Proxmox-Port/swtpm
1
0
Fork 0
mirror of https://github.com/stefanberger/swtpm.git synced 2026-02-05 14:12:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
e68cebaf5f
swtpm/tests/test_swtpm_setup_create_cert
Stefan Berger e68cebaf5f swtpm_localca: Created certificates for CAs and TPM that do not expire 
Rather than having the CA certificates, that are created on the fly,
expire in 10 years, have them not expire at all.

Also create TPM certificates that don't expire and extend a test
case for this.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2021-10-08 14:07:02 -04:00

129 lines
3.2 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# For the license, see the LICENSE file in the root directory.
ROOT=${abs_top_builddir:-$(dirname "$0")/..}
TESTDIR=${abs_top_testdir:-$(dirname "$0")}
SRCDIR=${abs_top_srcdir:-$(dirname "$0")/..}
source ${TESTDIR}/common
skip_test_no_tpm12 "${SWTPM_EXE}"
SWTPM_LOCALCA=${ROOT}/src/swtpm_localca/swtpm_localca
workdir=$(mktemp -d)
SIGNINGKEY=${workdir}/signingkey.pem
ISSUERCERT=${workdir}/issuercert.pem
CERTSERIAL=${workdir}/certserial
PATH=${ROOT}/src/swtpm_bios:$PATH
trap "cleanup" SIGTERM EXIT
function cleanup()
{
rm -rf ${workdir}
}
# We want swtpm_cert to use the local CA and see that the
# local CA script automatically creates a signingkey and
# self-signed certificate
cat <<_EOF_ > ${workdir}/swtpm-localca.conf
statedir=${workdir}
signingkey = ${SIGNINGKEY}
issuercert = ${ISSUERCERT}
certserial = ${CERTSERIAL}
_EOF_
cat <<_EOF_ > ${workdir}/swtpm-localca.options
--tpm-manufacturer IBM
--tpm-model swtpm-libtpms
--tpm-version 1.2
--platform-manufacturer Fedora
--platform-version 2.1
--platform-model QEMU
_EOF_
cat <<_EOF_ > ${workdir}/swtpm_setup.conf
create_certs_tool=${SWTPM_LOCALCA}
create_certs_tool_config=${workdir}/swtpm-localca.conf
create_certs_tool_options=${workdir}/swtpm-localca.options
_EOF_
# We need to adapt the PATH so the correct swtpm_cert is picked
export PATH=${ROOT}/src/swtpm_cert:${PATH}
# Create a ROOT CA with a password-protected private key
export SWTPM_ROOTCA_PASSWORD=password
# we need to create at least one cert: --create-ek-cert
$SWTPM_SETUP \
--tpm-state ${workdir} \
--create-ek-cert \
--config ${workdir}/swtpm_setup.conf \
--logfile ${workdir}/logfile \
--tpm "${SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \
--write-ek-cert-files "${workdir}"
if [ $? -ne 0 ]; then
echo "Error: Could not run $SWTPM_SETUP."
echo "Setup Logfile:"
cat ${workdir}/logfile
exit 1
fi
if [ ! -r "${SIGNINGKEY}" ]; then
echo "Error: Signingkey file ${SIGNINGKEY} was not created."
echo "Setup Logfile:"
cat ${workdir}/logfile
exit 1
fi
if [ ! -r "${ISSUERCERT}" ]; then
echo "Error: Issuer cert file ${ISSUERCERT} was not created."
echo "Setup Logfile:"
cat ${workdir}/logfile
exit 1
fi
if [ ! -r "${CERTSERIAL}" ]; then
echo "Error: Cert serial number file ${CERTSERIAL} was not created."
echo "Setup Logfile:"
cat ${workdir}/logfile
exit 1
fi
if [ -z "$(grep "ENCRYPTED PRIVATE KEY" ${workdir}/swtpm-localca-rootca-privkey.pem)" ]; then
echo "Error: Root CA's private key should be encrypted"
cat ${workdir}/swtpm-localca-rootca-privkey.pem
exit 1
fi
certfile="${workdir}/ek-rsa2048.crt"
if [ ! -f "${certfile}" ]; then
echo "Error: EK file '${certfile}' was not written."
ls -l "${workdir}"
exit 1
fi
if [ -z "$($CERTTOOL --inder --infile "${certfile}" -i | grep "2048 bits")" ]; then
echo "Error: EK file '${certfile}' is not an RSA 2048 bit key."
$CERTTOOL --inder --infile "${certfile}" -i
exit 1
fi
expiration="$($CERTTOOL --inder --infile "${certfile}" -i | grep "Not After:")"
expected="Not After: Fri Dec 31 23:59:59 UTC 9999"
if [ -z "$(echo "${expiration}" | grep "${expected}")" ]; then
echo "Error: EK file '${certfile}' does not expire in 9999"
echo "actual: ${expiration}"
echo "expected: ${expected}"
exit 1
fi
echo "OK"
exit 0
Reference in New Issue View Git Blame Copy Permalink