author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2022-02-16 15:21:37 -0500 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2022-02-16 15:28:28 -0500 |
commit | a5e22eb3c6dd069bd46a8f7cf8fdd7b1444d5161 (patch) | |
tree | 76d856c574bc7074293c79198a5dca9ab8fec172 | |
parent | 34a5e4f85d6a7bd9399bdbf9170999546f0df796 (diff) | |
download | openssl_tpm2_engine-a5e22eb3c6dd069bd46a8f7cf8fdd7b1444d5161.tar.gz |
Fix tests for openssl-3
Openssl 3 deprecated rsautl, which we use for testing. This wouldn't
be a problem except they also broke it as well for good measure: it no
longer returns an error code when something fails with the key. The
test infrastructure relies on this return code, so we have to update
all of the rsautl tests to use pkeyutl instead.
Also the return error for unknown curve changed from "unknown curve"
to "invalid curve" so now we have to look for both.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rwxr-xr-x | tests/check_counter_timer.sh | 7 | ||||
-rwxr-xr-x | tests/check_enhanced_auth.sh | 43 | ||||
-rwxr-xr-x | tests/create_ecc.sh | 2 | ||||
-rwxr-xr-x | tests/create_nonopenssl_ecc.sh | 2 | ||||
-rwxr-xr-x | tests/da_check.sh | 4 | ||||
-rwxr-xr-x | tests/derive_ecc.sh | 2 | ||||
-rwxr-xr-x | tests/fail_connect.sh | 4 | ||||
-rwxr-xr-x | tests/wrap_ecc.sh | 4 | ||||
-rwxr-xr-x | tests/wrap_generic_ecc.sh | 2 |
9 files changed, 36 insertions, 34 deletions
diff --git a/tests/check_counter_timer.sh b/tests/check_counter_timer.sh
index 248aa06..b3505d7 100755
--- a/tests/check_counter_timer.sh
+++ b/tests/check_counter_timer.sh
@@ -27,10 +27,11 @@ echo "00080009" >> policy.txt
 # 3. encode a message using the TPM key
 # 4. verify the message through the public key
 ##
+echo "policy counter timer" > plain.txt
 ${bindir}/create_tpm2_key key.tpm -a -k paSSW0RD -c policy.txt && \
 openssl rsa -engine tpm2 -inform engine -pubin -in key.tpm -pubout -out key.pub && \
-echo "policy counter timer" | openssl rsautl -sign -passin pass:paSSW0RD -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && \
-openssl rsautl -verify -in tmp.msg -inkey key.pub -pubin || exit 1
+openssl pkeyutl -sign -in plain.txt -passin pass:paSSW0RD -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && \
+openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1
 ##
 # advance the TPM clock by ten minutes and a second which should make
@@ -44,7 +45,7 @@ tssclockset -hi o -clock ${clock} || exit 1
 # now the signing operation should fail
 ##
 echo "Check key failure due to counter timer policy"
-echo "policy fail counter timer" | openssl rsautl -sign -passin pass:paSSW0RD -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg 2> tmp.txt && exit 1
+openssl pkeyutl -sign -in plain.txt -passin pass:paSSW0RD -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg 2> tmp.txt && exit 1
 # check we got the right failure message
 grep "Policy Failure: Counter Timer at offset 8 is not <=" tmp.txt
diff --git a/tests/check_enhanced_auth.sh b/tests/check_enhanced_auth.sh
index 74b453c..c262a97 100755
--- a/tests/check_enhanced_auth.sh
+++ b/tests/check_enhanced_auth.sh
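Review bot: The new `openssl pkeyutl -sign -in plain.txt ...` line carries over the duplicated `-engine tpm2 -engine tpm2` from the rsautl line it replaces; one `-engine tpm2` is enough and the repeat is noise for the next reader. Worth a comment too: `pkeyutl -sign` with no `-digest`/`-pkeyopt digest:` option presumably pads and signs the raw bytes of plain.txt with PKCS#1 v1.5 rather than a hash of them, which is what rsautl did and what step 3 of the test (`# 3. encode a message using the TPM key`) wants, but it is not a "real" signature and plain.txt has to stay well below the modulus size. Something like `# raw PKCS#1 v1.5 signing of the message bytes, as rsautl did; keep it short` above the echo would make that explicit. The test script continues before and after this hunk.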
@@ -19,7 +19,7 @@ fi
 ${bindir}/create_tpm2_key key.tpm -c policies/policy_bogus.txt
 a=0;
 while [ $a -lt 5 ]; do
 a=$[$a+1]
- echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && exit 1
+ echo "This is a message" | openssl pkeyutl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && exit 1
 done
 ##
@@ -27,14 +27,14 @@ done
 ##
 for h in "sha1" "sha256" "sha384"; do
 pcr=0;
- while [ $pcr -le 24 ]; do
+ while [ $pcr -lt 24 ]; do
 tsspcrextend -ha $pcr -halg $h -ic $RANDOM
 pcr=$[$pcr + 1]
 done
 ##
 # reset PCR 16 for the fixed policy tests
 ##
- ${tss_pcrreset_cmd} -ha 16 -halg $h
+ ${tss_pcrreset_cmd} -ha 16
 done
 for h in "sha1" "" "sha384"; do
@@ -50,10 +50,11 @@ for h in "sha1" "" "sha384"; do
 # 2. get the corresponding public key from the engine
 # 3. encode a message using the TPM key
 # 4. verify the message through the public key
+ echo "This is a Message" > plain.txt
 ${bindir}/create_tpm2_key ${n} -a -k passw0rd key2.tpm -c policies/policy_authvalue.txt && \
 openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
- echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
- openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin || exit 1
+ openssl pkeyutl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -in plain.txt -out tmp.msg && \
+ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub -pubin || exit 1
 ##
 # test is
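Review bot: The two edits in the `@@ -27,14` hunk — tightening the PCR loop from `-le 24` to `-lt 24` and dropping `-halg $h` from the PCR 16 reset — have nothing to do with the rsautl-to-pkeyutl migration and the commit description does not mention them, so `git blame` will never explain why they happened. A one-line comment on each would fix that: `# PCRs are numbered 0-23` above the while, and `# PCR_Reset clears the PCR in every bank, so no per-bank -halg` above the reset. The second is my reading of why the option was removed; if the real reason was simply that the reset command rejects `-halg`, say that instead. The enclosing `for h` loops and the rest of the script are outside the hunk.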
@@ -67,8 +68,8 @@ for h in "sha1" "" "sha384"; do
 ${tss_pcrextend_cmd} -ha 16 -ic aaa
 ${bindir}/create_tpm2_key ${n} key2.tpm -c policies/policy_pcr${h}.txt && \
 openssl rsa -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub && \
- echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \
- openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin || exit 1
+ openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \
+ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub -pubin || exit 1
 ##
 # test is
@@ -80,8 +81,8 @@ for h in "sha1" "" "sha384"; do
 ${tss_pcrreset_cmd} -ha 16
 ${bindir}/create_tpm2_key ${n} key2.tpm -c policies/policy_pcr${h}.txt
 openssl rsa -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub && \
- echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \
- openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin
+ openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \
+ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub -pubin
 if [ $? -ne 1 ]; then
 echo "TPM key should not be accessible"
 exit 1
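Review bot: The negative test in the `@@ -80,8` hunk asserts only `if [ $? -ne 1 ]` on the tail of the `openssl rsa && pkeyutl -sign && pkeyutl -verify` chain, so an exit status of 1 from the new verify line (signature does not match key2.pub) or from the `openssl rsa` export would satisfy it just as well as the policy refusal on the sign line that "TPM key should not be accessible" is meant to check. Since the claim is about the sign step, end the chain at the sign: `openssl pkeyutl -sign -in plain.txt -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg` followed by the existing `if [ $? -ne 1 ]; then`, and drop the verify from this path (or capture `rc=$?` right after the sign and test that). The `if` is inside the hunk but the loop body continues past it.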
@@ -100,8 +101,8 @@ for h in "sha1" "" "sha384"; do
 ${tss_pcrextend_cmd} -ha 16 -ic aaa
 ${bindir}/create_tpm2_key ${n} -a -k passw0rd key2.tpm -c policy_authvalue_pcr.txt && \
 openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
- echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
- openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin || exit 1
+ openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
+ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub -pubin || exit 1
 ##
 # test is
@@ -116,8 +117,8 @@ for h in "sha1" "" "sha384"; do
 ${tss_pcrextend_cmd} -ha 16 -ic aaa
 ${bindir}/create_tpm2_key ${n} -a -k passw0rd key2.tpm -c policy_pcr_authvalue.txt && \
 openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
- echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
- openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin || exit 1
+ openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
+ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key2.pub -pubin || exit 1
 ##
 # test is
@@ -128,24 +129,24 @@ for h in "sha1" "" "sha384"; do
 ##
 ${bindir}/create_tpm2_key ${n} -a -k passw0rd key.tpm --pcr-lock 1,2,3-15,17-23 --pcr-lock sha1:1-4 --pcr-lock sha384:10-20 || exit 1
 openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key.tpm -pubout -out key.pub || exit 1
- echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg || exit 1
- openssl rsautl -verify -in tmp.msg -inkey key.pub -pubin || exit 1
+ openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg || exit 1
+ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1
 ${tss_pcrextend_cmd} -ha 16 -ic $RANDOM
 ${tss_pcrextend_cmd} -ha 5 -halg sha1 -ic $RANDOM
 ${tss_pcrextend_cmd} -ha 9 -halg sha384 -ic $RANDOM
- echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg || exit 1
- openssl rsautl -verify -in tmp.msg -inkey key.pub -pubin || exit 1
+ openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg || exit 1
+ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1
 ${tss_pcrextend_cmd} -ha 1 -halg sha1 -ic $RANDOM
- echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg && exit 1
+ openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg && exit 1
 ##
 # Check a smaller PCR lock with no auth
 ##
 ${bindir}/create_tpm2_key ${n} --pcr-lock 2,4,7,10 --pcr-lock sha1:1,3 key.tpm || exit 1
 openssl rsa -engine tpm2 -inform engine -in key.tpm -pubout -out key.pub || exit 1
- echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg || exit 1
- openssl rsautl -verify -in tmp.msg -inkey key.pub -pubin || exit 1
+ openssl pkeyutl -sign -in plain.txt -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg || exit 1
+ openssl pkeyutl -verify -in plain.txt -sigfile tmp.msg -inkey key.pub -pubin || exit 1
 ${tss_pcrextend_cmd} -ha 4 -halg sha256 -ic $RANDOM
- echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && exit 1
+ echo "This is a message" | openssl pkeyutl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && exit 1
 done
 exit 0
diff --git a/tests/create_ecc.sh b/tests/create_ecc.sh
index 061cedb..8c2c0c8 100755
--- a/tests/create_ecc.sh
+++ b/tests/create_ecc.sh
@@ -8,7 +8,7 @@ bindir=${srcdir}/..
 # 2. Create a self signed x509 certificate
 # 3. verify the certificate
 for curve in $(${bindir}/create_tpm2_key --list-curves); do
- if openssl ecparam -name ${curve} 2>&1 | grep 'unknown curve'; then
+ if openssl ecparam -name ${curve} 2>&1 | egrep '(invalid|unknown) curve'; then
 continue
 fi
 echo "Checking curve ${curve}"
diff --git a/tests/create_nonopenssl_ecc.sh b/tests/create_nonopenssl_ecc.sh
index d7adcc0..5c1f004 100755
--- a/tests/create_nonopenssl_ecc.sh
+++ b/tests/create_nonopenssl_ecc.sh
@@ -14,7 +14,7 @@ bindir=${srcdir}/..
 for curve in $(${bindir}/create_tpm2_key --list-curves); do
- if openssl ecparam -name ${curve} 2>&1 | grep -v 'unknown curve'; then
+ if openssl ecparam -name ${curve} 2>&1 | egrep -v '(invalid|unknown) curve'; then
 continue
 fi
 echo "Checking curve ${curve}"
diff --git a/tests/da_check.sh b/tests/da_check.sh
index 68a2a03..b2e996b 100755
--- a/tests/da_check.sh
+++ b/tests/da_check.sh
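Review bot: The last negative test in the `@@ -128,24` hunk still feeds the message through a pipe (`echo "This is a message" | openssl pkeyutl -sign -engine tpm2 ...`), while every other sign in the hunk — including the parallel negative test after the sha1 PCR 1 extend — was switched to `-in plain.txt`. Nothing breaks, since pkeyutl reads stdin when `-in` is absent, but the one-off form invites a "why is this different" question; suggest `openssl pkeyutl -sign -in plain.txt -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && exit 1`. While touching these lines, the doubled `-engine tpm2 -engine tpm2` inherited from the old rsautl invocations can be reduced to one. The enclosing `for h` loop starts before the hunk.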
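Review bot: `egrep` is obsolescent — recent GNU grep releases print an `egrep: warning: egrep is obsolescent; using grep -E` line to stderr on every call — and the new `(invalid|unknown) curve` filter in tests/create_ecc.sh is the same text copy-pasted into six scripts by this commit. Use `grep -E`, and `-q` since only the exit status is consumed: `if openssl ecparam -name ${curve} 2>&1 | grep -Eq '(invalid|unknown) curve'; then`. A comment recording which OpenSSL produces which wording, `# openssl 1.1 says "unknown curve", openssl 3 says "invalid curve"`, would spare the next person re-deriving it from this commit's message. The rest of the loop body is outside the hunk.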
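Review bot: The inverted filter in tests/create_nonopenssl_ecc.sh, `egrep -v '(invalid|unknown) curve'`, succeeds whenever any output line fails to match, so if OpenSSL 3's ecparam prints a multi-line error (for example an app-name line plus the error-stack line carrying "invalid curve"), the non-matching line makes `grep -v` exit 0 and the unsupported curve is skipped instead of tested — the opposite of what this script exists to cover. Negating the pipeline instead of the match is robust to that: `if ! openssl ecparam -name ${curve} 2>&1 | grep -Eq '(invalid|unknown) curve'; then`. I cannot tell from the diff whether the OpenSSL 3 output here is actually multi-line, so confirm against a real run before changing it.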
@@ -13,7 +13,7 @@ ${bindir}/create_tpm2_key --rsa --da -a -k passw0rd key.tpm || exit 1
 count=1;
 while true; do
 echo "This is a message" |
- openssl rsautl -sign -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passwrd -out tmp.msg 2>tmp.txt
+ openssl pkeyutl -sign -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passwrd -out tmp.msg 2>tmp.txt
 val=$?
 cat tmp.txt
 if [ $val -ne 1 ]; then
@@ -39,7 +39,7 @@ done
 echo "Locked out after $count tries"
 # try with correct password, should still be locked out
 echo "This is a message" |
-openssl rsautl -sign -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg 2>tmp.txt
+openssl pkeyutl -sign -engine tpm2 -keyform engine -inkey key.tpm -passin pass:passw0rd -out tmp.msg 2>tmp.txt
 val=$?
 cat tmp.txt
 if [ $val -ne 1 ]; then
diff --git a/tests/derive_ecc.sh b/tests/derive_ecc.sh
index 163d27b..7a8a11e 100755
--- a/tests/derive_ecc.sh
+++ b/tests/derive_ecc.sh
@@ -24,7 +24,7 @@ bindir=${srcdir}/..
 ##
 for curve in $(${bindir}/create_tpm2_key --list-curves); do
- if openssl ecparam -name ${curve} 2>&1 | grep 'unknown curve'; then
+ if openssl ecparam -name ${curve} 2>&1 | egrep '(invalid|unknown) curve'; then
 continue
 fi
 echo "Checking curve ${curve} explicitly named"
diff --git a/tests/fail_connect.sh b/tests/fail_connect.sh
index b47f8cf..eb3edf9 100755
--- a/tests/fail_connect.sh
+++ b/tests/fail_connect.sh
@@ -41,7 +41,7 @@ QL4QAdW9Ac4kKt4=
 # conversion to public key doesn't actually contact the TPM
 # so this should succeed
 ##
-openssl rsa -engine tpm2 -inform engine -in tmp.tpm -pubout -out tmp.pub 2> tmp.txt
+openssl pkey -engine tpm2 -inform engine -in tmp.tpm -pubout -out tmp.pub 2> tmp.txt
 if [ $? -ne 0 ]; then
 echo "TPM key import failed with $?"
 cat tmp.txt
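Review bot: The switch from `openssl rsa` to `openssl pkey` in tests/fail_connect.sh is not mentioned in the description, and every other script in this commit keeps `openssl rsa -engine tpm2 -inform engine` for the same public-key export, so it reads as accidental; if `pkey` is needed here — because tmp.tpm need not be an RSA key, or because `rsa -inform engine` misbehaves under OpenSSL 3 — a comment above the line should say so. Separately, the error path prints `echo "TPM key import failed with $?"`, but by then `$?` holds the status of the `[ $? -ne 0 ]` test, which is 0 whenever the branch is taken, so the message can never show the real code; capture `rc=$?` on the line after the pkey call and print that, as da_check.sh already does with `val=$?`. The rest of this script is outside the hunk.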
@@ -51,7 +51,7 @@ fi
 # key operation does contact the TPM and should fail
 ##
 echo "This is a message" |\
-openssl rsautl -sign -engine tpm2 -keyform engine -inkey tmp.tpm -out tmp.msg 2> tmp.txt
+openssl pkeyutl -sign -engine tpm2 -keyform engine -inkey tmp.tpm -out tmp.msg 2> tmp.txt
 if [ $? -ne 1 ]; then
 echo "TPM key signing failed with $?"
 cat tmp.txt
diff --git a/tests/wrap_ecc.sh b/tests/wrap_ecc.sh
index 9912c24..bfebce4 100755
--- a/tests/wrap_ecc.sh
+++ b/tests/wrap_ecc.sh
@@ -9,7 +9,7 @@ bindir=${srcdir}/..
 # 3. Create a self signed x509 certificate
 # 4. verify the certificate
 for curve in $(${bindir}/create_tpm2_key --list-curves); do
- if openssl ecparam -name ${curve} 2>&1 | grep 'unknown curve'; then
+ if openssl ecparam -name ${curve} 2>&1 | egrep '(unknown|invalid) curve'; then
 continue
 fi
 echo "Checking curve ${curve}"
@@ -21,7 +21,7 @@ for curve in $(${bindir}/create_tpm2_key --list-curves); do
 exit 1
 done
 for curve in $(${bindir}/create_tpm2_key --list-curves); do
- if openssl ecparam -name ${curve} 2>&1 | grep 'unknown curve'; then
+ if openssl ecparam -name ${curve} 2>&1 | egrep '(invalid|unknown) curve'; then
 continue
 fi
 echo "Checking curve ${curve}"
diff --git a/tests/wrap_generic_ecc.sh b/tests/wrap_generic_ecc.sh
index 4925e63..60bc9a9 100755
--- a/tests/wrap_generic_ecc.sh
+++ b/tests/wrap_generic_ecc.sh
@@ -9,7 +9,7 @@ bindir=${srcdir}/..
 # 3. Create a self signed x509 certificate
 # 4. verify the certificate
 for curve in $(${bindir}/create_tpm2_key --list-curves); do
- if openssl ecparam -name ${curve} 2>&1 | grep 'unknown curve'; then
+ if openssl ecparam -name ${curve} 2>&1 | egrep '(invalid|unknown) curve'; then
 continue
 fi
 openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:${curve} -out key.priv && \ |
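Review bot: The failure message in tests/fail_connect.sh, `echo "TPM key signing failed with $?"`, runs after `[ $? -ne 1 ]` has already overwritten `$?` with the test's own status, so it can only ever report 0 and the stderr in tmp.txt is the only useful output. Capture the status first: `rc=$?` directly under the new pkeyutl line, then `if [ $rc -ne 1 ]; then` and `echo "TPM key signing failed with $rc"`. The pkeyutl conversion itself looks right — pkeyutl reads the piped message from stdin when `-in` is omitted — and the script continues past the hunk.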
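Review bot: The first hunk of tests/wrap_ecc.sh writes the alternation as `(unknown|invalid) curve` while the second hunk in the same file and the other four scripts use `(invalid|unknown) curve`; the regexes match the same text, but the one-off ordering looks like a typo and a cross-tree grep for the canonical pattern will miss this copy. Make it `egrep '(invalid|unknown) curve'` here, or better `grep -Eq '(invalid|unknown) curve'` in all six places, since `egrep` is obsolescent (newer GNU grep warns on each use) and only the exit status is consumed.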