Skip to content

Commit

Permalink
samples: Apply password for signing key when creating platform cert (…
Browse files Browse the repository at this point in the history 
…bugfix)

Apply the password for the signing key and parent key when creating a
platform certificate. The bug was introduced in commit 961bb82
"samples: Use new pwd format option for secretly passing passwords"

Extend a test case to ensure that the passwords are always used.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
  • Loading branch information
@stefanberger
stefanberger committed Sep 16, 2020
1 parent 2778103 commit 3919bf0
Show file tree
Hide file tree
Showing 2 changed files with 27 additions and 0 deletions.
2 changes: 2 additions & 0 deletions samples/swtpm-localca.in
View file
Original file line number Diff line number Diff line change
Expand Up @@ -285,6 +285,8 @@ create_cert() {
swtpm_cert \
--subject "$subj" \
$options \
${SIGNKEY_PASSWORD:+--signkey-pwd file:<(echo -en "$SIGNKEY_PASSWORD")} \
${PARENTKEY_PASSWORD:+--parentkey-pwd file:<(echo -en "$PARENTKEY_PASSWORD")} \
$tpm_attr_params \
--type platform \
--signkey "${SIGNKEY}" \
Expand Down
25 changes: 25 additions & 0 deletions tests/test_tpm2_samples_swtpm_localca
View file
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@ statedir=${workdir}
signingkey = ${SIGNINGKEY}
issuercert = ${ISSUERCERT}
certserial = ${CERTSERIAL}
signingkey_password = password
_EOF_

cat <<_EOF_ > "${workdir}/swtpm-localca.options"
Expand Down Expand Up @@ -78,6 +79,27 @@ do
exit 1
fi

# Signing key should always be password protected
if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${SIGNINGKEY}")" ]; then
echo "Error: Signing key is not password protected."
exit 1
fi

# For the root CA's key we flip the password protection
if [ -n "${SWTPM_ROOTCA_PASSWORD}" ] ;then
if [ -z "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then
echo "Error: Root CA's private key is not password protected."
exit 1
fi
unset SWTPM_ROOTCA_PASSWORD
else
if [ -n "$(grep "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem")" ]; then
echo "Error: Root CA's private key is password protected but should not be."
exit 1
fi
export SWTPM_ROOTCA_PASSWORD=xyz
fi

if [ ! -r "${workdir}/ek.cert" ]; then
echo "Error: ${workdir}/ek.cert was not created."
exit 1
Expand Down Expand Up @@ -114,6 +136,9 @@ do
echo "Error: Could not verify certificate chain."
exit 1
fi

# Delete all keys to have CA re-created
rm -rf "${workdir}"/*.pem
done

echo "Test 1: OK"
Expand Down

0 comments on commit 3919bf0

Please sign in to comment.