author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2023-12-16 15:25:44 -0500 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2023-12-17 10:49:38 -0500 |
commit | 2fb0548e4065df2e2683e0937cd1402deee1c8d9 (patch) | |
tree | ba951dc2ee37e41ed7036bdea56285c635876658 | |
parent | 5721b68a89100ca42565a686df332c06f5754c4a (diff) | |
download | openssl_tpm2_engine-2fb0548e4065df2e2683e0937cd1402deee1c8d9.tar.gz |
tests: add check for signed policies
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rwxr-xr-x | tests/check_secret_policies.sh | 49 | ||||
-rw-r--r-- | tests/engine/Makefile.am | 1 | ||||
-rw-r--r-- | tests/provider/Makefile.am | 1 |
3 files changed, 51 insertions, 0 deletions
diff --git a/tests/check_secret_policies.sh b/tests/check_secret_policies.sh
new file mode 100755
index 0000000..a367b86
--- /dev/null
+++ b/tests/check_secret_policies.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+set -x
+
+##
+# First create a NV object and a permanent key with a known authorization
+##
+PASSWORD="RNDPWD${RANDOM}"
+NVINDEX=0x01000002
+NVKEY=0x81005555
+DATA="Some Random Data ${RANDOM}"
+tssnvdefinespace -hi o -ha ${NVINDEX} -pwdn ${PASSWORD} || exit 1
+# note index is not initialized (but shouldn't need to be)
+key=$(tsscreateprimary -hi o -st -ecc nistp256 -pwdk ${PASSWORD}|sed 's/Handle //') && \
+tssevictcontrol -hi o -ho ${key} -hp ${NVKEY} && \
+tssflushcontext -ha ${key}
+# create a policy key
+openssl genpkey -out policy.key -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 || exit 1
+openssl pkey -in policy.key -pubout -out policy.pub
+
+##
+# Tests for each index, create an ordinary key a sealed object and a
+# signed policy key each with --secret and then verify they fail with
+# no password and accept the object password
+##
+for index in ${NVINDEX} ${NVKEY}; do
+
+ ${bindir}/create_tpm2_key --secret ${index} key.tpm || exit 1
+ echo ${DATA}|${bindir}/seal_tpm2_data --secret ${index} seal.tpm || exit 1
+ echo ${DATA} > plain.txt
+ openssl pkey $ENGINE $INFORM -in key.tpm -passin pass:" " -pubout -out key.pub || exit 1
+ ${bindir}/create_tpm2_key --signed-policy policy.pub skey.tpm
+ ${bindir}/signed_tpm2_policy add --policy-name "secret" --secret ${index} skey.tpm policy.key || exit 1
+ openssl pkey $ENGINE $INFORM -in skey.tpm -passin pass:" " -pubout -out skey.pub || exit 1
+
+ # Verify use without password fails
+
+ openssl pkeyutl -sign -passin pass:" " -in plain.txt $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg && exit 1
+ ${bindir}/unseal_tpm2_data seal.tpm -k " " && exit 1
+ openssl pkeyutl -sign -passin pass:" " -in plain.txt $ENGINE $KEYFORM -inkey skey.tpm -out tmp.msg && exit 1
+
+ # verify use with object password works
+ openssl pkeyutl -sign -passin pass:${PASSWORD} -in plain.txt $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg && \
+ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1
+ ${bindir}/unseal_tpm2_data seal.tpm -k ${PASSWORD}| grep -q "${DATA}" || exit 1
+ openssl pkeyutl -sign -passin pass:${PASSWORD} -in plain.txt $ENGINE $KEYFORM -inkey skey.tpm -out tmp.msg && \
+ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey skey.pub -pubin || exit 1
+done
+
+exit 0
diff --git a/tests/engine/Makefile.am b/tests/engine/Makefile.am
index 8bc8765..ec6f321 100644
--- a/tests/engine/Makefile.am
+++ b/tests/engine/Makefile.am
@@ -28,6 +28,7 @@ TESTS += ../check_curves.sh \
 ../seal_unseal.sh \
 ../check_signed_policies.sh \
 ../check_locality.sh \
+ ../check_secret_policies.sh \
 ../dynamic_engine.sh \
 ../stop_sw_tpm.sh
diff --git a/tests/provider/Makefile.am b/tests/provider/Makefile.am
index cdd043b..1080036 100644
--- a/tests/provider/Makefile.am
+++ b/tests/provider/Makefile.am
@@ -30,6 +30,7 @@ TESTS += ../check_curves.sh \
 ../seal_unseal.sh \
 ../check_signed_policies.sh \
 ../check_locality.sh \
+ ../check_secret_policies.sh \
 ../stop_sw_tpm.sh
 fail_connect.sh: tpm_server_found |
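Review bot: Two setup steps in the new script can fail without stopping it, so a later failure would be reported against the wrong step: `${bindir}/create_tpm2_key --signed-policy policy.pub skey.tpm` is the only key-creation line in the loop with no `|| exit 1`, and the `key=$(tsscreateprimary …) && tssevictcontrol … && tssflushcontext …` chain at the top has no failure exit either, so if the persistent handle is never populated the first `--secret ${NVKEY}` iteration fails as if the secret policy itself were broken. Suggest appending `|| exit 1` to `tssflushcontext -ha ${key}`, to `… --signed-policy policy.pub skey.tpm` and to `openssl pkey -in policy.key -pubout -out policy.pub`, matching the other lines. The script also never undefines `${NVINDEX}` or evicts `${NVKEY}` after the loop, so a second run against the same TPM state would presumably fail at `tssnvdefinespace` unless a later test (`stop_sw_tpm.sh`, perhaps) resets the simulator; a short `tssnvundefinespace`/`tssevictcontrol` teardown before `exit 0`, or a comment naming which test cleans up, would make that explicit.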