Proxmox-Port/swtpm
1
0
Fork 0
mirror of https://github.com/stefanberger/swtpm.git synced 2025-08-26 00:18:38 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
test_savecontext
swtpm/tests/test_tpm2_samples_create_tpmca
Stefan Berger f30e202df6 samples: Extend script to create a CA using a TPM 2 for signing 
Extend the script that creates a CA that uses a TPM 2 for signing.
For this we have to create tokens using the TPM 2 pkcs11 module's
tpm2_ptool and can then use the p11tool for creating keys.

Add a test case that requires a running tpm2-abrmd and tpm2_ptool.
Eventually the test case should (try to) start its own tpm2-abrmd
and talk to swtpm directly but the tcti module to do that isn't
available as a package, yet.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-04-14 13:09:00 -04:00

207 lines
5.2 KiB
Bash
Executable File
Raw Permalink Blame History

#!/usr/bin/env bash
#set -x
# For the license, see the LICENSE file in the root directory.
if [ "$(id -u)" -ne 0 ]; then
echo "Need to be root to run this test."
exit 77
fi
# tpm2_ptool may not be packaged everywhere ...
if [ -z "$(type -P tpm2_ptool)" ]; then
echo "Could not find tpmtool in PATH"
exit 77
fi
if [ -z "$(tpm2_ptool | grep ",config,")" ]; then
echo "tpm2_ptool does not support the config command"
exit 77
fi
msg=$(systemctl status tpm2-abrmd 2>&1)
if [ $? -ne 0 ]; then
echo "tpm2-abrmd must be running"
exit 77
fi
ROOT=${abs_top_builddir:-$(dirname "$0")/..}
TESTDIR=${abs_top_testdir:=$(dirname "$0")}
SRCDIR=${abs_top_srcdir:-$(dirname "$0")/..}
SWTPM_SETUP=${ROOT}/src/swtpm_setup/swtpm_setup
SWTPM_CREATE_TPMCA=${SRCDIR}/samples/swtpm-create-tpmca
SWTPM_LOCALCA=${SRCDIR}/samples/swtpm-localca
SWTPM=${ROOT}/src/swtpm/swtpm
SWTPM_IOCTL=${ROOT}/src/swtpm_ioctl/swtpm_ioctl
SWTPM_INTERFACE=socket+socket
SWTPM_SERVER_NAME=localhost
SWTPM_SERVER_PORT=65434
SWTPM_CTRL_PORT=65435
workdir=$(mktemp -d)
SWTPM_LOCALCA_DIR="${workdir}/my localca"
SWTPM_LOCALCA_CONF="${workdir}/my localca/swtpm-localca.conf"
PID="" # primary object id returned by tpm2_ptool
function cleanup()
{
if [ -n "${PID}" ]; then
echo "y" | tpm2_ptool destroy ${PID} &>/dev/null
fi
rm -rf "${workdir}"
}
trap "cleanup" SIGTERM EXIT
source ${TESTDIR}/common
case "$(uname -s)" in
Darwin)
CERTTOOL=gnutls-certtool;;
*)
CERTTOOL=certtool;;
esac
PATH=${ROOT}/src/swtpm_bios:${ROOT}/src/swtpm_cert:${PATH}
# Run the tests
# @param1: The vTPM for which the certificate is created is a TPM 2
function run_test() {
local vtpm_is_tpm2="$1"
local tmp params certinfo regex regexs fil i skip
rm -rf "${workdir}"/*
cat <<_EOF_ > "${workdir}/swtpm_setup.conf"
create_certs_tool=${SWTPM_LOCALCA}
create_certs_tool_config=${workdir}/swtpm-localca.conf
create_certs_tool_options=/dev/null
_EOF_
tmp="$(tpm2_ptool init 2>&1)"
if [ $? -ne 0 ]; then
echo "tpm2_ptool init failed:"
echo "${tmp}"
exit 1
fi
PID="$(echo "${tmp}" | grep -E "^id:" |cut -d ":" -f2 | tr -d " ")"
if [ -z "${PID}" ]; then
echo "Could not grep the pid from the tpm2_ptool output"
echo "${tmp}"
exit 1
fi
tmp="$(SWTPM_PKCS11_PIN="mypin 123" SWTPM_PKCS11_SO_PIN="123" ${SWTPM_CREATE_TPMCA} \
--dir "${SWTPM_LOCALCA_DIR}" \
--overwrite \
--outfile "${SWTPM_LOCALCA_CONF}" \
--group tss \
--tpm2 \
--pid "${PID}")"
if [ $? -ne 0 ]; then
echo "Error: Could not create TPM CA"
echo "${tmp}"
exit 1
fi
for fil in \
swtpm-localca-rootca-cert.pem \
swtpm-localca-rootca-privkey.pem \
swtpm-localca-tpmca-cert.pem \
swtpm-localca-tpmca-pubkey.pem; do
if [ ! -r "${SWTPM_LOCALCA_DIR}/${fil}" ]; then
echo "Error: TPM CA tool did not create file ${fil}."
exit 1
fi
done
for regex in \
"^statedir = " \
"^signingkey = " \
"^issuercert = " \
"^certserial = " \
"^SWTPM_PKCS11_PIN = mypin 123"; do
if [ -n "${regex}" ] && \
[ -z "$(grep -E "${regex}" "${SWTPM_LOCALCA_CONF}")" ]; then
echo "Error: Could not find regex '${line}' in CA config file."
cat "${SWTPM_LOCALCA_CONF}"
exit 1
fi
done
params=""
if [ ${vtpm_is_tpm2} -ne 0 ]; then
params="--tpm2"
skip=0
else
skip=7 # header in cert
fi
# make sure we can actually sign with this new certificate
${SWTPM_LOCALCA} \
--type ek \
--ek x=739192d8f1004283957a7b1568d610b41c637ccc114aadcac4908c20456468fa,y=59f63ac06f8011f6fdd1460c6bc8e3e0a2d090d4fc188c7e04870e06795ce8ae \
--dir "${workdir}" --vmid test \
${params} \
--tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 00 \
--tpm-model swtpm --tpm-version 20170101 --tpm-manufacturer IBM \
--configfile "${SWTPM_LOCALCA_CONF}" \
--optsfile /dev/null
if [ $? -ne 0 ]; then
echo "Error: The CA could not sign with the new certificate"
exit 1
fi
if [ ! -f "${workdir}/ek.cert" ]; then
echo "Error: The CA did not produce a certificate"
exit 1
fi
# cert was for example 541 bytes long
if [ $(get_filesize "${workdir}/ek.cert") -lt 500 ]; then
echo "Error: The certificate's size is dubious"
ls -l "${workdir}/ek.cert"
exit 1
fi
# Check the contents of the certificate
certinfo=$(dd "if=${workdir}/ek.cert" bs=1 "skip=$skip" status=none | \
"$CERTTOOL" -i --inder)
regexs=('^[[:space:]]+2.23.133.8.1$'
'^[[:space:]]+directoryName:.*(,)?2.23.133.2.3=.*'
'^[[:space:]]+directoryName:.*(,)?2.23.133.2.2=.*'
'^[[:space:]]+directoryName:.*(,)?2.23.133.2.1=.*'
'^[[:space:]]+Certificate Authority \(CA\): FALSE$'
'^[[:space:]]+Unknown extension 2.5.29.9 \(not critical\):$'
'^[[:space:]]+Hexdump: 3019301706056781050210310e300c0c03322e3002010002020092$')
if [ ${vtpm_is_tpm2} -ne 0 ]; then
# TPM 2.0; due to ecc: Key agreement
regexs+=('^[[:space:]]+Key agreement\.$'
'^[[:space:]]+Signature Algorithm: RSA-SHA256$')
else
regexs+=('^[[:space:]]+Key encipherment\.$'
'^[[:space:]]+Signature Algorithm: RSA-SHA1$')
fi
for ((i=0; i < ${#regexs}; i++)); do \
if [ -n "${regexs[$i]}" ] && \
[ -z "$(echo "${certinfo}" | grep -E "${regexs[$i]}")" ]; then
echo "Error: Could not match regex '${regexs[$i]}' with certificate info:"
echo "${certinfo}"
exit 1
fi
done
} # run_test
run_test 1
echo "Test 1: OK"
run_test 0
echo "Test 2: OK"
exit 0
Reference in New Issue View Git Blame Copy Permalink