author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2023-03-17 09:23:20 -0400 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2023-03-17 12:01:58 -0400 |
commit | 83798b7a24a3f03737c32595abbe67aa235769dd (patch) | |
tree | de8e0d1b9b2040681e1d3dbd0f0373eb2bfe4974 | |
parent | 7ec176bfcd7d92aec0e89ab736899da0666f1948 (diff) | |
download | openssl_tpm2_engine-83798b7a24a3f03737c32595abbe67aa235769dd.tar.gz |
tests: move engine tests to a separate directory
Also move tests to be the last item in the Makefile.am SUBDIRS as
recommended by the automake documentation. Eventually this will allow
for the addition of provider tests which can be run independently from
the engine tests.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r-- | Makefile.am | 6 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | tests/Makefile.am | 51 | ||||
-rwxr-xr-x | tests/check_enhanced_auth.sh | 14 | ||||
-rwxr-xr-x | tests/check_importable.sh | 4 | ||||
-rwxr-xr-x | tests/dynamic_engine.sh | 2 | ||||
-rw-r--r-- | tests/engine/Makefile.am | 52 | ||||
-rw-r--r-- | tests/engine/openssl.cnf (renamed from tests/openssl.cnf) | 2 | ||||
-rwxr-xr-x | tests/restricted_parent.sh | 2 | ||||
-rwxr-xr-x | tests/seal_unseal.sh | 4 |
10 files changed, 72 insertions, 67 deletions
diff --git a/Makefile.am b/Makefile.am index 00dd801..131266e 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,3 +1,7 @@ EXTRA_DIST = README openssl.cnf.sample -SUBDIRS = tests doc src/libcommon src/engine src/tools +SUBDIRS = doc +SUBDIRS += src/libcommon +SUBDIRS += src/engine +SUBDIRS += src/tools +SUBDIRS += tests/engine diff --git a/configure.ac b/configure.ac index 2144b95..f189e24 100644 --- a/configure.ac +++ b/configure.ac @@ -160,7 +160,7 @@ fi AC_SUBST(testtpm) AC_OUTPUT([Makefile - tests/Makefile + tests/engine/Makefile doc/Makefile src/libcommon/Makefile src/engine/Makefile diff --git a/tests/Makefile.am b/tests/Makefile.am deleted file mode 100644 index 8666e69..0000000 --- a/tests/Makefile.am +++ /dev/null 
@@ -1,51 +0,0 @@ -TESTS = fail_connect.sh -TESTS += start_sw_tpm.sh -if HAVE_IBM_TSS -TESTS += check_tpm_directory.sh -endif -TESTS += check_curves.sh \ - create_tpm_key.sh \ - create_tpm_key_auth.sh \ - check_auth.sh \ - wrap_tpm_key.sh \ - check_wrap_auth.sh \ - check_old_keys.sh \ - check_der.sh \ - create_ecc.sh \ - create_nonopenssl_ecc.sh \ - wrap_ecc.sh \ - wrap_generic_ecc.sh \ - wrap_pkcs12.sh \ - derive_ecc.sh \ - create_non_tpm_keys.sh \ - da_check.sh \ - test_nv_key.sh \ - check_enhanced_auth.sh \ - check_counter_timer.sh \ - check_importable.sh \ - check_rsa_oaep_pss.sh \ - restricted_parent.sh \ - seal_unseal.sh \ - check_signed_policies.sh \ - dynamic_engine.sh \ - stop_sw_tpm.sh - -fail_connect.sh: tpm_server_found - -tpm_server_found: - @if [ -z "$(testtpm)" ]; then echo "ERROR: Can't run tests, no tpm server is found"; exit 1; fi - -AM_TESTS_ENVIRONMENT = TPM_INTERFACE_TYPE=socsim; export TPM_INTERFACE_TYPE; \ - srcdir=$(abs_srcdir); export srcdir; \ - bindir=$(abs_srcdir)/../src/tools; export bindir; \ - OPENSSL_CONF=$(abs_srcdir)/openssl.cnf; export OPENSSL_CONF; \ - TPMSERVER=$(TPMSERVER); export TPMSERVER; \ - TSSTYPE=@TSSTYPE@; export TSSTYPE; \ - SWTPM=$(SWTPM); export SWTPM; \ - SWTPM_IOCTL=$(SWTPM_IOCTL); export SWTPM_IOCTL; - -TEST_EXTENSIONS = .sh - -CLEANFILES = key*.tpm key*.pub key*.priv tmp.* NVChip h*.bin key*.der seal.* fifo tss2.* -clean-local: - rm -fr testdir diff --git a/tests/check_enhanced_auth.sh b/tests/check_enhanced_auth.sh index 1118a46..19865c7 100755 --- a/tests/check_enhanced_auth.sh +++ b/tests/check_enhanced_auth.sh @@ -1,5 +1,5 @@ #!/bin/bash - +set -x tss_pcrreset_cmd=tsspcrreset tss_pcrextend_cmd=tsspcrextend 
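Review bot: The `set -x` added as line 2 of tests/check_enhanced_auth.sh is not mentioned in the commit message and has nothing to do with moving the engine tests, so it looks like a debugging leftover. With tracing on, every command in the script is echoed into the test log, including the `-k passw0rd` and `-passin pass:passw0rd` arguments; those are fixed test values, but the log becomes much noisier. If the trace is wanted (tests/dynamic_engine.sh already enables it), document it with a comment such as `# trace commands into the test log` and mention it in the commit message; otherwise keep the original blank line.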
@@ -15,7 +15,7 @@ fi
 # check we can use a bogus policy 5 times without clogging up the TPM, so
 # we're properly flushing policy handles
 ##
-${bindir}/create_tpm2_key key.tpm -c policies/policy_bogus.txt
+${bindir}/create_tpm2_key key.tpm -c ${testdir}/policies/policy_bogus.txt
 a=0; while [ $a -lt 5 ]; do
 a=$[$a+1]
 echo "This is a message" | openssl pkeyutl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && exit 1
@@ -50,7 +50,7 @@ for h in "sha1" "" "sha384"; do
 # 3. encode a message using the TPM key
 # 4. verify the message through the public key
 echo "This is a Message" > plain.txt
- ${bindir}/create_tpm2_key ${n} -a -k passw0rd key2.tpm -c policies/policy_authvalue.txt && \
+ ${bindir}/create_tpm2_key ${n} -a -k passw0rd key2.tpm -c ${testdir}/policies/policy_authvalue.txt && \
 openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
 openssl pkeyutl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -in plain.txt -out tmp.msg && \
 openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub -pubin || exit 1
@@ -65,7 +65,7 @@ for h in "sha1" "" "sha384"; do
 # 6. verify the message through the public key
 ${tss_pcrreset_cmd} -ha 16
 ${tss_pcrextend_cmd} -ha 16 -ic aaa
- ${bindir}/create_tpm2_key ${n} key2.tpm -c policies/policy_pcr${h}.txt && \
+ ${bindir}/create_tpm2_key ${n} key2.tpm -c ${testdir}/policies/policy_pcr${h}.txt && \
 openssl rsa -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub && \
 openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \
 openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub -pubin || exit 1
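Review bot: The new `${testdir}` prefix is expanded unquoted on every `create_tpm2_key ... -c` line in these hunks, so a checkout path containing whitespace or glob characters would be split into several arguments. The policy path used to be a fixed relative name; it is now built from `$(abs_srcdir)/..` (the `testdir` export in tests/engine/Makefile.am), so it depends on where the tree lives. Quoting the argument, e.g. `-c "${testdir}/policies/policy_bogus.txt"`, avoids that. The same applies to the `cat ${testdir}/policies/...` lines in the later hunks of this file, to the `-c` argument in tests/restricted_parent.sh, and to wherever `$POLICYFILE` is consumed in tests/check_importable.sh and tests/seal_unseal.sh (those uses are outside the hunks). `${bindir}` on the same lines is already unquoted, so this may be accepted project style.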
@@ -78,7 +78,7 @@ for h in "sha1" "" "sha384"; do
 # 4. encode a message using the TPM key
 # 5. verify the message through the public key
 ${tss_pcrreset_cmd} -ha 16
- ${bindir}/create_tpm2_key ${n} key2.tpm -c policies/policy_pcr${h}.txt
+ ${bindir}/create_tpm2_key ${n} key2.tpm -c ${testdir}/policies/policy_pcr${h}.txt
 openssl rsa -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub && \
 openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \
 openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub -pubin
@@ -95,7 +95,7 @@ for h in "sha1" "" "sha384"; do
 # 4. get the corresponding public key from the engine
 # 5. encode a message using the TPM key
 # 6. verify the message through the public key
- cat policies/policy_authvalue.txt policies/policy_pcr${h}.txt > policy_authvalue_pcr.txt
+ cat ${testdir}/policies/policy_authvalue.txt ${testdir}/policies/policy_pcr${h}.txt > policy_authvalue_pcr.txt
 ${tss_pcrreset_cmd} -ha 16
 ${tss_pcrextend_cmd} -ha 16 -ic aaa
 ${bindir}/create_tpm2_key ${n} -a -k passw0rd key2.tpm -c policy_authvalue_pcr.txt && \
@@ -111,7 +111,7 @@ for h in "sha1" "" "sha384"; do
 # 4. get the corresponding public key from the engine
 # 5. encode a message using the TPM key
 # 6. verify the message through the public key
- cat policies/policy_pcr${h}.txt policies/policy_authvalue.txt > policy_pcr_authvalue.txt
+ cat ${testdir}/policies/policy_pcr${h}.txt ${testdir}/policies/policy_authvalue.txt > policy_pcr_authvalue.txt
 ${tss_pcrreset_cmd} -ha 16
 ${tss_pcrextend_cmd} -ha 16 -ic aaa
 ${bindir}/create_tpm2_key ${n} -a -k passw0rd key2.tpm -c policy_pcr_authvalue.txt && \
diff --git a/tests/check_importable.sh b/tests/check_importable.sh
index 93ac4e4..b2c15ab 100755
--- a/tests/check_importable.sh
+++ b/tests/check_importable.sh
@@ -8,9 +8,9 @@ tssflushcontext -ha ${prim} || exit 1 for n in sha1 sha256 sha384; do echo "Checking Name Hash $n" if [ "$n" = "sha256" ]; then - POLICYFILE=policies/policy_pcr.txt + POLICYFILE=${testdir}/policies/policy_pcr.txt else - POLICYFILE=policies/policy_pcr${n}.txt + POLICYFILE=${testdir}/policies/policy_pcr${n}.txt fi # check an EC key with a cert and password openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out key.priv || exit 1 diff --git a/tests/dynamic_engine.sh b/tests/dynamic_engine.sh index 002cbed..ee7c5e7 100755 --- a/tests/dynamic_engine.sh +++ b/tests/dynamic_engine.sh @@ -5,7 +5,7 @@ set -x # to work with the dynamic engine, we unset the openssl.cnf that # specifies a built in engine unset OPENSSL_CONF -export OPENSSL_ENGINES=${srcdir}/../src/engine/.libs +export OPENSSL_ENGINES=${testdir}/../src/engine/.libs ln -s libtpm2.so ${OPENSSL_ENGINES}/tpm2.so testkey() { diff --git a/tests/engine/Makefile.am b/tests/engine/Makefile.am new file mode 100644 index 0000000..c0617a5 --- /dev/null +++ b/tests/engine/Makefile.am 
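Review bot: `OPENSSL_ENGINES=${testdir}/../src/engine/.libs` in tests/dynamic_engine.sh resolves under the source tree, because `testdir` is exported as `$(abs_srcdir)/..` in tests/engine/Makefile.am, whereas libtool normally places `.libs` in the build tree. This carries over from the previous `${srcdir}` form and is harmless for an in-tree build, but in an out-of-tree build (for example `make distcheck`) the directory would presumably not exist, so the `ln -s` on the next line and the engine load would fail. Since this variable decides which shared object OpenSSL loads as the `tpm2` engine, it is worth deriving from the build directory, e.g. exporting `enginedir=$(abs_top_builddir)/src/engine/.libs` in `AM_TESTS_ENVIRONMENT` and using `export OPENSSL_ENGINES="${enginedir}"` here. The rest of the script, including `testkey()`, lies outside the hunk.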
@@ -0,0 +1,52 @@ +TESTS = ../fail_connect.sh +TESTS += ../start_sw_tpm.sh +if HAVE_IBM_TSS +TESTS += ../check_tpm_directory.sh +endif +TESTS += ../check_curves.sh \ + ../create_tpm_key.sh \ + ../create_tpm_key_auth.sh \ + ../check_auth.sh \ + ../wrap_tpm_key.sh \ + ../check_wrap_auth.sh \ + ../check_old_keys.sh \ + ../check_der.sh \ + ../create_ecc.sh \ + ../create_nonopenssl_ecc.sh \ + ../wrap_ecc.sh \ + ../wrap_generic_ecc.sh \ + ../wrap_pkcs12.sh \ + ../derive_ecc.sh \ + ../create_non_tpm_keys.sh \ + ../da_check.sh \ + ../test_nv_key.sh \ + ../check_enhanced_auth.sh \ + ../check_counter_timer.sh \ + ../check_importable.sh \ + ../check_rsa_oaep_pss.sh \ + ../restricted_parent.sh \ + ../seal_unseal.sh \ + ../check_signed_policies.sh \ + ../dynamic_engine.sh \ + ../stop_sw_tpm.sh + +fail_connect.sh: tpm_server_found + +tpm_server_found: + @if [ -z "$(testtpm)" ]; then echo "ERROR: Can't run tests, no tpm server is found"; exit 1; fi + +AM_TESTS_ENVIRONMENT = TPM_INTERFACE_TYPE=socsim; export TPM_INTERFACE_TYPE; \ + srcdir=$(abs_srcdir); export srcdir; \ + bindir=$(abs_srcdir)/../../src/tools; export bindir; \ + testdir=$(abs_srcdir)/..; export testdir; \ + OPENSSL_CONF=$(abs_srcdir)/openssl.cnf; export OPENSSL_CONF; \ + TPMSERVER=$(TPMSERVER); export TPMSERVER; \ + TSSTYPE=@TSSTYPE@; export TSSTYPE; \ + SWTPM=$(SWTPM); export SWTPM; \ + SWTPM_IOCTL=$(SWTPM_IOCTL); export SWTPM_IOCTL; + +TEST_EXTENSIONS = .sh + +CLEANFILES = key*.tpm key*.pub key*.priv tmp.* NVChip h*.bin key*.der seal.* fifo tss2.* +clean-local: + rm -fr testdir diff --git a/tests/openssl.cnf b/tests/engine/openssl.cnf index 8ac239a..5b1e756 100644 --- a/tests/openssl.cnf +++ b/tests/engine/openssl.cnf @@ -18,7 +18,7 @@ engines = engines_section tpm2 = tpm2_section [tpm2_section] -dynamic_path = $ENV::srcdir/../src/engine/.libs/libtpm2.so +dynamic_path = $ENV::srcdir/../../src/engine/.libs/libtpm2.so init = 1 PIN = $ENV::SRKPIN NVPREFIX = $ENV::NVPREFIX 
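Review bot: The rule `fail_connect.sh: tpm_server_found` in the new tests/engine/Makefile.am kept its old target name, but `TESTS` now lists the script as `../fail_connect.sh`, so the prerequisite hangs on a file name that nothing in this directory appears to depend on. As far as this file shows, the `tpm_server_found` check that prints "ERROR: Can't run tests, no tpm server is found" would then no longer run before the tests start, and a missing TPM simulator would surface only as individual test failures. Renaming the target to match, `../fail_connect.sh: tpm_server_found`, should restore the guard.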
diff --git a/tests/restricted_parent.sh b/tests/restricted_parent.sh index 2119ff4..2373d1e 100755 --- a/tests/restricted_parent.sh +++ b/tests/restricted_parent.sh @@ -51,7 +51,7 @@ openssl rsautl -verify -in tmp.msg -inkey key.pub -pubin || exit 1 # 2. check the use of parent auth to load the NV area ## tssclear -hi p -${bindir}/create_tpm2_key --restricted -c policies/policy_pcr.txt key2.tpm || exit 1 +${bindir}/create_tpm2_key --restricted -c ${testdir}/policies/policy_pcr.txt key2.tpm || exit 1 ${bindir}/load_tpm2_key key2.tpm ${NV} && exit 1 ${bindir}/load_tpm2_key --force key2.tpm ${NV} || exit 1 diff --git a/tests/seal_unseal.sh b/tests/seal_unseal.sh index 22ac1d4..f5a53e2 100755 --- a/tests/seal_unseal.sh +++ b/tests/seal_unseal.sh @@ -44,9 +44,9 @@ for n in sha1 sha256 sha384; do # 6. update PCR and check unseal failure DATA="Some Different DATA $n" if [ "$n" = "sha256" ]; then - POLICYFILE="policies/policy_pcr.txt" + POLICYFILE="${testdir}/policies/policy_pcr.txt" else - POLICYFILE="policies/policy_pcr${n}.txt" + POLICYFILE="${testdir}/policies/policy_pcr${n}.txt" fi prim=$(tsscreateprimary -hi o -st -ecc nistp256 -opem srk.pub | sed 's/Handle //') || exit 1 tssflushcontext -ha $prim |