
Apply the password for the signing key and parent key when creating a
platform certificate. The bug was introduced in commit 961bb827
"samples: Use new pwd format option for secretly passing passwords"
Extend a test case to ensure that the passwords are always used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
#!/usr/bin/env bash
# For the license, see the LICENSE file in the root directory.
#set -x
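# Locate the build tree, the source tree and the test directory. The abs_top_*
# variables are taken from the environment when set (presumably exported by the
# test harness -- confirm); otherwise paths relative to this script are used.
TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..}
TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..}
TESTDIR=${abs_top_testdir:-$(dirname "$0")}

# The sample CA script exercised by this test.
SWTPM_LOCALCA=${TOPSRC}/samples/swtpm-localca

# Scratch directory for the CA keys, the configuration (which contains the
# signing key password) and the generated certificates. mktemp -d creates it
# with an unpredictable name and owner-only permissions. The spaces in the
# name presumably exercise path quoting in the scripts under test.
#
# Stop if the directory cannot be created: with an empty workdir the later
# "${workdir}"/*.pem removal and the configuration writes would resolve to
# paths directly under /.
if ! workdir=$(mktemp -d "/tmp/path with spaces.XXXXXX") || [ -z "${workdir}" ]; then
  echo "Error: Could not create temporary work directory."
  exit 1
fi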
# Build the hex string of a fake 2048 bit EK public key: a leading 0x80 byte
# (a 2048 bit key must have its highest bit set) followed by the bytes
# 0x01 .. 0xff, i.e. 256 bytes / 512 hex digits in total.
ek="80"
i=1
while ((i < 256)); do
  printf -v hexbyte "%02x" "$i"
  ek+="${hexbyte}"
  ((i++))
done
# Locations inside the work directory that are written into
# swtpm-localca.conf further down (signing key, issuer certificate and
# certificate serial number file).
CERTSERIAL="${workdir}/certserial"
ISSUERCERT="${workdir}/issuercert.pem"
SIGNINGKEY="${workdir}/signingkey.pem"

# Search the build tree's swtpm_cert directory before the system PATH.
PATH="${TOPBUILD}/src/swtpm_cert:${PATH}"

# Remove the work directory (keys, password-bearing config, certificates)
# on SIGTERM and on normal exit.
trap cleanup SIGTERM EXIT
#######################################
# Delete the temporary work directory and everything below it.
# Globals:   workdir (read)
# Arguments: none
#######################################
cleanup() {
  rm -rf "${workdir}"
}
# Pick the name of the GnuTLS certtool binary: on Darwin it is called
# gnutls-certtool, on every other system certtool.
if [ "$(uname -s)" = "Darwin" ]; then
  CERTTOOL=gnutls-certtool
else
  CERTTOOL=certtool
fi
# Configuration file for swtpm-localca. All state lives in the work
# directory. signingkey_password is a fixed test value; the certificate tests
# below check that the signing key file is stored as an
# "ENCRYPTED PRIVATE KEY".
printf '%s\n' \
  "statedir=${workdir}" \
  "signingkey = ${SIGNINGKEY}" \
  "issuercert = ${ISSUERCERT}" \
  "certserial = ${CERTSERIAL}" \
  "signingkey_password = password" \
  > "${workdir}/swtpm-localca.conf"

# Options file for swtpm-localca: TPM and platform attributes passed along
# when certificates are created.
printf '%s\n' \
  "--tpm-manufacturer IBM" \
  "--tpm-model swtpm-libtpms" \
  "--tpm-version 2" \
  "--platform-manufacturer Fedora" \
  "--platform-version 2.1" \
  "--platform-model QEMU" \
  > "${workdir}/swtpm-localca.options"
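# Test 1: create EK certificates with different key usage options and check
# the password protection of the CA keys.
#
# Each entry is "<swtpm-localca parameters>|<expected key usages>", with the
# expected key usages separated by commas.
for testparams in \
  "--allow-signing|Digital signature" \
  "--allow-signing --decryption|Digital signature,Key encipherment" \
  "--decryption|Key encipherment" \
  "|Key encipherment"; do
  params=${testparams%%|*}
  usage=${testparams#*|}

  # Remove the certificate of the previous iteration so that a stale file
  # cannot satisfy the checks below. ${workdir:?} aborts if workdir is empty.
  rm -f -- "${workdir:?}/ek.cert"

  # ${params} is intentionally unquoted: it holds zero or more options that
  # must be split into separate words.
  if ! "${SWTPM_LOCALCA}" \
    --type ek \
    --ek "${ek}" \
    --dir "${workdir}" \
    --vmid test \
    --tpm2 \
    --configfile "${workdir}/swtpm-localca.conf" \
    --optsfile "${workdir}/swtpm-localca.options" \
    --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
    ${params}; then
    echo "Error: Test with parameters '$params' failed."
    exit 1
  fi

  # Signing key should always be password protected
  if ! grep -q "ENCRYPTED PRIVATE KEY" "${SIGNINGKEY}"; then
    echo "Error: Signing key is not password protected."
    exit 1
  fi

  # For the root CA's key we flip the password protection on every
  # iteration: with SWTPM_ROOTCA_PASSWORD set the key must be encrypted,
  # without it the key must not be encrypted.
  rootca_key="${workdir}/swtpm-localca-rootca-privkey.pem"
  if [ -n "${SWTPM_ROOTCA_PASSWORD}" ]; then
    if ! grep -q "ENCRYPTED PRIVATE KEY" "${rootca_key}"; then
      echo "Error: Root CA's private key is not password protected."
      exit 1
    fi
    unset SWTPM_ROOTCA_PASSWORD
  else
    if grep -q "ENCRYPTED PRIVATE KEY" "${rootca_key}"; then
      echo "Error: Root CA's private key is password protected but should not be."
      exit 1
    fi
    export SWTPM_ROOTCA_PASSWORD=xyz
  fi

  if [ ! -r "${workdir}/ek.cert" ]; then
    echo "Error: ${workdir}/ek.cert was not created."
    exit 1
  fi

  # Every expected key usage must show up in the two lines following
  # "Key Usage" in the certificate dump. A missing usage fails the test;
  # previously it was only reported and the script still ended with
  # "Test 1: OK".
  IFS="," read -r -a expected_usages <<<"${usage}"
  for u in "${expected_usages[@]}"; do
    echo "$u"
    if ! "${CERTTOOL}" -i --inder --infile "${workdir}/ek.cert" |
      grep -A2 "Key Usage" |
      grep -qF -- "$u"; then
      echo "Error: Could not find key usage $u in key created " \
        "with $params."
      exit 1
    fi
    echo "Found '$u'"
  done

  # Convert the DER certificate to PEM for the chain verification.
  "${CERTTOOL}" \
    -i \
    --inder --infile "${workdir}/ek.cert" \
    --outfile "${workdir}/ek.pem"

  if ! "${CERTTOOL}" \
    --verify \
    --load-ca-certificate "${ISSUERCERT}" \
    --infile "${workdir}/ek.pem"; then
    echo "Error: Could not verify certificate chain."
    exit 1
  fi

  # Delete all keys to have CA re-created. ${workdir:?} keeps the glob from
  # expanding to /*.pem should workdir ever be empty.
  rm -rf -- "${workdir:?}"/*.pem
done

echo "Test 1: OK"
echo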
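# Test 2: VM IDs that contain spaces, quotes and shell metacharacters.
#
# Each entry is "<vmid passed to swtpm-localca>|<expected subject CN>". The
# vmid must end up literally in the certificate's subject; the expected form
# carries backslash escapes (presumably certtool's rendering of the special
# characters -- confirm). A mismatch indicates that the vmid was altered or
# interpreted on its way into the certificate, so it fails the test;
# previously it was only reported and the script still ended with
# "Test 2: OK".
for vmid in \
  's p a c e|s p a c e' \
  '$(ls)>foo|$(ls)\>foo' \
  '`ls`&; #12|`ls`&\; #12' \
  'foo>&1<&2;$(ls)|foo\>&1\<&2\;$(ls)' \
  "'*|'*" \
  '"*|\"*' \
  ':$$|:$$' \
  '${t}[]|${t}[]'; do
  vmid_in=${vmid%%|*}
  expected_cn=${vmid#*|}

  # Remove the certificate of the previous iteration so that a stale file
  # cannot satisfy the existence check below.
  rm -f -- "${workdir:?}/ek.cert"

  # ${params} still holds the value left behind by the last Test 1 iteration
  # (empty for the "|Key encipherment" entry); it is kept unquoted so that it
  # expands to no argument at all.
  if ! "${SWTPM_LOCALCA}" \
    --type ek \
    --ek "${ek}" \
    --dir "${workdir}" \
    --vmid "${vmid_in}" \
    --tpm2 \
    --configfile "${workdir}/swtpm-localca.conf" \
    --optsfile "${workdir}/swtpm-localca.options" \
    --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
    ${params} &>/dev/null; then
    # Report the vmid: it is what varies in this loop, $params does not.
    echo "Error: Test with vmid '${vmid_in}' failed."
    exit 1
  fi

  if [ ! -r "${workdir}/ek.cert" ]; then
    echo "Error: ${workdir}/ek.cert was not created."
    exit 1
  fi

  # Extract the CN from the "Subject:" line of the certificate dump.
  actual_cn=$("${CERTTOOL}" -i --inder --infile "${workdir}/ek.cert" |
    sed -n "s/.*Subject: CN=\(.*\)$/\1/p")
  if [ "${actual_cn}" != "${expected_cn}" ]; then
    echo "Error: unexpected subject string"
    echo "actual : ${actual_cn}"
    echo "expected : ${expected_cn}"
    exit 1
  fi
  echo "Pass: ${actual_cn}"
done

echo "Test 2: OK"

exit 0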