Enable passing the usual curve names of secp256r1 and secp384r1 instead
of ecc256 and ecc384 on the command line of swtpm-create-tpmca.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Extend swtpm-create-tpm to support rsa2048 (default), rsa3072, ecc256
(NIST P256), and ecc384 (NIST P384) for the created TPM 2 CA. The names
are taken from the output of:

tpm2_ptool addkey --help

ecc521 does not seem to work with the TPM 2 stack even though it is
advertised as a possible option.

Extend an existing test case to create an ecc256 key and extend the man page.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Recent GnuTLS does not package tpmtool anymore. Check for
the missing tpmtool and report an error as appropriate.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Extend the script that creates a CA that uses a TPM 2 for signing.
For this we have to create tokens using the TPM 2 pkcs11 module's
tpm2_ptool and can then use the p11tool for creating keys.

Add a test case that requires a running tpm2-abrmd and tpm2_ptool.
Eventually the test case should (try to) start its own tpm2-abrmd
and talk to swtpm directly, but the tcti module to do that isn't
available as a package yet.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Address several issues reported by shellcheck and protect
variables with quotes so we can now have filenames with spaces.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

If tpmtool supports --srk-well-known we also support the well-known
SRK password and allow the user not to provide an SRK password on
the command line.

This patch should have been applied before the previous patch that
tests this. Luckily, only very few systems have tpmtool with
--srk-well-known, so the order would matter only there (and cause test
failures).

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Return the result code from the expect script to the caller.
Also, display possible log messages in case the private key file
was not written properly.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Support creation and usage of the root CA with a password-protected
private key. The root CA's key password can be set using the environment
variable SWTPM_ROOTCA_PASSWORD.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

This (experimental) script uses GnuTLS tpmtool to create a TPM 1.2
intermediate CA that can sign a vTPM's EK and platform certificates.
Add a man page for this tool.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
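The key-type handling from the first two commits and the tpmtool checks from the tpmtool commits, as an added POSIX shell example that is not swtpm's own code: `normalize_keytype` maps the accepted names (including the secp256r1/secp384r1 aliases) to the tpm2_ptool names and rejects ecc521, and `tpmtool_srk_well_known` reports a missing tpmtool and probes whether it advertises --srk-well-known. The function names and the optional command argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from swtpm. Map the key type given on the
# command line to the name tpm2_ptool addkey expects. Prints the
# tpm2_ptool name; returns 1 for unsupported input.
normalize_keytype() {
    case "$1" in
    "") echo rsa2048 ;;                                # default key type
    rsa2048|rsa3072|ecc256|ecc384) echo "$1" ;;        # tpm2_ptool names
    secp256r1) echo ecc256 ;;                          # NIST P256 alias
    secp384r1) echo ecc384 ;;                          # NIST P384 alias
    ecc521|secp521r1)
        # Advertised by tpm2_ptool addkey --help but does not work
        # with the TPM 2 stack, so refuse it up front.
        echo "Key type '$1' is not supported by the TPM 2 stack" >&2
        return 1 ;;
    *)
        echo "Unsupported key type '$1'" >&2
        return 1 ;;
    esac
}

# Check the TPM 1.2 path: tpmtool must exist (recent GnuTLS no longer
# packages it) and may or may not support --srk-well-known.
# $1 optionally names the command to probe (assumption, for testing).
# Returns 0 if --srk-well-known is supported, 1 if not, 2 if missing.
tpmtool_srk_well_known() {
    tool="${1:-tpmtool}"
    if ! command -v "$tool" >/dev/null 2>&1; then
        echo "Error: $tool not found; is the GnuTLS tpmtool installed?" >&2
        return 2
    fi
    if "$tool" --help 2>&1 | grep -q -- '--srk-well-known'; then
        return 0
    fi
    return 1
}
```

A caller can then fall back to requiring an explicit SRK password whenever `tpmtool_srk_well_known` returns 1.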