diff options
author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2021-02-26 14:17:16 -0800 |
---|---|---|
committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2021-02-27 10:03:40 -0800 |
commit | adf3ccb1641d51bab01e987fea11789ebc0de7b0 (patch) | |
tree | a7a0deb235c0d8893990088a354a469e2aa7ffc2 | |
parent | 559531534e3902575aaa22f314e280d1147e64be (diff) | |
download | openssl_tpm2_engine-adf3ccb1641d51bab01e987fea11789ebc0de7b0.tar.gz |
Work around Intel TSS Null Seed problems (issue 1993)
The Intel TSS doesn't seem to be able to use the NULL seed correctly
as a key parent. NULL seed parents are useful for secret keys that
can't live beyond a reboot, but the number of consumers for this
functionality is tiny, so while the issue is outstanding, simply
disable the tests that use the NULL seed to hide the problem.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rwxr-xr-x | tests/create_tpm_key.sh | 12 | ||||
-rwxr-xr-x | tests/wrap_tpm_key.sh | 13 |
2 files changed, 22 insertions, 3 deletions
diff --git a/tests/create_tpm_key.sh b/tests/create_tpm_key.sh index 11fca8b..dab50d1 100755 --- a/tests/create_tpm_key.sh +++ b/tests/create_tpm_key.sh @@ -3,12 +3,22 @@ bindir=${srcdir}/.. ## +# The Intel tss currently fails with the null seed, so skip the test +# +# see https://github.com/intel/tpm2-tss/issues/1993 +## +if [ "$TSSTYPE" = "Intel" ]; then + TESTNULL= +else + TESTNULL="-p null" +fi +## # test is # 1. create TPM internal private key # 2. get the corresponding public key from the engine # 3. encode a message using the TPM key # 4. verify the message through the public key -for parent in "" "-p 81000001" "-p owner" "-p null" "-p platform" "-p endorsement"; do +for parent in "" "-p 81000001" "-p owner" "${TESTNULL}" "-p platform" "-p endorsement"; do echo "Handle: ${parent}" ${bindir}/create_tpm2_key ${parent} key0.tpm || exit 1 openssl rsa -engine tpm2 -inform engine -in key0.tpm -pubout -out key0.pub || exit 1 diff --git a/tests/wrap_tpm_key.sh b/tests/wrap_tpm_key.sh index 371402c..a916fd9 100755 --- a/tests/wrap_tpm_key.sh +++ b/tests/wrap_tpm_key.sh @@ -1,9 +1,18 @@ #!/bin/bash - bindir=${srcdir}/.. ## +# The Intel tss currently fails with the null seed, so skip the test +# +# see https://github.com/intel/tpm2-tss/issues/1993 +## +if [ "$TSSTYPE" = "Intel" ]; then + TESTNULL= +else + TESTNULL="-p null" +fi +## # test is # 1. Create an openssl private key # 2. Wrap it to a TPM internal private key @@ -12,7 +21,7 @@ bindir=${srcdir}/.. # 5. verify the message through the public key ## openssl genrsa 2048 > key1.priv || exit 1; -for parent in "" "-p 81000001" "-p owner" "-p null" "-p platform" "-p endorsement"; do +for parent in "" "-p 81000001" "-p owner" "${TESTNULL}" "-p platform" "-p endorsement"; do echo "Handle: ${parent}" ${bindir}/create_tpm2_key ${parent} -w key1.priv key1.tpm || exit 1 openssl rsa -engine tpm2 -inform engine -in key1.tpm -pubout -out key1.pub || exit 1 |