

tests: Use the --write-ek-cert-files option and check for files
Use the --write-ek-cert-files option in existing test cases
and check for written files and correctness of the files.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
stefanberger committed Jul 30, 2021
1 parent 78559ed commit a735e4c
Showing 2 changed files with 48 additions and 4 deletions.
16 changes: 15 additions & 1 deletion tests/test_swtpm_setup_create_cert
Expand Up @@ -63,7 +63,8 @@ $SWTPM_SETUP \
--create-ek-cert \
--config ${workdir}/swtpm_setup.conf \
--logfile ${workdir}/logfile \
--tpm "${SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}"
--tpm "${SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \
--write-ek-cert-files "${workdir}"

if [ $? -ne 0 ]; then
echo "Error: Could not run $SWTPM_SETUP."
Expand Down Expand Up @@ -99,6 +100,19 @@ if [ -z "$(grep "ENCRYPTED PRIVATE KEY" ${workdir}/swtpm-localca-rootca-privkey.
exit 1
fi

certfile="${workdir}/ek-rsa2048.crt"
if [ ! -f "${certfile}" ]; then
echo "Error: EK file '${certfile}' was not written."
ls -l "${workdir}"
exit 1
fi

if [ -z "$($CERTTOOL --inder --infile "${certfile}" -i | grep "2048 bits")" ]; then
echo "Error: EK file '${certfile}' is not an RSA 2048 bit key."
$CERTTOOL --inder --infile "${certfile}" -i
exit 1
fi

echo "OK"

exit 0
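Review bot: The new certtool check only confirms that the string `2048 bits` appears somewhere in the parsed certificate, so it does not establish what the error message claims, namely that the EK is an RSA key; a certificate with a different key type would still have to hit that exact substring to pass, but the algorithm itself is never tested. certtool's `-i` output carries a `Subject Public Key Algorithm:` line, so adding a second grep for the RSA value of that line (or combining both into one pattern) would make the check match the message. The same shape is used for the two checks added in tests/test_tpm2_swtpm_setup_create_cert, where the ECC case additionally reports "ECC 384 bit key" while only matching `384 bits`. As a point of style, `grep -q` on the pipeline avoids the command-substitution-plus-`-z` idiom: `if ! $CERTTOOL --inder --infile "${certfile}" -i | grep -q "2048 bits"; then`, though the existing file uses the `-z "$(...)"` form elsewhere, so keeping it for consistency is defensible.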
36 changes: 33 additions & 3 deletions tests/test_tpm2_swtpm_setup_create_cert
Expand Up @@ -16,6 +16,8 @@ workdir=$(mktemp -d "/tmp/path with spaces.XXXXXX")
SIGNINGKEY=${workdir}/signingkey.pem
ISSUERCERT=${workdir}/issuercert.pem
CERTSERIAL=${workdir}/certserial
USER_CERTSDIR=${workdir}/mycerts
mkdir -p "${USER_CERTSDIR}"

PATH=${TOPBUILD}/src/swtpm_bios:$PATH

Expand Down Expand Up @@ -76,7 +78,8 @@ for keysize in $(echo $keysizes); do
--logfile "${workdir}/logfile" \
--tpm "${SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \
--rsa-keysize ${keysize} \
--overwrite
--overwrite \
--write-ek-cert-files "${USER_CERTSDIR}"

if [ $? -ne 0 ]; then
echo "Error: Could not run $SWTPM_SETUP."
Expand All @@ -100,7 +103,20 @@ for keysize in $(echo $keysizes); do
exit 1
fi

rm -rf ${SIGNINGKEY} ${ISSUERCERT} ${CERTSERIAL}
certfile="${USER_CERTSDIR}/ek-rsa${keysize}.crt"
if [ ! -f "${certfile}" ]; then
echo "Error: EK file '${certfile}' was not written."
ls -l "${USER_CERTSDIR}"
exit 1
fi

if [ -z "$($CERTTOOL --inder --infile "${certfile}" -i | grep "${keysize} bits")" ]; then
echo "Error: EK file '${certfile}' is not an RSA ${keysize} bit key."
$CERTTOOL --inder --infile "${certfile}" -i
exit 1
fi

rm -rf "${SIGNINGKEY}" "${ISSUERCERT}" "${CERTSERIAL}" ${USER_CERTSDIR}/ek-*.crt
done

echo "Test 1: OK"
Expand All @@ -115,7 +131,8 @@ $SWTPM_SETUP \
--config "${workdir}/swtpm_setup.conf" \
--logfile "${workdir}/logfile" \
--tpm "${SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \
--overwrite
--overwrite \
--write-ek-cert-files "${workdir}"

if [ $? -ne 0 ]; then
echo "Error: Could not run $SWTPM_SETUP."
Expand All @@ -139,6 +156,19 @@ if [ ! -r "${CERTSERIAL}" ]; then
exit 1
fi

certfile="${workdir}/ek-secp384r1.crt"
if [ ! -f "${certfile}" ]; then
echo "Error: EK file '${certfile}' was not written."
ls -l "${workdir}"
exit 1
fi

if [ -z "$($CERTTOOL --inder --infile "${certfile}" -i | grep "384 bits")" ]; then
echo "Error: EK file '${certfile}' is not an ECC 384 bit key."
$CERTTOOL --inder --infile "${certfile}" -i
exit 1
fi

echo "Test 2: OK"

exit 0
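Review bot: The rewritten cleanup line `rm -rf "${SIGNINGKEY}" "${ISSUERCERT}" "${CERTSERIAL}" ${USER_CERTSDIR}/ek-*.crt` leaves `${USER_CERTSDIR}` unquoted, yet this test deliberately creates its workdir with `mktemp -d "/tmp/path with spaces.XXXXXX"`, so the last operand word-splits into `/tmp/path`, `with` and `spaces.XXXXXX/mycerts/ek-*.crt`. The generated EK certificates are therefore never removed between iterations (the relative pattern matches nothing and `-f` hides the failure), and if an unrelated `/tmp/path` exists on the host it is deleted by a test script. Quoting only the directory part keeps the glob working: `rm -rf -- "${SIGNINGKEY}" "${ISSUERCERT}" "${CERTSERIAL}" "${USER_CERTSDIR}"/ek-*.crt`. The enclosing `for keysize` loop begins before this hunk; the same quoting concern does not arise in the Test 2 hunks, which pass `"${workdir}"` quoted.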
