| #!/usr/bin/env bash |
| |
| # For the license, see the LICENSE file in the root directory. |
| |
| ROOT=${abs_top_builddir:-$(dirname "$0")/..} |
| TESTDIR=${abs_top_testdir:-$(dirname "$0")} |
| |
| SWTPM_CERT=${SWTPM_CERT:-${ROOT}/src/swtpm_cert/swtpm_cert} |
| |
| cert="$(mktemp)" || exit 1 |
| |
| trap "cleanup" SIGTERM EXIT |
| |
| |
| function cleanup() |
| { |
| rm -f "${cert}" |
| } |
| |
| function check_cert_size() |
| { |
| local cert="$1" |
| local exp="$2" |
| |
| local size |
| |
| # Unfortunately different GnuTLS versions may create certs of different |
| # sizes; deactivate this test for now |
| return |
| |
| size=$(stat -c%s "${cert}" 2>/dev/null) |
| if [ "$size" -ne "$exp" ]; then |
| echo "Warning: Certificate file has unexpected size." |
| echo " Expected: $exp; found: $size" |
| fi |
| } |
| |
| if ! ${SWTPM_CERT} \ |
| --tpm2 \ |
| --allow-signing \ |
| --signkey "${TESTDIR}/data/signkey.pem" \ |
| --issuercert "${TESTDIR}/data/issuercert.pem" \ |
| --out-cert "${cert}" \ |
| --modulus 'b9dda830729de58f9f5bed2b3b9394ad4ec5afb9c390b89a3337250cbc575cfc8f31f7ffd3f05f4155076f7d1605381cd281b7f147b801154e4f89ee529fe36eae50f79561850e5b63037edaacbb390ea3fcd037e674fb179e3c5afe31214d78a756ca44cc6cf25421b51420ede548310c92b08a513ccc62fd0ef45dcf6546f6e865be6a661d045d1c47b60b428d11dc97cb9f35ee7c385bb20320934b015f8014e8fb19851c2af307e1e64648c142175e40b60615dc494fdb09ea5d5a6f3273b65a241e3cf30cc449b9fb3f900d1ed4be967b32b16f95a1d732dbfa143eaa1c2017556117f70faee5d77f836705d05405361ad5871a32161fa5a1234cfab497' \ |
| --days 3650 \ |
| --pem \ |
| --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \ |
| --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0; then |
| echo "Error: ${SWTPM_CERT} returned error code." |
| exit 1 |
| fi |
| |
| #expecting size to be constant |
| check_cert_size "${cert}" 1224 |
| |
| # truncate result file |
| echo -n > "${cert}" |
| echo "Test 1: OK" |
| |
| if ! ${SWTPM_CERT} \ |
| --tpm2 \ |
| --signkey "${TESTDIR}/data/signkey.pem" \ |
| --issuercert "${TESTDIR}/data/issuercert.pem" \ |
| --out-cert "${cert}" \ |
| --modulus 'b9dda830729de58f9f5bed2b3b9394ad4ec5afb9c390b89a3337250cbc575cfc8f31f7ffd3f05f4155076f7d1605381cd281b7f147b801154e4f89ee529fe36eae50f79561850e5b63037edaacbb390ea3fcd037e674fb179e3c5afe31214d78a756ca44cc6cf25421b51420ede548310c92b08a513ccc62fd0ef45dcf6546f6e865be6a661d045d1c47b60b428d11dc97cb9f35ee7c385bb20320934b015f8014e8fb19851c2af307e1e64648c142175e40b60615dc494fdb09ea5d5a6f3273b65a241e3cf30cc449b9fb3f900d1ed4be967b32b16f95a1d732dbfa143eaa1c2017556117f70faee5d77f836705d05405361ad5871a32161fa5a1234cfab497' \ |
| --days 3650 \ |
| --subject "OU=foo,L=NewYork,ST=NY,C=US" \ |
| --pem \ |
| --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \ |
| --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0; then |
| echo "Error: ${SWTPM_CERT} returned error code." |
| exit 1 |
| fi |
| |
| #expecting size to be constant |
| check_cert_size "${cert}" 1302 |
| |
| # truncate result file |
| echo -n > "${cert}" |
| echo "Test 2: OK" |
| |
| if ! ${SWTPM_CERT} \ |
| --tpm2 \ |
| --signkey "${TESTDIR}/data/signkey.pem" \ |
| --issuercert "${TESTDIR}/data/issuercert.pem" \ |
| --out-cert "${cert}" \ |
| --pubkey "${TESTDIR}/data/pubek.pem" \ |
| --days 3650 \ |
| --subject "OU=foo,L=NewYork,ST=NY,C=US" \ |
| --pem \ |
| --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \ |
| --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0; then |
| echo "Error: ${SWTPM_CERT} returned error code." |
| exit 1 |
| fi |
| |
| #expecting size to be constant |
| check_cert_size "${cert}" 1367 |
| |
| # truncate result file |
| #certtool --certificate-info --infile ${cert} |
| echo -n > "${cert}" |
| echo "Test 3: OK" |
| |
| |
| ###################### Platform Certificate ##################### |
| |
| if ! ${SWTPM_CERT} \ |
| --tpm2 \ |
| --type platform \ |
| --signkey "${TESTDIR}/data/signkey.pem" \ |
| --issuercert "${TESTDIR}/data/issuercert.pem" \ |
| --pubkey "${TESTDIR}/data/pubek.pem" \ |
| --out-cert "${cert}" \ |
| --days 3650 \ |
| --subject "OU=foo,L=NewYork,ST=NY,C=US" \ |
| --pem \ |
| --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \ |
| --platform-manufacturer Fedora \ |
| --platform-model QEMU \ |
| --platform-version 2.1; then |
| echo "Error: ${SWTPM_CERT} returned error code." |
| exit 1 |
| fi |
| |
| #expecting size to be constant |
| check_cert_size "${cert}" 1411 |
| |
| # truncate result file |
| #certtool --certificate-info --infile ${cert} |
| echo -n > "${cert}" |
| echo "Test 4: OK" |
| |
| |
| ####################### max. serial number ##################### |
| |
| # max. serial number -- must pass |
| if ! ${SWTPM_CERT} \ |
| --tpm2 \ |
| --signkey "${TESTDIR}/data/signkey.pem" \ |
| --issuercert "${TESTDIR}/data/issuercert.pem" \ |
| --out-cert "${cert}" \ |
| --pubkey "${TESTDIR}/data/pubek.pem" \ |
| --days 3650 \ |
| --subject "OU=foo,L=NewYork,ST=NY,C=US" \ |
| --pem \ |
| --serial 1461501637330902918203684832716283019655932542975 \ |
| --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \ |
| --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0; then |
| echo "Error: ${SWTPM_CERT} failed with max. serial number." |
| exit 1 |
| fi |
| tmp=$(certtool --certificate-info --infile "${cert}" | |
| sed -n 's/.*Serial Number.*: \([[:xdigit:]*]\)/\1/p') |
| exp="00ffffffffffffffffffffffffffffffffffffffff" |
| if [ "${tmp}" != "${exp}" ]; then |
| echo "Error: unexpected serial number in cert" |
| echo "expected: ${exp}" |
| echo "actual : ${tmp}" |
| exit 1 |
| fi |
| |
| # max. serial number + 1 -- must fail |
| if ${SWTPM_CERT} \ |
| --tpm2 \ |
| --signkey "${TESTDIR}/data/signkey.pem" \ |
| --issuercert "${TESTDIR}/data/issuercert.pem" \ |
| --out-cert "${cert}" \ |
| --pubkey "${TESTDIR}/data/pubek.pem" \ |
| --days 3650 \ |
| --subject "OU=foo,L=NewYork,ST=NY,C=US" \ |
| --pem \ |
| --serial 1461501637330902918203684832716283019655932542976 \ |
| --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \ |
| --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0; then |
| echo "Error: ${SWTPM_CERT} should have failed with max. serial number + 1." |
| exit 1 |
| fi |
| |
| # truncate result file |
| #certtool --certificate-info --infile ${cert} |
| echo -n > "${cert}" |
| echo "Test 5: OK" |