diff --git a/tests/kickstart_tests/escrow-cert.ks b/tests/kickstart_tests/escrow-cert.ks
new file mode 100644
index 00000000000..7909fb42c40
--- /dev/null
+++ b/tests/kickstart_tests/escrow-cert.ks
@@ -0,0 +1,107 @@
+%pre
+# Create an nss database for the escrow certifcate
+mkdir -p /tmp/escrow_test/nss
+certutil -d /tmp/escrow_test/nss --empty-password -N
+
+# Create a self-signed certificate
+# certutil waits for input if not provided with entropy data (-z). Use some
+# crappy data from urandom in the hope of leaving some entropy for the LUKS
+# operations to use later.
+dd if=/dev/urandom of=/tmp/escrow_test/entropy bs=20 count=1
+certutil -d /tmp/escrow_test/nss -S -x -n escrow_cert \
+ -s 'CN=Escrow Test' -t ',,TC' -z /tmp/escrow_test/entropy
+
+# Export the certificate
+certutil -d /tmp/escrow_test/nss -L -n escrow_cert -a -o /tmp/escrow_test/escrow.crt
+%end
+
+url --url=http://dl.fedoraproject.org/pub/fedora/linux/development/$releasever/$basearch/os/
+install
+network --bootproto=dhcp
+
+bootloader --timeout=1
+zerombr
+clearpart --all
+part --fstype=ext4 --size=4400 /
+part --fstype=ext4 --size=500 /boot
+part --fstype=swap --size=500 swap
+
+# Create a partition that's easy to umount and poke at in %post
+part --fstype=ext4 --size=500 --encrypted --passphrase='passphrase' --escrowcert=file:///tmp/escrow_test/escrow.crt --backuppassphrase /home
+
+keyboard us
+lang en
+timezone America/New_York
+rootpw qweqwe
+shutdown
+
+%pre-install
+# Copy the escrow database to the install path so we can use it during %post
+mkdir $ANA_INSTALL_PATH/root
+cp -a /tmp/escrow_test $ANA_INSTALL_PATH/root/
+%end
+
+%packages
+volume_key
+%end
+
+%post
+# First, check that the escrow stuff is there
+ls "/root/*-escrow" >/dev/null 2>&1
+if [[ $? != 0 ]]; then
+ echo '*** escrow packet was not created' > /root/RESULT
+ exit 1
+fi
+
+ls "/root/*-escrow-backup-passphrase" >/dev/null 2>&1
+if [[ $? != 0 ]]; then
+ echo '*** backup passphrase was not created' > /root/RESULT
+ exit 1
+fi
+
+# Get the LUKS device UUID from the escrow packet filename
+uuid="$(basename /root/*-escrow | sed 's|-escrow$||')"
+
+# umount and close the LUKS device
+umount /home
+cryptsetup close /dev/mapper/luks-$uuid
+
+# Try out the backup passphrase
+backup_passphrase="$(volume_key --secrets -d /root/escrow_test/nss /root/$uuid-escrow-backup-passphrase | sed -n '/^Passphrase:/s|^Passphrase:[[:space:]]*||p')"
+
+if [[ $? != 0 ]] || [[ -z "$backup_passphrase" ]]; then
+ echo '*** unable to parse backup passphrase' > /root/RESULT
+ exit 1
+fi
+
+echo -n $backup_passphrase | cryptsetup open -q --key-file - --type luks --test-passphrase /dev/disk/by-uuid/$uuid
+if [[ $? != 0 ]]; then
+ echo '*** unable to decrypt volume with backup passphrase' > /root/RESULT
+ exit 1
+fi
+
+# Restore access to the volume with the escrow packet
+# First, re-encrypt the packet with a passphrase
+echo -n -e 'packet passphrase\0packet passphrase\0' | volume_key --reencrypt -b -d /root/escrow_test/nss /root/$uuid-escrow -o /root/escrow-out
+if [[ $? != 0 ]] || [[ ! -f /root/escrow-out ]]; then
+ echo '*** unable to reencrypt escrow packet' > /root/RESULT
+ exit 1
+fi
+
+# Use the escrow packet to set a new passphrase on the LUKS volume
+echo -n -e 'packet passphrase\0volume passphrase\0volume passphrase\0' | volume_key --restore -b /dev/disk/by-uuid/$uuid /root/escrow-out
+if [[ $? != 0 ]]; then
+ echo '*** unable to restore volume access with escrow packet' > /root/RESULT
+ exit 1
+fi
+
+# Make sure the new passphrase actually works
+echo -n 'volume passphrase' | cryptsetup open -q --key-file - --type luks --test-passphrase /dev/disk/by-uuid/$uuid
+if [[ $? != 0 ]]; then
+ echo '*** unable to open volume with restored passphrase' > /root/RESULT
+ exit 1
+fi
+
+echo 'SUCCESS' > /root/RESULT
+
+%end
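Review bot: In %post both existence checks put the glob inside double quotes (`ls "/root/*-escrow"` and `ls "/root/*-escrow-backup-passphrase"`), so the shell hands the pattern to ls literally and the test reports a missing escrow packet even when one was written; unquoted, `ls /root/*-escrow >/dev/null 2>&1`, the pattern expands. Further down, `echo -n $backup_passphrase` is unquoted, so a recovered passphrase containing whitespace or glob characters would be altered before it reaches cryptsetup; `printf '%s' "$backup_passphrase" | cryptsetup open ...` passes it through unchanged. The `$?` test after the `backup_passphrase=` assignment reflects sed rather than volume_key, so only the `-z` check catches a failed decryption there, and a comment saying so would help the next reader.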
diff --git a/tests/kickstart_tests/escrow-cert.sh b/tests/kickstart_tests/escrow-cert.sh
new file mode 100755
index 00000000000..503198bac34
--- /dev/null
+++ b/tests/kickstart_tests/escrow-cert.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+# Copyright (C) 2015 Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions of
+# the GNU General Public License v.2, or (at your option) any later version.
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY expressed or implied, including the implied warranties of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+# Public License for more details. You should have received a copy of the
+# GNU General Public License along with this program; if not, write to the
+# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301, USA. Any Red Hat trademarks that are incorporated in the
+# source code or documentation are not subject to the GNU General Public
+# License and may only be used or replicated with the express permission of
+# Red Hat, Inc.
+#
+# Red Hat Author(s): David Shea
+
+kernel_args() {
+ echo vnc
+}
+
+prepare() {
+ ks=$1
+ tmpdir=$2
+
+ echo ${ks}
+}
+
+validate() {
+ img=$1
+
+ # There should be a /root/RESULT file with results in it. Check
+ # its contents and decide whether the test finally succeeded or
+ # not.
+ result=$(virt-cat -a ${img} -m /dev/sda2 /root/RESULT)
+ if [[ $? != 0 ]]; then
+ status=1
+ echo '*** /root/RESULT does not exist in VM image.'
+ elif [[ "${result}" != "SUCCESS" ]]; then
+ status=1
+ echo "${result}"
+ fi
+
+ return ${status}
+}
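Review bot: `validate()` never initialises `status`, and none of the three functions declares its variables `local`, so on the success path `return ${status}` either expands to a bare `return` or picks up a `status` left behind in the calling shell. If the harness sources several tests into one shell (not visible here), a stale non-zero value would fail a run whose RESULT is SUCCESS; starting the function with `local status=0` makes the outcome explicit. `${img}` in the `virt-cat` call and `${ks}` in `prepare()` are also unquoted, so a path containing spaces would be split; `"${img}"` and `"${ks}"` avoid that.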