#!/usr/bin/env bash # For the license, see the LICENSE file in the root directory. #set -x TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..} TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..} TESTDIR=${abs_top_testdir:-$(dirname "$0")} SWTPM_LOCALCA=${TOPBUILD}/samples/swtpm-localca workdir=$(mktemp -d "/tmp/path with spaces.XXXXXX") ek="80" # 2048 bit key must have highest bit set for ((i = 1; i < 256; i++)); do ek="${ek}$(printf "%02x" $i)" done SIGNINGKEY=${workdir}/signingkey.pem ISSUERCERT=${workdir}/issuercert.pem CERTSERIAL=${workdir}/certserial PATH=${TOPBUILD}/src/swtpm_cert:$PATH trap "cleanup" SIGTERM EXIT function cleanup() { rm -rf "${workdir}" } case "$(uname -s)" in Darwin) CERTTOOL=gnutls-certtool;; *) CERTTOOL=certtool;; esac cat <<_EOF_ > "${workdir}/swtpm-localca.conf" statedir=${workdir} signingkey = ${SIGNINGKEY} issuercert = ${ISSUERCERT} certserial = ${CERTSERIAL} signingkey_password = password _EOF_ cat <<_EOF_ > "${workdir}/swtpm-localca.options" --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 2 --platform-manufacturer Fedora --platform-version 2.1 --platform-model QEMU _EOF_ # the following contains the test parameters and # expected key usage for testparams in \ "--allow-signing|Digital signature" \ "--allow-signing --decryption|Digital signature,Key encipherment" \ "--decryption|Key encipherment" \ "|Key encipherment"; do params=$(echo ${testparams} | cut -d"|" -f1) usage=$(echo ${testparams} | cut -d"|" -f2) ${SWTPM_LOCALCA} \ --type ek \ --ek "${ek}" \ --dir "${workdir}" \ --vmid test \ --tpm2 \ --configfile "${workdir}/swtpm-localca.conf" \ --optsfile "${workdir}/swtpm-localca.options" \ --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \ ${params} if [ $? -ne 0 ]; then echo "Error: Test with parameters '$params' failed." exit 1 fi # Signing key should always be password protected if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${SIGNINGKEY}")" ]; then echo "Error: Signing key is not password protected." exit 1 fi # For the root CA's key we flip the password protection if [ -n "${SWTPM_ROOTCA_PASSWORD}" ] ;then if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then echo "Error: Root CA's private key is not password protected." exit 1 fi unset SWTPM_ROOTCA_PASSWORD else if [ -n "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then echo "Error: Root CA's private key is password protected but should not be." exit 1 fi export SWTPM_ROOTCA_PASSWORD=xyz fi if [ ! -r "${workdir}/ek.cert" ]; then echo "Error: ${workdir}/ek.cert was not created." exit 1 fi OIFS="$IFS" IFS="," for u in $usage; do echo $u if [ -z "$(${CERTTOOL} -i \ --inder --infile "${workdir}/ek.cert" | \ grep "Key Usage" -A2 | \ grep "$u")" ]; then echo "Error: Could not find key usage $u in key created " \ "with $params." else echo "Found '$u'" fi done IFS="$OIFS" ${CERTTOOL} \ -i \ --inder --infile "${workdir}/ek.cert" \ --outfile "${workdir}/ek.pem" ${CERTTOOL} \ --verify \ --load-ca-certificate "${ISSUERCERT}" \ --infile "${workdir}/ek.pem" if [ $? -ne 0 ]; then echo "Error: Could not verify certificate chain." exit 1 fi # Delete all keys to have CA re-created rm -rf "${workdir}"/*.pem done echo "Test 1: OK" echo #A few tests with odd vm Ids for vmid in \ 's p a c e|s p a c e' \ '$(ls)>foo|$(ls)\>foo' \ '`ls`&; #12|`ls`&\; #12' \ 'foo>&1<&2;$(ls)|foo\>&1\<&2\;$(ls)' \ "'*|'*" \ '"*|\"*' \ ':$$|:$$' \ '${t}[]|${t}[]'; do in=$(echo "$vmid" | cut -d"|" -f1) exp=$(echo "$vmid" | cut -d"|" -f2) ${SWTPM_LOCALCA} \ --type ek \ --ek "${ek}" \ --dir "${workdir}" \ --vmid "$in" \ --tpm2 \ --configfile "${workdir}/swtpm-localca.conf" \ --optsfile "${workdir}/swtpm-localca.options" \ --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \ ${params} &>/dev/null if [ $? -ne 0 ]; then echo "Error: Test with parameters '$params' failed." exit 1 fi if [ ! -r "${workdir}/ek.cert" ]; then echo "Error: ${workdir}/ek.cert was not created." exit 1 fi ac=$(${CERTTOOL} -i --inder --infile "${workdir}/ek.cert" | \ sed -n "s/.*Subject: CN=\(.*\)$/\1/p") if [ "$ac" != "$exp" ]; then echo "Error: unexpected subject string" echo "actual : $ac" echo "expected : $exp" else echo "Pass: $ac" fi done echo "Test 2: OK" exit 0