tests: Extend test cases to also test with RSA 3072 bit keys

Extend a few test cases to also test with RSA 3072 bit keys if they are supported. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
stefanberger · Apr 24, 2020 · 54c8e1b · 54c8e1b
1 parent 1c979fc
commit 54c8e1b
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 32 deletions.
diff --git a/tests/test_tpm2_parameters b/tests/test_tpm2_parameters
@@ -32,6 +32,20 @@ PARAMETERS=(
 	"--ecc --createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile-fd 101 --cipher aes-256-cbc"
 )
 
+# Tests for 3072 bit RSA keys to be appended to above array if RSA 3072 keys are supported
+PARAMETERS_3072=(
+	"--createek --rsa-keysize 3072"
+	"--createek --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --rsa-keysize 3072"
+	"--createek --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile ${TESTDIR}/data/keyfile.txt --rsa-keysize 3072"
+	"--createek --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile ${TESTDIR}/data/pwdfile.txt --rsa-keysize 3072"
+	"--createek --allow-signing --rsa-keysize 3072"
+	"--createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --rsa-keysize 3072"
+	"--createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile ${TESTDIR}/data/keyfile.txt --rsa-keysize 3072"
+	"--createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile ${TESTDIR}/data/pwdfile.txt --rsa-keysize 3072"
+	"--createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile ${TESTDIR}/data/keyfile256bit.txt --cipher aes-256-cbc --rsa-keysize 3072"
+	"--createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile ${TESTDIR}/data/pwdfile.txt --cipher aes-256-cbc --rsa-keysize 3072"
+)
+
 # Open read-only file descriptors referenced in test cases
 exec 100<${TESTDIR}/data/keyfile256bit.txt
 exec 101<${TESTDIR}/data/pwdfile.txt
@@ -70,6 +84,10 @@ if [ $? -ne 0 ]; then
 	exit 1
 fi
 
+if [ -n "$($TPMAUTHORING --tpm2 --print-capabilities | grep rsa-keysize-3072 )" ]; then
+	PARAMETERS+=( "${PARAMETERS_3072[@]}" )
+fi
+
 # swtpm_setup.conf points to the local create_certs.sh
 # For create_certs.sh to be found (with out full path)
 # add this directory to the PATH

diff --git a/tests/test_tpm2_swtpm_setup_create_cert b/tests/test_tpm2_swtpm_setup_create_cert
@@ -61,43 +61,54 @@ _EOF_
 # We need to adapt the PATH so the correct swtpm_cert is picked
 export PATH=${TOPBUILD}/src/swtpm_cert:${PATH}
 
-# we need to create at least one cert: --create-ek-cert
-$SWTPM_SETUP \
-	--tpm2 \
-	--allow-signing \
-	--tpm-state "${workdir}" \
-	--create-ek-cert \
-	--create-platform-cert \
-	--config "${workdir}/swtpm_setup.conf" \
-	--logfile "${workdir}/logfile" \
-	--tpm "${SWTPM} socket ${SWTPM_TEST_SECCOMP_OPT}" \
-	--swtpm_ioctl "${SWTPM_IOCTL}"
-
-if [ $? -ne 0 ]; then
-	echo "Error: Could not run $SWTPM_SETUP."
-	echo "Logfile output:"
-	cat "${workdir}/logfile"
-	exit 1
+keysizes="2048"
+if [ -n "$($SWTPM_SETUP --tpm2 --print-capabilities | grep rsa-keysize-3072 )" ]; then
+	keysizes+=" 3072"
 fi
 
-if [ ! -r "${SIGNINGKEY}" ]; then
-	echo "Error: Signingkey file ${SIGNINGKEY} was not created."
-	exit 1
-fi
-
-if [ ! -r "${ISSUERCERT}" ]; then
-	echo "Error: Issuer cert file ${ISSUERCERT} was not created."
-	exit 1
-fi
-
-if [ ! -r "${CERTSERIAL}" ]; then
-	echo "Error: Cert serial number file ${CERTSERIAL} was not created."
-	exit 1
-fi
+for keysize in $(echo $keysizes); do
+	echo "Testing with RSA keysize $keysize"
+	# we need to create at least one cert: --create-ek-cert
+	$SWTPM_SETUP \
+		--tpm2 \
+		--allow-signing \
+		--tpm-state "${workdir}" \
+		--create-ek-cert \
+		--create-platform-cert \
+		--config "${workdir}/swtpm_setup.conf" \
+		--logfile "${workdir}/logfile" \
+		--tpm "${SWTPM} socket ${SWTPM_TEST_SECCOMP_OPT}" \
+		--swtpm_ioctl "${SWTPM_IOCTL}" \
+		--rsa-keysize ${keysize} \
+		--overwrite
+
+	if [ $? -ne 0 ]; then
+		echo "Error: Could not run $SWTPM_SETUP."
+		echo "Logfile output:"
+		cat "${workdir}/logfile"
+		exit 1
+	fi
+
+	if [ ! -r "${SIGNINGKEY}" ]; then
+		echo "Error: Signingkey file ${SIGNINGKEY} was not created."
+		exit 1
+	fi
+
+	if [ ! -r "${ISSUERCERT}" ]; then
+		echo "Error: Issuer cert file ${ISSUERCERT} was not created."
+		exit 1
+	fi
+
+	if [ ! -r "${CERTSERIAL}" ]; then
+		echo "Error: Cert serial number file ${CERTSERIAL} was not created."
+		exit 1
+	fi
+
+	rm -rf ${SIGNINGKEY} ${ISSUERCERT} ${CERTSERIAL}
+done
 
 echo "Test 1: OK"
 
-rm -rf ${SIGNINGKEY} ${ISSUERCERT} ${CERTSERIAL}
 
 # we need to create at least one cert: --create-ek-cert
 $SWTPM_SETUP \