tests: Refactor certificate creation tests Refactor the certificate creation tests to - create all needed keys and certs using openssl CLI tool - accept input parameters passed to test script - grep for more expected data in the created certificates - verify the created certificate with the intermediate CA - test signing with a secp521r1 key Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
diff --git a/tests/Makefile.am b/tests/Makefile.am index 6c67d6b..1737fc2 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am
@@ -82,7 +82,6 @@ test_tpm2_save_load_state_locking \ test_tpm2_setbuffersize \ test_tpm2_swtpm_cert \ - test_tpm2_swtpm_cert_ecc \ test_tpm2_swtpm_localca \ test_tpm2_swtpm_localca_pkcs11.test \ test_tpm2_swtpm_setup_create_cert \ @@ -113,12 +112,6 @@ $(TEST_UTILS) \ swtpm_setup.conf \ create_certs.sh \ - data/ecpubek.pem \ - data/ecprivek.pem \ - data/issuercert.pem \ - data/pubek.pem \ - data/signkey.pem \ - data/signkey-encrypted.pem \ data/keyfile.txt \ data/keyfile256bit.txt \ data/pwdfile.txt \ @@ -189,6 +182,7 @@ _test_save_load_state \ _test_setbuffersize \ _test_swtpm_bios \ + _test_swtpm_cert \ _test_tpm_probe \ _test_tpm2_avoid_da_lockout \ _test_tpm2_derived_keys \ @@ -213,6 +207,7 @@ _test_tpm2_save_load_state_locking \ _test_tpm2_setbuffersize \ _test_tpm2_swtpm_bios \ + _test_tpm2_swtpm_cert \ _test_tpm2_volatilestate \ _test_tpm2_wrongorder \ _test_volatilestate \
diff --git a/tests/_test_swtpm_cert b/tests/_test_swtpm_cert new file mode 100755 index 0000000..bb3d2ae --- /dev/null +++ b/tests/_test_swtpm_cert
@@ -0,0 +1,113 @@ +#!/usr/bin/env bash + +# For the license, see the LICENSE file in the root directory. + +ROOT=${abs_top_builddir:-$(dirname "$0")/..} +TESTDIR=${abs_top_testdir:=$(dirname "$0")} + +source "${TESTDIR}/common" + +trap "cleanup" SIGTERM EXIT + +function cleanup() +{ + rm -f "${cert}" "${pwdfile}" +} + +cert="$(mktemp)" || exit 1 +pwdfile="$(mktemp)" || exit 1 + +function check_cert_size() +{ + local cert="$1" + local exp="$2" + + local size + + size=$(get_filesize "${cert}") + if [ "$size" -ne "$exp" ]; then + echo "Warning: Certificate file has unexpected size." + echo " Expected: $exp; found: $size" + fi +} + +COMMON=( + --signkey "${PARAM_SIGNKEY_ENCRYPTED}" + --issuercert "${PARAM_ISSUERCERT}" + --out-cert "${cert}" + --days 3650 + --pem + --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 + --tpm-spec-family 1.2 --tpm-spec-revision 123 --tpm-spec-level 321 +) + +if ! VARNAME=${PARAM_PASSWORD} ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --signkey-pwd env:VARNAME \ + --modulus 'b9dda830729de58f9f5bed2b3b9394ad4ec5afb9c390b89a3337250cbc575cfc8f31f7ffd3f05f4155076f7d1605381cd281b7f147b801154e4f89ee529fe36eae50f79561850e5b63037edaacbb390ea3fcd037e674fb179e3c5afe31214d78a756ca44cc6cf25421b51420ede548310c92b08a513ccc62fd0ef45dcf6546f6e865be6a661d045d1c47b60b428d11dc97cb9f35ee7c385bb20320934b015f8014e8fb19851c2af307e1e64648c142175e40b60615dc494fdb09ea5d5a6f3273b65a241e3cf30cc449b9fb3f900d1ed4be967b32b16f95a1d732dbfa143eaa1c2017556117f70faee5d77f836705d05405361ad5871a32161fa5a1234cfab497'; +then + echo "Error: ${SWTPM_CERT} returned error code." + exit 1 +fi + +check_cert_size "${cert}" 1395 + +# truncate result file +echo -n > "${cert}" +echo "Test 1: OK" + +if ! ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --signkey-pwd file:<(printf "%s" "${PARAM_PASSWORD}") \ + --modulus 'b9dda830729de58f9f5bed2b3b9394ad4ec5afb9c390b89a3337250cbc575cfc8f31f7ffd3f05f4155076f7d1605381cd281b7f147b801154e4f89ee529fe36eae50f79561850e5b63037edaacbb390ea3fcd037e674fb179e3c5afe31214d78a756ca44cc6cf25421b51420ede548310c92b08a513ccc62fd0ef45dcf6546f6e865be6a661d045d1c47b60b428d11dc97cb9f35ee7c385bb20320934b015f8014e8fb19851c2af307e1e64648c142175e40b60615dc494fdb09ea5d5a6f3273b65a241e3cf30cc449b9fb3f900d1ed4be967b32b16f95a1d732dbfa143eaa1c2017556117f70faee5d77f836705d05405361ad5871a32161fa5a1234cfab497'; +then + echo "Error: ${SWTPM_CERT} returned error code." + exit 1 +fi + +#expecting size to be constant +check_cert_size "${cert}" 1395 + +# truncate result file +echo -n > "${cert}" +echo "Test 2: OK" + + +if ! ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --signkey-pwd "pass:${PARAM_PASSWORD}" \ + --pubkey "${PARAM_RSAPUBKEY}"; +then + echo "Error: ${SWTPM_CERT} returned error code." + exit 1 +fi + +check_cert_size "${cert}" 1460 + +# truncate result file +echo -n > "${cert}" +echo "Test 3: OK" + + +###################### Platform Certificate ##################### + +printf "%s" "${PARAM_PASSWORD}" > "${pwdfile}" +exec 100<"${pwdfile}" +if ! ${SWTPM_CERT} \ + --type platform \ + "${COMMON[@]}" \ + --signkey-pwd fd:100 \ + --pubkey "${PARAM_RSAPUBKEY}" \ + --platform-manufacturer Fedora \ + --platform-model QEMU \ + --platform-version 2.1; then + echo "Error: ${SWTPM_CERT} returned error code." + exit 1 +fi + +#expecting size to be constant +check_cert_size "${cert}" 1489 + +# truncate result file +echo -n > "${cert}" +echo "Test 4: OK"
diff --git a/tests/_test_tpm2_swtpm_cert b/tests/_test_tpm2_swtpm_cert new file mode 100755 index 0000000..3fae0a6 --- /dev/null +++ b/tests/_test_tpm2_swtpm_cert
@@ -0,0 +1,307 @@ +#!/usr/bin/env bash + +# For the license, see the LICENSE file in the root directory. + +ROOT=${abs_top_builddir:-$(dirname "$0")/..} +TESTDIR=${abs_top_testdir:-$(dirname "$0")} + +source "${TESTDIR}/common" + +cert="$(mktemp)" || exit 1 + +trap "cleanup" SIGTERM EXIT +function cleanup() +{ + rm -f "${cert}" +} + +function check_cert_size() +{ + local cert="$1" + local exp="$2" + + local size lo hi + + lo=$(cut -d"-" -f1 <<< "${exp}") + hi=$(cut -d"-" -f2 <<< "${exp}") + + # Check size of DER cert + size=$(openssl x509 -in "${cert}" -outform der | wc -c) + if [ "${size}" -lt "${lo}" ] || [ "${size}" -gt "${hi}" ]; then + echo "Warning: DER Certificate has unexpected size." + echo " Expected: $exp; found: $size" + fi +} + +function check_cert() +{ + local cert="$1" + local size="$2" + + shift 2 + + local txt msg + + check_cert_size "${cert}" "${size}" + txt=$(openssl x509 -in "${cert}" -noout -text) + + while [ $# -ne 0 ]; do + if ! grep -q "$1" <<< "${txt}"; then + echo "Could not find expected data in cert." + echo "expected: $1" + echo "${txt}" + exit 1 + fi + shift + done + if ! msg=$(openssl verify \ + -partial_chain \ + -CAfile "${PARAM_ISSUERCERT}" \ + "${cert}" 2>&1); then + echo "Could not verify the certificate." + echo "${msg}" + exit 1 + fi +} + +# shellcheck disable=2206 +PARAM_CERT_SIZES=(${PARAM_CERT_SIZES}) + +COMMON=( + --tpm2 + --signkey "${PARAM_SIGNKEY}" + --issuercert "${PARAM_ISSUERCERT}" + --out-cert "${cert}" + --days 3650 + --pem + --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 2 + --tpm-spec-family 2 --tpm-spec-revision 146 --tpm-spec-level 0 + --subject "CN=swtpm,serialNumber=123,O=test,OU=test" +) +TC=0 + +if ! ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --modulus b9dda830729de58f9f5bed2b3b9394ad4ec5afb9c390b89a3337250cbc575cfc8f31f7ffd3f05f4155076f7d1605381cd281b7f147b801154e4f89ee529fe36eae50f79561850e5b63037edaacbb390ea3fcd037e674fb179e3c5afe31214d78a756ca44cc6cf25421b51420ede548310c92b08a513ccc62fd0ef45dcf6546f6e865be6a661d045d1c47b60b428d11dc97cb9f35ee7c385bb20320934b015f8014e8fb19851c2af307e1e64648c142175e40b60615dc494fdb09ea5d5a6f3273b65a241e3cf30cc449b9fb3f900d1ed4be967b32b16f95a1d732dbfa143eaa1c2017556117f70faee5d77f836705d05405361ad5871a32161fa5a1234cfab497 \ + --decrypt \ + --days -1; +then + echo "Error: ${SWTPM_CERT} returned error code." + exit 1 +fi + +check_cert "${cert}" "${PARAM_CERT_SIZES[$((TC++))]}" \ + "Serial Number: 1 (0x1)" \ + "Dec 31 23:59:59 9999 GMT" \ + "Public-Key: (2048 bit)" \ + "CA:FALSE" \ + "Endorsement Key Certificate" \ + "Key Encipherment" \ + "DirName:/tcg-at-tpmManufacturer=IBM/tcg-at-tpmModel=swtpm-libtpms/tcg-at-tpmVersion=2" + +# truncate result file +echo -n > "${cert}" +echo "Test ${TC}: OK (modulus)" + + +if ! ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --ecc-x 61eaf811ea582656ca2a835dd1b9cd63eb196d7ff62711d6e9b8f85e580a47ca \ + --ecc-y a51efdc71fd6c791a24a75beb50526aa81b44cc598e65b2d5e116084aea4cb5b; +then + echo "Error: ${SWTPM_CERT} returned error code." + exit 1 +fi + +check_cert "${cert}" "${PARAM_CERT_SIZES[$((TC++))]}" \ + "Serial Number: 1 (0x1)" \ + "Public-Key: (256 bit)" \ + "CA:FALSE" \ + "Endorsement Key Certificate" \ + "Key Agreement" \ + "DirName:/tcg-at-tpmManufacturer=IBM/tcg-at-tpmModel=swtpm-libtpms/tcg-at-tpmVersion=2" + +# truncate result file +echo -n > "${cert}" +echo "Test ${TC}: OK (ecc; coordinates)" + + +if ! ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --allow-signing \ + --pubkey "${PARAM_RSAPUBKEY}"; +then + echo "Error: ${SWTPM_CERT} returned error code." + exit 1 +fi + +check_cert "${cert}" "${PARAM_CERT_SIZES[$((TC++))]}" \ + "Serial Number: 1 (0x1)" \ + "Public-Key: (2432 bit)" \ + "CA:FALSE" \ + "Endorsement Key Certificate" \ + "Digital Signature" \ + "DirName:/tcg-at-tpmManufacturer=IBM/tcg-at-tpmModel=swtpm-libtpms/tcg-at-tpmVersion=2" + +# truncate result file +echo -n > "${cert}" +echo "Test ${TC}: OK (allow signing)" + + +if ! ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --pubkey "${PARAM_ECPUBKEY}"; +then + echo "Error: ${SWTPM_CERT} returned error code." + exit 1 +fi + +check_cert "${cert}" "${PARAM_CERT_SIZES[$((TC++))]}" \ + "Serial Number: 1 (0x1)" \ + "Public-Key: (256 bit)" \ + "CA:FALSE" \ + "Endorsement Key Certificate" \ + "Key Encipherment" \ + "DirName:/tcg-at-tpmManufacturer=IBM/tcg-at-tpmModel=swtpm-libtpms/tcg-at-tpmVersion=2" + +# truncate result file +echo -n > "${cert}" +echo "Test ${TC}: OK (ecc)" + +###################### Platform Certificate ##################### + +if ! ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --serial 123 \ + --type platform \ + --pubkey "${PARAM_RSAPUBKEY}" \ + --platform-manufacturer Fedora \ + --platform-model QEMU \ + --platform-version 2.1; +then + echo "Error: ${SWTPM_CERT} returned error code." + exit 1 +fi + +check_cert "${cert}" "${PARAM_CERT_SIZES[$((TC++))]}" \ + "Serial Number: 123 (0x7b)" \ + "Public-Key: (2432 bit)" \ + "CA:FALSE" \ + "Platform Attribute Certificate" \ + "Key Encipherment" \ + "DirName:/tcg-at-platformManufacturerStr=Fedora/tcg-at-platformModel=QEMU/tcg-at-platformVersion=2.1" + +# truncate result file +echo -n > "${cert}" +echo "Test ${TC}: OK (platform cert)" + + +if ! ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --serial 12 \ + --type platform \ + --pubkey "${PARAM_ECPUBKEY}" \ + --platform-manufacturer Fedora \ + --platform-model QEMU \ + --platform-version 2.1; +then + echo "Error: ${SWTPM_CERT} returned error code." + exit 1 +fi + +check_cert "${cert}" "${PARAM_CERT_SIZES[$((TC++))]}" \ + "Serial Number: 12 (0xc)" \ + "Public-Key: (256 bit)" \ + "CA:FALSE" \ + "Platform Attribute Certificate" \ + "Key Encipherment" \ + "DirName:/tcg-at-platformManufacturerStr=Fedora/tcg-at-platformModel=QEMU/tcg-at-platformVersion=2.1" + +# truncate result file +echo -n > "${cert}" +echo "Test ${TC}: OK (platform cert; ec key)" + +###################### IAK Certificate ##################### + +serial=1234:5678 +if ! ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --type iak \ + --pubkey "${PARAM_RSAPUBKEY}" \ + --subject "serialNumber=${serial}" \ + --tpm-serial-num "${serial}"; +then + echo "Error: ${SWTPM_CERT} returned error code." + exit 1 +fi + +check_cert "${cert}" "${PARAM_CERT_SIZES[$((TC++))]}" \ + "Serial Number: 1 (0x1)" \ + "Subject: serialNumber[[:space:]]*=[[:space:]]*${serial}" \ + "Public-Key: (2432 bit)" \ + "DirName:/id-on-hardwareModuleName=0.*${serial}" \ + "CA:FALSE" \ + "Digital Signature" + +# truncate result file +echo -n > "${cert}" +echo "Test ${TC}: OK (IAK)" + +###################### IDevID Certificate ##################### + +serial=1234:5678 +if ! ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --type idevid \ + --pubkey "${PARAM_RSAPUBKEY}" \ + --subject "serialNumber=${serial}" \ + --tpm-serial-num "${serial}"; +then + echo "Error: ${SWTPM_CERT} returned error code." + exit 1 +fi + +check_cert "${cert}" "${PARAM_CERT_SIZES[$((TC++))]}" \ + "Serial Number: 1 (0x1)" \ + "Subject: serialNumber[[:space:]]*=[[:space:]]*${serial}" \ + "Public-Key: (2432 bit)" \ + "DirName:/id-on-hardwareModuleName=0.*${serial}" \ + "CA:FALSE" \ + "Digital Signature" + +# truncate result file +echo -n > "${cert}" +echo "Test ${TC}: OK (IDevID)" + +####################### max. serial number ##################### + +# max. serial number -- must pass +if ! ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --pubkey "${PARAM_RSAPUBKEY}" \ + --serial 1461501637330902918203684832716283019655932542975; +then + echo "Error: ${SWTPM_CERT} failed with max. serial number." + exit 1 +fi + +check_cert "${cert}" "${PARAM_CERT_SIZES[$((TC++))]}" \ + "Serial Number:[[:space:]]*$" \ + "ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff" \ + "Public-Key: (2432 bit)" \ + "CA:FALSE" \ + "Key Encipherment" + +# max. serial number + 1 -- must fail +if ${SWTPM_CERT} \ + "${COMMON[@]}" \ + --pubkey "${PARAM_RSAPUBKEY}" \ + --serial 1461501637330902918203684832716283019655932542976; +then + echo "Error: ${SWTPM_CERT} should have failed with max. serial number + 1." + exit 1 +fi + +# truncate result file +echo -n > "${cert}" +echo "Test ${TC}: OK (failed as expected)"
diff --git a/tests/data/ecprivek.pem b/tests/data/ecprivek.pem deleted file mode 100644 index 1823f9a..0000000 --- a/tests/data/ecprivek.pem +++ /dev/null
@@ -1,9 +0,0 @@ -ASN1 OID: prime256v1 ------BEGIN EC PARAMETERS----- -BggqhkjOPQMBBw== ------END EC PARAMETERS----- ------BEGIN EC PRIVATE KEY----- -MHcCAQEEINoBbt73wFU8ku/qodAP58flsgL94j+FsX6ycP8ts8MKoAoGCCqGSM49 -AwEHoUQDQgAEne14S57Dr9tYfw2PtsVoaC0IrHjiEFKihkvMeimuYRVxYkZh5kmZ -fwcOIKlGawAo1JhUgA3iYSlLi3ho71aq0g== ------END EC PRIVATE KEY-----
diff --git a/tests/data/ecpubek.pem b/tests/data/ecpubek.pem deleted file mode 100644 index 1907029..0000000 --- a/tests/data/ecpubek.pem +++ /dev/null
@@ -1,4 +0,0 @@ ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEne14S57Dr9tYfw2PtsVoaC0IrHji -EFKihkvMeimuYRVxYkZh5kmZfwcOIKlGawAo1JhUgA3iYSlLi3ho71aq0g== ------END PUBLIC KEY-----
diff --git a/tests/data/issuercert.pem b/tests/data/issuercert.pem deleted file mode 100644 index 4c41b62..0000000 --- a/tests/data/issuercert.pem +++ /dev/null
@@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEITCCAomgAwIBAgIMWtYHsR4z7cnrzsG6MA0GCSqGSIb3DQEBCwUAMB8xHTAb -BgNVBAMTFHN3dHBtLWxvY2FsY2Etcm9vdGNhMB4XDTE4MDQxNzE0NDE1M1oXDTI4 -MDQxNDE0NDE1M1owGDEWMBQGA1UEAxMNc3d0cG0tbG9jYWxjYTCCAaIwDQYJKoZI -hvcNAQEBBQADggGPADCCAYoCggGBAL+1uBTQ5yVOzAwkgNWxRbsqKLMvxPcRcf8W -S70ZSOUu9nvELDvMQPEGE7Y48Qxv2O/XZ8Pa9H6Gupg+uvUBTYnnHBUgJLuXF9YD -naXaS1KY1dHOVOZQygFySq7Z4E0lo8IE+3uROzJT5yv/55DAJseRBB0i5BZMgEno -KGX/61IiAhq6U9ZwTmrK7xi4EzOepNHFW2d0TpKcZAGtCESQ0uaGIileQTUL4cU4 -o0e12Z9ixOXZpJFKigtsVbSe7lrJD9PORQURHGA+p3Tb85VsPwobpNZN8D1sqKif -rSunNgh5mLseK5esx2WWen94AlbO4uYViXMK85QIiBkDGdOah5BUD8R0LFnNtPR8 -FS+4dSwYJGFCpoYqQu1RoBlIR2hREUmtYFt+8/YBUZOG8Aa4S4R2bt6nc6vP37SE -HCbkqJ8+yAmmdL1OXtT8/dQ5l1fnjbOtTAuZcyUMiHZLhRXFkNtUub6Gf+LusZRA -Vw2BQTGtqDzbBX7z7gNEPNgcwgI5kwIDAQABo2QwYjAPBgNVHRMBAf8EBTADAQH/ -MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYEFEssFsYTUSoI/6sRe4KVVdFY50Uo -MB8GA1UdIwQYMBaAFCAqCpiHlm6wK32Kv48wTVONvNeTMA0GCSqGSIb3DQEBCwUA -A4IBgQBKlh2vXX548odk5k8H+p72VeWatwwcwzdAFKY0KG5kbXGkWeJu8qlioeMl -X1tPXB0lRIf9wY+R7/eFLOeUxSqAx8gGMz7hnbG3YhjY71brPqDN8nPQowoxkG1Y -2mCjMGaTAzpO3Bi3MWnf3zrfxxivxuVv6+EyN4YnnQcs9Okd3HxmXmD1cOrWw4KV -11Ucq+Ff4W04Pz7VfftByE0dscD8SXzmnSx3nAMBxWucwXfOsbQRevzCddLBJa/T -ySZgvqhMlB7KCfQn/+JsK9N192s6kaq0OtENqEvpi3DrWXydaNCZipMKGoc7gty3 -j0sq7aUFfx2ooiDJT+pijT9HJ/N4vLavj8IU06lY1wL1ujKxarME3gqQZNX1iCq/ -OL/LAiSRJofvW5GxCB3ALPXhwXmrj6Y7qMvWY5u+cCw/NN3xi4mCOX5Qmk/wbXrC -x7j+sza1e3x7CMVmprQYLcqxewaH25APirRtnZdp8doX61fwoh1NU0Y7jehTPbN3 -ITy9dIc= ------END CERTIFICATE-----
diff --git a/tests/data/pubek.pem b/tests/data/pubek.pem deleted file mode 100644 index ec8bf0e..0000000 --- a/tests/data/pubek.pem +++ /dev/null
@@ -1,10 +0,0 @@ ------BEGIN PUBLIC KEY----- -MIIBUjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAv1muaCRQNM6UweD+Bpcl -q7Pbysd+RrpugzdPXA+lVY8yPwKSvX7jjW2fVp6SpUnqupxiqjZIWaQPznjtlHRi -7Ak8cl+pBLoBLYfEpz+EUl+IFTOaRSV6tN3ljTEh/gNhgzVk9mYB+4kgfZLNPezc -U4YRypCWxg8ipjc97Pv4zqnRaWCL7mfdmdzoddyjOx6ekvZvg8FonLW/qPOODGyR -qwN5chRD8VzRQBo0xDtPJ5Sph942/Xv5PI34P+wO2aGFzLsLD1IuEzNDtu19zEYG -HqxLuZn0YHp8ouTNKRiQRnfyHE0tLDXiAbQF71wjFQMxXXK3+DC1C0LC0Pub0sir -oxFB4hBG2tuSiM45zRj4M0J8JAfA6d6ef5bygFJly5ew9xXQc0do+1hVtROUyUSF -PwIDAQAB ------END PUBLIC KEY-----
diff --git a/tests/data/signkey-encrypted.pem b/tests/data/signkey-encrypted.pem deleted file mode 100644 index 2e2fe21..0000000 --- a/tests/data/signkey-encrypted.pem +++ /dev/null
@@ -1,42 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: AES-256-CBC,4F72E2939BD5ADD1C5F148D23C8C7B69 - -7ROHqAz7swVFcJCsxSL1TEYAWNB/WLFq7MM1pAT0CiWsm4GODgERLHb1/Zm9I8s4 -gvpAkpOslbjBZKP+kz0DgwR30RDiMalVniWrCYJn91gIqcRCjKdk400ktzg38Nr5 -yEIMODGDskumbxXV6vaFTh6blSLHfLmo1WNyKGeHB8MX2+oQUpZKL31JNWorMRHQ -gF32UOcsLFR1ZAgjtxjeFiYremmxDlBIl2OrIrl0ZepFtbLIxV8Gqpl342rN1fBo -Clks/3DHzbLjgHh/LozArdhqZFS7axp2N3V/W3TtrrLcY5sJXTFDZ+y6Dv4gREq+ -9HwwvhvjlxNovvbM4JQigf7G5C7EGRvoLJYgrWi6nB34l/mX86Us3LD+dSmTVUM/ -sqy7hnXYpZ2Xyj3UaL7pXwqlhx5dqrpBf2cr+jIhcXkCRE4Sxo438kvd91rLZyFG -3/28x36MIFLS0yJscXHx58j55pEtBeGA+WmMSuWIFdk9dhp0Ntb4nskaOGyKzITk -mspagdstrVAd4EWpaeL8MsGE1vVXWKC2fJrt8UlZPy0C7AlbS53SSAdrddxCOFN6 -LMGzZl73Szy+FRADuL0jJBYnJm84DBx5VXHx9jjRVKlfMUy7Rg/QZvHqC0cyEd/b -ccCMXeGqLGrVxj5uXZ/aHb0E3e2TU1PgZBZTU9RXfDmQUy2sxzlFFbfpeae9KOB+ -vu/v4sjbsZatFgHUwB7RZjosgC+b6eWJlRtkR2qC1S79Hjpa1P8VMHgR8G2Uyg43 -j4101PgA/dbOpFXQ2e4MX7vs/nuGEgd2+JNRnIQ3g5lnWzHBCjGtRsAmsYxTZjZc -CvuaGStwDk4TZbJqI4jQmcgZ1dKpXT+ElFyfWzrufYIZL5QyyazUtz1EOqPR+rdl -9NZ6gI9SSKhobqHPY5nffMq2hCOjkYJ0gKp9ufiQKLS2U3uzqNJ+ZINI7lzjj2v1 -Y96Frn8RVF/7Vks+FVlurpM9110toPfNNrqph+KDQjIotIdfGAUJOyypBA7aTD1q -dz6M6SVOAyVhtnx1LqA5kR3S/yjFipVOT0XZli04gCEKsAOPGsVp7v0+Bij3x1I0 -WK5shQsZzUaiHtDxdQl0yoVmC6ujjHWpGOPTq+qWkd5dtlxNpPTOKXhAQiyRGV3D -ytHCjxV+5obqpwdYK7s/+eDtlbLum6zBXY7OU6TwJJB3wdteYpi/mGVWDxiBqCVa -iQnG7ulr+nBNti1gGj8NwtQ1mCPZsuLkrqwq8hrDOJan8JQC+xUz/DGdsUKIFlYn -WeamZ94kQSCNLmmS0eEac1Npq4b7z09y8zZ8lb6hAGe1LnVa+Jsumj4r7Rz1XMMe -pj4nc1W2BwNzjgNo92JkkxCFEwDH+HOceh8S9yRPOQYzvvom8jCIgdU5f0aNgxQw -HdPTjYRMHoXe0rxovMFS2xhxOJd80JiNhaiZo57CqES4+LRe7jgZHc+LEQEn4pzY -8bTWjyk5yZkpDvqrYTTsl5w2v83YAiRibAvfpilfkgzrjK+IQB0OAS77X/TcFHho -bfwfeb6WWSpl1ORLm0exUXu+Gbe5n5axCNVtwyrVD+nTevozS/manKHLrsymJ628 -Bej6lZmr5fISn5y3xRaW4ktRrdeibpOGVOELBMsU7icm2DzJFs/JpCMJElV/qNsD -KcBDOhRkt3qnQuCXk+bRdlNUpEFXzHP6oD9j1/ueA5sFG1m4yAHA+y16xCussdTJ -mC9JtCt10cXnqHULBfrTxu23a4E+qEa1GKKbV/vnJGlqPhGkMZeuuXz8gEoAyC5S -Xf4XjFXAY9CBLbzD43TCIdUTYrpq22XMbICC2dmD9UF9+u54VQnIolxvgqRZEe/b -Kpur0RTyWci8xXpKM0gzVi1JNyb6QijvEXif9JhW+a5PaKT5SZwB36Rs0uT7ZYl/ -h+Jc+ylh4ITxHYNkZxjTgXN1kxcKgq5A0ojvxbDAe40ZY06TqiOfmI/CQE8f6vkp -4/oeq+9HHAs7uiu+KEkDpBnSopPKRy9UBC0UZVkq7AUpeRAEUnUbkOI91afKbkms -0yNcVKkNR/Hx9IK32A0vr9cZoJshG4GA63I2i/HO0F7cJAtHM9A6UGH7/PaM7OSZ -6m6q3hv/nIfTrMkPaIhVnOjNJehlnbb6IIICs1Wrs4GFnOiURFW4AjRRjQagJF/x -u6Lzx3AHepYdYhBISyM5PuxP1FUxYjxkI8tUT78F0vbYo+xfQ8JTX/wRT23T3Tnj -yYX/R9h8Aqb3lRSpS0IyAHuuO79c9ih2D0uF9WaZBfwZD7x/y8cpQV07gXMhkHb6 -uPpjKpnDY0yvS9qNSCJJ32oBUQCpvSpW2qK5AiDwfDcsP8e+kAsew8/V4GnRuqFp ------END RSA PRIVATE KEY-----
diff --git a/tests/data/signkey.pem b/tests/data/signkey.pem deleted file mode 100644 index 46c226c..0000000 --- a/tests/data/signkey.pem +++ /dev/null
@@ -1,190 +0,0 @@ -Public Key Info: - Public Key Algorithm: RSA - Key Security Level: High (3072 bits) - -modulus: - 00:bf:b5:b8:14:d0:e7:25:4e:cc:0c:24:80:d5:b1:45 - bb:2a:28:b3:2f:c4:f7:11:71:ff:16:4b:bd:19:48:e5 - 2e:f6:7b:c4:2c:3b:cc:40:f1:06:13:b6:38:f1:0c:6f - d8:ef:d7:67:c3:da:f4:7e:86:ba:98:3e:ba:f5:01:4d - 89:e7:1c:15:20:24:bb:97:17:d6:03:9d:a5:da:4b:52 - 98:d5:d1:ce:54:e6:50:ca:01:72:4a:ae:d9:e0:4d:25 - a3:c2:04:fb:7b:91:3b:32:53:e7:2b:ff:e7:90:c0:26 - c7:91:04:1d:22:e4:16:4c:80:49:e8:28:65:ff:eb:52 - 22:02:1a:ba:53:d6:70:4e:6a:ca:ef:18:b8:13:33:9e - a4:d1:c5:5b:67:74:4e:92:9c:64:01:ad:08:44:90:d2 - e6:86:22:29:5e:41:35:0b:e1:c5:38:a3:47:b5:d9:9f - 62:c4:e5:d9:a4:91:4a:8a:0b:6c:55:b4:9e:ee:5a:c9 - 0f:d3:ce:45:05:11:1c:60:3e:a7:74:db:f3:95:6c:3f - 0a:1b:a4:d6:4d:f0:3d:6c:a8:a8:9f:ad:2b:a7:36:08 - 79:98:bb:1e:2b:97:ac:c7:65:96:7a:7f:78:02:56:ce - e2:e6:15:89:73:0a:f3:94:08:88:19:03:19:d3:9a:87 - 90:54:0f:c4:74:2c:59:cd:b4:f4:7c:15:2f:b8:75:2c - 18:24:61:42:a6:86:2a:42:ed:51:a0:19:48:47:68:51 - 11:49:ad:60:5b:7e:f3:f6:01:51:93:86:f0:06:b8:4b - 84:76:6e:de:a7:73:ab:cf:df:b4:84:1c:26:e4:a8:9f - 3e:c8:09:a6:74:bd:4e:5e:d4:fc:fd:d4:39:97:57:e7 - 8d:b3:ad:4c:0b:99:73:25:0c:88:76:4b:85:15:c5:90 - db:54:b9:be:86:7f:e2:ee:b1:94:40:57:0d:81:41:31 - ad:a8:3c:db:05:7e:f3:ee:03:44:3c:d8:1c:c2:02:39 - 93: - -public exponent: - 01:00:01: - -private exponent: - 00:be:f0:c5:29:a6:6f:b2:4e:eb:18:64:fb:14:db:7d - 72:4f:29:3e:5f:23:b4:58:e1:cb:89:6f:62:26:5e:de - 35:8a:35:f7:4b:7f:3b:8e:ab:00:bc:7d:4f:f5:75:c7 - a8:b0:29:41:26:67:5c:00:f1:3b:c4:0b:26:b6:83:d7 - b0:b4:48:da:19:ab:bc:53:5e:e0:3f:b5:b2:cc:db:1c - a7:30:bf:c8:db:f2:91:20:c1:94:0e:22:5c:ca:f4:cb - ba:70:b1:f9:b0:37:14:58:aa:0c:a3:5c:3c:4d:85:b4 - 9a:2c:2b:86:c1:8b:9f:52:0e:ac:8d:d8:3e:cf:48:98 - 03:5b:49:37:af:ec:f2:ea:87:9f:1b:c8:e8:fd:e6:f9 - e9:7b:2d:30:3e:b8:2e:d2:03:85:ef:cd:61:60:b9:45 - f5:68:3f:7a:28:70:95:df:01:bd:27:0e:29:8c:4b:f6 - 5d:af:72:a6:f5:2b:e8:ab:d9:78:cb:5c:1c:b7:96:20 - 8e:30:bc:ba:0c:7d:66:fa:11:0a:d0:3e:02:b8:6e:64 - 2c:73:4c:cc:e3:f0:6a:8f:7c:a6:a2:17:6c:d2:82:47 - 17:33:e3:17:e7:a4:ad:e0:5c:d7:23:50:45:f2:fc:a8 - 47:9f:c9:26:f9:9b:e1:94:4d:cf:a5:b5:bf:96:9a:80 - e9:39:8b:51:5e:79:59:85:c1:fc:25:96:9e:4a:ce:b8 - b9:48:ed:cc:b9:1a:a1:98:05:7c:02:6e:53:39:b2:eb - 48:14:89:0b:60:2e:ea:64:89:05:11:e5:39:b0:72:0f - a3:56:bd:49:65:eb:d1:51:30:a2:c9:d1:f3:f2:e5:4b - d0:f6:ff:e4:8d:87:bc:24:a0:6b:e2:7b:c7:88:26:c6 - 2a:f0:3a:94:a9:4a:cd:04:f4:9b:e1:78:f1:94:ff:11 - 31:80:5f:be:05:8d:f0:16:c1:0b:61:02:2b:cc:6b:7d - 01:c7:2e:2b:dc:e0:9a:07:67:1f:db:a8:d3:f5:65:3e - c1: - -prime1: - 00:c5:1a:78:1b:df:1d:ec:13:ac:52:53:85:b9:63:c8 - dd:5d:05:83:34:3e:07:b3:d4:2f:75:5d:a9:28:c3:96 - 84:18:31:ac:c6:d4:81:23:c8:67:72:e0:44:97:92:36 - 5f:0a:30:ed:d8:75:7a:46:ed:83:f0:6a:88:bc:fe:0c - f2:9c:09:3c:66:01:71:ee:4c:5c:5c:6d:6b:97:56:cb - 7d:2c:90:ce:7d:b3:e3:94:3a:27:94:40:1c:aa:8a:ae - e1:b9:d8:0d:5a:29:a0:2a:54:bf:77:23:22:58:8c:29 - 3a:ee:15:d5:57:be:41:76:78:c7:11:f6:6f:8d:80:89 - 1e:1a:d7:a4:a5:a5:df:cf:81:00:bd:fb:de:f3:cd:d1 - 5a:76:0a:52:ed:68:ed:7e:ad:16:96:df:95:8a:59:25 - 33:2d:35:0c:e8:02:19:96:be:40:a7:91:08:a2:16:01 - 05:6b:12:04:e7:91:41:39:1a:a9:15:21:e7:d7:59:f7 - 43: - -prime2: - 00:f8:fe:aa:bf:03:5f:45:c9:7e:7b:ac:d6:28:55:70 - 59:f1:68:0c:56:89:2b:38:2d:98:41:63:11:98:f8:7d - 8b:e1:76:58:0e:17:e2:d2:0b:fc:ee:31:c4:27:a3:49 - 28:5c:2f:21:1c:75:89:6d:6c:b3:ce:d7:50:01:a6:ef - cd:ec:e8:1c:01:cb:86:42:66:65:f8:c1:30:44:5d:6f - 9c:51:8b:33:a1:e0:d0:dd:77:f3:6a:05:37:08:87:ad - 3b:de:9c:d3:45:60:ac:d5:59:0f:09:53:ff:eb:eb:94 - 22:a6:2c:f0:0a:a3:82:c9:67:9a:28:73:8d:3b:36:3d - e7:1f:7a:1c:0c:86:04:0f:f9:14:b3:f7:88:88:94:30 - 38:28:45:96:a7:8b:a2:96:3b:4c:0a:9f:53:15:5a:ef - 92:97:e2:73:2d:49:f8:ab:b1:e6:81:12:36:0a:e6:a9 - 18:3b:99:48:1b:8a:ca:93:55:16:eb:97:fe:60:9d:c7 - 71: - -coefficient: - 77:f0:e7:18:46:f3:f8:b6:01:33:c4:b1:15:8d:ce:dc - c7:ee:c1:45:96:66:7b:13:6c:2d:fa:dc:f7:53:98:af - 45:4f:f6:a0:48:9c:34:31:9a:cb:24:f3:24:52:83:e5 - ad:14:15:75:13:6c:15:37:7b:18:af:39:e7:35:91:3d - 9a:c3:64:51:fd:95:48:7c:18:68:7e:2a:0d:f1:92:f1 - fa:b0:a6:b0:71:b3:71:1d:c8:19:24:05:f5:99:2a:a6 - 47:72:e7:78:d3:48:80:03:5b:a6:2e:ac:6e:6d:d2:e6 - fa:2a:e4:70:84:1c:bc:46:58:5a:9c:b9:da:c0:eb:63 - 99:53:86:8f:1c:23:b1:20:c8:10:dd:2f:15:12:80:ad - 67:dc:1c:29:60:bf:68:c7:ff:e2:98:38:eb:e9:22:3d - 47:63:8a:2b:6c:70:a8:4c:b4:8a:2e:ac:3b:9c:49:fb - 30:14:38:0e:de:eb:67:b0:ea:3c:72:f6:db:36:45:86 - - -exp1: - 00:91:ed:73:e9:66:ba:17:93:c5:2c:3a:8c:31:e2:af - cf:3c:54:9d:7c:2b:44:b6:9e:2c:f8:de:fc:23:a3:13 - 27:ff:65:9f:be:a1:8c:6e:fa:ab:a4:80:68:28:33:e7 - 2f:5c:33:37:94:df:fd:44:d0:0a:b4:0f:9b:e7:18:cc - 6b:3e:9d:13:eb:8d:bc:55:2a:91:e3:18:5b:e4:f3:2c - bb:23:28:9e:c8:b0:4b:98:ed:a9:69:f8:41:80:fe:26 - 56:16:aa:df:cf:d6:2b:af:cb:88:e9:e2:c8:45:f8:97 - 79:fa:d5:8d:5b:66:0f:bf:6f:d2:2a:f9:62:43:c8:5b - 3c:3f:b1:52:44:15:d7:eb:20:5e:75:4a:2a:1a:25:52 - 8f:7f:ff:4a:c0:5c:c4:20:da:73:74:06:5b:07:cf:d2 - 5b:de:67:7d:83:b4:32:4f:c9:d1:c2:7d:fd:7f:4b:7d - 3c:0e:b6:8b:8d:0a:9c:d8:73:65:a5:b0:b1:9e:5e:0c - 53: - -exp2: - 6a:83:6e:81:45:ad:04:ca:7c:2b:e5:b4:bb:0e:49:80 - 80:4f:55:2f:d3:7f:c4:89:64:9f:5c:04:d4:1e:40:7e - 8d:15:35:f7:d9:69:f3:16:a3:bd:35:56:c6:ea:07:ca - 97:1c:a6:1a:69:81:3f:69:07:c6:0c:bf:31:e5:ba:a1 - a9:9d:65:15:b3:7d:9c:7b:f7:55:21:37:47:97:7c:be - 2e:f7:d0:3f:88:4f:70:dd:f6:27:bd:51:5c:79:c5:b6 - 5d:b5:52:7f:54:2a:bb:1d:5c:dc:4d:ad:a5:bb:61:e4 - 2c:97:fe:9b:5e:74:fd:39:2f:6d:ec:78:57:03:0e:1a - 07:92:11:db:9d:9c:b1:44:89:01:af:7b:1d:89:de:d2 - b7:0f:85:b1:e8:7e:c5:ab:5a:0d:15:38:d2:62:d3:27 - 2f:87:f4:63:44:48:77:12:24:1b:c4:b1:8f:9a:3a:6d - 9e:59:24:ca:7b:65:ca:fe:d4:4e:35:f7:e0:56:be:51 - - - -Public Key ID: 4B:2C:16:C6:13:51:2A:08:FF:AB:11:7B:82:95:55:D1:58:E7:45:28 -Public key's random art: -+--[ RSA 3072]----+ -|. =Bo .oo | -| o . o.oEo.. | -| o o * .. | -| + o + | -| + . o S | -| o o o o . | -|. + o . | -| = | -| . | -+-----------------+ - ------BEGIN RSA PRIVATE KEY----- -MIIG5AIBAAKCAYEAv7W4FNDnJU7MDCSA1bFFuyoosy/E9xFx/xZLvRlI5S72e8Qs -O8xA8QYTtjjxDG/Y79dnw9r0foa6mD669QFNieccFSAku5cX1gOdpdpLUpjV0c5U -5lDKAXJKrtngTSWjwgT7e5E7MlPnK//nkMAmx5EEHSLkFkyASegoZf/rUiICGrpT -1nBOasrvGLgTM56k0cVbZ3ROkpxkAa0IRJDS5oYiKV5BNQvhxTijR7XZn2LE5dmk -kUqKC2xVtJ7uWskP085FBREcYD6ndNvzlWw/Chuk1k3wPWyoqJ+tK6c2CHmYux4r -l6zHZZZ6f3gCVs7i5hWJcwrzlAiIGQMZ05qHkFQPxHQsWc209HwVL7h1LBgkYUKm -hipC7VGgGUhHaFERSa1gW37z9gFRk4bwBrhLhHZu3qdzq8/ftIQcJuSonz7ICaZ0 -vU5e1Pz91DmXV+eNs61MC5lzJQyIdkuFFcWQ21S5voZ/4u6xlEBXDYFBMa2oPNsF -fvPuA0Q82BzCAjmTAgMBAAECggGBAL7wxSmmb7JO6xhk+xTbfXJPKT5fI7RY4cuJ -b2ImXt41ijX3S387jqsAvH1P9XXHqLApQSZnXADxO8QLJraD17C0SNoZq7xTXuA/ -tbLM2xynML/I2/KRIMGUDiJcyvTLunCx+bA3FFiqDKNcPE2FtJosK4bBi59SDqyN -2D7PSJgDW0k3r+zy6oefG8jo/eb56XstMD64LtIDhe/NYWC5RfVoP3oocJXfAb0n -DimMS/Zdr3Km9Svoq9l4y1wct5YgjjC8ugx9ZvoRCtA+ArhuZCxzTMzj8GqPfKai -F2zSgkcXM+MX56St4FzXI1BF8vyoR5/JJvmb4ZRNz6W1v5aagOk5i1FeeVmFwfwl -lp5Kzri5SO3MuRqhmAV8Am5TObLrSBSJC2Au6mSJBRHlObByD6NWvUll69FRMKLJ -0fPy5UvQ9v/kjYe8JKBr4nvHiCbGKvA6lKlKzQT0m+F48ZT/ETGAX74FjfAWwQth -AivMa30Bxy4r3OCaB2cf26jT9WU+wQKBwQDFGngb3x3sE6xSU4W5Y8jdXQWDND4H -s9QvdV2pKMOWhBgxrMbUgSPIZ3LgRJeSNl8KMO3YdXpG7YPwaoi8/gzynAk8ZgFx -7kxcXG1rl1bLfSyQzn2z45Q6J5RAHKqKruG52A1aKaAqVL93IyJYjCk67hXVV75B -dnjHEfZvjYCJHhrXpKWl38+BAL373vPN0Vp2ClLtaO1+rRaW35WKWSUzLTUM6AIZ -lr5Ap5EIohYBBWsSBOeRQTkaqRUh59dZ90MCgcEA+P6qvwNfRcl+e6zWKFVwWfFo -DFaJKzgtmEFjEZj4fYvhdlgOF+LSC/zuMcQno0koXC8hHHWJbWyzztdQAabvzezo -HAHLhkJmZfjBMERdb5xRizOh4NDdd/NqBTcIh6073pzTRWCs1VkPCVP/6+uUIqYs -8AqjgslnmihzjTs2PecfehwMhgQP+RSz94iIlDA4KEWWp4uiljtMCp9TFVrvkpfi -cy1J+Kux5oESNgrmqRg7mUgbisqTVRbrl/5gncdxAoHBAJHtc+lmuheTxSw6jDHi -r888VJ18K0S2niz43vwjoxMn/2WfvqGMbvqrpIBoKDPnL1wzN5Tf/UTQCrQPm+cY -zGs+nRPrjbxVKpHjGFvk8yy7IyieyLBLmO2pafhBgP4mVhaq38/WK6/LiOniyEX4 -l3n61Y1bZg+/b9Iq+WJDyFs8P7FSRBXX6yBedUoqGiVSj3//SsBcxCDac3QGWwfP -0lveZ32DtDJPydHCff1/S308DraLjQqc2HNlpbCxnl4MUwKBwGqDboFFrQTKfCvl -tLsOSYCAT1Uv03/EiWSfXATUHkB+jRU199lp8xajvTVWxuoHypccphppgT9pB8YM -vzHluqGpnWUVs32ce/dVITdHl3y+LvfQP4hPcN32J71RXHnFtl21Un9UKrsdXNxN -raW7YeQsl/6bXnT9OS9t7HhXAw4aB5IR252csUSJAa97HYne0rcPhbHofsWrWg0V -ONJi0ycvh/RjREh3EiQbxLGPmjptnlkkyntlyv7UTjX34Fa+UQKBwHfw5xhG8/i2 -ATPEsRWNztzH7sFFlmZ7E2wt+tz3U5ivRU/2oEicNDGayyTzJFKD5a0UFXUTbBU3 -exivOec1kT2aw2RR/ZVIfBhofioN8ZLx+rCmsHGzcR3IGSQF9Zkqpkdy53jTSIAD -W6YurG5t0ub6KuRwhBy8RlhanLnawOtjmVOGjxwjsSDIEN0vFRKArWfcHClgv2jH -/+KYOOvpIj1HY4orbHCoTLSKLqw7nEn7MBQ4Dt7rZ7DqPHL22zZFhg== ------END RSA PRIVATE KEY-----
diff --git a/tests/data/swtpm-localca-rootca-cert.pem b/tests/data/swtpm-localca-rootca-cert.pem deleted file mode 100644 index 89a7c42..0000000 --- a/tests/data/swtpm-localca-rootca-cert.pem +++ /dev/null
@@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEBzCCAm+gAwIBAgIMWtYHsQCZEuhkMw24MA0GCSqGSIb3DQEBCwUAMB8xHTAb -BgNVBAMTFHN3dHBtLWxvY2FsY2Etcm9vdGNhMB4XDTE4MDQxNzE0NDE1M1oXDTI4 -MDQxNDE0NDE1M1owHzEdMBsGA1UEAxMUc3d0cG0tbG9jYWxjYS1yb290Y2EwggGi -MA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCr+QDbyew2WXnlSyPiTDaRHlFz -u/YxVXgpHUf1OQjnxg3rsYq87TBa058R5DkqdJwtwIzHL4zlXrK/fq2LDFTeS89v -QSWMx61SayExCCKOQqkTs7jpt8Gy1PNxVeCekyXKwevwRAt0dVebLANwy1xaOlyQ -XpSyCUuJIn1jrmCJIP7yK8EJnOSXuMrH4FZbRC2OkQXmS5AETigZ9lpTxuB2bukp -egf5dNVW3TBW/ugH9/wToSvkisrchv/IHxqGY7tAADo8a31ptJ1uURbeY1tHQtwd -qBuj9t3dWfmzSdC4RTyGzwywTrIgT/xn2bagVCMNzxiAjHthmotNZ7XjNlO6IZMJ -DBJXmk8H8Nf4I8HTNAPRfXYUkVmHx82909PnpC9UV0z/m7v2JSUKvQYHSes+Kan3 -n/Rie7/fOUUGuPhozup5gTauPgVue8YtYGY0DNeLwK5BrImRM9apDuUJQ8LSLa6c -d45SzPp16+GJ6qCKQTEnSdmTyeg1k+L61h+EN80CAwEAAaNDMEEwDwYDVR0TAQH/ -BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBQgKgqYh5ZusCt9ir+P -ME1TjbzXkzANBgkqhkiG9w0BAQsFAAOCAYEAi4Ed2INpqVXvZkoJ/771U+jBS2PQ -IP+2OynmMd0OLFMwcKMds38joRR+K9IVS0z3gFI9uH0hMBtozLI809qTGBV2CLsP -KS0MMSIjtFzxGRKeHqRO8Iys3Z5kxc5dPUP+d9nODDhrUpGTFBuplhD6PpypOrfd -wYgLNhtwcqZ5hVdK/QZ8Ti4ZlrpeMCRMPs6ZVJU/d3YDFZNygCKnDhAlcf+06UG+ -LeqF64FhyokSyn0nflzSziuAmQhiBdY/l6XuOLbK9K9VBVVO1RtfHderc/lvqCs/ -0rmgjPLNfo4nLJNz8gk0SsHmF8ntKx8hcKeepnAFzlM/XvL6faJXXm5axmMNd+kb -Vorqs23oHaqgY0Z9XMm2NjBo3DnkANUDywYVddhcqa+VABl8KjZfal9mIzNT+wY2 -jbFFbRwwkox7+UaZuFdUoxWd4zQEed5pcNeBbrFUrFeLln7Dsn0npYc7UlJpwI7W -+181x87URGPZcu/ykj6XD0wsxonAjXZIIwIb ------END CERTIFICATE-----
diff --git a/tests/data/swtpm-localca-rootca-privkey.pem b/tests/data/swtpm-localca-rootca-privkey.pem deleted file mode 100644 index 3e1403b..0000000 --- a/tests/data/swtpm-localca-rootca-privkey.pem +++ /dev/null
@@ -1,190 +0,0 @@ -Public Key Info: - Public Key Algorithm: RSA - Key Security Level: High (3072 bits) - -modulus: - 00:ab:f9:00:db:c9:ec:36:59:79:e5:4b:23:e2:4c:36 - 91:1e:51:73:bb:f6:31:55:78:29:1d:47:f5:39:08:e7 - c6:0d:eb:b1:8a:bc:ed:30:5a:d3:9f:11:e4:39:2a:74 - 9c:2d:c0:8c:c7:2f:8c:e5:5e:b2:bf:7e:ad:8b:0c:54 - de:4b:cf:6f:41:25:8c:c7:ad:52:6b:21:31:08:22:8e - 42:a9:13:b3:b8:e9:b7:c1:b2:d4:f3:71:55:e0:9e:93 - 25:ca:c1:eb:f0:44:0b:74:75:57:9b:2c:03:70:cb:5c - 5a:3a:5c:90:5e:94:b2:09:4b:89:22:7d:63:ae:60:89 - 20:fe:f2:2b:c1:09:9c:e4:97:b8:ca:c7:e0:56:5b:44 - 2d:8e:91:05:e6:4b:90:04:4e:28:19:f6:5a:53:c6:e0 - 76:6e:e9:29:7a:07:f9:74:d5:56:dd:30:56:fe:e8:07 - f7:fc:13:a1:2b:e4:8a:ca:dc:86:ff:c8:1f:1a:86:63 - bb:40:00:3a:3c:6b:7d:69:b4:9d:6e:51:16:de:63:5b - 47:42:dc:1d:a8:1b:a3:f6:dd:dd:59:f9:b3:49:d0:b8 - 45:3c:86:cf:0c:b0:4e:b2:20:4f:fc:67:d9:b6:a0:54 - 23:0d:cf:18:80:8c:7b:61:9a:8b:4d:67:b5:e3:36:53 - ba:21:93:09:0c:12:57:9a:4f:07:f0:d7:f8:23:c1:d3 - 34:03:d1:7d:76:14:91:59:87:c7:cd:bd:d3:d3:e7:a4 - 2f:54:57:4c:ff:9b:bb:f6:25:25:0a:bd:06:07:49:eb - 3e:29:a9:f7:9f:f4:62:7b:bf:df:39:45:06:b8:f8:68 - ce:ea:79:81:36:ae:3e:05:6e:7b:c6:2d:60:66:34:0c - d7:8b:c0:ae:41:ac:89:91:33:d6:a9:0e:e5:09:43:c2 - d2:2d:ae:9c:77:8e:52:cc:fa:75:eb:e1:89:ea:a0:8a - 41:31:27:49:d9:93:c9:e8:35:93:e2:fa:d6:1f:84:37 - cd: - -public exponent: - 01:00:01: - -private exponent: - 49:ec:c4:1d:b6:f3:3f:79:bf:18:7d:f0:72:fa:e8:0a - 01:ca:69:c1:c6:d6:f6:32:ad:19:d5:30:e8:cf:97:32 - 60:11:8d:44:62:6a:63:7a:e7:b5:5d:6f:89:d3:62:45 - 30:b5:b0:ce:7e:f6:46:33:2b:0b:7e:5d:03:84:cd:86 - b1:77:fe:0f:37:21:09:44:cc:45:19:03:86:c7:b3:f7 - 9b:ce:c8:57:18:c0:d1:17:1a:cb:7b:50:bb:39:ef:6f - 33:75:a1:02:ab:7d:71:16:70:0e:58:21:32:7f:78:b7 - a0:96:e1:c8:86:8a:f1:cb:f2:ab:4c:d3:68:c6:3e:ac - 5c:6b:a5:bb:59:72:84:21:64:62:67:01:5c:9d:e6:f4 - de:70:20:e5:1a:5e:52:3b:76:a9:92:68:c9:d2:97:f2 - d1:42:91:7d:cf:a7:c0:3d:65:15:b8:0d:ed:8d:b8:bf - 35:31:0a:fb:5f:46:fa:65:49:f2:f2:07:cc:d3:30:53 - 3d:50:c6:40:93:32:04:ee:e5:a4:32:1b:07:0c:d1:87 - bd:49:cd:0f:c3:df:9e:2c:11:9b:99:e4:e6:83:b4:61 - a6:35:b0:91:46:3f:9c:86:74:c2:f8:2d:0b:e4:b6:9b - 3d:dd:cb:38:d7:73:b3:65:c4:3f:f2:96:09:69:bb:d3 - b0:b3:73:80:66:83:45:48:aa:ef:34:1d:cf:b2:82:9b - e8:9b:29:5a:3a:fd:b2:90:b9:52:be:4a:ea:f3:fd:c1 - 6a:d4:25:d5:79:cf:d9:85:b6:62:d6:da:0b:d0:b2:21 - 26:37:f1:ae:d9:74:cb:35:98:73:40:d5:51:e9:91:dc - b9:94:d2:36:e2:fd:b4:72:fa:e0:6b:a0:c6:c4:e8:fc - 29:d3:2e:94:c5:d2:66:94:34:f9:24:29:6b:f7:ea:bf - 8b:dc:23:5e:04:cd:76:a7:4e:a9:b7:e9:80:cb:be:d1 - 5f:c9:c5:51:ad:b5:f1:3f:af:e9:51:8a:53:c0:d3:d1 - - -prime1: - 00:c7:2a:e9:5e:01:20:1b:cb:84:6b:17:7a:73:90:6a - 5c:41:dc:7d:ee:95:37:34:da:08:9e:c8:51:75:2e:51 - 82:ee:6f:75:50:26:b2:28:ff:fc:d4:da:c1:37:76:84 - 7f:9d:b7:a2:1c:68:6f:96:fd:52:ba:4e:74:bf:02:cc - b6:bd:a8:72:0d:f6:78:1f:98:b4:e0:9b:6f:47:e2:70 - 0f:f2:20:78:0a:c7:e0:61:9e:02:81:7b:40:fe:08:64 - fd:0d:0b:f3:54:4e:65:60:10:29:a4:b4:99:dc:61:f8 - 3b:20:e9:a4:8c:9e:ea:54:b6:96:0e:9f:2e:60:9f:23 - bf:ae:84:01:7f:7a:77:5a:66:d9:73:e0:25:f9:2a:49 - 79:37:28:19:39:3f:3e:ef:94:f3:e7:3f:e2:ef:f5:ab - e0:b5:dd:18:28:3a:23:49:8b:a1:87:8c:e3:0b:f9:ff - 38:c5:36:74:10:14:ca:87:3c:82:0a:83:e6:75:a2:d9 - 7b: - -prime2: - 00:dd:0b:83:d1:10:04:08:39:0a:4c:c2:78:05:b4:70 - 91:4e:b2:66:2b:de:2c:c4:3c:2c:30:17:d3:29:10:cc - fe:79:59:fc:e0:59:ea:26:6c:19:59:15:cd:09:8f:a2 - c9:04:7d:e1:b4:0b:cc:02:cb:88:20:07:ef:49:0f:75 - 71:b3:be:a4:9f:e0:4d:24:bf:d8:7f:a6:f3:e7:e6:a2 - cd:05:bd:cc:44:67:68:67:43:0a:f2:1e:c1:6c:25:2c - 9c:15:27:f0:ef:75:45:d5:f7:c2:4a:65:a5:c1:53:7c - 5a:cf:d1:f4:4a:5f:6e:96:3d:69:82:3c:36:51:04:37 - 96:ff:e5:d5:ae:81:0b:fd:34:ee:13:94:0f:54:e3:3c - 81:d1:2a:c5:4d:bd:3a:86:84:80:47:16:43:7c:ec:53 - 24:01:2e:52:17:ee:c7:6a:d1:77:70:bd:03:b2:4b:62 - ad:20:b5:36:ce:28:4f:89:32:0d:95:6c:e8:45:ee:3d - 57: - -coefficient: - 13:cf:5c:7a:f5:3f:ac:3e:2d:65:b2:66:3c:43:d8:0f - 75:90:e8:02:15:c4:a5:52:73:bd:0e:bb:86:a9:6c:bb - e6:de:f3:4c:d0:4f:67:db:f6:8f:ce:ad:09:52:62:fd - b2:44:c1:1d:41:c3:2f:0e:35:5f:83:43:bf:8d:98:9f - 96:01:42:73:9f:01:0e:53:84:14:b9:99:ea:0c:04:14 - f7:53:ac:85:4c:c3:51:e6:0b:96:bd:d8:64:e2:fd:72 - 5a:da:c1:b1:ff:6f:45:31:43:e7:a9:db:a6:9d:13:42 - 26:53:2d:70:86:d8:de:03:53:a0:53:5c:dc:a5:76:6c - 10:c0:67:a8:77:ae:b3:03:28:12:0b:90:f3:ed:76:ff - 08:04:a0:c1:a0:28:52:eb:bd:e5:76:78:5b:2b:92:7c - 19:dd:33:39:2f:a5:6d:09:98:d5:fc:3c:1c:c9:71:14 - 09:e3:02:e4:3d:23:c0:4f:18:c1:c6:99:9e:91:db:2e - - -exp1: - 08:fc:81:ad:11:25:ee:bb:1f:0d:69:f0:c7:78:13:a4 - 78:00:47:da:54:f7:39:b6:40:bf:51:50:83:96:04:6d - 80:ee:9c:7f:72:4f:85:94:0f:47:57:5b:72:72:31:86 - 44:8a:7d:91:04:91:4c:61:bf:b2:d2:49:68:38:eb:1d - af:af:02:fe:68:49:81:3b:75:a5:d0:bd:93:a3:be:e4 - a9:4b:17:bf:7c:c7:3e:00:50:22:a1:7a:0c:3c:3a:ba - 44:35:6e:d4:35:f9:52:fd:47:b3:bb:c6:59:70:3e:30 - 04:cb:25:f6:86:51:12:63:6e:9f:d8:44:d2:6d:3b:c2 - b1:50:19:75:34:04:60:9a:d5:62:ea:11:2c:8d:e0:e4 - cc:3d:4d:ee:0c:51:7d:a3:dd:e1:68:3b:88:12:30:a0 - 21:f4:88:db:7f:cc:09:cc:78:0c:52:aa:07:e7:4e:c1 - b3:fc:41:fe:5b:c1:cb:9a:4a:4f:c9:25:c3:d7:06:33 - - -exp2: - 24:d2:37:3a:0b:25:f0:cc:b7:a7:83:b9:84:91:c3:32 - a1:5e:5c:60:b0:58:da:b3:7f:54:df:93:20:43:19:32 - c6:ba:33:c2:97:97:c6:a0:b9:34:3a:ca:75:ee:44:5a - a1:f1:ea:38:18:c2:fa:30:37:53:c6:9e:98:98:07:a3 - 52:22:ce:bf:87:18:b2:a7:76:84:05:26:9a:19:b4:42 - dc:d2:fa:04:e7:08:e0:32:ad:cf:19:4a:75:1e:58:29 - 03:e9:2c:5c:67:37:a3:e5:ea:aa:83:f6:31:97:1b:9e - f1:01:73:65:34:32:72:ba:76:29:e8:a7:cf:a5:19:31 - 81:1d:23:14:37:90:ec:b3:f5:78:b3:70:3e:5e:c0:04 - 8b:f8:48:f7:a3:2e:ed:9b:82:d6:d4:a1:97:5c:b2:98 - cb:cd:90:85:46:14:57:f9:de:a0:9c:0b:d2:96:76:30 - 8a:c3:45:06:e0:76:27:4f:7c:2d:c8:ff:84:2e:a4:6f - - - -Public Key ID: 20:2A:0A:98:87:96:6E:B0:2B:7D:8A:BF:8F:30:4D:53:8D:BC:D7:93 -Public key's random art: -+--[ RSA 3072]----+ -| | -| . o | -| = o | -|.o.o o o . | -|Bo= . . E | -|** . . . | -|=+. | -|o=... | -|+.==. | -+-----------------+ - ------BEGIN RSA PRIVATE KEY----- -MIIG4gIBAAKCAYEAq/kA28nsNll55Usj4kw2kR5Rc7v2MVV4KR1H9TkI58YN67GK -vO0wWtOfEeQ5KnScLcCMxy+M5V6yv36tiwxU3kvPb0EljMetUmshMQgijkKpE7O4 -6bfBstTzcVXgnpMlysHr8EQLdHVXmywDcMtcWjpckF6UsglLiSJ9Y65giSD+8ivB -CZzkl7jKx+BWW0QtjpEF5kuQBE4oGfZaU8bgdm7pKXoH+XTVVt0wVv7oB/f8E6Er -5IrK3Ib/yB8ahmO7QAA6PGt9abSdblEW3mNbR0LcHagbo/bd3Vn5s0nQuEU8hs8M -sE6yIE/8Z9m2oFQjDc8YgIx7YZqLTWe14zZTuiGTCQwSV5pPB/DX+CPB0zQD0X12 -FJFZh8fNvdPT56QvVFdM/5u79iUlCr0GB0nrPimp95/0Ynu/3zlFBrj4aM7qeYE2 -rj4FbnvGLWBmNAzXi8CuQayJkTPWqQ7lCUPC0i2unHeOUsz6devhieqgikExJ0nZ -k8noNZPi+tYfhDfNAgMBAAECggGASezEHbbzP3m/GH3wcvroCgHKacHG1vYyrRnV -MOjPlzJgEY1EYmpjeue1XW+J02JFMLWwzn72RjMrC35dA4TNhrF3/g83IQlEzEUZ -A4bHs/ebzshXGMDRFxrLe1C7Oe9vM3WhAqt9cRZwDlghMn94t6CW4ciGivHL8qtM -02jGPqxca6W7WXKEIWRiZwFcneb03nAg5RpeUjt2qZJoydKX8tFCkX3Pp8A9ZRW4 -De2NuL81MQr7X0b6ZUny8gfM0zBTPVDGQJMyBO7lpDIbBwzRh71JzQ/D354sEZuZ -5OaDtGGmNbCRRj+chnTC+C0L5LabPd3LONdzs2XEP/KWCWm707Czc4Bmg0VIqu80 -Hc+ygpvomylaOv2ykLlSvkrq8/3BatQl1XnP2YW2YtbaC9CyISY38a7ZdMs1mHNA -1VHpkdy5lNI24v20cvrga6DGxOj8KdMulMXSZpQ0+SQpa/fqv4vcI14EzXanTqm3 -6YDLvtFfycVRrbXxP6/pUYpTwNPRAoHBAMcq6V4BIBvLhGsXenOQalxB3H3ulTc0 -2gieyFF1LlGC7m91UCayKP/81NrBN3aEf523ohxob5b9UrpOdL8CzLa9qHIN9ngf -mLTgm29H4nAP8iB4CsfgYZ4CgXtA/ghk/Q0L81ROZWAQKaS0mdxh+Dsg6aSMnupU -tpYOny5gnyO/roQBf3p3WmbZc+Al+SpJeTcoGTk/Pu+U8+c/4u/1q+C13RgoOiNJ -i6GHjOML+f84xTZ0EBTKhzyCCoPmdaLZewKBwQDdC4PREAQIOQpMwngFtHCRTrJm -K94sxDwsMBfTKRDM/nlZ/OBZ6iZsGVkVzQmPoskEfeG0C8wCy4ggB+9JD3Vxs76k -n+BNJL/Yf6bz5+aizQW9zERnaGdDCvIewWwlLJwVJ/DvdUXV98JKZaXBU3xaz9H0 -Sl9ulj1pgjw2UQQ3lv/l1a6BC/007hOUD1TjPIHRKsVNvTqGhIBHFkN87FMkAS5S -F+7HatF3cL0DsktirSC1Ns4oT4kyDZVs6EXuPVcCgcAI/IGtESXuux8NafDHeBOk -eABH2lT3ObZAv1FQg5YEbYDunH9yT4WUD0dXW3JyMYZEin2RBJFMYb+y0kloOOsd -r68C/mhJgTt1pdC9k6O+5KlLF798xz4AUCKhegw8OrpENW7UNflS/Uezu8ZZcD4w -BMsl9oZREmNun9hE0m07wrFQGXU0BGCa1WLqESyN4OTMPU3uDFF9o93haDuIEjCg -IfSI23/MCcx4DFKqB+dOwbP8Qf5bwcuaSk/JJcPXBjMCgcAk0jc6CyXwzLeng7mE -kcMyoV5cYLBY2rN/VN+TIEMZMsa6M8KXl8aguTQ6ynXuRFqh8eo4GML6MDdTxp6Y -mAejUiLOv4cYsqd2hAUmmhm0QtzS+gTnCOAyrc8ZSnUeWCkD6SxcZzej5eqqg/Yx -lxue8QFzZTQycrp2Keinz6UZMYEdIxQ3kOyz9XizcD5ewASL+Ej3oy7tm4LW1KGX -XLKYy82QhUYUV/neoJwL0pZ2MIrDRQbgdidPfC3I/4QupG8CgcATz1x69T+sPi1l -smY8Q9gPdZDoAhXEpVJzvQ67hqlsu+be80zQT2fb9o/OrQlSYv2yRMEdQcMvDjVf -g0O/jZiflgFCc58BDlOEFLmZ6gwEFPdTrIVMw1HmC5a92GTi/XJa2sGx/29FMUPn -qdumnRNCJlMtcIbY3gNToFNc3KV2bBDAZ6h3rrMDKBILkPPtdv8IBKDBoChS673l -dnhbK5J8Gd0zOS+lbQmY1fw8HMlxFAnjAuQ9I8BPGMHGmZ6R2y4= ------END RSA PRIVATE KEY-----
diff --git a/tests/test_swtpm_cert b/tests/test_swtpm_cert index 4b095ee..5a7419e 100755 --- a/tests/test_swtpm_cert +++ b/tests/test_swtpm_cert
@@ -1,127 +1,62 @@ #!/usr/bin/env bash -# For the license, see the LICENSE file in the root directory. +cd "$(dirname "$0")" || exit 1 -ROOT=${abs_top_builddir:-$(dirname "$0")/..} -TESTDIR=${abs_top_testdir:=$(dirname "$0")} - -source "${TESTDIR}/common" - -trap "cleanup" SIGTERM EXIT - +TMPDIR=$(mktemp -d) || exit 1 function cleanup() { - rm -f "${cert}" "${pwdfile}" + rm -rf "${TMPDIR}" } +trap "cleanup" SIGTERM EXIT -cert="$(mktemp)" || exit 1 -pwdfile="$(mktemp)" || exit 1 +# CA: +CACERT=${TMPDIR}/swtpm-localca-rootca-cert.pem +CAKEY=${TMPDIR}/swtpm-localca-rootca-privkey.pem -function check_cert_size() -{ - local cert="$1" - local exp="$2" +# EK keys: +RSAPRIVKEY=${TMPDIR}/rsaprivkey.pem +RSAPUBKEY=${TMPDIR}/rsapubkey.pem - local size +# RSA 3072 key used for signing +RSA3072ENCRYPTED_PRIVKEY=${TMPDIR}/rsa3072privkey.pem +RSA3072ENCRYPTED_PUBKEY=${TMPDIR}/rsa3072pubkey.pem +ISSUERCERT_RSA3072ENCRYPTED_PRIVKEY=${TMPDIR}/rsa3072privkeyissuercert.pem - size=$(get_filesize "${cert}") - if [ "$size" -ne "$exp" ]; then - echo "Warning: Certificate file has unexpected size." - echo " Expected: $exp; found: $size" - fi -} - -if ! VARNAME=password ${SWTPM_CERT} \ - --signkey "${TESTDIR}/data/signkey-encrypted.pem" \ - --signkey-pwd env:VARNAME \ - --issuercert "${TESTDIR}/data/issuercert.pem" \ - --out-cert "${cert}" \ - --modulus 'b9dda830729de58f9f5bed2b3b9394ad4ec5afb9c390b89a3337250cbc575cfc8f31f7ffd3f05f4155076f7d1605381cd281b7f147b801154e4f89ee529fe36eae50f79561850e5b63037edaacbb390ea3fcd037e674fb179e3c5afe31214d78a756ca44cc6cf25421b51420ede548310c92b08a513ccc62fd0ef45dcf6546f6e865be6a661d045d1c47b60b428d11dc97cb9f35ee7c385bb20320934b015f8014e8fb19851c2af307e1e64648c142175e40b60615dc494fdb09ea5d5a6f3273b65a241e3cf30cc449b9fb3f900d1ed4be967b32b16f95a1d732dbfa143eaa1c2017556117f70faee5d77f836705d05405361ad5871a32161fa5a1234cfab497' \ - --days 3650 \ - --pem \ - --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \ - --tpm-spec-family 1.2 --tpm-spec-revision 123 --tpm-spec-level 321; then - echo "Error: ${SWTPM_CERT} returned error code." +if ! msg=$(openssl genrsa -out "${RSAPRIVKEY}" 2432 2>&1) || + ! msg=$(openssl rsa -in "${RSAPRIVKEY}" -pubout -out "${RSAPUBKEY}" 2>&1) || + ! msg=$(openssl req \ + -x509 \ + -new \ + -noenc \ + -keyout "${CAKEY}" \ + -newkey rsa:3072 \ + -sha256 \ + -days 365 \ + -out "${CACERT}" \ + -subj "/CN=swtpm-localca-rootca" 2>&1) || \ + ! msg=$(openssl genrsa -out "${RSA3072ENCRYPTED_PRIVKEY}" -aes256 -passout pass:password 3072 2>&1) || \ + ! msg=$(openssl rsa -in "${RSA3072ENCRYPTED_PRIVKEY}" -pubout -passin pass:password -out "${RSA3072ENCRYPTED_PUBKEY}" 2>&1) || \ + ! msg=$(openssl req \ + -x509 \ + -key "${RSA3072ENCRYPTED_PRIVKEY}" \ + -passin pass:password \ + -out "${ISSUERCERT_RSA3072ENCRYPTED_PRIVKEY}" \ + -days 1000 \ + -subj "/CN=swtpm-localca" \ + -CA "${CACERT}" \ + -CAkey "${CAKEY}" 2>&1); +then + echo "Could not create the required keys" + echo "${msg}" exit 1 fi -#expecting size to be constant -check_cert_size "${cert}" 1395 +PARAM_RSAPUBKEY="${RSAPUBKEY}" \ +PARAM_PASSWORD=password \ +PARAM_SIGNKEY_ENCRYPTED="${RSA3072ENCRYPTED_PRIVKEY}" \ +PARAM_ISSUERCERT="${ISSUERCERT_RSA3072ENCRYPTED_PRIVKEY}" \ + ./_test_swtpm_cert +ret=$? +[ $ret -ne 0 ] && exit $ret -# truncate result file -echo -n > "${cert}" -echo "Test 1: OK" - -if ! ${SWTPM_CERT} \ - --signkey "${TESTDIR}/data/signkey-encrypted.pem" \ - --signkey-pwd file:<(echo -en "password") \ - --issuercert "${TESTDIR}/data/issuercert.pem" \ - --out-cert "${cert}" \ - --modulus 'b9dda830729de58f9f5bed2b3b9394ad4ec5afb9c390b89a3337250cbc575cfc8f31f7ffd3f05f4155076f7d1605381cd281b7f147b801154e4f89ee529fe36eae50f79561850e5b63037edaacbb390ea3fcd037e674fb179e3c5afe31214d78a756ca44cc6cf25421b51420ede548310c92b08a513ccc62fd0ef45dcf6546f6e865be6a661d045d1c47b60b428d11dc97cb9f35ee7c385bb20320934b015f8014e8fb19851c2af307e1e64648c142175e40b60615dc494fdb09ea5d5a6f3273b65a241e3cf30cc449b9fb3f900d1ed4be967b32b16f95a1d732dbfa143eaa1c2017556117f70faee5d77f836705d05405361ad5871a32161fa5a1234cfab497' \ - --days 3650 \ - --subject "OU=foo,L=NewYork,ST=NY,C=US" \ - --pem \ - --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \ - --tpm-spec-family 1.2 --tpm-spec-revision 123 --tpm-spec-level 321; then - echo "Error: ${SWTPM_CERT} returned error code." - exit 1 -fi - -#expecting size to be constant -check_cert_size "${cert}" 1395 - -# truncate result file -echo -n > "${cert}" -echo "Test 2: OK" - -if ! ${SWTPM_CERT} \ - --signkey "${TESTDIR}/data/signkey-encrypted.pem" \ - --signkey-pwd pass:password \ - --issuercert "${TESTDIR}/data/issuercert.pem" \ - --out-cert "${cert}" \ - --pubkey "${TESTDIR}/data/pubek.pem" \ - --days 3650 \ - --subject "OU=foo,L=NewYork,ST=NY,C=US" \ - --pem \ - --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \ - --tpm-spec-family 1.2 --tpm-spec-revision 123 --tpm-spec-level 321; then - echo "Error: ${SWTPM_CERT} returned error code." - exit 1 -fi - -#expecting size to be constant -check_cert_size "${cert}" 1460 - -# truncate result file -echo -n > "${cert}" -echo "Test 3: OK" - - -###################### Platform Certificate ##################### - -echo -en "password" > "${pwdfile}" -exec 100<"${pwdfile}" -if ! ${SWTPM_CERT} \ - --type platform \ - --signkey "${TESTDIR}/data/signkey-encrypted.pem" \ - --signkey-pwd fd:100 \ - --issuercert "${TESTDIR}/data/issuercert.pem" \ - --pubkey "${TESTDIR}/data/pubek.pem" \ - --out-cert "${cert}" \ - --days 3650 \ - --subject "OU=foo,L=NewYork,ST=NY,C=US" \ - --pem \ - --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \ - --platform-manufacturer Fedora \ - --platform-model QEMU \ - --platform-version 2.1; then - echo "Error: ${SWTPM_CERT} returned error code." - exit 1 -fi - -#expecting size to be constant -check_cert_size "${cert}" 1489 - -# truncate result file -echo -n > "${cert}" -echo "Test 4: OK" +exit 0
diff --git a/tests/test_tpm2_swtpm_cert b/tests/test_tpm2_swtpm_cert index b7e5104..e5ad3a8 100755 --- a/tests/test_tpm2_swtpm_cert +++ b/tests/test_tpm2_swtpm_cert
@@ -1,261 +1,95 @@ #!/usr/bin/env bash -# For the license, see the LICENSE file in the root directory. +cd "$(dirname "$0")" || exit 1 -ROOT=${abs_top_builddir:-$(dirname "$0")/..} -TESTDIR=${abs_top_testdir:-$(dirname "$0")} - -source "${TESTDIR}/common" - -cert="$(mktemp)" || exit 1 - -trap "cleanup" SIGTERM EXIT - - +TMPDIR=$(mktemp -d) || exit 1 function cleanup() { - rm -f "${cert}" + rm -rf "${TMPDIR}" } +trap "cleanup" SIGTERM EXIT -function check_cert_size() -{ - local cert="$1" - local exp="$2" +# CA: +CACERT=${TMPDIR}/swtpm-localca-rootca-cert.pem +CAKEY=${TMPDIR}/swtpm-localca-rootca-privkey.pem - local size +# EK keys: +RSAPRIVKEY=${TMPDIR}/rsaprivkey.pem +RSAPUBKEY=${TMPDIR}/rsapubkey.pem +EC256PRIVKEY=${TMPDIR}/ec256privkey.pem +EC256PUBKEY=${TMPDIR}/ec256pubkey.pem - size=$(get_filesize "${cert}") - if [ "$size" -ne "$exp" ]; then - echo "Warning: Certificate file has unexpected size." - echo " Expected: $exp; found: $size" - fi -} +# secp521r1 key used for signing +EC521PRIVKEY=${TMPDIR}/ec521privkey.pem +EC521PUBKEY=${TMPDIR}/ec521pubkey.pem +ISSUERCERT_EC521=${TMPDIR}/ec521-issuercert.pem -if ! ${SWTPM_CERT} \ - --tpm2 \ - --allow-signing \ - --signkey "${TESTDIR}/data/signkey.pem" \ - --issuercert "${TESTDIR}/data/issuercert.pem" \ - --out-cert "${cert}" \ - --modulus 'b9dda830729de58f9f5bed2b3b9394ad4ec5afb9c390b89a3337250cbc575cfc8f31f7ffd3f05f4155076f7d1605381cd281b7f147b801154e4f89ee529fe36eae50f79561850e5b63037edaacbb390ea3fcd037e674fb179e3c5afe31214d78a756ca44cc6cf25421b51420ede548310c92b08a513ccc62fd0ef45dcf6546f6e865be6a661d045d1c47b60b428d11dc97cb9f35ee7c385bb20320934b015f8014e8fb19851c2af307e1e64648c142175e40b60615dc494fdb09ea5d5a6f3273b65a241e3cf30cc449b9fb3f900d1ed4be967b32b16f95a1d732dbfa143eaa1c2017556117f70faee5d77f836705d05405361ad5871a32161fa5a1234cfab497' \ - --days 3650 \ - --pem \ - --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \ - --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0; then - echo "Error: ${SWTPM_CERT} returned error code." +# RSA 3072 key used for signing +RSA3072PRIVKEY=${TMPDIR}/rsa3072privkey.pem +RSA3072PUBKEY=${TMPDIR}/rsa3072pubkey.pem +ISSUERCERT_RSA3072=${TMPDIR}/rsa3072-issuercert.pem + +if ! msg=$(openssl genrsa -out "${RSAPRIVKEY}" 2432 2>&1) || + ! msg=$(openssl rsa -in "${RSAPRIVKEY}" -pubout -out "${RSAPUBKEY}" 2>&1) || + ! msg=$(openssl ecparam -name prime256v1 -genkey -noout -out "${EC256PRIVKEY}" 2>&1) || \ + ! msg=$(openssl ec -in "${EC256PRIVKEY}" -pubout -out "${EC256PUBKEY}" 2>&1) || \ + ! msg=$(openssl req \ + -x509 \ + -new \ + -noenc \ + -keyout "${CAKEY}" \ + -newkey rsa:3072 \ + -sha256 \ + -days 365 \ + -out "${CACERT}" \ + -subj "/CN=swtpm-localca-rootca" 2>&1) || \ + ! msg=$(openssl ecparam -name secp521r1 -genkey -noout -out "${EC521PRIVKEY}" 2>&1) || \ + ! msg=$(openssl ec -in "${EC521PRIVKEY}" -pubout -out "${EC521PUBKEY}" 2>&1) || \ + ! msg=$(openssl req \ + -x509 \ + -key "${EC521PRIVKEY}" \ + -out "${ISSUERCERT_EC521}" \ + -days 1000 \ + -subj "/CN=swtpm-localca" \ + -CA "${CACERT}" \ + -CAkey "${CAKEY}" 2>&1) || \ + ! msg=$(openssl genrsa -out "${RSA3072PRIVKEY}" 3072 2>&1) || \ + ! msg=$(openssl rsa -in "${RSA3072PRIVKEY}" -pubout -out "${RSA3072PUBKEY}" 2>&1) || \ + ! msg=$(openssl req \ + -x509 \ + -key "${RSA3072PRIVKEY}" \ + -out "${ISSUERCERT_RSA3072}" \ + -days 1000 \ + -subj "/CN=swtpm-localca" \ + -CA "${CACERT}" \ + -CAkey "${CAKEY}" 2>&1) \ +; then + echo "Could not create the required keys" + echo "${msg}" exit 1 fi -#expecting size to be constant -check_cert_size "${cert}" 1395 +echo "Testing with RSA certificate signing key" -# truncate result file -echo -n > "${cert}" -echo "Test 1: OK" - -if ! ${SWTPM_CERT} \ - --tpm2 \ - --signkey "${TESTDIR}/data/signkey.pem" \ - --issuercert "${TESTDIR}/data/issuercert.pem" \ - --out-cert "${cert}" \ - --modulus 'b9dda830729de58f9f5bed2b3b9394ad4ec5afb9c390b89a3337250cbc575cfc8f31f7ffd3f05f4155076f7d1605381cd281b7f147b801154e4f89ee529fe36eae50f79561850e5b63037edaacbb390ea3fcd037e674fb179e3c5afe31214d78a756ca44cc6cf25421b51420ede548310c92b08a513ccc62fd0ef45dcf6546f6e865be6a661d045d1c47b60b428d11dc97cb9f35ee7c385bb20320934b015f8014e8fb19851c2af307e1e64648c142175e40b60615dc494fdb09ea5d5a6f3273b65a241e3cf30cc449b9fb3f900d1ed4be967b32b16f95a1d732dbfa143eaa1c2017556117f70faee5d77f836705d05405361ad5871a32161fa5a1234cfab497' \ - --days 3650 \ - --subject "OU=foo,L=NewYork,ST=NY,C=US" \ - --pem \ - --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \ - --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0; then - echo "Error: ${SWTPM_CERT} returned error code." - exit 1 -fi - -#expecting size to be constant -check_cert_size "${cert}" 1472 - -# truncate result file -echo -n > "${cert}" -echo "Test 2: OK" - -if ! ${SWTPM_CERT} \ - --tpm2 \ - --signkey "${TESTDIR}/data/signkey.pem" \ - --issuercert "${TESTDIR}/data/issuercert.pem" \ - --out-cert "${cert}" \ - --pubkey "${TESTDIR}/data/pubek.pem" \ - --days 3650 \ - --subject "OU=foo,L=NewYork,ST=NY,C=US" \ - --pem \ - --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \ - --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0; then - echo "Error: ${SWTPM_CERT} returned error code." - exit 1 -fi - -#expecting size to be constant -check_cert_size "${cert}" 1537 - -# truncate result file -echo -n > "${cert}" -echo "Test 3: OK" +PARAM_RSAPUBKEY="${RSAPUBKEY}" \ +PARAM_ECPUBKEY="${EC256PUBKEY}" \ +PARAM_SIGNKEY="${RSA3072PRIVKEY}" \ +PARAM_ISSUERCERT="${ISSUERCERT_RSA3072}" \ +PARAM_CERT_SIZES="1046 841 1092 841 1057 806 973 973 1112" \ + ./_test_tpm2_swtpm_cert +ret=$? +[ $ret -ne 0 ] && exit $ret -###################### Platform Certificate ##################### +printf "\nTesting with secp521r1 certificate signing key\n" -if ! ${SWTPM_CERT} \ - --tpm2 \ - --type platform \ - --signkey "${TESTDIR}/data/signkey.pem" \ - --issuercert "${TESTDIR}/data/issuercert.pem" \ - --pubkey "${TESTDIR}/data/pubek.pem" \ - --out-cert "${cert}" \ - --days 3650 \ - --subject "OU=foo,L=NewYork,ST=NY,C=US" \ - --pem \ - --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \ - --platform-manufacturer Fedora \ - --platform-model QEMU \ - --platform-version 2.1; then - echo "Error: ${SWTPM_CERT} returned error code." - exit 1 -fi +PARAM_RSAPUBKEY="${RSAPUBKEY}" \ +PARAM_ECPUBKEY="${EC256PUBKEY}" \ +PARAM_SIGNKEY="${EC521PRIVKEY}" \ +PARAM_ISSUERCERT="${ISSUERCERT_EC521}" \ +PARAM_CERT_SIZES="792-794 588-589 838-840 587-589 804-805 552-554 720-721 720-721 859-860" \ + ./_test_tpm2_swtpm_cert +ret=$? +[ $ret -ne 0 ] && exit $ret -#expecting size to be constant -check_cert_size "${cert}" 1484 - -# truncate result file -echo -n > "${cert}" -echo "Test 4: OK" - -###################### IAK Certificate ##################### - -serial=1234:5678 -if ! ${SWTPM_CERT} \ - --tpm2 \ - --type iak \ - --signkey "${TESTDIR}/data/signkey.pem" \ - --issuercert "${TESTDIR}/data/issuercert.pem" \ - --pubkey "${TESTDIR}/data/pubek.pem" \ - --out-cert "${cert}" \ - --days 3650 \ - --subject "serialNumber=${serial}" \ - --pem \ - --tpm-serial-num "${serial}" \ - --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 2; then - echo "Error: ${SWTPM_CERT} returned error code." - exit 1 -fi - -ac=$(openssl x509 -in "${cert}" -noout -text | - sed -n "s/.*Subject: serialNumber[[:space:]]*=[[:space:]]*\(.*\)$/\1/p") -if [ "${ac}" != "${serial}" ]; then - echo "Error: Could not find serial number in Subject line" - echo "expected: ${serial}" - echo "actual : ${ac}" - exit 1 -fi - -if ! openssl x509 -in "${cert}" -noout -text | - grep -A1 "Key Usage:" | - grep -q "Digital Signature"; then - echo "Error: IAK certificate must indicate Digital Signature" - exit 1 -fi - -#expecting size to be constant -check_cert_size "${cert}" 1375 - -# truncate result file -echo -n > "${cert}" -echo "Test 5: OK" - -###################### IDevID Certificate ##################### - -serial=1234:5678 -if ! ${SWTPM_CERT} \ - --tpm2 \ - --type idevid \ - --signkey "${TESTDIR}/data/signkey.pem" \ - --issuercert "${TESTDIR}/data/issuercert.pem" \ - --pubkey "${TESTDIR}/data/pubek.pem" \ - --out-cert "${cert}" \ - --days 3650 \ - --subject "serialNumber=${serial}" \ - --pem \ - --tpm-serial-num "${serial}" \ - --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 2; then - echo "Error: ${SWTPM_CERT} returned error code." - exit 1 -fi - -ac=$(openssl x509 -in "${cert}" -noout -text | - sed -n "s/.*Subject: serialNumber[[:space:]]*=[[:space:]]*\(.*\)$/\1/p") -if [ "${ac}" != "${serial}" ]; then - echo "Error: Could not find serial number in Subject line" - echo "expected: ${serial}" - echo "actual : ${ac}" - exit 1 -fi - -if ! openssl x509 -in "${cert}" -noout -text | - grep -A1 "Key Usage:" | - grep -q "Digital Signature"; then - echo "Error: IDevID certificate must indicate Digital Signature" - exit 1 -fi - -#expecting size to be constant -check_cert_size "${cert}" 1375 - -# truncate result file -echo -n > "${cert}" -echo "Test 6: OK" - -####################### max. serial number ##################### - -# max. serial number -- must pass -if ! ${SWTPM_CERT} \ - --tpm2 \ - --signkey "${TESTDIR}/data/signkey.pem" \ - --issuercert "${TESTDIR}/data/issuercert.pem" \ - --out-cert "${cert}" \ - --pubkey "${TESTDIR}/data/pubek.pem" \ - --days 3650 \ - --subject "OU=foo,L=NewYork,ST=NY,C=US" \ - --pem \ - --serial 1461501637330902918203684832716283019655932542975 \ - --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \ - --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0; then - echo "Error: ${SWTPM_CERT} failed with max. serial number." - exit 1 -fi -tmp=$(openssl x509 -in "${cert}" -noout -text | - grep -A1 "Serial Number:" | - tail -n1 | - sed -n 's/[[:space:]]*\([[:xdigit:]:]*\)/\1/p') -exp="ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff" -if [ "${tmp}" != "${exp}" ]; then - echo "Error: unexpected serial number in cert" - echo "expected: ${exp}" - echo "actual : ${tmp}" - exit 1 -fi - -# max. serial number + 1 -- must fail -if ${SWTPM_CERT} \ - --tpm2 \ - --signkey "${TESTDIR}/data/signkey.pem" \ - --issuercert "${TESTDIR}/data/issuercert.pem" \ - --out-cert "${cert}" \ - --pubkey "${TESTDIR}/data/pubek.pem" \ - --days 3650 \ - --subject "OU=foo,L=NewYork,ST=NY,C=US" \ - --pem \ - --serial 1461501637330902918203684832716283019655932542976 \ - --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \ - --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0; then - echo "Error: ${SWTPM_CERT} should have failed with max. serial number + 1." - exit 1 -fi - -# truncate result file -echo -n > "${cert}" -echo "Test 7: OK" +exit 0
diff --git a/tests/test_tpm2_swtpm_cert_ecc b/tests/test_tpm2_swtpm_cert_ecc deleted file mode 100755 index baf2848..0000000 --- a/tests/test_tpm2_swtpm_cert_ecc +++ /dev/null
@@ -1,127 +0,0 @@ -#!/usr/bin/env bash - -# For the license, see the LICENSE file in the root directory. - -ROOT=${abs_top_builddir:-$(dirname "$0")/..} -TESTDIR=${abs_top_testdir:-$(dirname "$0")} - -source "${TESTDIR}/common" - -cert="$(mktemp)" || exit 1 - -trap "cleanup" SIGTERM EXIT - - -function cleanup() -{ - rm -f "${cert}" -} - -function check_cert_size() -{ - local cert="$1" - local exp="$2" - - local size - - size=$(get_filesize "${cert}") - if [ "$size" -ne "$exp" ]; then - echo "Warning: Certificate file has unexpected size." - echo " Expected: $exp; found: $size" - fi -} - -if ! ${SWTPM_CERT} \ - --tpm2 \ - --signkey "${TESTDIR}/data/signkey.pem" \ - --issuercert "${TESTDIR}/data/issuercert.pem" \ - --out-cert "${cert}" \ - --ecc-x 61eaf811ea582656ca2a835dd1b9cd63eb196d7ff62711d6e9b8f85e580a47ca \ - --ecc-y a51efdc71fd6c791a24a75beb50526aa81b44cc598e65b2d5e116084aea4cb5b \ - --days 3650 \ - --pem \ - --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 2.0 \ - --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0; then - echo "Error: ${SWTPM_CERT} returned error code." - exit 1 -fi - -#expecting size to be constant -check_cert_size "${cert}" 1119 - -# truncate result file -echo -n > "${cert}" -echo "Test 1: OK" - -if ! ${SWTPM_CERT} \ - --tpm2 \ - --signkey "${TESTDIR}/data/signkey.pem" \ - --issuercert "${TESTDIR}/data/issuercert.pem" \ - --out-cert "${cert}" \ - --ecc-x 61eaf811ea582656ca2a835dd1b9cd63eb196d7ff62711d6e9b8f85e580a47ca \ - --ecc-y a51efdc71fd6c791a24a75beb50526aa81b44cc598e65b2d5e116084aea4cb5b \ - --days 3650 \ - --subject "OU=foo,L=NewYork,ST=NY,C=US" \ - --pem \ - --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \ - --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0; then - echo "Error: ${SWTPM_CERT} returned error code." - exit 1 -fi - -#expecting size to be constant -check_cert_size "${cert}" 1196 - -# truncate result file -echo -n > "${cert}" -echo "Test 2: OK" - -if ! ${SWTPM_CERT} \ - --tpm2 \ - --signkey "${TESTDIR}/data/signkey.pem" \ - --issuercert "${TESTDIR}/data/issuercert.pem" \ - --out-cert "${cert}" \ - --pubkey "${TESTDIR}/data/ecpubek.pem" \ - --days 3650 \ - --subject "OU=foo,L=NewYork,ST=NY,C=US" \ - --pem \ - --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \ - --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0; then - echo "Error: ${SWTPM_CERT} returned error code." - exit 1 -fi - -#expecting size to be constant -check_cert_size "${cert}" 1196 - -# truncate result file -echo -n > "${cert}" -echo "Test 3: OK" - - -###################### Platform Certificate ##################### - -if ! ${SWTPM_CERT} \ - --tpm2 \ - --type platform \ - --signkey "${TESTDIR}/data/signkey.pem" \ - --issuercert "${TESTDIR}/data/issuercert.pem" \ - --pubkey "${TESTDIR}/data/ecpubek.pem" \ - --out-cert "${cert}" \ - --days 3650 \ - --subject "OU=foo,L=NewYork,ST=NY,C=US" \ - --pem \ - --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 1.2 \ - --platform-manufacturer Fedora \ - --platform-model QEMU \ - --platform-version 2.1; then - echo "Error: ${SWTPM_CERT} returned error code." - exit 1 -fi - -#expecting size to be constant -check_cert_size "${cert}" 1143 - -# truncate result file -echo -n > "${cert}" -echo "Test 4: OK"