1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
|
#!/usr/bin/env bash
# For the license, see the LICENSE file in the root directory.
ROOT=${abs_top_builddir:-$(dirname "$0")/..}
TESTDIR=${abs_top_testdir:-$(dirname "$0")}
source "${TESTDIR}/common"
skip_test_no_tpm12 "${SWTPM_EXE}"
workdir="$(mktemp -d)" || exit 1
SIGNINGKEY=${workdir}/signingkey.pem
ISSUERCERT=${workdir}/issuercert.pem
CERTSERIAL=${workdir}/certserial
PATH=${ROOT}/src/swtpm_bios:$PATH
trap "cleanup" SIGTERM EXIT
function cleanup()
{
rm -rf "${workdir}"
}
# We want swtpm_cert to use the local CA and see that the
# local CA script automatically creates a signingkey and
# self-signed certificate; use ${WORKDIR} in the config files
# to test env variable resolution
cat <<_EOF_ > "${workdir}/swtpm-localca.conf"
statedir=\${WORKDIR}
signingkey = \${WORKDIR}/signingkey.pem
issuercert = \${WORKDIR}/issuercert.pem
certserial = \${WORKDIR}/certserial
_EOF_
cat <<_EOF_ > "${workdir}/swtpm-localca.options"
--tpm-manufacturer IBM
--tpm-model swtpm-libtpms
--tpm-version 1.2
--platform-manufacturer Fedora
--platform-version 2.1
--platform-model QEMU
_EOF_
cat <<_EOF_ > "${workdir}/swtpm_setup.conf"
create_certs_tool=${SWTPM_LOCALCA}
create_certs_tool_config=\${WORKDIR}/swtpm-localca.conf
create_certs_tool_options=\${WORKDIR}/swtpm-localca.options
_EOF_
# We need to adapt the PATH so the correct swtpm_cert is picked
export PATH=${ROOT}/src/swtpm_cert:${PATH}
# Create a ROOT CA with a password-protected private key
export SWTPM_ROOTCA_PASSWORD=password
# we need to create at least one cert: --create-ek-cert
if ! WORKDIR=${workdir} $SWTPM_SETUP \
--tpm-state "${workdir}" \
--create-ek-cert \
--config "${workdir}/swtpm_setup.conf" \
--logfile "${workdir}/logfile" \
--tpm "${SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \
--write-ek-cert-files "${workdir}";
then
echo "Error: Could not run $SWTPM_SETUP."
echo "Setup Logfile:"
cat "${workdir}/logfile"
exit 1
fi
if [ ! -r "${SIGNINGKEY}" ]; then
echo "Error: Signingkey file ${SIGNINGKEY} was not created."
echo "Setup Logfile:"
cat "${workdir}/logfile"
exit 1
fi
if [ ! -r "${ISSUERCERT}" ]; then
echo "Error: Issuer cert file ${ISSUERCERT} was not created."
echo "Setup Logfile:"
cat "${workdir}/logfile"
exit 1
fi
if [ ! -r "${CERTSERIAL}" ]; then
echo "Error: Cert serial number file ${CERTSERIAL} was not created."
echo "Setup Logfile:"
cat "${workdir}/logfile"
exit 1
fi
if ! grep -q "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem"; then
echo "Error: Root CA's private key should be encrypted"
cat "${workdir}/swtpm-localca-rootca-privkey.pem"
exit 1
fi
certfile="${workdir}/ek-rsa2048.crt"
if [ ! -f "${certfile}" ]; then
echo "Error: EK file '${certfile}' was not written."
ls -l "${workdir}"
exit 1
fi
if ! $CERTTOOL --inder --infile "${certfile}" -i | grep -q "2048 bits"; then
echo "Error: EK file '${certfile}' is not an RSA 2048 bit key."
$CERTTOOL --inder --infile "${certfile}" -i
exit 1
fi
expiration="$($CERTTOOL --inder --infile "${certfile}" -i | grep "Not After:")"
expected1="Not After: Fri Dec 31 23:59:59 UTC 9999"
# 32bit machines
expected2="Not After: Thu Dec 31 23:23:23 UTC 2037"
if ! echo "${expiration}" | grep -q "${expected1}" && \
! echo "${expiration}" | grep -q "${expected2}"; then
echo "Error: EK file '${certfile}' does not expire in 9999 or 2037"
echo "actual : ${expiration}"
echo "expected1: ${expected1}"
echo "expected2: ${expected2} (32 bit machines)"
exit 1
fi
echo "OK"
exit 0
|
