- Move swtpm_localca's sources out of samples/ (where they no longer
belong now that swtpm_localca is a binary) to src/swtpm_localca/.
- Tests now call the swtpm_localca binary directly at the location
where it was built, as they do with all other compiled programs.
- Simplify samples/swtpm-localca.in and delete swtpm-localca.2inst,
removing the now-unnecessary logic to selectively call swtpm_localca
from different locations (samples/ when running tests vs. /usr/bin/
post-installation).
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
Replace the binary swtpm_localca with a script that now calls the binary
swtpm-localca, which is to be installed in $bindir.
So that we can use this for script for calling swtpm-localca during testing
(when it is not installed), write the script in such a way that it de-
termines whether there's swtpm-localca in the same directory and if not call
it from ${bindir}/swtpm-localca.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This is a 1:1 rewrite of swtpm_localca in 'C' as a final step to get
rid of the python dependency. It addresses issue #437.
Tested on: Cygwin, Fedora 33, Ubuntu Xenial & Bionic, FreeBSD,
DragonFlyBSD, OpenBSD (i386), Mac, Debian (recent), Centos-8,
CentOS (recent), Alpine (recent), OpenSUSE (recent),
Fedora 28 PPC Big Endian
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Apply the password for the signing key and parent key when creating a
platform certificate. The bug was introduced in commit 961bb827
"samples: Use new pwd format option for secretly passing passwords"
Extend a test case to ensure that the passwords are always used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When the local CA was create the signing key of the intermediate CA
was not properly protected by the passwords. This patch fixes this.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Get rid of using eval when running swtpm_cert in swtpm-localca.
This is to avoid further evaluation of bash expression that can
spawn subshells ('$(echo foo)') or do other bad things. Bad input
could come from malformed configuration files.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Escape many more special shell characters before calling eval on
an entry to convert a variable to its value. Uncareful writing of
a swtpm-local.conf config file could have lead to files being over-
written using '>' for example.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use the swtpm_cert --signkey-pwd and --parentkey-pwd to pass key passwords
using files rather than using the command line options.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Protect variables with quotes so that pathnames with spaces are now
supported.
Adjust the accompanying test case to make use of spaces in file paths.
Address several issues found by shellcheck. Some of them are false
positives especially when it comes to protecting variables passed
to a commaned in an 'eval' line. They must not be protected, otherwise
they are not passed correctly.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
According to the XDG spec,
https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html:
"If $XDG_CONFIG_HOME is either not set or empty, a default equal to
$HOME/.config should be used."
This fixes setting up a TPM with libvirt running in a user session.
It works by checking if configuration files are readable in the
directory priority order (XDG_CONFIG_HOME, then HOME, then SYSCONFDIR).
When libvirt is running as a system instance, $HOME isn't set, so it
will fall back on @SYSCONFDIR@ (/etc usually)
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
When the project is configured with --prefix=/usr/local several configuration
files are installed to /usr/local/etc but not read by the programs that
need them. This patch fixes this issue by replacing @SYSCONFDIR@ in the source
code of those files with the actual used path.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
