1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
|
# set -e
source helpers.sh
start_up
CRYPTO_PROFILE="RSA"
setup_fapi $CRYPTO_PROFILE
function cleanup {
tss2 delete --path=/
shut_down
}
trap cleanup EXIT
# openssl ecparam -name secp256r1 -genkey -noout -out key_priv.pem
# openssl ec -in key_priv.pem -pubout -out key_pub.pem
# -----BEGIN PUBLIC KEY-----
# MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAw+PKFksCw+ikD76l6BMeXfebcZx
# Gf8QGWT2MOy8tOfpe6m+6MUUm2GUijGPkvCTjtJPOJz//XMom+k+7OaWmA==
# -----END PUBLIC KEY-----
# -----BEGIN EC PRIVATE KEY-----
# MHcCAQEEICf0OXKKsPkEVR1jsPOKSQQJnJVimamLYwLDZwJDj7etoAoGCCqGSM49
# AwEHoUQDQgAEAw+PKFksCw+ikD76l6BMeXfebcZxGf8QGWT2MOy8tOfpe6m+6MUU
# m2GUijGPkvCTjtJPOJz//XMom+k+7OaWmA==
# -----END EC PRIVATE KEY-----
KEY_PATH_1=HS/SRK/mySignKey1
KEY_PATH_2=HS/SRK/mySignKey2
SIGN_POLICY_DATA=pol_signed.json
SIGN_POLICY_DATA_KEY_HINT=pol_signed_key_hint.json
POLICY_SIGNED=policy/policy-signed
POLICY_SIGNED_KEY_HINT=policy/policy-signed_key_hint
TEST_SIGNATURE_FILE=test_signature.file
SIGNATURE_FILE=signature.file
DIGEST_FILE=digest.file
PRIV_KEY_FILE=priv_key.file
LOG_FILE=$TEMP_DIR/log.file
touch $LOG_FILE
EMPTY_FILE=$TEMP_DIR/empty.file
BIG_FILE=$TEMP_DIR/big_file.file
# Setup Policy Signed
cat > $SIGN_POLICY_DATA_KEY_HINT <<EOF
{
"description":"Description pol_signed",
"policy":[
{
"type": "POLICYSIGNED",
"keyPEM": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAw+PKFksCw+ikD76l6BMeXfebcZx\nGf8QGWT2MOy8tOfpe6m+6MUUm2GUijGPkvCTjtJPOJz//XMom+k+7OaWmA==\n-----END PUBLIC KEY-----",
"keyPEMhashAlg": "SHA1",
"publicKeyHint": "My Signature Key"
}
]
}
EOF
cat > $SIGN_POLICY_DATA <<EOF
{
"description":"Description pol_signed",
"policy":[
{
"type": "POLICYSIGNED",
"keyPEM": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAw+PKFksCw+ikD76l6BMeXfebcZx\nGf8QGWT2MOy8tOfpe6m+6MUUm2GUijGPkvCTjtJPOJz//XMom+k+7OaWmA==\n-----END PUBLIC KEY-----",
"keyPEMhashAlg": "SHA1",
}
]
}
EOF
# Write private pem key to file
cat > $PRIV_KEY_FILE <<EOF
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEICf0OXKKsPkEVR1jsPOKSQQJnJVimamLYwLDZwJDj7etoAoGCCqGSM49
AwEHoUQDQgAEAw+PKFksCw+ikD76l6BMeXfebcZxGf8QGWT2MOy8tOfpe6m+6MUU
m2GUijGPkvCTjtJPOJz//XMom+k+7OaWmA==
-----END EC PRIVATE KEY-----
EOF
echo -n 01234567890123456789 > $DIGEST_FILE
tss2 provision
tss2 import --path=$POLICY_SIGNED --importData=$SIGN_POLICY_DATA
tss2 import --path=$POLICY_SIGNED_KEY_HINT --importData=$SIGN_POLICY_DATA_KEY_HINT
tss2 createkey --path $KEY_PATH_1 --type="sign, noda" \
--policyPath $POLICY_SIGNED --authValue ""
tss2 createkey --path $KEY_PATH_2 --type="sign, noda" \
--policyPath $POLICY_SIGNED_KEY_HINT --authValue ""
OUTPUT_FILE=$TEMP_DIR/data2sign.file
expect <<EOF
spawn sh -c "tss2 sign --keyPath=$KEY_PATH_1 --digest=$DIGEST_FILE --signature=$TEST_SIGNATURE_FILE --force 2> $LOG_FILE"
expect "Filename for nonce output: " {
send "$OUTPUT_FILE\r"
expect "Filename for signature input: " {
exec openssl dgst -sha1 -sign $PRIV_KEY_FILE -out $SIGNATURE_FILE $OUTPUT_FILE
send "$SIGNATURE_FILE\r"
exp_continue
}
}
EOF
if grep "ERROR" $LOG_FILE > /dev/null
then
cat $LOG_FILE
exit 1
fi
expect <<EOF
spawn sh -c "tss2 sign --keyPath=$KEY_PATH_2 --digest=$DIGEST_FILE --signature=$TEST_SIGNATURE_FILE --force 2> $LOG_FILE"
expect "Filename for nonce output: " {
send "$OUTPUT_FILE\r"
expect "Filename for signature input: " {
exec openssl dgst -sha1 -sign $PRIV_KEY_FILE -out $SIGNATURE_FILE $OUTPUT_FILE
send "$SIGNATURE_FILE\r"
exp_continue
}
}
EOF
if grep "ERROR" $LOG_FILE > /dev/null
then
cat $LOG_FILE
exit 1
fi
echo "sign callback with BIG_FILE" # Expected to fail
expect <<EOF
spawn sh -c "tss2 sign --keyPath=$KEY_PATH_1 --digest=$DIGEST_FILE --signature=$TEST_SIGNATURE_FILE --force 2> $LOG_FILE"
expect "Filename for nonce output: " {
send "$OUTPUT_FILE\r"
expect "Filename for signature input: " {
exec openssl dgst -sha1 -sign $PRIV_KEY_FILE -out $SIGNATURE_FILE $OUTPUT_FILE
send "$BIG_FILE\r"
set ret [wait]
if {[lindex \$ret 2] || [lindex \$ret 3] == 0} {
send_user "\n[lindex \$ret]\n"
send_user "Command not failed as expected\n"
exit 1
}
}
set ret [wait]
if {[lindex \$ret 2] || [lindex \$ret 3] == 0} {
set file [open $LOG_FILE r]
set log [read \$file]
close $file
send_user "\n[lindex \$ret]\n"
send_user "Command has not failed as expected\n"
exit 1
}
}
EOF
if [[ "`cat $LOG_FILE`" == $SANITIZER_FILTER ]]; then
echo "Error: AddressSanitizer triggered."
cat $LOG_FILE
exit 1
fi
echo "sign callback with EMPTY_FILE" # Expected to fail
expect <<EOF
spawn sh -c "tss2 sign --keyPath=$KEY_PATH_1 --digest=$DIGEST_FILE --signature=$TEST_SIGNATURE_FILE --force 2> $LOG_FILE"
expect "Filename for nonce output: " {
send "$OUTPUT_FILE\r"
expect "Filename for signature input: " {
exec openssl dgst -sha1 -sign $PRIV_KEY_FILE -out $SIGNATURE_FILE $OUTPUT_FILE
send "$EMPTY_FILE\r"
set ret [wait]
if {[lindex \$ret 2] || [lindex \$ret 3] == 0} {
send_user "\n[lindex \$ret]\n"
send_user "Command has not failed as expected\n"
exit 1
}
}
set ret [wait]
if {[lindex \$ret 2] || [lindex \$ret 3] == 0} {
set file [open $LOG_FILE r]
set log [read \$file]
close $file
send_user "\n[lindex \$ret]\n"
send_user "Command has not failed as expected\n"
exit 1
}
}
EOF
if [[ "`cat $LOG_FILE`" == $SANITIZER_FILTER ]]; then
echo "Error: AddressSanitizer triggered."
cat $LOG_FILE
exit 1
fi
exit 0
|
