manufacturer IBM |
| --tpm-model swtpm-libtpms |
| --tpm-version 2 |
| --platform-manufacturer Fedora |
| --platform-version 2.1 |
| --platform-model QEMU |
| _EOF_ |
| |
| # the following contains the test parameters and |
| # expected key usage |
| for testparams in \ |
| "--allow-signing|Digital signature" \ |
| "--allow-signing --decryption|Digital signature,Key encipherment" \ |
| "--decryption|Key encipherment" \ |
| "|Key encipherment"; |
| do |
| params=$(echo ${testparams} | cut -d"|" -f1) |
| usage=$(echo ${testparams} | cut -d"|" -f2) |
| |
| ${SWTPM_LOCALCA} \ |
| --type ek \ |
| --ek ${ek} \ |
| --dir ${workdir} \ |
| --vmid test \ |
| --tpm2 \ |
| --configfile ${workdir}/swtpm-localca.conf \ |
| --optsfile ${workdir}/swtpm-localca.options \ |
| --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \ |
| ${params} |
| if [ $? -ne 0 ]; then |
| echo "Error: Test with parameters '$params' failed." |
| exit 1 |
| fi |
| |
| if [ ! -r ${workdir}/ek.cert ]; then |
| echo "Error: ${workdir}/ek.cert was not created." |
| exit 1 |
| fi |
| |
| OIFS="$IFS" |
| IFS="," |
| |
| for u in $usage; do |
| echo $u |
| if [ -z "$(${CERTTOOL} -i \ |
| --inder --infile ${workdir}/ek.cert | \ |
| grep "Key Usage" -A2 | \ |
| grep "$u")" ]; then |
| echo "Error: Could not find key usage $u in key created " \ |
| "with $params." |
| else |
| echo "Found '$u'" |
| fi |
| done |
| |
| IFS="$OIFS" |
| |
| ${CERTTOOL} \ |
| -i \ |
| --inder --infile ${workdir}/ek.cert \ |
| --outfile ${workdir}/ek.pem |
| |
| ${CERTTOOL} \ |
| --verify \ |
| --load-ca-certificate ${ISSUERCERT} \ |
| --infile ${workdir}/ek.pem |
| if [ $? -ne 0 ]; then |
| echo "Error: Could not verify certificate chain." |
| exit 1 |
| fi |
| done |
| |
| exit 0 |