tests/test_tpm2_swtpm_localca - third_party/github.com/stefanberger/swtpm - Git at Google

 #!/usr/bin/env bash

 # For the license, see the LICENSE file in the root directory.
 #set -x

 TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..}
 TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..}
 TESTDIR=${abs_top_testdir:-$(dirname "$0")}

 SWTPM_LOCALCA=${TOPBUILD}/src/swtpm_localca/swtpm_localca

 workdir="$(mktemp -d "/tmp/path with spaces.XXXXXX")" || exit 1

 ek="80" # 2048 bit key must have highest bit set
 for ((i = 1; i < 256; i++)); do
   ek="${ek}$(printf "%02x" $i)"
 done

 SIGNINGKEY=${workdir}/signingkey.pem
 ISSUERCERT=${workdir}/issuercert.pem
 CERTSERIAL=${workdir}/certserial

 PATH=${TOPBUILD}/src/swtpm_cert:$PATH

 source ${TESTDIR}/common

 if [ -n "$(${CERTTOOL} --help | grep -E "\-\-verify-profile")" ]; then
 	verify_profile="--verify-profile=medium"
 fi

 trap "cleanup" SIGTERM EXIT

 function cleanup()
 {
 	rm -rf "${workdir}"
 }

 cat <<_EOF_ > "${workdir}/swtpm-localca.conf"
 statedir=${workdir}
 signingkey = ${SIGNINGKEY}
 issuercert = ${ISSUERCERT}
 certserial = ${CERTSERIAL}
 signingkey_password = password
 _EOF_

 cat <<_EOF_ > "${workdir}/swtpm-localca.options"
 --tpm-manufacturer IBM
 --tpm-model swtpm-libtpms
 --tpm-version 2
 --platform-manufacturer Fedora
 --platform-version 2.1
 --platform-model QEMU
 _EOF_

 # the following contains the test parameters and
 # expected key usage
 for testparams in \
 	"--allow-signing|Digital signature" \
 	"--allow-signing --decryption|Digital signature,Key encipherment" \
 	"--decryption|Key encipherment" \
 	"|Key encipherment";
 do
   params=$(echo ${testparams} | cut -d"|" -f1)
   usage=$(echo ${testparams} | cut -d"|" -f2)

   ${SWTPM_LOCALCA} \
     --type ek \
     --ek "${ek}" \
     --dir "${workdir}" \
     --vmid test \
     --tpm2 \
     --configfile "${workdir}/swtpm-localca.conf" \
     --optsfile "${workdir}/swtpm-localca.options" \
     --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
     ${params}
   if [ $? -ne 0 ]; then
     echo "Error: Test with parameters '$params' failed."
     exit 1
   fi

   # Signing key should always be password protected
   if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${SIGNINGKEY}")" ]; then
     echo "Error: Signing key is not password protected."
     exit 1
   fi

   # For the root CA's key we flip the password protection
   if [ -n "${SWTPM_ROOTCA_PASSWORD}" ] ;then
      if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then
        echo "Error: Root CA's private key is not password protected."
        exit 1
      fi
      unset SWTPM_ROOTCA_PASSWORD
   else
      if [ -n "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then
        echo "Error: Root CA's private key is password protected but should not be."
        exit 1
      fi
      export SWTPM_ROOTCA_PASSWORD=xyz
   fi

   if [ ! -r "${workdir}/ek.cert" ]; then
     echo "Error: ${workdir}/ek.cert was not created."
     exit 1
   fi

   OIFS="$IFS"
   IFS=","

   for u in $usage; do
     echo $u
     if [ -z "$(${CERTTOOL} -i \
                  --inder --infile "${workdir}/ek.cert" | \
                 grep "Key Usage" -A2 | \
                 grep "$u")" ]; then
       echo "Error: Could not find key usage $u in key created " \
            "with $params."
     else
       echo "Found '$u'"
     fi
   done

   IFS="$OIFS"

   ${CERTTOOL} \
     -i \
     --inder --infile "${workdir}/ek.cert" \
     --outfile "${workdir}/ek.pem"

   ${CERTTOOL} \
     --verify \
     ${verify_profile} \
     --load-ca-certificate "${ISSUERCERT}" \
     --infile "${workdir}/ek.pem"
   if [ $? -ne 0 ]; then
     echo "Error: Could not verify certificate chain."
     exit 1
   fi

   # Delete all keys to have CA re-created
   rm -rf "${workdir}"/*.pem
 done

 echo "Test 1: OK"
 echo

 #A few tests with odd vm Ids
 for vmid in \
 	's p a c e|s p a c e' \
 	'$(ls)>foo|$(ls)\>foo' \
 	'`ls`&; #12|`ls`&\; #12' \
 	'foo>&1<&2;$(ls)|foo\>&1\<&2\;$(ls)' \
 	"'*|'*" \
 	'"*|\"*' \
 	':$$|:$$' \
 	'${t}[]|${t}[]';
 do
   in=$(echo "$vmid" | cut -d"|" -f1)
   exp=$(echo "$vmid" | cut -d"|" -f2)

   ${SWTPM_LOCALCA} \
     --type ek \
     --ek "${ek}" \
     --dir "${workdir}" \
     --vmid "$in" \
     --tpm2 \
     --configfile "${workdir}/swtpm-localca.conf" \
     --optsfile "${workdir}/swtpm-localca.options" \
     --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
     ${params} &>/dev/null
   if [ $? -ne 0 ]; then
     echo "Error: Test with parameters '$params' failed."
     exit 1
   fi

   if [ ! -r "${workdir}/ek.cert" ]; then
     echo "Error: ${workdir}/ek.cert was not created."
     exit 1
   fi

   ac=$(${CERTTOOL} -i --inder --infile "${workdir}/ek.cert" | \
        sed -n "s/.*Subject: CN=\(.*\)$/\1/p")
   if [ "$ac" != "$exp" ]; then
     echo "Error: unexpected subject string"
     echo "actual   : $ac"
     echo "expected : $exp"
   else
     echo "Pass: $ac"
   fi
 done

 echo "Test 2: OK"

 exit 0
	#!/usr/bin/env bash

	# For the license, see the LICENSE file in the root directory.
	#set -x

	TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..}
	TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..}
	TESTDIR=${abs_top_testdir:-$(dirname "$0")}

	SWTPM_LOCALCA=${TOPBUILD}/src/swtpm_localca/swtpm_localca

	workdir="$(mktemp -d "/tmp/path with spaces.XXXXXX")" \|\| exit 1

	ek="80" # 2048 bit key must have highest bit set
	for ((i = 1; i < 256; i++)); do
	ek="${ek}$(printf "%02x" $i)"
	done

	SIGNINGKEY=${workdir}/signingkey.pem
	ISSUERCERT=${workdir}/issuercert.pem
	CERTSERIAL=${workdir}/certserial

	PATH=${TOPBUILD}/src/swtpm_cert:$PATH

	source ${TESTDIR}/common

	if [ -n "$(${CERTTOOL} --help \| grep -E "\-\-verify-profile")" ]; then
	verify_profile="--verify-profile=medium"
	fi

	trap "cleanup" SIGTERM EXIT

	function cleanup()
	{
	rm -rf "${workdir}"
	}

	cat <<_EOF_ > "${workdir}/swtpm-localca.conf"
	statedir=${workdir}
	signingkey = ${SIGNINGKEY}
	issuercert = ${ISSUERCERT}
	certserial = ${CERTSERIAL}
	signingkey_password = password
	_EOF_

	cat <<_EOF_ > "${workdir}/swtpm-localca.options"
	--tpm-manufacturer IBM
	--tpm-model swtpm-libtpms
	--tpm-version 2
	--platform-manufacturer Fedora
	--platform-version 2.1
	--platform-model QEMU
	_EOF_

	# the following contains the test parameters and
	# expected key usage
	for testparams in \
	"--allow-signing\|Digital signature" \
	"--allow-signing --decryption\|Digital signature,Key encipherment" \
	"--decryption\|Key encipherment" \
	"\|Key encipherment";
	do
	params=$(echo ${testparams} \| cut -d"\|" -f1)
	usage=$(echo ${testparams} \| cut -d"\|" -f2)

	${SWTPM_LOCALCA} \
	--type ek \
	--ek "${ek}" \
	--dir "${workdir}" \
	--vmid test \
	--tpm2 \
	--configfile "${workdir}/swtpm-localca.conf" \
	--optsfile "${workdir}/swtpm-localca.options" \
	--tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
	${params}
	if [ $? -ne 0 ]; then
	echo "Error: Test with parameters '$params' failed."
	exit 1
	fi

	# Signing key should always be password protected
	if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${SIGNINGKEY}")" ]; then
	echo "Error: Signing key is not password protected."
	exit 1
	fi

	# For the root CA's key we flip the password protection
	if [ -n "${SWTPM_ROOTCA_PASSWORD}" ] ;then
	if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then
	echo "Error: Root CA's private key is not password protected."
	exit 1
	fi
	unset SWTPM_ROOTCA_PASSWORD
	else
	if [ -n "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then
	echo "Error: Root CA's private key is password protected but should not be."
	exit 1
	fi
	export SWTPM_ROOTCA_PASSWORD=xyz
	fi

	if [ ! -r "${workdir}/ek.cert" ]; then
	echo "Error: ${workdir}/ek.cert was not created."
	exit 1
	fi

	OIFS="$IFS"
	IFS=","

	for u in $usage; do
	echo $u
	if [ -z "$(${CERTTOOL} -i \
	--inder --infile "${workdir}/ek.cert" \| \
	grep "Key Usage" -A2 \| \
	grep "$u")" ]; then
	echo "Error: Could not find key usage $u in key created " \
	"with $params."
	else
	echo "Found '$u'"
	fi
	done

	IFS="$OIFS"

	${CERTTOOL} \
	-i \
	--inder --infile "${workdir}/ek.cert" \
	--outfile "${workdir}/ek.pem"

	${CERTTOOL} \
	--verify \
	${verify_profile} \
	--load-ca-certificate "${ISSUERCERT}" \
	--infile "${workdir}/ek.pem"
	if [ $? -ne 0 ]; then
	echo "Error: Could not verify certificate chain."
	exit 1
	fi

	# Delete all keys to have CA re-created
	rm -rf "${workdir}"/*.pem
	done

	echo "Test 1: OK"
	echo

	#A few tests with odd vm Ids
	for vmid in \
	's p a c e\|s p a c e' \
	'$(ls)>foo\|$(ls)\>foo' \
	'`ls`&; #12\|`ls`&\; #12' \
	'foo>&1<&2;$(ls)\|foo\>&1\<&2\;$(ls)' \
	"'\|'" \
	'"\|\"' \
	':$$\|:$$' \
	'${t}[]\|${t}[]';
	do
	in=$(echo "$vmid" \| cut -d"\|" -f1)
	exp=$(echo "$vmid" \| cut -d"\|" -f2)

	${SWTPM_LOCALCA} \
	--type ek \
	--ek "${ek}" \
	--dir "${workdir}" \
	--vmid "$in" \
	--tpm2 \
	--configfile "${workdir}/swtpm-localca.conf" \
	--optsfile "${workdir}/swtpm-localca.options" \
	--tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
	${params} &>/dev/null
	if [ $? -ne 0 ]; then
	echo "Error: Test with parameters '$params' failed."
	exit 1
	fi

	if [ ! -r "${workdir}/ek.cert" ]; then
	echo "Error: ${workdir}/ek.cert was not created."
	exit 1
	fi

	ac=$(${CERTTOOL} -i --inder --infile "${workdir}/ek.cert" \| \
	sed -n "s/.Subject: CN=\(.\)$/\1/p")
	if [ "$ac" != "$exp" ]; then
	echo "Error: unexpected subject string"
	echo "actual : $ac"
	echo "expected : $exp"
	else
	echo "Pass: $ac"
	fi
	done

	echo "Test 2: OK"

	exit 0