author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2023-03-16 15:43:20 -0400 |
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2023-03-17 12:18:45 -0400 |
commit | 989c6cc75c953b5c580324d2c5ca77e912ea67a2 (patch) | |
tree | 06b90dd78991d696feee209b15f6b4554ef69f41 | |
parent | 83798b7a24a3f03737c32595abbe67aa235769dd (diff) | |
download | openssl_tpm2_engine-989c6cc75c953b5c580324d2c5ca77e912ea67a2.tar.gz |
tests: make engine specification and inputs variables
Essentially this means modifying the engine tests so that they can specify
either a provider or an engine.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rwxr-xr-x | tests/check_auth.sh | 4 | ||||
-rwxr-xr-x | tests/check_counter_timer.sh | 6 | ||||
-rwxr-xr-x | tests/check_der.sh | 4 | ||||
-rwxr-xr-x | tests/check_enhanced_auth.sh | 36 | ||||
-rwxr-xr-x | tests/check_importable.sh | 8 | ||||
-rwxr-xr-x | tests/check_old_keys.sh | 4 | ||||
-rwxr-xr-x | tests/check_rsa_oaep_pss.sh | 8 | ||||
-rwxr-xr-x | tests/check_signed_policies.sh | 14 | ||||
-rwxr-xr-x | tests/check_tpm_directory.sh | 4 | ||||
-rwxr-xr-x | tests/check_wrap_auth.sh | 4 | ||||
-rwxr-xr-x | tests/create_ecc.sh | 2 | ||||
-rwxr-xr-x | tests/create_non_tpm_keys.sh | 6 | ||||
-rwxr-xr-x | tests/create_nonopenssl_ecc.sh | 8 | ||||
-rwxr-xr-x | tests/create_tpm_key.sh | 6 | ||||
-rwxr-xr-x | tests/create_tpm_key_auth.sh | 6 | ||||
-rwxr-xr-x | tests/da_check.sh | 6 | ||||
-rwxr-xr-x | tests/derive_ecc.sh | 4 | ||||
-rwxr-xr-x | tests/dynamic_engine.sh | 4 | ||||
-rw-r--r-- | tests/engine/Makefile.am | 6 | ||||
-rwxr-xr-x | tests/fail_connect.sh | 32 | ||||
-rwxr-xr-x | tests/restricted_parent.sh | 10 | ||||
-rwxr-xr-x | tests/test_nv_key.sh | 18 | ||||
-rwxr-xr-x | tests/wrap_ecc.sh | 4 | ||||
-rwxr-xr-x | tests/wrap_generic_ecc.sh | 2 | ||||
-rwxr-xr-x | tests/wrap_pkcs12.sh | 2 | ||||
-rwxr-xr-x | tests/wrap_tpm_key.sh | 4 |
26 files changed, 108 insertions, 104 deletions
diff --git a/tests/check_auth.sh b/tests/check_auth.sh index e6cc50f..3e717ad 100755 --- a/tests/check_auth.sh +++ b/tests/check_auth.sh @@ -8,7 +8,7 @@ # 3. encode a message using the TPM key # 4. verify the message through the public key ${bindir}/create_tpm2_key -a -k passw0rd key2.tpm && \ -openssl rsa -engine tpm2 -inform engine -pubin -in key2.tpm -pubout -out key2.pub && \ -echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \ +openssl rsa $ENGINE $INFORM -pubin -in key2.tpm -pubout -out key2.pub && \ +echo "This is a message" | openssl rsautl -sign $ENGINE $KEYFORM -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \ openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin diff --git a/tests/check_counter_timer.sh b/tests/check_counter_timer.sh index ac87009..eb2b69e 100755 --- a/tests/check_counter_timer.sh +++ b/tests/check_counter_timer.sh @@ -28,8 +28,8 @@ echo "00080009" >> policy.txt ## echo "policy counter timer" > plain.txt ${bindir}/create_tpm2_key key.tpm -a -k paSSW0RD -c policy.txt && \ -openssl rsa -engine tpm2 -inform engine -pubin -in key.tpm -pubout -out key.pub && \ -openssl pkeyutl -sign -in plain.txt -passin pass:paSSW0RD -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && \ +openssl rsa $ENGINE $INFORM -pubin -in key.tpm -pubout -out key.pub && \ +openssl pkeyutl -sign -in plain.txt -passin pass:paSSW0RD $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg && \ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1 ## 
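Review bot: The unquoted `$ENGINE $INFORM $KEYFORM` expansions on the new `openssl rsa` and `openssl rsautl -sign` lines are intentional word-splitting (each variable carries an option plus its argument), but no script checks that the harness actually exported them: with the variables unset these calls run with OpenSSL's default key loader, so the test can pass without the engine or provider being involved at all, and under `set -u` it would abort instead. A one-line guard near the top of each script, `: "${ENGINE?ENGINE must be exported by the test harness}"`, turns the silent fallback into a clear failure; INFORM and KEYFORM are presumably legitimately empty in a provider configuration, so they should not be asserted non-empty. A short comment at the first use, `# ENGINE/INFORM/KEYFORM come from AM_TESTS_ENVIRONMENT and must stay unquoted`, would also stop a later cleanup from quoting them and breaking the option splitting. The same point applies to every other script hunk in this commit, from check_counter_timer.sh through restricted_parent.sh.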
@@ -44,7 +44,7 @@ tssclockset -hi o -clock ${clock} || exit 1 # now the signing operation should fail ## echo "Check key failure due to counter timer policy" -openssl pkeyutl -sign -in plain.txt -passin pass:paSSW0RD -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg 2> tmp.txt && exit 1 +openssl pkeyutl -sign -in plain.txt -passin pass:paSSW0RD $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg 2> tmp.txt && exit 1 # check we got the right failure message grep "Policy Failure: Counter Timer at offset 8 is not <=" tmp.txt diff --git a/tests/check_der.sh b/tests/check_der.sh index c06516b..79ab008 100755 --- a/tests/check_der.sh +++ b/tests/check_der.sh @@ -10,7 +10,7 @@ # 5. verify the message through the public key ${bindir}/create_tpm2_key -a -k passw0rd key2.tpm && \ openssl asn1parse -in key2.tpm -out key2.der && \ -openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.der -pubout -out key2.pub && \ -echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.der -passin pass:passw0rd -out tmp.msg && \ +openssl rsa $ENGINE $INFORM -passin pass:passw0rd -in key2.der -pubout -out key2.pub && \ +echo "This is a message" | openssl rsautl -sign $ENGINE $KEYFORM -inkey key2.der -passin pass:passw0rd -out tmp.msg && \ openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin diff --git a/tests/check_enhanced_auth.sh b/tests/check_enhanced_auth.sh index 19865c7..240a338 100755 --- a/tests/check_enhanced_auth.sh +++ b/tests/check_enhanced_auth.sh @@ -18,7 +18,7 @@ fi ${bindir}/create_tpm2_key key.tpm -c ${testdir}/policies/policy_bogus.txt a=0; while [ $a -lt 5 ]; do a=$[$a+1] - echo "This is a message" | openssl pkeyutl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && exit 1 + echo "This is a message" | openssl pkeyutl -sign $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg && exit 1 done ## 
@@ -51,8 +51,8 @@ for h in "sha1" "" "sha384"; do # 4. verify the message through the public key echo "This is a Message" > plain.txt ${bindir}/create_tpm2_key ${n} -a -k passw0rd key2.tpm -c ${testdir}/policies/policy_authvalue.txt && \ - openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \ - openssl pkeyutl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -in plain.txt -out tmp.msg && \ + openssl rsa $ENGINE $INFORM -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \ + openssl pkeyutl -sign $ENGINE $KEYFORM -inkey key2.tpm -passin pass:passw0rd -in plain.txt -out tmp.msg && \ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub -pubin || exit 1 ## @@ -66,8 +66,8 @@ for h in "sha1" "" "sha384"; do ${tss_pcrreset_cmd} -ha 16 ${tss_pcrextend_cmd} -ha 16 -ic aaa ${bindir}/create_tpm2_key ${n} key2.tpm -c ${testdir}/policies/policy_pcr${h}.txt && \ - openssl rsa -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub && \ - openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \ + openssl rsa $ENGINE $INFORM -in key2.tpm -pubout -out key2.pub && \ + openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key2.tpm -out tmp.msg && \ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub -pubin || exit 1 ## 
@@ -79,8 +79,8 @@ for h in "sha1" "" "sha384"; do # 5. verify the message through the public key ${tss_pcrreset_cmd} -ha 16 ${bindir}/create_tpm2_key ${n} key2.tpm -c ${testdir}/policies/policy_pcr${h}.txt - openssl rsa -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub && \ - openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \ + openssl rsa $ENGINE $INFORM -in key2.tpm -pubout -out key2.pub && \ + openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key2.tpm -out tmp.msg && \ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub -pubin if [ $? -ne 1 ]; then echo "TPM key should not be accessible" @@ -99,8 +99,8 @@ for h in "sha1" "" "sha384"; do ${tss_pcrreset_cmd} -ha 16 ${tss_pcrextend_cmd} -ha 16 -ic aaa ${bindir}/create_tpm2_key ${n} -a -k passw0rd key2.tpm -c policy_authvalue_pcr.txt && \ - openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \ - openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \ + openssl rsa $ENGINE $INFORM -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \ + openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub -pubin || exit 1 ## 
@@ -115,8 +115,8 @@ for h in "sha1" "" "sha384"; do ${tss_pcrreset_cmd} -ha 16 ${tss_pcrextend_cmd} -ha 16 -ic aaa ${bindir}/create_tpm2_key ${n} -a -k passw0rd key2.tpm -c policy_pcr_authvalue.txt && \ - openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \ - openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \ + openssl rsa $ENGINE $INFORM -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \ + openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub -pubin || exit 1 ## 
@@ -127,25 +127,25 @@ for h in "sha1" "" "sha384"; do # 4. extend mentioned PCR and verify key fails ## ${bindir}/create_tpm2_key ${n} -a -k passw0rd key.tpm --pcr-lock 1,2,3-15,17-23 --pcr-lock sha1:1-4 --pcr-lock sha384:10-20 || exit 1 - openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key.tpm -pubout -out key.pub || exit 1 - openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg || exit 1 + openssl rsa $ENGINE $INFORM -passin pass:passw0rd -in key.tpm -pubout -out key.pub || exit 1 + openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key.tpm -passin pass:passw0rd -out tmp.msg || exit 1 openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1 ${tss_pcrextend_cmd} -ha 16 -ic $RANDOM ${tss_pcrextend_cmd} -ha 5 -halg sha1 -ic $RANDOM ${tss_pcrextend_cmd} -ha 9 -halg sha384 -ic $RANDOM - openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg || exit 1 + openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key.tpm -passin pass:passw0rd -out tmp.msg || exit 1 openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1 ${tss_pcrextend_cmd} -ha 1 -halg sha1 -ic $RANDOM - openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg && exit 1 + openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key.tpm -passin pass:passw0rd -out tmp.msg && exit 1 ## # Check a smaller PCR lock with no auth ## ${bindir}/create_tpm2_key ${n} --pcr-lock 2,4,7,10 --pcr-lock sha1:1,3 key.tpm || exit 1 - openssl rsa -engine tpm2 -inform engine -in key.tpm -pubout -out key.pub || exit 1 - openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg || exit 1 + openssl rsa $ENGINE $INFORM -in key.tpm -pubout -out key.pub || exit 1 + openssl pkeyutl 
-sign -in plain.txt $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg || exit 1 openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1 ${tss_pcrextend_cmd} -ha 4 -halg sha256 -ic $RANDOM - echo "This is a message" | openssl pkeyutl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && exit 1 + echo "This is a message" | openssl pkeyutl -sign $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg && exit 1 done exit 0 diff --git a/tests/check_importable.sh b/tests/check_importable.sh index b2c15ab..72faec5 100755 --- a/tests/check_importable.sh +++ b/tests/check_importable.sh @@ -15,13 +15,13 @@ for n in sha1 sha256 sha384; do # check an EC key with a cert and password openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out key.priv || exit 1 ${bindir}/create_tpm2_key --import srk.pub --wrap key.priv -n ${n} -a -k passw0rd key.tpm || exit 1 - openssl req -new -x509 -subj '/CN=test/' -key key.tpm -passin pass:passw0rd -engine tpm2 -keyform engine -out tmp.crt || exit 1 + openssl req -new -x509 -subj '/CN=test/' -key key.tpm -passin pass:passw0rd $ENGINE $KEYFORM -out tmp.crt || exit 1 openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || exit 1 # Check the loadability of an importable key NV=81000201 ${bindir}/load_tpm2_key key.tpm ${NV} || exit 1 - openssl req -new -x509 -subj '/CN=test/' -key //nvkey:${NV} -passin pass:passw0rd -engine tpm2 -keyform engine -out tmp.crt || exit 1 + openssl req -new -x509 -subj '/CN=test/' -key //nvkey:${NV} -passin pass:passw0rd $ENGINE $KEYFORM -out tmp.crt || exit 1 openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || exit 1 tssevictcontrol -hi o -ho ${NV} -hp ${NV} 
@@ -29,8 +29,8 @@ for n in sha1 sha256 sha384; do openssl genrsa 2048 > key.priv || exit 1 tsspcrreset -ha 16 ${bindir}/create_tpm2_key --import srk.pub -n ${n} --wrap key.priv -c ${POLICYFILE} key.tpm || exit 1 - openssl req -new -x509 -subj '/CN=test/' -key key.tpm -engine tpm2 -keyform engine -out tmp.crt && exit 1 + openssl req -new -x509 -subj '/CN=test/' -key key.tpm $ENGINE $KEYFORM -out tmp.crt && exit 1 tsspcrextend -ha 16 -ic aaa - openssl req -new -x509 -subj '/CN=test/' -key key.tpm -engine tpm2 -keyform engine -out tmp.crt || exit 1 + openssl req -new -x509 -subj '/CN=test/' -key key.tpm $ENGINE $KEYFORM -out tmp.crt || exit 1 openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || exit 1 done diff --git a/tests/check_old_keys.sh b/tests/check_old_keys.sh index b5778a2..0840b97 100755 --- a/tests/check_old_keys.sh +++ b/tests/check_old_keys.sh @@ -13,6 +13,6 @@ openssl genrsa 2048 > key1.priv && \ ${bindir}/create_tpm2_key --deprecated -a -k passw0rd -p 81000001 -w key1.priv key1.tpm && \ grep -e "-----BEGIN TSS2 KEY BLOB-----" key1.tpm && \ -openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key1.tpm -pubout -out key1.pub && \ -echo "This is another message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key1.tpm -passin pass:passw0rd -out tmp.msg && \ +openssl rsa $ENGINE $INFORM -passin pass:passw0rd -in key1.tpm -pubout -out key1.pub && \ +echo "This is another message" | openssl rsautl -sign $ENGINE $KEYFORM -inkey key1.tpm -passin pass:passw0rd -out tmp.msg && \ openssl rsautl -verify -in tmp.msg -inkey key1.pub -pubin diff --git a/tests/check_rsa_oaep_pss.sh b/tests/check_rsa_oaep_pss.sh index b0ecdba..f1e971b 100755 --- a/tests/check_rsa_oaep_pss.sh +++ b/tests/check_rsa_oaep_pss.sh 
@@ -1,24 +1,24 @@ #!/bin/bash - +set -x openssl genrsa 2048 > key.priv || exit 1 openssl rsa -in key.priv -out key.pub -pubout || exit 1 ${bindir}/create_tpm2_key --wrap key.priv -a -k passw0rd key.tpm || exit 1 echo "Checked encryption of OAEP PSS" > tmp.txt openssl rsautl -encrypt -oaep -in tmp.txt -out tmp.msg -inkey key.pub -pubin || exit 1 -openssl rsautl -decrypt -oaep -in tmp.msg -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passw0rd || exit 1 +openssl rsautl -decrypt -oaep -in tmp.msg $ENGINE $KEYFORM -inkey key.tpm -passin pass:passw0rd || exit 1 ## # this PSS signature will be padded manually and done as an unpadded encrypt # by the TPM ## openssl sha256 -out tmp.md -binary tmp.txt || exit 1 -openssl pkeyutl -sign -engine tpm2 -keyform engine -inkey key.tpm -pkeyopt rsa_padding_mode:pss -pkeyopt digest:sha256 -pkeyopt rsa_mgf1_md:sha256 -in tmp.md -out tmp.msg -passin pass:passw0rd || exit 1 +openssl pkeyutl -sign $ENGINE $KEYFORM -inkey key.tpm -pkeyopt rsa_padding_mode:pss -pkeyopt digest:sha256 -pkeyopt rsa_mgf1_md:sha256 -in tmp.md -out tmp.msg -passin pass:passw0rd || exit 1 # OpenSSL bug in some versions returns false for correct signature openssl pkeyutl -verify -inkey key.pub -pubin -pkeyopt rsa_padding_mode:pss -pkeyopt digest:sha256 -pkeyopt rsa_mgf1_md:sha256 -in tmp.md -sigfile tmp.msg|grep 'Signature Verified Successfully'|| exit 1 ## # finally an OAEP encrypt which triggers an unpadded decrypt ## openssl pkeyutl -encrypt -inkey key.pub -pubin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -in tmp.txt -out tmp.msg || exit 1 -openssl pkeyutl -decrypt -engine tpm2 -keyform engine -inkey key.tpm -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -in tmp.msg -out recover.txt -passin pass:passw0rd || exit 1 +openssl pkeyutl -decrypt $ENGINE $KEYFORM -inkey key.tpm -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -in tmp.msg 
-out recover.txt -passin pass:passw0rd || exit 1 diff -q tmp.txt recover.txt || exit 1 diff --git a/tests/check_signed_policies.sh b/tests/check_signed_policies.sh index b3eaddf..46405d3 100755 --- a/tests/check_signed_policies.sh +++ b/tests/check_signed_policies.sh @@ -36,7 +36,7 @@ for alg in EC RSA; do fi openssl pkey -in policy.key -pubout -out policy.pub ${bindir}/create_tpm2_key ${n} --signed-policy policy.pub key.tpm || exit 1 - openssl pkeyutl -sign -engine tpm2 -keyform engine -inkey key.tpm -in plain.txt -out tmp.msg && exit 1 + openssl pkeyutl -sign $ENGINE $KEYFORM -inkey key.tpm -in plain.txt -out tmp.msg && exit 1 echo ${DATA} | ${bindir}/seal_tpm2_data --signed-policy policy.pub seal.tpm || exit 1 ${bindir}/unseal_tpm2_data seal.tpm && exit 1 @@ -51,7 +51,7 @@ for alg in EC RSA; do ${tss_pcrreset_cmd} -ha 16 ${bindir}/signed_tpm2_policy --policy-name "PCR16-0" --pcr-lock 16 key.tpm policy.key || exit 1 ${bindir}/signed_tpm2_policy --policy-name "PCR16-0" --pcr-lock 16 seal.tpm policy.key || exit 1 - openssl rsa -engine tpm2 -inform engine -in key.tpm -pubout -out key.pub || exit 1 + openssl rsa $ENGINE $INFORM -in key.tpm -pubout -out key.pub || exit 1 ${tss_pcrextend_cmd} -ha 16 -ic aaa ${bindir}/signed_tpm2_policy --policy-name "PCR16-extend" --pcr-lock 16 key.tpm policy.key || exit 1 ${bindir}/signed_tpm2_policy --policy-name "PCR16-extend" --pcr-lock 16 seal.tpm policy.key || exit 1 
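Review bot: The `set -x` that replaces the blank line at the top of check_rsa_oaep_pss.sh is not mentioned in the commit message and reads like debugging left in; the same addition appears in create_non_tpm_keys.sh, create_tpm_key.sh and create_tpm_key_auth.sh. With tracing on, every expanded command line, including the `-passin pass:passw0rd` arguments and, in create_tpm_key_auth.sh, the `export SRKPIN=${auth}` line, is copied into the test log. These are fixed test credentials so the exposure is low, but if the tracing is meant to stay, a comment such as `# trace commands so the log shows how ENGINE/KEYFORM expanded for each openssl call` would make the intent clear; otherwise the four lines should be dropped before merging.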
@@ -62,23 +62,23 @@ for alg in EC RSA; do ${bindir}/signed_tpm2_policy --policy-name "PCR16-extendx3" --pcr-lock 16 key.tpm policy.key || exit 1 ${bindir}/signed_tpm2_policy --policy-name "PCR16-extendx3" --pcr-lock 16 seal.tpm policy.key || exit 1 ${tss_pcrreset_cmd} -ha 16 - openssl pkeyutl -sign -in plain.txt -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && \ + openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg && \ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1 ${bindir}/unseal_tpm2_data seal.tpm | grep -q "${DATA}" || exit 1 ${tss_pcrextend_cmd} -ha 16 -ic aaa - openssl pkeyutl -sign -in plain.txt -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && \ + openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg && \ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1 ${bindir}/unseal_tpm2_data seal.tpm | grep -q "${DATA}" || exit 1 ${tss_pcrextend_cmd} -ha 16 -ic aaa - openssl pkeyutl -sign -in plain.txt -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && \ + openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg && \ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1 ${bindir}/unseal_tpm2_data seal.tpm | grep -q "${DATA}" || exit 1 ${tss_pcrextend_cmd} -ha 16 -ic aaa - openssl pkeyutl -sign -in plain.txt -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && \ + openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg && \ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1 ${bindir}/unseal_tpm2_data seal.tpm | grep -q "${DATA}" || exit 1 ${tss_pcrextend_cmd} -ha 16 -ic aaa - openssl pkeyutl -sign -in plain.txt -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && exit 1 + openssl pkeyutl -sign -in plain.txt $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg && exit 1 
${bindir}/unseal_tpm2_data seal.tpm && exit 1 done diff --git a/tests/check_tpm_directory.sh b/tests/check_tpm_directory.sh index f40e192..26049d1 100755 --- a/tests/check_tpm_directory.sh +++ b/tests/check_tpm_directory.sh @@ -17,7 +17,7 @@ $bindir/create_tpm2_key -p 81000001 -rsa -a -k passw0rd key.tpm || exit 1 mkdir testdir chmod u-w testdir || exit 1 cd testdir || exit 1 -echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey ../key.tpm -passin pass:passw0rd -out ../tmp.msg +echo "This is a message" | openssl rsautl -sign $ENGINE $KEYFORM -inkey ../key.tpm -passin pass:passw0rd -out ../tmp.msg cd .. ## @@ -47,7 +47,7 @@ $bindir/create_tpm2_key -p 81000001 -rsa -a -k passw0rd key.tpm || exit 1 rm -f fifo rm -f tmp.msg mkfifo fifo || exit 1 -cat fifo | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg & +cat fifo | openssl rsautl -sign $ENGINE $KEYFORM -inkey key.tpm -passin pass:passw0rd -out tmp.msg & pid=$! while [ ! -f tmp.msg ] && [ -d /proc/$pid ]; do sleep 0.5 diff --git a/tests/check_wrap_auth.sh b/tests/check_wrap_auth.sh index 25bdc7d..ed54bea 100755 --- a/tests/check_wrap_auth.sh +++ b/tests/check_wrap_auth.sh @@ -12,6 +12,6 @@ ## openssl genrsa 2048 > key1.priv && \ ${bindir}/create_tpm2_key -a -k passw0rd -p 81000001 -w key1.priv key1.tpm && \ -openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key1.tpm -pubout -out key1.pub && \ -echo "This is another message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key1.tpm -passin pass:passw0rd -out tmp.msg && \ +openssl rsa $ENGINE $INFORM -passin pass:passw0rd -in key1.tpm -pubout -out key1.pub && \ +echo "This is another message" | openssl rsautl -sign $ENGINE $KEYFORM -inkey key1.tpm -passin pass:passw0rd -out tmp.msg && \ openssl rsautl -verify -in tmp.msg -inkey key1.pub -pubin 
diff --git a/tests/create_ecc.sh b/tests/create_ecc.sh index 9fecdd2..bbb3014 100755 --- a/tests/create_ecc.sh +++ b/tests/create_ecc.sh @@ -14,7 +14,7 @@ for curve in $(${bindir}/create_tpm2_key --list-curves); do ${bindir}/create_tpm2_key -p 81000001 --ecc ${curve} key.tpm || \ exit 1 for hash in sha1 sha256 sha384; do - openssl req -new -x509 -${hash} -subj '/CN=test/' -key key.tpm -engine tpm2 -keyform engine -out tmp.crt && \ + openssl req -new -x509 -${hash} -subj '/CN=test/' -key key.tpm $ENGINE $KEYFORM -out tmp.crt && \ openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || \ exit 1 done diff --git a/tests/create_non_tpm_keys.sh b/tests/create_non_tpm_keys.sh index 275c2d5..3d654fb 100755 --- a/tests/create_non_tpm_keys.sh +++ b/tests/create_non_tpm_keys.sh @@ -1,5 +1,5 @@ #!/bin/bash - +set -x ## # test is @@ -13,7 +13,7 @@ ## for alg in "EC -pkeyopt ec_paramgen_curve:prime256v1" "RSA -pkeyopt rsa_keygen_bits:2048"; do openssl genpkey -algorithm ${alg} > key.priv && \ - openssl req -new -x509 -subj '/CN=test/' -key key.priv -engine tpm2 -out tmp.crt && \ - openssl verify -CAfile tmp.crt -engine tpm2 -check_ss_sig tmp.crt || \ + openssl req -new -x509 -subj '/CN=test/' -key key.priv $ENGINE -out tmp.crt && \ + openssl verify -CAfile tmp.crt $ENGINE -check_ss_sig tmp.crt || \ exit 1 done diff --git a/tests/create_nonopenssl_ecc.sh b/tests/create_nonopenssl_ecc.sh index 6774584..a23a4cf 100755 --- a/tests/create_nonopenssl_ecc.sh +++ b/tests/create_nonopenssl_ecc.sh 
@@ -19,11 +19,11 @@ for curve in $(${bindir}/create_tpm2_key --list-curves); do echo "Checking curve ${curve}" ${bindir}/create_tpm2_key --ecc ${curve} key1.tpm || \ exit 1 - openssl pkey -engine tpm2 -inform engine -in key1.tpm -pubout -out key1.pub || exit 1 + openssl pkey $ENGINE $INFORM -in key1.tpm -pubout -out key1.pub || exit 1 ${bindir}/create_tpm2_key --ecc ${curve} key2.tpm || \ exit 1 - openssl pkey -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub || exit 1 - openssl pkeyutl -engine tpm2 -keyform engine -inkey key1.tpm -peerkey key2.pub -derive -out secret1.bin || exit 1 - openssl pkeyutl -engine tpm2 -keyform engine -inkey key2.tpm -peerkey key1.pub -derive -out secret2.bin || exit 1 + openssl pkey $ENGINE $INFORM -in key2.tpm -pubout -out key2.pub || exit 1 + openssl pkeyutl $ENGINE $KEYFORM -inkey key1.tpm -peerkey key2.pub -derive -out secret1.bin || exit 1 + openssl pkeyutl $ENGINE $KEYFORM -inkey key2.tpm -peerkey key1.pub -derive -out secret2.bin || exit 1 diff -b secret1.bin secret2.bin || exit 1 done diff --git a/tests/create_tpm_key.sh b/tests/create_tpm_key.sh index a56b4be..a1077ac 100755 --- a/tests/create_tpm_key.sh +++ b/tests/create_tpm_key.sh @@ -1,5 +1,5 @@ #!/bin/bash - +set -x ## # The Intel tss currently fails with the null seed, so skip the test @@ -20,8 +20,8 @@ fi for parent in "" "-p 81000001" "-p owner" "${TESTNULL}" "-p platform" "-p endorsement"; do echo "Handle: ${parent}" ${bindir}/create_tpm2_key ${parent} key0.tpm || exit 1 - openssl rsa -engine tpm2 -inform engine -in key0.tpm -pubout -out key0.pub || exit 1 - echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key0.tpm -out tmp.msg || exit 1 + openssl rsa $ENGINE $INFORM -in key0.tpm -pubout -out key0.pub || exit 1 + echo "This is a message" | openssl rsautl -sign $ENGINE $KEYFORM -inkey key0.tpm -out tmp.msg || exit 1 openssl rsautl -verify -in tmp.msg -inkey key0.pub -pubin || exit 1 done 
diff --git a/tests/create_tpm_key_auth.sh b/tests/create_tpm_key_auth.sh index 4edd703..bbde12c 100755 --- a/tests/create_tpm_key_auth.sh +++ b/tests/create_tpm_key_auth.sh @@ -1,5 +1,5 @@ #!/bin/bash - +set -x auth=4ffsiurh4 @@ -12,11 +12,11 @@ tsshierarchychangeauth -hi p -pwdn ${auth} # 3. encode a message using the TPM key # 4. verify the message through the public key ${bindir}/create_tpm2_key -p platform -b ${auth} key0.tpm || exit 1 -openssl rsa -engine tpm2 -inform engine -in key0.tpm -pubout -out key0.pub || exit 1 +openssl rsa $ENGINE $INFORM -in key0.tpm -pubout -out key0.pub || exit 1 # openssl has no way to specify the engine ctrl for the pin so we cheat # and do it in the openssl.cnf file via an environment variable export SRKPIN=${auth} -echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key0.tpm -out tmp.msg || exit 1 +echo "This is a message" | openssl rsautl -sign $ENGINE $KEYFORM -inkey key0.tpm -out tmp.msg || exit 1 openssl rsautl -verify -in tmp.msg -inkey key0.pub -pubin || exit 1 tsshierarchychangeauth -hi p -pwda ${auth} diff --git a/tests/da_check.sh b/tests/da_check.sh index b2134a4..b82d739 100755 --- a/tests/da_check.sh +++ b/tests/da_check.sh @@ -12,7 +12,7 @@ ${bindir}/create_tpm2_key --rsa --da -a -k passw0rd key.tpm || exit 1 count=1; while true; do echo "This is a message" | - openssl pkeyutl -sign -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passwrd -out tmp.msg 2>tmp.txt + openssl pkeyutl -sign $ENGINE $KEYFORM -inkey key.tpm -passin pass:passwrd -out tmp.msg 2>tmp.txt val=$? cat tmp.txt if [ $val -ne 1 ]; then 
@@ -38,7 +38,7 @@ done echo "Locked out after $count tries" # try with correct password, should still be locked out echo "This is a message" | -openssl pkeyutl -sign -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg 2>tmp.txt +openssl pkeyutl -sign $ENGINE $KEYFORM -inkey key.tpm -passin pass:passw0rd -out tmp.msg 2>tmp.txt val=$? cat tmp.txt if [ $val -ne 1 ]; then @@ -53,4 +53,4 @@ fi # clear the TPM DA (this would normally be password protected) tssdictionaryattacklockreset echo "This is a message" | -openssl rsautl -sign -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg || exit 1 +openssl rsautl -sign $ENGINE $KEYFORM -inkey key.tpm -passin pass:passw0rd -out tmp.msg || exit 1 diff --git a/tests/derive_ecc.sh b/tests/derive_ecc.sh index 5475b60..69ec381 100755 --- a/tests/derive_ecc.sh +++ b/tests/derive_ecc.sh @@ -28,7 +28,7 @@ for curve in $(${bindir}/create_tpm2_key --list-curves); do fi echo "Checking curve ${curve} explicitly named" ${bindir}/create_tpm2_key -p 81000001 --ecc ${curve} key0.tpm || exit 1 - openssl pkey -engine tpm2 -inform engine -in key0.tpm -pubout -out key0.pub || exit 1 + openssl pkey $ENGINE $INFORM -in key0.tpm -pubout -out key0.pub || exit 1 #openssl ecparam -name ${curve} > key1.param #openssl genpkey -paramfile key1.param -out key1.priv || exit 1 openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:${curve} -pkeyopt ec_param_enc:named_curve -out key1.priv || exit 1 
@@ -36,7 +36,7 @@ for curve in $(${bindir}/create_tpm2_key --list-curves); do # OK have two private and two public keys now generate two # derivations, one from key0.tpm and key1.pub and the other from # key1.priv and key0.pub. - openssl pkeyutl -derive -engine tpm2 -keyform engine -inkey key0.tpm -peerkey key1.pub -out derive.1 || exit 1 + openssl pkeyutl -derive $ENGINE $KEYFORM -inkey key0.tpm -peerkey key1.pub -out derive.1 || exit 1 openssl pkeyutl -derive -inkey key1.priv -peerkey key0.pub -out derive.2 || exit 1 # if we got it right, both derivations should be the same cmp derive.1 derive.2 || exit 1 diff --git a/tests/dynamic_engine.sh b/tests/dynamic_engine.sh index ee7c5e7..5012dad 100755 --- a/tests/dynamic_engine.sh +++ b/tests/dynamic_engine.sh @@ -9,10 +9,10 @@ export OPENSSL_ENGINES=${testdir}/../src/engine/.libs ln -s libtpm2.so ${OPENSSL_ENGINES}/tpm2.so testkey() { - openssl pkey -engine tpm2 -inform engine -in key.tpm -pubout -out key.pub || exit 1 + openssl pkey $ENGINE $INFORM -in key.tpm -pubout -out key.pub || exit 1 # must be 32 bytes exactly for ECDSA signatures echo -n "12345678901234567890123456789012" > tmp.plain - openssl pkeyutl -sign -engine tpm2 -keyform engine -in tmp.plain -inkey key.tpm -out tmp.msg || exit 1 + openssl pkeyutl -sign $ENGINE $KEYFORM -in tmp.plain -inkey key.tpm -out tmp.msg || exit 1 openssl pkeyutl -verify -in tmp.plain -sigfile tmp.msg -inkey key.pub -pubin || exit 1 } diff --git a/tests/engine/Makefile.am b/tests/engine/Makefile.am index c0617a5..be350b5 100644 --- a/tests/engine/Makefile.am +++ b/tests/engine/Makefile.am 
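Review bot: dynamic_engine.sh exists to check that the engine is loaded dynamically through `OPENSSL_ENGINES` and the `tpm2.so` symlink created just above testkey(), so switching its two openssl calls to `$ENGINE $INFORM $KEYFORM` makes the test exercise whatever the harness selects rather than the dynamic-engine path it is named for. If the engine Makefile is the only harness that will ever run this script the substitution is harmless, but that is not visible from the diff; either keep `-engine tpm2 -inform engine` hard-coded in this one script or document the dependency with `# relies on ENGINE selecting the dynamically loaded engine`. testkey() is fully inside the hunk; its callers are outside it.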
@@ -43,7 +43,11 @@ AM_TESTS_ENVIRONMENT = TPM_INTERFACE_TYPE=socsim; export TPM_INTERFACE_TYPE; \ TPMSERVER=$(TPMSERVER); export TPMSERVER; \ TSSTYPE=@TSSTYPE@; export TSSTYPE; \ SWTPM=$(SWTPM); export SWTPM; \ - SWTPM_IOCTL=$(SWTPM_IOCTL); export SWTPM_IOCTL; + SWTPM_IOCTL=$(SWTPM_IOCTL); export SWTPM_IOCTL; \ + ENGINE="-engine tpm2"; export ENGINE; \ + INFORM="-inform engine"; export INFORM; \ + KEYFORM="-keyform engine"; export KEYFORM; \ + CAKEYFORM="-CAkeyform engine"; export CAKEYFORM; TEST_EXTENSIONS = .sh diff --git a/tests/fail_connect.sh b/tests/fail_connect.sh index a69907f..6675adb 100755 --- a/tests/fail_connect.sh +++ b/tests/fail_connect.sh 
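Review bot: The four new exports define an implicit contract with every script under tests/: the scripts expand ENGINE, INFORM and KEYFORM unquoted and unconditionally, and `CAKEYFORM` is consumed by none of the scripts visible in this diff, so presumably by one of the wrap_*/test_nv_key scripts listed in the diffstat but not shown. A comment above the block would make that contract explicit, e.g. `# openssl option words consumed unquoted by tests/*.sh; the provider harness exports its own values`, hedged because the provider-side definitions are not part of this commit. The AM_TESTS_ENVIRONMENT assignment begins outside the hunk.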
@@ -23,25 +23,25 @@ fi
##
# This is a real TPM key so the ASN.1 parses correctly
##
-echo "-----BEGIN TSS2 KEY BLOB-----
-MIICFwYFZ4EFCgKgAwEBAaEGAgSBAAABooIBHASCARgBFgABAAsAAgRgAAAAEAAQ
-CAAAAAAAAQDe92kKAADnax0VXfanY1VrsSAYyHudOVaFtkja8+JL3l4IMM4M19Wi
-0q42V/yeqY1FTEgd4gO8pYDtDdYrxNGe1Z7Hl5JuZigXRUqtqR6KCmTLYxW+mwkD
-iarJsZnYOawNtDDt4kQdV/saD9WbmX9NSsKA8/T256B7/AY9FWYtz8v41J/ZJfL1
-Cs6y5LAe/HiJc+dODFjZsPSS/CgGeiEguUh8g11BdnDocrgsXZGzIhZYP/t1lZA9
-AbfPAxf04Cj3NGd0kdLwCrNBbirMKXHuryPkBAKlvhseylFjZz39GjVh+wY745bc
-FVwEV382mn6fvR3G5qqkdxPEUzFzJCePBIHgAN4AINHqRAW9YlEmDtMrKevZNgKT
-N+FKyLR/dVBo0HT9BW6ZABD4tdfB5ZLkW5Seos7Ey8l0ov+yaOeBhARVovXR6tJG
-21VdUo0n2Eauc1ehaZ6dFAoU7rpgID3UtfBfgLLEoymS44Y8xqLgpWMQLg7pHMic
-JZ84jI3HuhPJTo4fDTeHf7aI/1uAfsPe0q0zzND5+cF2Maw6Wm6gsjAJsSoLD0MO
-2vJiwPzr1X9f9PGbhlkciOj/IJRHiu423I4ymvFEVgKMVZg4BEpQBrWIWyMceVRx
-QL4QAdW9Ac4kKt4=
------END TSS2 KEY BLOB-----" > tmp.tpm
+echo "-----BEGIN TSS2 PRIVATE KEY-----
+MIICEgYGZ4EFCgEDoAMBAQECBEAAAAEEggEYARYAAQALAAIEYAAAABAAEAgAAAAA
+AAEAmhZqBqBvWkQUQno1blrLz0PhzSiF1+Hs/9P57vm3IKt02XAsiXzfipso+uiq
+UxECUc1zESO6XI5Qeo/3a2XNJMpJ9e2U7vsD/9TaNoA4yXQ3pDVRbyTQsKYv4QG9
++jPwWnaz8cw8JLJ3rIjVbrb2VXl6u7OtgWNBXpsUlrHQRopiOsnk9NNV5C7dwrct
+/XOUr2sJBBAPKGBnb0KLO9IfyFBiet1Sn/eSIce5QrF4zPLnntqAJLHKRaVB95Lg
++MOQ1p5+ZiBun780FW7EHSbfgwunxU7FK5CkOb8GfO5b9fg+/MO6GoCh1F5psJTX
+mLEkGQF1c9Myts4Cc+Zbu1g8vwSB4ADeACDpW/gnAcRnH0qn2VZ7W3jpPJKrYDbv
+xxSr7wAuXopD6QAQ+gwemszEUlHXssutoiUbPcDwGZ7Iwb0wGNcK6CEKh9k1UECa
+giDcPZ8AMVK3XWlqCK5jXWgwXyX3n5gqafHjW878HH8tkMbTzLVjsszodG6JIBT5
+hWslwvPCknPRgkbo2GxXjaigVeameT/k1v3qn2hDSU/b70QcI1xeq0Uh5HeS5ok3
+heJUXsSYKGCfbbobhWVno/dAc4sOXd7BwwdclWYkDoQOpqUPWb4QqIbuYYb1Ha6K
+q1DxkJAF
+-----END TSS2 PRIVATE KEY-----" > tmp.tpm
##
# conversion to public key doesn't actually contact the TPM
# so this should succeed
##
-openssl pkey -engine tpm2 -inform engine -in tmp.tpm -pubout -out tmp.pub 2> tmp.txt
+openssl pkey $ENGINE $INFORM -in tmp.tpm -pubout -out tmp.pub 2> tmp.txt
if [ $? -ne 0 ]; then
echo "TPM key import failed with $?"
cat tmp.txt
@@ -51,7 +51,7 @@ fi
# key operation does contact the TPM and should fail
##
echo "This is a message" |\
-openssl pkeyutl -sign -engine tpm2 -keyform engine -inkey tmp.tpm -out tmp.msg 2> tmp.txt
+openssl pkeyutl -sign $ENGINE $KEYFORM -inkey tmp.tpm -out tmp.msg 2> tmp.txt
if [ $? -ne 1 ]; then
echo "TPM key signing failed with $?"
cat tmp.txt
diff --git a/tests/restricted_parent.sh b/tests/restricted_parent.sh
index 2373d1e..11e166f 100755
--- a/tests/restricted_parent.sh
+++ b/tests/restricted_parent.sh
@@ -33,8 +33,8 @@ ${bindir}/load_tpm2_key keyecc.tpm ${NV2} || exit 1
##
for parent in ${NV2} ${NV}; do
${bindir}/create_tpm2_key -p ${parent} key.tpm || exit 1
- openssl rsa -engine tpm2 -inform engine -in key.tpm -pubout -out key.pub || exit 1
- echo "This is a test of moveable keys" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg || exit 1
+ openssl rsa $ENGINE $INFORM -in key.tpm -pubout -out key.pub || exit 1
+ echo "This is a test of moveable keys" | openssl rsautl -sign $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg || exit 1
openssl rsautl -verify -in tmp.msg -inkey key.pub -pubin || exit 1
done
# on exit key 1 is parented to ${NV}
@@ -42,7 +42,7 @@ tssclear -hi p || exit 1
${bindir}/create_tpm2_key --restricted -w keyrsa.priv keyrsa.tpm || exit 1
${bindir}/load_tpm2_key keyrsa.tpm ${NV} || exit 1
-echo "This is a test of moveable keys" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg || exit 1
+echo "This is a test of moveable keys" | openssl rsautl -sign $ENGINE $KEYFORM -inkey key.tpm -out tmp.msg || exit 1
openssl rsautl -verify -in tmp.msg -inkey key.pub -pubin || exit 1
##
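Review bot: Replacing the entire inline fixture (`-----BEGIN TSS2 KEY BLOB-----` becomes `-----BEGIN TSS2 PRIVATE KEY-----` with a different body) is a functional change to what fail_connect.sh feeds `openssl pkey`, and the commit message, which only describes turning engine flags into variables, does not mention it. The comment above the `echo` (`# This is a real TPM key so the ASN.1 parses correctly`) still reads as true, but a reader cannot tell why the old blob had to go; if the old form is no longer parsed by the code path this test now exercises, a line such as `# fixture is in the TSS2 PRIVATE KEY format; the older KEY BLOB form is not used here` above the `echo`, or a separate commit for the fixture swap, would make it reviewable. The `if [ $? -ne 0 ]` check that follows is unchanged by this commit.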
@@ -69,12 +69,12 @@ ${bindir}/load_tpm2_key --auth-parent Passw0rd key3.tpm ${NV2} || exit 1
tssclear -hi p
${bindir}/create_tpm2_key --restricted -w keyecc.priv keyecc.tpm || exit 1
${bindir}/load_tpm2_key keyecc.tpm ${NV2} || exit 1
-openssl pkey -engine tpm2 -inform engine -in //nvkey:${NV2} -pubout -out keyecc.pub || exit 1
+openssl pkey $ENGINE $INFORM -in //nvkey:${NV2} -pubout -out keyecc.pub || exit 1
openssl genrsa 2048 > key.priv || exit 1
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -pkeyopt ec_param_enc:named_curve -out key1.priv
for key in key.priv key1.priv; do
${bindir}/create_tpm2_key --parent ${NV2} --import keyecc.pub --wrap ${key} key.tpm || exit 1
- openssl req -new -x509 -subj '/CN=test/' -key key.tpm -engine tpm2 -keyform engine -out tmp.crt || exit 1
+ openssl req -new -x509 -subj '/CN=test/' -key key.tpm $ENGINE $KEYFORM -out tmp.crt || exit 1
openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || exit 1
done
diff --git a/tests/test_nv_key.sh b/tests/test_nv_key.sh
index 5b56b50..5ef4549 100755
--- a/tests/test_nv_key.sh
+++ b/tests/test_nv_key.sh
@@ -1,5 +1,5 @@
#!/bin/bash
-
+set -x
##
@@ -17,8 +17,8 @@ tsscreate -rsa -gp -hp 81000001 -opr key.tpmpriv -opu key.tpmpub || exit 1
key=$(tssload -hp 81000001 -ipu key.tpmpub -ipr key.tpmpriv|sed 's/Handle //') || exit 1
tssevictcontrol -hi o -ho ${key} -hp ${nvkey} || exit 1
tssflushcontext -ha ${key}
-openssl rsa -engine tpm2 -inform engine -in //nvkey:${nvkey} -pubout -out key1.pub || exit 1
-echo "This is an internal key message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey //nvkey:${nvkey} -out tmp.msg || exit 1
+openssl rsa $ENGINE $INFORM -pubin -in //nvkey:${nvkey} -pubout -out key1.pub || exit 1
+echo "This is an internal key message" | openssl rsautl -sign $ENGINE $KEYFORM -inkey //nvkey:${nvkey} -out tmp.msg || exit 1
openssl rsautl -verify -in tmp.msg -inkey key1.pub -pubin || exit 1
tssevictcontrol -hi o -hp ${nvkey} -ho ${nvkey}
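Review bot: `+set -x` replaces a blank line at the top of test_nv_key.sh and looks like a stray debugging aid rather than part of the engine-variable change described in the commit message. With tracing on, every `openssl` line in this file is echoed to stderr after expansion, including the `-passin pass:${auth}` arguments in the hunks at old lines 28, 38 and 49, so the key authorisation value ends up in the automake `.log` files for the test. Unless the trace is wanted, drop the line; if it is wanted, keep it with a comment stating why, e.g. `set -x  # deliberate: trace kept for this test`.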
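Review bot: The new `openssl rsa $ENGINE $INFORM -pubin -in //nvkey:${nvkey} -pubout -out key1.pub` line adds `-pubin`, which the removed line did not have and which the three otherwise parallel hunks later in this file (old lines 28, 38 and 49) do not add; it is the only non-mechanical edit among the script changes in this commit and the commit message does not explain it. If the public-key load path needs `-pubin` for the provider form, the other three hunks presumably need it too, since they differ from this one only by `-passin pass:${auth}`; otherwise this line should match them. Either way a short comment above the line, e.g. `# -pubin: load via the public-key path (no auth needed for the NV key here)`, hedged to whatever the actual reason is, would stop the inconsistency being "fixed" in the wrong direction later.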
@@ -28,8 +28,8 @@ key=$(tssload -hp 81000001 -ipu key.tpmpub -ipr key.tpmpriv|sed 's/Handle //') |
tssevictcontrol -hi o -ho ${key} -hp ${nvkey} || exit 1
tssflushcontext -ha ${key}
-openssl rsa -engine tpm2 -inform engine -passin pass:${auth} -in //nvkey:${nvkey} -pubout -out key1.pub || exit 1
-echo "This is an internal key message" | openssl rsautl -sign -passin pass:${auth} -engine tpm2 -engine tpm2 -keyform engine -inkey //nvkey:${nvkey} -out tmp.msg || exit 1
+openssl rsa $ENGINE $INFORM -passin pass:${auth} -in //nvkey:${nvkey} -pubout -out key1.pub || exit 1
+echo "This is an internal key message" | openssl rsautl -sign -passin pass:${auth} $ENGINE $KEYFORM -inkey //nvkey:${nvkey} -out tmp.msg || exit 1
openssl rsautl -verify -in tmp.msg -inkey key1.pub -pubin || exit 1
tssevictcontrol -hi o -hp ${nvkey} -ho ${nvkey}
@@ -38,8 +38,8 @@ tsscreate -rsa -gp -hp 81000001 -pwdk ${auth} -da -opr key.tpmpriv -opu key.tpmp
key=$(tssload -hp 81000001 -ipu key.tpmpub -ipr key.tpmpriv|sed 's/Handle //') || exit 1
tssevictcontrol -hi o -ho ${key} -hp ${nvkey} || exit 1
tssflushcontext -ha ${key}
-openssl rsa -engine tpm2 -inform engine -passin pass:${auth} -in //nvkey:${nvkey} -pubout -out key1.pub || exit 1
-echo "This is an internal key message" | openssl rsautl -sign -passin pass:${auth} -engine tpm2 -engine tpm2 -keyform engine -inkey //nvkey:${nvkey} -out tmp.msg || exit 1
+openssl rsa $ENGINE $INFORM -passin pass:${auth} -in //nvkey:${nvkey} -pubout -out key1.pub || exit 1
+echo "This is an internal key message" | openssl rsautl -sign -passin pass:${auth} $ENGINE $KEYFORM -inkey //nvkey:${nvkey} -out tmp.msg || exit 1
openssl rsautl -verify -in tmp.msg -inkey key1.pub -pubin || exit 1
tssevictcontrol -hi o -hp ${nvkey} -ho ${nvkey}
@@ -49,9 +49,9 @@ key=$(tssload -hp 81000001 -ipu key.tpmpub -ipr key.tpmpriv|sed 's/Handle //') |
tssevictcontrol -hi o -ho ${key} -hp ${nvkey} || exit 1
tssflushcontext -ha ${key}
-openssl rsa -engine tpm2 -inform engine -passin pass:${auth} -in //nvkey:${nvkey} -pubout -out key1.pub || exit 1
+openssl rsa $ENGINE $INFORM -passin pass:${auth} -in //nvkey:${nvkey} -pubout -out key1.pub || exit 1
export NVPREFIX="wibble:"
-echo "This is an internal key message" | openssl rsautl -sign -passin pass:${auth} -engine tpm2 -engine tpm2 -keyform engine -inkey ${NVPREFIX}${nvkey} -out tmp.msg || exit 1
+echo "This is an internal key message" | openssl rsautl -sign -passin pass:${auth} $ENGINE $KEYFORM -inkey ${NVPREFIX}${nvkey} -out tmp.msg || exit 1
openssl rsautl -verify -in tmp.msg -inkey key1.pub -pubin || exit 1
tssevictcontrol -hi o -hp ${nvkey} -ho ${nvkey}
diff --git a/tests/wrap_ecc.sh b/tests/wrap_ecc.sh
index e2ca530..63fa445 100755
--- a/tests/wrap_ecc.sh
+++ b/tests/wrap_ecc.sh
@@ -15,7 +15,7 @@ for curve in $(${bindir}/create_tpm2_key --list-curves); do
openssl ecparam -param_enc named_curve -genkey -name ${curve} > tmp.param && \
openssl genpkey -paramfile tmp.param -out key.priv && \
${bindir}/create_tpm2_key -p 81000001 -w key.priv key.tpm && \
- openssl req -new -x509 -subj '/CN=test/' -key key.tpm -engine tpm2 -keyform engine -out tmp.crt && \
+ openssl req -new -x509 -subj '/CN=test/' -key key.tpm $ENGINE $KEYFORM -out tmp.crt && \
openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || \
exit 1
done
@@ -27,7 +27,7 @@ for curve in $(${bindir}/create_tpm2_key --list-curves); do
openssl ecparam -param_enc explicit -genkey -name ${curve} > tmp.param && \
openssl genpkey -paramfile tmp.param -out key.priv && \
${bindir}/create_tpm2_key -p 81000001 -w key.priv key.tpm && \
- openssl req -new -x509 -subj '/CN=test/' -key key.tpm -engine tpm2 -keyform engine -out tmp.crt && \
+ openssl req -new -x509 -subj '/CN=test/' -key key.tpm $ENGINE $KEYFORM -out tmp.crt && \
openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || \
exit 1
done
diff --git a/tests/wrap_generic_ecc.sh b/tests/wrap_generic_ecc.sh
index 6a49943..4cc0172 100755
--- a/tests/wrap_generic_ecc.sh
+++ b/tests/wrap_generic_ecc.sh
@@ -13,7 +13,7 @@ for curve in $(${bindir}/create_tpm2_key --list-curves); do
fi
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:${curve} -out key.priv && \
${bindir}/create_tpm2_key -p 81000001 -w key.priv key.tpm && \
- openssl req -new -x509 -subj '/CN=test/' -key key.tpm -engine tpm2 -keyform engine -out tmp.crt && \
+ openssl req -new -x509 -subj '/CN=test/' -key key.tpm $ENGINE $KEYFORM -out tmp.crt && \
openssl verify -CAfile tmp.crt -check_ss_sig tmp.crt || \
exit 1
done
diff --git a/tests/wrap_pkcs12.sh b/tests/wrap_pkcs12.sh
index 5603eff..60f04ef 100755
--- a/tests/wrap_pkcs12.sh
+++ b/tests/wrap_pkcs12.sh
@@ -16,6 +16,6 @@ openssl pkcs12 -out tmp.p12 -passout pass: -export -inkey key.priv -in tmp.crt
${bindir}/create_tpm2_key -w tmp.p12 key.tpm || exit 1
openssl req -new -newkey rsa:2048 -keyout key1.priv -subj '/CN=test intermediate/' -out tmp1.csr -nodes || exit 1
-openssl x509 -req -in tmp1.csr -CA tmp.crt -CAkey key.tpm -CAkeyform engine -engine tpm2 -set_serial 1 -out tmp1.crt -days 365 || exit 1
+openssl x509 -req -in tmp1.csr -CA tmp.crt -CAkey key.tpm $CAKEYFORM $ENGINE -set_serial 1 -out tmp1.crt -days 365 || exit 1
openssl verify -CAfile tmp.crt tmp1.crt || exit 1
diff --git a/tests/wrap_tpm_key.sh b/tests/wrap_tpm_key.sh
index 6621275..29be460 100755
--- a/tests/wrap_tpm_key.sh
+++ b/tests/wrap_tpm_key.sh
@@ -23,8 +23,8 @@ openssl genrsa 2048 > key1.priv || exit 1;
for parent in "" "-p 81000001" "-p owner" "${TESTNULL}" "-p platform" "-p endorsement"; do
echo "Handle: ${parent}"
${bindir}/create_tpm2_key ${parent} -w key1.priv key1.tpm || exit 1
- openssl rsa -engine tpm2 -inform engine -in key1.tpm -pubout -out key1.pub || exit 1
- echo "This is another message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key1.tpm -out tmp.msg || exit 1
+ openssl rsa $ENGINE $INFORM -in key1.tpm -pubout -out key1.pub || exit 1
+ echo "This is another message" | openssl rsautl -sign $ENGINE $KEYFORM -inkey key1.tpm -out tmp.msg || exit 1
openssl rsautl -verify -in tmp.msg -inkey key1.pub -pubin || exit 1
done |